Notes on Ubuntu

This is a work in progress.

CD Images

Jigdo

Use this to create a fresh copy of the ISO (with updates and other changes). This assumes that you already have a CD image under ~/Shared/Software/Ubuntu.

  1. mount the previous image on /mnt
    sudo mount -o loop ubuntu-8.04-alternate-amd64.iso /mnt
  2. cd ~/Shared/Software/Ubuntu/jigdo
  3. when jigdo asks for a previous image, point it at /mnt

OEM Installation

Summary

Test the OEM (for manufacturers) install procedures.

Procedure

Alternate CD

  1. Boot using the “Text mode install for manufacturers” option.
  2. You will not be asked for a username, although you will be asked for a password.
  3. You should see instructions shortly before rebooting; in case you miss them, they say:
    1. When you boot into the new system, you will be able to log in as the ‘oem’ user with the password you selected earlier; this user also has administrative privileges using ‘sudo’. You will then be able to make any additional modifications you require to the system.
    2. Once the system is configured to your satisfaction, run sudo oem-config-prepare. This will cause the system to delete the temporary ‘oem’ user and ask the end user various configuration questions the next time it boots.
  4. After rebooting you should see a normal Ubuntu desktop.
  5. Install one or two additional applications and click the oem-config-prepare icon on the desktop.
  6. Reboot and confirm that the new user setup procedure appears.
  7. Confirm that the applications you installed are now available.

Desktop CD

  1. Boot the Live CD with the OEM option
  2. At the desktop, click Install; you will not be asked for a username, although you will be asked for a password.
  3. After rebooting you should see a normal Ubuntu desktop.
  4. Install one or two additional applications and click the oem-config-prepare icon on the desktop.
  5. Reboot and confirm that the new user setup procedure appears.
  6. Confirm that the applications you installed are now available.

Unattended Installation

DHCP

...
next-server 10.10.0.230;
option tftp-server-name "tuxy";

filename "pxelinux.0";
...

TFTP

sudo apt-get install tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="-s"

Optionally:

sudo mkdir /tftpboot
sudo mount --bind /srv/tftp /tftpboot

Preseed

https://help.ubuntu.com/10.04/installation-guide/hppa/preseed-creating.html

To check if the format of your preconfiguration file is valid before performing an install, you can use the command debconf-set-selections -c preseed.cfg.

RAID1 (mirror) with LVM partition

# Installs a new ubuntu desktop with the right partitions
# see notes:
# 2008-10-03 18:39 EDT - Luis Mondesi <lemsx1@gmail.com>

# Always install the server kernel.
d-i	base-installer/kernel/override-image	string linux-generic
# Only install basic language packs. Let tasksel ask about tasks.
d-i	pkgsel/language-pack-patterns	string
# No language support packages.
d-i	pkgsel/install-language-support	boolean false
# Only ask the UTC question if there are other operating systems installed.
d-i	clock-setup/utc-auto	boolean true

d-i debian-installer/locale string en_US
d-i console-setup/layoutcode string us
d-i netcfg/choose_interface select auto
# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
d-i mirror/country string enter information manually
d-i mirror/protocol string http
# apt-cacher-ng on port 9999
d-i mirror/http/hostname string apt:9999
d-i mirror/http/directory string /archive.ubuntu.com/ubuntu
d-i mirror/http/proxy string
# Suite to install.
#d-i mirror/suite string testing
# Suite to use for loading installer components (optional).
#d-i mirror/udeb/suite string testing
d-i mirror/suite string lucid

d-i unattended-upgrades/enable_auto_updates	boolean	false
d-i user-setup/encrypt-home	                boolean	false

### Partitioning
# 2009-10-20 14:30 EDT 
# LM: do not use "lvm" here as it breaks newer d-i
d-i partman-auto/method string raid

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
# This makes partman automatically partition without confirmation.

# Write the changes to disks?
d-i     partman/confirm boolean true
partman-base    partman/confirm boolean true

# Write the changes to the storage devices and configure RAID?
d-i     partman-md/confirm      boolean true
partman-md      partman-md/confirm      boolean true

# Remove existing software RAID partitions?
d-i     partman-md/device_remove_md     boolean true
partman-md      partman-md/device_remove_md     boolean true

# Write the changes to disks and configure LVM?
d-i     partman-lvm/confirm     boolean true
partman-lvm     partman-lvm/confirm     boolean true

d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition        select finish
d-i partman/confirm_nooverwrite     boolean true

# Write a new empty partition table?
d-i partman-partitioning/confirm_write_new_label boolean true
partman-partitioning    partman-partitioning/confirm_write_new_label    boolean true

d-i partman-auto/disk               string /dev/sda /dev/sdb

d-i partman-lvm/device_remove_lvm   boolean true
d-i partman-lvm/device_remove_lvm_span boolean true

d-i partman-auto-lvm/new_vg_name    string bootdisk

d-i partman-auto-lvm/guided_size    string max

# customized by Luis Mondesi (2010-06-01 15:58 EDT)
# Notes:
#  - partitions are created in the order they are defined
#  - higher priority takes precedence
#  - highest priority number chosen is 5,000
#  - very important!! do not leave spaces after \ or it won't work
#  RAID:
# /dev/md0 -> /boot         -> 100M - 256MB (high priority)
# /dev/md1 -> LVM VG bootdisk  -> 500M  - 1T (high priority)
# LVM:
# /dev/mapper/bootdisk-root   -> /     -> 5G - 1T (high priority)
# /dev/mapper/bootdisk-swap_1 -> swap  -> 3G - 3 times size of RAM (high priority)
#
# Last you need to specify how the previously defined partitions will be
# used in the RAID setup. Remember to use the correct partition numbers
# for logical partitions.
# Parameters are:
# <raidtype> <devcount> <sparecount> <fstype> <mountpoint> \
#          <devices> <sparedevices>
# RAID levels 0, 1, 5, 6 and 10 are supported; devices are separated using "#"
d-i partman-auto-raid/recipe string \
  1 2 0 ext4 /boot /dev/sda1#/dev/sdb1 . 1 2 0 lvm / /dev/sda2#/dev/sdb2  .

# RAID partitions are tagged as "lvmignore"
# and LVM logical volumes as "defaultignore" and "lvmok"
d-i partman-auto/expert_recipe string                      \
      multiraid ::                                         \
              100 512 256 raid                             \
                      $lvmignore{ }                        \
                      $primary{ }                          \
                      method{ raid }                       \
              .                                            \
              900 5000 1000000000 raid                     \
                      $lvmignore{ }                        \
                      $primary{ }                          \
                      method{ raid }                       \
              .                                            \
              700 5000 1000000000 ext4                     \
                      $defaultignore{ }                    \
                      $lvmok{ }                            \
                      method{ format }                     \
                      format{ }                            \
                      use_filesystem{ }                    \
                      filesystem{ ext4 }                   \
                      options/relatime{ relatime }         \
                      mountpoint{ / }                      \
              .                                            \
              256 3000 300% linux-swap                     \
                      $defaultignore{ }                    \
                      $lvmok{ }                            \
                      method{ swap }                       \
                      format{ }                            \
              .

### Clock and time zone setup
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true
# You may set this to any valid setting for $TZ; see the contents of
# /usr/share/zoneinfo/ for valid values.
d-i time/zone string America/New_York
### Apt setup
# You can choose to install non-free and contrib software.
d-i apt-setup/multiverse boolean true
d-i apt-setup/universe boolean true
# To create a normal user account.
d-i passwd/user-fullname string System Administrator
d-i passwd/username string admin
# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure
# or encrypted using an MD5 hash.
# $> echo secret |mkpasswd -m md5 -s
d-i passwd/user-password-crypted password $1$jJ2LMHxV$..QYZ1gInMXG/H1zzcOFS1
# This is fairly safe to set, it makes grub install automatically to the MBR
# if no other operating system is detected on the machine.
d-i grub-installer/only_debian boolean true
# This one makes grub-installer install to the MBR if it also finds some other
# OS, which is less safe as it might not be able to boot that other OS.
d-i grub-installer/with_other_os boolean true
# install grub on all our disks (this is RAID)
#d-i grub-installer/bootdev  string (hd0,0) (hd1,0)
d-i grub-installer/bootdev  string  /dev/md0

### Package selection
tasksel tasksel/first multiselect standard, lamp-server, ubuntu-desktop
# Individual additional packages to install
d-i pkgsel/include string openssh-server cfengine2 ubuntu-restricted-extras ssmtp libpam-ldap ldap-utils rsync m4 ruby nscd autofs-ldap nfs-kernel-server ntp snmpd nvidia-current dirvish lsb-core git-core nfs-common libpam-foreground debconf-utils rdoc ri traceroute sysstat dirvish openssl ca-certificates rubygems apache2 bison build-essential clusterssh eclipse flex gawk gnome-do gnome-do-plugins gstreamer0.10-ffmpeg gstreamer0.10-plugins-bad-multiverse gstreamer0.10-plugins-bad gstreamer0.10-plugins-ugly-multiverse  gstreamer0.10-plugins-ugly gstreamer0.10-pulseaudio ksh libapache2-mod-jk libasound2-plugins libpam-ck-connector manpages-dev mysql-admin mytop nvidia-settings padevchooser pavucontrol pidgin pulseaudio-esound-compat pulseaudio-module-gconf pulseaudio-module-x11 pulseaudio-utils recode ruby-gnome2 samba seahorse-plugins smbfs tshark vim-gnome virtualbox-ose xawtv xul-ext-firebug xul-ext-webdeveloper xul-ext-bindwood anacron


# How do you want to manage upgrades on this system?
# Choices: No automatic updates, Install security updates automatically, Manage system with Landscape
pkgsel pkgsel/update-policy    select  none

### Finishing up the first stage install
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
    select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
    select 1024x768 @ 60 Hz

### debconf
# LDAP configuration is managed by cfengine
ldap-auth-config        ldap-auth-config/bindpw                 password
ldap-auth-config        ldap-auth-config/rootbindpw             password
ldap-auth-config        ldap-auth-config/binddn                 string  cn=proxyuser,dc=example,dc=net
ldap-auth-config        ldap-auth-config/dbrootlogin            boolean true
ldap-auth-config        ldap-auth-config/pam_password           select  md5
ldap-auth-config        ldap-auth-config/move-to-debconf        boolean true
ldap-auth-config        ldap-auth-config/ldapns/ldap-server     string  ldap://ldap
ldap-auth-config        ldap-auth-config/ldapns/base-dn         string  dc=example,dc=com
ldap-auth-config        ldap-auth-config/ldapns/ldap_version    select  3
ldap-auth-config        ldap-auth-config/dblogin                boolean false
ldap-auth-config        ldap-auth-config/rootbinddn             string  cn=manager,dc=example,dc=net
ldap-auth-config        ldap-auth-config/override               boolean false

ssmtp                   ssmtp/overwriteconfig                   boolean true
ssmtp                   ssmtp/mailname                          string
ssmtp                   ssmtp/mailhub                           string  mail
ssmtp                   ssmtp/fromoverride                      boolean false
ssmtp                   ssmtp/hostname                          string
ssmtp                   ssmtp/root                              string  admin
ssmtp                   ssmtp/rewritedomain                     string
ssmtp                   ssmtp/port                              string  25

sun-java6-bin           shared/accepted-sun-dlj-v1-1            boolean true
sun-java6-jre           shared/accepted-sun-dlj-v1-1            boolean true

dictionaries-common	dictionaries-common/default-ispell	select	american (American English)
dictionaries-common	dictionaries-common/default-wordlist	select	american (American English)
dictionaries-common	dictionaries-common/ispell-autobuildhash-message	note

mdadm                   mdadm/boot_degraded                     boolean false

mysql-server-5.1	mysql-server/root_password	        password
mysql-server-5.1	mysql-server/root_password_again	password

grub-pc                 grub-pc/hidden_timeout  boolean true
grub-pc                 grub-pc/timeout string  10
grub-pc                 grub-pc/kopt_extracted  boolean false
grub-pc                 grub-pc/postrm_purge_boot_grub  boolean false
grub-pc                 grub2/linux_cmdline_default string  quiet splash

postfix	postfix/mailname	string  example.net
postfix	postfix/main_mailer_type	select	Internet with smarthost
postfix	postfix/relayhost	string	smtp.example.net

### Shell commands
## d-i preseeding is inherently not secure. Nothing in the installer checks
## for attempts at buffer overflows or other exploits of the values of a
## preconfiguration file like this one. Only use preconfiguration files from
## trusted locations! To drive that home, and because it's generally useful,
## here's a way to run any shell command you'd like inside the installer,
## automatically.
#
## This first command is run as early as possible, just after
## preseeding is read.
##d-i preseed/early_command string /cdrom/early_command
#
## This command is run just before the install finishes, but when there is
## still a usable /target directory. You can chroot to /target and use it
## directly, or use the apt-install and in-target commands to easily install
## packages and run commands in the target system.
## "in-target" means: chroot /target
##d-i preseed/late_command string [in-target] foo

#d-i preseed/late_command string in-target touch /.first-boot; in-target rsync -a cfengine::cfengine/inputs-production/ /etc/cfengine || true; in-target rsync -a cfengine::cfengine/scripts/update-cfengine /etc/rc.local || true;

Mobile devices:

# Installs a new ubuntu Lucid desktop for mobile devices with the right partitions
# see notes:
# 2009-04-23 12:52 EDT - Luis Mondesi <lemsx1@gmail.com>

# Always install the server kernel.
d-i	base-installer/kernel/override-image	string linux-generic
# Only install basic language packs. Let tasksel ask about tasks.
d-i	pkgsel/language-pack-patterns	string
# No language support packages.
d-i	pkgsel/install-language-support	boolean false
# Only ask the UTC question if there are other operating systems installed.
d-i	clock-setup/utc-auto	boolean true

d-i debian-installer/locale string en_US
d-i console-setup/layoutcode string us
d-i netcfg/choose_interface select auto
# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
d-i mirror/country string enter information manually
d-i mirror/protocol string http
d-i mirror/http/hostname string apt:9999
d-i mirror/http/directory string /archive.ubuntu.com/ubuntu
d-i mirror/http/proxy string
# Suite to install.
#d-i mirror/suite string testing
# Suite to use for loading installer components (optional).
#d-i mirror/udeb/suite string testing
d-i mirror/suite string lucid

d-i unattended-upgrades/enable_auto_updates	boolean	false
d-i user-setup/encrypt-home	                boolean	false

### Partitioning
# If the system has free space you can choose to only partition that space.
#d-i partman-auto/init_automatically_partition select biggest_free

# Alternatively, you can specify a disk to partition. The device name must
# be given in traditional non-devfs format.
# Note: A disk must be specified, unless the system has only one disk.
# For example, to use the first SCSI/SATA hard disk:
#d-i partman-auto/disk string /dev/sda
# In addition, you'll need to specify the method to use.
# The presently available methods are: "regular"

# 2009-10-20 14:30 EDT 
# LM: do not use "lvm" here as it breaks newer d-i
d-i partman-auto/method string regular
# This makes partman automatically partition without confirmation.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
d-i partman-auto/purge_lvm_from_device boolean true
# And the same goes for the confirmation to write the lvm partitions.
d-i partman-lvm/confirm boolean true
# this is the new version of the previous line:
d-i partman-lvm/device_remove_lvm boolean true
# You can choose from any of the predefined partitioning recipes.
# Note: this must be preseeded with a localized (translated) value.
#d-i partman-auto/choose_recipe \
#    select Separate /home, /usr, /var, and /tmp partitions

# customized by Luis Mondesi (2008-10-03 15:11 EDT)
# Notes:
#  - partitions are created in the order they are defined
#  - higher priority takes precedence
#  - highest priority number chosen is 10,000
#  - very important!! do not leave spaces after \ or it won't work
# /boot         -> 100M - 256MB (high priority)
# /             -> 5G   - 1T (or whatever is left) (high priority)
# /var/tmp      -> 500M - 1G
# /tmp          -> 500M - 1G
# swap          -> 1G   - 3 times size of RAM (high priority)

d-i partman-auto/expert_recipe string                         \
      boot-root ::                                            \
              100 10000 256 ext4                              \
                      $primary{ } $bootable{ }                \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ /boot }                     \
              .                                               \
              5000 9999 1000000 ext4                          \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ / }                         \
              .                                               \
              256 3000 300% linux-swap                        \
                      $lvmok{ }                               \
                      method{ swap } format{ }                \
              .                                               \
              500 1000 1024 ext4                              \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ /tmp }                      \
              .                                               \
              500 1000 1024 ext4                              \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }    \
                      mountpoint{ /var/tmp }                  \
              .

### Clock and time zone setup
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true
# You may set this to any valid setting for $TZ; see the contents of
# /usr/share/zoneinfo/ for valid values.
d-i time/zone string America/New_York
### Apt setup
# You can choose to install non-free and contrib software.
d-i apt-setup/multiverse boolean true
d-i apt-setup/universe boolean true
# To create a normal user account.
d-i passwd/user-fullname string System Administrator
d-i passwd/username string admin
# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure
# or encrypted using an MD5 hash.
# $> echo secret |mkpasswd -m md5 -s
d-i passwd/user-password-crypted password $1$jJ2LMHxV$..QYZ1gInMXG/H1zzcOFS1
# This is fairly safe to set, it makes grub install automatically to the MBR
# if no other operating system is detected on the machine.
d-i grub-installer/only_debian boolean true
# This one makes grub-installer install to the MBR if it also finds some other
# OS, which is less safe as it might not be able to boot that other OS.
d-i grub-installer/with_other_os boolean true
### Package selection
tasksel tasksel/first multiselect standard, ubuntu-desktop
# Individual additional packages to install
d-i pkgsel/include string ubuntu-netbook-remix openssh-server cfengine2 ssmtp ldap-utils mobile-broadband-provider-info foobillard frozen-bubble neverball stardict rsync m4 ruby nscd

# How do you want to manage upgrades on this system?
# Choices: No automatic updates, Install security updates automatically, Manage system with Landscape
pkgsel pkgsel/update-policy    select  none

### Finishing up the first stage install
# Avoid that last message about the install being complete.
d-i finish-install/reboot_in_progress note
xserver-xorg xserver-xorg/autodetect_monitor boolean true
xserver-xorg xserver-xorg/config/monitor/selection-method \
    select medium
xserver-xorg xserver-xorg/config/monitor/mode-list \
    select 1024x768 @ 60 Hz

### debconf
# LDAP configuration is managed by cfengine
ldap-auth-config        ldap-auth-config/bindpw                 password
ldap-auth-config        ldap-auth-config/rootbindpw             password
ldap-auth-config        ldap-auth-config/binddn                 string  cn=proxyuser,dc=example,dc=net
ldap-auth-config        ldap-auth-config/dbrootlogin            boolean true
ldap-auth-config        ldap-auth-config/pam_password           select  md5
ldap-auth-config        ldap-auth-config/move-to-debconf        boolean true
ldap-auth-config        ldap-auth-config/ldapns/ldap-server     string  ldap://ldap
ldap-auth-config        ldap-auth-config/ldapns/base-dn         string  dc=example,dc=net
ldap-auth-config        ldap-auth-config/ldapns/ldap_version    select  3
ldap-auth-config        ldap-auth-config/dblogin                boolean false
ldap-auth-config        ldap-auth-config/rootbinddn             string  cn=manager,dc=example,dc=net
ldap-auth-config        ldap-auth-config/override               boolean false

ssmtp                   ssmtp/overwriteconfig                   boolean true
ssmtp                   ssmtp/mailname                          string
ssmtp                   ssmtp/mailhub                           string  mail
ssmtp                   ssmtp/fromoverride                      boolean false
ssmtp                   ssmtp/hostname                          string
ssmtp                   ssmtp/root                              string  admin
ssmtp                   ssmtp/rewritedomain                     string
ssmtp                   ssmtp/port                              string  25

sun-java6-bin           shared/accepted-sun-dlj-v1-1            boolean true
sun-java6-jre           shared/accepted-sun-dlj-v1-1            boolean true

dictionaries-common	dictionaries-common/default-ispell	select	american (American English)
dictionaries-common	dictionaries-common/default-wordlist	select	american (American English)
dictionaries-common	dictionaries-common/ispell-autobuildhash-message	note

mdadm                   mdadm/boot_degraded                     boolean false

grub-pc                 grub-pc/hidden_timeout  boolean true
grub-pc                 grub-pc/timeout string  10
grub-pc                 grub-pc/kopt_extracted  boolean false
grub-pc                 grub-pc/postrm_purge_boot_grub  boolean false
grub-pc                 grub2/linux_cmdline_default string  quiet splash

### Shell commands
## d-i preseeding is inherently not secure. Nothing in the installer checks
## for attempts at buffer overflows or other exploits of the values of a
## preconfiguration file like this one. Only use preconfiguration files from
## trusted locations! To drive that home, and because it's generally useful,
## here's a way to run any shell command you'd like inside the installer,
## automatically.
#
## This first command is run as early as possible, just after
## preseeding is read.
##d-i preseed/early_command string /cdrom/early_command
#
## This command is run just before the install finishes, but when there is
## still a usable /target directory. You can chroot to /target and use it
## directly, or use the apt-install and in-target commands to easily install
## packages and run commands in the target system.
## "in-target" means: chroot /target
##d-i preseed/late_command string [in-target] foo
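
The Preseed section above notes that debconf-set-selections -c only checks the syntax of a preconfiguration file, and both preseed files end with the same comment block saying that nothing in the installer validates the values. The following linter is an added example (not the page's code and not part of d-i or debconf): it joins backslash continuations the way the page's recipe notes describe, reports the "space after the backslash" mistake, rejects malformed entries, and separately flags settings a reviewer should look at before trusting the file: clear-text passwords, MD5 ($1$) crypt hashes, early_command/late_command, the device_remove_* questions that wipe existing RAID/LVM metadata, and grub-installer/with_other_os. The sample preseed is constructed for the demo; the "risk" classification is the example's own, not d-i's.

```python
"""Lint a debian-installer preseed file: syntax slips plus settings worth a second look."""
from typing import Iterator, List, Tuple

DEBCONF_TYPES = {"string", "boolean", "select", "multiselect", "password",
                 "note", "text", "title", "error"}
# Questions that erase existing RAID/LVM metadata with no confirmation when preseeded true.
DESTRUCTIVE = {"partman-md/device_remove_md", "partman-lvm/device_remove_lvm",
               "partman-lvm/device_remove_lvm_span", "partman-auto/purge_lvm_from_device"}

# Constructed sample (not the page's file), built line by line so the deliberate
# "backslash then space" on physical line 10 survives copy and paste.
SAMPLE_LINES = [
    "# constructed sample preseed",
    "d-i debian-installer/locale string en_US",
    "d-i passwd/username string admin",
    "d-i passwd/user-password password insecure",
    "d-i passwd/user-password-again password insecure",
    "d-i passwd/user-password-crypted password $1$saltsalt$constructedmd5hashxxxxx",
    "d-i partman-md/device_remove_md boolean true",
    "d-i grub-installer/with_other_os boolean true",
    "d-i partman-auto/expert_recipe string \\",
    "      boot-root ::                      \\" + " ",  # the mistake the recipe notes warn about
    "              100 10000 256 ext4        \\",
    "              .",
    "d-i preseed/late_command string in-target touch /.first-boot",
    "tasksel tasksel/first multiselect standard, ubuntu-desktop",
    "d-i broken-line-without-type",
]
SAMPLE_PRESEED = "\n".join(SAMPLE_LINES) + "\n"

Finding = Tuple[int, str, str]  # (physical line, "syntax" | "risk", message)


def logical_lines(text: str) -> Iterator[Tuple[int, str, List[int]]]:
    """Join backslash-continued lines; also report lines whose backslash is not the last character."""
    buf: List[str] = []
    bad: List[int] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.rstrip()
        if not buf and stripped.lstrip().startswith("#"):
            yield lineno, raw, []  # comments are skipped whole, even when they end in "\"
            continue
        if not buf:
            start = lineno
        if stripped.endswith("\\"):
            if raw != stripped:
                bad.append(lineno)  # "\ ": d-i ends the logical line here; we join anyway to keep linting
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, "".join(buf), bad
        buf, bad = [], []
    if buf:  # file ended with a dangling backslash
        yield start, "".join(buf), bad


def lint_preseed(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line, bad in logical_lines(text):
        findings.extend((b, "syntax", "whitespace after trailing backslash; d-i will not join the next line") for b in bad)
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        fields = body.split(None, 3)  # owner question type [value]
        if len(fields) < 3:
            findings.append((lineno, "syntax", f"expected 'owner question type [value]', got {len(fields)} field(s)"))
            continue
        _owner, question, qtype = fields[:3]
        value = fields[3].strip() if len(fields) == 4 else ""
        if qtype not in DEBCONF_TYPES:
            findings.append((lineno, "syntax", f"unknown debconf type '{qtype}'"))
            continue
        if qtype == "boolean" and value not in ("true", "false"):
            findings.append((lineno, "syntax", f"{question}: boolean must be true or false, got '{value}'"))
        if qtype == "password" and value and not question.endswith("-crypted"):
            findings.append((lineno, "risk", f"{question}: clear-text password stored in the preseed"))
        if question.endswith("-crypted") and value.startswith("$1$"):
            findings.append((lineno, "risk", f"{question}: MD5 crypt hash; mkpasswd -m sha-512 gives a $6$ hash"))
        if question in ("preseed/early_command", "preseed/late_command"):
            findings.append((lineno, "risk", f"{question}: runs as root inside the installer: {value}"))
        if question in DESTRUCTIVE and value == "true":
            findings.append((lineno, "risk", f"{question}=true: existing RAID/LVM metadata is wiped without confirmation"))
        if question == "grub-installer/with_other_os" and value == "true":
            findings.append((lineno, "risk", "grub-installer/with_other_os=true: MBR is overwritten even if another OS is found"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_preseed(SAMPLE_PRESEED):
        print(f"line {lineno:3d} [{severity}] {message}")
```

Run it on a real file with lint_preseed(open("preseed.cfg").read()). The "risk" findings are not errors: the two preseed files above deliberately set device_remove_md and with_other_os to true, and a late_command is how cfengine gets bootstrapped; the point is that every one of those lines is reviewed before the file is served from the TFTP/HTTP host, since the installer itself will not question them.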

Manual Installation

Using Live CD for Gutsy (7.10)

Use these instructions to install a RAID1 (mirrored) system. This assumes that at least 2 disks of equal size are available.

  1. insert disc and choose Desktop install
  2. once on the desktop, open a terminal and set up the disks as you want
    1. fdisk -l # lists all disks
    2. cfdisk /dev/sda # partition each disk: /dev/sd{a,b}1 is /boot (256MB), /dev/sd{a,b}2 takes the rest of the disk
    3. apt-get install mdadm lvm2
    4. mdadm --create /dev/md0 --level=1 [--force] --raid-devices=2 /dev/sda1 /dev/sdb1 # /boot partition
    5. mdadm --create /dev/md1 --level=1 [--force] --raid-devices=2 /dev/sda2 /dev/sdb2 # LVM volumes
    6. pvcreate /dev/md1
    7. vgcreate vg00 /dev/md1
    8. lvcreate --name swap00 --size 8G vg00
    9. lvcreate --name vartmp00 --size 1G vg00
    10. lvcreate --name tmp00 --size 1G vg00
    11. lvcreate --name root00 --extents <Free PE from vgdisplay> vg00
  3. double click on Install on desktop and follow prompts
  4. choose manual partition, and mount devices accordingly
    /dev/md0 -> /boot
    /dev/vg00/root00 -> /
    /dev/vg00/swap00 -> swap
    /dev/vg00/vartmp00 -> /var/tmp
    /dev/vg00/tmp00 -> /tmp
    
  5. when done do not reboot
    1. mount /dev/vg00/root00 to /mnt
    2. mount /dev/vg00/var00 to /mnt/var
    3. mount /proc to /mnt/proc
  6. chroot to /mnt. apt-get install mdadm lvm2
  7. reboot
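
Step 11 above leaves the extent count for root00 to be read off vgdisplay by hand. The planner below is an added example (not from the page, not part of LVM): it parses the "PE Size" and "Free PE / Size" lines of vgdisplay output, converts the sizes from the procedure into whole extents, refuses a plan that over-commits the volume group, and gives the last volume whatever is left, which is the role root00 plays above. The vgdisplay excerpt is constructed for the demo (a 4 MiB extent size and 238467 free extents, roughly a 931 GiB mirror); the function and volume names are the example's own.

```python
"""Turn vgdisplay output into lvcreate --extents commands (added example, not from the page)."""
import math
import re
from typing import Dict, List, Tuple

# Constructed vgdisplay excerpt for a VG on /dev/md1; not captured from a real host.
SAMPLE_VGDISPLAY = """\
  --- Volume group ---
  VG Name               vg00
  Format                lvm2
  VG Size               931.51 GiB
  PE Size               4.00 MiB
  Total PE              238467
  Alloc PE / Size       0 / 0
  Free  PE / Size       238467 / 931.51 GiB
"""

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text: str) -> int:
    """'8G', '1024M' or '4.00 MiB' -> bytes, using binary units as lvcreate does."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGT])(?:i?B)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def parse_vgdisplay(text: str) -> Tuple[int, int]:
    """Return (extent size in bytes, free extents) from `vgdisplay <vg>` output."""
    pe_size = free_pe = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("PE Size"):
            pe_size = parse_size(s[len("PE Size"):])
        m = re.match(r"Free\s+PE\s*/\s*Size\s+(\d+)", s)
        if m:
            free_pe = int(m.group(1))
    if pe_size is None or free_pe is None:
        raise ValueError("vgdisplay output lacks 'PE Size' or 'Free PE / Size'")
    return pe_size, free_pe


def plan_volumes(vgdisplay_text: str, wanted: List[Tuple[str, str]], vg: str = "vg00") -> List[str]:
    """Map (lv name, size-or-'rest') pairs to lvcreate commands.

    Sizes are rounded up to whole extents; at most one volume may take 'rest',
    the free extents left after all sized volumes are carved out."""
    pe_size, free_pe = parse_vgdisplay(vgdisplay_text)
    extents: Dict[str, int] = {}
    rest_lv = None
    for name, size in wanted:
        if size == "rest":
            if rest_lv is not None:
                raise ValueError("only one volume may take the remainder")
            rest_lv = name
        else:
            extents[name] = math.ceil(parse_size(size) / pe_size)
    used = sum(extents.values())
    if used > free_pe:
        raise ValueError(f"requested {used} extents but only {free_pe} are free")
    if rest_lv is not None:
        extents[rest_lv] = free_pe - used
    return [f"lvcreate --name {name} --extents {n} {vg}" for name, n in extents.items()]


if __name__ == "__main__":
    plan = [("swap00", "8G"), ("vartmp00", "1G"), ("tmp00", "1G"), ("root00", "rest")]
    for cmd in plan_volumes(SAMPLE_VGDISPLAY, plan):
        print(cmd)
```

On a real system pipe `vgdisplay vg00` into plan_volumes and review the printed commands before running them; --extents is used for every volume rather than --size so the last one can take exactly the remainder without a rounding error leaving a stray free extent.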

Troubleshooting

  • insert disc and go into the Live Desktop
  • apt-get install mdadm lvm2, then assemble the arrays:
    mdadm --assemble --scan
  • make sure that dm-mod (device-mapper, /dev/mapper) is loaded in the kernel, as well as md-mod (software RAID)

Hardening

Network

  1. create /etc/hosts.deny with
    ALL: PARANOID
    ALL: ALL EXCEPT 127.0.0.1
    
  2. create /etc/hosts.allow with
    ALL: 127.0.0.1
    # if you want to allow your local services to your local (private) networks:
    #in.tftpd tftpd mountd rpc.mountd portmap nfsd statd apcupsd UTadmin nc ucc smbd sshd:  10. 192.168. 
    in.fingerd : ALL : DENY
    # but everything else is denied & reported with safe_finger
    ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail -s "Port Denial noted %d-%h" root) & : DENY
    
  3. close services that are not supposed to be running:
    1. run sudo netstat -nlp | egrep '(tcp|udp)' to see services listening for connections (use update-rc.d -f <basename> remove to turn off a service)
    2. make sure that inetd or xinetd are not installed: apt-get remove inetd xinetd; rm -f /etc/inetd.conf.
  4. install shorewall and configure it:
    1. apt-get install shorewall
    2. /etc/shorewall/interfaces
      net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
      
    3. /etc/shorewall/zones
      fw      firewall
      net     ipv4
      
    4. /etc/shorewall/policy
      $FW             net             ACCEPT
      net             $FW             DROP            info
      net             all             DROP            info
      # The FOLLOWING POLICY MUST BE LAST
      all             all             REJECT          info
      
    5. /etc/shorewall/rules
      Ping/REJECT     net             $FW
      ACCEPT          $FW             net             icmp
      # change this to accept your services
      #ACCEPT          net:10.0.0.0/24,192.168.0.0/16         $FW     tcp     nfs,ssh,sunrpc,netbios-ssn,microsoft-ds
      #ACCEPT          net:10.0.0.0/24,192.168.0.0/16         $FW     udp     bootps,ntp,tftp,mdns,sunrpc,netbios-dgm,netbios-ns,nfs
      # allow us to connect to outside systems on high port numbers
      ACCEPT          $FW             net             tcp       -   1024:65535
      

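The hosts.deny and hosts.allow files above only behave as intended if the tcpd evaluation order is kept in mind: the first matching rule in hosts.allow decides (granting access unless the rule carries a DENY option, as the last two rules above do), then the first match in hosts.deny denies, and a client matched by neither is let in. The evaluator below is an added example (not from the page, not part of tcp_wrappers) that reproduces that order for IPv4 clients so a rule set can be checked offline before it is deployed. The two sample files are constructed from the rules above, with the commented-out private-network line reduced to "sshd smbd: 10. 192.168."; spawn commands are reported in the reason string, never executed, and PARANOID is driven by a flag the caller sets from its own forward/reverse DNS comparison.

```python
"""Evaluate a tcp_wrappers (hosts.allow / hosts.deny) decision the way tcpd does."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed samples modelled on the two files above.
HOSTS_ALLOW = """\
ALL: 127.0.0.1
sshd smbd: 10. 192.168.
in.fingerd : ALL : DENY
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail -s "Port Denial noted %d-%h" root) & : DENY
"""
HOSTS_DENY = """\
ALL: PARANOID
ALL: ALL EXCEPT 127.0.0.1
"""


@dataclass
class Rule:
    daemons: str          # daemon_list, e.g. "sshd smbd"
    clients: str          # client_list, e.g. "10. 192.168."
    options: List[str]    # anything after the second colon (spawn ..., ALLOW, DENY)
    text: str


def parse_rules(text: str) -> List[Rule]:
    """Split 'daemon_list : client_list [: option ...]' lines (IPv4 only; colons inside spawn commands unsupported)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2:], line))
    return rules


def _list_matches(lst: str, token_matches: Callable[[str], bool]) -> bool:
    """'A B EXCEPT C' matches when some of A B match and none of C do (one EXCEPT level)."""
    parts = re.split(r"\s+EXCEPT\s+", lst, maxsplit=1, flags=re.IGNORECASE)
    included = parts[0].replace(",", " ").split()
    excluded = parts[1].replace(",", " ").split() if len(parts) > 1 else []
    return any(token_matches(t) for t in included) and not any(token_matches(t) for t in excluded)


def _client_token_matches(tok: str, ip: str, host: str, paranoid: bool) -> bool:
    """Match one client_list token against the connecting address and its reverse-DNS name."""
    up = tok.upper()
    if up == "ALL":
        return True
    if up == "PARANOID":       # name and address disagree; caller decides that from its own lookups
        return paranoid
    if up == "LOCAL":
        return bool(host) and "." not in host
    if up == "KNOWN":
        return bool(host)
    if up == "UNKNOWN":
        return not host
    if "/" in tok:             # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    if tok.endswith("."):      # address prefix, e.g. "10." or "192.168."
        return ip.startswith(tok)
    if tok.startswith("."):    # domain suffix, e.g. ".example.net"
        return bool(host) and host.lower().endswith(tok.lower())
    return tok == ip or (bool(host) and tok.lower() == host.lower())


def check_access(daemon: str, ip: str, host: str = "", paranoid: bool = False,
                 allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> Tuple[str, str]:
    """tcpd order: first match in hosts.allow decides (allow unless the rule has a DENY option),
    then first match in hosts.deny denies, otherwise access is granted."""
    def matches(rule: Rule) -> bool:
        return (_list_matches(rule.daemons, lambda t: t.upper() == "ALL" or t == daemon)
                and _list_matches(rule.clients, lambda t: _client_token_matches(t, ip, host, paranoid)))

    for rule in parse_rules(allow_text):
        if matches(rule):
            verdict = "deny" if any(o.upper() == "DENY" for o in rule.options) else "allow"
            return verdict, f"hosts.allow: {rule.text}"
    for rule in parse_rules(deny_text):
        if matches(rule):
            return "deny", f"hosts.deny: {rule.text}"
    return "allow", "no rule matched"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "127.0.0.1"), ("sshd", "10.10.0.5"),
                       ("in.fingerd", "10.10.0.5"), ("sshd", "203.0.113.7")]:
        print(daemon, ip, *check_access(daemon, ip))
```

Because the final "ALL : ALL : ... : DENY" rule in hosts.allow matches everything, hosts.deny is never reached for a daemon that honours tcp_wrappers; the evaluator makes that visible in the returned reason, and running it with allow_text="" shows what the hosts.deny file alone would do.
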
Encrypted Home

This assumes that the users in group staff will have encrypted HOMEs and that their home path is /Users in /etc/passwd (or in LDAP, or whatever other PAM authentication mechanism you use).

  1. apt-get install libpam-mount openssl
  2. change the /etc/pam.d/* files:
    1. add @include common-pammount after @include common-session to /etc/pam.d/{gdm,gdm-autologin,login,ssh} and any other login-related service
  3. create a password-protected encryption key for your own USER:
        sudo mkdir /etc/ehd
        sudo chmod 2770 /etc/ehd
        sudo chown root:staff /etc/ehd
        dd if=/dev/urandom bs=1c count=32 | openssl enc -aes-256-ecb > /etc/ehd/$USER.key
        # type the same password the USER uses to log in. If you need to change this password later, do:
        # * cp /etc/ehd/$USER.key /etc/ehd/$USER.key.old
        # * chmod 0600 /etc/ehd/$USER.key
        # * passwdehd
        chmod 0400 /etc/ehd/$USER.key
        # Do the same for each user who should have an encrypted HOME
  4. create the encrypted image:
        # 5120 blocks (1024 * 5) of block-size 1M = 5 GB image
        dd if=/dev/urandom of=/Users/$USER.img bs=1M count=5120
        openssl enc -d -aes-256-ecb -in /etc/ehd/$USER.key | losetup -e aes -k 256 -p0 /dev/loop0 /Users/$USER.img
        chown $USER /Users/$USER.img
        chmod 0600 /Users/$USER.img
        mkfs -t xfs /dev/loop0
        losetup -d /dev/loop0
  5. edit /etc/fstab and add:
        # encrypted hard drive
        /Users/&.img     /Users/&  xfs  defaults,exec,user,rw,loop,encryption=aes,keybits=256,noauto 0   0
  6. edit /etc/security/pam_mount.conf and add:
    volume  @staff auto -   /Users/&.img -   loop,user,exec,encryption=aes,keybits=256   aes-256-ecb /etc/ehd/&.key
  7. (optional) edit /etc/login.defs and make sure that CLOSE_SESSION is set to "yes" (does not apply to Feisty and newer versions)

Notes:
  • if the user ever changes his/her password, use passwdehd to change the password for the /etc/ehd/$USER.key file
  • Make sure you read the /usr/share/doc/libpam-mount/README.Debian.gz file
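The whole scheme stands or falls on the permissions of /etc/ehd: the directory is group-writable for staff so users can drop their own key, but each key must stay owner-only, otherwise another staff member can copy it and brute-force the login password offline. The function below is an added example (not from these notes) that audits that layout; it assumes GNU coreutils (`stat -c %a`, which prints the mode in octal with the setgid bit included) and accepts 0600 only because the passwdehd step above temporarily needs it.

```shell
#!/bin/sh
# Added example (not from the notes above): audit the /etc/ehd key store.
# Assumes GNU coreutils `stat -c %a` (octal mode, special bits included,
# e.g. "2770" for a setgid directory).
#
# Expected layout, as the notes prescribe:
#   /etc/ehd            mode 2770, root:staff
#   /etc/ehd/USER.key   mode 0400 (0600 only while passwdehd is being run)
#
# check_ehd_perms [DIR]  -> prints one line per problem, returns 0 when clean,
#                           1 when something is too open, 2 when DIR is missing
check_ehd_perms() {
    dir=${1:-/etc/ehd}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 2
    fi
    dmode=$(stat -c %a "$dir")
    if [ "$dmode" != "2770" ]; then
        echo "$dir: mode $dmode, expected 2770 (setgid, no access for others)"
        rc=1
    fi
    # key files plus any .key.old backups left behind by a password change
    for key in "$dir"/*.key "$dir"/*.key.old; do
        [ -e "$key" ] || continue        # unexpanded glob: no such file
        kmode=$(stat -c %a "$key")
        case "$kmode" in
            400|600) ;;                  # owner-only: fine
            *) echo "$key: mode $kmode, expected 0400"; rc=1 ;;
        esac
    done
    return $rc
}

# usage on a real system (as root):
#   check_ehd_perms /etc/ehd && echo "key store permissions OK"
```

Run it after adding each user's key and again after any passwdehd run; a leftover 0644 copy of a .key.old is the typical finding.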

Enabling SELinux

  1. edit /boot/grub/menu.lst and append selinux=1 and enforcing=0 (for now):
        # defoptions=... selinux=1 enforcing=0
  2. install the following packages
    1. get the required tools
      apt-get -y install libselinux1 libselinux1-dev setools selinux-basics \
        selinux-utils selinux-policy-refpolicy-targeted build-essential \
        linux-headers-$(uname -r) m4
    2. get the policy sources so you can build your own policy.21 file
      cd /usr/src ; apt-get -y install selinux-policy-refpolicy-src
      tar -zxvf selinux-policy-refpolicy-src.tar.gz ; cd selinux-policy-refpolicy-src
  3. Edit these values in the build.conf file:
    OUTPUT_POLICY = 21
    MONOLITHIC = y
  4. make and copy the resulting policy file:
    make clean
    make
    sudo cp policy.21 /etc/selinux/refpolicy-targeted/policy/
    
  5. create a file called /etc/initramfs-tools/scripts/init-bottom/zselinux
     
    #! /bin/sh
    # load selinux policy
    
    PREREQ=""
    
    prereqs () {
        echo "$PREREQ"
    }
    
    case $1 in
        prereqs)
            prereqs
            exit 0
        ;;
    esac
    
    . /scripts/functions
    
    . /root/etc/selinux/config
    
    # Check config variables here?
    
    log_begin_msg "Mounting selinuxfs"
    mount -t selinuxfs none /root/selinux
    log_end_msg
    
    log_begin_msg "Loading selinux policy"
    # load_policy should be moved to /sbin
    chroot /root /usr/sbin/load_policy
    log_end_msg
    
    exit 0
  6. make sure that /etc/selinux/config has the following:
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    # refpolicy-targeted - Only targeted network daemons are protected.
    # refpolicy-strict   - Full SELinux protection.
    # refpolicy-src      - Custom policy built from source
    SELINUXTYPE=refpolicy-targeted
    
    # SETLOCALDEFS= Check local definition changes
    SETLOCALDEFS=0
  7. reboot your computer
  8. fix labels
    /sbin/fixfiles -f -F relabel
    
  9. reboot once more and make sure labels are correct:
    ls -Z /dev
    ls -Z /
    

At this point it might be wise to watch /var/log/syslog for a while and take note of the things that would be denied should you switch SELinux to enforcing mode.

Note: I’m building policies to support a fully functional desktop with SELinux enabled. I’ll post them later... Yes, I’ll use Fedora’s policies as inspiration, of course.

Testing SELinux

Ok, at this point SELinux is running and everything is working. Our refpolicy-targeted is being used, which means that all processes are running under the unconfined_t domain unless they are explicitly protected by a policy (targeted).

To show the domains for running processes do:

ps -eaf -Z | grep unconfined | grep -v $USER | more

Extra modules

Modules are in the source directory /usr/share/selinux/refpolicy-targeted/. If you need to enable any of them by hand, then do it with:

semodule -i /usr/share/selinux/refpolicy-targeted/ssh.pp -s refpolicy-targeted -n
semodule -i /usr/share/selinux/refpolicy-targeted/automount.pp -s refpolicy-targeted -n

Some modules have dependencies. To see what they depend on, use this:

semodule_deps -g /usr/share/selinux/refpolicy-targeted/base.pp /usr/share/selinux/refpolicy-targeted/postfix.pp 
digraph mod_deps {
      overlap=false
}

Local modules

To add new policies:

  1. Get the denied entries since last reboot:
          cp /etc/selinux/local.te /etc/selinux/local.te-`date -I`
          # Fedora uses: /var/log/audit/audit.log
          audit2allow -m local -l -i /var/log/syslog > /etc/selinux/local.te
          # you might use /var/log/messages as well
  2. edit /etc/selinux/local.te
  3. cd /etc/selinux && checkmodule -M -m -o local.mod local.te # to compile the te file. Note that checkmodule is part of the checkpolicy package, so you need to have it installed.
  4. semodule_package -o local.pp -m local.mod # to create a policy package.
  5. semodule -i local.pp # to add it to the current machine’s running policy. This installs a new module called local with these rules into the module store.
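Before handing the whole syslog to audit2allow it pays to see which denials actually repeat, since a single runaway process can produce thousands of identical lines and a one-off denial may be something you want to keep denied rather than allow. This is an added example, not part of these notes: a shell function that groups kernel "avc: denied" lines by source context, target context, object class and permission set. The syslog excerpt is constructed for the demonstration, not real log data.

```shell
#!/bin/sh
# Added example (not from the notes above): summarise AVC denials from syslog
# before feeding them to audit2allow. Assumes the classic kernel
# "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..." format.

# summarize_avc  -> reads syslog lines on stdin, prints
#                   "count<TAB>scontext<TAB>tcontext<TAB>tclass<TAB>{ perms }"
#                   most frequent first
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; sc = ""; tc = ""; cl = ""
        # the permission set is the first "{ ... }" group on the line
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        n[sc "\t" tc "\t" cl "\t" perms]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -rn
}

# Constructed sample syslog excerpt (not real log data): two identical ntpd
# denials, one cupsd denial and one unrelated kernel line.
sample_syslog() {
    cat <<'EOF'
Aug  5 09:12:01 zod kernel: [ 4711.220000] audit(1281013921.220:12): avc:  denied  { write } for  pid=2231 comm="ntpd" name="ntp.drift" dev=dm-0 ino=131210 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Aug  5 09:12:01 zod kernel: [ 4711.310000] eth0: link up, 1000Mbps, full-duplex
Aug  5 09:12:03 zod kernel: [ 4713.000000] audit(1281013923.000:13): avc:  denied  { write } for  pid=2231 comm="ntpd" name="ntp.drift" dev=dm-0 ino=131210 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
Aug  5 09:15:44 zod kernel: [ 4934.500000] audit(1281014144.500:14): avc:  denied  { read } for  pid=2590 comm="cupsd" name="spool" dev=dm-0 ino=98304 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
EOF
}

# usage on a live system:   summarize_avc < /var/log/syslog
# with the constructed data: sample_syslog | summarize_avc
```

Each output line corresponds to one allow rule audit2allow would generate; review the counts and the tclass before running step 1 above, and keep anything that looks like a real policy violation out of local.te.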

Power saving

sudo apt-get install powertop cpufrequtils
sudo powertop

Then follow the tips from powertop...

Mail Server

http://howtoforge.com/postfix_antispam_mailscanner_clamav_ubuntu

apt-get install libc6-dev dpkg-dev db4.3-util libdb4.3-dev vim lynx bzip2 unzip perl-doc libwww-perl ntp-simple

apt-get install zlib1g-dev zip libdbi-perl libconvert-binhex-perl gcc make autoconf automake libtool libmail-spf-query-perl rblcheck libnet-ident-perl

apt-get install flex bison libcompress-zlib-perl pax libberkeleydb-perl ncftp unzoo arj lzop nomarch arc zoo

apt-get install postfix postfix-pcre postfix-mysql postfix-ldap cabextract lha unrar razor pyzor spamassassin

Grub2 (grub-pc)

root@ubuntu:/# cat /boot/grub/grub.cfg 
#
# DO NOT EDIT THIS FILE
#
# It is automaticaly generated by /usr/sbin/update-grub using templates from /etc/grub.d
# and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
set default=0
set timeout=5
set root=(zod-root)

font (zod-root)/usr/share/grub/unifont.pff
set gfxmode=640x480
insmod gfxterm
insmod vbe
terminal gfxterm
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_hurd ###
### END /etc/grub.d/10_hurd ###

### BEGIN /etc/grub.d/10_linux ###
menuentry "Debian GNU/Linux, linux 2.6.22-14-generic" {
        linux   (hd0,1)/vmlinuz-2.6.22-14-generic root=/dev/mapper/zod-root ro 
        initrd  (hd0,1)/initrd.img-2.6.22-14-generic
}
menuentry "Debian GNU/Linux, linux 2.6.22-14-generic (single-user mode)" {
        linux   (hd0,1)/vmlinuz-2.6.22-14-generic root=/dev/mapper/zod-root ro single 
        initrd  (hd0,1)/initrd.img-2.6.22-14-generic
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_memtest86+ ###
menuentry "Memory test (memtest86+)" {
        linux   (hd0,1)/memtest86+.bin
}
### END /etc/grub.d/20_memtest86+ ###

VirtualBox

https://help.ubuntu.com/community/VirtualBox#Open%20Source%20Edition%20on%20Ubuntu%208.04%20(Hardy)

https://help.ubuntu.com/community/VirtualBox#8.04%20Hardy

  1. sudo apt-get install virtualbox-ose virtualbox-ose-modules-generic
  2. sudo apt-get install bridge-utils uml-utilities
  3. Setup your network bridge
    $ sudo gedit /etc/network/interfaces
    auto eth0
    iface eth0 inet manual
    
    auto br0
    iface br0 inet dhcp
       bridge_ports eth0
    
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
  4. Restart your network
    sudo /etc/init.d/networking restart
    
  5. Assign names to the bridges for VirtualBox users
    sudo gedit /etc/vbox/interfaces
    # Each line should be of the format :
    # <interface name> <user name> [<bridge>]
    vbox0 <your user name> br0
    vbox1 <your user name> br0
    
  6. Restart VirtualBox to load your network settings
    sudo /etc/init.d/virtualbox-ose restart
    

Sharing Files

Windows file share (Samba)

https://help.ubuntu.com/community/Samba/Kerberos

  • sudo apt-get install samba libpam-krb5 krb5-user
  • edit /etc/krb5.conf
    [logging]
        default = FILE10000:/var/log/krb5lib.log
    [libdefaults]
        ticket_lifetime = 24000
        default_realm = MYDOMAIN.INTERNAL
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
        MYDOMAIN.INTERNAL = {
            kdc = dc.mydomain.internal
            admin_server = dc.mydomain.internal
            default_domain = MYDOMAIN.INTERNAL
        }
    [domain_realm]
        .mydomain.internal = MYDOMAIN.INTERNAL
        mydomain.internal = MYDOMAIN.INTERNAL
    
  • edit /etc/samba/smb.conf
    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.INTERNAL
        security = ADS
        server string = %h server

        password server = dc.mydomain.internal
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        domain master = No
        wins proxy = Yes
        wins server = 10.0.0.2

        invalid users = root
        guest account = nobody
        idmap uid = 4000-10000000
        idmap gid = 4000-10000000
        template shell = /bin/bash
        encrypt passwords = true
        passdb backend = tdbsam
        obey pam restrictions = yes
        dns proxy = no

        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        panic action = /usr/share/samba/panic-action %d

        winbind use default domain = Yes

  • edit /etc/hosts
    10.0.0.2	dc.mydomain.internal dc dc1
  • edit /etc/nsswitch.conf
    hosts:          files mdns4_minimal [NOTFOUND=return] dns wins mdns4
  • make sure that /etc/resolv.conf lists mydomain.internal correctly
    domain mydomain.internal
    search mydomain.internal in.mydomain.internal
    nameserver 10.0.0.2
    
  • restart Samba
    sudo /etc/init.d/samba restart
  • join the Windows domain (you need the credentials of an administrator of the Windows Active Directory domain)
    sudo net -Uadministrator ads join

  • restart Samba
  • use kinit administrator@MYDOMAIN.INTERNAL and klist to test your Kerberos 5 settings

To share new directories you can just right click on them and choose Sharing Options

General Procedures

Anti-virus from Live CD

  1. boot from Ubuntu Live CD
  2. sudo apt-get install clamav nautilus-clamscan
  3. sudo mount /dev/sda1 /mnt # mount your Windows disk
  4. sudo clamscan -r --infected --move=/mnt/temp --exclude-dir=^/mnt/temp /mnt # scan the mounted disk, quarantining hits in /mnt/temp

Kernel Modesetting

With intel video hardware:

  1. edit /etc/initramfs-tools/modules
  2. add the following modules
    intel_agp
    drm
    i915 modeset=1
    fb
    fbcon
  3. update-initramfs -u -k all
  4. add a kernel parameter like i915.modeset=1

Package Selection

Copy the package selections from another Ubuntu system and then load them on the new system using:

# another system
dpkg --get-selections \* > /tmp/selections.txt
# send /tmp/selections.txt to new-system
dpkg --set-selections < /tmp/selections.txt
apt-get -y dselect-upgrade

Network Interface Bonding

1. apt-get install ifenslave-2.6

2. edit /etc/network/interfaces

iface bond0 inet static
address 192.168.1.x
netmask 255.255.255.0
network 192.168.1.0
up /sbin/ifenslave bond0 eth0
up /sbin/ifenslave bond0 eth1

3. add the following lines to your /etc/modprobe.d/arch/x86_64

alias bond0 bonding
options bonding mode=1 miimon=100 downdelay=200 updelay=200

Multipath HBA

Setting up LVM volumes over multipath using QLogic cards (qla2xxx driver)

Be sure to load your kernel module with:

$> cat /etc/modules | grep qla2xxx

qla2xxx qlport_down_retry=1 ql2xextended_error_logging=1

$> sudo modprobe qla2xxx qlport_down_retry=1 ql2xextended_error_logging=1

1. Install tools

$> sudo apt-get install multipath-tools qla-tools

The multipathd daemon starts automatically with default settings.

2. rescan your HBA for new LUNs and show multipath information

$> sudo ql-dynamic-tgt-lun-disc -s 
$> sudo multipath -v3
...
===== paths list =====
uuid              hcil      dev dev_t pri dm_st  chk_st  vend/prod/rev        
350002ac0720907e3 3:0:0:407 sdb 8:16  1   [undef][undef] 3PARdata,VV          
350002ac0720a07e3 3:0:0:408 sdc 8:32  1   [undef][undef] 3PARdata,VV          
350002ac0720907e3 3:0:1:407 sdd 8:48  1   [undef][undef] 3PARdata,VV          
350002ac0720a07e3 3:0:1:408 sde 8:64  1   [undef][undef] 3PARdata,VV          
350002ac0720907e3 4:0:0:407 sdf 8:80  1   [undef][undef] 3PARdata,VV          
350002ac0720a07e3 4:0:0:408 sdg 8:96  1   [undef][undef] 3PARdata,VV          
350002ac0720907e3 4:0:1:407 sdh 8:112 1   [undef][undef] 3PARdata,VV          
350002ac0720a07e3 4:0:1:408 sdi 8:128 1   [undef][undef] 3PARdata,VV 
...

3. create /etc/multipath.conf with:

defaults {
	polling_interval 5
	path_grouping_policy	multibus
	getuid_callout	"/lib/udev/scsi_id -g -u -s /block/%n"
	failback	immediate
        no_path_retry  1000
}
	
blacklist {
        devnode "^sda"
}
multipaths {
	multipath {
                wwid            350002ac0720907e3
		alias		    3pardataux05vol1
	}

        multipath {
                wwid            350002ac0720a07e3
		alias		    3pardataux05vol2
	}
}
devices {
	device {
		vendor			"3PARdata"
		product			"VV"
		path_grouping_policy	multibus
		path_selector		"round-robin 0"
	}
}

sda is my local SATA disk.

4. list configuration

$> sudo multipath -l
...
3pardataux05vol2 (350002ac0720a07e3) dm-5 3PARdata,VV            
[size=50G][features=1 queue_if_no_path][hwhandler=0]
\_ round-robin 0 [prio=0][active]
 \_ 3:0:0:408 sdc 8:32  [active][undef]
 \_ 3:0:1:408 sde 8:64  [active][undef]
 \_ 4:0:0:408 sdg 8:96  [active][undef]
 \_ 4:0:1:408 sdi 8:128 [active][undef]
3pardataux05vol1 (350002ac0720907e3) dm-4 3PARdata,VV            
[size=50G][features=1 queue_if_no_path][hwhandler=0]
\_ round-robin 0 [prio=0][active]
 \_ 3:0:0:407 sdb 8:16  [active][undef]
 \_ 3:0:1:407 sdd 8:48  [active][undef]
 \_ 4:0:0:407 sdf 8:80  [active][undef]
 \_ 4:0:1:407 sdh 8:112 [active][undef]

5. tell lvm to ignore all other disks and only scan for our explicit, multipath’d, volumes (the filter lives in /etc/lvm/lvm.conf):

# By default we accept every block device:
#filter = [ "a/.*/" ]
filter = [ "a|^/dev/sda.$|", "a|^/dev/mapper/3pardataux05vol1$|", "a|^/dev/mapper/3pardataux05vol2$|", "r/.*/" ]

Only 1 filter line is allowed. Do not add multiple filter = []

6. run sudo lvscan

7. create your volumes

sudo pvcreate /dev/mapper/3pardataux05vol1
sudo pvcreate /dev/mapper/3pardataux05vol2

sudo vgcreate xendata /dev/mapper/3pardataux05vol1 /dev/mapper/3pardataux05vol2

sudo lvcreate --name api01 --size 20G xendata
sudo lvcreate --name blog01 --size 20G xendata

sudo mkfs -t xfs /dev/xendata/api01
sudo mkfs -t xfs /dev/xendata/blog01

8. to test your configuration, populate your new volumes with data and pull the plug on one of your paths
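The pull-the-plug test in step 8 is only meaningful if you know how many paths each LUN had to begin with, and the raw paths list from step 2 hides that when two HBAs each see two target ports. As an added example (not part of these notes), the function below reads a `multipath -v3` paths list and counts paths per WWID, flagging any LUN below the expected count; it assumes the column layout shown in step 2 (wwid, h:c:i:l, dev, dev_t, ...), and the sample input is a constructed copy of that listing.

```shell
#!/bin/sh
# Added example (not from the notes above): check that every LUN in a
# `multipath -v3` paths list is reachable over the expected number of paths.
# Assumes the column layout shown in step 2: wwid, h:c:i:l, dev, dev_t, pri, ...

# count_paths_per_wwid [EXPECTED]  -> reads the paths list on stdin, prints
#   "wwid npaths dev... ok|DEGRADED" per LUN; returns 1 if any LUN has fewer
#   than EXPECTED paths (default 4: two HBAs x two target ports), 2 if the
#   input contained no path rows at all
count_paths_per_wwid() {
    awk -v want="${1:-4}" '
    # data rows are recognised by the h:c:i:l field in column 2; the
    # "===== paths list =====" banner, the header line and "..." are skipped
    $2 ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/ {
        rows++
        n[$1]++
        devs[$1] = devs[$1] " " $3
    }
    END {
        if (rows == 0) exit 2
        rc = 0
        for (w in n) {
            if (n[w] < want) { state = "DEGRADED"; rc = 1 } else { state = "ok" }
            printf "%s %d%s %s\n", w, n[w], devs[w], state
        }
        exit rc
    }'
}

# Constructed sample: the listing from step 2 (two 3PAR volumes, four paths each)
sample_paths_list() {
    cat <<'EOF'
===== paths list =====
uuid              hcil      dev dev_t pri dm_st  chk_st  vend/prod/rev
350002ac0720907e3 3:0:0:407 sdb 8:16  1   [undef][undef] 3PARdata,VV
350002ac0720a07e3 3:0:0:408 sdc 8:32  1   [undef][undef] 3PARdata,VV
350002ac0720907e3 3:0:1:407 sdd 8:48  1   [undef][undef] 3PARdata,VV
350002ac0720a07e3 3:0:1:408 sde 8:64  1   [undef][undef] 3PARdata,VV
350002ac0720907e3 4:0:0:407 sdf 8:80  1   [undef][undef] 3PARdata,VV
350002ac0720a07e3 4:0:0:408 sdg 8:96  1   [undef][undef] 3PARdata,VV
350002ac0720907e3 4:0:1:407 sdh 8:112 1   [undef][undef] 3PARdata,VV
350002ac0720a07e3 4:0:1:408 sdi 8:128 1   [undef][undef] 3PARdata,VV
...
EOF
}

# usage on a live system:    sudo multipath -v3 | count_paths_per_wwid 4
# with the constructed data: sample_paths_list | count_paths_per_wwid 4
```

Run it once before step 8 to record the baseline, then again with one cable pulled: the LUNs should show up as DEGRADED with two paths each, and the exit status lets a cron job or monitoring check pick up a silently lost path later on.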

Network boot

First follow Linux Network boot

Then, use this script to mirror the netboot installer files from the latest Ubuntu release:

#!/bin/bash
#
# PXE boot updater
#
# Luis Mondesi <lemsx1@gmail.com> 
# 2010-04-13 11:50 EDT 
#
# we use netboot for preseeding Ubuntu servers and workstations
# License: GPL

FLAVOR=lucid
MIRROR=archive.ubuntu.com
NETBOOTDIR=/tftpboot/ubuntu

[ -d $NETBOOTDIR ] || mkdir -p $NETBOOTDIR
cd $NETBOOTDIR || exit 1

for arch in amd64 i386; do
    rsync --no-motd -auz --delete ${MIRROR}::ubuntu/dists/${FLAVOR}/main/installer-${arch}/current/images/netboot/ubuntu-installer/${arch}/ ${FLAVOR}/${arch}/
done

chown -R root:root *

Hardware Specific

oqotalk.com

OQO 02

  1. install Ubuntu Hardy 8.04 from the alternate CD or using PXE boot (preseed)
  2. go to Recovery Mode and drop to a root shell
    1. edit /etc/X11/xorg.conf (Bug #222873)
      Section "Device"
              Identifier "Configured Video Device"
              Driver "openchrome"
              Option "VBEModes" "true"
              BusID "PCI:1:0:0"
      EndSection
    2. create file /etc/modprobe.d/blacklist-oqo
      blacklist via_agp
      blacklist agpgart
      
  3. (optional) apt-get install ubuntu-mid
  4. copy http://www.oqo.com/unsupported/linux/wwan to /etc/ppp/peers (make sure you change sprint-connect to wwan-connect)
  5. edit /etc/rc.local and add a line /usr/bin/pon wwan so it starts your network at boot time
  6. reboot

Configuration

Turn off graphic acceleration on netbook-launcher

$> gconftool-2 --set /apps/netbook-launcher/force_low_graphics --type bool true
$> gconftool-2 --recursive-list /apps/netbook-launcher
force_low_graphics = true
disable_single_instance = false
monitor = 0
volume_exclude_list = []
$> killall netbook-launcher
$> netbook-launcher &
$> get fences failed: -1
** (netbook-launcher:13113): DEBUG: CONFIG: Forcing low graphics mode from GConf
 
os/ubuntu.txt · Last modified: 2010/08/06 11:28 by lemsx1