COSI Arch Build
Contact Person: Jared Dunbar
Last Update: May 2017
Services: Arch Linux Image for COSI
The COSI Arch Build has been attempted in the past, with failures tending to cause people to resort to other operating systems for the lab build.
It is used on a handful of servers with decent levels of success wherever LDAP is not necessary (specifically where PAM is not involved).
Installation
Get the Arch ISO from your favorite local mirror, burn it to something with some software (dd is good) and start it up.
To start, try pinging google (8.8.8.8) or mirror (128.153.145.19). If that fails, jump to Network Stack really quick and then get back up here.
At any point, if you have a problem with something, check the Troubleshooting section below, otherwise check the official Arch Wiki.
Set HW Clock
Check that the system clock is set up right. If you read the man page for timedatectl, you will also find information that allows you to set the timezone, but that's not strictly necessary.
This command enables periodic syncs of the RTC with time servers
timedatectl set-ntp true
Configure Partitions
Determine what drive you want to use - this can be hard, but using volume sizes should make it easier to tell.
lsblk
In this case it was /dev/sda
Start up parted and begin partitioning the disks.
parted /dev/sda
mklabel msdos
mkpart primary ext4 1M 280G
quit
(this makes a partition table, then makes a partition, and then commits the changes)
Format the disk as ext4. Say yes if it complains to continue to format.
mkfs.ext4 /dev/sda1
And mount that partition.
mount /dev/sda1 /mnt
Set up Mirrors
If you are running x64, we fetch Arch from mirror. Otherwise you will need to find a mirror that does your architecture (such as 32 bit, or ARM).
vim /etc/pacman.d/mirrorlist
Add this line:
Server = http://mirror.clarkson.edu/archlinux/$repo/os/$arch
This file will automatically be applied to the new system as well. Don't waste your time copying it.
Installation
Pacstrap
Start up pacstrap and install the base system. Make sure that you have mounted the partition to start installing to.
(this will install the base system, development utilities that are needed to maintain the base system, vim (a text editor), htop (a colorful version of top), grub (the bootloader), nano (another editor), wget (a file downloader; alternatively install curl), git (a version control system, useful for the AUR), and the SSH server/client (for remoting into the system))
pacstrap /mnt base base-devel vim htop grub nano wget git openssh
Now wait as the system is downloaded then installed. If you set your mirror to Clarkson Mirror (and have decent hardware and internet), this is a matter of seconds.
Generate FSTAB
The FSTAB is a file used to determine what partitions to mount on system startup. The command below generates it automagically.
genfstab -U /mnt > /mnt/etc/fstab
Change Root
Change root, which puts us from being in the CD bootstrapping environment into the actual new system.
arch-chroot /mnt /bin/bash
Configuration
Set Timezone
Default timezone for COSI
tzselect
(answer 2, 49, 1, 1 at its prompts; that is the default timezone for COSI)
Locale Generation
Relevant locales in /etc/locale.gen should be uncommented and the locale-gen command should be run.
locale-gen
/etc/locale.conf should be edited to contain the following line:
LANG=en_US.UTF-8
Set up Grub
If you want GRUB to find other operating systems, use pacman to install os-prober:
pacman -S os-prober
Install GRUB to the MBR.
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
Set the Hostname
Set the hostname (e.g. cosi-3)
vim /etc/hostname
Network Stack
Do this after you have rebooted once (or enable the correct ethernet interface for the next reboot if you are still in the live image)
Let's make some network!
ip l
This (above) lists the current NICs.
Now, pick one either at random or one that doesn't say NO-CARRIER (and that is not lo) and enable it! (If you only have lo, or every interface other than lo shows NO-CARRIER, you have a problem.)
systemctl enable dhcpcd@enp2s0
Warning! Don't run systemctl start dhcpcd@* while in the chroot! start only applies while the system is running (use enable to start it on boot), and usually the live disk establishes the internet for you when you're in live mode.
systemctl start dhcpcd@enp2s0
... and you should now have a link (the DHCP client daemon will get a dynamic lease for an IP).
ip a
... should show you the IP and the MAC address, as well as other information. If you have an IP (that is not a link-local ipv6 address), you are done with the network stack!
Set the root password
passwd
Finish
exit
reboot
More Fun!
At this point, if you haven't rebooted, you should. If you accidentally derped with the partitioning and such, you would rather know now before you install fancy stuff that takes a while than know after you try rebooting into the system only to discover that GRUB didn't work or something else along those lines and that you lost all of your precious time and effort.
Try not to get frustrated if this didn't work so far. Check out the Arch Linux beginners guide for help and instructions.
Here we go!
CSGUEST user
Let's make a local user for CSGUEST!
useradd csguest
passwd csguest
Install sudo
pacman -S sudo
Edit the sudoers file and remove the comment in front of the %sudo so that the sudo group can sudo.
export EDITOR=vim
visudo
(set the default EDITOR to vim, then execute the program that safely edits the sudoers file)
If the sudo group doesn't exist, create it.
groupadd sudo
Add CSGUEST to the sudo group.
gpasswd -a csguest sudo
X Server
This is another fun one! This will install xfce4, a lightweight desktop environment, and lxdm, a lightweight desktop environment manager (better known as a display manager) - lxdm stands for Light X Display Manager
pacman -Syu
pacman -S xfce4 xfce4-goodies lxdm
Select all prerequisites
Enable LXDM (to enable automatic starting of the X server and graphical login prompts)
systemctl enable lxdm
Edit the config file to enable capslock, change default session to startxfce4 and disable user listing (depending upon what you are doing, you may not need these options).
vim /etc/lxdm/lxdm.conf
Install missing fonts to your system (these are more important than you think)
pacman -S ttf-bitstream-vera ttf-inconsolata ttf-ubuntu-font-family ttf-dejavu ttf-freefont ttf-linux-libertine ttf-liberation --noconfirm
Get a browser (and arandr - a display resolution manager)
pacman -S firefox arandr
Audio (alsa & pulse)
PulseAudio is used as the audio server. It just works.
pacman -S pulseaudio pulseaudio-equalizer pamixer pavucontrol pulseaudio-alsa
Active Directory
Here's where things get hairy!
LDAP client
Get the COSI Certs!
Get https://talos.cslabs.clarkson.edu/cosi_ca.crt, put it at /etc/ssl/certs, and then add that into /etc/nslcd.conf as the CA certificate directory.
nss-ldap
pacman -S nss-pam-ldapd openldap
vim /etc/nsswitch.conf
Add ldap (without quotes) to the end of the passwd, group, and shadow lines.
vim /etc/nslcd.conf
Set the uri:
uri ldaps://128.153.145.3
and the base:
base dc=cslabs,dc=clarkson,dc=edu
And now..
systemctl enable nslcd.service
systemctl start nslcd.service
krb5
pacman -S pam-krb5
And edit the configuration file, /etc/krb5.conf.
Add these lines under their respective sections, and replace the default realm line at the top with CSLABS.
[realms]
CSLABS.CLARKSON.EDU = {
    kdc = talos.cslabs.clarkson.edu
    admin_server = talos.cslabs.clarkson.edu
    default_domain = cslabs.clarkson.edu
}
[domain_realm]
.cslabs.clarkson.edu = CSLABS.CLARKSON.EDU
cslabs.clarkson.edu = CSLABS.CLARKSON.EDU
[libdefaults]
default_realm = CSLABS.CLARKSON.EDU
PAM
WARNING - THIS IS BUGGY!
Modify this file to look exactly like this (barring updates to the system configuration)
vim /etc/pam.d/passwd
#%PAM-1.0
password sufficient pam_ldap.so
password sufficient pam_krb5.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok
vim /etc/pam.d/system-auth
#%PAM-1.0
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_krb5.so
password sufficient pam_ldap.so
password sufficient pam_unix.so nullok try_first_pass sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
session optional pam_permit.so
Make sure to hardlink su-l to su before continuing:
mv /etc/pam.d/su-l /etc/pam.d/su-l-old
ln /etc/pam.d/su /etc/pam.d/su-l
vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so use_first_pass
account sufficient pam_krb5.so
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_krb5.so
session sufficient pam_ldap.so
session required pam_unix.so
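The nss-ldap and PAM sections above are the two places where a single mistyped token quietly weakens authentication, so here is an added example (my own shell script, not part of the COSI page or of the Arch build) that audits both from constructed input: it checks an nslcd.conf for an ldaps:// uri, a base, a CA certificate setting and strict certificate checking, and checks the auth stack of a system-auth file for nullok (which accepts empty local passwords), for a required pam_unix.so line, and for a sufficient pam_permit.so. The option names tls_cacertfile and tls_reqcert are real nslcd.conf(5) options that the page does not show; every file body below, the weak nslcd variant and the fixed PAM variant included, is constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original COSI wiki page): a small, offline
# audit of the two client-side settings this page asks you to hand-edit, the
# nslcd.conf LDAP client settings and the PAM auth stack. All file contents
# below are CONSTRUCTED samples; the option names (uri, base, tls_cacertfile,
# tls_reqcert) are real nslcd.conf(5) options, but the values are this page's
# and this example's, not verified production settings.

# Constructed nslcd.conf: the uri/base from the page plus the CA cert the page
# tells you to download, pinned with tls_reqcert demand.
SAMPLE_NSLCD='uid nslcd
gid nslcd
uri ldaps://128.153.145.3
base dc=cslabs,dc=clarkson,dc=edu
tls_cacertfile /etc/ssl/certs/cosi_ca.crt
tls_reqcert demand'

# Constructed weak variant: plain ldap://, no CA file, verification disabled.
SAMPLE_NSLCD_WEAK='uri ldap://128.153.145.3
base dc=cslabs,dc=clarkson,dc=edu
tls_reqcert never'

# Constructed copy of the auth stack from the page's /etc/pam.d/system-auth.
SAMPLE_PAM='#%PAM-1.0
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass
auth optional pam_permit.so
auth required pam_env.so'

# Same stack with nullok dropped, so empty local passwords are refused.
SAMPLE_PAM_FIXED='#%PAM-1.0
auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
auth optional pam_permit.so
auth required pam_env.so'

# audit_nslcd CONTENT: prints findings on stderr, the finding count on stdout.
audit_nslcd() {
    conf=$1
    n=0
    if ! printf '%s\n' "$conf" | grep -qE '^uri[[:space:]]+'; then
        echo "nslcd: no uri line" >&2; n=$((n + 1))
    elif printf '%s\n' "$conf" | grep -E '^uri[[:space:]]+' | grep -qvE '^uri[[:space:]]+ldaps://'; then
        echo "nslcd: a uri line does not use ldaps:// (bind credentials would go in clear text)" >&2; n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^base[[:space:]]+'; then
        echo "nslcd: no base line" >&2; n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^tls_cacert(file|dir)[[:space:]]+'; then
        echo "nslcd: no tls_cacertfile/tls_cacertdir, so the server certificate cannot be checked" >&2; n=$((n + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^tls_reqcert[[:space:]]+(demand|hard)[[:space:]]*$'; then
        echo "nslcd: tls_reqcert is not demand/hard, so a bad certificate is tolerated" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# audit_pam CONTENT: same contract, for the auth stack of a pam.d file.
audit_pam() {
    conf=$1
    n=0
    # Drop comment lines, keep only the auth stack ("|| true" keeps set -e callers alive).
    auth=$(printf '%s\n' "$conf" | grep -vE '^[[:space:]]*#' | grep -E '^auth[[:space:]]' || true)
    if printf '%s\n' "$auth" | grep -qE 'pam_unix\.so.*nullok'; then
        echo "pam: nullok on pam_unix.so lets local accounts with an empty password log in" >&2; n=$((n + 1))
    fi
    if ! printf '%s\n' "$auth" | grep -qE '^auth[[:space:]]+required[[:space:]]+pam_unix\.so'; then
        echo "pam: no 'auth required pam_unix.so' line, local auth is not enforced" >&2; n=$((n + 1))
    fi
    if printf '%s\n' "$auth" | grep -qE '^auth[[:space:]]+sufficient[[:space:]]+pam_permit\.so'; then
        echo "pam: 'auth sufficient pam_permit.so' authenticates everyone" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Stand-alone run: audit the constructed samples.
echo "findings in page nslcd.conf:   $(audit_nslcd "$SAMPLE_NSLCD")"
echo "findings in weak nslcd.conf:   $(audit_nslcd "$SAMPLE_NSLCD_WEAK")"
echo "findings in page system-auth:  $(audit_pam "$SAMPLE_PAM")"
echo "findings in fixed system-auth: $(audit_pam "$SAMPLE_PAM_FIXED")"
```

To run it against a live box, pass "$(cat /etc/nslcd.conf)" to audit_nslcd and "$(cat /etc/pam.d/system-auth)" to audit_pam; a non-zero count is something to fix before you reboot into LDAP logins. Note that the page's own system-auth scores one finding (nullok), which is exactly the sort of thing the "THIS IS BUGGY" warning is about.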
SUDO
In the following, you can change the default editor to anything, but for simplicity's sake, we're going with NANO. You can also use Vim, Emacs, etc., but a simple text editor is better. Default is VI which I hate.
export EDITOR=vim
visudo
and add the following (this is only for the lab builds - these are related to LDAP groups):
%admins ALL=(ALL) ALL
%maintainers ALL=(ALL) ALL
%users ALL=(ALL) ALL
NFS
pacman -S ntp nfs-utils
kadmin - note this only works on machines that already have defined tickets (cosi-01 through cosi-08 and servers)
Also good to note is that you need to use the admin principal, and you need to have an admin principal.
kadmin -p <username>/admin ktadd host/<machine-name>.cslabs.clarkson.edu
Add this to fstab (this part is out of date! We use NFS v4 now):
128.153.145.10:/storage/ /mnt nfs vers=3,sec=krb5i,nolock,x-systemd.automount 0 0
More Packages
AUR (yay)
Install yay for convenient AUR access
pacman -Syu go
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -i
Debugging
General Questions
- The kernel is not recognizing that I have changed the partition table or the partitions that I have made!
Solution: Reboot into the live disk again. It will be there.
- It won't boot!
Solution:
- Did you install grub?
- Did you tell it to install to the root of the device and not the partition? (/dev/sda NOT /dev/sda1)
- Does your computer use UEFI? These instructions only work for MBR
- Did you leave 1M at the beginning of the partition? Make sure you did this right when you did parted or you will need to make a new partition table or delete the first partition to redo it..
- Does your BIOS even boot from the hard drive? If you're using a flash drive, make sure that USB boot is enabled and that the computer can even handle it (sometimes you can try PLOP if you can't seem to find the setting but CD boot works fine)
- I get GRUB RESCUE>
Solution: You forgot to configure GRUB. Run grub-mkconfig -o /boot/grub/grub.cfg from the live image chroot.
- I can't seem to find my hardware, it's not working!
Solution: run lsusb, lsblk, and lspci and determine if your device is there. If it's not, there is a problem with the hardware or you need a driver (or both); also check the /sys filesystem for any pieces of hardware (/sys/class/devices is really handy for that).
LDAP
- I seem to be typing my password in a lot.
Solution: You either have broken PAM and you need to use GRUB to get to single user logon and enter root and fix this, or you are discovering that you need to enter it multiple times. Either way, see PAM above, after adding init=/bin/bash to the linux line in GRUB (press E to edit, and then follow the instructions to boot, usually F10).
- getent passwd doesn't list LDAP users.
Solution: You need to check your connection to Talos, or play with configurations for openLDAP (and nss-pam-ldapd)
ldapsearch is your friend, but be sure that you use ldaps:// in ALL cases.
Network Stack
If you have all NO-CARRIER links, there are three things you can do:
- Check cables
- Get drivers (use a USB drive with the driver packages on it, install them, then reboot after installing them for good measure)
- Try different hardware