CSCWiki - User contributions [en]

Mirror

2022-10-04T03:19:25Z

A268wang: Update section for merlin

The [https://csclub.uwaterloo.ca Computer Science Club] runs a public mirror ([http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca]) on [[Machine_List#potassium-benzoate|potassium-benzoate]].

''We are listed on the ResNet "don't count" list, so downloading from our mirror will not count against one's ResNet quota.''

== Software Mirrored ==

A list of current archives (and their respective disk usage) is listed on our mirror's homepage at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

=== Mirroring Requests ===

Requests to mirror a particular distribution or archive should be made to [mailto:syscom@csclub.uwaterloo.ca syscom@csclub.uwaterloo.ca].

== Implementation Details ==

=== Syncing ===

==== Storage ====

All of our projects are stored on an 8x18TB disk raidz2 array (cscmirror0). There is an additional drive acting as a hot-spare.

* <code>/mirror/root/.cscmirror0</code>

Each project is given a filesystem the pool. Symlinks are created <code>/mirror/root</code> to point to the correct pool and file system.

==== Merlin ====
Project synchronization is done by "merlin" which is a Go rewrite of the Python script "merlin" originally written by a2brenna.

The program is stored in <code>~mirror/merlin</code> and is managed by the systemd unit <code>merlin-go.service</code>.

The config file <code>merlin-config.ini</code> contains the list of repositories along with their configurations.

To view the sync status, execute <code>~mirror/merlin/cmd/arthur/arthur status</code>. To force the sync of a project, execute <code>~mirror/merlin/cmd/arthur/arthur sync:PROJECT_NAME</code>.

'''Remark''': For syncing Debian repositories we were [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020998 requested] to use ftpsync which has configs in <code>~mirror/ftpsync</code>.

===== Push Sync =====

Some projects support push syncing via SSH.

We are running a special SSHD instance on mirror.csclub.uwaterloo.ca:22. This instance has been locked down, with the following settings:

* Only SSH key authentication
* Only users of the <code>push</code> group (except <code>mirror</code>) are allowed to connect
* X11 Forwarding, TCP Forwarding, Agent Forwarding, User RC and TTY are disabled
* Users are chrooted to <code>/mirror/merlin</code>

Most projects will connect using the <code>push</code> user. The SSH authorized keys file is located at <code>/home/push/.ssh/authorized_keys</code>. An example entry is:

<pre>
restrict,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="arthur sync:ubuntu >/dev/null 2>/dev/null </dev/null &",from="XXX.XXX.XXX.XXX" ssh-rsa ...
</pre>

==== Sync Scripts ====

Our collection of synchronization scripts are located in <code>~mirror/bin</code>. They currently include:

* <code>csc-sync-apache</code>
* <code>csc-sync-debian</code>
* <code>csc-sync-debian-cd</code>
* <code>csc-sync-gentoo</code>
* <code>csc-sync-ssh</code>
* <code>csc-sync-standard</code>

Most of these scripts take the following parameters:

<code>local_dir rsync_host rsync_dir</code>

=== HTTP(s) ===

We use [https://nginx.org nginx] as our webserver.

==== Index ====

An index of the archives we mirror is available at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

As of Winter 2010, it is now generated by a Python script in <code>~mirror/mirror-index</code>.

<code>~mirror/mirror-index/make-index</code> is scheduled in <code>/etc/cron.d/csc-mirror</code> to be run hourly. The script can be run manually when needed (for example, when the archive list is updated) by running:

<code>sudo -u mirror /home/mirror/mirror-index/make-index.py</code>

The script will iterate all folders in <code>/mirror/root</code>, identify the size of the project using `zfs get -H -o value used $dataset`, where $dataset is calculated from the symlink in <code>/mirror/root</code>. The size of all folders is added together to calculate the total folder size (the total size includes hidden projects).

<code>make-index.py</code> is configured by means of a [https://yaml.org YAML] file, <code>config.yaml</code>, in the same directory. Its format is as follows:

<pre class="yaml">docroot: /mirror/root
output: /mirror/root/index.html

exclude:
- include
- lost+found
- pub
# (...)

directories:
apache:
site: apache.org
url: http://www.apache.org/

archlinux:
site: archlinux.org
url: http://www.archlinux.org/

# (...)</pre>
The docroot is the directory which is to be scanned; this will probably always be the mirror root from which Apache serves. This is here so that it's easy to find and alter. For instance, we could change <code>--human-readable</code> to <code>--si</code> if we ever decided that, like hard disk manufacturers, we want sizes to appear larger than they are. <code>output</code> defines the file to which the generated index will be written.

