COSI Arch Build

From CSLabsWiki
Revision as of 00:08, 17 September 2018 by Jared (talk | contribs) (AUR (apacman))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
COSI Arch Build
Contact Person: Jared Dunbar
Last Update: May 2017
Services: Arch Linux Image for COSI


The COSI Arch Build has been attempted in the past, with failures tending to cause people to resort to other operating systems for the lab build.

It is used on a handful of servers with decent levels of success wherever LDAP is not necessary (specifically where PAM is not involved).

Installation

Get the Arch ISO from your favorite local mirror, burn it to something with some software (dd is good) and start it up.

To start, try pinging google (8.8.8.8) or mirror (128.153.145.19). If that fails, jump to Network Stack really quick and then get back up here.

At any point, if you have a problem with something, check the Troubleshooting section below, otherwise check the official Arch Wiki.

Set HW Clock

Check that the system clock is set up right. If you use man, you will also find information that allows you to set the timezone, but that's not strictly necessary.

This command enables periodic syncs of the RTC with time servers 

timedatectl set-ntp true

Configure Partitons

Determine what drive you want to use - this can be hard, but using volume sizes should make it easier to tell. 

lsblk

In this case it was /dev/sda

Start up parted and begin partitioning the disks. 

parted /dev/sda

mklabel msdos
mkpart primary ext4 1M 280G
quit

(this makes a partition table, then makes a partition, and then commits the changes)

Format the disk as ext4. Say yes if it complains to continue to format. 

mkfs.ext4 /dev/sda1

And mount that partition. 

mount /dev/sda1 /mnt

Set up Mirrors

If you are running x64, we fetch Arch from mirror. Otherwise you will need to find a mirror that does your architecture (such as 32 bit, or ARM). 

vim /etc/pacman.d/mirrorlist

Add this line: 

Server = http://mirror.clarkson.edu/archlinux/$repo/os/$arch

This file will automatically be applied to the new system as well. Don't wase your time copying it.

Installation

Pacstrap

Start up pacstrap and install the base system. Make sure that you have mounted the partition to start installing to.

(this will install the base system, development utilities that are needed to maintain the base system, vim (a text editor), htop (a colorful version of top), grub (the bootloader), nano (another editor), wget (a file downloader, alternatively install curl), git (a version control system, useful for the AUR), and the SSH Server/Client (for remoting into the system) 

pacstrap /mnt base base-devel vim htop grub nano wget git openssh

Now wait as the system is downloaded then installed. If you set your mirror to Clarkson Mirror (and have decent hardware and internet), this is a matter of seconds.

Generate FSTAB

The FSTAB is a file used to determine what partitions to mount on system startup. The command below generates it automagically. 

genfstab -U /mnt > /mnt/etc/fstab

Change Root

Change root, which puts us from being in the CD bootstrapping environment into the actual new system. 

arch-chroot /mnt /bin/bash

Configuration

Set Timezone

Default timezone for COSI 

tzselect
2
49
1
1

Locale Generation

Relevant locales in /etc/locale.gen should be uncommented and the 

locale-gen

command should be run.

/etc/locale.conf should be edited to contain the following line: 

LANG=en_US.UTF-8

Set up Grub

If you want to find other os's, use pacman to install os prober: 

pacman -S os-prober

Install GRUB to the MBR. 

grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

Set the Hostname

Set the hostname (ex, cosi-3) 

vim /etc/hostname

Network Stack

Do this after you have rebooted once (or enable the correct ethernet interface for the next reboot if you are still in the live image)

Let's make some network! 

ip l

This (above) is a list of the current NIC's

Now, pick one either at random or one that doesn't say NO-CARRIER (and that is not lo) and enable it! (If you only have lo or nothing without with NO-CARRIER other than lo, you have a problem) 


systemctl enable dhcpcd@enp2s0

Warning! Don't run systemctl start dhcpcd@* while in the chroot! It also only applies while the system is running (use enable to start it on boot), and usually the live disk establishes the internet for you when you're in live mode. 

systemctl start dhcpcd@enp2s0

... and you should now have a link (the DHCP client daemon will get a dynamic lease for an IP). 

ip a

... should show you the IP and the MAC address, as well as other information. If you have an IP (that is not a link-local ipv6 address), you are done with the network stack!


