Overview
Basic data
Hostname | gs1.fluid.tuwien.ac.at
Model |
Purpose | graphics server
Operating system | debian
Management interface |
Authentication options | TU password
Hardware
CPU | Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz (4 cores); Socket: FCLGA2011-3
RAM | 32 GiB; up to 256 GB DDR4-2400MHz
Storage | 500 GB (/) Samsung SSD 850 EVO 500GB; 2 x 2 TB (/home) btrfs-raid1
Graphics card | GeForce GTX 960
Battery type | CR2032
User's manuals for motherboard/BIOS and BMC/IPMI.
Configuration
All customized configuration files are marked by owner or group oswat,
find /etc -user oswat -o -group oswat
BIOS
press DEL to enter BIOS, F11 for boot menu
Admins
- Thomas Loimer
- Rudolf Ladner (ZID)
- Sebastian Boehm (ZID)
Installation of the base system
Debian bookworm (12.0) was installed on the 500 GB SSD: one partition (≈100 MB) for EFI (/boot/efi) and the remainder of the disk for root (/) with an ext4 file system. The file systems were labelled root_fs and home_fs.
While in the Debian installer, ssh-server was chosen and no localizations, only C and C.utf8.
Install grub2 as bootloader; the kernel EFI stub needs a command line (root=/dev/sda2 initrd=\EFI\debian\initrd.img), and there is no way to set that from the BIOS.
Had to create an administrative user: oswat, the home directory is /opt/oswat!
Partitioning
/dev/sda | 500 GB | |
/dev/sda1 | 94 MB | /boot/efi | vfat
/dev/sda2 | 500 GB | / | ext4
/dev/sdb+c | 2 TB | /home | btrfs-raid1
Network
echo gs1 >/etc/hostname
Note that the resolver (Domains=) and the NTP server are set per interface, see below. This keeps the configuration in one file.
cat >/etc/systemd/network/10-gs1.network <<EOF
[Match]
MACAddress=0c:c4:7a:69:5a:20

[Network]
Description=Static ethernet connection
Address=128.130.169.110/25
Gateway=128.130.169.1
DNS=128.130.4.3
DNS=128.131.4.3
Domains=fluid.tuwien.ac.at
#NTP=tutimeb.tuwien.ac.at tutimec.tuwien.ac.at tutimea.tuwien.ac.at
NTP=128.130.3.131 128.131.2.3 128.130.2.3
EOF
Remove legacy ifupdown, use ntp.
apt install systemd-resolved systemd-timesyncd
apt purge ifupdown
File systems
apt install btrfs-progs zstd
# create a btrfs-raid1 for data (-d) and metadata (-m) from /dev/sdb and /dev/sdc
mkfs.btrfs -f -L home_fs -d raid1 -m raid1 /dev/sdb /dev/sdc
cat >>/etc/fstab <<EOF
# / was on /dev/sda2 during installation
LABEL=root_fs / ext4 noatime,errors=remount-ro 0 1
# /boot/efi was on /dev/sda1 during installation
UUID=5AA6-2350 /boot/efi vfat umask=0077 0 1
LABEL=home_fs /home btrfs compress=zstd 0 2
EOF
Installation sources
cat >/etc/apt/sources.list <<EOF
# Most preferred sources are listed first, see man sources.list(5)
deb http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian bookworm main contrib

# The fallback solution, if gd.tuwien does not work
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main contrib

deb http://security.debian.org/debian-security bookworm-security main contrib
deb-src http://security.debian.org/debian-security bookworm-security main contrib

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib
deb-src http://gd.tuwien.ac.at/opsys/linux/debian/ bookworm-updates main contrib

deb http://deb.debian.org/debian/ bookworm-updates main contrib
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib
EOF
Do not install, by default, recommended packages.
echo 'APT::Install-Recommends "false";' >/etc/apt/apt.conf.d/90recommended_false
User access
sshd customization
Do not forward the client's locale, since there is only C/POSIX on gs1. Also, there is no sudo, so root is allowed to log in.
echo "PermitRootLogin yes" >/etc/ssh/sshd_config.d/permitrootlogin.conf apt install patch patch <<EOF --- /etc/ssh/sshd_config.orig 2023-04-12 16:19:45.904116844 +0200 +++ /etc/ssh/sshd_config 2023-03-29 10:20:37.697903087 +0200 @@ -109,7 +109,7 @@ #Banner none # Allow client to pass locale environment variables -AcceptEnv LANG LC_* +#AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /usr/lib/openssh/sftp-server EOF
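Review bot: The file header names /etc/ssh/sshd_config by absolute path, but patch is started with no target file and no -p option, so it drops the directory part and looks for sshd_config in the current directory; the command only succeeds when run from /etc/ssh. Naming the target explicitly, as in patch /etc/ssh/sshd_config <<EOF, removes that dependency. The single changed line at -109 (commenting out AcceptEnv LANG LC_*) also depends on the packaged sshd_config matching this context, so check patch's output for an offset or a reject and confirm the result with sshd -T before restarting the service.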
Allow all members of E322 to log in
# see https://arthurdejong.org/nss-pam-ldapd/
apt install libnss-ldapd libpam-ldapd nscd
# here is the entire /etc/nslcd.conf file
# some options in the first 20 lines might be set at installation time
# the delimiter is quoted so that the shell does not expand ${sAMAccountName}
cat >/etc/nslcd.conf <<'EOF'
#
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://dc.intern.tuwien.ac.at

# The search base that will be used for all queries.
base ou=tu,dc=intern,dc=tuwien,dc=ac,dc=at

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=E322_LDAP,ou=interactive,ou=exchange,ou=IT-services,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
bindpw **<confidential>**

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

# Here ends the shipped configuration file, customisation starts ...
base passwd ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base shadow ou=people,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at
base group ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at

# Mappings
filter passwd (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map passwd uid sAMAccountName
map passwd uidNumber employeeID
map passwd gecos cn
map passwd homeDirectory "/home/${sAMAccountName}"
map passwd loginShell "/bin/bash"
map passwd gidNumber "2153"
filter shadow (memberOf:1.2.840.113556.1.4.1941:=cn=E322_ALL,ou=groups,ou=TU,dc=intern,dc=tuwien,dc=ac,dc=at)
map shadow uid sAMAccountName
filter group (cn=E322*)
map group userPassword ""
map group gidNumber objectSid:S-1-5-21-527783839-1561677997-9029855232
EOF
Do not forget to have home directories created for users,
pam-auth-update mkhomedir
# Installation of libpam-ldapd most probably runs
# pam-auth-update ldap
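A check for two properties of the nslcd.conf above: with tls_reqcert never the certificate of the ldaps:// server is not verified even though a CA bundle is configured, and bindpw is stored in clear text. This is an added example, not part of the original page; the function names and both sample files are constructed, only the nslcd.conf option names are real.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and both sample
# files are constructed; only the nslcd.conf option names are real.

# Print the last value set for a single-valued nslcd.conf option.
nslcd_opt() {   # usage: nslcd_opt FILE OPTION
    awk -v o="$2" '$1 == o { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one finding per line; no output means the file passed.
audit_nslcd() { # usage: audit_nslcd FILE
    reqcert=$(nslcd_opt "$1" tls_reqcert)
    case $reqcert in
        never|allow)
            echo "tls_reqcert $reqcert: LDAP server certificate is not verified" ;;
        *)  # try/demand/hard, or unset (left to the libldap default)
            [ -n "$(nslcd_opt "$1" tls_cacertfile)$(nslcd_opt "$1" tls_cacertdir)" ] ||
                echo "verification needs tls_cacertfile or tls_cacertdir" ;;
    esac
    # bindpw is a clear-text secret; character 8 of ls -l is "others: read".
    if [ -n "$(nslcd_opt "$1" bindpw)" ] &&
       [ "$(ls -ld "$1" | cut -c8)" = r ]; then
        echo "bindpw in a world-readable file"
    fi
}

# Constructed samples: the TLS lines as on this page, and a corrected variant.
write_samples() { # usage: write_samples DIR
    cat >"$1/weak.conf" <<'EOF'
uri ldaps://ldap.example.org
bindpw not-a-real-secret
tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
    sed 's/^tls_reqcert never$/tls_reqcert demand/' "$1/weak.conf" >"$1/fixed.conf"
    chmod 644 "$1/weak.conf"    # constructed: readable by every local user
    chmod 640 "$1/fixed.conf"   # constructed: group-readable only
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak fixed; do
    echo "== $f.conf"; audit_nslcd "$dir/$f.conf"
done
rm -rf "$dir"
```

On the real host, run audit_nslcd /etc/nslcd.conf as root after any change to the file or its ownership.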
Enable hibernation
Create a swap file (not a swap partition), enable swap and modify the kernel command line to search for a RAM image.
Use filefrag to get the offset of the swap file.
It is not necessary to modify /etc/initramfs-tools/conf.d/resume.
touch /swap
chmod 600 /swap
dd if=/dev/zero of=/swap bs=1M count=32768
# write the swap signature, otherwise the file cannot be used as swap
mkswap /swap
filefrag -v /swap | head
# Use the number in the first row, first column of the "physical offset:" columns.
# This number has two dots appended (here: 202752..).
echo GRUB_CMDLINE_LINUX_DEFAULT=\"resume=PARTLABEL=root_partition resume_offset=202752\" \
    >/etc/default/grub.d/resume.cfg
# regenerate grub.cfg so that the new kernel command line takes effect
update-grub
echo "/swap swap swap defaults 0 0" >>/etc/fstab
Mark customized files
cd /etc
chgrp oswat hostname fstab apt/sources.list apt/apt.conf.d/90recommended_false \
    systemd/network/10-gs1.network ssh/sshd_config ssh/sshd_config.d/permitrootlogin.conf \
    default/grub.d/resume.cfg
chown oswat nslcd.conf