Ubuntu: Difference between revisions

From DaqWiki
Line 375: Line 375:
</IfModule>
</IfModule>
</pre>
</pre>
* stop apache2 from listening on port 80: edit /etc/apache2/ports.conf, comment-out the line "Listen 80"
* stop apache2 from listening on port 80: edit /etc/apache2/ports.conf, comment-out the line "Listen 80"
* enable ssl module
* enable new configurations
* check that there are no syntax problems
<pre>
a2enmod ssl
a2enmod headers
a2enconf ssl-daq14
a2ensite daq14-ssl
apache2ctl configtest
</pre>
* enable and start apache2:
<pre>
systemctl enable apache2
systemctl restart apache2
systemctl status apache2
</pre>
* apache2 may fail to start, look in /var/log/apache2/error.log and /var/log/apache2/daq14.log
* if it says "Failed to configure ... certificate", proceed to the step for setting certbot.
* try to access https://daq14.triumf.ca
** you should see a complaint about self-signed certificate
** you should see a request for password (do not login yet)
** if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, look at documentation for ufw.


= Update packages =
= Update packages =
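Review bot: the command block that follows the bullets "enable ssl module", "enable new configurations" and "check that there are no syntax problems" also runs "a2enmod headers", which none of the bullets mentions; add a bullet such as "enable headers module" so the list and the commands agree and a reader typing the steps by hand does not skip it. The last bullet sends the reader to the ufw documentation for the "connection refused" case without naming the rule; spelling it out inline (for example "ufw allow 443/tcp") would make the step self-contained.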

Revision as of 23:56, 11 July 2019

About Ubuntu

AAA


Ubuntu version

lsb_release -a
uname -a

Install instructions

prepare

apt-get update
apt-get upgrade

install time synchronization

apt-get -y install chrony
echo server time1 iburst >> /etc/chrony/chrony.conf
echo server time2 iburst >> /etc/chrony/chrony.conf
echo server time3 iburst >> /etc/chrony/chrony.conf
systemctl disable systemd-timesyncd.service
systemctl stop systemd-timesyncd.service
systemctl disable ntp
systemctl stop ntp
systemctl enable chrony
systemctl restart chrony
chronyc sources
chronyc tracking

install email server

dpkg-reconfigure postfix ### or
apt-get install postfix ### select "satellite system", enter full hostname "xxx.triumf.ca", enter "smtp.triumf.ca"
echo olchansk@triumf.ca >> ~root/.forward
mailx root
test
^D

install missing packages

yes | apt-get -y install ssh
yes | apt-get -y install git subversion g++
yes | apt-get -y install libz-dev sqlite sqlite3 libsqlite3-dev libmysqlclient-dev unixodbc-dev
yes | apt-get -y install sqliteman
yes | apt-get -y install libssl-dev
yes | apt-get -y install sysstat smartmontools # also installs postfix
yes | apt-get -y install emacs xemacs21
yes | apt-get -y install mutt # email client
yes | apt-get -y install liblz4-tool pbzip2
yes | apt-get -y install libc6-dev-i386 # otherwise no /usr/include/sys/types.h
yes | apt-get -y install libreadline-dev
yes | apt-get -y install chromium-browser chromium-codecs-ffmpeg-extra
yes | apt-get -y install ubuntu-mate-themes
yes | apt-get -y install minicom
yes | apt-get -y install screen

install ganglia

yes | apt-get -y install ganglia-monitor
systemctl enable ganglia-monitor
cd ~root/git/scripts
git pull
cp etc/gmond-ubuntu.conf /etc/ganglia/gmond.conf
systemctl restart ganglia-monitor
systemctl status ganglia-monitor
ps -efw | grep gmond

install gonodeinfo

yes | apt-get -y install golang
mkdir ~/git
cd ~/git
git clone https://bitbucket.org/dd1/gonodeinfo.git
cd gonodeinfo
git pull
make
make install # install gonodeinfo agent
cd ~ # this is important
  • edit /etc/gonodeinfo.conf
  • change "Description", "Location", "User" and "Administrator" as appropriate (or delete them)
  • change "Servers" to read: Servers: ladd00.triumf.ca:8601
  • run gonodeinfo
  • if the error is "connection refused", go to the nodeinfo server to add this client to the access control list:
  • on the gonodeinfo server: run gonodereceive -a daq13
  • try gonodeinfo again, there should be no error
  • on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now

install libz.so.1 for CentOS compatibility

yes | apt-get -y install zlib1g
yes | apt-get -y install zlib1g:i386 libc6:i386 libgcc1:i386 gcc-6-base:i386

install libpng12.so.0 for Quartus compatibility

(does not work anymore!!!)

wget http://ftp.ca.debian.org/debian/pool/main/libp/libpng/libpng12-0_1.2.50-2+deb8u2_amd64.deb
dpkg --install libpng12-0_1.2.50-2+deb8u2_amd64.deb

install packages for building ROOT

apt-get -y install libx11-dev libxpm-dev libxft-dev libxext-dev libpng-dev libjpeg-dev xlibmesa-glu-dev libxml2-dev libgsl-dev cmake

install desktop environments

  • install MATE desktop
yes | apt-get -y install ubuntu-mate-core ubuntu-mate-desktop
yes | apt-get -y install ubuntu-mate-themes
  • install Cinnamon desktop
### not needed 18.04 LTS ### add-apt-repository ppa:embrosyn/cinnamon
yes | apt update
yes | apt-get -y install cinnamon
  • install KDE desktop
yes | apt-get -y install kubuntu-desktop
  • install Lxqt desktop
yes | apt-get -y install lxqt
  • install Xfce4 desktop
yes | apt-get -y install xfce4

install ROOT

Please install ROOT per instructions at http://root.cern.ch.

NOTE1: The ROOT package available from Ubuntu repositories is severely out of date and cannot be used with MIDAS and ROOTANA. ### DO NOT DO THIS! apt-get install root-system

NOTE2: as of 2017-Jan-09, ROOT binary kits for Ubuntu do not work (use GCC 5 instead of GCC6), build from source instead.

Install x2go

x2go instructions, thanks to Art O.

add-apt-repository ppa:x2go/stable
apt-get update
apt-get install x2goserver x2goserver-xsession

Post installation

  • setup hostname
xemacs -nw /etc/hostname ### add .triumf.ca to the hostname if it is missing
  • install Konstantin's scripts
mkdir ~root/git
cd ~root/git
git clone https://ladd00.triumf.ca/~olchansk/git/scripts.git
cd scripts
git pull
  • enable root login from ladd00
ssh localhost
CTRL-C
/bin/cp ~root/git/scripts/etc/authorized_keys ~root/.ssh/
  • enable automatic updates 1
sudo apt-get install unattended-upgrades
edit /etc/apt/apt.conf.d/50unattended-upgrades ### uncomment "-updates", uncomment "::Mail "root"", uncomment allowed-origins -security and -updates
  • enable automatic updates 2

add this to /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

NIS instructions

  • apt-get -y install portmap nis ### will ask for NIS domain (LADD-NIS)
  • ypwhich -m
  • edit /etc/default/nis
    • set "NISSERVER=slave"
    • set "YPSERVARGS=-p800"
  • edit /etc/yp.conf, comment-out everything, add "domain LADD-NIS server localhost"
  • /usr/lib/yp/ypinit -s ladd00
  • systemctl restart nis
  • ypwhich -m
  • ypcat -k passwd
  • apt-get -y install autofs
  • systemctl enable autofs
  • vi /etc/nsswitch.conf ### add the automount line, modify the passwd, group and shadow lines to read this:
passwd: files nis
group: files nis
shadow: files nis
automount:  files nis
  • systemctl restart autofs
  • enable hourly update of NIS maps
cd ~/git/scripts/etc
git pull
ln -s $PWD/ypxfr-cron-hourly /etc/cron.hourly
  • ### NOT NEEDED sudo vi /etc/idmapd.conf ### add line: "Domain = triumf.ca"
  • reboot

Fix systemd NIS breakage

There is a delay in ssh logins for normal users. "ssh -v" shows the delay is after "pledge...". This fix removes the delay.

systemd developers think that we should not use NIS and made sure there are problems if we do. To give them credit, they do offer a workaround. Read this: https://github.com/poettering/systemd/commit/695fe4078f0df6564a1be1c4a6a9e8a640d23b67

mkdir /etc/systemd/system/systemd-logind.service.d
echo -e "[Service]\nIPAddressDeny=\n" > /etc/systemd/system/systemd-logind.service.d/local.conf
systemctl daemon-reload
systemctl cat systemd-logind.service

Install sddm display manager (DO NOT DO THIS)

  • apt-get install sddm
  • apt-get install sddm-theme-"*"
  • create sddm.conf:
root@daqubuntu:~# more /etc/sddm.conf
[Theme]
Current=maldives
root@daqubuntu:~# 
  • dpkg-reconfigure lightdm (select sddm)
  • reboot

Configure lightdm display manager

  • enable it
systemctl disable gdm
systemctl disable sddm
systemctl enable lightdm
  • make the MATE desktop the default
cd ~root/git/scripts/
git pull
/bin/cp -v etc/lightdm_default_mate.conf /etc/lightdm/lightdm.conf.d/
  • enable login by NIS users
/bin/cp -v etc/lightdm_enable_nis_login.conf /etc/lightdm/lightdm.conf.d/
  • restart lightdm
systemctl restart lightdm

Install libpng12.so.0

Quartus 16 needs libpng12:

wget http://mirrors.kernel.org/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.54-1ubuntu1_amd64.deb
dpkg --install libpng12-0_1.2.54-1ubuntu1_amd64.deb

Install google-chrome

Instructions from here: https://www.ubuntuupdates.org/ppa/google_chrome?dist=stable

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
apt-get update
apt-get install google-chrome-stable

Disable unwanted services

systemctl disable mpd
systemctl disable snapd
systemctl disable ModemManager

Install apache httpd proxy for midas and elog

This will configure the HTTPS/SSL certificate using "certbot" and "letsencrypt" and configure an HTTPS web server using apache2.

First, configure apache2:

  • execute these commands:
apt install apache2
cd /etc/apache2
  • create new file conf-available/ssl-daq14.conf # use actual hostname instead of daq14
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
  • create new file sites-available/daq14-ssl.conf # use actual hostname instead of daq14
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName daq14.triumf.ca
        DocumentRoot /var/www/html
        ErrorLog /var/log/apache2/daq14.log
        SSLEngine on
        # note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
        #ProxyPass /elog/ http://localhost:8082/ retry=1        ## use port specified in elogd.cfg
        #ProxyPass /      http://localhost:8080/ retry=1        ## use mhttpd port
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        <Location />
            SSLRequireSSL
            AuthType Basic
            AuthName "DAQ password protected site"
            Require valid-user
            # create password file: touch /etc/apache2/htpasswd
            # to add new user or change password: htpasswd /etc/apache2/htpasswd username
            AuthUserFile /etc/apache2/htpasswd
        </Location>
    </VirtualHost>
</IfModule>
  • stop apache2 from listening on port 80: edit /etc/apache2/ports.conf, comment-out the line "Listen 80"
  • enable ssl module
  • enable new configurations
  • check that there are no syntax problems
a2enmod ssl
a2enmod headers
a2enconf ssl-daq14
a2ensite daq14-ssl
apache2ctl configtest
  • enable and start apache2:
systemctl enable apache2
systemctl restart apache2
systemctl status apache2
  • apache2 may fail to start, look in /var/log/apache2/error.log and /var/log/apache2/daq14.log
  • if it says "Failed to configure ... certificate", proceed to the step for setting certbot.
  • try to access https://daq14.triumf.ca
    • you should see a complaint about self-signed certificate
    • you should see a request for password (do not login yet)
    • if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, look at documentation for ufw.
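
An offline check of the two files this section edits, as an added example that is not part of the wiki's own scripts: the function name `audit_apache_tls` and its finding codes are made up here, and the sample files are constructed from the configuration above. It also flags that "SSLProtocol all -SSLv2 -SSLv3" by itself still permits TLSv1 and TLSv1.1 unless the letsencrypt options file overrides it.

```shell
# Added example: function name and finding codes are this example's own.

# Print the active (non-comment, non-blank) lines with leading blanks removed.
active_lines() { sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"; }

# audit_apache_tls PORTS_CONF VHOST_CONF
# Prints one finding code per line; exit status 0 means no findings.
audit_apache_tls() {
    ports=$1; vhost=$2; findings=""
    # "stop apache2 from listening on port 80": no active Listen 80 or addr:80
    if active_lines "$ports" | grep -Eiq '^Listen[[:space:]]+([^[:space:]]+:)?80([[:space:]]|$)'; then
        findings="$findings LISTEN_80"
    fi
    active_lines "$vhost" | grep -Eiq '^SSLEngine[[:space:]]+on' || findings="$findings NO_SSLENGINE"
    active_lines "$vhost" | grep -Eiq '^SSLRequireSSL' || findings="$findings NO_SSLREQUIRESSL"
    active_lines "$vhost" | grep -Eiq '^Require[[:space:]]+valid-user' || findings="$findings NO_AUTH"
    active_lines "$vhost" | grep -Eiq '^Header[[:space:]].*Strict-Transport-Security' || findings="$findings NO_HSTS"
    # "SSLProtocol all" minus only SSLv2/SSLv3 keeps TLSv1 and TLSv1.1 permitted
    # unless a later include (the letsencrypt options file) overrides it.
    if active_lines "$vhost" | awk 'tolower($1) == "sslprotocol" {
            all = t10 = t11 = 0
            for (i = 2; i <= NF; i++) {
                f = tolower($i)
                if (f == "all" || f == "+all") all = 1
                if (f == "-tlsv1") t10 = 1
                if (f == "-tlsv1.1") t11 = 1
            }
            if (all && !(t10 && t11)) bad = 1
        } END { exit !bad }'; then
        findings="$findings LEGACY_TLS"
    fi
    for code in $findings; do echo "$code"; done
    [ -z "$findings" ]
}

# Constructed sample files (trimmed from the configuration on this page).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'Listen 80\n<IfModule ssl_module>\n    Listen 443\n</IfModule>\n' > "$demo/ports_before.conf"
sed 's/^Listen 80$/#Listen 80/' "$demo/ports_before.conf" > "$demo/ports_after.conf"
cat > "$demo/vhost.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    SSLRequireSSL
    Require valid-user
</VirtualHost>
EOF
audit_apache_tls "$demo/ports_before.conf" "$demo/vhost.conf" || echo "findings listed above"
```

On a real host, pass /etc/apache2/ports.conf and /etc/apache2/sites-available/daq14-ssl.conf (with the actual hostname) instead of the sample files.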

Update packages

  • apt-get update # update package list
  • apt-get dist-upgrade # install updated packages and update "kept back" packages
  • apt-get autoremove # remove packages that apt thinks should be removed

Finish installation

  • reboot
shutdown -r now

Update to new version of Ubuntu

vi /etc/update-manager/release-upgrades # set "Prompt=normal"
do-release-upgrade

Ubuntu package manager

  • apt-get install xxx # install package xxx
  • apt-get update
  • apt-get upgrade
  • apt-get dist-upgrade
  • apt-get autoremove # remove automatically installed packages required by a removed package
  • apt-get remove xxx # remove package xxx
  • apt-cache search . # list all available packages
  • apt-cache show "." | grep ^Package # list all available packages
  • apt-cache madison root-system # show all available versions of package root-system
  • apt list # list all packages (installed and available)
  • dpkg --listfiles libpng16-16 # list all files from this package
  • apt list --installed # list all installed packages