Differences between revisions 35 and 36
Revision 35 as of 2013-01-26 16:56:05
Size: 7014
Editor: AndreasMundt
Comment: sudo access
Revision 36 as of 2013-02-14 15:20:20
Size: 6805
Editor: AndreasMundt
Comment: update
Line 25: Line 25:
  * ICINGA and Munin system monitoring
Line 43: Line 44:
 * GOsa is used to manage users. Access GOsa with a browser {{{https://<mainserver IP address>/gosa/}}} and log in as {{{admin}}} with the initial password provided in {{{/root/installation/LDAPadminPWD}}}. Change the password immediately after login. The user {{{admin}}} has unlimited sudo access on all machines.  * GOsa is used to manage users. Access GOsa with a browser {{{https://<mainserver IP address>/gosa/}}} and log in as {{{admin}}} with the password as entered during installation. The user {{{admin}}} has unlimited sudo access on all machines.
 * To add a lists of users to GOsa, use the
provided script {{{add2gosa}}}.
Line 49: Line 51:
To '''install a client machine''', you have to add the hardware MAC address to {{{/etc/dhcp/dhcpd.conf}}}. This can be done by hand or with help of the command: To '''install a client machine''', you have to add the hardware MAC address to {{{/etc/dhcp/dhcpd.conf}}}. This should be done with the command:
Line 61: Line 63:
'''Distributing Kerberos keytabs to clients:''' During installation of a workstation, the kerberos keytab is sent to the machine and marked with a time stamp. In case you need to repeat this procedure manually, remove the timestamp from the keytab (i.e. rename it) and use the command: '''Distributing Kerberos keytabs to clients:''' During installation of a workstation, the kerberos keytab is sent to the machine and marked with a time stamp. In case you need to repeat this procedure manually, remove the timestamp from the keytab in {{{/etc/root/installtion/}}} (i.e. rename it). After that, use the command:
Line 63: Line 65:
debian-lan addmachine workstationXX debian-lan key2machine workstationXX
Line 92: Line 94:
The mainserver might serve the root file system for diskless machines. To enable diskless machines, install the mainserver with a corresponding partitioning scheme activated in {{{class/50-host-classes}}} ("FLAVOR"). This will add another partition for {{{/opt}}} and add the class {{{DISKLESS_SERVER}}} to the mainserver's classes. After installation and the creation of the FAI nfsroot ({{{fai-setup}}}), you can install the chroot automatically. To install it manually, run: The mainserver by default serves the root file system for diskless machines. To disable diskless machines, install the mainserver with a corresponding partitioning scheme activated in {{{class/50-host-classes}}} ("FLAVOR"). After installation and the creation of the FAI nfsroot ({{{fai-setup}}}), you can install the chroot automatically. To install it manually, run:
Line 108: Line 110:
 * munin-node-configure does not link all available (i.e. working) plugins during installation &rarr; add missing links (use {{{munin-node-configure --shell}}} to get links for available plugins).
* NFSv4 not kerberized: DebianBug:638157 &rarr; apply [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638157#10|patch]].
 * NFSv4 not kerberized (relevant only on squeeze): DebianBug:638157 &rarr; apply [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638157#10|patch]].
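Review bot: the added sentence "To add a lists of users to GOsa" in the Line 43/44 hunk has a number disagreement; suggest "To add a list of users to GOsa, use the provided script {{{add2gosa}}}."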
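Review bot: the path added in the Line 61/63 hunk, {{{/etc/root/installtion/}}}, misspells "installation", and revision 35 places the installation files under /root/installation/ (the LDAPadminPWD hint), so the leading /etc/ looks like a slip as well; suggest checking the directory on a mainserver and writing it as {{{/root/installation/}}} if that is where the timestamped keytabs live.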
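Review bot: in the Line 92/94 hunk, after "To enable" became "To disable", the clause "with a corresponding partitioning scheme activated" no longer tells the reader which scheme to choose, and the dropped sentence about the extra {{{/opt}}} partition and the {{{DISKLESS_SERVER}}} class was the only place that explained what the default scheme does; suggest naming the FLAVOR that disables diskless support and keeping a short note that the default adds the /opt partition and the DISKLESS_SERVER class.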


Debian-LAN Setup_A

Network Topology

Two variants are available:

  • The mainserver takes part in a network with a dedicated gateway. The mainserver's IP address differs from the gateway address.
  • The mainserver with two network cards acts as a gateway to the external network. To trigger this setup, choose the same IP addresses for mainserver and gateway.

The mainserver serves the central services to the LAN and optionally the root file system for diskless machines. The clients mount their home directories via kerberized NFSv4.

By default the following IP addresses are used: Gateway: 10.0.0.1, mainserver: 10.0.0.10, workstations: 10.0.0.50...10.0.0.149, diskless clients 10.0.0.150...10.0.0.249. This can be modified in the config space class/SERVER_A.var.

Machine Types

  • mainserver

    • DNS and DHCP for the internal network.
    • Kerberos KDC
    • LDAP
    • GOsa for user management
    • ICINGA and Munin system monitoring
    • Home directories distributed via NFSv4 (Wheezy: sec=krb5i by default; Squeeze: affected by Debian bug #638157, use backports)

    • disk quota
    • Squid proxy
    • apt-cacher-ng
    • local APT repository
    • etckeeper
    • System backup (/etc, home directories, FAI config space, LDAP, package selection and -configuration)
  • workstation

    • XFCE, LXDE and Gnome desktop environments
    • customized package selection
  • diskless (workstation)

    • same features as workstation (see below on how to activate)

Details and Hints

First make sure you can ssh as root into the mainserver with the root password.

User and Machine Management

  • GOsa is used to manage users. Access GOsa with a browser https://<mainserver IP address>/gosa/ and log in as admin with the password as entered during installation. The user admin has unlimited sudo access on all machines.

  • To add a list of users to GOsa, use the provided script add2gosa.

  • In addition, the script debian-lan is provided to manage users and groups in LDAP (using ldapscripts). The users created with debian-lan are not accessible within GOsa.

  • debian-lan also helps with adding machines to dhcpd.conf and copying the Kerberos keytabs to the machines (machine principals).

After installation of the mainserver (gateway version): make sure your networks are connected to the right interfaces: the interface with the fixed IP address 10.0.0.1 to the internal network, the interface configured by DHCP to the outside world (internet/router).

To install a client machine, you have to add the hardware MAC address to /etc/dhcp/dhcpd.conf. This should be done with the command:

debian-lan add2dhcp

The command lists all MAC addresses found in the ARP cache that are neither local nor already known and, for each one, prompts whether to skip the address or add it as a workstation or as a diskless machine.

So to (mass) add machines:

  • switch on all machines you want to add and boot them via PXE
  • make sure no 'foreign' machines are in the network, or note their hardware (MAC) addresses
  • if necessary, wait a bit until all unwanted entries have vanished from the ARP cache
  • run debian-lan add2dhcp and choose the machines' type
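As an added illustration of what the ARP-cache pass has to decide (this is not the debian-lan add2dhcp script itself), the POSIX shell function below takes "arp -n" output and the dhcpd.conf text and prints only the complete ARP entries whose MAC address is not yet declared; the sample inputs are constructed and the function name is my own.

```shell
#!/bin/sh
# Added illustration, not the debian-lan add2dhcp script itself:
# list the MAC addresses seen in the ARP cache that have no
# "hardware ethernet" entry in dhcpd.conf yet, so the administrator
# can review them before any host is added.

# Constructed sample of "arp -n" output (not captured from a real LAN).
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:11:22:33:44:01   C                     eth0
10.0.0.51                ether   00:11:22:33:44:51   C                     eth0
10.0.0.52                        (incomplete)                              eth0
10.0.0.77                ether   00:11:22:33:44:77   C                     eth0'

# Constructed sample of the host entries in /etc/dhcp/dhcpd.conf.
DHCPD_SAMPLE='host workstation01 {
  hardware ethernet 00:11:22:33:44:51;
  fixed-address 10.0.0.51;
}'

# unknown_macs ARP_TEXT DHCPD_TEXT
# Prints "IP MAC" for every complete ARP entry whose MAC address is not
# already declared in the dhcpd.conf text.  The header line and entries
# without a hardware address ("(incomplete)") are skipped.
unknown_macs() {
    arp_text=$1
    dhcpd_text=$2
    # Collect the declared MACs once, lower-cased, one per line.
    known=$(printf '%s\n' "$dhcpd_text" | awk '
        $1 == "hardware" && $2 == "ethernet" { sub(/;$/, "", $3); print tolower($3) }')
    printf '%s\n' "$arp_text" | awk -v known="$known" '
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        $2 == "ether" && length($3) == 17 {
            mac = tolower($3)
            if (!(mac in seen)) print $1, mac
        }'
}

# On a live mainserver the first argument would come from "arp -n" and the
# second from /etc/dhcp/dhcpd.conf; here the constructed samples are used.
unknown_macs "$ARP_SAMPLE" "$DHCPD_SAMPLE"
```

The gateway at 10.0.0.1 shows up in the output as well, which is exactly why the list above tells you to note the MAC addresses of machines that must not be added.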

Distributing Kerberos keytabs to clients: During installation of a workstation, the Kerberos keytab is sent to the machine and marked with a time stamp. In case you need to repeat this procedure manually, remove the time stamp from the keytab in /etc/root/installation/ (i.e. rename it). After that, use the command:

debian-lan key2machine workstationXX

on the mainserver to copy the Kerberos keytab to workstationXX. Diskless clients do not need this procedure in order to be activated.

Adding users: Adding users in GOsa should be straightforward (use the prepared template). If you prefer the command line, use:

debian-lan adduser <list of usernames separated by spaces>

or

debian-lan adduser <path to file>

to add users. The file is a simple text file with one username per line, optionally followed by the user's password, separated by a space. If you omit the password, debian-lan creates a random password and appends it to the user's line in the file. Note that users created with debian-lan are inaccessible within GOsa.
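As an added illustration of the user-list format (not the debian-lan script itself), the POSIX shell function below performs the fill-in step described above: it checks each username, appends a generated password where none is given, and creates the rewritten list readable by its owner only, since it holds plaintext passwords. The helper names are my own and the sample list in the comments is constructed.

```shell
#!/bin/sh
# Added illustration, not the debian-lan script itself: fill in the
# missing passwords of a user list (one username per line, optionally
# followed by a password).  Helper names are my own.
LC_ALL=C; export LC_ALL

# Conservative username form: lower-case letters, digits, '_' and '-',
# not starting with a digit or '-'.  Anything else is rejected.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    return 0
}

# 12 random letters and digits from /dev/urandom.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12
}

# fill_passwords FILE
# Rewrites FILE: lines with only a username get a generated password
# appended, lines that already carry one are kept.  An invalid username
# aborts the run and leaves FILE untouched.  Constructed input example:
#   alice secret123
#   bob
fill_passwords() {
    file=$1
    tmp="$file.tmp"
    # The list holds plaintext passwords: create it owner-readable only.
    ( umask 077; : > "$tmp" )
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # keep blanks and comments
        esac
        set -- $line                                      # username [password]
        if ! valid_username "$1"; then
            printf 'invalid username: %s\n' "$1" >&2
            rm -f "$tmp"
            return 1
        fi
        if [ $# -eq 1 ]; then
            printf '%s %s\n' "$1" "$(gen_password)"
        else
            printf '%s\n' "$line"
        fi
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
}
```

After the run the file can be handed to debian-lan adduser <path to file>; it should be deleted or kept under /root with the same restrictive permissions once the accounts exist.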

Removing users: Use the deluser command of the debian-lan script.

For more details take a look at the debian-lan script itself.

Backup

A dedicated backup disk is recommended. Use a class *BAK* for that case. Take a look at class/50-host-classes and disk_config/*BAK* for details.

RAID1

To use a RAID1 on the server, add the class RAID and replace LVM*_A with the corresponding RAIDLVM*_A class in class/50-host-classes.

Diskless Clients

Warning: The FAI classes DISKLESS_* work only on the mainserver; making the classes independent has not been done yet.

The mainserver by default serves the root file system for diskless machines. To disable diskless machines, select the corresponding partitioning scheme ("FLAVOR") in class/50-host-classes when installing the mainserver. After installation and the creation of the FAI nfsroot (fai-setup), you can install the chroot automatically. To install it manually, run:

export LC_ALL=C
fai -vNu diskless dirinstall /opt/live/filesystem.dir/

The command installs the chroot of the diskless machines in /opt. In addition, swapping over the network is activated and the PXE configuration is prepared. Unknown machines and the disklessXX hosts will be booted as diskless clients. To update the chroot, use the commands:

chroot /opt/live/filesystem.dir/
fai -vNu diskless softupdate

Local APT repository

By default the mainserver includes a (signed) APT repository to distribute site-specific customized packages in your DebianLAN. For details look into /var/www/debian/create_archive.sh. This repository is added to the clients' sources.list on a FAI softupdate as soon as the public key can be fetched. To disable this feature, remove the corresponding variables in class/SERVER_A.var and class/CLIENT_A.var.

Known Issues and Work-Arounds

  • Installation of munin-node fails during the mainserver FAI installation because of Debian bug #612481 (still relevant on squeeze) → install munin-node after the FAI installation.

  • NFSv4 not kerberized (relevant only on squeeze): Debian bug #638157 → apply the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638157#10.