Detailed Server Build

From Linuxcentre Wiki



Setup

OS Build

  • Install CentOS 5.4
  • Server name: 'server.network'
  • Nameserver: 127.0.0.1
  • IP address: 10.104.186.9 / 255.255.254.0, gateway: 10.104.186.1

Add some yum repositories

rpm -ivh http://linuxdownload.adobe.com/linux/i386/adobe-release-i386-1.0-1.noarch.rpm

Add some useful packages

yum -y install mtr tcpdump flash-plugin AdobeReader_enu

DNS / bind

  • Install bind
yum install bind
  • Set up bind with the local domain '.network'
  • Set up the forward zone 'network.'
  • Set up PTR reverse lookup zones for '186.104.10.in-addr.arpa' and '187.104.10.in-addr.arpa'
  • Set up forwarding entries to the external name servers
  • Add the named service to start at boot:
chkconfig named on
service named start
  • Example /etc/named.conf:
options {
        directory       "/var/named/data";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        allow-transfer  { 127.0.0.1; };
        version         "Go Away!";
        recursion       yes;
        forward only;
        // list upstream nameserver(s) here:
        forwarders { 10.100.249.245; };
};

zone "network." {
        type master;
        file "network.forward";
};

zone "186.104.10.in-addr.arpa." {
        type master;
        file "186.104.10.in-addr.arpa";
};

zone "187.104.10.in-addr.arpa." {
        type master;
        file "187.104.10.in-addr.arpa";
};

include "/etc/rndc.key";
  • Example zone file: /var/named/data/186.104.10.in-addr.arpa
$ttl 3600
@       SOA     server.network. root.network. (
        2009101100      ; Serial
        1200            ; Refresh seconds
        180             ; Retry seconds
        604800          ; Expiry seconds
        300 )           ; Negative cache seconds

        NS      server.network.

; dhcp hosts
1       PTR     gw.network.
2       PTR     gw2.network.
9       PTR     server.network.
145     PTR     ap1.network.
146     PTR     ap2.network.
147     PTR     ap3.network.
148     PTR     ap4.network.
149     PTR     ap5.network.
150     PTR     ap6.network.
250     PTR     proxy.network.
253     PTR     printer1.network.
  • Example zone file: /var/named/data/network.forward
$ttl 3600
@       SOA     server.network. root.network. (
        2009101100      ; Serial
        1200            ; Refresh seconds
        180             ; Retry seconds
        604800          ; Expiry seconds
        300 )           ; Negative cache seconds

        NS      server

;;;;; server names ;;;;;

; Main linux file/dns/dhcp server
server          A       10.104.186.9
wpad            CNAME   server

; Oxfordshire County Network local proxy server
proxy           A       10.104.186.250

;;;;; network devices ;;;;;
; printers
photocopier     A       10.104.187.50
printer1        A       10.104.186.253

; routers
gw              A       10.104.186.1
gw2             A       10.104.186.2

; Access points
ap1             A       10.104.186.145
ap2             A       10.104.186.146
ap3             A       10.104.186.147
ap4             A       10.104.186.148
ap5             A       10.104.186.149
ap6             A       10.104.186.150

;;;;; dhcp hosts ;;;;;
dhcp001         A       10.104.187.1
dhcp002         A       10.104.187.2
dhcp003         A       10.104.187.3
dhcp004         A       10.104.187.4
dhcp005         A       10.104.187.5
dhcp006         A       10.104.187.6
dhcp007         A       10.104.187.7
dhcp008         A       10.104.187.8
dhcp009         A       10.104.187.9
dhcp010         A       10.104.187.10
; ...need to complete - also in PTR
dhcp170         A       10.104.187.170
dhcp171         A       10.104.187.171
dhcp172         A       10.104.187.172
dhcp173         A       10.104.187.173
dhcp174         A       10.104.187.174
dhcp175         A       10.104.187.175
dhcp176         A       10.104.187.176
dhcp177         A       10.104.187.177
dhcp178         A       10.104.187.178
dhcp179         A       10.104.187.179
dhcp180         A       10.104.187.180
dhcp181         A       10.104.187.181
dhcp182         A       10.104.187.182
dhcp183         A       10.104.187.183
dhcp184         A       10.104.187.184
dhcp185         A       10.104.187.185
dhcp186         A       10.104.187.186
dhcp187         A       10.104.187.187
dhcp188         A       10.104.187.188
dhcp189         A       10.104.187.189
dhcp190         A       10.104.187.190
dhcp191         A       10.104.187.191
dhcp192         A       10.104.187.192
dhcp193         A       10.104.187.193
dhcp194         A       10.104.187.194
dhcp195         A       10.104.187.195
dhcp196         A       10.104.187.196
dhcp197         A       10.104.187.197
dhcp198         A       10.104.187.198
dhcp199         A       10.104.187.199
dhcp200         A       10.104.187.200
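The forward zone above is left incomplete for dhcp011 to dhcp169, and the matching PTR records still need adding. The script below is an added example, not from the wiki: it generates the missing dhcpNNN A and PTR records for the page's dhcpNNN to 10.104.187.NNN naming scheme and cross-checks a forward zone against its reverse zone, so stale or mismatched PTRs show up before clients depend on them. The sample zone files it writes are constructed, not the real ones.

```shell
#!/bin/sh
# Added example (not from the wiki): generate the missing dhcpNNN records and
# cross-check a forward zone against its reverse zone for 10.104.187.0/24.

# Forward A records for dhcpSTART..dhcpEND, in the network.forward layout
gen_forward() {
    n=$1
    while [ "$n" -le "$2" ]; do
        printf 'dhcp%03d\t\tA\t10.104.187.%d\n' "$n" "$n"
        n=$((n + 1))
    done
}

# Matching PTR records for the 187.104.10.in-addr.arpa zone
gen_reverse() {
    n=$1
    while [ "$n" -le "$2" ]; do
        printf '%d\tPTR\tdhcp%03d.network.\n' "$n" "$n"
        n=$((n + 1))
    done
}

# Report every 10.104.187.x A record whose last octet has no PTR, or whose
# PTR names a different host. Usage: check_ptr FORWARD_ZONE REVERSE_ZONE
check_ptr() {
    awk 'NR == FNR { if ($2 == "PTR") ptr[$1] = $3; next }
         $2 == "A" && $3 ~ /^10\.104\.187\./ {
             split($3, o, ".")
             if (o[4] in ptr) have = ptr[o[4]]; else have = "no PTR"
             if (have != $1 ".network.") print $1, $3, "->", have
         }' "$2" "$1"
}

# Constructed sample zones (not the real files) to show the check in action
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/network.forward" <<'EOF'
server          A       10.104.186.9
photocopier     A       10.104.187.50
dhcp001         A       10.104.187.1
dhcp002         A       10.104.187.2
EOF
cat > "$SAMPLE/187.104.10.in-addr.arpa" <<'EOF'
1       PTR     dhcp001.network.
2       PTR     wrongname.network.
EOF
gen_forward 51 53          # records to paste into network.forward
gen_reverse 51 53          # ...and into 187.104.10.in-addr.arpa
check_ptr "$SAMPLE/network.forward" "$SAMPLE/187.104.10.in-addr.arpa"
```

Run it against the real /var/named/data files once they are complete; the check prints nothing when every 10.104.187.x A record has a matching PTR.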

DHCP Server

  • Install dhcpd
yum install dhcp
  • Configure /etc/dhcpd.conf as follows:
authoritative;
ddns-update-style none;

# Automatic web browser proxy configuration
option local-pac-server code 252 = text;
option local-pac-server "http://10.104.186.9:80/wpad.dat";

subnet 10.104.186.0 netmask 255.255.254.0 {

        # default gateway
        option routers 10.104.186.1;
        option subnet-mask 255.255.254.0;

        # Time server
        option ntp-servers 10.104.186.9;

        # Netbios stuff for windows
        option netbios-name-servers 10.104.186.9;
        option netbios-node-type 2;

        # PXE boot
        filename "pxelinux.0";
        next-server 10.104.186.9;

        # DNS
        option domain-name "network";
        option domain-name-servers 10.104.186.9;

        # Address pool
        range 10.104.187.51 10.104.187.200;
        # one day lease
        default-lease-time 86400;
        max-lease-time 86400;
}
  • Add the dhcpd service to start at boot:
chkconfig dhcpd on
service dhcpd start

Time Server

  • Create this as /etc/ntp.conf
# record clock drift
driftfile /var/lib/ntp/drift

# trust no one...
restrict default nomodify notrap noquery

# ...except myself...
restrict 127.0.0.1
server 127.127.1.0
fudge  127.127.1.0 stratum 10

broadcastdelay  0.008
keys  /etc/ntp/keys

server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

restrict 0.centos.pool.ntp.org
restrict 1.centos.pool.ntp.org
restrict 2.centos.pool.ntp.org
restrict 0.0.0.0 mask 0.0.0.0 nomodify
  • Ensure service starts on boot
chkconfig ntpd on
service ntpd restart

Samba / Windows File Server

  • Add the following users and set their passwords:
adduser pupil
adduser staff
passwd pupil (then set a strong password that won't be used)
passwd staff (then set a strong password that won't be used)
  • Create the following file hierarchy:
mkdir -p /home/{staff,pupil}/samba/{share,share-backup}
mkdir -p /home/pupil/samba/share/Year\ {0,1,2,3,4,5,6}/
# Create some application specific shared dirs
mkdir -p /home/pupil/samba/share/Data/
chown -R root.root /home/pupil/samba/share/
chmod -R 1777 /home/pupil/samba/share/*
chown staff.staff -R /home/staff/samba/
  • Set up /etc/samba/smb.conf as follows:
[global]
workgroup = WORKGROUP
server string = Samba Server Version %v
netbios name = SERVER

max log size = 500
log level = 2

security = user
passdb backend = smbpasswd
smb passwd file = /etc/samba/smbpasswd
null passwords = yes

domain master = yes
preferred master = yes

wins support = yes
dns proxy = yes

load printers = yes
cups options = raw
printing = cups

[homes]
        comment = Home Directories
        browseable = no
        writable = no

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[share]
        comment = Pupil Files
        path = /home/pupil/samba/share
        public = yes
        writable = yes
        printable = no
        force user = pupil
        force group = pupil

[share-backup]
        comment = Pupil Backup Files
        path = /home/pupil/samba/share-backup
        public = yes
        writable = no
        printable = no
        force user = pupil
        force group = pupil

[staff]
        comment = Staff Files
        path = /home/staff/samba/share
        public = no
        writable = yes
        printable = no
        force user = staff
        force group = staff
        valid users = staff

[staff-backup]
        comment = Staff Backup Files
        path = /home/staff/samba/share-backup
        public = no
        writable = no
        printable = no
        force user = staff
        force group = staff
        valid users = staff
  • Create the Samba users:
smbpasswd -a pupil (then set a strong password that won't be used)
smbpasswd -a staff (set a shared password for staff)
smbpasswd -n pupil
  • Add the smb service to start at boot:
chkconfig smb on
service smb restart

Squid Web Proxy

  • Install squid
  • Create /etc/squid/squid.conf as follows; it allows access from everywhere and caches files up to 32 MB in size:
http_port 8080

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size 32768 KB
# emulate_httpd_log off
# debug_options ALL,1
# log_fqdn off
negative_ttl 1 minute
positive_dns_ttl 1 hour
negative_dns_ttl 1 minute

access_log /var/log/squid/access.log squid

### Only Allow These URLs or SSL domains ###
acl allowed_urls url_regex -i ^http://.*
acl allowed_ssl_domains dstdomain .

acl internal src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 8080        # http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Allow everyone (this matches every request, so the rules below never take effect)
http_access allow all
http_access deny !internal
http_access allow CONNECT allowed_ssl_domains
http_access allow allowed_urls
http_access deny all
  • Add the Squid service to start at boot:
chkconfig squid on
/etc/init.d/squid restart

Client Proxy Setup

  • Create /var/www/html/wpad.dat with the following content:
function FindProxyForURL( url, host ) {

        var normal = "PROXY 10.104.186.250:8080; DIRECT";
        var support = "PROXY 10.104.186.9:8080; DIRECT";
        var direct = "DIRECT";

        // Don't use the proxy for these: 127.0.0.1, localhost, 10.104.186.*, 10.104.187.*, <unqualified hostname>
        var bypass_regex = /^https?:\/\/(127\.0\.0\.1|localhost|.+\.network|10\.104\.18[67]\.[0-9]+|[a-zA-Z0-9\-]+)(:[0-9]+)?(\/+.*)?$/;

        // Send these via the support proxy: rm.com
        var support_regex = /^https?:\/\/(.+\.rm\.com)(:[0-9]+)?(\/+.*)?$/;

        if ( bypass_regex.test( url ) ) {
                return direct;
        }

        if ( support_regex.test( url ) ) {
                return support;
        }

        return normal;
}
  • Configure Apache web server to use the right mime-type for .pac files
  • Add this to the end of /etc/httpd/conf/httpd.conf:
# Make sure we have the right mime-type for the proxy pac wpad.dat file
AddType application/x-ns-proxy-autoconfig .dat
  • Ensure Apache starts at boot, then restart it:
chkconfig httpd on
service httpd restart

System Synchronization

  • Set up rsyncd to serve the directories that the netbooks sync from.
  • Enable rsyncd (run from xinetd) at startup:
chkconfig xinetd on
chkconfig rsync on
/etc/init.d/xinetd restart
  • Create file /etc/rsyncd.conf :
uid=root
gid=root
use chroot=no
pid file=/var/run/rsyncd.pid

[custom-scripts]
read only=true
path=/opt/custom-scripts/
comment=custom scripts for pushing to all systems

[pupilhome]
read only=true
path=/opt/pupilhome/
comment=pupil home directory for pushing to all systems
  • Create dirs
mkdir -p /opt/custom-scripts /opt/pupilhome
  • Copy the initial home directory on there before booting any clients, from the master build client:
sudo rsync -av --one-file-system --delete /home/pupil/ root@server:/opt/pupilhome/

Incremental Backups

Create a file: /opt/server-scripts/backup-shares as follows:

#!/bin/bash
#
# Sync files from local dirs with incremental backups
#
# Phil Lewis (C)2009, License GPLv3
INCDIR="inc-`date +%Y%m%d-%H-%M-%S`"
date

# Remove incremental archives over 60 days old from each backup area
for BASEDIR in /home/pupil/samba/share-backup /home/staff/samba/share-backup; do
        find "$BASEDIR/" -maxdepth 1 -mtime +60 -a -name 'inc-*' -exec rm -rf {} \;
done

# sync-src SRCDIR DESTDIR [extra rsync options]
sync-src()
{
SRCDIR=$1
shift
DESTDIR=$1
shift
OPTS=$*
echo "rsyncing from: '$SRCDIR' to: '$DESTDIR' with Options: '$OPTS'"
rsync   --archive \
        --safe-links \
        --progress \
        --update \
        --owner \
        --sparse \
        --one-file-system \
        --whole-file \
        --delete \
        --stats \
        -v \
        $OPTS "$SRCDIR" "$DESTDIR"
}

# Backup pupils' files, create incrementals in /home/pupil/samba/share-backup
sync-src /home/pupil/samba/share/ /home/pupil/samba/share-backup/latest/ --backup --backup-dir=/home/pupil/samba/share-backup/${INCDIR}
# Backup staff files, create incrementals in /home/staff/samba/share-backup
sync-src /home/staff/samba/share/ /home/staff/samba/share-backup/latest/ --backup --backup-dir=/home/staff/samba/share-backup/${INCDIR}

date
  • Make script executable:
chmod 755 /opt/server-scripts/backup-shares
  • Set up backups to run at 23:00h: Edit /etc/crontab and add:
# Run backups
0 23 * * * root /opt/server-scripts/backup-shares 2>&1

NX Remote Access

  • Install FreeNX:
yum install nx freenx
  • Create a privileged user called 'administrator':
adduser administrator
passwd administrator
[enter password twice]
  • Edit /etc/sudoers and uncomment this line:
%wheel  ALL=(ALL)       ALL
  • Add administrator to the wheel group in /etc/group:
wheel:x:10:root,administrator
  • Append the commercial nxclient key to the nx account. Add the line below to ~nx/.ssh/authorized_keys2:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver" ssh-dss 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 root@hostname
  • Set an nx password for administrator
nxpasswd administrator
[enter password twice]
  • Install the latest NXclient from http://nomachine.com
  • Create a new session for the server's IP address, user administrator, and Gnome as the session type.

iTalc Master Server

  • As root, download and install the packages:
wget ftp://ftp.pbone.net/mirror/atrpms.net/el5-i386/atrpms/stable/italc-1.0.9-6.el5.i386.rpm
wget ftp://ftp.pbone.net/mirror/atrpms.net/el5-i386/atrpms/stable/italc-master-1.0.9-6.el5.i386.rpm
yum install qt4
rpm -ivh italc-1.0.9-6.el5.i386.rpm italc-master-1.0.9-6.el5.i386.rpm
  • As root, create a key pair:
ica -createkeypair
chown -R administrator /etc/italc/keys/
  • Copy the teacher's public key from this server to every netbook (i.e. into the netbook image), keeping the same path. Source on the server:
/etc/italc/keys/public/teacher/key
  • Destination on the netbook:
/etc/italc/keys/public/teacher/key

Custom Scripts

These scripts are required on all the netbooks, which fetch them from this server. Download the scripts and extract them into /opt/custom-scripts/ as follows:

wget http://linuxcentre.net/wiki/images/1/1b/Custom-scripts-1.2.tar.gz
mkdir -p /opt/custom-scripts/
tar -C /opt/custom-scripts/ -xzvf Custom-scripts-1.2.tar.gz

Dell Specific Build Steps

Add Dell Repository

  • Run this as root:
wget -q -O - http://linux.dell.com/repo/hardware/OMSA_6.1/bootstrap.cgi | bash

Configure Dell Remote Access Controller

  • Install the DRAC command line tools:
yum install srvadmin-rac5-components srvadmin-racadm5 srvadmin-racsvc srvadmin-omacore srvadmin-storage
  • Start the Dell data engine service:
/etc/init.d/dataeng restart
  • View the current DRAC IP Address:
racadm getniccfg
  • Set the DRAC IP Address:
racadm setniccfg -s 10.104.186.8 255.255.254.0 10.104.186.1

Dell Storage Information

  • Show physical disk status:
/opt/dell/srvadmin/oma/bin/omreport storage pdisk controller=0
  • Show virtual disk status:
/opt/dell/srvadmin/oma/bin/omreport storage vdisk