Overview
Basic data
Hostname | gs2.fluid.tuwien.ac.at
Model | Supermicro X10SRW-F S/N: NM154S015315
Purpose | graphics server
Operating system | debian
Management interface |
Operator credentials | user: e322 (@mgs2; allowed to power on/off gs2) | Re2300PrandtlTaylor
Authentication options | TU password
Hardware
CPU | Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores); Socket: FCLGA2011-3
RAM | 32 GiB; up to 256 GB DDR4-2400MHz
Storage | 500 GB (/) Samsung SSD 850 EVO 500GB
Graphics card | GeForce GTX 960
BMC | AST2400 controller
Motherboard battery type | CR2032
Firmware
BIOS | Version 3.4, Build Date 2021-06-05
BMC | Version 03.93, Build Date 2021-05-28
User's manuals for motherboard/BIOS and BMC/IPMI.
Configuration
All customized configuration files are usually marked by group oswat, sometimes also by user oswat. To list them:
find /etc -user oswat -o -group oswat
BIOS
Press DEL to enter the BIOS, F11 for the boot menu.
Admins
- Thomas Loimer
- Rudolf Ladner (ZID)
Firmware update
Baseboard Management Controller (BMC)
Update the firmware, because the newer version provides an iKVM/HTML5 virtual console and Redfish.
Initially, the IP address of the BMC was set to the static address 128.131.183.xxx, so it was necessary to go to the server room and access the BMC from the console.
On 2024-04-24, download firmware BMC_X10AST2400-32M_20210528_03.93_STD.zip from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BMC
Unzip. Trying to dump the current firmware with the binary AlUpdate contained in the zip file resulted in a core dump.
Log in to the BMC GUI -> Maintenance -> Update Firmware
Upload the file BMC_X10AST2400-32M_20210528_03.93_STD.bin (exactly 32 MiB). Uncheck the box Preserve configuration; network settings thankfully remain.
BIOS
Download the firmware on 2024-04-24 from https://www.supermicro.com/en/support/resources/downloadcenter/firmware/MBD-X10SRW-F/BIOS, file X10SRW1.605.zip, and unzip it.
The BIOS update needs an activation key; get one by using the tool from https://github.com/bwachter/supermicro-ipmi-key.
Generate the activation key: ./supermicro-ipmi-key 0c:c4:7a:37:57:9d, output: 90d4 cdb7 ab21 0cf7 33d0 96fa.
Log in to the BMC GUI -> BIOS Update, choose the file X10SRW1.605 (exactly 16 MiB), uncheck any preserve boxes (ME region, NVRAM, SMBIOS). Click Start Upgrade.
BIOS Settings
Advanced -> PCIe/PCI/PnP Configuration:
RSC-R1UW-E8R SLOT1 PCI-E X8 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM, RSC-R1UW-2E16 SLOT1 PCI-E X16 OPROM: Set type to EFI, was Legacy.
Onboard LAN OPROM Type: EFI, was Legacy.
Boot: Set boot type to EFI, was Dual.
Installation of the base system (2024-04-29)
Boot. The only boot medium present is PXE booting; choose
Linux Network Installs -> Debian -> Text Based Install
Debian Installer
Language: C - no localization
Select your location: Europe -> Austria
keymap to use: American English (since this is the keymap on the virtual iKVM/HTML5 keyboard)
Configure the network: eno1 (yields a dhcp address during installation)-> hostname: gs2
-> domain name: fluid.tuwien.ac.at
Choose a mirror of the Debian archive: enter information manually
-> mirror hostname: gd.tuwien.ac.at
-> mirror directory: /opsys/linux/debian
-> proxy information: (blank)
-> root password: ***
-> Full name for user account: (blank)
-> username: oswat
-> Password for the new user: (same as root)
Partition disks:
-> Guided - use entire disk
-> Select disk to partition: SCSI5 (0,0,0) (sda) - 500.1 GB ATA Samsung SSD 850
-> All files in one partition ... then, change partition to
#1 267.4 MB B f ESP efi_fs EFI System Partition, bootable (choose 265 MiB)
#2 465 GB f ext4 root_fs /
#3 34.8 GB f swap
Configuring popularity-contest: Yes
Software selection: (nothing except)
[*] SSH server
[*] standard system utilities
Reboot
Network
Remove legacy ifupdown, use systemd-networkd and systemd-resolved.
ssh oswat@dhcp1 # Log in to the temporary address
# some network details are already set
chgrp oswat /etc/hostname
# the static IP address
cat >/etc/systemd/network/20-gs2.network <<EOF
[Match]
Type=ether
[Network]
Description=Static ethernet connection
Address=128.130.169.115/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF
chgrp oswat /etc/systemd/network/20-gs2.network
# remove legacy network stack
apt purge ifupdown && systemctl start systemd-networkd
After that, the shell freezes; kill ssh and log in again:
ssh oswat@gs2
su - # change to root
systemctl enable systemd-networkd
# systemd-resolved is supposed to have DNS caching,
# use it instead of a manual /etc/resolv.conf file
apt install systemd-resolved
# these are packages recommended by systemd-resolved; here they are useful
apt install libnss-myhostname libnss-resolve
# append my public key to .ssh/authorized_keys
# scp ed25519.pub >/root/.ssh/authorized_keys
Package sources
Use the local mirror gd.tuwien.ac.at, as entered during installation.
Do not install recommended packages.
chgrp oswat /etc/apt/sources.list
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
chgrp oswat /etc/apt/apt.conf.d/90recommended_false
sshd does not accept environment
Do not forward the client's locale, since there is only C/POSIX on gs1.
apt install patch patch /etc/ssh/sshd_config <<EOF --- /etc/ssh/sshd_config.orig 2023-04-12 16:19:45.904116844 +0200 +++ /etc/ssh/sshd_config 2023-03-29 10:20:37.697903087 +0200 @@ -109,7 +109,7 @@ #Banner none # Allow client to pass locale environment variables -AcceptEnv LANG LC_* +#AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /usr/lib/openssh/sftp-server EOF chgrp oswat /etc/ssh/sshd_config
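Review bot: Nothing after the @@ -109,7 +109,7 @@ hunk checks that it applied or makes sshd load the changed file; the commands end at chgrp. patch can reject the hunk when the installed sshd_config differs from the 2023 file the diff was taken from, so check its exit status, confirm with sshd -T | grep -i acceptenv that no AcceptEnv entry remains (files under /etc/ssh/sshd_config.d/ can add their own), and reload the service. Quoting the here-document delimiter (<<'EOF') would also keep the shell from expanding anything inside the patch body.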
Allow all members of E322 to log in
apt install libnss-ldapd libpam-ldapd nscd # additionally installs nslcd
Configuring nslcd:
LDAP server URI: ldaps://dc.intern.tuwien.ac.at
search base: ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at
check server's SSL certificate: never
Name services to configure (etc/nsswitch): passwd, group, shadow
# the delimiter is quoted so that the shell does not expand ${sAMAccountName}
cat >>/etc/nslcd.conf <<'EOF'
#
# CUSTOMIZATION
#
# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw ***
base passwd ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base shadow ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base group ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
# Mappings
filter passwd (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map passwd uid sAMAccountName
map passwd uidNumber employeeID
map passwd gecos cn
map passwd homeDirectory "/home/${sAMAccountName}"
map passwd loginShell "/bin/bash"
map passwd gidNumber "2153"
filter shadow (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map shadow uid sAMAccountName
filter group (cn=E322*)
map group userPassword ""
map group gidNumber objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
# create home directories on first login
pam-auth-update --enable mkhomedir
# Login message; the delimiter is quoted so that the backticks are not executed
cat >/etc/motd <<'EOF'
Welcome to gs2.fluid.tuwien.ac.at
This computer is available for all members of the Institute of Fluid Mechanics and Heat Transfer.
By default, you belong to group E322 and everybody can read your files.
Issue the command `umask 077` if you want to keep your files private.
EOF
chgrp oswat /etc/nslcd.conf /etc/motd
systemctl restart nslcd
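A check for the nslcd setup above, as an added example that is not part of the original page. It assumes the installer answer "check server's SSL certificate: never" is stored as tls_reqcert never in /etc/nslcd.conf, and it also flags a homeDirectory mapping whose ${sAMAccountName} reference was expanded away by an unquoted here-document; the function names and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: audit an nslcd.conf.
# Prints one finding per line and nothing when both checks pass.
audit_nslcd_conf() {
    awk '
        $1 == "tls_reqcert" { reqcert = tolower($2) }   # last occurrence is kept
        $1 == "map" && $2 == "passwd" && $3 == "homeDirectory" && index($4, "$") == 0 {
            print "homeDirectory mapping has no ${attribute} reference: " $4
        }
        END {
            if (reqcert == "never" || reqcert == "allow")
                print "tls_reqcert " reqcert ": LDAP server certificate is not verified"
        }
    ' "$1"
}

# Constructed sample: the result of an unquoted here-document, in which the
# shell replaces the unset variable ${sAMAccountName} with an empty string.
write_sample_weak() {
    cat >"$1" <<EOF
uri ldaps://dc.intern.tuwien.ac.at
tls_reqcert never
map passwd homeDirectory "/home/${sAMAccountName}"
EOF
}

# Constructed sample: a quoted delimiter keeps the mapping literal, and the
# server certificate is checked against the system CA bundle (assumed path).
write_sample_ok() {
    cat >"$1" <<'EOF'
uri ldaps://dc.intern.tuwien.ac.at
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
map passwd homeDirectory "/home/${sAMAccountName}"
EOF
}

tmp=$(mktemp -d)
write_sample_weak "$tmp/weak.conf"
write_sample_ok "$tmp/ok.conf"
echo "weak.conf:"; audit_nslcd_conf "$tmp/weak.conf"
echo "ok.conf:";   audit_nslcd_conf "$tmp/ok.conf"
rm -rf "$tmp"
```

With tls_reqcert never, the bind password and every login password checked through PAM go to whichever host answers for the LDAP URI.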
Hibernation
Hibernate after 72 hours idle time
Backup configuration
Create user gs2-root@b.fluid.tuwien.ac.at, see the description to backup users on page b
Create an SSH key, copy the public part to ~gs2-root@b/.ssh/authorized_keys, copy the backup scripts to /opt/backup_scripts and create a cron job for periodic backup. On b, create a cron job to prune the backups.
ssh-keygen -q -t ed25519 -N "" -f .ssh/id_ed25519
{ echo -n 'command="borg serve --restrict-to-path /mnt/backup",restrict '; cat .ssh/id_ed25519.pub; } \
  | ssh tloimer@b "cat >/tmp/authorized_keys"
root@b$ install -m 600 -o gs2-root -g gs2-root /tmp/authorized_keys /mnt/backup/gs2/.ssh/ \
  && rm /tmp/authorized_keys
git clone oswat@b.fluid.tuwien.ac.at:backup-scripts.git /opt/borgscripts
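The backup key above is only as limited as the options in front of it in authorized_keys. The following added example (not from the original page) lists entries that lack a forced command or the restrict option; the function names are hypothetical and the key material in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: report authorized_keys entries
# that are not locked down. Output format: "<line number>: <reason>".
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/"[^"]*"/, "\"\"", line)        # blank out quoted option values
            split(line, f, /[ \t]+/)
            if (f[1] ~ /^(ssh-|ecdsa-|sk-)/) {   # line starts with the key type
                print NR ": no options, key gets an unrestricted login"
                next
            }
            forced = restricted = 0
            n = split(f[1], opt, ",")
            for (i = 1; i <= n; i++) {
                o = tolower(opt[i])              # option names are case-insensitive
                if (o == "restrict") restricted = 1
                if (o ~ /^command=/) forced = 1
            }
            if (!forced)     print NR ": no command= option"
            if (!restricted) print NR ": no restrict option"
        }
    ' "$1"
}

# Constructed sample file; the key blobs are placeholders, not real keys.
write_sample_keys() {
    cat >"$1" <<'EOF'
# backup key for gs2
command="borg serve --restrict-to-path /mnt/backup",restrict ssh-ed25519 AAAAC3placeholder1 root@gs2
ssh-ed25519 AAAAC3placeholder2 root@gs2
command="borg serve --restrict-to-path /mnt/backup" ssh-ed25519 AAAAC3placeholder3 root@gs2
EOF
}

tmp=$(mktemp -d)
write_sample_keys "$tmp/authorized_keys"
audit_authorized_keys "$tmp/authorized_keys"
rm -rf "$tmp"
```

Quoted option values that contain an escaped double quote are not handled by this check.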
Installation sources
User access
sshd customization
Allow all members of E322 to log in
Enable hibernation
Create a swap file (not a swap partition), enable swap and modify the kernel command line to search for a RAM image.
Use filefrag to get the offset of the swap file.
It is not necessary to modify etc/initramfs-tools/conf.d/resume.
touch /swap
chmod 600 /swap
dd if=/dev/zero of=/swap bs=1M count=32768
# format the file as swap space and enable it
mkswap /swap
swapon /swap
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical offset:" columns.
# This number has two dots appended (here: 202752..).
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
  >/etc/default/grub.d/resume.cfg
# regenerate grub.cfg so that the new kernel command line is used
update-grub
echo "/swap swap swap defaults 0 0" >>/etc/fstab
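Reading the offset off the filefrag listing by hand is easy to get wrong, so here is the same step as a small parser. This is an added example, not from the original page: the function names are hypothetical, the filefrag output is a constructed sample, and root_partition is the partition label used above.

```shell
#!/bin/sh
# Added example, not from the original page: derive resume_offset from the
# output of "filefrag -v" read on stdin.
resume_offset() {
    awk '
        $1 == "0:" {                          # first extent of the file
            sub(/^[^:]*:[^:]*:[ ]*/, "")      # drop the ext and logical_offset columns
            sub(/\.\..*$/, "")                # keep the start of physical_offset
            print; found = 1; exit
        }
        END { if (!found) exit 1 }            # no extent row: fail instead of guessing
    '
}

# $1 = partition label, stdin = filefrag -v output.
# Prints the line for /etc/default/grub.d/resume.cfg.
grub_resume_line() {
    off=$(resume_offset) || return 1
    case $off in
        ''|*[!0-9]*) return 1 ;;              # refuse anything that is not a number
    esac
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="resume=PARTLABEL=%s resume_offset=%s"\n' "$1" "$off"
}

# Constructed sample of filefrag -v output for a 32 GiB swap file.
sample_filefrag() {
    cat <<'EOF'
Filesystem type is: ef53
File size of /swap is 34359738368 (8388608 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:     202752..    235519:  32768:
   1:    32768..   65535:     237568..    270335:  32768:     235520:
EOF
}

sample_filefrag | grub_resume_line root_partition
```

On the real system, replace sample_filefrag with filefrag -v /swap. The kernel reads resume_offset in units of the page size, which matches the 4096-byte filesystem blocks shown in the sample.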
Mark customized files
cd etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
  systemd/network/10-gs1.network sshd_config sshd_config.d/permitrootlogin.conf \
  default/grub.d/resume.cfg
chown oswat nslcd.conf