<code>exclude</code> specifies the list of directories which will not be included in the generated index page (since, by default, all folders are included in the generated index page).

Finally, <code>directories</code> specifies the information of directories. All directories are listed by default, whether or not they appear in this list - only those under <code>exclude</code> are ignored. The format is fairly straightforward: simply name the directory and provide a site (the display name in the "Project Site" column) and URL. One caveat here is that YAML does not allow tabs for whitespace. Indent with two spaces to remain consistent with the existing file format, please. Also note that the directory name is case-sensitive, as is always the case on Unix.

Finally, the HTML index file is generated from <code>index.mako</code>, a Mako template (which is mostly HTML anyhow). If you really can't figure out how it works, look up the Mako documentation.

=== FTP ===

We use [http://www.proftpd.org/ proftpd] (standalone daemon) as our FTP server.

To increase performance, we disable DNS lookups in <code>proftpd.conf</code>:

<pre>UseReverseDNS off
IdentLookups off</pre>
We also limit the amount of CPU/memory resources used (e.g. to minimize [https://en.wikipedia.org/wiki/Globbing Globbing] resources):

<pre>RLimitCPU session 10
RLimitMemory session 4096K</pre>
We allow a maximum of 500 concurrent FTP sessions:

<pre>MaxInstances 500
MaxClients 500</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

=== rsync ===

We use <code>rsyncd</code> (standalone daemon).

We disable compression and checksumming in <code>rsyncd.conf</code>:

<pre>dont compress = *
refuse options = c delete</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

== Mirror Administration ==

=== Adding a new project ===

# Find the instructions for mirroring the project. Ideally, try to sync directly from the project’s source repository.
#* Note that some projects provide sync scripts, however we generally won’t use them. We will instead use our custom ones.
# Create a zfs filesystem to store the project in:
#*<code>zfs create cscmirror0/$PROJECT_NAME</code>
# Change the folder ownership
#*<code>chown mirror:mirror /mirror/root/.cscmirror0/$PROJECT_NAME</code>
# Create the symlink in <code>/mirror/root</code>
#*<code>ln -s .cscmirror0/$PROJECT_NAME $PROJECT_NAME</code> ('''NOTE''': The symlink must be relative to the <code>/mirror/root</code> directory. If it isn’t, the symlinks will not work when chrooted)
# Repeat the above steps on mirror-phys. <code>sudo ssh mirror-dc</code> on potassium-benzoate ['''NOTE: This machine is currently unavailable]'''
# Configure the project in merlin (<code>~mirror/merlin/merlin.py</code>)
#* Select the appropriate sync script (typically <code>csc-sync-standard</code>) and supply the appropriate parameters
# Restart merlin: <code>systemctl restart merlin</code>
#* This will kick off the initial sync
#* Check <code>~mirror/merlin/logs/$PROJECT_NAME</code> for errors, <code>~mirror/merlin/logs/transfer.log</code> for transfer progress
# Configure the project in zfssync.yml (<code>~mirror/merlin/zfssync.yml</code>)
# Update the mirror index configuration (<code>~mirror/mirror-index/config.yaml</code>)
# Add the project to rsync (<code>/etc/rsyncd.conf</code>)
#* Restart rsync with <code>systemctl restart rsync</code>

If push mirroring is available/required, see [[#Push_Sync|Push Sync]].

=== Secondary Mirror ===

The School of Computer Science's CSCF has provided us with a secondary mirror machine located in DC. This will limit the downtime of mirror.csclub in the event of an outage affecting the MC machine room.

==== Keepalived ====

Mirror's IP addresses (129.97.134.71 and 2620:101:f000:4901:c5c::f:1055) have been configured has VRRP address on both machines. Keepalived does the monitoring and selecting of the active node.

Potassium-benzoate has higher priority and will typically be the active node. A node's priority is reduced when nginx, proftpd or rsync are not running. Potassium-benzoate starts with a score of 100 and mirror-dc starts with a priority of 90 (higher score wins).

When nginx is unavailable (checked w/ curl), the priority is reduced by 20. When proftpd is unavailable (checked with curl), the priority is reduced by 5. When rsync is unavailable (checking with rsync), the priority is reduced by 15.

The Systems Committee should received an email when the nodes swap position.

==== Project synchronization ====

Only potassium-benzoate is configure with merlin. mirror-dc has the software components, but they are probably not update to date nor configured to run correctly.

When a project sync is complete, merlin will kick off a custom script to sync the zfs dataset to the other node. These scripts live in /usr/local/bin and in ~mirror/merlin.

