COSI Arch Build

From CSLabsWiki
Revision as of 14:48, 29 August 2016 by Jared (NFS)

Contact Person: Jared Dunbar
Last Update: April 2016
Services: Arch Linux Image for COSI


The COSI Arch Build has been attempted in the past, with failures tending to cause people to resort to other operating systems.

It could be used as a lab build. This is about as stable as it can be, for the most part. It's not the simplest thing you've ever done, though.

Installation

Get the Arch Dual ISO CD from your favorite local mirror, burn it to something with some software (dd is good) and start it up.

To start, try pinging google (8.8.8.8) or mirror (128.153.145.19). If that fails, jump to Network Stack really quick and then get back up here.

At any point, if you have a problem with something, check the Debugging section below; otherwise check the official Arch Wiki.

Set HW Clock

Check that the system clock is set up right.

timedatectl set-ntp true

Configure Partitions

Determine what drive you want to use.

lsblk

In this case it was /dev/sda

Start up parted and begin partitioning the disks.

parted /dev/sda
mklabel msdos
mkpart primary ext4 1M 280G
quit

Format the partition. Say yes if it complains and asks whether to continue.

mkfs.ext4 /dev/sda1

And mount that partition.

mount /dev/sda1 /mnt

Set up Mirrors

If you are running x86 or x64, we fetch Arch from mirror. Otherwise you will need to find a mirror that does your architecture.

vim /etc/pacman.d/mirrorlist

Add this line:

Server = http://mirror.clarkson.edu/archlinux/$repo/os/$arch

This file will automatically be applied to the new system as well. Don't waste your time copying it.

Installation

Pacstrap

Start up pacstrap and install the base system. Make sure that you have mounted the partition to start installing to.

pacstrap /mnt base base-devel vim htop grub nano wget git openssh

Now wait as the system is installed. If you set your mirror to Clarkson Mirror (and have decent hardware), this is a matter of seconds.

Generate FSTAB

genfstab -U /mnt > /mnt/etc/fstab

Change Root

arch-chroot /mnt /bin/bash

Configuration

Set Timezone

Default timezone for COSI; the numbers are the menu answers given to tzselect, in order:

tzselect
2
49
1
1

Locale Generation

Uncomment the relevant locales in /etc/locale.gen (en_US.UTF-8 at minimum) and then run:

locale-gen

/etc/locale.conf should be edited to contain the following line:

LANG=en_US.UTF-8

Set up Grub

If you want GRUB to detect other OSes, use pacman to install os-prober:

pacman -S os-prober

Install GRUB to the MBR.

grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

Network Stack

Let's get the network up. If you try to use the network right now, it will (maybe) fail, and after a reboot it will definitely fail unless you set it up here (though if your NIC needs no extra drivers, you can still do this after rebooting).

ip l

The command above lists the current NICs.

Now pick one, either at random or one that doesn't say NO-CARRIER (and that is not lo), and enable it, substituting its name for enp2s0 below. (If you only have lo, or everything says NO-CARRIER, you have a problem; see Network Stack under Debugging.)

systemctl enable dhcpcd@enp2s0
systemctl start dhcpcd@enp2s0

... and you should now have a link.

ip a

... should show you the IP and all that fun stuff. If you have an IP, you are done with the network stack!
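The interface-picking step above can be scripted so that nobody enables dhcpcd on lo or on a link with no cable. The following is an added example for this page, not part of the original build notes or of any COSI tooling: pick_iface, dhcpcd_cmds and the SAMPLE_IP_LINK text are all made up here (the sample imitates `ip l` output and was not captured from a real machine), and the systemctl commands are only printed for review, never run.

```shell
#!/bin/sh
# Added example: pick a usable NIC from `ip l` output the way the text describes.
# SAMPLE_IP_LINK is constructed for this example, not captured from a COSI machine.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'

# pick_iface: read `ip l` output on stdin and print the first interface that
# is not lo and does not report NO-CARRIER. Returns 1 (prints nothing) if
# every link is down, which is the "you have a problem" case in the text.
pick_iface() {
    awk '
        # Header lines look like "2: enp2s0: <FLAGS> mtu ..."; address lines are indented.
        /^[0-9]+: / {
            name = $2
            sub(/:$/, "", name)
            if (name == "lo") next
            if ($3 ~ /NO-CARRIER/) next
            print name
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# dhcpcd_cmds: print the two systemctl commands from the text for a given
# interface, so a caller can review them before running them as root.
dhcpcd_cmds() {
    printf 'systemctl enable dhcpcd@%s\nsystemctl start dhcpcd@%s\n' "$1" "$1"
}

# Demo against the constructed sample. On a real box you would run:
#   ip l | pick_iface
if iface=$(printf '%s\n' "$SAMPLE_IP_LINK" | pick_iface); then
    echo "selected $iface; run as root:"
    dhcpcd_cmds "$iface"
else
    echo "no link with carrier: check cables or drivers (see Network Stack under Debugging)"
fi
```

On a real machine, `ip l | pick_iface` gives the name to plug into the two systemctl lines; the non-zero exit when nothing has carrier is what you want to test for in a kickstart-style script before touching systemd.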

Set the Hostname

Set the hostname (e.g. cosi-3)

vim /etc/hostname

Set the root password

passwd

Finish

exit
reboot

More Fun!

At this point, if you haven't rebooted, you should. If you accidentally derped with the partitioning and such, you would rather know now, before you install fancy stuff that takes a while, than find out after you try rebooting into the system that GRUB didn't work (or something else along those lines) and that you lost all of your precious time and effort.

Try not to get frustrated if this didn't work so far. Check out the Arch Linux beginners guide for help and instructions.

Here we go!

CSGUEST user

Let's make a local user for CSGUEST!

useradd csguest
passwd csguest

Install sudo

pacman -S sudo

Edit the sudoers file (with visudo) and uncomment the %sudo line so that members of the sudo group can use sudo.

Add CSGUEST to sudo.

gpasswd -a csguest sudo

If the sudo group doesn't exist, create it.

groupadd sudo

X Server

This is another fun one!

pacman -Syu
pacman -S xfce4 xfce4-goodies lxdm

Select all prerequisites

Enable LXDM

systemctl enable lxdm

Edit the config file to enable capslock, change default session to startxfce4 and disable user listing.

vim /etc/lxdm/lxdm.conf

Install missing fonts

pacman -S ttf-bitstream-vera ttf-inconsolata ttf-ubuntu-font-family ttf-dejavu ttf-freefont ttf-linux-libertine ttf-liberation --noconfirm

Get a browser (and arandr)

pacman -S firefox arandr

Audio (alsa & pulse)

pacman -S pulseaudio pulseaudio-equalizer pamixer pavucontrol pulseaudio-alsa

Active Directory

LDAP client

Get the COSI Certs!

Download this:

https://talos.cslabs.clarkson.edu/cosi_ca.crt

and put it in /etc/ssl/certs, then point nslcd.conf at that directory as the CA certificate directory.

nss-ldap

pacman -S nss-pam-ldapd openldap
vim /etc/nsswitch.conf

Add "ldap" (without quotes) to the end of the passwd, group, and shadow lines.
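Editing nsswitch.conf by hand is easy to get wrong (a second run appends "ldap" twice, or it lands on the hosts line). Here is an added example of doing that edit idempotently; it is not code from this page or from COSI, the function names add_ldap_to_nsswitch and ldap_db_count are invented for it, and SAMPLE_NSSWITCH is a constructed file that only resembles the Arch default.

```shell
#!/bin/sh
# Added example: append "ldap" to the passwd, group and shadow databases.
# SAMPLE_NSSWITCH is constructed for this example, not copied from a real box.
SAMPLE_NSSWITCH='# Name Service Switch configuration file.
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
publickey: files
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns'

# add_ldap_to_nsswitch FILE: append "ldap" to the passwd, group and shadow
# lines only if it is not already there, so the edit is safe to re-run.
# The file is rewritten through a temp copy next to it.
add_ldap_to_nsswitch() {
    awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            have = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") have = 1
            if (!have) $0 = $0 " ldap"
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ldap_db_count FILE: how many of passwd/group/shadow consult ldap (3 when done).
ldap_db_count() {
    awk '
        $1 ~ /^(passwd|group|shadow):$/ { for (i = 2; i <= NF; i++) if ($i == "ldap") n++ }
        END { print n + 0 }
    ' "$1"
}

# Demo against a temporary copy of the sample; for real use pass /etc/nsswitch.conf.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp"
add_ldap_to_nsswitch "$tmp"
add_ldap_to_nsswitch "$tmp"     # second run must not add a duplicate
cat "$tmp"
echo "databases using ldap: $(ldap_db_count "$tmp")"
rm -f "$tmp"
```

After running it against /etc/nsswitch.conf, `ldap_db_count /etc/nsswitch.conf` should print 3, and `getent passwd` (see Debugging) is the end-to-end check once nslcd is up.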

vim /etc/nslcd.conf

Set the uri line:

uri ldaps://128.153.145.3

and the base line:

base dc=cslabs,dc=clarkson,dc=edu

And now enable and start the daemon:

systemctl enable nslcd.service
systemctl start nslcd.service

krb5

pacman -S pam-krb5

Then edit the Kerberos configuration file, /etc/krb5.conf.

Add these entries under their respective sections, and replace the default realm at the top with CSLABS.CLARKSON.EDU.

[realms]
	CSLABS.CLARKSON.EDU = {
		kdc = talos.cslabs.clarkson.edu
		admin_server = talos.cslabs.clarkson.edu
		default_domain = cslabs.clarkson.edu
	}
[domain_realm]
	.cslabs.clarkson.edu = CSLABS.CLARKSON.EDU
	cslabs.clarkson.edu = CSLABS.CLARKSON.EDU

[libdefaults]
	default_realm = CSLABS.CLARKSON.EDU

PAM

WARNING - THIS IS BUGGY!

Modify this file to look exactly like this (barring updates to the system configuration)

vim /etc/pam.d/passwd
#%PAM-1.0
password	sufficient	pam_ldap.so
password	sufficient	pam_krb5.so
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so sha512 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok
vim /etc/pam.d/system-auth
#%PAM-1.0

auth      sufficient  pam_krb5.so
auth      sufficient  pam_ldap.so
auth      required  pam_unix.so     nullok try_first_pass
auth      optional  pam_permit.so
auth      required  pam_env.so

account   sufficient  pam_krb5.so
account   sufficient  pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_krb5.so
password  sufficient pam_ldap.so
password  sufficient pam_unix.so     nullok try_first_pass sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_krb5.so
session   optional  pam_ldap.so
session   optional  pam_permit.so

Make sure to hardlink su-l to su before continuing.

mv /etc/pam.d/su-l /etc/pam.d/su-l-old
ln /etc/pam.d/su /etc/pam.d/su-l
vim /etc/pam.d/su
#%PAM-1.0
auth		sufficient	pam_ldap.so
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so use_first_pass
account		sufficient	pam_krb5.so
account		sufficient	pam_ldap.so
account		required	pam_unix.so
session		sufficient	pam_krb5.so
session		sufficient	pam_ldap.so
session		required	pam_unix.so
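Because the PAM section above is flagged as buggy, it helps to have a quick way to see which lines in a stack weaken authentication before rebooting and locking yourself out. The following is an added example written for this page, not part of the original notes or of any COSI tool: pam_lint is an invented name, and SAMPLE_PAM is a constructed stack that mirrors the auth and password lines of the system-auth file above rather than a copy of a real file. It reports nullok (an empty password is accepted), a sufficient pam_permit.so (unconditional success), and pam_wheel.so with trust (su to root without a password for wheel members); it also understands the [bracketed] control syntax, which goes beyond what this page's configs use.

```shell
#!/bin/sh
# Added example: a small linter for PAM stacks like the ones above.
# SAMPLE_PAM is constructed for this example (it mirrors the system-auth
# auth/password lines shown on this page); it is not a file from a COSI machine.
SAMPLE_PAM='#%PAM-1.0
auth      sufficient  pam_krb5.so
auth      sufficient  pam_ldap.so
auth      required  pam_unix.so     nullok try_first_pass
auth      optional  pam_permit.so
password  sufficient pam_unix.so     nullok try_first_pass sha512 shadow
session   required  pam_unix.so'

# pam_lint: read one PAM file on stdin and print one line per risky directive:
#   - nullok on any module (an empty password is accepted)
#   - a "sufficient" pam_permit.so outside the session stack (unconditional success)
#   - pam_wheel.so with "trust" (wheel members reach root via su with no password)
# Prints nothing for a clean stack. Also understands [bracketed] control fields.
pam_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        {
            type = $1; ctl = $2
            # The module is field 3 unless the control is a [bracket] expression,
            # which may span several fields; advance past the closing bracket.
            m = 3
            if (ctl ~ /^\[/) while (m <= NF && $(m - 1) !~ /\]$/) m++
            mod = $m
            for (i = m + 1; i <= NF; i++) {
                if ($i == "nullok")
                    printf "line %d: %s %s accepts empty passwords (nullok)\n", NR, type, mod
                else if ($i == "trust" && mod == "pam_wheel.so")
                    printf "line %d: %s pam_wheel.so trust skips the password for wheel members\n", NR, type
            }
            if (mod == "pam_permit.so" && ctl == "sufficient" && type != "session")
                printf "line %d: %s sufficient pam_permit.so grants access unconditionally\n", NR, type
        }
    '
}

# Demo on the constructed sample; on a real box run, for example:
#   pam_lint < /etc/pam.d/system-auth
printf '%s\n' "$SAMPLE_PAM" | pam_lint
```

Run it over /etc/pam.d/system-auth, /etc/pam.d/passwd and /etc/pam.d/su after editing them; the two nullok hits it reports on the sample come straight from the stack above, so decide deliberately whether empty passwords are acceptable on a lab machine before rebooting.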

SUDO

In the following, you can change the default editor to anything, but for simplicity's sake we're going with nano. You can also use Vim, Emacs, etc., but a simple text editor is better. The default is vi, which I hate.

export EDITOR=nano
visudo

and add the following:

%admins ALL=(ALL) ALL
%maintainers ALL=(ALL) ALL
%users ALL=(ALL) ALL

NFS

pacman -S ntp nfs-utils

kadmin: note this only works on machines that already have principals defined (cosi-01 through cosi-08 and the servers).

Also note that you need to use your admin principal, which means you need to have one. The ktadd line is entered at the kadmin prompt.

kadmin -p <username>/admin
ktadd host/<machine-name>.cslabs.clarkson.edu

add this to fstab:

128.153.145.10:/storage/	/mnt	nfs	vers=3,sec=krb5i,nolock,x-systemd.automount	0	0

More Packages

Install apacman for convenient AUR access

pacman -S jshon
git clone https://github.com/oshazard/apacman.git
cd apacman
./apacman -S apacman

Debugging

General Questions

  • The kernel is not recognizing that I have changed the partition table or the partitions that I have made!

Solution: Reboot into the live disk again. It will be there.

  • It won't boot!

Solution:

- Did you install grub?

- Did you tell it to install to the root of the device and not the partition? (/dev/sda NOT /dev/sda1)

- Does your computer use UEFI? These instructions only work for MBR

- Did you leave 1M (or more, up to 8M if you feel like that's not right) free at the beginning of the disk, before the first partition? Make sure you did this right in parted, or you will need to make a new partition table or delete the first partition to redo it.

- Does your BIOS even boot from the hard drive? If you're using a flash drive, make sure that USB boot is enabled and that the computer can even handle it (try PLOP or SMARTBOOT if you can't seem to find the setting but CD boot works fine).

  • I get GRUB RESCUE>

Solution: Install GRUB, silly. You need it to boot. Go put the live disk in, mount and arch-chroot into your system, then install grub. Don't forget to configure it, either.

  • I can't seem to find my hardware, it's not working!

Solution: run lsusb and see whether your device is listed. If it isn't, there is a problem with the hardware; if it is, you need a driver.

  • I seem to be typing my password in a lot.

Solution: either you have broken (rekt) PAM, in which case use GRUB to boot to single-user mode, log in as root and fix it, or you are discovering that you really do need to enter it multiple times. Either way, see PAM above.

  • getent passwd doesn't list LDAP users.

Solution: check your connection to Talos, or adjust the OpenLDAP (and nss-pam-ldapd) configuration; see https://wiki.archlinux.org/index.php/OpenLDAP

ldapsearch is your friend, but be sure that you use ldaps:// in ALL cases.

Network Stack

If you have all NO-CARRIER links, there are three things you can do:

  • Check cables
  • Get drivers (use a USB drive with the driver packages)
  • Get rekt, reboot and install a new networking card