50 | | # Takes up remaining space |
51 | | # Physical volume for RAID array |
52 | | }}} |
53 | | |
54 | | * Choose "Congifure software RAID" |
55 | | |
56 | | * Choose "Create MD Device" |
57 | | |
58 | | * Choose RAID1 |
59 | | |
60 | | * Number of active devices: 2 |
61 | | |
62 | | * Number of spare devices: 0 |
63 | | |
64 | | * Now select the first partition on each device. |
65 | | |
66 | | * Click Continue. Repeat for second partition on each device. |
67 | | |
68 | | * When you are done, click Finish. Now you are back at the partition menu. |
69 | | |
70 | | * Scroll down to the raid devices. Modify as follows: |
| 49 | Takes up remaining space |
| 50 | Physical volume for RAID array (or Physical volume for LVM if one disk system) |
| 51 | }}} |
| 52 | |
| 53 | * Choose "Congifure software RAID" (skip step if one disk system) |
| 54 | |
| 55 | * Choose "Create MD Device" |
| 56 | |
| 57 | * Choose RAID1 |
| 58 | |
| 59 | * Number of active devices: 2 |
| 60 | |
| 61 | * Number of spare devices: 0 |
| 62 | |
| 63 | * Now select the first partition on each device. |
| 64 | |
| 65 | * Click Continue. Repeat for second partition on each device. |
| 66 | |
| 67 | * When you are done, click Finish. Now you are back at the partition menu. |
| 68 | |
| 69 | * Scroll down to the raid devices (or apply straight to your partitions if it's a one disk system). Modify as follows: |
81 | | * Create a logical volumes in this volume group |
82 | | |
83 | | {{{ |
84 | | dom0: 1 GB |
85 | | dom0-swap: 512MB |
86 | | }}} |
87 | | |
88 | | * After returning to the main disk config menu, click on the LVM #1 and configure it to use ext3 and /. |
89 | | |
90 | | * Click on the !#2 lvm disk and configure it as swap |
91 | | |
92 | | ==== Afer reboot ==== |
93 | | |
94 | | * Set Hardware clock to GMT (even if it isn't) |
95 | | |
96 | | * Insert root password into pass db |
97 | | |
98 | | * Create new user: mayfirst |
99 | | |
100 | | * Do not select any of the pre-set application packages. Just tab to OK. |
101 | | |
102 | | * For mail congiration - choose No configuration (we will be installing postfix later) |
103 | | |
104 | | * Root and postmaster recipient: root@mayfirst.org |
| 80 | * Create logical volumes in this volume group based on your needs. A dom0 will only need a 1GB root partition. A "normal" server might need a 1 GB root, 3GB /usr, 5 GB /var and 512 MB swap. |
| 81 | |
| 82 | * After returning to the main disk config menu, click on each logical volume that you create and specify how it should be formatted and mounted. |
| 83 | |
| 84 | * Enter root password in resource db or give to Jamie! |
| 85 | |
| 86 | * Create a second user for yourself. |
| 87 | |
| 88 | * Do not install the server package or the base package - deselect all of them. |
122 | | ==== Setup xen ==== |
123 | | |
124 | | * Install with: |
125 | | |
126 | | {{{ |
127 | | apt-get install xen-hypervisor-3.0.3-1-i386 xen-linux-system-2.6.18-4-xen-686 libc6-xen |
128 | | }}} |
129 | | |
130 | | * Edit /boot/grub/menu.1st |
131 | | |
132 | | {{{ |
133 | | ## Xen hypervisor options to use with the default Xen boot option |
134 | | # xenhopt=dom0_mem=131072 |
135 | | }}} |
136 | | |
137 | | * run update-grub and reboot |
138 | | |
139 | | * Install bridge-utils and xen-tools |
140 | | |
141 | | {{{ |
142 | | aptitude install bridge-utils xen-tools |
143 | | /etc/init.d/xend restart |
144 | | }}} |