Mirror

2022-08-05T02:37:30Z

A268wang: add temporary update message for merlin-go

The [https://csclub.uwaterloo.ca Computer Science Club] runs a public mirror ([http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca]) on [[Machine_List#potassium-benzoate|potassium-benzoate]].

''We are listed on the ResNet "don't count" list, so downloading from our mirror will not count against one's ResNet quota.''

== Software Mirrored ==

A list of current archives (and their respective disk usage) is listed on our mirror's homepage at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

=== Mirroring Requests ===

Requests to mirror a particular distribution or archive should be made to [mailto:syscom@csclub.uwaterloo.ca syscom@csclub.uwaterloo.ca].

== Implementation Details ==

=== Syncing ===

==== Storage ====

All of our projects are stored on one of three zfs zpools. There are 8 drives per array (7 run cscmirror3), configured as raidz2, and there is an additional drive that can be swapped in (in the event of a disk failure).

* <code>/mirror/root/.cscmirror1</code>
* <code>/mirror/root/.cscmirror2</code>
* <code>/mirror/root/.cscmirror3</code>

Each project is given a filesystem under one of the two pools. Symlinks are created <code>/mirror/root</code> to point to the correct pool and file system.

==== Merlin ====

<nowiki>**</nowiki>'''UPDATE'''**: merlin.py and the sync scripts are currently being merged together into merlin-go which can be found at <code>/home/mirror-go/merlin</code>. The current status can be found using <code>systemctl status merlin-go.service</code> or by going to <code>/home/mirror-go/merlin/cmd/arthur</code> and running <code>./arthur status</code>. To force sync a project execute <code>./arthur sync:PROJECT_NAME</code>.

The synchronization process is run by a Python script called "merlin", written by a2brenna. The script is stored in <code>~mirror/merlin</code>.

The list of repositories and their configuration (synch frequency, location, etc.) is configured in <code>merlin.py</code>.

To view the sync status, execute <code>~mirror/merlin/arthur.py status</code>. To force the sync of a project, execute <code>~mirror/merlin/arthur.py sync:PROJECT_NAME</code>.

===== Push Sync =====

Some projects support push syncing via SSH.

We are running a special SSHD instance on mirror.csclub.uwaterloo.ca:22. This instance has been locked down, with the following settings:

* Only SSH key authentication
* Only users of the <code>push</code> group (except <code>mirror</code>) are allowed to connect
* X11 Forwarding, TCP Forwarding, Agent Forwarding, User RC and TTY are disabled
* Users are chrooted to <code>/mirror/merlin</code>

Most projects will connect using the <code>push</code> user. The SSH authorized keys file is located at <code>/home/push/.ssh/authorized_keys</code>. An example entry is:

<pre>
restrict,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="arthur sync:ubuntu >/dev/null 2>/dev/null </dev/null &",from="XXX.XXX.XXX.XXX" ssh-rsa ...
</pre>

==== Sync Scripts ====

Our collection of synchronization scripts are located in <code>~mirror/bin</code>. They currently include:

* <code>csc-sync-apache</code>
* <code>csc-sync-debian</code>
* <code>csc-sync-debian-cd</code>
* <code>csc-sync-gentoo</code>
* <code>csc-sync-ssh</code>
* <code>csc-sync-standard</code>

Most of these scripts take the following parameters:

<code>local_dir rsync_host rsync_dir</code>

=== HTTP(s) ===

We use [https://nginx.org nginx] as our webserver.

==== Index ====

An index of the archives we mirror is available at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

As of Winter 2010, it is now generated by a Python script in <code>~mirror/mirror-index</code>.

<code>~mirror/mirror-index/make-index</code> is scheduled in <code>/etc/cron.d/csc-mirror</code> to be run hourly. The script can be run manually when needed (for example, when the archive list is updated) by running:

<code>sudo -u mirror /home/mirror/mirror-index/make-index.py</code>

The script will iterate all folders in <code>/mirror/root</code>, identify the size of the project using `zfs get -H -o value used $dataset`, where $dataset is calculated from the symlink in <code>/mirror/root</code>. The size of all folders is added together to calculate the total folder size (the total size includes hidden projects).

