HowTos for general administration
The Getting Started and DebianEdu/Documentation/Lenny/Maintainance chapters describe how to get started with Debian Edu and how to do the basic maintenance work. The howtos in this chapter have some more "advanced" tips and tricks.
Contents
- HowTos for general administration
- Configuration history: tracking /etc/ using the svk version control system
- Resizing Partitions
- Using ldapvi
- luma, an LDAP GUI
- Using volatile.debian.org
- Using backports.debian.org to install newer software
- Upgrading with a CD or DVD ROM
- Java
- Creating folders in the home directories of all users
- Easy access to USB drives and CDROMs/DVDs
- Automatic cleanup of left-over processes
- Automatic shutdown of machines during the night
- Access to skolelinux server from outside a firewall
- Installing single service machines for spreading the load from main-server
- Configuring the PXE menu
- HowTos from wiki.debian.org
Configuration history: tracking /etc/ using the svk version control system
With the introduction of the etcinsvk script in Debian Edu, all files in /etc/ are tracked using svk as a version control system.
This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The svk repository is stored in ~root/.svk/. Every hour any changes are automatically recorded, allowing configuration history to be extracted and reviewed.
To look at the history, the command etcinsvk log is used. To check the differences between two points in time, a command like etcinsvk diff -r6:8 can be used. The numbers 6 and 8 here represent revision numbers, which can be found by using etcinsvk log. See below for some examples.
See the output of etcinsvk --help for verbose information.
List of useful commands:
etcinsvk diff
etcinsvk log
etcinsvk status
etcinsvk commit
etcinsvk ignore
Usage examples
In a freshly installed system try this to see all changes done since the system was installed:
etcinsvk diff -r6 | less
To see the list of changes done in /etc/, use this command:
etcinsvk log | less
Use the date and time shown there to find the revision numbers. To see all changes done since revision N, run:
etcinsvk diff -rN | less
To see the changes done to a specific file between specific revisions, specify the file and both revisions:
etcinsvk diff -r46 -r64 /etc/resolv.conf | less
To revert a change, use the diff command to look at the change, and edit the file to undo the change, or use a command like this to do it automatically:
( cd /etc && etcinsvk diff -r6 /etc/resolv.conf | patch -p0 -R )
To manually commit a file, because you don't want to wait up to an hour:
etcinsvk commit /etc/resolv.conf
If you don't want a specific file to be tracked in svk, you can tell etcinsvk to ignore it, but this is rarely useful:
etcinsvk ignore /etc/path/to/file/to/be/ignored
For those who upgraded from Etch
debian-edu-etc-svk was moved to a separate package and renamed to etcinsvk for Lenny. Those used to using debian-edu-etc-svk should start to use etcinsvk instead.
Resizing Partitions
Most partitions in Debian Edu are logical LVM volumes. Only the /boot/ partition is not. With the Debian/Etch release of Debian Edu, it is possible to extend partitions while they are mounted. This is a feature of the Linux kernel since version 2.6.10. Shrinking a partition still needs to happen while the partition is unmounted.
It is a good idea to avoid creating very large partitions, as large partitions will take a long time to restore from backup if the need should arise, and file system checks take a very long time for large partitions. A good limit can be 20 GiB. It is better, if possible, to create several smaller partitions than one very large one.
To make it easier to extend full partitions, the debian-edu-fsautoresize script is provided. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It proposes to extend partitions with too little free space based on the rules provided in these files. Without any arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute these commands to extend the file systems.
The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.
When resizing the partition used by the Squid proxy, the cache size in /etc/squid/squid.conf needs to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.
Logical Volume Management
Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM in the LVM HowTo.
To extend a logical volume manually you simply tell the lvextend command how large you want it to grow to. For example, to extend home0 to 30GB you use the following commands:
lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0
To extend home0 by 30G, you insert a '+' (-L+30G).
Using ldapvi
ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.
The following needs to be executed:
ldapvi --host ldap -ZZ --bind simple --tls allow -D 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'
Then make your changes, save and quit the editor. That's it!
Alternatively, to save key-strokes try:
ldapvi --ldap-conf -ZD '(cn=admin)'
Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can configure the environment to get a vi clone as editor.
Warning: ldapvi is a very powerful tool. Be careful and don't mess up the LDAP database.
luma, an LDAP GUI
If you prefer a GUI to work with the LDAP database, check out the luma package.
Using volatile.debian.org
What is debian-volatile?
Quoting from the webpage:
- Some packages aim at fast moving targets, such as spam filtering and virus scanning, and even when using updated data patterns, they do not really work for the full time of a stable release. The main goal of volatile is allowing system administrators to update their systems in a nice, consistent way, without getting the drawbacks of using unstable, even without getting the drawbacks for the selected packages. So debian-volatile will only contain changes to stable programs that are necessary to keep them functional.
How to use volatile
Since the Lenny release, the volatile archive is enabled and used by default.
Using backports.debian.org to install newer software
You are running Debian Edu because you prefer the stability of Debian Edu. It runs great, there is just one problem: sometimes software is a little bit more outdated than you would like. This is where backports.debian.org steps in.
Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend that you pick out the single backports that fit your needs, and not use all backports available there.
Using backports.debian.org is simple:
echo "deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free" >> /etc/apt/sources.list
apt-get update
Then you can either use aptitude -t lenny-backports install <packagename> to install or update packages once, or you can configure a package to be always installed from backports.debian.org through /etc/apt/preferences.
The latter is described in the instructions on backports.org and has the advantage that updates to backports are installed automatically when they are available. With the first variant you need to update manually.
Upgrading with a CD or DVD ROM
If you want to upgrade from one version to another (for example from Lenny 5.0.4 to 5.0.6) but you do not have Internet connectivity, only physical media, follow these steps:
Insert the CD/DVD-ROM in the drive, mount it and use the apt-cdrom command:
mount /cdrom
apt-cdrom add -m
Quoting from apt-cdrom(8) man page:
- apt-cdrom is used to add a new CDROM to APTs list of available sources. apt-cdrom takes care of determining the structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
- It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a multi-cd set must be inserted and scanned separately to account for possible mis-burns.
Then run these two commands to upgrade the system:
apt-get update
apt-get upgrade
Java
Running standalone Java applications
Standalone Java applications are supported out of the box by the OpenJDK Java runtime.
Running Java applications in the webbrowser
The version of the OpenJDK Java runtime available in Debian Edu Lenny does not support running Java applications in the webbrowser; this will be fixed in the next release. On Lenny, the non-free (but freely available) Java from Sun needs to be installed.
To install Java from Sun you need to edit the /etc/apt/sources.list first to make sure it will install packages from non-free. There needs to be a line like this:
deb http://ftp.debian.org/debian/ lenny main contrib non-free
Then do:
# apt-get update
Now you are ready to run this command:
# apt-get install sun-java6-plugin sun-java6-jre sun-java6-fonts
Creating folders in the home directories of all users
With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.
In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.
#!/bin/bash
home_path="/skole/tjener/home0"
shared_folder="assignments"
permissions="2770"
created_dir=0
for home in $(ls "$home_path"); do
    if [ ! -d "$home_path/$home/$shared_folder" ]; then
        # change mode and owner only if mkdir really created the folder
        if mkdir "$home_path/$home/$shared_folder"; then
            chmod "$permissions" "$home_path/$home/$shared_folder"
            # set the right owner and group
            # "username" = "group name" = "folder name"
            user=$home
            group=teachers
            chown "$user:$group" "$home_path/$home/$shared_folder"
            ((created_dir+=1))
        fi
    else
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
    fi
done
echo "$created_dir folders have been created"
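The script above runs as root inside directories that the users themselves own, so it is worth checking afterwards that every shared folder is a real directory with the intended owner, group and mode. The following audit function is an added example, not part of the original page or of Debian Edu; the name audit_shared_folders is hypothetical and it assumes GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the original page): audit per-user shared folders.
# Usage: audit_shared_folders HOME_PATH FOLDER MODE GROUP
# MODE is compared as printed by "stat -c %a" (e.g. 2770, no leading zero).
# Prints one finding per line; no output means every folder looks as intended.
audit_shared_folders() {
    home_path=$1; folder=$2; want_mode=$3; want_group=$4
    for home in "$home_path"/*/; do
        [ -d "$home" ] || continue      # glob matched nothing
        home=${home%/}
        user=${home##*/}                # the page's script uses folder name = username
        target="$home/$folder"
        if [ -L "$target" ]; then
            # Never a legitimate result of mkdir: report where it points.
            echo "SYMLINK $target -> $(readlink "$target")"
        elif [ ! -d "$target" ]; then
            echo "MISSING $target"
        else
            # stat -c is GNU coreutils syntax, as shipped on Debian.
            mode=$(stat -c %a "$target")
            owner=$(stat -c %U "$target")
            group=$(stat -c %G "$target")
            if [ "$mode" != "$want_mode" ]; then echo "MODE $target $mode"; fi
            if [ "$owner" != "$user" ]; then echo "OWNER $target $owner"; fi
            if [ "$group" != "$want_group" ]; then echo "GROUP $target $group"; fi
        fi
    done
    return 0
}

# Example call for the values used on this page:
# audit_shared_folders /skole/tjener/home0 assignments 2770 teachers
```

Any SYMLINK, OWNER, GROUP or MODE line should be looked at by hand before the creation script is run again.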
Easy access to USB drives and CDROMs/DVDs
When users insert a USB drive or DVD/CDROM into a (diskless) workstation, there is a popup window asking what to do with it, just like in any other normal installation.
When users insert a USB drive or DVD/CDROM into a thin client, there is no popup window like they are used to from their usual Desktop. Instead it is automatically mounted and they have to browse to the /media/$user folder to access it. This is quite difficult for many inexperienced users.
With the following script the symlink "Media" is created for all users in the home folder for easy access to USB drives, CDROMs or whatever media is connected to the thin client.
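#!/bin/bash
home_path="/skole/tjener/home0"
shared_folder="Media"
permissions="775"
created_dir=0
for home in $(ls "$home_path"); do
    # also test for an existing symlink: /media/$home only exists while media is mounted
    if [ ! -d "$home_path/$home/$shared_folder" ] && [ ! -L "$home_path/$home/$shared_folder" ]; then
        # count the symlink only if it was really created
        if ln -s "/media/$home" "$home_path/$home/$shared_folder"; then
            ((created_dir+=1))
        fi
    else
        echo -e "the folder $home_path/$home/$shared_folder already exists.\n"
    fi
done
echo "$created_dir folders have been created"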
A warning about removable media on LTSP servers
Warning: When inserted into an LTSP server, USB drives and other removable media cause popup messages on remote LTSP clients.
When a remote user acknowledges the popup or uses pmount from the console, that remote user can even mount the removable devices and access the files.
This is being tracked as Debian Edu bug #1376.
Automatic cleanup of left-over processes
killer is a perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It is run by a cron job once an hour.
Due to bug 551753 (also documented as Debian Edu bug #1373) killer should not be installed on thin-client servers when long usernames are used!
To install it run the following command as root:
apt-get install killer
Automatic shutdown of machines during the night
It is possible to save energy and money by turning off client machines at night, and turning them on automatically in the morning. The shutdown-at-night package will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if the machine seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main-server will try to turn on machines from 06:30 using wake-on-lan packets. These times can be changed in the crontabs of individual machines.
There are some considerations to make when doing this:
- The clients should not be shut down when someone is using them. This is done by checking the output from who, and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.
- To avoid breaking electrical fuses, it is a good idea to make sure all clients do not start at the same time.
- There are two different methods available to wake up clients. One uses a BIOS feature and requires a working and correct hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup. The other requires a server with knowledge about all the clients to wake up, and all the clients to have support for wake-on-lan.
How to set up shutdown-at-night
On clients that should turn off at night, touch /etc/shutdown-at-night/shutdown-at-night, or add the hostname (i.e. the output from 'uname -n' on the client) to the netgroup "shutdown-at-night-hosts". Adding hosts to the netgroup in LDAP can be done using the lwat web tool. The clients might need to have wake-on-lan configured in the BIOS. It is also important that the switches and routers used between the wake-on-lan server and the clients will pass the WOL packets to the clients even if the clients are turned off. Some switches fail to pass on packets to clients that are missing in the ARP table on the switch, and this blocks the WOL packets.
To enable wake-on-lan on the server, add the clients to /etc/shutdown-at-night/clients, with one line per client, IP address first, and MAC address (ethernet address) next, with space between them, or create a script /etc/shutdown-at-night/clients-generator to generate the list of clients on the fly.
Here is an example /etc/shutdown-at-night/clients-generator for use with sitesummary:
#!/bin/sh
PATH=/usr/sbin:$PATH
export PATH
sitesummary-nodes -w
An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from the ng-utils package:
#!/bin/sh
PATH=/usr/sbin:$PATH
export PATH
netgroup -h shutdown-at-night-hosts
This text was originally taken from this README.
Access to skolelinux server from outside a firewall
A boot script open-backdoor is provided in the debian-edu-config package to "break out" from behind a firewall. It is useful for system administrators responsible for several Debian Edu installations. It sets up an SSH tunnel to another machine, allowing ssh login from the outside of the firewall.
To enable it, create an ssh key without a password, create a user on a remote host to use for ssh login, copy the public key into ~/.ssh/authorized_keys for that remote user, and specify the login information in /etc/default/backdoor.
Content of /etc/default/backdoor should be similar to this:
RHOST=admin.example.net
RPORT=1234
RUSER=backdoor
FIXME: paragraph about access from outside need to be completed and tested.
Installing single service machines for spreading the load from main-server
FIXME: this is so generic it's almost useless
- install the minimal profile using the debian-edu-expert boot-option
- install the packages for the service
- configure the service
- disable the service on main-server
- update DNS on main-server
Configuring the PXE menu
The PXE configuration is generated using the debian-edu-pxeinstall script. It allows some settings to be overridden by adding a file /etc/debian-edu/pxeinstall.conf with replacement values.
Configuring the PXE installation
The PXE installation option is by default available to anyone able to PXE boot a machine. To password protect the PXE installation options, a file /var/lib/tftpboot/menupassword.cfg can be created with content similar to this:
MENU PASSWD $4$NDk0OTUzNTQ1NTQ5$7d6KvAlVCJKRKcijtVSPfveuWPM$
The password hash should be replaced with an MD5 hash for the wanted password.
The PXE installation will inherit the language, keyboard layout and mirror settings from the settings used when installing the main-server, and the other questions will be asked during installation (profile, popcon participation, partitioning and root password). To avoid these questions, the file /etc/debian-edu/www/debian-edu-install.dat can be modified to provide preselected answers to debconf values. Some examples of available debconf values are already commented in /etc/debian-edu/www/debian-edu-install.dat. Your changes will be lost as soon as debian-edu-pxeinstall is used to recreate the PXE-installation environment. To append debconf values to /etc/debian-edu/www/debian-edu-install.dat during recreation with debian-edu-pxeinstall, add the file /etc/debian-edu/www/debian-edu-install.dat.local with your additional debconf values.
FIXME: Compare with DebianEdu/Documentation/Lenny/HowTo/NetworkClients and get rid of redundant information.
HowTos from wiki.debian.org
The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)