Ubuntu
About Ubuntu
AAA
Ubuntu version
lsb_release -a uname -a
Install instructions
prepare
apt-get update apt-get upgrade
install time synchronization
apt-get -y install chrony echo server time1 iburst >> /etc/chrony/chrony.conf echo server time2 iburst >> /etc/chrony/chrony.conf echo server time3 iburst >> /etc/chrony/chrony.conf systemctl disable systemd-timesyncd.service systemctl stop systemd-timesyncd.service systemctl disable ntp systemctl stop ntp systemctl enable chrony systemctl restart chrony chronyc sources chronyc tracking
install email server
dpkg-reconfigure postfix ### or apt-get install postfix ### select "satellite system", enter full hostname "xxx.triumf.ca", enter "smtp.triumf.ca" echo olchansk@triumf.ca >> ~root/.forward mailx root test ^D
install missing packages
yes | apt-get -y install ssh yes | apt-get -y install git subversion g++ yes | apt-get -y install libz-dev sqlite sqlite3 libsqlite3-dev libmysqlclient-dev unixodbc-dev yes | apt-get -y install sqliteman yes | apt-get -y install libssl-dev yes | apt-get -y install sysstat smartmontools # also installs postfix yes | apt-get -y install emacs xemacs21 yes | apt-get -y install mutt # email client yes | apt-get -y install liblz4-tool pbzip2 yes | apt-get -y install libc6-dev-i386 # otherwise no /usr/include/sys/types.h yes | apt-get -y install libreadline-dev yes | apt-get -y install chromium-browser chromium-codecs-ffmpeg-extra yes | apt-get -y install ubuntu-mate-themes yes | apt-get -y install minicom yes | apt-get -y install screen
install ganglia
yes | apt-get -y install ganglia-monitor systemctl enable ganglia-monitor cd ~root/git/scripts git pull cp etc/gmond-ubuntu.conf /etc/ganglia/gmond.conf systemctl restart ganglia-monitor systemctl status ganglia-monitor ps -efw | grep gmond
install gonodeinfo
- go to https://bitbucket.org/dd1/gonodeinfo follow instructions:
yes | apt-get -y install golang mkdir ~/git cd ~/git git clone https://bitbucket.org/dd1/gonodeinfo.git cd gonodeinfo git pull make make install # install gonodeinfo agent cd ~ # this is important
- edit /etc/gonodeinfo.conf
- change "Description", "Location", "User" and "Administrator" as appropriate (or delete them)
- change "Servers" to read: Servers: ladd00.triumf.ca:8601
- run gonodeinfo
- if error is "connection refused". go to the nodeinfo server to add this client to the access control list:
- on the gonodeinfo server: run gonodereceive -a daq13
- try gonodeinfo again, there should be no error
- on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now
install libz.so.1 for CentOS compatibility
yes | apt-get -y install zlib1g yes | apt-get -y install zlib1g:i386 libc6:i386 libgcc1:i386 gcc-6-base:i386
install libpng12.so.0 for Quartus compatibility
(does not work anymore!!!)
wget http://ftp.ca.debian.org/debian/pool/main/libp/libpng/libpng12-0_1.2.50-2+deb8u2_amd64.deb dpkg --install libpng12-0_1.2.50-2+deb8u2_amd64.deb
install packages for building ROOT
apt-get -y install libx11-dev libxpm-dev libxft-dev libxext-dev libpng-dev libjpeg-dev xlibmesa-glu-dev libxml2-dev libgsl-dev cmake
install desktop environments
- install MATE desktop
yes | apt-get -y install ubuntu-mate-core ubuntu-mate-desktop yes | apt-get -y install ubuntu-mate-themes
- install Cinnamon desktop
### not needed 18.04 LTS ### add-apt-repository ppa:embrosyn/cinnamon yes | apt update yes | apt-get -y install cinnamon
- install KDE desktop
yes | apt-get -y install kubuntu-desktop
- install Lxqt desktop
yes | apt-get -y install lxqt
- install Xfce4 desktop
yes | apt-get -y install xfce4
install ROOT
Please install ROOT per instructions at http://root.cern.ch.
NOTE1: The ROOT package available from Ubuntu repositories is severely out of date and cannot be used with MIDAS and ROOTANA. ### DO NOT DO THIS! apt-get install root-system
NOTE2: as of 2017-Jan-09, ROOT binary kits for Ubuntu do not work (use GCC 5 instead of GCC6), build from source instead.