<code>make-index.py</code> is configured by means of a [https://yaml.org YAML] file, <code>config.yaml</code>, in the same directory. Its format is as follows:

<pre class="yaml">docroot: /mirror/root
output: /mirror/root/index.html

exclude:
- include
- lost+found
- pub
# (...)

directories:
apache:
site: apache.org
url: http://www.apache.org/

archlinux:
site: archlinux.org
url: http://www.archlinux.org/

# (...)</pre>
The docroot is the directory which is to be scanned; this will probably always be the mirror root from which Apache serves. This is here so that it's easy to find and alter. For instance, we could change <code>--human-readable</code> to <code>--si</code> if we ever decided that, like hard disk manufacturers, we want sizes to appear larger than they are. <code>output</code> defines the file to which the generated index will be written.

<code>exclude</code> specifies the list of directories which will not be included in the generated index page (since, by default, all folders are included in the generated index page).

Finally, <code>directories</code> specifies the information of directories. All directories are listed by default, whether or not they appear in this list - only those under <code>exclude</code> are ignored. The format is fairly straightforward: simply name the directory and provide a site (the display name in the "Project Site" column) and URL. One caveat here is that YAML does not allow tabs for whitespace. Indent with two spaces to remain consistent with the existing file format, please. Also note that the directory name is case-sensitive, as is always the case on Unix.

Finally, the HTML index file is generated from <code>index.mako</code>, a Mako template (which is mostly HTML anyhow). If you really can't figure out how it works, look up the Mako documentation.

=== FTP ===

We use [http://www.proftpd.org/ proftpd] (standalone daemon) as our FTP server.

To increase performance, we disable DNS lookups in <code>proftpd.conf</code>:

<pre>UseReverseDNS off
IdentLookups off</pre>
We also limit the amount of CPU/memory resources used (e.g. to minimize [https://en.wikipedia.org/wiki/Globbing Globbing] resources):

<pre>RLimitCPU session 10
RLimitMemory session 4096K</pre>
We allow a maximum of 500 concurrent FTP sessions:

<pre>MaxInstances 500
MaxClients 500</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

=== rsync ===

We use <code>rsyncd</code> (standalone daemon).

We disable compression and checksumming in <code>rsyncd.conf</code>:

<pre>dont compress = *
refuse options = c delete</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

== Mirror Administration ==

=== Adding a new project ===

# Find the instructions for mirroring the project. Ideally, try to sync directly from the project’s source repository.
#* Note that some projects provide sync scripts, however we generally won’t use them. We will instead use our custom ones.
# Create a zfs filesystem to store the project in:
#* Find the pool with least current disk usage
#* <code>zfs create cscmirror{1,2,3}/$PROJECT_NAME</code>
# Change the folder ownership
#* <code>chown mirror:mirror /mirror/root/.cscmirror{1,2,3}/$PROJECT_NAME</code>
# Create the symlink in <code>/mirror/root</code>
#* <code>ln -s .cscmirror{1,2,3}/$PROJECT_NAME $PROJECT_NAME</code> ('''NOTE''': The symlink must be relative to the <code>/mirror/root</code> directory. If it isn’t, the symlinks will not work when chrooted)
# Repeat the above steps on mirror-dc. <code>sudo ssh mirror-dc</code> on potassium-benzoate
# Configure the project in merlin (<code>~mirror/merlin/merlin.py</code>)
#* Select the appropriate sync script (typically <code>csc-sync-standard</code>) and supply the appropriate parameters
# Restart merlin: <code>systemctl restart merlin</code>
# Configure the project in zfssync.yml (<code>~mirror/merlin/zfssync.yml</code>)
#* This will kick off the initial sync
#* Check <code>~mirror/merlin/logs/$PROJECT_NAME</code> for errors, <code>~mirror/merlin/logs/transfer.log</code> for transfer progress
# Update the mirror index configuration (<code>~mirror/mirror-index/config.yaml</code>)
# Add the project to rsync (<code>/etc/rsyncd.conf</code>)
#* Restart rsync with <code>systemctl restart rsync</code>

If push mirroring is available/required, see [[#Push_Sync|Push Sync]].

=== Secondary Mirror ===

The School of Computer Science's CSCF has provided us with a secondary mirror machine located in DC. This will limit the downtime of mirror.csclub in the event of an outage affecting the MC machine room.

==== Keepalived ====

Mirror's IP addresses (129.97.134.71 and 2620:101:f000:4901:c5c::f:1055) have been configured has VRRP address on both machines. Keepalived does the monitoring and selecting of the active node.

Potassium-benzoate has higher priority and will typically be the active node. A node's priority is reduced when nginx, proftpd or rsync are not running. Potassium-benzoate starts with a score of 100 and mirror-dc starts with a priority of 90 (higher score wins).

