More Proxmox 2.1 setup notes – corosync

A way to change the interface the cluster uses: edit /etc/hosts so that the address returned when cman looks up the system hostname is the one on the interface you want.

e.g.

127.0.0.1 localhost.localdomain localhost
192.168.40.6 Hildasay.physics.gla.ac.uk Hildasay pvelocalhost

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

With this config cman will return 192.168.40.6 as the address totem should bind to for its multicast traffic. Make sure the hostname does not also resolve to a loopback address (the 127.0.1.1 hostname line a plain Debian install writes): if it does, totem binds to lo and the node never sees the rest of the cluster.

There may be certificate problems doing this, since the node's SSL certificate was generated during the original install. Probably best in future to install Proxmox with the initial interface on the SAN (or other appropriate private network).
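As an added check (not part of the original notes), the following script does the same hosts-file lookup cman relies on and refuses a loopback answer, which is the usual reason totem ends up bound to the wrong interface. It assumes nothing about Proxmox beyond the hosts file; the sample file and node names are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: resolve a hostname the way a
# hosts-file lookup does and reject answers corosync/cman cannot use.
# Usage: hosts_addr_for HOSTNAME [HOSTSFILE]    -> prints the IPv4 address
#        check_cluster_addr HOSTNAME [HOSTSFILE] -> exit 0 only if usable

hosts_addr_for() {
    name="$1"; file="${2:-/etc/hosts}"
    # First matching IPv4 line wins. Comments are stripped and every name
    # field (short name or FQDN) is compared case-insensitively.
    awk -v want="$(printf '%s' "$name" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF < 2 || $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; exit } }
    ' "$file"
}

check_cluster_addr() {
    addr=$(hosts_addr_for "$1" "${2:-/etc/hosts}")
    case "$addr" in
        "")    echo "$1: no IPv4 entry in hosts file" >&2; return 1 ;;
        127.*) echo "$1 -> $addr is loopback; totem would bind to lo" >&2; return 1 ;;
    esac
    echo "$1 -> $addr"
    return 0
}

# Constructed sample: a Debian-style hosts file including the 127.0.1.1 line
# the installer writes, which is exactly what breaks corosync binding.
sample_hosts=$(mktemp)
cat > "$sample_hosts" <<'EOF'
127.0.0.1 localhost.localdomain localhost
127.0.1.1 node1.example.org node1
192.168.40.6 node2.example.org node2 pvelocalhost
EOF
check_cluster_addr node1 "$sample_hosts" || echo "node1 needs its hosts entry fixed"
check_cluster_addr node2 "$sample_hosts"
rm -f "$sample_hosts"
```

On a real node run `check_cluster_addr "$(hostname)"` (no second argument) and compare the printed address with `ip addr` for the interface the cluster is supposed to use.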

Proxmox 2.1 setup notes

Proxy

In addition to the web interface setting (for the cluster), apt/aptitude needs to be configured as well. Add the following to a file in /etc/apt/apt.conf.d/ (e.g. 70debconf, though that file belongs to the debconf package, so a dedicated file such as 99proxy is safer against upgrades):

Acquire::http::Proxy "http://wwwcache.gla.ac.uk:8080";
Acquire::ftp::Proxy "http://wwwcache.gla.ac.uk:8080";

Time

NTP has to be set up on each node, as before. Edit /etc/ntp.conf to add:

server login.physics.gla.ac.uk iburst

and restart the service

/etc/init.d/ntp restart

Check with ntpq -p; the output will look something like:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*puck.physics.gl 130.159.196.117  3 u   41   64   17    0.244    0.154   0.115
 s02.be.it2go.eu .STEP.          16 u    -   64    0    0.000    0.000   0.000
 utl-ntp.evo.hlm .STEP.          16 u    -   64    0    0.000    0.000   0.000
 218-32-169-193. .STEP.          16 u    -   64    0    0.000    0.000   0.000
 wan1.dgeb.info  .STEP.          16 u    -   64    0    0.000    0.000   0.000

The * marks the peer ntpd has selected and is syncing to. The .STEP. entries with stratum 16 and reach 0 are the default pool servers that have never been reached; they are harmless as long as a reachable server is selected, but can be removed from ntp.conf.

Time needs to be reasonably accurate before attempting cluster join!
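An added example, not from the original notes: a small check that parses ntpq -p output and only reports the clock as usable when ntpd has selected a peer (*), that peer has been reached and its offset is below a threshold (100 ms here is an assumption, not a Proxmox-documented limit). The sample ntpq output is constructed in the same shape as the listing above; in real use pipe ntpq -p into check_before_join.

```shell
#!/bin/sh
# Added example, not from the original notes: decide from `ntpq -p` output
# whether the clock is actually synchronised before running `pvecm add`.
# A peer counts only if ntpd selected it ('*' in column 1), it has been
# reached at least once (reach != 0) and |offset| is within the limit.
# The limit (ms) is an assumption for this example.
OFFSET_LIMIT_MS="${OFFSET_LIMIT_MS:-100}"

ntp_synced() {
    # Reads ntpq -p output on stdin; prints the qualifying peer line.
    # Columns: remote refid st t when poll reach delay offset jitter
    awk -v limit="$OFFSET_LIMIT_MS" '
        /^\*/ {
            off = $9; if (off < 0) off = -off
            # reach is an octal shift register; any value other than 0 means
            # at least one of the last eight polls got an answer
            if ($7 != "0" && off <= limit) { found = 1; print; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

check_before_join() {
    # live use: ntpq -p | check_before_join
    if ntp_synced; then
        echo "clock synced, OK to run pvecm add"; return 0
    else
        echo "no selected peer with a small offset; fix NTP first" >&2; return 1
    fi
}

# Constructed sample output: one selected, reachable peer with a 0.154 ms
# offset, plus a pool server that has never answered (.STEP., stratum 16).
sample_ok='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*puck.physics.gl 130.159.196.117  3 u   41   64   17    0.244    0.154   0.115
 s02.be.it2go.eu .STEP.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample where nothing has been selected yet.
sample_bad=' s02.be.it2go.eu .STEP.          16 u    -   64    0    0.000    0.000   0.000
 utl-ntp.evo.hlm .STEP.          16 u    -   64    0    0.000    0.000   0.000'

printf '%s\n' "$sample_ok"  | check_before_join
printf '%s\n' "$sample_bad" | check_before_join || true
```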

Cluster

Instructions at http://pve.proxmox.com/wiki/Proxmox_VE_2.0_Cluster

Quick guide

Log in to a node. To create the cluster:

pvecm create YOUR-CLUSTER-NAME

Use a unique name. This name cannot be changed later!

To check the state of the cluster:

pvecm status

To add a node, log in to that node and run:

pvecm add IP-ADDRESS-CLUSTER

where the address is that of one of the existing cluster nodes. It will ask for the root password of that node (the join is done over SSH as root).

Remember to add the new node's address to the NFS exports etc.

CentOS setup for Subversion Edge

N.B. Gave up on this – taking too much time and effort for something that would require some command line admin anyway – such as the mailer configuration. Will go back to purely standard setup on Debian like existing servers.

Minimum setup

Network

To get the network going, edit ifcfg-eth0 in /etc/sysconfig/network-scripts/.

Need to use vi for this – the minimal install doesn't have any other editor.

DEVICE="eth0"
NM_CONTROLLED=no
ONBOOT=yes
HWADDR=6E:89:F7:F2:8B:47
TYPE=Ethernet
BOOTPROTO=none
IPADDR=130.209.45.49
NETMASK=255.255.255.0
GATEWAY=130.209.45.1
DNS1=130.209.4.16
DNS2=130.209.4.18
DNS3=130.209.16.6
DOMAIN=physics.gla.ac.uk
IPV6INIT=no
NAME="System eth0"
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

The UUID here was put in by the GUI network setup, as was some of the other stuff. The minimum required is IPADDR, BOOTPROTO=none (so the static address is used rather than DHCP), NETMASK, GATEWAY, DNS1 (2, 3, etc.) and ONBOOT=yes.

To edit the file with vi:

vi filename
i (enter insert mode)
ESC (back to command mode)
:x (exit, saving changes)
:q! (exit and discard any changes)

vi cheat sheet at http://www.lagmonster.org/docs/vi.html

Enable the network with service network start

Edit /etc/yum.conf to include the line

proxy=http://wwwcache.gla.ac.uk:8080/

then run yum update to update the system. Then use yum install packagename to install other things, like nano, ntp etc.

Install sudo; Subversion Edge seems to want it.

Firewall

Install system-config-firewall-tui using yum and run it.

Java

yum install java-1.6.0-openjdk

Set the environment variable by creating a file in /etc/profile.d/ (e.g. java.sh) containing:

export JAVA_HOME=/usr/lib/jvm/jre

(If the install worked properly /usr/lib/jvm/jre should be a symlink to /etc/alternatives/jre, which in turn should link to the actual JRE, e.g. /usr/lib/jvm-exports/jre-1.6.0-openjdk.x86_64.)

Python

Python should already be installed. Apparently python-ldap needs installing as well.

User

Create the service user (the subversion user used below) with:

useradd subversion
passwd subversion

Don't use useradd -p for this: it expects an already-hashed crypt(3) string, not a cleartext password, and anything on the command line ends up in the shell history and is visible to other users via ps.

Install

Create directory, e.g.

mkdir /export0/subversion_edge
chown subversion:subversion /export0/subversion_edge/

Put the downloaded file in the subversion user's home directory, switch to that user and extract it:

tar -zxvf CollabNetSubversionEdge-3.1.0_linux-x86_64.tar

change back to root (su -) and:

[root@unst ~]# /export0/subversion_edge/csvn/bin/csvn install
Detected RHEL or Fedora:
 Installing the CSVN Console daemon..
Setting RUN_AS_USER to: 'root'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted
Setting JAVA_HOME to: '/usr/lib/jvm/jre'. Please edit '../data/conf/csvn.conf' if this needs to be adjusted.

Edit csvn.conf to change RUN_AS_USER from root to the subversion user (the install defaulted it to root, as shown above, and the console shouldn't run with root privileges). The proxy can also be set here.

Change back to the subversion user and start the system

/export0/subversion_edge/csvn/bin/csvn start

After a minute or so you should be able to access the console at http://servername:3343/csvn or https://servername:4434/csvn/. Use the HTTPS port for logging in so the console password isn't sent in clear.

For troubleshooting this gives you the startup messages:

csvn console

Starting svn server on port 80 or 443

To allow the non-privileged user to bind to ports < 1024 some tweaks are required. Either:

  1. make the httpd_bind helper setuid root so that it can start the server from init.d, or
  2. edit sudoers to allow the subversion user to start apache.

When you set a port < 1024 in the web interface for the svn server it will complain and show the commands required to make it work, for both options. I chose the httpd_bind route.

 chown root:subversion /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind
 chmod u+s /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind

Be clear about what this does: httpd_bind now runs as root for any user who can execute it, so it must stay root-owned and must never be group- or world-writable. Dropping world execute (mode 4750) so that only the subversion group can invoke it is a sensible extra tightening.

https://ctf.open.collab.net/sf/go/artf5095?nav=1&selectedTab=comments
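An added example, not from the CollabNet instructions or the original notes: an audit of a setuid helper such as httpd_bind, checking the properties that make the setuid bit safe to leave in place. The demonstration file is created on the fly and owned by whoever runs the script, so the expected owner is passed explicitly; for the real binary the default (root) applies.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a setuid helper before
# relying on it. A setuid file runs as its owner for everyone allowed to
# execute it, so the check insists on:
#   - the expected owner (root unless told otherwise),
#   - the setuid bit actually set,
#   - no group or world write permission,
#   - (strict mode, default) no world execute, i.e. mode 4750 style.
# Permissions are read from `ls -ld` so no GNU-specific stat is needed.
# Usage: check_setuid_helper PATH [OWNER] [STRICT yes|no]

check_setuid_helper() {
    path="$1"; owner="${2:-root}"; strict="${3:-yes}"
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    set -- $(ls -ld "$path")
    perms="$1"; fowner="$3"          # e.g. -rwsr-x---  and the owner name
    rc=0
    [ "$fowner" = "$owner" ] || { echo "$path: owned by $fowner, expected $owner" >&2; rc=1; }
    # character 4 is the owner execute slot: s/S there means setuid
    case "$perms" in ???[sS]*) ;; *) echo "$path: setuid bit not set" >&2; rc=1 ;; esac
    # character 6 = group write, character 9 = other write
    case "$perms" in ?????w*) echo "$path: group-writable" >&2; rc=1 ;; esac
    case "$perms" in ????????w*) echo "$path: world-writable" >&2; rc=1 ;; esac
    if [ "$strict" = yes ]; then
        # character 10 = other execute; anyone could run it as the owner
        case "$perms" in ?????????[xst]*) echo "$path: world-executable; prefer mode 4750" >&2; rc=1 ;; esac
    fi
    return $rc
}

# Demonstration on a constructed file. It is owned by the current user, so
# that user is passed as the expected owner; for httpd_bind use the default.
tmp=$(mktemp)
chmod 4750 "$tmp"
check_setuid_helper "$tmp" "$(id -un)" && echo "$tmp: OK"
chmod 4755 "$tmp"
check_setuid_helper "$tmp" "$(id -un)" || echo "$tmp: loose permissions, would reject"
rm -f "$tmp"
```

For the real helper: `check_setuid_helper /export0/subversion_edge/csvn/lib/httpd_bind/httpd_bind` after the chown/chmod above, and again after any Subversion Edge upgrade, since an upgrade may replace the file.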

Setting daemons to start

To start the console and the svn/httpd services on boot:

csvn/bin/csvn install
csvn/bin/csvn-httpd install

LDAP on Debian setup notes

The LDAP server package is slapd. The LDAP command-line tools (ldapsearch etc.) get installed along with it.

The first database is set up automatically – the only thing asked for is the admin password. The base DN is derived from the host's DNS domain name, so you get dc=physics,dc=gla,dc=ac,dc=uk if not careful. With OpenLDAP there's no easy way to delete databases, although dpkg-reconfigure slapd lets you re-run the setup, choose the domain name (and so the base DN) explicitly and move the old database aside.

Browsers

Web-based

phpLDAPadmin works reasonably well as a server-based browser. Needs Apache. This template gives you users with the RDN set to uid rather than cn, and an email entry.

Note that for this to work you need an existing group and user with numbers set, otherwise the autonumber logic doesn't work. Or the template could be modified to let you enter them directly. Also note that the password encryption helper is commented out below, so the hash type comes from phpLDAPadmin's server configuration (password_hash in config.php); check that it is set to a real hash such as ssha rather than cleartext.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>uid</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Custom: User Account with Email</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>ldap-uid.png</icon>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<icon>terminal.png</icon>
	<order>6</order>
	<page>1</page>
	<readonly>1</readonly>
	<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>7</order>
	<page>1</page>
	<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<order>9</order>
	<page>1</page>
	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
	<type>select</type>
	<value id="/bin/sh">/bin/sh</value>
	<value id="/bin/csh">/bin/csh</value>
	<value id="/bin/tcsh">/bin/tcsh</value>
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<!-- <helper>
		<display>Encryption</display>
		<id>enc</id>
		<value>=php.PasswordEncryptionTypes()</value>
	</helper> -->
	<icon>lock.png</icon>
	<order>5</order>
	<page>1</page>
	<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
	<spacer>1</spacer>
	<verify>1</verify>
</attribute>
<attribute id="mail">
	<display>Email</display>
	<order>10</order>
	<page>1</page>
</attribute>
</attributes>
 
</template>

Windows

There are a few browsers that work with Windows. JXplorer is cross-platform – couldn't get it to work on Win7 x64 with Java 7. Trying out LDAP Admin, which looks quite nice.

Firewall Setup

Using the usual setup, following the guide at http://www.medorion.net/p/19.xhtml: edit /etc/network/interfaces to include the line pre-up iptables-restore < /etc/iptables.conf just after the loopback stanza. Attaching it to lo rather than eth0 is deliberate: lo is brought up first, so the rules are in place before the external interface gets its address and there is no unfiltered window at boot. Note that this only loads IPv4 rules; if IPv6 is enabled on the host, an equivalent ip6tables-restore line is needed or IPv6 traffic is left unfiltered. The file looks something like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

and /etc/iptables.conf, loaded by the pre-up line, looks like:

*filter
 
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
 
# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
 
# Allow SSH, pings and HTTPS from Physics subnets only
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
 
# Allow HTTP(S) from anywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 
# Allow LDAP(S) queries from Physics only
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
 
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
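An added example, not from the original notes or the medorion.net guide: a pre-load audit of an iptables-restore file in the format above. It prints every port the INPUT chain admits and which chain or target decides on it, and fails if any port is accepted with no source restriction or if INPUT doesn't finish with a catch-all REJECT/DROP. The sample ruleset is constructed, with HTTP deliberately opened to the world to show a finding.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an iptables-restore file
# such as /etc/iptables.conf before loading it. Lists each --dport the INPUT
# chain handles and its target, flags ports accepted from any source (-j
# ACCEPT with no -s), and flags an INPUT chain whose last rule is not a
# bare catch-all REJECT/DROP. Exit status 1 on any finding.
# Usage: audit_input_rules /etc/iptables.conf

audit_input_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "-A" && $2 == "INPUT" {
            last = $0
            port = ""; target = ""; src = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                if ($i == "-s")      src = $(i + 1)
            }
            if (port != "") {
                printf "port %s -> %s%s\n", port, target, (src != "" ? (" from " src) : "")
                if (target == "ACCEPT" && src == "") {
                    printf "FINDING: port %s accepted from any source\n", port
                    bad = 1
                }
            }
        }
        END {
            # the final INPUT rule must be exactly "-A INPUT -j REJECT|DROP"
            split(last, f, " ")
            if (!(f[3] == "-j" && (f[4] == "REJECT" || f[4] == "DROP"))) {
                print "FINDING: INPUT does not end with a catch-all REJECT/DROP"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample in the shape of the page ruleset, with one deliberate
# mistake: the HTTP rule uncommented and opened to the world.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
audit_input_rules "$sample" || echo "ruleset needs attention before iptables-restore"
rm -f "$sample"
```

The audit only reads the file; the authoritative syntax check is still `iptables-restore --test < /etc/iptables.conf` on the host, and the audit deliberately treats jumps to a chain like PHYSICSONLY as restricted without inspecting that chain, so keep the chain's contents in view too.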

 

Changes to GU visual identity Powerpoint templates

The latest versions of the Uni Powerpoint templates have slightly different RGB colours from the original guidelines. Looks like an improvement snuck in without telling anyone.

Colour       R    G    B
Old blue     0    53   95
New blue     0    33   60
Old SciEng   119  120  0
New SciEng   91   101  27

For the new SciEng template the logo remains the same. For the generic Uni template the logo has been altered so the shield is the same shade as the new blue. I’ve approximately replicated this in Powerpoint 10 by altering the logo image with Brightness: -12% and Contrast: 25%. It’s not a perfect match for the other colours (comparing them to the logo that comes with the template), so I suspect there’s probably been some gamma tweaking or similar going on.

My version of the College pptx template with the school logo school_general.pptx. Has the Tower background as a title slide option. It has to be said, the green does look a little less yucky than before. Now if only they’d apply this to the website as well…

Replacing heatsink on Dell Precision T1500

This should be a five-minute job, and if Dell used the standard mountings it would be. Guess what…

The T1500 has the mounting holes in the standard places for a LGA 1156 socket, but has screw bosses in these holes, presumably held there by a backing plate behind the motherboard. The stock heatsink screws into these with captive screws – springs hold the bracket down. In theory if the bosses were removed a standard heatsink would clip in, but this would require the motherboard to be removed. Alternatively, the screws with the ~2mm stand-off bits (from the old-style green plastic CD drive mounting rails with the anti-vibration mounts) fit and work quite well. Note the stand-off in these is not quite right, so you probably don’t want to tighten them fully – just enough to hold the heatsink down firmly (It’s best to lay the system down so that the heatsink can rest on the processor to fine-tune the position).

Akasa AK-CCE-7101CP in Dell Precision T1500

(Why not just replace the fan? Because although it’s a standard size (80x80x25mm) it’s a high airflow model. RS and CPC don’t have anything similar with a 4-pin plug. And as a new heatsink and fan could be got for less than a tenner (before shipping charges) from Misco…)

Getting WebCal to work with DAViCal

Well, that was odd. Managed to get WebCal to work (after realising it doesn’t hook into the DAViCal database at all – it’s a completely separate admin account, user accounts etc). After creating user, couldn’t add calendars to them. Eventually tracked it down to utils/helper.php and the encode and decode functions which were retrieving $iv of the wrong lengths – saw 21 and 24 bytes. After putting code in to watch the variables created a new user – which worked perfectly. Disabled debugging code, deleted all users and recreated Glasgow10m user – works fine. Bizarre.

Installing Bedework

Install Java

Needs to be the Oracle JDK. Download the .bin file and make it executable. Create an appropriate directory, change to it and run the .bin file.

update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.6.0_31/bin/java" 1

This creates the link for java in /usr/bin/.

update-alternatives --set java "/usr/lib/jvm/jdk1.6.0_31/bin/java"

Not needed for a clean install – there are no other versions of java on the system. (--set only accepts a path that was previously registered with --install, so it has to match the one above.)

Then in /etc/environment

JAVA_HOME="/usr/lib/jvm/jdk1.6.0_31"

Gave up at this point and decided to give DAViCal another go.