Revision as of 08:55, 7 March 2013
Configure high-end desktop as server for lab-experiments
This page describes the settings to be made, the files to be copied, and the packages to be installed via yum or from source after the OS has been installed on a high-end desktop that will be used as a server for lab experiments. It was last updated during a CentOS 6.3 installation on 7 March 2013.
Installing OS
Install the OS with the following partitioning:
- Create a 30 GB RAID partition for root (/) on all disks, with ext3 or ext4
- Create RAID device /dev/md0 from all the 30 GB partitions as RAID 1, with spares if possible
- Create a 50 GB standard partition with vfat on all disks for other OSes / dual booting
- Create a RAID partition that consumes all remaining space on all three drives
- Create RAID device /dev/md1 as a physical volume
- Create a volume group with the following logical volumes:
  - a swap partition of 1.5 or 2 times the RAM size
  - the rest for the /mnt/das1 partition with ext4 (where das stands for directly attached storage)
GUI configuration
- Remove the user switch option from the panel in the top right corner of the screen
- Add the system monitor panel extension for monitoring CPU, hard disk and network usage
- Remove all folders (Documents, Downloads, Music, Pictures, etc.) from the home folder except Desktop
- Configure nautilus properly:
  - Show hidden and backup files
  - Always open in browser window
  - View executable text files when they are opened
  - Preview files smaller than 500KB
- Add a lock icon to the panel for locking the screen
- Disable the screensaver and locking
- Configure the display to go to sleep if inactive for 10 minutes
Configure firefox
- Edit the preferences for file download and set a blank page as the home page
- Configure the proxy and the 'No proxy for' values properly
Configure terminal
Make the following changes immediately after the OS install to configure terminals:
- Create the file /etc/profile.d/history.sh as described at Storing date / time along with commands in history
- Configure Ctrl+Alt+T as the shortcut for running a terminal
- Configure sudo to allow user saurabh to run all commands as root, as described at Allowing user to run all commands as root without specifying password
- Create a shortcut for a root terminal in gnome-panel with the command 'sudo su -' to be run in a terminal, with '/usr/share/pixmaps/keyring.png' as the image file
- Remove all temporary files created in /root by anaconda
- Add 'alias mplayer="mplayer -idx -zoom -softvol -softvol-max 400"' to .bashrc
Configure start-up applications
Go to System -> Preferences -> Start-up applications and disable the following start-up applications:
- AT SPI Registry Wrapper
- Automatic bug reporting tool
- Bluetooth
- File context maintainer
- Network manager
- PackageKit update
- Personal file sharing
- Policykit authentication agent
- Remote desktop
- SELinux troubleshooter
- Smart card manager
- Spice vdagents
- Terminal server client autostart
- User folder update
- Visual assistance
Disable SELinux
Edit the file '/etc/sysconfig/selinux' and set the SELINUX parameter to 'disabled'.
Disabling services
After the OS is installed, disable the following services from starting automatically in run levels 3 to 5 (the list is alphabetical):
- abrt-ccpp
- abrt-oops
- abrtd
- avahi-daemon
- bluetooth
- cachefilesd
- cgconfig
- edac
- fcoe
- fcoe-target
- ibacm
- iscsi
- iscsid
- isdn
- lldpad
- nfslock
- pcscd
- pppoe-server
- qpidd
- rpcbind
- rpcgssd
- rpcidmapd
- sandbox
- spice-vdagentd
- stap-server
- tog-pegasus
- trace-cmd
- xinetd
The following shell script can be used to disable all of the services listed above:
#!/bin/bash
SERVICES="abrt-ccpp abrt-oops abrtd avahi-daemon bluetooth cachefilesd cgconfig edac fcoe fcoe-target ibacm iscsi iscsid isdn lldpad nfslock pcscd pppoe-server qpidd rpcbind rpcgssd rpcidmapd sandbox spice-vdagentd stap-server tog-pegasus trace-cmd xinetd"
for SERVICE1 in $SERVICES; do
    echo "Going to run chkconfig $SERVICE1 off"
    chkconfig $SERVICE1 off
done
exit 0
If LVM, virtualization, auditing, software RAID, etc. are not going to be used, the following services can also be stopped:
- auditd (Auditing)
- libvirt-guests, libvirt-qmf, libvirtd (Virtualization)
- lvm2-monitor (LVM)
- mdmonitor (Software raid)
- ksm, ksmtuned (Kernel same page merging)
The following script can be used to stop the additional services listed above:
#!/bin/bash
SERVICES="auditd libvirt-guests libvirt-qmf libvirtd lvm2-monitor mdmonitor ksm ksmtuned"
for SERVICE1 in $SERVICES; do
    echo "Going to run chkconfig $SERVICE1 off"
    chkconfig $SERVICE1 off
done
exit 0
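As an added check (example code, not from the original page), the following Python snippet parses the output of 'chkconfig --list' in the CentOS 6 SysV format and reports any service from the list above that is still 'on' in run levels 3 to 5. The sample output embedded below is constructed for the demonstration.

```python
# Added example: verify that the services disabled above are really off in
# run levels 3-5 by parsing 'chkconfig --list' output (SysV format). The
# sample output is constructed; on a real host feed in the command's output.
DISABLED_SERVICES = """abrt-ccpp abrt-oops abrtd avahi-daemon bluetooth cachefilesd
cgconfig edac fcoe fcoe-target ibacm iscsi iscsid isdn lldpad nfslock pcscd
pppoe-server qpidd rpcbind rpcgssd rpcidmapd sandbox spice-vdagentd stap-server
tog-pegasus trace-cmd xinetd""".split()

# Constructed sample of 'chkconfig --list' (tabs separate the run level fields)
SAMPLE_CHKCONFIG_LIST = """\
abrtd          \t0:off\t1:off\t2:off\t3:on\t4:on\t5:on\t6:off
avahi-daemon   \t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off
rpcbind        \t0:off\t1:off\t2:on\t3:on\t4:off\t5:on\t6:off
sshd           \t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off
xinetd based services:
\tchargen-dgram:\toff
\trsync:\t\ton
"""


def parse_chkconfig_list(text):
    """Return {service: {runlevel: 'on' | 'off'}} for the SysV entries.
    The 'xinetd based services:' section has no run levels and is skipped."""
    states = {}
    for line in text.splitlines():
        if line.startswith("\t") or line.endswith(":") or not line.strip():
            continue
        fields = line.split()
        levels = {}
        for field in fields[1:]:
            level, _, state = field.partition(":")
            if level.isdigit():
                levels[int(level)] = state
        states[fields[0]] = levels
    return states


def still_enabled(text, services=DISABLED_SERVICES, runlevels=(3, 4, 5)):
    """Return a sorted list of (service, runlevel) pairs that should have
    been disabled but are still 'on' in the given run levels."""
    states = parse_chkconfig_list(text)
    offenders = []
    for service in services:
        for level in runlevels:
            if states.get(service, {}).get(level) == "on":
                offenders.append((service, level))
    return sorted(offenders)
```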
Configure yum
Configure yum with the following repositories:
- rpmfusion
- rpmforge
- epel
To configure them, use the following steps:
- Visit http://www.rpmfusion.org/ and choose the link 'Enable RPM Fusion on your system'
- Then download both the RPM Fusion free and the RPM Fusion nonfree setup rpms
- Install EPEL from http://ftp.cuhk.edu.hk/pub/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
- Install the downloaded rpms using 'rpm -ivh rpmfusion*'
- Disable the 'rpmfusion-free-updates-testing' and 'rpmfusion-nonfree-updates-testing' repositories
- Visit http://repoforge.org/use/ and download the rpm file for configuring the repoforge (rpmforge) repository
- Configure the repoforge repository using the downloaded rpm file: 'rpm -ivh repo*.rpm'
- Edit '/etc/yum.conf', configure the proper proxy and set 'keepcache=1'
- rsync the yum cache ('/var/cache/yum' folder) from an already updated CentOS 6.3 machine that has keepcache=1 to the current machine
Installing packages from yum
Install the following packages using yum (the list is alphabetical):
- atop
- denyhosts
- dia
- dot
- dvdisaster
- encfs
- emacs
- flash-plugin
- geany
- htop
- hunt
- iptraf
- john
- kile
- libotf-devel
- mplayer
- openvpn
- phpMyAdmin
- tcptrack
- wireshark
- wireshark-gnome
The following script can be used to install the above packages:
#!/bin/bash
PACKAGES="atop denyhosts dia dot dvdisaster encfs emacs flash-plugin geany htop hunt iptraf john kile libotf-devel mplayer openvpn phpMyAdmin tcptrack wireshark wireshark-gnome"
yum -y install $PACKAGES
exit 0
Install vlc and mp3 codecs
To install vlc:
- Remove all conflicting packages (libdvdread etc.)
- Install vlc:
  yum -y --disablerepo='epel' install vlc
  yum -y install vlc
- Install the gstreamer plugins:
  yum -y install gstreamer-plugins-{bad,ugly}
  yum -y install gstreamer-plugins-ugly
If problems are encountered while installing mplayer or gstreamer-plugins-{bad,ugly}, disable the testing repositories and try again.
Mount all filesystems
- Install ntfs-3g using 'yum -y install ntfs-3g'
- Create the /mnt/cdrive folder if it does not exist
- Try to mount the NTFS partition on /mnt/cdrive
- Get the block IDs of all partitions using blkid
- Make the proper entries in /etc/fstab for the partitions of interest. Use the 'umask=0000' option wherever required, e.g. for vfat partitions
Configure SSH
- Enable connection multiplexing as explained at Sharing multiple ssh connections
- Disable GSSAPI authentication using 'GSSAPIAuthentication no'
Disable guest account
- Use 'userdel -r xguest' to disable the guest account
Install packages from source
Install the following packages from source:
- Emacs installation from source
- Installing emacs package manager
- Installing Erlang by source
- Installing yaws by source
- Installing latest org mode
- Configure .emacs file
Configure firewall
Configure the iptables firewall with proper port knocking rules. The following configuration can be used as a basic '/etc/sysconfig/iptables' file on new installations:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INTO-PHASE1 - [0:0]
:INTO-PHASE2 - [0:0]
:INTO-PHASE3 - [0:0]
:INTO-PHASE4 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.3.230 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
-A INTO-PHASE1 -m recent --remove --name PHASE2
-A INTO-PHASE1 -m recent --remove --name PHASE3
-A INTO-PHASE1 -m recent --remove --name PHASE4
-A INTO-PHASE1 -m recent --set --name PHASE1
-A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: "
#
-A INTO-PHASE2 -m recent --remove --name PHASE1
-A INTO-PHASE2 -m recent --set --name PHASE2
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
#
-A INTO-PHASE3 -m recent --remove --name PHASE2
-A INTO-PHASE3 -m recent --set --name PHASE3
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "
#
-A INTO-PHASE4 -m recent --remove --name PHASE3
-A INTO-PHASE4 -m recent --set --name PHASE4
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
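To sanity-check the rule set above before deploying it, the following Python model (added example, not part of the original page) replays packets through the port knocking state machine it defines: the four 'recent' lists PHASE1 to PHASE4 are modelled as per-source-IP timestamps, '--set' stores the current time, '--rcheck' tests presence and '--rcheck --seconds 60' tests age. The ports 100, 200, 300, 400 and 22 come from the rule set; the model is a simplification of the kernel's xt_recent behaviour, not the real implementation.

```python
# Added example: model of the port knocking logic in the iptables file above.
# Assumption: each 'recent' list holds one timestamp per source address,
# which is all the --set/--rcheck/--remove rules above rely on.
KNOCK_PORTS = (100, 200, 300, 400)  # knock sequence from the rule set
PROTECTED_PORT = 22                 # port opened by a complete sequence
FINAL_WINDOW = 60                   # --seconds 60 on the PHASE4 --rcheck


class KnockGate:
    def __init__(self):
        # lists[src_ip] -> {phase_number: time the --set rule last fired}
        self.lists = {}

    def packet(self, src, dport, now):
        """Return True if the INPUT chain would ACCEPT this new TCP packet
        (only port 22 after a valid knock), False if it would REJECT it."""
        phases = self.lists.setdefault(src, {})
        if dport == KNOCK_PORTS[0]:
            # INTO-PHASE1: forget any later phase, then record PHASE1
            for later in (2, 3, 4):
                phases.pop(later, None)
            phases[1] = now
            return False            # the knock itself is still REJECTed
        for i in (1, 2, 3):
            # --dport <next knock> -m recent --rcheck --name PHASE<i>
            if dport == KNOCK_PORTS[i] and i in phases:
                phases.pop(i)        # INTO-PHASE<i+1>: --remove PHASE<i>
                phases[i + 1] = now  # then --set PHASE<i+1>
                return False
        if dport == PROTECTED_PORT and 4 in phases:
            # --rcheck --seconds 60 --name PHASE4: entry must be recent
            return now - phases[4] <= FINAL_WINDOW
        return False                # falls through to the final REJECT


def knock_then_connect(ports, connect_at, src="192.0.2.10"):
    """Send the given knock ports one second apart (starting at t=0), then
    try port 22 at time connect_at; returns whether it would be accepted."""
    gate = KnockGate()
    for t, port in enumerate(ports):
        gate.packet(src, port, t)
    return gate.packet(src, PROTECTED_PORT, connect_at)
```

The model shows the two properties the rule set is meant to enforce: port 22 stays closed for out-of-order or restarted sequences, and even a correct sequence expires 60 seconds after the last knock.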
Configure logging
- Edit '/etc/logwatch/conf/logwatch.conf' and write 'Detail = High' in the file
- Edit '/etc/mail/sendmail.mc' and configure it so that it can send emails
- Edit the '/etc/aliases' file and enter an email address as the alias for root
- Run 'newaliases', 'make', 'service sendmail restart' etc. as appropriate
- Test whether the email configuration is working by sending an email to root@localhost