Differences between revisions 1 and 10 (spanning 9 versions)
Revision 1 as of 2013-01-21 00:09:34
Size: 17032
Editor: HolgerLevsen
Comment: lets get going! copy and paste from squeeze-manual
Revision 10 as of 2013-08-25 10:39:31
Size: 19360
Editor: WolfgangSchweer
Comment: move group customisation example to howto chapter
Deletions are marked like this. Additions are marked like this.
Line 72: Line 72:
To extend home0 '''by''' 30G, you insert a '+' (-L+30G)
To extend home0 by additional 30G, you insert a '+' (-L+30G)
Line 100: Line 101:
/!\ Warning: {{{ldapvi}}} is a very powerful tool. Be careful and don't mess up the LDAP database.

== jxplorer, an LDAP GUI ==

If you prefer a GUI to work with the LDAP database, check out the {{{jxplorer}}} package.
/!\ Warning: {{{ldapvi}}} is a very powerful tool. Be careful and don't mess up the LDAP database, same warning applies for JXplorer.

== JXplorer, an LDAP GUI ==

If you prefer a GUI to work with the LDAP database, check out the {{{jxplorer}}} package, wich is installed by default. To get write access connect like this:
{{{
host: ldap.intern
port:636
Base dn:dc=skole,dc=skolelinux,dc=no
Security level: ssl + user + password
User dn: cn=admin,ou=ldap-access

Click "This session only" if asked for the certificate.}}}
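
Review bot: the added connection block ends with 'Click "This session only" if asked for the certificate.', which tells the admin to accept whatever certificate is presented while binding as cn=admin,ou=ldap-access on port 636. Suggest stating which certificate to expect (for example by comparing the fingerprint shown in the prompt with the one on the LDAP server) before that click. In the same hunk, 'wich' should be 'which', and 'port:636' and 'Base dn:dc=skole,...' lack the space after the colon that the other fields have.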
Line 110: Line 119:
== Using stable-updates (formerly known an volatile) == == Using stable-updates (formerly known as volatile) ==
Line 114: Line 123:
While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularily when stable pointreleases are done, which roughly happens every two months. While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularily when stable point releases are done, which roughly happens every two months.
Line 122: Line 131:
Using backports.debian.org is simple:

{{{
echo "deb http://backports.debian.org/debian-backports wheezy-backports main contrib non-free" >> /etc/apt/sources.list
Using backports is simple:

{{{
echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt sources.list
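
Review bot: the new command redirects to '/etc/apt sources.list' (a space instead of '/'), so the shell would try to append to the directory /etc/apt and hand 'sources.list' to echo as a second argument; it should read '>> /etc/apt/sources.list'. The new line also drops 'contrib non-free' while the text added further down says backports has three sections, so a short note on how to enable the other two would avoid confusion.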
Line 127: Line 136:

}}}

Previously, extra configuration was needed to get updates installed automatically for installed backports, but since 2011 the [[http://backports.debian.org/news/squeeze-backports_and_lenny-backports-sloppy_started/|squeeze-backports suite]] renders this unnecessary.

== Upgrading with a CD or DVD ROM ==

If you want to upgrade from one version to another (for example from Wheezy 7.0.0 to 7.0.1) but you do not have Internet connectivity, only physical media, follow these steps:

Insert the CD/DVD-ROM in the drive, mount it and use the apt-cdrom command:
}}}

After which one can install backported packages easily, the following command will install a backported version of ''tuxtype'':

{{{
apt-get install -t wheezy-backports tuxtype
}}}

Backports are automatically updated (if available) just like other packages. (Previously, extra configuration was needed to achieve this, but since 2011 this [[http://backports.debian.org/news/squeeze-backports_and_lenny-backports-sloppy_started/|is not needed anymore].

Like the normal archive, backports has three sections: main, contrib and non-free.

== Upgrading with a CD or similar image ==

If you want to upgrade from one version to another (for example from Wheezy 7.1+edu0 to 7.3+edu1) but you do not have Internet connectivity, only physical media, follow these steps:

Insert the CD / DVD / Blue-ray disc / USB flash drive, mount it and use the apt-cdrom command:
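
Review bot: the link in the added sentence 'Backports are automatically updated ...' is opened with '[[' but closed with a single ']', and the parenthesis opened before 'Previously' is never closed, so the markup will not render as a link; close it with ']])'. 'Blue-ray' in the last added line should be 'Blu-ray'.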
Line 165: Line 181:

== Group Customisation Example with GOsa² ==

In this example we want to create users in year groups, with common home directories for each group (home0/2014, home0/2015, etc.) We want to create the users by csv import.


''(as root on Tjener) ''
  * Make the necessary year group directories

mkdir /skole/tjener/home0/2014

''(as superuser in Gosa)''
  * Department
Main menu: goto 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'.
From the drop box 'Actions' choose 'Create'/'Department'.
Fill in values for Name (2014) and Description fields (students graduating in 2014), leave the Base field as is (should be '/Students'). Save it clicking 'Ok'.
Now the new department (2014) should show up below /Students. Click it.
  * Group
Choose 'Groups' from the main menu; 'Actions'/Create/Group.
Enter group name (leave 'Base' as is, should be /Students/2014) and click the check box left of 'Samba group'. 'Ok' to save it.
  * Template
Choose 'users' from the main menu. Change to 'Students' in the Base
field. An Entry {{{'NewStudent'}}} should show up, click it. This is the
'students' template, not a real user. As you'll have to create such a
template (to be able to use csv import for your structure) based on this
one, notice all entries showing up in the Generic, POSIX and Samba tabs,
mabe take screenshots.
Now change to /Students/2014 in the Base field; choose
Create/Template and start to fill in your desired values, first the
Generic tab (add your new 2014 group under Group Membership, too), then add POSIX and Samba account.

   * Import users
Choose your new template when doing csv import; testing it with a few users recommended.
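
Review bot: the 'mkdir /skole/tjener/home0/2014' step is not wrapped in {{{ }}} like the commands elsewhere on the page, and the text does not say which owner, group or mode the year directory should have after root creates it; stating that would make the example reproducible. 'mabe' should be 'maybe', and the last item would read better as 'testing it with a few users is recommended'.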
Line 197: Line 247:
When users insert a USB drive or DVD/CDROM into a (diskless) workstation, a popup window appears asking what to do with it, just like in any other normal installation.

When users insert a USB drive or DVD/CDROM into a thin client there is only a notify-window showing up for a few seconds. The media is automatically mounted and it is possible to access it browsing to the /media/$user folder. This is quite difficult for many non experienced users.
When users insert a USB drive or a DVD / CDROM into a (diskless) workstation, a popup window appears asking what to do with it, just like in any other normal installation.

When users insert a USB drive or a DVD / CDROM into a thin client there is only a notify-window showing up for a few seconds. The media is automatically mounted and it is possible to access it browsing to the /media/$user folder. This is quite difficult for many non experienced users.
Line 203: Line 253:
In addition the following script could be used to create the symlink "media" for all users in their home folder for easy access to USB drives, CDROM/DVD or whatever media is connected to the thin client. This might come in handy if users want to edit files directly on their plugged in media. In addition the following script could be used to create the symlink "media" for all users in their home folder for easy access to USB drives, CDROM / DVD or whatever media is connected to the thin client. This might come in handy if users want to edit files directly on their plugged in media.

HowTos for general administration

The Getting Started and Maintenance chapters describe how to get started with Debian Edu and how to do the basic maintenance work. The howtos in this chapter have some more "advanced" tips and tricks.

Configuration history: tracking /etc/ using the git version control system

With the introduction of etckeeper in Debian Edu Squeeze (previous versions used etcinsvk which was removed from Debian), all files in /etc/ are tracked using git as a version control system.

This makes it possible to see when a file is added, changed and removed, as well as what was changed if the file is a text file. The git repository is stored in /etc/.git/.

Every hour, any changes are automatically recorded, allowing configuration history to be extracted and reviewed.

To look at the history, the command etckeeper vcs log is used. To check the differences between two points in time, a command like etckeeper vcs diff can be used.

See the output of man etckeeper for more information.

List of useful commands:

etckeeper vcs log
etckeeper vcs status
etckeeper vcs diff
etckeeper vcs add .
etckeeper vcs commit -a
man etckeeper

Usage examples

On a freshly installed system, try this to see all changes done since the system was installed:

etckeeper vcs log

See which files are currently not tracked and which are not up-to-date:

etckeeper vcs status

To manually commit a file, because you don't want to wait up to an hour:

etckeeper vcs commit -a /etc/resolv.conf
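
The history described above can also be queried for specific files. The following is an added example, not part of the Debian Edu manual: it lists the commits in the git repository under /etc that touched a watch list of security-relevant paths. The watch list and the function name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Debian Edu manual.
# Lists commits in the etckeeper repository that touched security-relevant
# files. Run as root; /etc/.git is normally not readable by other users.

# Paths relative to /etc to watch (an assumption, adjust per site).
WATCHED_PATHS="sudoers sudoers.d ssh pam.d ldap passwd group"

# etc_sensitive_changes [REPO] [SINCE]
#   REPO   directory holding the git repository (default: /etc)
#   SINCE  any date git understands (default: "1 week ago")
# Output: one tab-separated line per commit and file:
#   <short hash> <commit date> <path> <commit subject>
etc_sensitive_changes() {
    repo="${1:-/etc}"
    since="${2:-1 week ago}"
    # $WATCHED_PATHS is left unquoted on purpose so that it splits into
    # one pathspec per word.
    git -C "$repo" log --since="$since" --name-only \
        --pretty='format:@%h%x09%cI%x09%s' -- $WATCHED_PATHS |
    awk '
        BEGIN { FS = OFS = "\t" }
        # Header line of a commit: remember hash, date and subject.
        /^@/  { hash = substr($1, 2); date = $2; subject = $3; next }
        # Any other non-empty line is a changed path of that commit.
        NF    { print hash, date, $0, subject }
    '
}

# When called with arguments, run the check directly, e.g.:
#   sh etc-audit.sh /etc "1 month ago"
if [ "$#" -gt 0 ]; then
    etc_sensitive_changes "$@"
fi
```

An empty result means none of the watched paths changed in the chosen period; etckeeper vcs diff with the listed hashes then shows what changed.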

Resizing Partitions

In Debian Edu, all partitions other than the /boot/ partition are on logical LVM volumes. With Linux kernels since version 2.6.10, it is possible to extend partitions while they are mounted. Shrinking partitions still needs to happen while the partition is unmounted.

It is a good idea to avoid creating very large partitions (over, say, 20GiB), because of the time it takes to run fsck on them or to restore them from backup if the need arises. It is better, if possible, to create several smaller partitions than one very large one.

The helper script debian-edu-fsautoresize is provided to make it easier to extend full partitions. When invoked, it reads the configuration from /usr/share/debian-edu-config/fsautoresizetab, /site/etc/fsautoresizetab and /etc/fsautoresizetab. It then proposes to extend partitions with too little free space, according to the rules provided in these files. If run with no arguments, it will only show the commands needed to extend the file system. The argument -n is needed to actually execute these commands to extend the file systems.

The script is executed automatically every hour on every client listed in the fsautoresize-hosts netgroup.

When the partition used by the Squid proxy is resized, the value for cache size in /etc/squid/squid.conf needs to be updated as well. The helper script /usr/share/debian-edu-config/tools/squid-update-cachedir is provided to do this automatically, checking the current partition size of /var/spool/squid/ and configuring Squid to use 80% of this as its cache size.

Logical Volume Management

Logical Volume Management (LVM) enables resizing the partitions while they are mounted and in use. You can learn more about LVM from the LVM HowTo.

To extend a logical volume manually you simply tell the lvextend command how large you want it to grow to. For example, to extend home0 to 30GB you use the following commands:

lvextend -L30G /dev/vg_system/skole+tjener+home0
resize2fs /dev/vg_system/skole+tjener+home0

To extend home0 by an additional 30G, you insert a '+' (-L+30G).

Installing a graphical environment on the main-server to use GOsa²

If you (probably accidentally) installed a pure main-server profile and don't have a client with a web-browser handy, it's easy to install a minimal desktop on the main server using this command sequence in a (non-graphical) shell as the user you created during the main server's installation (first user):

  $ sudo apt-get update
  $ sudo apt-get install gnome-session gnome-terminal iceweasel xorg
  # after installation, start a graphical session for the first user 
  $ startx

Using ldapvi

ldapvi is a tool to edit the LDAP database with a normal text editor on the commandline.

The following needs to be executed:

ldapvi --ldap-conf -ZD '(cn=admin)'

Note: ldapvi will use whatever is the default editor. By executing export EDITOR=vim in the shell prompt one can configure the environment to get a vi clone as editor.

To add an LDAP object using ldapvi, use object sequence number with the string add in front of the new LDAP object.

/!\ Warning: ldapvi is a very powerful tool. Be careful and don't mess up the LDAP database, same warning applies for JXplorer.

JXplorer, an LDAP GUI

If you prefer a GUI to work with the LDAP database, check out the jxplorer package, which is installed by default. To get write access, connect like this:

host: ldap.intern
port: 636
Base dn: dc=skole,dc=skolelinux,dc=no
Security level: ssl + user + password
User dn: cn=admin,ou=ldap-access

Click "This session only" if asked for the certificate.

ldap-createuser-krb, a command-line tool

ldap-createuser-krb is a small command line tool to create LDAP users and set their passwords in Kerberos. It's mostly useful for testing, though.

Using stable-updates (formerly known as volatile)

Since the Squeeze release, Debian has included packages formerly maintained in volatile.debian.org in the stable-updates suite, which was created in 2011.

While you can use stable-updates directly, you don't have to: stable-updates are pushed into the stable suite regularly when stable point releases are done, which roughly happens every two months.

Using backports.debian.org to install newer software

You are running Debian Edu because you prefer the stability of Debian Edu. It runs great; there is just one problem: sometimes software is a little bit more outdated than you like. This is where backports.debian.org steps in.

Backports are recompiled packages from Debian testing (mostly) and Debian unstable (in a few cases only, e.g. security updates), so they will run without new libraries (wherever this is possible) on a stable Debian distribution like Debian Edu. We recommend you to pick out individual backports which fit your needs, and not to use all backports available there.

Using backports is simple:

echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt/sources.list
apt-get update

After this, backported packages can be installed easily; the following command will install a backported version of tuxtype:

apt-get install -t wheezy-backports tuxtype

Backports are automatically updated (if available) just like other packages. (Previously, extra configuration was needed to achieve this, but since 2011 this is not needed anymore; see http://backports.debian.org/news/squeeze-backports_and_lenny-backports-sloppy_started/.)

Like the normal archive, backports has three sections: main, contrib and non-free.

Upgrading with a CD or similar image

If you want to upgrade from one version to another (for example from Wheezy 7.1+edu0 to 7.3+edu1) but you do not have Internet connectivity, only physical media, follow these steps:

Insert the CD / DVD / Blu-ray disc / USB flash drive, mount it and use the apt-cdrom command:

mount /media/cdrom
apt-cdrom add -m

To quote the apt-cdrom(8) man page:

  • apt-cdrom is used to add a new CDROM to APTs list of available sources. apt-cdrom takes care of determining the structure of the disc as well as correcting for several possible mis-burns and verifying the index files.
  • It is necessary to use apt-cdrom to add CDs to the APT system, it cannot be done by hand. Furthermore each disk in a multi-cd set must be inserted and scanned separately to account for possible mis-burns.

Then run these two commands to upgrade the system:

apt-get update
apt-get upgrade

Java

Running standalone Java applications

Standalone Java applications are supported out of the box by the OpenJDK Java runtime.

Running Java applications in the web browser

Running Java applets in the browser is supported out of the box by the OpenJDK Java runtime.

Group Customisation Example with GOsa²

In this example we want to create users in year groups, with common home directories for each group (home0/2014, home0/2015, etc.) We want to create the users by csv import.

(as root on Tjener)

  • Make the necessary year group directories

mkdir /skole/tjener/home0/2014

(as superuser in Gosa)

  • Department

Main menu: go to 'Directory structure', click the 'Students' department. The 'Base' field should show '/Students'. From the drop box 'Actions' choose 'Create'/'Department'. Fill in values for Name (2014) and Description fields (students graduating in 2014), leave the Base field as is (should be '/Students'). Save it by clicking 'Ok'. Now the new department (2014) should show up below /Students. Click it.

  • Group

Choose 'Groups' from the main menu; 'Actions'/Create/Group. Enter group name (leave 'Base' as is, should be /Students/2014) and click the check box left of 'Samba group'. 'Ok' to save it.

  • Template

Choose 'users' from the main menu. Change to 'Students' in the Base field. An entry 'NewStudent' should show up; click it. This is the 'students' template, not a real user. As you'll have to create such a template (to be able to use csv import for your structure) based on this one, note all entries showing up in the Generic, POSIX and Samba tabs, and maybe take screenshots. Now change to /Students/2014 in the Base field; choose Create/Template and start to fill in your desired values, first the Generic tab (add your new 2014 group under Group Membership, too), then add POSIX and Samba account.

  • Import users

Choose your new template when doing csv import; testing it with a few users is recommended.

Creating folders in the home directories of all users

With this script the administrator can create a folder in each user's home directory and set access permissions and ownership.

In the example shown below with group=teachers and permissions=2770 a user can hand in an assignment by saving the file to the folder "assignments" where teachers are given write access to be able to make comments.

 #!/bin/bash
 # Create a shared folder in every user's home directory.
 home_path="/skole/tjener/home0"
 shared_folder="assignments"
 permissions="2770"
 group="teachers"
 created_dir=0
 # iterate over directories only; do nothing if there are none
 shopt -s nullglob
 for home_dir in "$home_path"/*/; do
    # "username" = "folder name"
    user=$(basename "$home_dir")
    target="$home_path/$user/$shared_folder"
    if [ ! -d "$target" ]; then
        mkdir "$target"
        chmod "$permissions" "$target"
        # set the right owner and group
        chown "$user:$group" "$target"
        ((created_dir+=1))
    else
        echo -e "the folder $target already exists.\n"
    fi
 done
 echo "$created_dir folders have been created"

Easy access to USB drives and CDROMs/DVDs

When users insert a USB drive or a DVD / CDROM into a (diskless) workstation, a popup window appears asking what to do with it, just like in any other normal installation.

When users insert a USB drive or a DVD / CDROM into a thin client there is only a notify-window showing up for a few seconds. The media is automatically mounted and it is possible to access it browsing to the /media/$user folder. This is quite difficult for many non experienced users.

It is possible to have the default KDE file manager Dolphin showing up if KDE (or LXDE, if installed in parallel to KDE) is in use as desktop environment. To configure this, simply execute /usr/share/debian-edu-config/ltspfs-mounter-kde enable on the terminal server. (When using Gnome, device icons will be placed on the desktop allowing easy access).

In addition the following script could be used to create the symlink "media" for all users in their home folder for easy access to USB drives, CDROM / DVD or whatever media is connected to the thin client. This might come in handy if users want to edit files directly on their plugged in media.

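 #!/bin/bash
 # Create the symlink "media" -> /media/<user> in every user's home directory.
 home_path="/skole/tjener/home0"
 shared_folder="media"
 created_links=0
 # iterate over directories only; do nothing if there are none
 shopt -s nullglob
 for home_dir in "$home_path"/*/; do
    user=$(basename "$home_dir")
    link="$home_path/$user/$shared_folder"
    # -L also catches an existing symlink whose target is not mounted
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        ln -s "/media/$user" "$link"
        ((created_links+=1))
    else
        echo -e "the folder $link already exists.\n"
    fi
 done
 echo "$created_links symlinks have been created"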

A warning about removable media on LTSP servers

/!\ Warning: When inserted into an LTSP server USB drives and other removable media cause popup messages on remote LTSP clients.

If remote users acknowledge the popup or use pmount from the console, they can even mount the removable devices and access the files.

This is being tracked as Debian Edu bug #1376.

Automatic cleanup of leftover processes

killer is a Perl script that gets rid of background jobs. Background jobs are defined as processes that belong to users who are not currently logged into the machine. It is run by a cron job once an hour.

To install it run the following command as root:

 apt-get install killer

Automatic installation of security upgrades

unattended-upgrades is a Debian package which will install security (and other) updates automatically. If you plan to use it, you should have some means to monitor your systems, such as installing the apt-listchanges package and configuring it to send you emails about updates. And there is always /var/log/dpkg.log.

To install these packages run the following command as root:

 apt-get install unattended-upgrades apt-listchanges
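
An added example (not part of the Debian Edu manual) of using /var/log/dpkg.log for the monitoring mentioned above: it lists the packages dpkg upgraded on a given day and flags packages whose last recorded state shows an unfinished upgrade. The function names are assumptions, and the sample log is constructed with placeholder package names and versions.

```sh
#!/bin/sh
# Added example, not part of the Debian Edu manual.
# Two checks on dpkg.log after unattended-upgrades has run. Only the
# given file is read; rotated logs (dpkg.log.1, ...) must be passed
# separately.

# upgrades_on DAY [LOGFILE]
# Prints "<package> <old version> -> <new version>" for every package
# that dpkg upgraded on DAY (format YYYY-MM-DD).
upgrades_on() {
    awk -v day="$1" '
        $1 == day && $3 == "upgrade" { print $4, $5, "->", $6 }
    ' "${2:-/var/log/dpkg.log}"
}

# unfinished_packages [LOGFILE]
# Prints "<package> <state>" for every package whose last recorded state
# is not a resting state (installed, not-installed, config-files), i.e.
# an upgrade that was interrupted or whose configuration step failed.
unfinished_packages() {
    awk '
        $3 == "status" { last[$5] = $4 }
        END {
            for (pkg in last)
                if (last[pkg] != "installed" &&
                    last[pkg] != "not-installed" &&
                    last[pkg] != "config-files")
                    print pkg, last[pkg]
        }
    ' "${1:-/var/log/dpkg.log}" | sort
}

# Constructed sample log: libfoo1 is upgraded completely, foo-server is
# left half-configured.
sample_dpkg_log() {
    cat <<'EOF'
2013-08-25 06:25:03 startup archives unpack
2013-08-25 06:25:04 upgrade libfoo1:amd64 1.0-1 1.0-1+deb7u1
2013-08-25 06:25:04 status half-installed libfoo1:amd64 1.0-1
2013-08-25 06:25:05 status unpacked libfoo1:amd64 1.0-1+deb7u1
2013-08-25 06:25:06 upgrade foo-server:amd64 2.3-4 2.3-4+deb7u1
2013-08-25 06:25:06 status half-installed foo-server:amd64 2.3-4
2013-08-25 06:25:07 status unpacked foo-server:amd64 2.3-4+deb7u1
2013-08-25 06:25:08 startup packages configure
2013-08-25 06:25:08 configure libfoo1:amd64 1.0-1+deb7u1 <none>
2013-08-25 06:25:08 status half-configured libfoo1:amd64 1.0-1+deb7u1
2013-08-25 06:25:09 status installed libfoo1:amd64 1.0-1+deb7u1
2013-08-25 06:25:09 configure foo-server:amd64 2.3-4+deb7u1 <none>
2013-08-25 06:25:09 status half-configured foo-server:amd64 2.3-4+deb7u1
EOF
}

# When called with a date, report on the live log, e.g.:
#   sh dpkg-check.sh 2013-08-25
if [ "$#" -eq 1 ]; then
    upgrades_on "$1"
    unfinished_packages
fi
```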

Automatic shutdown of machines during the night

It is possible to save energy and money by automatically turning client machines off at night and back on in the morning. The package will try to turn off the machine every hour on the hour from 16:00 in the afternoon, but will not turn it off if it seems to have users. It will try to tell the BIOS to turn on the machine around 07:00 in the morning, and the main-server will try to turn on machines from 06:30 by sending wake-on-lan packets. These times can be changed in the crontabs of individual machines.

Some considerations should be kept in mind when setting this up:

  • The clients should not be shut down when someone is using them. This is ensured by checking the output from who, and as a special case, checking for the LDM ssh connection command to work with LTSP thin clients.

  • To avoid blowing electrical fuses, it is a good idea to make sure all clients do not start at the same time.
  • There are two different methods available to wake up clients. One uses a BIOS feature and requires a working and correct hardware clock, as well as a motherboard and BIOS version supported by nvram-wakeup; the other requires clients to have support for wake-on-lan, and the server to know about all the clients that need to be woken up.

How to set up shutdown-at-night

On clients that should turn off at night, touch /etc/shutdown-at-night/shutdown-at-night, or add the hostname (that is, the output from 'uname -n' on the client) to the netgroup "shutdown-at-night-hosts". Adding hosts to the netgroup in LDAP can be done using the GOsa² web tool. The clients might need to have wake-on-lan configured in the BIOS. It is also important that the switches and routers used between the wake-on-lan server and the clients will pass the WOL packets to the clients even if the clients are turned off. Some switches fail to pass on packets to clients that are missing in the ARP table on the switch, and this blocks the WOL packets.

To enable wake-on-lan on the server, add the clients to /etc/shutdown-at-night/clients, with one line per client, IP address first, followed by MAC address (ethernet address), separated by a space; or create a script /etc/shutdown-at-night/clients-generator to generate the list of clients on the fly.

Here is an example /etc/shutdown-at-night/clients-generator for use with sitesummary:

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  sitesummary-nodes -w

An alternative if the netgroup is used to activate shutdown-at-night on clients is this script using the netgroup tool from the ng-utils package:

  #!/bin/sh
  PATH=/usr/sbin:$PATH
  export PATH
  netgroup -h shutdown-at-night-hosts

Access Debian-Edu servers located behind a firewall

To access machines behind a firewall from the Internet, consider installing the package autossh. It can be used to set up an SSH tunnel to a machine on the Internet that you have access to. From that machine, you can access the server behind the firewall via the SSH tunnel.

Installing additional service machines for spreading the load from main-server

In the default installation, all services are running on the main-server, tjener. To simplify moving some to another machine, there is a minimal installation profile available. Installing with this profile will lead to a machine, which is part of the Debian Edu network, but which doesn't have any services running (yet).

These are the required steps to set up a machine dedicated to some services:

  • install the minimal profile using the debian-edu-expert boot-option

  • install the packages for the service
  • configure the service
  • disable the service on main-server
  • update DNS (via LDAP/GOsa²) on main-server

HowTos from wiki.debian.org

The HowTos from http://wiki.debian.org/DebianEdu/HowTo/ are either user- or developer-specific. Let's move the user-specific HowTos over here (and delete them over there)! (But first ask the authors (see the history of those pages to find them) if they are fine with moving the howto and putting it under the GPL.)