When nginx is unavailable (checked w/ curl), the priority is reduced by 20. When proftpd is unavailable (checked with curl), the priority is reduced by 5. When rsync is unavailable (checking with rsync), the priority is reduced by 15.

The Systems Committee should received an email when the nodes swap position.

==== Project synchronization ====

Only potassium-benzoate is configure with merlin. mirror-dc has the software components, but they are probably not update to date nor configured to run correctly.

When a project sync is complete, merlin will kick off a custom script to sync the zfs dataset to the other node. These scripts live in /usr/local/bin and in ~mirror/merlin.

New CSC Machine

2022-06-25T02:13:20Z

A268wang: fix ipv6 static address

= Firmware Updates =

Vendors such as Dell provide firmware updates that should be applied before putting new machines into service. Even if the machine's warranty has expired, security updates are still made available.

It is recommended to use the following sequence when updating firmware on the Dell PowerEdge servers ([https://downloads.dell.com/solutions/general-solution-resources/White%20Papers/Recommended%20Workflow%20for%20Performing%20Firmware%20Updates%20on%20PowerEdge%20Servers.pdf]):

# iDRAC
# Lifecycle Controller
# BIOS
# Diagnostics
# OS Driver Pack
# RAID
# NIC
# PSU
# CPLD
# Other update

= Booting =

* Put the TFTP image in place (if dist-arch pair installed before, you may skip this).
e.g. extract http://mirror.csclub.uwaterloo.ca/ubuntu/dists/oneiric/main/installer-amd64/current/images/netboot/netboot.tar.gz to caffeine:/srv/tftp/oneiric-amd64

* Force network boot in the BIOS. This may be called "Legacy LAN" or other such cryptic things. If this doesn't work, boot from CD or USB instead.

It is preferred to use the "alternate" Ubuntu installer image, based on debian-installer, instead of the Ubiquity installer. This installer supports software RAID and LVM out of the box, and will generally make your life easier. If installing Debian, this is the usual installer, so don't sweat it.

* Most of our newer servers (e.g. PowerEdge R815) need non-free firmware in order to boot. This means that if you are using a new netboot image, it is highly recommended to include the entire non-free firmware bundle in the boot image. See [https://wiki.debian.org/DebianInstaller/NetbootFirmware] for more information.

= Installing =

== debian-installer ==

At least in expert mode, you can choose a custom mirror (top of the countries list) and give the path for mirror directly. This will make installation super-fast compared to installing from anywhere else.

Please install to LVM volumes, as this is our standard configuration on all machines where possible. It allows more flexible partitioning across available volumes. Since GRUB 2, even /boot may be on LVM; this is the preferred configuration for simplicity, except when legacy partitioning setups make this inconvenient.

You may enable unattended upgrades, but do not enable Canonical's remote management service or any such nonsense. This is mostly a straightforward Debian/Ubuntu install.

== Ubiquity ==

Ubiquity is the Ubuntu GUI installer. For it to have lvm support, run:
apt install lvm2

If you still can't see the partitions (even if lvscan sees them, but no devices exist), run <tt>vgscan</tt> and <tt>vgchange -ay</tt> as root. Now the partitioner should be able to see them. We prefer to use LVM for partitions. Since GRUB 2, even /boot may be on LVM; this is the preferred configuration for simplicity, except when legacy partitioning setups make this inconvenient.

After installing with Ubiquity, you must also add LVM support to the newly installed system, and in particular its initramfs.

mount /dev/vg0/root /mnt
mount /dev/sda1 /mnt/boot
chroot /mnt
apt install lvm2

You should see an update-initramfs update. Reboot.

= After Installing =

Add the machine's name to ~git/public/hosts.git, and run the ansible playbook (https://git.uwaterloo.ca/csc/playbooks/blob/master/update-hosts.yml) to distribute the updated hosts file to all machines.

== apt ==

If you did not during installation, change all references in <tt>/etc/apt/sources.list</tt> to use <tt>mirror</tt> instead of the usual mirrors.

Also add support for the CSC packages. Add the following to <tt>/etc/apt/sources.list.d/csclub.list</tt> (or copy from another host):

deb http://debian.csclub.uwaterloo.ca/ <distribution> main contrib non-free
deb-src http://debian.csclub.uwaterloo.ca/ <distribution> main contrib non-free

You'll also need the CSC archive signing key (if <tt>curl</tt> is not installed, install it).
curl -s http://debian.csclub.uwaterloo.ca/csclub.asc | apt-key add -

You should now run <tt>apt-get update</tt> to reflect these changes.

For unattended upgrades in the future, install the <tt>unattended-upgrades</tt> package and copy <tt>/etc/apt/apt.conf</tt> from another host.