145 | | |
146 | | * Edit /etc/xen-tools/xen-tools.conf. Apply the following diffs: |
147 | | |
148 | | {{{ |
149 | | 0 gramsci:/etc/xen-tools# diff -u xen-tools.conf.orig xen-tools.conf |
150 | | --- xen-tools.conf.orig 2007-05-27 19:59:38.000000000 -0400 |
151 | | +++ xen-tools.conf 2007-05-27 20:01:15.000000000 -0400 |
152 | | @@ -35,6 +35,7 @@ |
| 106 | ==== Misc ==== |
| 107 | |
| 108 | * Login as root and install the following packages: |
| 109 | |
| 110 | {{{ |
| 111 | # aptitude install ssh ntpdate ntp-server less emacs21-nox cron-apt iproute |
| 112 | }}} |
| 113 | |
| 114 | * Upload the [wiki:mfpl_admin_public_ssh_keys mayfirst public keys] to: |
| 115 | |
| 116 | {{{ |
| 117 | /root/.ssh/authorized_keys |
| 118 | }}} |
| 119 | |
| 120 | * Configure ssh to only accept connections with auth keys (unless this is a server that should be accessible by members). Edit /etc/ssh/sshd_config and uncomment/change this line: |
| 121 | |
| 122 | {{{ |
| 123 | PasswordAuthentication no |
| 124 | }}} |
| 125 | |
| 126 | * Reload ssh: |
| 127 | |
| 128 | {{{ |
| 129 | # /etc/init.d/ssh reload |
| 130 | }}} |
| 131 | |
| 132 | === Fix Bash === |
| 133 | |
| 134 | * Overwrite /root/.bashrc with: |
| 135 | {{{ |
| 136 | # ~/.bashrc: executed by bash(1) for non-login shells. |
| 137 | |
| 138 | export PS1='$? \h:\w\$ ' |
| 139 | umask 022 |
| 140 | |
| 141 | # You may uncomment the following lines if you want `ls' to be colorized: |
| 142 | # export LS_OPTIONS='--color=auto' |
| 143 | # eval "`dircolors`" |
| 144 | # alias ls='ls $LS_OPTIONS' |
| 145 | # alias ll='ls $LS_OPTIONS -l' |
| 146 | # alias l='ls $LS_OPTIONS -lA' |
154 | | ## |
155 | | # lvm = skx-vg |
156 | | +lvm = vg_gramsci0 |
157 | | |
158 | | |
159 | | # |
160 | | @@ -61,7 +62,7 @@ |
161 | | ## |
162 | | # |
163 | | # copy = /path/to/pristine/image |
164 | | -# debootstrap = 1 |
165 | | +debootstrap = 1 |
166 | | # rpmstrap = 1 |
167 | | # tar = /path/to/img.tar |
168 | | # |
169 | | @@ -95,7 +96,7 @@ |
170 | | swap = 128Mb # Swap size |
171 | | # noswap = 1 # Don't use swap at all for the new system. |
172 | | fs = ext3 # use the EXT3 filesystem for the disk image. |
173 | | -dist = sarge # Default distribution to install. |
174 | | +dist = etch # Default distribution to install. |
175 | | image = sparse # Specify sparse vs. full disk images. |
176 | | |
177 | | # |
178 | | @@ -154,8 +155,8 @@ |
179 | | # |
180 | | # Default kernel and ramdisk to use for the virtual servers |
181 | | # |
182 | | -kernel = /boot/vmlinuz-2.6.16-2-xen-686 |
183 | | -initrd = /boot/initrd.img-2.6.16-2-xen-686 |
184 | | +kernel = /boot/vmlinuz-2.6.18-4-xen-686 |
185 | | +initrd = /boot/initrd.img-2.6.18-4-xen-686 |
186 | | |
187 | | # |
188 | | # The architecture to use when using debootstrap or rpmstrap. |
189 | | 1 gramsci:/etc/xen-tools# |
190 | | }}} |
191 | | |
192 | | * Create new xen instances with: |
193 | | |
194 | | {{{ |
195 | | xen-create-image --size=5Gb --swap=512Mb --gateway=209.51.180.17 --netmask=255.2 |
196 | | 55.255.240 --ip=209.51.180.24 --hostname=mendes |
197 | | }}} |
198 | | |
199 | | Change settings as needed. |
200 | | |
201 | | ==== Misc ==== |
202 | | |
203 | | * Edit /etc/group and change the group id of mayfirst to 1500 (so it will be consistent with red) |
204 | | |
205 | | * Login as root and install the following packages: |
206 | | |
207 | | {{{ |