Install x2go
x2go instructions, thanks to Art O.
add-apt-repository ppa:x2go/stable apt-get update apt-get install x2goserver x2goserver-xsession
Post installation
- setup hostname
xemacs -nw /etc/hostname ### add .triumf.ca to the hostname if it is missing
- install Konstantin's scripts
mkdir ~root/git cd ~root/git git clone https://ladd00.triumf.ca/~olchansk/git/scripts.git cd scripts git pull
- enable root login from ladd00
ssh localhost CTRL-C /bin/cp ~root/git/scripts/etc/authorized_keys ~root/.ssh/
- enable automatic updates 1
sudo apt-get install unattended-upgrades edit /etc/apt/apt.conf.d/50unattended-upgrades ### uncomment "-updates", uncomment "::Mail "root"", uncomment allowed-origins -security and -updates
- enable automatic updates 2
add this to /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1";
NIS instructions
- apt-get -y install portmap nis ### will ask for NIS domain (LADD-NIS)
- ypwhich -m
- edit /etc/default/nis
- set "NISSERVER=slave"
- set "YPSERVARGS=-p800"
- edit /etc/yp.conf", comment-out everything, add "domain LADD-NIS server localhost"
- /usr/lib/yp/ypinit -s ladd00
- systemctl restart nis
- ypwhich -m
- ypcat -k passwd
- apt-get -y install autofs
- systemctl enable autofs
- vi /etc/nsswitch.conf ### add the automount line, modify the passwd, group and shadow lines to read this:
passwd: files nis group: files nis shadow: files nis automount: files nis
- systemctl restart autofs
- enable hourly update of NIS maps
cd ~/git/scripts/etc git pull ln -s $PWD/ypxfr-cron-hourly /etc/cron.hourly
- ### NOT NEEDED sudo vi /etc/idmapd.conf ### add line: "Domain = triumf.ca"
- reboot
Fix systemd NIS breakage
there is a delay in ssh logins for normal users. "ssh -v" shows the delay is after "pledge...". this fix removes the delay.
systemd developers think that we should not use NIS and made sure there are problems if we do. To give them credit, they do offer a workaround. Read this: https://github.com/poettering/systemd/commit/695fe4078f0df6564a1be1c4a6a9e8a640d23b67
mkdir /etc/systemd/system/systemd-logind.service.d echo -e "[Service]\nIPAddressDeny=\n" > /etc/systemd/system/systemd-logind.service.d/local.conf systemctl daemon-reload systemctl cat systemd-logind.service
Install sddm display manager (DO NOT DO THIS)
- apt-get install sddm
- apt-get install sddm-theme-"*"
- create sddm.conf:
root@daqubuntu:~# more /etc/sddm.conf [Theme] Current=maldives root@daqubuntu:~#
- dpkg-reconfigure lightdm (select sddm)
- reboot
Configure lightdm display manager
- enable it
systemctl disable gdm systemctl disable sddm systemctl enable lightdm
- make the MATE desktop as default
cd ~root/git/scripts/ git pull /bin/cp -v etc/lightdm_default_mate.conf /etc/lightdm/lightdm.conf.d/
- enable login by NIS users
/bin/cp -v etc/lightdm_enable_nis_login.conf /etc/lightdm/lightdm.conf.d/
- restart lightdm
systemctl restart lightdm
Install libpng12.so.0
Quartus 16 needs libpng12:
wget http://mirrors.kernel.org/ubuntu/pool/main/libp/libpng/libpng12-0_1.2.54-1ubuntu1_amd64.deb dpkg --install libpng12-0_1.2.54-1ubuntu1_amd64.deb
Install google-chrome
Instructions from here: https://www.ubuntuupdates.org/ppa/google_chrome?dist=stable
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' apt-get update apt-get install google-chrome-stable
Disable unwanted services
systemctl disable mpd systemctl disable snapd systemctl disable ModemManager
Install apache httpd proxy for midas and elog
This will configure the HTTPS/SSL certificate using "certbot" and "letsencrypt" and configure an HTTPS web server using apache2.