== network ==

Note that inapt current uninstalls NetworkManager, which is what Ubuntu uses by default to configure the network. Once this completes, open <tt>/etc/network/interfaces</tt> and set up a static networking configuration (otherwise, networking will not come back up on reboot). It should look something like this (NOTE: csc-storage is only for servers in the machine room):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 129.97.134.xxx
netmask 255.255.255.0
gateway 129.97.134.1

iface eth0 inet6 static
address 2620:101:f000:4901:c5c::XXXX
netmask 64
gateway 2620:101:f000:4901::1

# csc-storage
auto eth0.530
iface eth0.530 inet static
address 172.19.168.xxx
netmask 255.255.255.224
vlan-raw-device eth0

iface eth0.530 inet6 static
address fd74:6b6a:8eca:4903:c5c::xx
netmask 64

== Keys ==

If this is a reinstall of an existing host, copy back the SSH host keys and <tt>/etc/krb5.keytab</tt> from its former incarnation. Otherwise, create a new Kerberos principal and copy the keytab over, as follows (run from the host in question):
kadmin -p sysadmin/admin # or any other admin principal; the password for this one is the usual root password
addprinc -randkey host/[hostname].csclub.uwaterloo.ca
ktadd host/[hostname].csclub.uwaterloo.ca

This will generate a new principal (you can skip this step if one already exists) and add it to the local Kerberos keytab.

Also copy <tt>/etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem</tt> from another host, as many of our services use a certificate issued by this CA.

== Configuration ==

=== General ===

The following config files are needed to work in the CSC environment (examples given below for an office terminal; perhaps refer to another host if preferred).

<tt>/etc/nsswitch.conf</tt>
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap
sudoers: files ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

<tt>/etc/ldap/ldap.conf</tt>

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=csclub, dc=uwaterloo, dc=ca
URI ldap://ldap1.csclub.uwaterloo.ca ldap://ldap2.csclub.uwaterloo.ca

SIZELIMIT 0

TLS_CACERT /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem
TLS_CACERTFILE /etc/ssl/certs/GlobalSign_Intermediate_Root_SHA256_G2.pem

SUDOERS_BASE ou=SUDOers,dc=csclub,dc=uwaterloo,dc=ca

Also make <tt>/etc/sudo-ldap.conf</tt> a symlink to the above. On debian, install <tt>sudo-ldap</tt> package too.

<tt>/etc/nslcd.conf</tt>
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap1.csclub.uwaterloo.ca
uri ldap://ldap2.csclub.uwaterloo.ca

# The search base that will be used for all queries.
base dc=csclub,dc=uwaterloo,dc=ca

# use the uniqueMember attribute for group membership
# (not applicable on Debian squeeze)
map group member uniqueMember

<tt>/etc/krb5.conf</tt>
[libdefaults]
default_realm = CSCLUB.UWATERLOO.CA
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false

[realms]
CSCLUB.UWATERLOO.CA = {
kdc = kdc1.csclub.uwaterloo.ca
kdc = kdc2.csclub.uwaterloo.ca
admin_server = kadmin.csclub.uwaterloo.ca
}
(rest omitted for brevity)

Update: <tt>allow_weak_crypto</tt> is basically a no-op in recent Kerberos versions - but this is not a problem as any linux kernel with version >= 2.6.38.2 can use any cipher available to the kernel to grab tickets from the KDC for the purpose of NFS sec=krb5. Notably, this means you can use ciphersuites less craptastic than des-cbc-crc (the only one that used to work prior to this kernel revision) for NFS sec=krb5 mounts. Therefore, <tt>allow_weak_crypto</tt> has been removed from /etc/krb5.conf on all our machines.

Furthermore, the lines <tt>dns_lookup_kdc</tt> and <tt>dns_lookup_realm</tt> have been added - they are needed to stop the KDC from throwing its arms in the air and giving up if IST's DNS servers ever explode - an event that has happened in the recent past far more often than I'd like it to.

Notably, <tt>allow_weak_crypto</tt> is currently needed to mount <tt>/users</tt> (/music and <tt>/scratch</tt> is sec=sys and thus will always mount, even when krb5 is down and/or broken). Otherwise, you will get a mysterious "permission denied" error (even though the server claims to have authenticated the mount successfully).

<tt>/etc/pam.d/common-account</tt>
#
# /etc/pam.d/common-account - authorization settings common to all services
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=10000
# end of pam-auth-update config

# Make sure the user is up to date. System accounts and syscom are exempt.
account [success=2 default=ignore] pam_succeed_if.so quiet uid < 10000
account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup syscom
account required pam_csc.so

This file is notably different on syscom-only hosts. Look at an existing syscom-only host to see the difference.

