-
create a partition with partition type 8E (linux lvm)
-
apt-get install lvm2 -
Add new volumegroup
vgcreate vg0 /dev/sda6
-
apt-get install libvirt-bin virt-top qemu-kvm debootstrap dbus virtinst netcat-openbsd bridge-utils vde2 -
remove all additional ips from /e/n/i
-
We use vde2 to create a virtual switch for an internal network and bridge the tap device intern to the bridge intbr
/etc/network/interface
auto eth0
iface eth0 inet manual
auto extbr
iface extbr inet static
address 83.246.69.170
netmask 255.255.255.248
broadcast 83.246.69.175
gateway 83.246.69.169
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
auto intbr
iface intbr inet static
address 10.0.3.1
netmask 255.255.255.0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
bridge_ports intern
auto intern
iface intern inet manual
vde2-switch -t intern
For details about KSM see ksm.txt
apt-get install sysfsutils echo "kernel/mm/ksm/run = 1" >> /etc/sysfs.conf /etc/init.d/sysfsutils start
-
apt-get install slapd ldapvi -
Remove old ldap db:
rm /var/lib/ldap/(db|bdb|log*|alock) -
Remove slapd.d madness:
rm -rf /etc/ldap/slapd.d
/etc/ldap/slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#ssl support
TLSCACertificateFile /etc/ldap/ssl/ca.crt
TLSCertificateFile /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=grml,dc=org"
checkpoint 512 30
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=snow-crash,dc=org"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# The userPassword by default can be changed
# by the owner
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=grml,dc=org" write
by anonymous auth
by self write
by * none
# Read access for the base (needed by sasl..)
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=grml,dc=org" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=snow-crash,dc=org" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
initalize ldap db
slapadd -c < EOF
dn: dc=grml,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: grml.org
dc: grml
dn: cn=admin,dc=grml,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}ctYLwzAfESce+Yok3S9f2iW9HGpdakMB
dn: ou=People,dc=grml,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
dn: ou=Group,dc=grml,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
----------------------------------
* +chown -R openldap:openldap /var/lib/ldap/* /etc/ldap/slapd.conf+
* start slapd
host firewall
-------------
* +apt-get install ferm+
.ferm.conf
----------------------------------
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# respond to ping
proto icmp ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
domain ip6 {
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
policy ACCEPT;
# respond to ping
proto icmpv6 ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
}
----------------------------------------------------------------------------------------------
3ware tools
-----------
----------------------------------
# echo 'deb http://jonas.genannt.name/debian squeeze restricted' >
/etc/apt/sources.list.d/3dm2.list
# wget -O - http://jonas.genannt.name/debian/jonas_genannt.pub | apt-key add -
# apt-get update ; apt-get install 3ware-cli-binary 3ware-3dm2-binary
---------------------------------
serial console
--------------
To activate sol for the BMC/IMPI enable gettys for ttyS0. Adjust /etc/inittab
and make sure it contains
---------------------------------
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
---------------------------------
grub
~~~~
To send the grub output to the serial console as well as the vga console edit
/etc/default/grub and add the following lines:
---------------------------------
GRUB_TERMINAL="serial console"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
---------------------------------
Configure ipmi
--------------
* Show lan configuration: +ipmitool lan print+
* Set ip address: +ipmitool lan set 1 ipaddr $IPADDR+
* Set netmask: +ipmitool lan set 1 netmask 255.255.255.248+
* Set default gw: +ipmitool lan set 1 defgw ipaddr $GW+
Show user list: +ipmitool user list 1+
Create a new user:
---------------------------------
ipmitool user set name 6 mru
ipmitool user set password 6 PASSWORD
---------------------------------
Test the connection: +ipmitool -I lanplus -H $IP -U mru -a sol activate+
user management
---------------
Usermanagement is done with LDAP and cpu.
