#language en
= Maintenance and Setup of s15.fluid.tuwien.ac.at =

[[TableOfContents(2)]]

The operation of s15 can be remotely controlled from its management interface at ms15.fluid.tuwien.ac.at. The credentials for the management interface, and also for the `root` and `oswat` accounts on s15, are known to Werner Jandl, Sebastian Böhm, Thomas Loimer and Francesco Zonta.

The user account `oswat` on s15 is used for administrative purposes. Although customizations can only be done by root, any modified files, e.g., in /etc/, should be owned by oswat. If, in addition, the original files are saved with the suffix `.orig`, the differences to a stock Debian system are easy to find. For instance, to customize `dhcpd.conf`:
{{{
su
cd /etc
cp -p dhcp/dhcpd.conf dhcp/dhcpd.conf.orig
$EDITOR dhcp/dhcpd.conf
chown oswat:oswat dhcp/dhcpd.conf
# find the customizations; some files, e.g., in logrotate.d,
# must stay owned by root (logrotate ignores them otherwise),
# but their group can be oswat
find /etc -user oswat -o -group oswat -o -name "*.orig"
}}}
The operating system on s15 is Debian. Type `lsb_release -a` to get information on the current release, and `uname -a` to get the version of the running kernel. To keep the operating system up to date, from time to time the commands
{{{
apt-get update
apt-get upgrade
apt-get dist-upgrade
}}}
should be issued, as root.

== Installation of software packages ==
The list of software installed on s15 is maintained on a separate page, Self:s15-software. Please, whenever software is installed, e.g., using `apt-get install`, update that [:s15-software: list]. The packages are retrieved from the official Debian mirror at ftp.at.debian.org, as listed in [attachment:sources.list /etc/apt/sources.list].

== Ssh-daemon ==
As per the default configuration of the ssh-daemon (`PermitRootLogin prohibit-password`), `root` is not allowed to log in to s15 with a password from a remote client. Therefore, log in with your regular account or as `oswat`, and `su` to root. Alternatively, create a public/private key pair and put the public key into `/root/.ssh/authorized_keys`; key authentication for root is still permitted by that default.
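The convention described above for /etc (the live file is owned by oswat, the stock file is kept beside it as `.orig`) is what makes a change such as the one in sshd_config below easy to spot. The following helper is an added example, not a script from s15: it walks a tree and reports, for every `.orig`, whether the live file differs, and lists files owned by the admin account that have no saved original to diff against. The tree root and the owner are parameters (an assumption, so that it can be tried on a scratch directory); on s15 they would be `/etc` and `oswat`.

```shell
#!/bin/sh
# Added example, not from the s15 page: audit the ".orig + owned by oswat"
# customization convention in an /etc-like tree.
#
# audit_customizations ROOT [OWNER]   (assumed interface; OWNER defaults to oswat)
# prints one finding per line:
#   DIFF   FILE       FILE.orig exists and FILE differs from it
#   SAME   FILE       FILE.orig exists but FILE is identical (customization reverted?)
#   STALE  FILE.orig  no live FILE any more
#   NOBASE FILE       owned by OWNER but no FILE.orig to compare against
audit_customizations() {
    local root=${1:?usage: audit_customizations ROOT [OWNER]}
    local owner=${2:-oswat}
    # every saved original, compared with its live counterpart
    find "$root" -type f -name '*.orig' | LC_ALL=C sort | while IFS= read -r orig; do
        live=${orig%.orig}
        if [ ! -e "$live" ]; then
            echo "STALE $orig"
        elif cmp -s "$orig" "$live"; then
            echo "SAME $live"
        else
            echo "DIFF $live"
        fi
    done
    # files owned by the admin account that have no saved original;
    # find(1) complains loudly if OWNER is not a known user, which is intended
    find "$root" -type f -user "$owner" ! -name '*.orig' | LC_ALL=C sort | while IFS= read -r live; do
        [ -e "$live.orig" ] || echo "NOBASE $live"
    done
}

# audit_ok ROOT [OWNER]: succeeds when the audit found neither STALE nor
# NOBASE entries, i.e. every customization has a baseline to diff against.
audit_ok() {
    ! audit_customizations "$1" "$2" | grep -Eq '^(STALE|NOBASE) '
}

# show_customization_diffs ROOT [OWNER]: unified diff for every DIFF finding,
# which is what one wants to read before an apt-get dist-upgrade.
show_customization_diffs() {
    audit_customizations "$1" "$2" | while read -r kind file; do
        if [ "$kind" = DIFF ]; then
            diff -u "$file.orig" "$file" || true   # diff exits 1 when files differ
        fi
    done
    return 0
}

# with arguments, run the audit on that tree; without, only define the functions
if [ $# -gt 0 ]; then
    audit_customizations "$@"
    show_customization_diffs "$@"
fi
```

Run it as `sh audit.sh /etc oswat` before a `dist-upgrade`: a `STALE` line means an `.orig` whose package file was removed, a `NOBASE` line means a customization nobody will be able to compare with the stock version later.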
The default configuration of the ssh-daemon given in [attachment:sshd_config /etc/ssh/sshd_config] has been changed in one respect: clients are not allowed to pass the environment variables for their locale settings to their shell on s15,
{{{
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
}}}
The machinery for authentication via LDAP, i.e., by querying the database that also feeds TISS, is documented at Self:ldap-authentication or at Self:loginviatiss (in German).

== Network setup ==
S15 has, apart from the management port at 128.130.169.3, four ethernet ports, which are bonded together to one interface, visible at 128.130.169.2. The network is configured from [attachment:interfaces /etc/network/interfaces] using the package ifupdown, not yet via systemd configuration files.

== Firewall ==
There is a local firewall on s15 which serves to stop dictionary attacks. These manifest themselves as frequent log-in attempts with common username/password combinations; they can be observed in `/var/log/auth.log`. The firewall is implemented by iptables rules using the `recent` match (module xt_recent). These rules count the log-in attempts from a given IP address and block that address once more than 6 attempts have been made. On a successful login, a command in the PAM stack removes the address from which the login originated from the list of tracked addresses. The list of at most 100 tracked or blocked addresses (the xt_recent default, ip_list_tot) is kept in /proc/net/xt_recent/DEFAULT. To manually unblock an address, do, as root,
{{{
# A minus (-) in front of the address removes it from the table;
# a plus (+) adds it, a single slash (/) flushes the whole table.
echo -ip.num.ber > /proc/net/xt_recent/DEFAULT
}}}
See iptables-extensions(8), match `recent`, and pam_exec(8). The iptables rules that populate the list of addresses in `/proc/net/xt_recent/DEFAULT` can be found in [attachment:iptables.up.rules /etc/network/iptables.up.rules].
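The rules file and the unblock script are attachments that are not reproduced on this page. As an added example, not their content, the following script shows the three pieces the description above puts together: an iptables-restore fragment that tracks and blocks ssh dictionary attacks with the `recent` match, a pam_exec hook that forgets the client address after a successful login, and a reader for `/proc/net/xt_recent/DEFAULT`. The 600 s window, the PAM stanza, the use of `PAM_RHOST` and the `RECENT_FILE` override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the s15 page's own iptables.up.rules or unblock script.
# Assumed, not taken from the page: the 600 s window, the pam stanza, that the
# hook receives the client address in PAM_RHOST, and RECENT_FILE as an override
# so the functions can be exercised on a copy of the proc file.

RECENT_FILE=${RECENT_FILE:-/proc/net/xt_recent/DEFAULT}

# iptables-restore(8) fragment. The page says an address is blocked after more
# than 6 attempts; for the recent match that is --hitcount 7, counted here in
# new TCP connections to port 22 (one connection may carry several password
# tries, see MaxAuthTries in sshd_config). --update refreshes the timestamp on
# every dropped packet, so an attacker that keeps trying stays blocked; use
# --rcheck instead if the block should expire 600 s after the last hit counted.
print_ssh_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name DEFAULT --update --seconds 600 --hitcount 7 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name DEFAULT --set -j ACCEPT
COMMIT
EOF
}

# pam_exec(8) hook, e.g. in /etc/pam.d/sshd (assumed stanza):
#   session optional pam_exec.so /etc/network/unblock
# sshd exports the client as PAM_RHOST. With "UseDNS yes" that may be a host
# name, and the xt_recent proc file only accepts addresses, so anything that is
# not a dotted quad is rejected instead of written. printf avoids the echo(1)
# ambiguity of an argument that starts with "-".
unblock_client() {
    local client=${1:-$PAM_RHOST}
    printf '%s\n' "$client" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "-$client" > "$RECENT_FILE"
}

# Summarize the tracking table: "<src> <hits> BLOCKED|tracked" per entry.
# xt_recent prints one line per source:
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1,J2,...
# The stored stamps (at most ip_pkt_list_tot, 20 by default) are in jiffies,
# so this only counts hits and does not apply the 600 s window of the rule.
list_tracked() {
    local threshold=${1:-7}
    awk -v thr="$threshold" '
        /^src=/ {
            src = substr($1, 5)
            hits = (NF >= 8) ? split($8, stamps, ",") : 0
            printf "%s %d %s\n", src, hits, (hits >= thr ? "BLOCKED" : "tracked")
        }' "$RECENT_FILE"
}
```

`list_tracked` is the quick way to see who is currently locked out before reaching for `echo -addr > /proc/net/xt_recent/DEFAULT`; the validation in `unblock_client` matters because a PAM hook runs as root and a host name (or an empty variable) would otherwise be written to the kernel file unchecked.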
That rules file was created with `iptables-save > /etc/network/iptables.up.rules`. The script [attachment:iptables /etc/network/if-pre-up.d/iptables] loads the rules at each startup of the server, before the interfaces come up. On a successful login, a PAM module, see the line with pam_exec.so in [attachment:sshd /etc/pam.d/sshd], calls the script [attachment:unblock /etc/network/unblock].

== Certificates ==
One SSL certificate has been issued for the names www.fluid.tuwien.ac.at, files.fluid.tuwien.ac.at, druck.fluid.tuwien.ac.at and s15.fluid.tuwien.ac.at. The certificate is stored as /etc/ssl/certs/s15.crt, its private key as /etc/ssl/private/s15.key. Symbolic links point to them from /etc/cups/ssl/*. The certificate has to be renewed once a year, on 1 December. There is a renewal id in the e-mail shipping the download link; the e-mail has "SSL certificate" in its subject line. Alternatively, create a certificate request:
{{{
# The alternative names must be requested as the subjectAltName extension;
# they do not belong into -subj. -addext needs OpenSSL 1.1.1 or newer.
openssl req -utf8 -sha256 -new -newkey rsa:2048 -nodes \
    -out "s15_fluid_tuwien_ac_at.csr" -keyout "s15_fluid_tuwien_ac_at.key" \
    -subj "/C=AT/ST=Austria/L=Vienna/O=Technische Universität Wien/OU=E322/CN=s15.fluid.tuwien.ac.at" \
    -addext "subjectAltName=DNS:s15.fluid.tuwien.ac.at,DNS:druck.fluid.tuwien.ac.at,DNS:files.fluid.tuwien.ac.at,DNS:www.fluid.tuwien.ac.at"
# request a "Géant OV Multi-Domain" certificate
# Subject Alternative Names:
#   s15.fluid.tuwien.ac.at,druck.fluid.tuwien.ac.at,files.fluid.tuwien.ac.at,www.fluid.tuwien.ac.at
# Approximately two days later, download and install the new certificate.
# The sslId in the download URL belongs to the certificate just issued;
# take the URL from the e-mail.
export CERTIFICATE_URL='https://cert-manager.com/customer/ACOnet/ssl?action=download&sslId=2976980&format=pemia'
wget -O s15_fluid_tuwien_ac_at.crt "$CERTIFICATE_URL"
install -T --owner=root --group=ssl-cert --mode=640 --backup \
    s15_fluid_tuwien_ac_at.key /etc/ssl/private/s15.key
install -T --owner=root --group=root --mode=644 --backup \
    s15_fluid_tuwien_ac_at.crt /etc/ssl/certs/s15.crt
service apache2 reload
service apache2 status
}}}
Since cups uses the same files through the symbolic links under /etc/cups/ssl, restart cups as well after the new certificate has been installed.

== File server ==
The file server is implemented by the WebDAV CGI wrapper program from https://danrohde.github.io/webdavcgi. Currently, there is one install under `/usr/local/share/webdavcgi`, and the development version is installed under `/usr/local/share/webdavcgi-git`. Configuration files to use either version are provided under `/etc/apache2/sites-available/`. Look at `/etc/apache2/sites-enabled` to see which version is active.

For requirements, look at https://danrohde.github.io/webdavcgi/doc.html#installation . In addition, do
{{{
apt install libdatetime-format-human-duration-perl
}}}
Clone the source tree and create the Apache site. The VirtualHost and Location container lines of the configuration below were missing from this copy of the page and have been re-added from the structure of the directives (two plain-http hosts that only redirect, and the https host that serves the files); check them against the file on s15.
{{{
# clone the source tree into /usr/local/share/webdavcgi-git
root@s15:/usr/local/share# git clone https://github.com/DanRohde/webdavcgi.git webdavcgi-git
cd webdavcgi-git
# this script sets the appropriate permissions
./install.sh

# create the apache configuration file; the heredoc is quoted so that
# ${APACHE_LOG_DIR} reaches the file unexpanded
cat >/etc/apache2/sites-available/files-git.conf <<'EOF'
<VirtualHost *:80>
    # Only allow secure connections to files.fluid.tuwien.ac.at
    ServerName files.fluid.tuwien.ac.at
    ServerAlias files
    ServerAlias files.fluid
    RedirectPermanent / "https://s15.fluid.tuwien.ac.at/"
</VirtualHost>

<VirtualHost *:80>
    ServerName s15
    # https://s15 would return "Your connection is not secure ...
    # ... only valid for the following names: files.fluid.tuwien.ac.at,...
    # The UseCanonicalName is also necessary here.
    # This is different from druck.conf (?!), see there.
    ServerAlias files.fluid files.fluid.tuwien.ac.at s15 s15.fluid
    RedirectPermanent / "https://s15.fluid.tuwien.ac.at/"
</VirtualHost>

<VirtualHost *:443>
    ServerName s15.fluid.tuwien.ac.at
    # Use the ServerName supplied by the client - useful when logging in,
    # otherwise the user would have to login to, e.g., files and to
    # files.fluid.tuwien.ac.at
    # Probably not needed with the Redirect
    UseCanonicalName On
    ServerAdmin thomas.loimer@tuwien.ac.at
    #DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # The SSL-stuff
    SSLEngine on
    # The installation instructions from DigiCert require to
    # also install the DigiCertCA.crt as SSLCertificateChainFile.
    # The apache documentation describes this directive as obsolete
    # and recommends to append the chain to SSLCertificateFile, but
    # the latter does not work here.
    SSLCertificateFile /etc/ssl/certs/s15.crt
    SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
    SSLCertificateKeyFile /etc/ssl/private/s15.key

    # from /etc/apache2/sites-available/default-ssl.conf
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    ScriptAlias /webdavcgi /usr/local/share/webdavcgi-git/cgi-bin/webdavwrapper
    # Never found this log.
    ScriptLog /tmp/cgi.log

    <Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Your upTUdate credentials"
        # mod_authnz_ldap
        # AuthLDAPUrl ldap://host:port/basedn?attribute?scope?filter
        AuthLDAPUrl ldaps://dc.intern.tuwien.ac.at/ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at?sAMAccountName?one
        AuthLDAPBindDN CN=E322_LDAP,OU=interactive,OU=exchange,OU=IT-services,OU=TU,DC=intern,DC=tuwien,DC=ac,DC=at
        # the bind password is not reproduced on this page
        AuthLDAPBindPassword
        # this does not work any longer, since 2019-01-01
        #Require ldap-group cn=E322,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
        Require ldap-attribute showInAddressBook="CN=E322,CN=TU Wien,CN=All Address Lists,CN=Address Lists Container,CN=TU Wien,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=intern,DC=tuwien,DC=ac,DC=at"
    </Location>

    # Correctly set $VIRTUAL_BASE and $DOCUMENT_ROOT in /etc/webdav.conf!
    # Otherwise, paths like /home//tloimer, /home///tloimer, etc, result.
    # WEBDAVCONF points at the webdav.conf created below for the git version.
    RewriteEngine On
    RewriteRule ^/ /webdavcgi [PT,E=WEBDAVCONF:/usr/local/share/webdavcgi-git/webdav.conf,E=PERLLIB:/usr/local/share/webdavcgi-git/lib/perl,L]

    # Seems to be unnecessary. Probably necessary, when additional backends
    # (smb, kerberos,..) are used?
    #<Directory ...>
    #    AllowOverride None
    #    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #    #Require all granted
    #    Require valid-user
    #</Directory>
</VirtualHost>
EOF
}}}
Create the configuration file for the WebDAV program. The HTML markup of `$LANGSWITCH` and `$HEADER` was lost from this copy of the page; only their text survives.
{{{
cat >/usr/local/share/webdavcgi-git/webdav.conf <<'EOF'
## (... -> user home):
$VIRTUAL_BASE = '/';
#$DOCUMENT_ROOT = '/home/'.$ENV{REMOTE_USER}.'/';
$DOCUMENT_ROOT = '/home/';
## if you use a complex home folder structure, try this:
# $DOCUMENT_ROOT=(getpwnam($ENV{REMOTE_USER}))[7].'/';
$DBI_SRC='dbi:SQLite:dbname=/var/spool/webdav/'.$ENV{REMOTE_USER}.'.db';
$DBI_USER='';
$DBI_PASS='';
$CREATE_DB = !-e '/var/spool/webdav/'.$ENV{REMOTE_USER}.'.db';
$DEBUG=0;
@EXTENSIONS = ('Permissions', 'PosixAclManager', 'TextEditor', 'Download', 'Zip');
$LOGFILE='/var/log/webdavcgi.log';
#th /tmp/webdav would not work,
# because /tmp/webdav is created with the current user as owner
$THUMBNAIL_CACHEDIR='/var/cache/webdav';
#
## FINE TUNING ##
$TITLEPREFIX='files/home:';
$SHOWDOTFILES = 0;
$SHOWDOTFOLDERS = 0;
$ENABLE_DAVMOUNT = 1;
#@ALLOWED_TABLE_COLUMNS = ('name','size','lastmodified','created','mode','mime','uid','gid');
@VISIBLE_TABLE_COLUMNS = ('name', 'mode', 'uid', 'gid', 'size', 'lastmodified');
push @VISIBLE_TABLE_COLUMNS, 'fileactions' if $ALLOW_FILE_MANAGEMENT;
$LANGSWITCH = '
[EN] [DE] [FR] [IT] $CLOCK
';
## -- HEADER
## content after body tag in the Web interface
$HEADER = '
files/home - Web interface: You are logged in as ${USER}.
$NOW
';
#$POST_MAX_SIZE=1073741824; # 1GB
$POST_MAX_SIZE=5000000000;
$BUF_SIZE=1073741824; # 1GB
$ENABLE_CARDDAV = 0;
$ENABLE_GROUPDAV = 0;
$ENABLE_THUMBNAIL = 0;
$ENABLE_THUMBNAIL_PDFPS = 0;
%FILECOUNTPERDIRLIMIT = ();
%FILEFILTERPERDIR = ();
EOF
# check the syntax of the configuration file
perl -c webdav.conf
}}}
webdavcgi assumes that it is installed under /etc/webdavcgi. Here, the program is installed under /usr/local/share/webdavcgi-git. Look for occurrences of `etc/webdavcgi` under `/usr/local/share/webdavcgi-git` and correct these,
{{{
fgrep -r 'etc/webdavcgi' .
sed -i 's|etc/webdavcgi|usr/local/share/webdavcgi-git|g' helper/mod_perl_startup.pl
}}}
Disable the old webdavcgi site, enable the new one,
{{{
a2dissite files.conf
a2ensite files-git.conf
# reload apache
systemctl reload apache2
}}}

== Dhcp server ==
S15 is also the DHCP server of our institute, that is, it provides IP addresses to those machines that do not have a fixed address, e.g., laptops. At present, there is a pool of 7 addresses. Therefore, users should set their computer to a fixed address as soon as possible. The configuration file for the DHCP server, [attachment:dhcpd.conf /etc/dhcp/dhcpd.conf], has the following options set differently from the configuration file shipped with the package, now /etc/dhcp/dhcpd.conf.orig:
{{{
# option definitions common to all supported networks...
option domain-name "fluid.tuwien.ac.at";
# tunamea.tuwien.ac.at, tunameb.tuwien.ac.at
option domain-name-servers 128.130.4.3, 128.131.4.3;
option lpr-servers 128.130.169.2;
# ntp-servers - NTP protocol (RFC 1305)
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at, tutimec.tuwien.ac.at;
option ntp-servers 128.130.3.131, 128.130.2.3, 128.131.2.3;
# time-servers - RFC 868 protocol
# tutimeb.tuwien.ac.at, tutimea.tuwien.ac.at;
option time-servers 128.130.3.131, 128.130.2.3;

default-lease-time 7200;  # orig: 600
max-lease-time 14400;     # orig: 7200

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# the addresses which can be dynamically distributed (3 + 2 + 1 + 1 = 7)
subnet 128.130.169.0 netmask 255.255.255.128 {
  range 128.130.169.54 128.130.169.56;
  range 128.130.169.65 128.130.169.66;
  range 128.130.169.72;
  range 128.130.169.63;
  option routers 128.130.169.1;
}
}}}

== Print server ==
S15 is also a print server. The web interface of the CUPS print server can be accessed at the alias of s15, https://druck.fluid.tuwien.ac.at. The print server is configured such that it can be accessed from any address within TU Wien. Therefore, one can print from laptops connected via WLAN. The configuration of the CUPS server is stored in the file [attachment:cupsd.conf /etc/cups/cupsd.conf].

By default, cupsd generates self-signed certificates and stores them under /etc/cups/ssl/s15.fluid.tuwien.ac.at.{crt,key}. These files were replaced by symbolic links to the proper certificate and key under /etc/ssl/. This also switches off the generation of self-signed certificates. The differences from the shipped version of cupsd.conf are (the `<Location>` and `<Limit>` lines of the hunks were lost from this copy of the page):
{{{
--- /etc/cups/cupsd.conf.orig	2015-06-09 10:42:36.000000000 +0200
+++ /etc/cups/cupsd.conf	2017-07-25 14:30:10.440857673 +0200
@@ -13,8 +13,20 @@
 MaxLogSize 0
 
-# Only listen for connections from the local machine.
-Listen localhost:631
+#thomas: the /var/spool/cups directory filled up to 1.5G
+# only store a limited amount of jobs (Default: 500)
+MaxJobs 40
+
+# Listen for connections from remote machines.
+#Listen 128.130.169.2:631
+Listen *:631
 Listen /var/run/cups/cups.sock
+# With ServerName commented out, there were "BadRequests",
+# no matter what was done with Listen.
+#ServerName druck.fluid.tuwien.ac.at
+ServerAlias druck.fluid.tuwien.ac.at
+ServerAlias druck.fluid
+ServerAlias druck
+
 # Show shared printers on the local network.
 Browsing On
@@ -30,4 +42,8 @@
   Order allow,deny
+# Allow from @LOCAL
+# Allow from within TU Wien
+  Allow from 128.130.0.0/15
+# Order deny,allow
@@ -35,4 +51,5 @@
   Order allow,deny
+  Allow from 128.130.169.0/24
@@ -41,5 +58,6 @@
   AuthType Default
   Require user @SYSTEM
-  Order allow,deny
+  Order deny,allow
+# Allow from @LOCAL
@@ -53,5 +71,5 @@
 # Job-related operations must be done by the owner or an administrator...
-
+
   Order deny,allow
@@ -76,6 +94,6 @@
-  # Only the owner or an administrator can cancel or authenticate a job...
-
+  # Only the owner or an administrator authenticate a job...
+
   Require user @OWNER @SYSTEM
   Order deny,allow
}}}
A caveat on the access controls: in cupsd.conf, `Order allow,deny` means that access is denied unless an `Allow` matches, while `Order deny,allow` means that access is allowed unless a `Deny` matches, and every `<Location>` is evaluated on its own. Together with `Listen *:631`, the hunks that switch the admin and job locations to `Order deny,allow` without adding an `Allow from` make those locations reachable from any address that can reach port 631, gated only by their `Require user` lines. Adding `Allow from 128.130.0.0/15` there as well, as was done for the root location, keeps the web interface within TU Wien as intended. Note also that the institute network is a /25 elsewhere on this page (dhcpd.conf, munin), whereas the second hunk allows 128.130.169.0/24.

The printer description files for all printers, except canon, were installed from the web interface of CUPS, after installing hplip. The printer description file for canon, [attachment:canon.ppd /etc/cups/ppd/canon.ppd], was extracted from the tar archive of the CQue printer driver, which was obtained from the Canon support page, http://www.canon.at/support/products/imagerunner/ir2230.aspx

=== hplip bug ===
Some files did not print, with an error in /var/log/cups/error.log: `UnicodeEncodeError: 'utf-8' codec can't encode character ... surrogates not allowed`. Fix with
{{{
--- /usr/share/hplip/base/sixext.py.orig	2017-05-04 18:35:44.000000000 +0200
+++ /usr/share/hplip/base/sixext.py	2017-10-20 11:11:55.722454094 +0200
@@ -107,5 +107,5 @@
 def to_bytes_utf8(s):
-    return s.encode("utf-8")
+    return s.encode("utf-8", errors="surrogateescape")
}}}
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879115, or https://bugs.launchpad.net/hplip/+bug/1498366. At the next update of hplip, do not forget to delete the file /usr/share/hplip/base/sixext.py.orig; the package upgrade also overwrites the patched file, so check whether the fix is still needed.

== Time synchronization ==
The computer clock is synchronized with the TU time servers, not with the NTP pool servers from Debian, see [attachment:timesyncd.conf /etc/systemd/timesyncd.conf].
{{{
timedatectl set-ntp true
rm /etc/localtime
cp /usr/share/zoneinfo/Europe/Vienna /etc/localtime
}}}

== Privileges for oswat ==
The privileges for oswat were elevated slightly.
{{{
# lpadmin: administer cups; adm: read the log files in /var/log
usermod -a -G adm,lpadmin oswat
}}}

== Resource usage metrics ==
Resource usage on s15 is tracked using munin. The content of munin.conf was lost from this copy of the page. The Apache snippet is the shipped /etc/munin/apache24.conf with its `Require local` lines replaced by the two `Require ip` lines; its container lines were also missing from this copy and have been re-added from the shipped file.
{{{
apt-get install munin munin-node libapache2-mod-fcgid
a2enmod fcgid
cp -n /etc/munin/munin.conf /etc/munin/munin.conf.orig
cp -n /etc/munin/apache24.conf /etc/munin/apache24.conf.orig
chown oswat:oswat /etc/munin/munin.conf
chown oswat:oswat /etc/munin/apache24.conf
cat >/etc/munin/munin.conf <<'EOF'
...
EOF
cat >/etc/apache2/conf-available/munin.conf <<'EOF'
<Directory /var/cache/munin/www>
    Require ip 128.131.36.0/24
    Require ip 128.130.169.0/25
    Options None
</Directory>

ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
    Require ip 128.131.36.0/24
    Require ip 128.130.169.0/25
    <IfModule mod_fcgid.c>
        SetHandler fcgid-script
    </IfModule>
    <IfModule !mod_fcgid.c>
        SetHandler cgi-script
    </IfModule>
</Location>
EOF
service munin-node restart
service apache2 restart
}}}

== Netgen/NGSolve ==
See https://ngsolve.org and the [https://ngsolve.org/docu/latest/install/installlinux.html documentation] for updating the software and ''setting the necessary environment variables'' for running the software.
{{{
mkdir /usr/local/src/ngsuite
cd /usr/local/src/ngsuite
git clone git://git.code.sf.net/p/ngsolve/git ngsolve-src
cd ngsolve-src
git submodule update --init --recursive
mkdir ngsolve-build
cd ngsolve-build
# This will set the installation location to /opt/netgen
# For a different location, try, e.g.,
# cmake -DCMAKE_INSTALL_PREFIX=/usr/local/share/netgen /usr/local/src/ngsuite/ngsolve-src/
cmake /usr/local/src/ngsuite/ngsolve-src/
# a bare -j starts one job per target; limit it to the number of cores
make -j"$(nproc)"
make install
}}}