[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Bullseye/HowTo/Administration" by WolfgangSchweer
Debian Wiki
wiki at debian.org
Thu Feb 13 13:58:12 GMT 2020
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.
The "DebianEdu/Documentation/Bullseye/HowTo/Administration" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/HowTo/Administration
Comment:
WIP: starting to work on Debian Edu Bullseye documentation as a copy with s/buster/bullseye/ and some other adjustments
New page:
= HowTos for general administration =
The [[DebianEdu/Documentation/Bullseye/GettingStarted|Getting Started]] and [[DebianEdu/Documentation/Bullseye/Maintenance|Maintenance]] chapters describe how to get started with Debian Edu and how to do the basic maintenance work. The howtos in this chapter have some more "advanced" tips and tricks.
<<TableOfContents(2)>>
== Configuration history: tracking /etc/ using the git version control system ==
Using {{{etckeeper}}}, all files in {{{/etc/}}} are tracked using [[https://www.git-scm.com/|git]] as a version control system.
This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The git repository is stored in {{{/etc/.git/}}}.
Every hour, any changes are automatically recorded, allowing configuration history to be extracted and reviewed.
To look at the history, the command {{{etckeeper vcs log}}} is used. To check the differences between two points in time, a command like {{{etckeeper vcs diff}}} can be used.
See the output of {{{man etckeeper}}} for more information.
List of useful commands:
{{{
etckeeper vcs log
etckeeper vcs status
etckeeper vcs diff
etckeeper vcs add .
etckeeper vcs commit -a
man etckeeper
}}}
=== Usage examples ===
On a freshly installed system, try this to see all changes done since the system was installed:
{{{
etckeeper vcs log
}}}
See which files are currently not tracked and which are not up-to-date:
{{{
etckeeper vcs status
}}}
To manually commit a file, because you don't want to wait up to an hour:
{{{
etckeeper vcs commit /etc/resolv.conf
}}}
== Resizing Partitions ==
In Debian Edu, all partitions other than the `/boot/` partition are on logical LVM volumes. With Linux kernels since version 2.6.10, it is possible to extend partitions while they are mounted. Shrinking partitions still needs to happen while the partition is unmounted.
It is a good idea to avoid creating very large partitions (over, say, 20GiB), because of the time it takes to run `fsck` on them or to restore them from backup if the need arises. It is better, if possible, to create several smaller partitions than one very large one.
## the "20GiB" dates back to <= Etch
The helper script {{{debian-edu-fsautoresize}}} is provided to make it easier to extend full partitions. When invoked, it reads the configuration from {{{/usr/share/debian-edu-config/fsautoresizetab}}}, {{{/site/etc/fsautoresizetab}}} and {{{/etc/fsautoresizetab}}}.
It then proposes to extend partitions with too little free space, according to the rules provided in these files. If run with no arguments, it will only show the commands needed to extend the file system. The argument {{{-n}}} is needed to actually execute these commands to extend the file systems.
The script is executed automatically every hour on every client listed in the {{{fsautoresize-hosts}}} netgroup.
When the partition used by the Squid proxy is resized, the value for cache size in {{{/etc/squid/squid.conf}}} needs to be updated as well. The helper script {{{/usr/share/debian-edu-config/tools/squid-update-cachedir}}} is provided to do this automatically, checking the current partition size of {{{/var/spool/squid/}}} and configuring Squid to use 80% of this as its cache size.
=== Logical Volume Management ===
Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM from the [[https://www.tldp.org/HOWTO/LVM-HOWTO/|LVM HowTo]].
To extend a logical volume manually you simply tell the {{{lvextend}}} command how large you want it to grow to. For example, to extend home0 to 30GiB you use the following commands:
{{{
lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0
}}}
To extend home0 by an additional 30GiB, insert a '+' ({{{-L+30G}}}).
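The dry-run behaviour of {{{debian-edu-fsautoresize}}} described above (print the commands, execute only when asked) and the {{{lvextend}}} / {{{resize2fs}}} pair can be combined in a few lines of shell. The following script is an added example and is not the {{{debian-edu-fsautoresize}}} script or any other part of debian-edu-config; it assumes {{{df -P}}} style input (1024-byte blocks), ext4 file systems and LVM volumes visible under {{{/dev/mapper/}}}. The threshold, growth step and the sample {{{df}}} output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the debian-edu-fsautoresize script): propose the lvextend/resize2fs
# commands for LVM-backed filesystems whose free space has dropped below a threshold.
# Like the real helper it only prints the commands unless asked to execute them.
# Assumptions: input is "df -P" style output (1024-byte blocks), filesystems are ext4.

MINFREE_KB=${MINFREE_KB:-1048576}   # threshold: 1 GiB of free space
GROW=${GROW:-+2G}                   # how much to add per run (lvextend -L syntax)

# propose_extend [n]: read df -P lines from stdin and print the commands for every
# /dev/mapper/* filesystem below the threshold. Only the argument "n" actually runs
# them, mirroring the "-n" switch described above.
propose_extend() {
    execute=${1:-}
    while read -r dev _size _used avail _pct _mnt; do
        case "$dev" in
            /dev/mapper/*) ;;      # only LVM volumes can be grown online
            *) continue ;;         # header line, /boot on a plain partition, tmpfs, ...
        esac
        [ "$avail" -lt "$MINFREE_KB" ] || continue
        printf 'lvextend -L%s %s\n' "$GROW" "$dev"
        printf 'resize2fs %s\n' "$dev"
        if [ "$execute" = n ]; then
            lvextend -L"$GROW" "$dev" && resize2fs "$dev"
        fi
    done
}

# Constructed sample "df -P" output for a Debian Edu main server; home0 is nearly full.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg_system-skole+tjener+home0 20961280 20500000 461280 98% /skole/tjener/home0
/dev/mapper/vg_system-var 10475520 2000000 8475520 20% /var
/dev/sda1 498980 60000 438980 13% /boot'

# Dry run on the sample: prints the two commands for home0 only.
printf '%s\n' "$SAMPLE_DF" | propose_extend
```

On a real system the input would be {{{df -P | propose_extend}}}; the non-LVM {{{/boot}}} partition is skipped on purpose, since it cannot be grown while mounted.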
== Installing a graphical environment on the main-server to use GOsa² ==
If you (probably accidentally) installed a pure main-server profile and don't have a client with a web-browser handy, it's easy to install a minimal desktop on the main server using this command sequence in a (non-graphical) shell as the user you created during the main server's installation (first user):
{{{
$ sudo apt update
$ sudo apt install task-desktop-xfce lightdm education-menus
### after installation, run 'sudo service lightdm start'
### login as first user
}}}
== Using ldapvi ==
[[http://www.lichteblau.com/ldapvi/manual/|ldapvi]] is a tool to edit the LDAP database with a normal text editor on the commandline.
The following needs to be executed:
{{{
ldapvi --ldap-conf -ZD '(cn=admin)'
}}}
Note: {{{ldapvi}}} will use whatever is the default editor. By executing {{{export EDITOR=vim}}} in the shell prompt one can configure the environment to get a vi clone as editor.
To add an LDAP object using ldapvi, prefix the new entry with the string {{{add}}} in the position where existing entries carry their object sequence number.
## whatever that means - example please?
/!\ Warning: {{{ldapvi}}} is a very powerful tool. Be careful and don't mess up the LDAP database; the same warning applies to JXplorer.
== Kerberized NFS ==
Using Kerberos for NFS to mount home directories is a security feature. As of Bullseye, LTSP clients won't work without Kerberos.
The levels ''krb5'', ''krb5i'' and ''krb5p'' are supported (''krb5'' means Kerberos authentication, ''i'' stands for integrity check and ''p'' for privacy, i.e. encryption); the load on both server and workstation increases with the security level. ''krb5i'' is a good choice and has been chosen as default.
For new systems added with GOsa², Kerberos host keytab files are generated automatically.<<BR>>
To create one for a system already configured with GOsa², log in on the main server as root and run
{{{
/usr/share/debian-edu-config/tools/gosa-modify-host <hostname> <IP>
}}}
'''Please note:''' host keytab creation is possible for systems of type ''workstations'', ''servers'' and ''terminals'' but not for those of type ''netdevices''.
=== How to change the default ===
'''Main server'''
* log in as root
* run {{{ldapvi -ZD '(cn=admin)'}}}, search for ''sec=krb5i'' and replace it with ''sec=krb5'' or ''sec=krb5p''.
* edit {{{/etc/exports}}}: adjust these existing entries for /srv/* accordingly:
{{{
/srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/home0 gss/krb5i(rw,sync,no_subtree_check)
}}}
* run {{{exportfs -r}}}
'''Workstation''', esp. any separate or additional '''LTSP server'''
* log in as root.
* run {{{/usr/share/debian-edu-config/tools/copy-host-keytab}}}
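The {{{/etc/exports}}} step above is the one most easily got wrong (a stray ''krb5i'' left on one export silently keeps the weaker level for that path). The following shell function is an added example, not part of debian-edu-config; it rewrites the ''gss/krb5*'' flavour on every export line, refuses levels NFSv4 does not support, and reports how many lines now carry the requested level so the result can be checked before running {{{exportfs -r}}}. The sample exports file is a constructed copy of the two entries quoted above.

```shell
#!/bin/sh
# Added example (not part of debian-edu-config): switch the Kerberos security flavour
# of the /srv/nfs4 exports in an exports file and verify the result before "exportfs -r".

# set_nfs_sec FILE LEVEL: rewrite every "gss/krb5*(" flavour in FILE to LEVEL.
# Only the three flavours NFSv4 supports are accepted; the function prints how many
# export lines carry the requested level afterwards (exit status 1 if none do).
set_nfs_sec() {
    file=$1
    level=$2
    case "$level" in
        krb5|krb5i|krb5p) ;;
        *) echo "set_nfs_sec: unknown security level '$level'" >&2; return 2 ;;
    esac
    tmp="$file.tmp.$$"
    # POSIX BRE: "krb5" optionally followed by i or p, only where used as a gss/ flavour
    sed "s#gss/krb5[ip]\{0,1\}(#gss/$level(#g" "$file" > "$tmp" && mv "$tmp" "$file"
    grep -c "gss/$level(" "$file"
}

# Constructed copy of the default /etc/exports entries quoted above.
make_sample_exports() {
    cat > "$1" <<'EOF'
/srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/srv/nfs4/home0 gss/krb5i(rw,sync,no_subtree_check)
EOF
}

# Demonstration on a temporary file rather than the live /etc/exports.
sample=$(mktemp)
make_sample_exports "$sample"
set_nfs_sec "$sample" krb5p      # prints 2: both exports now use krb5p
cat "$sample"
rm -f "$sample"
```

For the live file the call is {{{set_nfs_sec /etc/exports krb5p}}}, followed by {{{exportfs -r}}}; the LDAP mount option changed with {{{ldapvi}}} and the exports file must agree, otherwise clients fail to mount.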
== Standardskriver ==
This tool allows setting the default printer depending on location, machine, or group membership. For more information, see {{{/usr/share/doc/standardskriver/README.md}}}.
The configuration file {{{/etc/standardskriver.cfg}}} has to be provided by the admin, see {{{/usr/share/doc/standardskriver/examples/standardskriver.cfg}}} as an example.
== JXplorer, an LDAP GUI ==
If you prefer a GUI to work with the LDAP database, check out the {{{jxplorer}}} package, which is installed by default. To get write access connect like this:
{{{
host: ldap.intern
port: 636
Security level: ssl + user + password
User dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
}}}
== ldap-createuser-krb, a command-line tool ==
`ldap-createuser-krb` is a small command line tool to create LDAP users and set their passwords in Kerberos. It's mostly useful for testing, though.
== Using stable-updates ==
Since the Squeeze release in 2011, Debian has included packages formerly maintained in volatile.debian.org in the [[https://wiki.debian.org/StableUpdates|stable-updates suite]].
While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularly when stable point releases are done, which roughly happens every two months.
== Using backports to install newer software ==
You are running Debian Edu because you prefer the stability of Debian Edu. It runs great; there is just one problem: sometimes software is a little bit more outdated than you like. This is where backports.debian.org steps in.
Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. '''We recommend picking out individual backports which fit your needs, and not using all backports available there.'''
Using backports is simple:
{{{
echo "deb http://deb.debian.org/debian/ buster-backports main" >> /etc/apt/sources.list
apt-get update
}}}
After that, backported packages can be installed easily; the following command installs a backported version of ''tuxtype'':
{{{
apt install -t buster-backports tuxtype
}}}
Backports are automatically updated (if available) just like other packages. Like the normal archive, backports has three sections: main, contrib and non-free.
== Upgrading with a CD or similar image ==
If you want to upgrade from one version to another (for example from Bullseye 11.1 to 11.2) but you do not have Internet connectivity, only physical media, follow these steps:
Insert the CD / DVD / Blu-ray disc / USB flash drive and use the apt-cdrom command:
{{{
apt-cdrom add
}}}
To quote the apt-cdrom(8) man page:
. apt-cdrom is used to add a new CD-ROM to APTs list of available sources. apt-cdrom takes care of determining the structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
. It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a multi-CD set must be inserted and scanned separately to account for possible mis-burns.
Then run these two commands to upgrade the system:
{{{
apt update
apt full-upgrade
}}}
== Automatic cleanup of leftover processes ==
{{{killer}}} is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It is run by a cron job once an hour.
== Automatic installation of security upgrades ==
{{{unattended-upgrades}}} is a Debian package which will install security (and other) upgrades automatically. If installed, the package is preconfigured to install security upgrades. The logs are available in {{{/var/log/unattended-upgrades/}}}; also, there are always {{{/var/log/dpkg.log}}} and {{{/var/log/apt/}}}.
== Automatic shutdown of machines during the night ==
It is possible to save energy and money by automatically turning client machines off at night and back on in the morning. The {{{shutdown-at-night}}} package will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if it seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main-server will try to turn on machines from 06:30 by sending wake-on-lan packets. These times can be changed in the crontabs of individual machines.
Some considerations should be kept in mind when setting this up:
* The clients should not be shut down when someone is using them. This is ensured by checking the output from {{{who}}}, and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.
* To avoid blowing electrical fuses, it is a good idea to make sure all clients do not start at the same time.
* There are two different methods available to wake up clients. One uses a BIOS feature and requires a working and correct hardware clock, as well as a motherboard and BIOS version supported by {{{nvram-wakeup}}}; the other requires clients to have support for wake-on-lan, and the server to know about all the clients that need to be woken up.
=== How to set up shutdown-at-night ===
On clients that should turn off at night, touch {{{/etc/shutdown-at-night/shutdown-at-night}}}, or add the hostname (that is, the output from '{{{uname -n}}}' on the client) to the netgroup "shutdown-at-night-hosts". Adding hosts to the netgroup in LDAP can be done using the {{{GOsa²}}} web tool. The clients might need to have wake-on-lan configured in the BIOS. It is also important that the switches and routers used between the wake-on-lan server and the clients will pass the WOL packets to the clients even if the clients are turned off. Some switches fail to pass on packets to clients that are missing in the ARP table on the switch, and this blocks the WOL packets.
To enable wake-on-lan on the server, add the clients to {{{/etc/shutdown-at-night/clients}}}, with one line per client, IP address first, followed by MAC address (ethernet address), separated by a space; or create a script {{{/etc/shutdown-at-night/clients-generator}}} to generate the list of clients on the fly.
Here is an example {{{/etc/shutdown-at-night/clients-generator}}} for use with sitesummary:
{{{
#!/bin/sh
PATH=/usr/sbin:$PATH
export PATH
sitesummary-nodes -w
}}}
An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from the {{{ng-utils}}} package:
{{{
#!/bin/sh
PATH=/usr/sbin:$PATH
export PATH
netgroup -h shutdown-at-night-hosts
}}}
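Whichever way the list is produced, a malformed line ("IP MAC" with a typo) is not an error for the wake-up job; the client is just never woken. The following script is an added example, not part of the {{{shutdown-at-night}}} package; it filters a clients list of the format described above, prints only well-formed entries, reports the rest on stderr and returns the number of lines dropped. It could be run over the output of a {{{clients-generator}}} before trusting it. The sample list is constructed.

```shell
#!/bin/sh
# Added example (not part of the shutdown-at-night package): validate a
# /etc/shutdown-at-night/clients style list ("IP MAC" per line) so a typo cannot
# silently leave a client out of the morning wake-on-lan run.

# octets_ok IP: true if IP is a dotted quad with every octet in 0..255.
# The body is a subshell so the IFS change stays local.
octets_ok() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

MAC_RE='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# valid_wol_clients FILE: print well-formed "IP MAC" lines; comments and blank lines
# are ignored; malformed lines are reported on stderr and dropped. The return value
# is the number of malformed lines (0 = clean list).
valid_wol_clients() {
    bad=0
    while read -r ip mac extra; do
        case "$ip" in ''|\#*) continue ;; esac
        if [ -z "$extra" ] && octets_ok "$ip" && printf '%s\n' "$mac" | grep -Eq "$MAC_RE"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'clients list: skipping malformed line: %s %s %s\n' "$ip" "$mac" "$extra" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample list: two good entries, one MAC with a missing digit, one bad octet.
make_sample_clients() {
    cat > "$1" <<'EOF'
# ip mac
10.0.2.21 00:11:22:33:44:55
10.0.2.22 00:11:22:33:44:5
10.0.2.300 00:11:22:33:44:66

10.0.2.23 aa:bb:cc:dd:ee:ff
EOF
}

sample=$(mktemp)
make_sample_clients "$sample"
valid_wol_clients "$sample" || echo "$? malformed line(s) dropped" >&2
rm -f "$sample"
```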
== Access Debian-Edu servers located behind a firewall ==
To access machines behind a firewall from the Internet, consider installing the package {{{autossh}}}. It can be used to set up an SSH tunnel to a machine on the Internet that you have access to. From that machine, you can access the server behind the firewall via the SSH tunnel.
== Installing additional service machines for spreading the load from main-server ==
In the default installation, all services are running on the main-server, tjener. To simplify moving some to another machine, there is a ''minimal'' installation profile available. Installing with this profile will lead to a machine which is part of the Debian Edu network, but which doesn't have any services running (yet).
These are the required steps to set up a machine dedicated to some services:
* install the ''minimal'' profile using the ''debian-edu-expert'' boot-option
* install the packages for the service
* configure the service
* disable the service on main-server
* update DNS (via LDAP/GOsa²) on main-server
== HowTos from wiki.debian.org ==
FIXME: The !HowTos from https://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific !HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)
* https://wiki.debian.org/DebianEdu/HowTo/AutoNetRespawn
* https://wiki.debian.org/DebianEdu/HowTo/BackupPC
* https://wiki.debian.org/DebianEdu/HowTo/ChangeIpSubnet
* https://wiki.debian.org/DebianEdu/HowTo/SiteSummary
* https://wiki.debian.org/DebianEdu/HowTo/Squid_LDAP_Authentication
CategoryPermalink