Turning on Debian Wheezy ELTS
Add the following to /etc/apt/sources.list. These repositories are signed with Freexian's archive key, so import that key into apt's keyring before running the first update; otherwise aptitude will report every package from them as unauthenticated.
#
# Extended LTS
#
deb http://deb.freexian.com/extended-lts wheezy-lts main contrib non-free
deb-src http://deb.freexian.com/extended-lts wheezy-lts main contrib non-free
deb http://deb.freexian.com/extended-lts wheezy-lts-kernel main contrib non-free
Make sure the machine is set up to use the cclub caching proxy.
It should have /etc/apt/apt.conf.d/90cclubproxy:
Acquire::http {
    Proxy "http://pkg-proxy.club.cc.cmu.edu:8000/";
    Proxy::debian.club.cc.cmu.edu "DIRECT";
    Proxy::www.club.cc.cmu.edu "DIRECT";
    Proxy::ftp.club.cc.cmu.edu "DIRECT";
};
Old Stuff Below, Just Ignore It!
Bootstrapping a DomU
On the hosting machine
debootstrap wheezy /path/to/root http://mirrors.mit.edu/debian/
mount --bind /dev /path/to/root/dev
mount -t proc proc /path/to/root/proc
mount -t sysfs sysfs /path/to/root/sys
cp /afs/club/system/etc/skel/wheezy/apt/sources.list /path/to/root/etc/apt
chroot /path/to/root /bin/bash
In the wheezy chroot
# Fix /etc/hostname
# E.g., echo «my-hostname» > /etc/hostname
# Fix /etc/hosts
# E.g., add:
#   128.237.157.«XYZ» «my-hostname».club.cc.cmu.edu «my-hostname»
# to the beginning
# Setup /etc/network/interfaces
# E.g., add a stanza something like:
#   auto eth0
#   iface eth0 inet static
#       address 128.237.157.«XYZ»
#       netmask 255.255.255.0
#       network 128.237.157.0
#       broadcast 128.237.157.255
#       gateway 128.237.157.1
#       # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers 128.237.157.12 128.237.157.14 128.2.204.150
#       dns-search club.cc.cmu.edu andrew.cmu.edu cmu.edu cc.cmu.edu
# Check /etc/resolv.conf
# Setup /etc/fstab
# E.g., something like:
#   /dev/xvda1 / ext4 rw,noatime,errors=remount-ro 0 1
#   /dev/xvda2 swap swap sw 0 0
# Keep package postinst scripts from starting daemons inside the chroot
dpkg-divert --local --rename --divert /sbin/start-stop-daemon.real --add /sbin/start-stop-daemon
cat > /sbin/start-stop-daemon << EOF
#!/bin/sh
echo invoked fake start-stop-daemon... > /dev/stderr
exit 0
EOF
chmod a+x /sbin/start-stop-daemon
aptitude update
# aptitude will warn that cclub-keyring is untrusted: it is the package that
# installs the archive key, so this first install is where trust in the
# wheezy-cclub repository is established. Check the origin before accepting.
aptitude install cclub-keyring
aptitude update
aptitude install cclub-debconf-settings
aptitude dist-upgrade
# For 32-bit only machines, substitute -amd64 with -686
aptitude install '~pstandard' linux-image-3.2.0-4-amd64
# Pick America/New_York as the local time zone
dpkg-reconfigure tzdata
# Edit /etc/inittab
# After,
#   6:23:respawn:/sbin/getty 38400 tty6
# Add
#   H0:2345:respawn:/sbin/getty 38400 hvc0
# Put the real start-stop-daemon back before leaving the chroot
rm /sbin/start-stop-daemon
dpkg-divert --rename --remove /sbin/start-stop-daemon
passwd root
# Leave chroot
exit
Boot the DomU
umount /path/to/root/dev
umount /path/to/root/proc
umount /path/to/root/sys
umount /path/to/root
# Create/configure Xen configuration
# Enable automatic boot if desired
(cd /etc/xen/auto && ln -s ../«my-hostname»)
xm create -c «my-hostname»
# Login as root
cd /root
scp «user»@unix:/afs/club/service/etc/skel/wheezy/packages.wheezy.domU .
aptitude install `cat packages.wheezy.domU`
Rsync and fake AFS
Please skip to the next section if you want the DomU to run AFS.
# Edit /etc/ssh/ssh_config
# Change
#   #   GSSAPIDelegateCredentials no
# To
#       GSSAPIDelegateCredentials yes
# Note: set globally, this forwards your Kerberos TGT to every host you ssh to
# from this machine. If you only need it for the rsync script, put it in a
# Host stanza for unix instead.
scp «user»@unix:/afs/club/system/scripts/sh/newrsync-wheezy.sh .
kinit -S kadmin/admin «user»/admin
./newrsync-wheezy.sh
Set up real AFS
Do not follow the steps in this section if you set up rsync above.
aptitude install openafs-modules-3.2.0-4-amd64
aptitude install openafs-client libpam-afs-session
kinit -S kadmin/admin «user»/admin
Clubification
# If you need/want to create a new Kerberos host key
# Run
kadmin ank -r host/«my-hostname».club.cc.cmu.edu
# and accept all the defaults
kadmin ext_keytab host/«my-hostname».club.cc.cmu.edu
/afs/club/system/scripts/sh/newmachine-wheezy.sh
Bootstrapping a Physical Machine
Debian install note: do not install "standard packages." Do it later so we don't install any packages (most notably exim4) that we'd like to preseed with the cclub-debconf-settings package.
# Add wheezy-cclub to /etc/apt/sources.list. Either manually add it, or scp
# unix:/afs/club/service/etc/skel/wheezy/apt/sources.list.
# To manually add it, the appropriate line is:
#   deb http://debian.club.cc.cmu.edu/debian/ wheezy-cclub contrib
aptitude update
aptitude install cclub-keyring
aptitude update
aptitude install cclub-debconf-settings
aptitude dist-upgrade
aptitude install '~pstandard'
# For machines that should run Xen.
# For 32-bit only machines, substitute -amd64 with -686
aptitude install xen-hypervisor-4.1-amd64 xen-utils-4.1 xen-tools
scp «user»@unix:/afs/club/service/etc/skel/wheezy/packages.wheezy.dom? .
aptitude install `cat packages.wheezy.dom?`
Follow the steps in either #Rsync_and_fake_AFS or #Set_up_real_AFS. The latter is not recommended for machines that will be Xen Dom0s.
Then follow the steps in #Clubification.
# Edit /etc/network/interfaces.
# Replace all instances of "eth0" with "br0".
# Change "allow-hotplug br0" to "auto br0".
# Add "bridge_ports eth0" to the stanza for br0.
shutdown -r now
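The interfaces edit above is the step most likely to leave a remote Dom0 unreachable after the reboot, so it is worth doing on a copy and inspecting the result first. The following is an added example, not a script from the original page or the club's skel tree: a POSIX shell function that performs the three edits on a copy of /etc/network/interfaces and is safe to run twice (a file that already has a bridge_ports line is left alone). The sample stanza in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original page): turn an eth0 stanza in an
# ifupdown interfaces file into the br0 bridge stanza a Xen Dom0 needs.
set -eu

# bridgeify SRC DST: write the converted copy of SRC to DST.
# Re-running on an already converted file copies it unchanged, so the
# "eth0 -> br0" substitution never touches an existing "bridge_ports eth0".
bridgeify() {
    src="$1"; dst="$2"
    if grep -q '^[[:space:]]*bridge_ports' "$src"; then
        cp "$src" "$dst"
        return 0
    fi
    awk '
        { gsub(/eth0/, "br0") }                              # every eth0 becomes br0
        /^allow-hotplug br0/ { sub(/^allow-hotplug/, "auto") } # bring the bridge up at boot
        { print }
        /^iface br0 inet/ { print "\tbridge_ports eth0" }    # the physical NIC joins the bridge
    ' "$src" > "$dst"
}

# Typical use on a real machine (constructed example, not run here):
#   bridgeify /etc/network/interfaces /root/interfaces.br0
#   diff -u /etc/network/interfaces /root/interfaces.br0
#   cp /root/interfaces.br0 /etc/network/interfaces
```

Before rebooting, `ifup --no-act br0` parses the new stanza without touching the interface, and the bridge_ports line needs bridge-utils installed, which xen-tools pulls in.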
PAM
It looks like we only need a few minor tweaks to make the Debian settings work.
sed -i 's/\(pam_krb5\.so.*minimum_uid\)=1000/\1=110/' /etc/pam.d/*
/etc/pam.d/common-account:
Add:
account sufficient pam_krb5.so minimum_uid=110
before
# here are the per-package modules (the "Primary" block)
/etc/pam.d/sshd:
Replace:
# Standard Un*x authorization.
@include common-account
with
account required pam_unix.so broken_shadow
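The three PAM edits above, as an added example that is not part of the original page: POSIX shell functions that apply them to a directory of pam.d files (defaulting to /etc/pam.d) and can be re-run without doubling up the inserted line. Note the back-reference in the sed expression: a replacement of `\)=110` is not a back-reference and would mangle the line, so `\1=110` is used. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): apply the wheezy PAM tweaks
# to a pam.d directory. Defaults to /etc/pam.d; pass another directory for a dry run.
set -eu

# 1. Lower minimum_uid on every pam_krb5.so line. Writes via a temp file so
#    a failed sed never leaves a truncated PAM file behind.
lower_krb5_min_uid() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed 's/\(pam_krb5\.so.*minimum_uid\)=1000/\1=110/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# 2. Put the sufficient pam_krb5 account line before the "Primary" block
#    marker in common-account, unless it is already present.
add_krb5_account_line() {
    f="$1"
    grep -qF 'account sufficient pam_krb5.so minimum_uid=110' "$f" && return 0
    awk '/^# here are the per-package modules \(the "Primary" block\)/ {
             print "account sufficient pam_krb5.so minimum_uid=110"
         }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# 3. In the sshd service file, replace the common-account include (and its
#    comment) with pam_unix.so broken_shadow, so users that are "x" in
#    /etc/passwd but absent from /etc/shadow can still log in.
sshd_broken_shadow() {
    f="$1"
    sed -e '/^# Standard Un\*x authorization\.$/d' \
        -e 's/^@include common-account$/account required pam_unix.so broken_shadow/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# apply_pam_edits [DIR]: run all three against DIR (default /etc/pam.d).
apply_pam_edits() {
    dir="${1:-/etc/pam.d}"
    lower_krb5_min_uid "$dir"/*
    add_krb5_account_line "$dir/common-account"
    sshd_broken_shadow "$dir/sshd"
}
```

Run it against a copy of /etc/pam.d first and diff the result; broken_shadow also means pam_unix.so no longer enforces shadow expiry fields for users without a shadow entry, which is the trade-off the Discussion below describes.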
Discussion
pam_krb5.so—"account" only works after "auth"
- caused an issue with sshd if the user is marked as shadowed in /etc/passwd (password field is "x") but has no /etc/shadow entry
- sshd runs the "account" stage for every login, including public-key logins that never went through a PAM "auth" stage, so pam_krb5.so returns PAM_IGNORE; pam_unix.so then fails because of the missing shadow entry
- solution is to use the broken_shadow arg on pam_unix.so for sshd only
- will never succeed without an "auth" phase
- this also means having it as "sufficient" for atd/cron does not allow users without shadow entries to run atd/cron jobs (assuming "x" in /etc/passwd)
pam_afs_session.so
- will silently succeed if AFS is not running
- so, it's not necessary to explicitly disable it for non-AFS machines
OpenAFS
Building the kernel module is a bit weird, since Debian has changed the way they handle kernel versions (I could reasonably claim it is the module packaging being broken; but I bet nobody else builds module packages this way anymore).
cd /usr/src
rm -rf ./modules
tar -jxvf openafs.tar.bz2
The modules need to be built such that the package name and "Recommends:" field reflect the correct Debian kernel package (e.g., linux-image-3.2.0-4-amd64). But you want the actual package version to reflect the Debian revision of the kernel (e.g., 3.2.41-2). This is necessary for the modules themselves to get installed to the right place (/lib/modules/3.2.0-4-amd64), and so that the sources that built the modules are properly traceable as well.
To do this, set KVERS to the "package name version" and KDREV to the "debian revision."
Additional i386 note: Something wonky may happen when building an i386 kmod in an i386 chroot under an amd64 kernel. To compensate, run eval `dpkg-architecture -ai386 -s` before building, and add SYS_NAME=i386_linux26 and ARCH=i386 to the make commandline.
E.g.,
cd /usr/src/modules/openafs
make -f debian/rules KSRC=/usr/src/linux-headers-3.2.0-4-amd64 KVERS=3.2.0-4-amd64 KDREV=3.2.41-2 binary
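The two values are easy to mix up, so here is an added example (not from the original page or the openafs packaging) that derives them from the installed kernel package: KVERS is the package name minus the linux-image- prefix, KDREV is that package's Version field, and the upstream major.minor of the two must agree or the headers will not match the package being built. It also appends the i386 variables from the note above for 32-bit flavours. It assumes dpkg-query is available, which is true on any Debian system; the version lookup sits in its own function so it can be stubbed for a dry run.

```shell
#!/bin/sh
# Added example (not part of the original page): compute KVERS and KDREV for
# the openafs module build from a kernel package name and print the make line.
set -eu

# Version field of an installed package, e.g. 3.2.41-2 for linux-image-3.2.0-4-amd64.
pkg_version() {
    dpkg-query -W -f='${Version}' "$1"
}

# KVERS is the "package name version": the kernel package name minus linux-image-.
kvers_of() {
    echo "${1#linux-image-}"
}

# KDREV is the Debian revision of the same package.
kdrev_of() {
    pkg_version "$1"
}

# Upstream major.minor of either form (3.2.0-4-amd64 -> 3.2, 3.2.41-2 -> 3.2).
major_minor() {
    echo "$1" | cut -d. -f1,2
}

# The headers named by KVERS and the package named by KDREV must be the same kernel series.
check_kernel_versions() {
    [ "$(major_minor "$1")" = "$(major_minor "$2")" ]
}

# Print the build command. 32-bit flavours also get the i386 workaround from the note above.
openafs_make_cmd() {
    kv="$1"; kd="$2"
    cmd="make -f debian/rules KSRC=/usr/src/linux-headers-$kv KVERS=$kv KDREV=$kd"
    case "$kv" in
        *-486|*-686|*-686-pae)
            echo 'eval $(dpkg-architecture -ai386 -s)'
            cmd="$cmd SYS_NAME=i386_linux26 ARCH=i386" ;;
    esac
    echo "$cmd binary"
}

# build_cmd_for PACKAGE, e.g. build_cmd_for linux-image-3.2.0-4-amd64
build_cmd_for() {
    kv=$(kvers_of "$1")
    kd=$(kdrev_of "$1")
    check_kernel_versions "$kv" "$kd" || {
        echo "KVERS $kv and KDREV $kd disagree on the upstream version" >&2
        return 1
    }
    openafs_make_cmd "$kv" "$kd"
}
```

Run `build_cmd_for linux-image-$(uname -r)` in /usr/src/modules/openafs and execute the printed line(s); for an i386 build in a chroot under an amd64 kernel, name the i386 package explicitly rather than using uname -r.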
Qmail
Looks like Debian has reasonable packages for daemontools and ucspi-tcp now.
aptitude install daemontools daemontools-run ucspi-tcp
Procmail... it doesn't seem like our collection has any patches. I guess it was just already lenient enough in Maildir delivery to work with AFS. It's also probably the worst code I've ever read, so I couldn't really tell. Since that's the case, I'm thinking the Debian package may just work. IIRC, there actually ended up being two problems with the Debian procmail. First was that it would come setuid, which caused it to behave somewhat weirdly. Second was that it would uselessly whine about something or another on every delivery.
Wow, there's a dspam debian package too.