.cpu configuration
------------------------------
[GLOBAL]
DEFAULT_METHOD = ldap
#CRACKLIB_DICTIONARY = /var/cache/cracklib/cracklib_dict
[LDAP]
LDAP_URI = ldap://localhost
BIND_DN = cn=admin,dc=grml,dc=org
BIND_PASS = XXXXXXXXX
USER_BASE = ou=People,dc=grml,dc=org
GROUP_BASE = ou=Group,dc=grml,dc=org
USER_OBJECT_CLASS = account,posixAccount,shadowAccount,top
GROUP_OBJECT_CLASS = posixGroup,top
USER_FILTER = (objectClass=posixAccount)
GROUP_FILTER = (objectClass=posixGroup)
USER_CN_STRING = uid
GROUP_CN_STRING = cn
SKEL_DIR = /etc/skel
DEFAULT_SHELL = /usr/bin/zsh
HOME_DIRECTORY = /home
MAX_UIDNUMBER = 10000
MIN_UIDNUMBER = 1000
MAX_GIDNUMBER = 10000
MIN_GIDNUMBER = 1000
ID_MAX_PASSES = 1000
# Whether each user should have its own group created or not
USERGROUPS = yes
# If you change usergroup set this to the default group a user should have
#USERS_GID = 100
RANDOM = "false"
PASSWORD_FILE = "/etc/passfile"
SHADOW_FILE = "/etc/shadowfile"
HASH = "md5"
SHADOWLASTCHANGE = 11192
SHADOWMAX = 99999
SHADOWWARING = 7
SHADOWEXPIRE = -1
SHADOWFLAG = 134538308
SHADOWMIN = -1
SHADOWINACTIVE = -1
------------------------------
Adding users is simple: +cpu useradd -p formorer+
Add user to whell group: +cpu usermod -G wheel formorer+
puppet
------
the puppet configuration is on father.
client configuration
~~~~~~~~~~~~~~~~~~~~
Take care that father.grml.org is resovable (/etc/hosts.conf)
.puppet.conf
----------------------------------------------
[main]
pluginsync=true
server = father.grml.org
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
----------------------------------------------
run + puppetd -w 5 --debug -t+ afterwards and sign the request on father:
w
+puppetca --sign hostname+.
Run it again and check for errors. (It may take up to three runs until
everything is ok).
collectd
--------
TODO
reprepro
--------
On deb.grml.org:
----------------------------------
# apt-get install dpkg-dev
----------------------------------
repos.grml.org
--------------
----------------------------------
# apt-get install gitolite gitweb openbsd-inetd
# echo git stream tcp nowait gitdaemon /usr/bin/git git \
daemon --verbose --inetd --base-path=/srv/git/repositories \
/srv/git/repositories >> /etc/inetd
----------------------------------
bittorrent
----------
we use bttrack and transmission-daemon for bittorrent distribution. Both is
currently located on web.grml.org. bttrack is supervised by supervisor
(http://supervisord.org/) see `/etc/supervisor/conf.d/btracker.conf` for the
current configuration. transmission-daemon is started from it's init script.
If you remove some isos check `/home/tracker/torrents` for broken symlinks. If
you removed something that was in `/home/tracker/torrents` clear the symlink and
launch
---------------------------------
# supervisorctl restart bttrack
--------------------------------
afterwards.
Both use `/home/tracker/torrents/` as sourcedir for torrent seeding and allowed
torrents in the tracker. This directory is filled with symlinks to the real
files because of shortcomings in current BitTorrent software which limits
the usefulness of subdirectories.
create a new torrentfile
------------------------
to create a new torrent file call btmakemetafile:
-----------------------------------------------
btmakemetafile http://ftp-master.grml.org:6969/announce \
/var/www/ftp-master.grml.org/grml32-full_2012.05.iso \
--target /var/www/ftp-master.grml.org/grml32-full_2012.05.iso.torrent \
--announce_list \
http://tracker.publicbt.com/announce,http://ftp-master.grml.org:6969/announce,udp://tracker.openbittorrent.com:80/announce,udp://tracker.publicbt.com:80/announce \
--httpseeds http://download.grml.org/grml32-full_2012.05.iso
----------------------------------------------------------------------------------------------------------
and replace grml32-full_2012.05.iso with your iso name. After you created the file link it to `/home/tracker/torrents/` and restart bttrack afterwards.
If you are to lazy to do it by hand try:
-----------------------------------------------
# /usr/local/bin/make_torrent /var/www/ftp-master.grml.org/grml96-full_2013.02.iso
-----------------------------------------------
mirrors
-------
mirrors are configured in Mirrors.masterlist which is located in the
grml-mirrors repository. The format of the file should be more or less self
explanary. You can use any other entry as template. Please don't broke that
file as several other files are generated from that list.
We generate the following other files from the masterlist:
- mirmon config (`/etc/mirmon/mirror.list`). mirmon runs
(`/usr/local/bin/run_mirmon`) every 15 minutes and
calls `/usr/local/src/grml-mirrors/masterlist2mirmon`) after a git pull.
- after mirmon runs, `/usr/local/bin/generate_mirror_map` generates the apache
`/etc/apache2/grml.map` that drives the geoip mirror redirector.
The state of our mirrors can be checked via http://mirror.grml.org/.