Alter <tt>/etc/default/nfs-common</tt> to enable <tt>statd</tt>, and more importantly <tt>gssd</tt> (needed for Kerberos NFS mounts). Start both daemons manually for now.

Add <tt>/users</tt>, <tt>/music</tt> and <tt>/scratch</tt> to <tt>/etc/fstab</tt> (as appropriate for the machine's role), make their mount points and mount them. Note that <tt>/music</tt> and <tt>/scratch</tt> are sec=sys whereas /users is sec=krb5 (with exceptions granted on a case-by-case basis for servers only, office terminals are always sec=krb5 for security reasons).

To allow single sign-on as <tt>root</tt> (primarily useful for pushing files to all machines simultaneously), put the following in <tt>/root/.k5login</tt>:
sysadmin/admin@CSCLUB.UWATERLOO.CA

Also copy the following files from another CSC host:
* <tt>/etc/ssh/ssh_config</tt> and <tt>/etc/ssh/sshd_config</tt> (for single sign-on)
* <tt>/etc/ssh/ssh_known_hosts</tt> (to remove hostkey warnings within our network)
* <tt>/etc/hosts</tt> (for host tab completion and emergency name resolution)
* <tt>/etc/resolv.conf</tt> (to use IST's nameservers and search csclub/uwaterloo domains. Only required if you are not using <tt>/etc/network/interfaces</tt> to configure DNS)

=== Display Manager ===

LightDM (with unity-greeter) is the current display manager of choice for CSC office terminals. Copy <tt>/etc/lightdm/lightdm.conf</tt> from another CSC machine to configure it properly. If kdm or another display manager gets installed, please ensure that you continue to choose LightDM as the default display manager.

Please leave AccountsService enabled, as LightDM and certain parts of the GNOME packages work better when it is available.

The Unity greeter configuration is now in gsettings. We currently have a novelty wallpaper configured. To configure this, copy <tt>/usr/local/share/backgrounds/tarkin.png</tt> from another machine and run:

sudo -u lightdm dbus-launch gsettings set com.canonical.unity-greeter background /usr/local/share/backgrounds/tarkin.png

=== User-Defined Session ===

For some reason, ubuntu does not install a session file for a session that just launches whatever's in the user's ~/.xsession. To fix this, put the following into <tt>/usr/share/xsessions/xsession.desktop</tt>:

[Desktop Entry]
Name=User-defined session
Exec=/etc/X11/Xsession

=== Audio ===

On an office terminal, copy <tt>/etc/pulse/default.pa</tt> from another office terminal.

If this is to be the machine that actually plays audio (currently <tt>nullsleep</tt>), the setup is slightly more complicated. You'll need to set up MPD and PulseAudio to receive connections, and store the PulseAudio cookie in <tt>~audio</tt>, with appropriate permissions so that only the <tt>audio</tt> group can access it. If this is a new audio machine, you'll also need to change <tt>default.pa</tt> on all office terminals to point to it.

=== Tweaks ===

On Ubuntu precise, even when <tt>gnome-keyring</tt> is uninstalled, it leaves a config file behind that causes error messages. Remove <tt>/etc/pkcs11/modules/gnome-keyring-module</tt> to fix this.

On Ubuntu saucy or newer, edit <tt>/etc/sysctl.d/10-magic-sysrq</tt> at change the value 244.

== Records ==

You probably already created the host in the University IPAM system beforehand. If not, please do so.

Please also add the host to the [[Machine List]] here on the Wiki, and to <tt>/users/syscom/csc-machines</tt> (and <tt>csc-office-machines</tt>, if applicable).

== Munin (System Monitoring) ==

If the new machine is not a container, you probably want to have it participate in the Munin cluster. Run <tt>apt-get install munin-node</tt> to install the monitoring client, then
edit the file /etc/munin/munin-node.conf. Look for a line that says <tt>allow ^127\.0\.0\.1$</tt> and add the following on a new line immediately below it:
<tt>allow ^129\.97\.134\.51$</tt> (this is the IP address for munin.csclub). Save the file, then <tt>/etc/init.d/munin-node restart</tt> and <tt>update-rc.d munin-node defaults</tt>.

