Turning on Debian Wheezy ELTS

Add the following to /etc/apt/sources.list:

#
# Extended LTS
#

deb http://deb.freexian.com/extended-lts wheezy-lts main contrib non-free
deb-src http://deb.freexian.com/extended-lts wheezy-lts main contrib non-free
deb http://deb.freexian.com/extended-lts wheezy-lts-kernel main contrib non-free

Make sure the machine is set up to use the cclub caching proxy.

It should have /etc/apt/apt.conf.d/90cclubproxy:

Acquire::http {
    Proxy "http://pkg-proxy.club.cc.cmu.edu:8000/";
    Proxy::debian.club.cc.cmu.edu "DIRECT";
    Proxy::www.club.cc.cmu.edu "DIRECT";
    Proxy::ftp.club.cc.cmu.edu "DIRECT";
};

Old Stuff Below, Just Ignore It!

/!\ /!\ /!\

Bootstrapping a DomU

On the hosting machine

debootstrap wheezy /path/to/root http://mirrors.mit.edu/debian/
mount --bind /dev /path/to/root/dev
mount -t proc proc /path/to/root/proc
mount -t sysfs sysfs /path/to/root/sys
cp /afs/club/system/etc/skel/wheezy/apt/sources.list /path/to/root/etc/apt
chroot /path/to/root /bin/bash

In the wheezy chroot

# Fix /etc/hostname
# E.g., echo «my-hostname» > /etc/hostname

# Fix /etc/hosts
# E.g., add:
#   128.237.157.«XYZ» «my-hostname».club.cc.cmu.edu «my-hostname»
# to the beginning

# Setup /etc/network/interfaces
# E.g., add a stanza something like:
#   auto eth0
#   iface eth0 inet static
#           address 128.237.157.«XYZ»
#           netmask 255.255.255.0
#           network 128.237.157.0
#           broadcast 128.237.157.255
#           gateway 128.237.157.1
#           # dns-* options are implemented by the resolvconf package, if installed
#           dns-nameservers 128.237.157.12 128.237.157.14 128.2.204.150
#           dns-search club.cc.cmu.edu andrew.cmu.edu cmu.edu cc.cmu.edu

# Check /etc/resolv.conf

# Setup /etc/fstab
# E.g., something like:
#   /dev/xvda1      /               ext4    rw,noatime,errors=remount-ro 0       1
#   /dev/xvda2      swap            swap    sw              0       0

dpkg-divert --local --rename --divert /sbin/start-stop-daemon.real --add /sbin/start-stop-daemon
cat > /sbin/start-stop-daemon << EOF
#!/bin/sh
echo invoked fake start-stop-daemon... > /dev/stderr
exit 0
EOF
chmod a+x /sbin/start-stop-daemon

aptitude update
aptitude install cclub-keyring
aptitude update
aptitude install cclub-debconf-settings

aptitude dist-upgrade

# For 32-bit only machines, substitute -amd64 with -686
aptitude install '~pstandard' linux-image-3.2.0-4-amd64

# Pick America/New_York as the local time zone
dpkg-reconfigure tzdata

# Edit /etc/inittab
# After,
#   6:23:respawn:/sbin/getty 38400 tty6
# Add
#   H0:2345:respawn:/sbin/getty 38400 hvc0

rm /sbin/start-stop-daemon
dpkg-divert --rename --remove /sbin/start-stop-daemon

passwd root

# Leave chroot
exit

Boot the DomU

umount /path/to/root/dev
umount /path/to/root/proc
umount /path/to/root/sys
umount /path/to/root

# Create/configure Xen configuration

# Enable automatic boot if desired
(cd /etc/xen/auto && ln -s ../«my-hostname»)

xm create -c «my-hostname»

# Login as root

cd /root

scp «user»@unix:/afs/club/service/etc/skel/wheezy/packages.wheezy.domU .
aptitude install `cat packages.wheezy.domU`

Rsync and fake AFS

Please skip to the next section if you want the DomU to run AFS.

# Edit /etc/ssh/ssh_config
# Change
#   #   GSSAPIDelegateCredentials no
# To
#       GSSAPIDelegateCredentials yes

scp «user»@unix:/afs/club/system/scripts/sh/newrsync-wheezy.sh .
kinit -S kadmin/admin «user»/admin
./newrsync-wheezy.sh

Set up real AFS

Do not follow the steps in this section if you set up rsync above.

aptitude install openafs-modules-3.2.0-4-amd64
aptitude install openafs-client libpam-afs-session

kinit -S kadmin/admin «user»/admin

Clubification

# If you need/want to create a new Kerberos host key
# Run
kadmin ank -r host/«my-hostname».club.cc.cmu.edu
# and accept all the defaults

kadmin ext_keytab host/«my-hostname».club.cc.cmu.edu

/afs/club/system/scripts/sh/newmachine-wheezy.sh

Bootstrapping a Physical Machine

Debian install note: do not install "standard packages." Do it later so we don't install any packages (most notably exim4) that we'd like to preseed with the cclub-debconf-settings package.

# Add wheezy-cclub to /etc/apt/sources.list.  Either manually add it, or scp
# unix:/afs/club/service/etc/skel/wheezy/apt/sources.list.
# To manually add it, the appropriate line is:
#     deb http://debian.club.cc.cmu.edu/debian/ wheezy-cclub contrib

aptitude update
aptitude install cclub-keyring
aptitude update
aptitude install cclub-debconf-settings

aptitude dist-upgrade

aptitude install '~pstandard'

# For machines that should run Xen.
# For 32-bit only machines, substitute -amd64 with -686
aptitude install xen-hypervisor-4.1-amd64 xen-utils-4.1 xen-tools

scp «user»@unix:/afs/club/service/etc/skel/wheezy/packages.wheezy.dom? .
aptitude install `cat packages.wheezy.dom?`

Follow the steps in either the "Rsync and fake AFS" or the "Set up real AFS" section above. The latter is not recommended for machines that will be Xen Dom0s.

Then follow the steps in the "Clubification" section above.

# Edit /etc/network/interfaces.
# Replace all instances of "eth0" with "br0".
# Change "allow-hotplug br0" to "auto br0".
# Add "bridge_ports eth0" to the stanza for br0.

shutdown -r now

PAM

It looks like we only need a few minor tweaks to make the Debian settings work.

sed -i 's/\(pam_krb5\.so.*minimum_uid\)=1000/\1=110/' /etc/pam.d/*

/etc/pam.d/common-account:

Add:

account sufficient                      pam_krb5.so minimum_uid=110

before

# here are the per-package modules (the "Primary" block)

/etc/pam.d/ssh:

Replace:

# Standard Un*x authorization.
@include common-account

with

account    required     pam_unix.so broken_shadow
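
The three PAM edits above as one repeatable script. This is an added example, not part of the original page: the function names and the sample files are made up for illustration, and the directory to edit is passed as an argument so the script can be run against a copy of /etc/pam.d before touching the real one.

```shell
# Added example, not the page's own script: apply the PAM tweaks to directory $1.
export MARK='# here are the per-package modules (the "Primary" block)'
export KRB5_LINE='account sufficient                      pam_krb5.so minimum_uid=110'
export UNIX_LINE='account    required     pam_unix.so broken_shadow'

# rewrite FILE CMD...: filter FILE through CMD in place, keeping owner and mode.
rewrite() {
    f=$1; shift
    t=$(mktemp) || return 1
    "$@" "$f" > "$t" && cat "$t" > "$f"
    rc=$?; rm -f "$t"; return "$rc"
}

apply_pam_tweaks() {
    d=$1
    # 1. Lower minimum_uid on every pam_krb5.so line.
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        rewrite "$f" sed 's/\(pam_krb5\.so.*minimum_uid\)=1000/\1=110/' || return 1
    done
    # 2. common-account: add the pam_krb5 line before the "Primary" block marker,
    #    unless an account/sufficient pam_krb5 line is already there.
    grep -Eq '^account[[:space:]]+sufficient[[:space:]]+pam_krb5\.so' "$d/common-account" ||
        rewrite "$d/common-account" awk \
            '$0 == ENVIRON["MARK"] { print ENVIRON["KRB5_LINE"] } { print }' || return 1
    # 3. ssh: swap the common-account include for a direct pam_unix line.
    rewrite "$d/ssh" awk '$0 == "# Standard Un*x authorization." { next }
        $0 == "@include common-account" { print ENVIRON["UNIX_LINE"]; next }
        { print }'
}

# check_pam_tweaks DIR: succeed only if all three edits are in place.
check_pam_tweaks() {
    d=$1
    ! grep -Eqs 'pam_krb5\.so.*minimum_uid=1000' "$d"/* &&
    awk '$0 == ENVIRON["MARK"] && p == ENVIRON["KRB5_LINE"] { ok = 1 }
         { p = $0 } END { exit !ok }' "$d/common-account" &&
    grep -qxF "$UNIX_LINE" "$d/ssh" && ! grep -qxF '@include common-account' "$d/ssh"
}

# make_sample_pamd DIR: constructed sample files, not real system contents.
make_sample_pamd() {
    mkdir -p "$1"
    printf '%s\n' 'auth sufficient pam_krb5.so minimum_uid=1000' > "$1/common-auth"
    printf '%s\n' "$MARK" 'account required pam_unix.so' > "$1/common-account"
    printf '%s\n' 'auth required pam_env.so' '# Standard Un*x authorization.' \
        '@include common-account' > "$1/ssh"
}
```

Running apply_pam_tweaks a second time leaves the files unchanged, and check_pam_tweaks fails if the "Primary" block marker was missing and the pam_krb5 line could not be placed.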

Discussion

OpenAFS

Building the kernel module is a bit weird, since Debian has changed the way they handle kernel versions (I could reasonably claim it is the module packaging being broken; but I bet nobody else builds module packages this way anymore).

cd /usr/src
rm -rf ./modules
tar -jxvf openafs.tar.bz2

The modules need to be built such that the package name and "Recommend:" field reflect the correct Debian kernel package (e.g., linux-image-3.2.0-4-amd64). But you want the actual package version to reflect the Debian revision of the kernel (e.g., 3.2.41-2). This is necessary for the modules themselves to get installed to the right place (/lib/modules/3.2.0-4-amd64), and so that the sources that built the modules are properly traceable as well.

To do this, set KVERS to the "package name version" and KDREV to the "Debian revision."

Additional i386 note: Something wonky may happen when building an i386 kmod in an i386 chroot under an amd64 kernel. To compensate, run eval `dpkg-architecture -ai386 -s` before building, and add SYS_NAME=i386_linux26 and ARCH=i386 to the make command line.

E.g.,

cd /usr/src/modules/openafs
make -f debian/rules KSRC=/usr/src/linux-headers-3.2.0-4-amd64 KVERS=3.2.0-4-amd64 KDREV=3.2.41-2 binary

Qmail

Looks like Debian has reasonable packages for daemontools and ucspi-tcp now.

aptitude install daemontools daemontools-run ucspi-tcp

Procmail... it doesn't seem like our collection has any patches. I guess it was just already lenient enough in Maildir delivery to work with AFS. It's also probably the worst code I've ever read, so I couldn't really tell. Since that's the case, I'm thinking the Debian package may just work. IIRC, there actually ended up being two problems with the Debian procmail. First was that it would come setuid, which caused it to behave somewhat weirdly. Second was that it would uselessly whine about something or another on every delivery.

Wow, there's a dspam debian package too.

kbare at CLUB.CC.CMU.EDU/Wheezy (last edited 2019-07-20 22:35:40 by kbare@CLUB.CC.CMU.EDU)