Ubuntu VM Admin

Networking

Disappearing Ethernet

To deal with eth0 disappearing after moving or copying a VM:

rm /etc/udev/rules.d/70-persistent-net.rules
reboot

Registering a New host

Use lynx to connect to https://ner.ncsa.uiuc.edu/dnsworks/

lynx https://ner.ncsa.uiuc.edu/dnsworks/

Follow the directions at Create New VMware VM from Template#Register with the DNS System

(I would love to find a lynx option to turn off the SSL warning at each page.)

After getting an IP address allocated, you can bounce networking to have it take effect:

/etc/init.d/networking restart

Network Configuration

  • Edit /etc/hosts. Add the new server name to the beginning of the localhost line so that local GSI authorization will work. E.g.:
127.0.0.1       gs-dev.ncsa.uiuc.edu gs-dev localhost
  • Edit /etc/hostname. Change the contents to the full name of the new server.

Krb5 Install

Based on directions at [1] and [2]

Install Packages

apt-get install heimdal-clients libpam-heimdal

Install krb5.conf

cd /etc
mv krb5.conf krb5.conf.old
wget http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/krb5.conf
chmod 644 krb5.conf

Configure PAM

In /etc/pam.d edit the following files so they appear as follows.

common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok_secure use_first_pass
auth    required        pam_deny.so

common-session

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session optional        pam_foreground.so
session optional        pam_krb5.so ignore_root
  • On at least one Ubuntu box (gs-dev) pam_foreground does not exist.

vmware-authd

See Self Service Option for VM Administration#PAM Configuration. (Note this really has nothing to do with Kerberos, but since you're editing PAM stuff you may as well fix this now.)

e-Mail

Based on these directions, I did the following (btw, don't try this in 'screen' as the curses-based configuration is unintelligible):

# apt-get install postfix mailx
# dpkg-reconfigure postfix

Note that dpkg-reconfigure appears to repeat the configuration that apt-get performs, but it is actually more complete. Enter the following values (many should be default):

  • General type of mail configuration: Satellite system
  • mail name: system-name.ncsa.uiuc.edu (i.e. the FQDN of the system)
  • SMTP relay host: smtp.ncsa.uiuc.edu
  • Root and postmaster mail recipient: <your login name>
  • Other destinations to accept mail for (blank for none): localhost, localhost.localdomain, system-name.ncsa.uiuc.edu (default)
  • Force synchronous updates on mail queue? No (default)
  • Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 (default)
  • Mailbox size limit (bytes): 0 (default)
  • Local address extension character: + (default)
  • Internet protocols to use: all (default)

You then want to add aliases to user@ncsa.uiuc.edu addresses or ~/.forward files for users. Directions for adding an alias can be found here: [3]

Apache

SSL Support

Based on directions at https://help.ubuntu.com/community/forum/server/apache2/SSL:

# mkdir /etc/apache2/ssl
# chmod 755 /etc/apache2/ssl
# cp /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem /etc/apache2/ssl
# chown www-data /etc/apache2/ssl/hostcert.pem /etc/apache2/ssl/hostkey.pem
  • Make a copy of the default site:
# sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
  • And edit it to look like:
# vi /etc/apache2/sites-available/ssl
# cat /etc/apache2/sites-available/ssl
NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin your-email@ncsa.uiuc.edu

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/hostcert.pem
        SSLCertificateKeyFile /etc/apache2/ssl/hostkey.pem

        DocumentRoot /var/www/
        ...rest of file follows unaltered...
  • Edit the default site to restrict it to port 80:
# vi /etc/apache2/sites-available/default
# cat /etc/apache2/sites-available/default
NameVirtualHost *:80
<VirtualHost *:80>
        ServerAdmin your-email@ncsa.uiuc.edu

        DocumentRoot /var/www/
        ...rest of file follows unaltered...
  • And enable:
# a2enmod ssl
# a2ensite ssl
  • And restart Apache:
# /etc/init.d/apache2 restart
  • If you run into problems, check the apache error log:
# tail /var/log/apache2/error.log
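
As an added example (not part of the original directions): Apache's parent process reads the certificate and key as root at startup, before its workers switch to www-data, so the copied hostkey.pem does not need to be owned or readable by www-data. The function below audits a key file's owner and mode; check_key_perms is a hypothetical helper name, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original page): audit who can read a TLS private key.
# Usage: check_key_perms KEYFILE SERVICE_USER
# Returns 0 if clean, 1 if a finding was printed, 2 if the file is missing.
check_key_perms() {
    key=$1; svc_user=$2; rc=0
    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        return 2
    fi
    owner=$(stat -c %U "$key")   # GNU stat: owner name
    mode=$(stat -c %a "$key")    # GNU stat: octal mode, e.g. 644
    # Any group/other bit lets accounts other than the owner touch the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FINDING: $key mode $mode grants group/other access (want 600 or 400)"
        rc=1
    fi
    # A key owned by the service account is readable by every worker process,
    # including one taken over through a web application flaw.
    if [ "$owner" = "$svc_user" ]; then
        echo "FINDING: $key is owned by service account $svc_user"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $key ($owner, $mode)"
    fi
    return "$rc"
}

# Demo on a constructed placeholder file (not a real key):
# mode 644 is reported, mode 600 with a non-service owner passes.
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a key\n' > "$demo_dir/hostkey.pem"
chmod 644 "$demo_dir/hostkey.pem"
check_key_perms "$demo_dir/hostkey.pem" www-data || true
chmod 600 "$demo_dir/hostkey.pem"
check_key_perms "$demo_dir/hostkey.pem" www-data || true
rm -rf "$demo_dir"
```

On the system configured above, the call would be check_key_perms /etc/apache2/ssl/hostkey.pem www-data.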

PHP Support

# apt-get install php5 libapache2-mod-php5
# /etc/init.d/apache2 restart

Globus

Java install

apt-get install sun-java6-jdk
setenv JAVA_HOME /usr/lib/jvm/java-6-sun-*/ 

Ant Install

apt-get install ant ant-optional
setenv ANT_HOME /usr/share/ant

zlib install

Needed for GSI-Enabled OpenSSH [4]

apt-get install zlib1g-dev

OpenSSL for 4.2

Open problem. GT 4.2.1 build on Ubuntu fails with:

configure: error: Unable to compile with SSL

ERROR: Build has failed

Shibboleth

Install

You'll need to install Apache with SSL support, if you haven't already done so:

Follow the Ubuntu-specific directions here which build on the linux-specific directions here.

When I was done, Shibboleth kept looking for files in /usr/share/xml/shibboleth, so I did the following:

ln -s /usr/local/shibboleth-sp/share/xml/ /usr/share/xml/

Then see Shibboleth-SP Deployment.

Non-working apt-get Install

This did not work for me. The resulting install fails on any sort of signature verification.

As of this writing (Oct 22, 2008), the following installs version 1.3f of the Shibboleth SP.

apt-get install libshib-dev libapache2-mod-shib libshib-target5 libshib6

Buildbot

Installed buildbot via apt-get:

# apt-get install buildbot

The package automatically creates a 'buildbot' user and an /etc/init.d/buildbot script that starts buildbot running as that user.

Misc

Disabling Root Login

Edit /etc/shadow by hand and change root's password field to "!". Works for any account.

E.g.:

# grep root /etc/shadow
root:!:14145:0:99999:7::1:
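
An added example, not from the original page, that classifies the password field of each entry in a shadow-format file, so the "!" edit above can be verified and empty fields spotted. The function names are hypothetical, and every sample line except the root line is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify the password field of
# each entry in a shadow(5)-format file.
#   EMPTY    - field is empty: no password is required (relevant because the
#              pam_unix line in common-auth above carries a nullok variant)
#   LOCKED   - field starts with "!" or "*": no password can match it
#   PASSWORD - anything else, normally a password hash
classify_shadow() {
    awk -F: '
        NF < 2 || $1 == "" { next }                 # skip blank or malformed lines
        $2 == ""     { print $1, "EMPTY";  next }
        $2 ~ /^[!*]/ { print $1, "LOCKED"; next }
                     { print $1, "PASSWORD" }
    ' "$1"
}

# account_state FILE USER: print the state of one account; fail if it is absent.
account_state() {
    state=$(classify_shadow "$1" | awk -v u="$2" '$1 == u { print $2; exit }')
    [ -n "$state" ] || return 1
    echo "$state"
}

# Constructed sample file; only the root line is the one shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:!:14145:0:99999:7::1:
daemon:*:14145:0:99999:7:::
alice:$6$constructedsalt$constructedhash:14145:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:14145:0:99999:7:::
guest::14145:0:99999:7:::
EOF
classify_shadow "$sample"
rm -f "$sample"
```

A locked password field only blocks password authentication against /etc/shadow; per passwd(1), other authentication tokens such as SSH keys may still work.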

Adding a User

useradd -m username

(-m creates home directory)

To give the user sudo permission, add them to the "admin" group in /etc/group.