Then, ssh into munin.csclub and edit the file /etc/munin/munin.conf and add the following lines to the end:
<tt>

[NEW-MACHINE-NAME.csclub] <br/>
addr 129.97.134.### <br />
use_node_name yes

</tt>

= New Distribution =

If you're adding a new distribution, there a couple of steps you'll need to take in updating the CSClub Debian repository on [[Machine_List#sodium_benzoate|sodium-benzoate/mirror]].

The steps to add a new Debian release (in the examples, jessie) is as follows, modify as necessary:

=== Step 0: Create a GPG key ===

Use "gpg --gen-key" or something like that. Skip this if you already have one.

=== Step 1: Add to Uploaders ===

The /srv/debian/conf/uploaders file on mirror contains the list of people who can upload. Add your GPG key id to this file. Use "gpg --list-secret-keys" to find out the key ID. You also need to import your key into the mirror's gpg homedir as follows:

gpg --export $KEYID | sudo env GNUPGHOME=/srv/debian/gpg gpg --import

You only need to do this step once.

=== Step 2: Add Distro ===

Add a new section to /srv/debian/conf/distributions:

Origin: CSC
Label: Debian
Codename: '''jessie'''
Architectures: alpha amd64 i386 mips mipsel sparc powerpc armel source
Components: main contrib non-free
Uploaders: uploaders
Update: dell chrome
SignWith: yes
Log: '''jessie'''.log
--changes notifier

And update the '''Allow''' line in /srv/debian/conf/incoming:

Allow: '''jessie>jessie''' oldstable>squeeze stable>wheezy lucid>lucid maverick>maverick oneiric>oneiric precise>precise quantal>quantal

=== Step 3: Update from Sources ===

Run:

sudo env GNUPGHOME=/srv/debian/gpg /srv/debian/bin/rrr-update

If all went well you should see the new distribution listed at http://debian.csclub.uwaterloo.ca/dists/

=== Step 4: CSC Packages ===

Now that we've got our new distribution set up we need to generate our packages and have them uploaded. Namely, ceo and libpam-csc. For libpam-csc:

Get the package:

git clone https://git.csclub.uwaterloo.ca/public/libpam-csc.git
cd libpam-csc

Update change log:

EMAIL=[you]@csclub.uwaterloo.ca NAME="Your Name" dch -i

Update as necessary, i.e:

libpam-csc (1.10'''jessie0''') '''jessie'''; urgency=low

* Packaging for jessie.

-- Your Name <[you]@csclub.uwaterloo.ca> Thu, 10 Oct 2013 22:08:48 -0400

Build! (You may need to install various dependencies, which it will yell at you if you don't have.)

debuild -k'''YOURKEYID'''

Yay, it built now let's upload it to the repo. The build process which create a PACKAGE.changes file in the parent directory (replace PACKAGE with the actual package name).

Copy the dupload file from corn-syrup and dupload:

mv /etc/dupload /etc/dupload.bak
scp corn-syrup:/etc/dupload /etc/dupload
dupload libpam-csc_1.10jessie0_amd64.changes

Finally, log into mirror and type "sudo /srv/debian/bin/rrr-incoming". This is supposed to happen once every few minutes however it is always faster to run it manually.

And you're done. For CEO, see https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/PACKAGING.md

MEF Guide

2021-11-15T03:40:25Z

A268wang: fix url

Website: http://mef.uwaterloo.ca/

==Beginning of the term==

It's wise to start thinking about proposals at the start of term (or even before the term starts). The due date for proposals is typically 2.5 months into the term.

==Writing up the proposal==

* MEF seems to like us getting high-quality components from respectable vendors (e.g. HP).
* MEF wants us to do our research. This means that we should be able to clearly justify why we need exactly what we've asked for. In the past they have indicated that we didn't give enough explanation as to why we needed something.
* Make sure to justify how the project/request falls under MEF's mandate. Specifically, it should somehow benefit undergraduate education.
* Talk to MathSoc in advance about the proposal. The intersection of MathSoc and MEF is generally large, and they tend to hold sway on the MEF council.

==What MEF likes to fund==
* Textbooks; note that MEF doesn't like funding programming language manuals/guides (unless they are obscure/special).
* Talks; we need to have specific speakers lined up; we can't just ask for "$X for random speakers".
* Hardware; as long as we can justify the usefulness of the purchase, they generally seem open to fund it; here's some good reasons:
** Existing hardware is failing (e.g. mirror, caffeine)
** Existing hardware is inadequate (e.g. gigabit switch)

==Presenting at the funding council meeting==

* MEF wants professional presentations.
* Most people prepare slide shows and we should too, if possible.
* Holden should never present to MEF - he's far too sketchy.

[[Category:MEF]]
[[Category:Guides]]