208 | | # apt-get install --purge ssh ntpdate ntp-server sudo vim less rsync postfix |
209 | | }}} |
210 | | |
211 | | * Add the group wheel. |
212 | | |
213 | | {{{ |
214 | | # addgroup wheel |
215 | | }}} |
216 | | |
217 | | * Add mayfirst to wheel: |
218 | | |
219 | | {{{ |
220 | | # addgroup mayfirst wheel |
221 | | }}} |
222 | | |
223 | | * Configure sudo: |
224 | | |
225 | | {{{ |
226 | | # visudo |
227 | | }}} |
228 | | |
229 | | * Add a line at the bottom that says: |
230 | | |
231 | | {{{ |
232 | | %wheel ALL=(ALL) ALL |
233 | | }}} |
234 | | |
235 | | * Upload the mayfirst public keys to: |
236 | | |
237 | | {{{ |
238 | | .ssh/authorized_keys |
239 | | }}} |
240 | | |
241 | | * Configure ssh to only accept connections with auth keys (unless this is a server that should be accessible by members). Edit /etc/ssh/sshd_config. |
242 | | |
243 | | * Uncomment and change the !ChallengeResponseAuthentication line and the !PasswordAuthentication line to match the following: |
244 | | |
245 | | {{{ |
246 | | ChallengeResponseAuthentication no |
247 | | PasswordAuthentication no |
248 | | }}} |
249 | | |
250 | | * Reload ssh: |
251 | | |
252 | | {{{ |
253 | | # /etc/init.d/ssh reload |
254 | | }}} |
255 | | |
256 | | * Uninstall unecesary packages: |
257 | | |
258 | | {{{ |
259 | | $ sudo apt-get remove --purge portmap lpr nfs-common ppp |
260 | | }}} |
261 | | |
262 | | * Make sure no uneeded services are running. Look through /etc/rc2.d. Move from S to K any services that are not needed (e.g. rsync and inetd). |
| 148 | # Some more alias to avoid making mistakes: |
| 149 | alias rm='rm -i' |
| 150 | alias cp='cp -i' |
| 151 | alias mv='mv -i |
| 152 | }}} |
| 153 | |
| 154 | * Modify the following lines in /etc/skel/.bashrc |
| 155 | {{{ |
| 156 | PS1='$? ${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' |
| 157 | ;; |
| 158 | *) |
| 159 | PS1='$? ${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' |
| 160 | }}} |
| 161 | |
| 162 | * Add a .ssh directory and empty authorized_keys file in /etc/skel: |
| 163 | {{{ |
| 164 | mkdir /etc/skel/.ssh |
| 165 | touch /etc/skel/.ssh/authorized_keys |
| 166 | }}} |
311 | | ==== Encrypted File system ==== |
312 | | |
313 | | * Install programs: |
314 | | |
315 | | {{{ |
316 | | $ sudo apt-get install dmsetup cryptsetup |
317 | | }}} |
318 | | |
319 | | * Create an encrypted file system for members: |
320 | | |
321 | | * Now, unmount the partition (make sure there is no data on it that you care about). |
322 | | |
323 | | {{{ |
324 | | $ sudo umount /home/members |
325 | | }}} |
326 | | |
327 | | * Create the encrypted filesystem: |
328 | | |
329 | | {{{ |
330 | | $ cryptsetup luksFormat /dev/mapper/vg_NAMEOFSERVER0-members |
331 | | }}} |
332 | | |
333 | | You will be prompted for a password. Put password in resource db! |
334 | | |
335 | | * Add to crypttab |
336 | | |
337 | | {{{ |
338 | | echo crypt_members /dev/mapper/vg_NAMEOFSERVER0-members none luks >> /etc/crypttab |
339 | | }}} |
340 | | |
341 | | * Start it |
342 | | |
343 | | {{{ |
344 | | /etc/init.d/cryptdisks start |
345 | | }}} |
346 | | |
347 | | * Create a file system on the partition: |
348 | | |
349 | | {{{ |
350 | | $ mkfs -t ext3 /dev/mapper/crypt_members |
351 | | }}} |
352 | | |
353 | | * Remove cryptdisks from the rc2.d directory - we do not want this to start automatically on boot! Instead we want to start it manually so the boot process doesn't hang waiting for a password. |