CentOS setup for Subversion Edge

N.B. Gave up on this – taking too much time and effort for something that would require some command line admin anyway – such as the mailer configuration. Will go back to purely standard setup on Debian like existing servers.

Minimum setup

Network

To get the network going, edit ifcfg-eth0 in /etc/sysconfig/network-scripts/

Need to use vi for this – minimal install doesn’t have anything else.

DEVICE="eth0"
NM_CONTROLLED=no
ONBOOT=yes
HWADDR=6E:89:F7:F2:8B:47
TYPE=Ethernet
BOOTPROTO=none
IPADDR=130.209.45.49
NETMASK=255.255.255.0
GATEWAY=130.209.45.1
DNS1=130.209.4.16
DNS2=130.209.4.18
DNS3=130.209.16.6
DOMAIN=physics.gla.ac.uk
IPV6INIT=no
NAME="System eth0"
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

The UUID here was put in by the GUI network setup, as was some of the other stuff. The minimum required is IPADDR, BOOTPROTO (maybe?), NETMASK, GATEWAY, DNS1(2,3,etc).

To edit file with vi:

vi filename
i (insert mode)
ESC (command mode)
:x (Exit, saving changes)
:q! (Exit and ignore any changes)

vi cheat sheet at http://www.lagmonster.org/docs/vi.html

Enable network with service network start

Edit /etc/yum.conf to include the line

proxy=http://wwwcache.gla.ac.uk:8080/

then yum update to update system. Then use yum install packagename to install other stuff, like nano, ntp etc.

Install sudo. Seems to want it.

Firewall

Install system-config-firewall-tui using yum and run it.

Java

yum install java-1.6.0-openjdk

Set environment variable by creating a file in /etc/profile.d/

export JAVA_HOME=/usr/lib/jvm/jre

(if the install worked properly /usr/lib/jvm/jre should be a symlink to /etc/alternatives/jre which in turn should link to the actual jre, e.g. /usr/lib/jvm-exports/jre-1.6.0-openjdk.x86_64)

Python

Python should be installed. Apparently need to install python-ldap though.

User

Create user with:

useradd username
passwd username   # useradd -p expects an already-encrypted hash, not the plain password

Install

Create directory, e.g.

mkdir /export0/subversion_edge
chown subversion:subversion /export0/subversion_edge/

Put the downloaded file in subversion user’s directory, switch to the user and extract the file

tar -zxvf CollabNetSubversionEdge-3.1.0_linux-x86_64.tar

Change back to root (su -) and:

[root@unst ~]# /export0/subversion_edge/csvn/bin/csvn install
Detected RHEL or Fedora:
 Installing the CSVN Console daemon..
Setting RUN_AS_USER to: 'root'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted
Setting JAVA_HOME to: '/usr/lib/jvm/jre'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted.

Edit the csvn.conf file to change the RUN_AS_USER. Can also set the proxy here.

Change back to the subversion user and start the system

/export0/subversion_edge/csvn/bin/csvn start

After a minute or so should be able to access the console at http://servername:3343/csvn or https://servername:4434/csvn/

For troubleshooting this gives you the startup messages:

csvn console

Starting svn server on port 80 or 443

To allow the non-privileged user to bind to ports < 1024 there are some tweaks required. Either:

  1. Give root ownership of the httpd_bind utility to allow it to start the server from init.d, or
  2. Edit sudoers to allow the subversion user to start Apache

When you set a port < 1024 in the web interface for the svn server it will complain and show the commands required to make it work, for both options. I chose the httpd_bind route.

 chown root:subversion /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind
 chmod u+s /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind

https://ctf.open.collab.net/sf/go/artf5095?nav=1&selectedTab=comments
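
A check worth running after the chown/chmod pair above, as an added example that is not part of the original notes or of Subversion Edge. The policy it enforces (root-owned, setuid, service group, no group/other write, no execute for others) and the gid 500 used in testing are assumptions of this example.

```python
import os
import stat

def audit_mode(mode, uid, gid, service_gid):
    """Check the stat fields of a setuid-root helper; return a list of findings."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if uid != 0:
        findings.append("not owned by root, so setuid cannot grant ports < 1024")
    if not mode & stat.S_ISUID:
        # Linux clears the setuid bit on chown, which is why chmod u+s comes second.
        findings.append("setuid bit missing")
    if gid != service_gid:
        findings.append("group is not the service group")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if mode & stat.S_IXOTH:
        findings.append("executable by users outside the service group")
    return findings

def audit_path(path, service_gid):
    """Same check on a real file, e.g. .../csvn/lib/httpd_bind/httpd_bind."""
    st = os.lstat(path)   # lstat: a symlink in place of the binary is itself a finding
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, service_gid)
```

A binary left at mode 4755 after chmod u+s is flagged because every local account can then run the root-owned helper; chmod o-x closes that if only the subversion group needs it.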

Setting daemons to start

To start the console and the svn/httpd services on boot:

csvn/bin/csvn install
csvn/bin/csvn-httpd install

LDAP on Debian setup notes

LDAP server package is slapd. LDAP command-line stuff gets installed along with it.

First database is set up automatically – only requirement is admin password. Root DN is taken from host IP domain name – so get dc=physics,dc=gla,dc=ac,dc=uk if not careful. And with OpenLDAP there’s no easy way to delete databases.

Browsers

Web-based

phpLDAPadmin works reasonably well as a server-based browser. Needs Apache. This template gives you users with the RDN set to uid rather than cn, and email entry.

Note that for this to work you need an existing group and user with numbers set, otherwise the autonumber logic doesn’t work. Or the template could be modified to let you enter them directly.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>uid</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Custom: User Account with Email</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>ldap-uid.png</icon>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<icon>terminal.png</icon>
	<order>6</order>
	<page>1</page>
	<readonly>1</readonly>
	<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>7</order>
	<page>1</page>
	<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<order>9</order>
	<page>1</page>
	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
	<type>select</type>
	<value id="/bin/sh">/bin/sh</value>
	<value id="/bin/csh">/bin/csh</value>
	<value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<!-- <helper>
		<display>Encryption</display>
		<id>enc</id>
		<value>=php.PasswordEncryptionTypes()</value>
	</helper> -->
	<icon>lock.png</icon>
	<order>5</order>
	<page>1</page>
	<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
	<spacer>1</spacer>
	<verify>1</verify>
</attribute>
<attribute id="mail">
	<display>Email</display>
	<order>10</order>
	<page>1</page>
</attribute>
</attributes>
 
</template>

Windows

There are a few browsers that work with Windows. JXplorer is cross platform – couldn’t get it to work on Win7 x64 with Java 7. Trying out LDAP Admin which looks quite nice.

Firewall Setup

Using usual setup – following the guide at http://www.medorion.net/p/19.xhtml edit the /etc/network/interfaces file to include the command pre-up iptables-restore < /etc/iptables.conf just after the loopback stuff (why? dunno) so the file looks something like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

Contents of /etc/iptables.conf:

*filter
 
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
 
# This will allow all loopback (lo) traffic and reject all traffic to 127/8
# that does not use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
 
# Allow SSH, pings and HTTPS from Physics subnets only
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
 
# Allow HTTP(S) from anywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 
# Allow LDAP(S) queries from Physics only
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
 
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
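
To confirm what a ruleset like this actually lets through before loading it, the rules can be walked offline. This is an added example, not part of the original notes: a small first-match evaluator over an abridged copy of the rules above, with constructed client addresses and a constructed destination (192.0.2.10).

```python
import ipaddress
# Abridged copy of the ruleset above (two of the six subnets, SSH and LDAP only).
RULES = """
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -j REJECT
"""

def parse(text):
    """Return {chain: [(matches, target)]}; a negated option is keyed as '!-i'."""
    chains = {"INPUT": []}
    for tok in map(str.split, text.splitlines()):
        if tok[:1] == ["-N"]:
            chains[tok[1]] = []
        elif tok[:1] == ["-A"]:
            args = " ".join(tok[2:]).replace("! ", "!").split()
            pairs = dict(zip(args[::2], args[1::2]))
            chains[tok[1]].append((pairs, pairs.pop("-j")))
    return chains

def hit(opt, value, pkt):
    """Does one match option hold? pkt is keyed by the option that tests each field."""
    if opt.startswith("!"):
        return not hit(opt[1:], value, pkt)
    if opt in ("-s", "-d"):
        return ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(value)
    if opt == "--state":
        return pkt[opt] in value.split(",")
    return opt == "-m" or pkt.get(opt) == value   # -m only loads a match module

def verdict(chains, pkt, chain="INPUT"):
    """First terminal target wins; a user chain with no match returns None to its caller."""
    for matches, target in chains[chain]:
        if all(hit(o, v, pkt) for o, v in matches.items()):
            result = target if target not in chains else verdict(chains, pkt, target)
            if result:
                return result

def check(src, dport, state="NEW", iface="eth0"):
    pkt = {"-s": src, "-d": "192.0.2.10", "-i": iface, "-p": "tcp",   # constructed dst
           "--dport": str(dport), "--state": state}
    return verdict(parse(RULES), pkt)
```

Because PHYSICSONLY has no terminal rule of its own, a non-matching source falls back into INPUT and is only stopped by the final REJECT; removing that last rule would leave the chain policy to decide.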

 

Changes to GU visual identity Powerpoint templates

The latest versions of the Uni Powerpoint templates have slightly different RGB colours from the original guidelines. Looks like an improvement snuck in without telling anyone.

Colour       R     G     B
Old blue     0     53    95
New blue     0     33    60
Old SciEng   119   120   0
New SciEng   91    101   27

For the new SciEng template the logo remains the same. For the generic Uni template the logo has been altered so the shield is the same shade as the new blue. I’ve approximately replicated this in Powerpoint 10 by altering the logo image with Brightness: -12% and Contrast: 25%. It’s not a perfect match for the other colours (comparing them to the logo that comes with the template), so I suspect there’s probably been some gamma tweaking or similar going on.

My version of the College pptx template with the school logo: school_general.pptx. Has the Tower background as a title slide option. It has to be said, the green does look a little less yucky than before. Now if only they’d apply this to the website as well…

Replacing heatsink on Dell Precision T1500

This should be a five-minute job, and if Dell used the standard mountings it would be. Guess what…

The T1500 has the mounting holes in the standard places for a LGA 1156 socket, but has screw bosses in these holes, presumably held there by a backing plate behind the motherboard. The stock heatsink screws into these with captive screws – springs hold the bracket down. In theory if the bosses were removed a standard heatsink would clip in, but this would require the motherboard to be removed. Alternatively, the screws with the ~2mm stand-off bits (from the old-style green plastic CD drive mounting rails with the anti-vibration mounts) fit and work quite well. Note the stand-off in these is not quite right, so you probably don’t want to tighten them fully – just enough to hold the heatsink down firmly (It’s best to lay the system down so that the heatsink can rest on the processor to fine-tune the position).

Akasa AK-CCE-7101CP in Dell Precision T1500

(Why not just replace the fan? Because although it’s a standard size (80x80x25mm) it’s a high airflow model. RS and CPC don’t have anything similar with a 4-pin plug. And as a new heatsink and fan could be got for less than a tenner (before shipping charges) from Misco…)

Getting WebCal to work with DAViCal

Well, that was odd. Managed to get WebCal to work (after realising it doesn’t hook into the DAViCal database at all – it’s a completely separate admin account, user accounts etc). After creating user, couldn’t add calendars to them. Eventually tracked it down to utils/helper.php and the encode and decode functions which were retrieving $iv of the wrong lengths – saw 21 and 24 bytes. After putting code in to watch the variables created a new user – which worked perfectly. Disabled debugging code, deleted all users and recreated Glasgow10m user – works fine. Bizarre.

Installing Bedework

Install Java

Needs to be the Oracle JDK. Download the .bin file and make it executable. Create appropriate directory, change to it and run the .bin file.

update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.6.0_31/bin/java" 1

Creates link for java in /usr/bin/

update-alternatives --set java "/usr/local/bin/oracle-java-default/bin/java"

Not needed for a clean install – there are no other versions of java on the system.

Then in /etc/environment

JAVA_HOME="/usr/lib/jvm/jdk1.6.0_31"

Gave up at this point and decided to give DAViCal another go.

DokuWiki data migration

Migrating files in media directory under data works fine. Suspect copying over the pages directory into the new namespace would have worked ok as well, if namespace is flat and links are relative. For hierarchical structures there will be a lot of link editing to do, but that’s almost always the case anyway. And you need to browse all the pages to get them indexed anyway.