Set the root password

passwd

Finish

exit
reboot

More Fun!

At this point, if you haven't rebooted, you should. If you accidentally derped with the partitioning and such, you would rather know now before you install fancy stuff that takes a while than know after you try rebooting into the system only to discover that GRUB didn't work or something else along those lines and that you lost all of your precious time and effort.

Try not to get frustrated if this didn't work so far. Check out the Arch Linux beginners guide for help and instructions.

Here we go!

CSGUEST user

Let's make a local user for CSGUEST! 

useradd csguest
passwd csguest

Install sudo 

pacman -S sudo

Edit the sudoers file and remove the comment in front of the %sudo so that the sudo group can sudo. 

export EDITOR=vim
visudo

(set the default EDITOR to vim, then execute the program that safely edits the sudoers file)

If the sudo group doesn't exist, create it. 

groupadd sudo

Add CSGUEST to the sudo group. 

gpasswd -a csguest sudo

X Server

This is another fun one! This will install xfce4, a lightweight desktop environment, and lxdm, a lightweight desktop environment manager (better known as a display manager) - lxdm stands for Light X Display Manager 

pacman -Syu
pacman -S xfce4 xfce4-goodies lxdm

Select all prerequisites

Enable LXDM (to enable automatic starting of the X server and graphical login prompts) 

systemctl enable lxdm

Edit the config file to enable capslock, change default session to startxfce4 and disable user listing (depending upon what you are doing, you may not need these options). 

vim /etc/lxdm/lxdm.conf

Install missing fonts to your system (these are more important than you think) 

pacman -S ttf-bitstream-vera ttf-inconsolata ttf-ubuntu-font-family ttf-dejavu ttf-freefont ttf-linux-libertine ttf-liberation --noconfirm

Get a browser (and arandr - a display resolution manager) 

pacman -S firefox arandr

Audio (alsa & pulse)

Pulse Audio is used as the audio server. It just.. works. 

pacman -S pulseaudio pulseaudio-equalizer pamixer pavucontrol pulseaudio-alsa

Active Directory

Here's where things get hairy!

LDAP client

Get the COSI Certs!

Get this:

https://talos.cslabs.clarkson.edu/cosi_ca.crt

and then put it at /etc/ssl/certs and then add that into the /etc/nslcd.conf as the ca certificate directory

nss-ldap

pacman -S nss-pam-ldapd openldap

vim /etc/nsswitch.conf

Add ldap (without quotes) to the end of the passwd, group, and shadow lines. 

vim /etc/nslcd.conf

uri: 

uri ldaps://128.153.145.3

base: 

base dc=cslabs,dc=clarkson,dc=edu

And now.. 

systemctl enable nslcd.service
systemctl start nslcd.service

krb5

pacman -S pam-krb5

And edit the configuration file

Add these lines under their respective locations, and replace the default line at the top with CSLABS. 

[realms]
	CSLABS.CLARKSON.EDU = {
		kdc = talos.cslabs.clarkson.edu
		admin_server = talos.cslabs.clarkson.edu
		default_domain = cslabs.clarkson.edu
	}
[domain_realm]
	.cslabs.clarkson.edu = CSLABS.CLARKSON.EDU
	cslabs.clarkson.edu = CSLABS.CLARKSON.EDU

[libdefaults]
	default_realm = CSLABS.CLARKSON.EDU

PAM

WARNING - THIS IS BUGGY!