First, configure apache2:
- execute these commands:
apt install apache2 cd /etc/apache2
- create new file conf-available/ssl-daq14.conf # use actual hostname instead of daq14
SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin
- create new file sites-available/daq14-ssl.conf # use actual hostname instead of daq14
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName daq14.triumf.ca DocumentRoot /var/www/html ErrorLog /var/log/apache2/daq14.log SSLEngine on # note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4 ## use port specified in elogd.cfg #ProxyPass /elog/ http://localhost:8082/ retry=1 ## use mhttpd port #ProxyPass / http://localhost:8080/ retry=1 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" <Location /> SSLRequireSSL AuthType Basic AuthName "DAQ password protected site" Require valid-user # create password file: touch /etc/apache2/htpasswd # to add new user or change password: htpasswd /etc/apache2/htpasswd username AuthUserFile /etc/apache2/htpasswd </Location> </VirtualHost> </IfModule>
- stop apache2 from listening on port 80: edit /etc/apache2/ports.conf, comment-out the line "Listen 80"
- stop apache2 from listening on port 80: edit /etc/apache2/ports.conf, comment-out the line "Listen 80"
- enable ssl module
- enable new configurations
- check that there are no syntax problems
a2enmod ssl a2enmod headers a2enmod proxy a2enmod proxy_http a2enconf ssl-daq14 a2ensite daq14-ssl apache2ctl configtest
- enable and start apache2:
systemctl enable apache2 systemctl restart apache2 systemctl status apache2
- apache2 may fail to start, look in /var/log/apache2/error.log and /var/log/apache2/daq14.log
- if it says "Failed to configure ... certificate", proceed to the step for setting certbot.
- try to access https://daq14.triumf.ca
- you should see a complaint about self-signed certificate
- you should see a request for password (do not login yet)
- if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, look at documentation for ufw.
Second, configure certbot:
(Note: as of 2018-01-18 certbot requires use of http port 80 to get the initial https certificate, renewal can continue to use the https port 443)
(Note: as of 2019-01-?? certbot requires use of port 80 for renewals)
- check that port 80 is not used by anything:
- netstat -an | grep LISTEN | grep ^tcp | grep 80
- lsof -P | grep -i tcp | grep LISTEN | grep 80
- if lsof reports that apache2 is listening on port 80, follow the apache2 instructions above (remove "listen 80" from apache2.conf
- install certbot (if necessary open tcp port 80 in the firewall, see documentation for ufw):
apt install certbot python3-certbot-apache certbot certonly --standalone --installer apache
- then answer questions:
- "activate HTTPS for daq14.triumf.ca" - say ok
- "enter email address" - enter your own email address
- "please read terms..." - read the terms and say "agree"
- it will take a few moments...
- "congratulations..." - say ok.
certbot install --apache --cert-name daq14.triumf.ca
- then answer questions:
- "choose redirect..." - say "1" (no redirect)
- look inside /etc/apache2/sites-enabled/ssl-daq14.conf to see that SSLCertificateFile & co point to certbot certificates in
/etc/letsencrypt/live/daq14.triumf.ca/
- to check current renewal and to update the certbot config file in /etc/letsencrypt/renewal, run this:
certbot renew --standalone --installer apache --force-renewal
NOTE: this certificate will expire in 3 months, automatic renewal should work with current version of certbot
Third, activate password protection:
- as shown in the config file above, create password file and initial user: (replace "midas" with specific username)
touch /etc/apache2/htpasswd htpasswd /etc/apache2/htpasswd midas
- restart apache2
systemctl restart apache2 systemctl status apache2
From here:
- enable proxy for MIDAS mhttpd - uncomment redirect in the config file above
- enable proxy for ELOG - ditto
a2enmod proxy a2enmod proxy_http apache2ctl configtest systemctl restart apache2
From here:
- enable proxy for MIDAS mhttpd - uncomment redirect in the config file above
- enable proxy for ELOG - ditto
a2enmod proxy a2enmod proxy_http apache2ctl configtest systemctl restart apache2
- try accessing MIDAS https://daq14.triumf.ca/ (make sure mhttpd is running)
- if it's not working, check odb setting FIXME!
- try accessing ELog https://daq14.triumf.ca/elog/ (make sure elogd is running)
- if it's not working, check elogd.cfg file and make sure
SSL = 0
NOTE: if certbot fails with errors about 'module' object has no attribute 'pyopenssl', try this: pip install requests==2.6.0
Update packages
- apt-get update # update package list
- apt-get dist-upgrade # install updated packages and update "kept back" packages
- apt-get autoremove # remove packages that apt thinks should be removed
Finish installation
- reboot
shutdown -r now
Update to new version of Ubuntu
vi /etc/update-manager/release-upgrades # set "Prompt=normal" do-release-upgrade
Ubuntu package manager
- apt-get install xxx # install package xxx
- apt-get update
- apt-get upgrade
- apt-get dist-upgrade
- apt-get autoremove # remove automatically installed packages required by a removed package
- apt-get remove xxx # remove package xxx
- apt-cache search . # list all available packages
- apt-cache show "." | grep ^Package # list al available packages
- apt-cache madison root-system # show all available versions of package root-system
- apt list # list all installed packages
- dpkg --listfiles libpng16-16 # list all files from this package
- apt list --installed # list all installed packages