Modify this file to look exactly like this (baring updates to the system configuration) 

vim /etc/pam.d/passwd

#%PAM-1.0
password	sufficient	pam_ldap.so
password	sufficient	pam_krb5.so
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so sha512 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok

vim /etc/pam.d/system-auth

#%PAM-1.0

auth      sufficient  pam_krb5.so
auth      sufficient  pam_ldap.so
auth      required  pam_unix.so     nullok try_first_pass
auth      optional  pam_permit.so
auth      required  pam_env.so

account   sufficient  pam_krb5.so
account   sufficient  pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  sufficient pam_krb5.so
password  sufficient pam_ldap.so
password  sufficient pam_unix.so     nullok try_first_pass sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_krb5.so
session   optional  pam_ldap.so
session   optional  pam_permit.so

make sure to hardlink su-l to su before continuing 

mv /etc/pam.d/su-l /etc/pam.d/su-l-old
ln /etc/pam.d/su /etc/pam.d/su-l

vim /etc/pam.d/su

#%PAM-1.0
auth		sufficient	pam_ldap.so
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so use_first_pass
account		sufficient	pam_krb5.so
account		sufficient	pam_ldap.so
account		required	pam_unix.so
session		sufficient	pam_krb5.so
session		sufficient	pam_ldap.so
session		required	pam_unix.so

SUDO

In the following, you can change the default editor to anything, but for simplicity's sake, we're going with NANO. You can also use Vim, Emacs, etc.. but a simple text editor is better. Default is VI which I hate. 

export EDITOR=vim
visudo

and add the following (this is only for the lab builds - these are related to LDAP groups): 

%admins ALL=(ALL) ALL
%maintainers ALL=(ALL) ALL
%users ALL=(ALL) ALL

NFS

pacman -S ntp nfs-utils

kadmin - note this only works on machines that already have defined tickets (cosi-01 through cosi-08 and servers)

Also good to note is that you need to use the admin principle, and you need to have the admin principle 

ktadmin -p <username>/admin
ktadd host/<machine-name>.cslabs.clarkson.edu

add this to fstab:

This part is out of date! We use NFS v4 now 

128.153.145.10:/storage/	/mnt	nfs	vers=3,sec=krb5i,nolock,x-systemd.automount	0	0

More Packages

AUR (yay)

Install yay for convenient AUR access 

pacman -Syu go
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -i

Debugging

General Questions

  • The kernel is not recognizing that I have changed the partition table or the partitions that I have made!

Solution: Reboot into the live disk again. It will be there.

  • It won't boot!

Solution:

- Did you install grub?

- Did you tell it to install to the root of the device and not the partition? (/dev/sda NOT /dev/sda1)

- Does your computer use UEFI? These instructions only work for MBR

- Did you leave 1M at the beginning of the partition? Make sure you did this right when you did parted or you will need to make a new partition table or delete the first partition to redo it..

- Does your BIOS even do to the hard drive? If you're using a flash drive, make sure that USB is enabled and that the computer can even handle it (sometimes you can try PLOP if you can't seem to find the setting but CD boot works fine)

  • I get GRUB RESCUE>

Solution: You forgot to configure GRUB. Run grub-mkconfig -o /boot/grub/grub.cfg from the live image chroot.

  • I can't seem to find my hardware, it's not working!

Solution: run lsusb, lsblk, and lspci and determine if there is your device there. If it's not, there is a problem with the hardware or you need a driver (or both), and also check the /sys filesystem for any pieces of hardware (/sys/class/devices is really handy for that)

LDAP

  • I seem to be typing my password in a lot.

Solutin: You either have rekt PAM and you need to use grub to get to single user logon and enter root and fix this, or you are discovering that you need to enter it multiple times. Either way, see PAM above, after adding init=/bin/bash to the linux line in GRUB (press E to edit, and then follow the instructions to boot, usually F10

  • getent passwd doesn't list LDAP users.

Solution: You need to check your connection to Talos, or play with configurations for openLDAP (and nss-pam-ldapd)

ldapsearch is your friend, but be sure that you use ldaps:// in ALL cases.

Network Stack

If you have all NO-CARRIER links, there are three things you can do:

  • Check cables
  • Get drivers (use a USB drive with the driver packages on them, and then install, then reboot after installing them for safe measure)
  • Try different hardware
Retrieved from "http://docs.cslabs.clarkson.edu/mediawiki/index.php?title=COSI_Arch_Build&oldid=8699"