How to install your machine at FI
Here are some tips on how to correctly set up your computer at FI. These tips will help you increase speed, efficiency, and safety of your machine.
Please send any suggestions as to how to improve or expand this page to
The following section applies both to personal computers and servers. Most recommendations also apply to virtual machines.
Consider separating system and user data
When partitioning a disk, consider whether you want to mount
/home to a separate partition. The advantage of this step is that the system may be easily reinstalled; the disadvantage lies in reduced efficiency in the use of your disc capacity.
Use your faculty login as the account name.
Print jobs must be sent from a user account whose login is identical to your faculty login. Therefore, we strongly recommend that you use your faculty login in setting up the account. See Printing at FI documentation for details.
To configure your network access, use DHCP rather than static configuration. An advantage is the possibility of central administration and easier mass changes. DHCP configuration of devices you manage may be set in Device Management in Faculty Administration (Upon request, Unix administrators will make additions to the list or edit it.) If you are interested in the IPv6 configuration, please contact Unix administrators, too.
Set up a local mirror
If the mirror for your distribution is available at FI – ftp.linux.com, set this server as a mirror.
Refer to the documentation for your distribution for instructions. If we do not mirror it and you use it on multiple machines, you can try sending a mirror request to
Set up automatic security updates
For improved safety, it is important to install security updates to fix any vulnerabilities. This can be automated, but the method differs depending on the distribution. For example, for Ubuntu the procedure is described at AutomaticSecurityUpdates, and for Fedora, at AutoUpdates.
Note: In Ubuntu, this feature is automatically turned on immediately after installation. This is probably true for other distributions, too.
If you wish to log in to other faculty machines over SSH, you can—for greater safety and convenience—download public keys for the faculty machines from the central repository (or use an auto download script). See here: SSH Known Hosts.
Configure your machine's mail system
In some cases, your machine may send mails (system updates, some daemon errors). If configured incorrectly, these mails might reach Unix administrators. Therefore, please check your configuration according to our instructions.
Whenever necessary, you can send mails directly from your machine (for example, using
Configure your mail client
For details refer to the Mail section in our technical documentation. Most clients are capable of configuring data on their own.
A useful note: the SMTP server is
relay.fi.muni.cz, and the port number is 465 (using SSL).
To ensure the correct time is maintained on your machine, verify whether you have a time synchronization daemon (ntpd, chronyd) installed. Use the local NTP server
time.fi.muni.cz. Detailed instructions are available here: Correct time in the FI network.
In this section you will find tips that may be useful particularly for servers.
In BIOS, you can set your computer to turn itself on again should a power failure occur. For servers, this may be desirable. The relevant configuration option is usually called
Restore on AC/Power Loss.
AHCI disk interface
In BIOS, make sure that you have the AHCI interface set for SATA drives. AHCI is a standard that supports, for example, hot-swap of drives, whereas the older IDE requires the system to restart to recognize the newly connected disks.
Test your hardware
Future complications may be avoided by testing hardware before putting it into operation.
Memory testing method is available here: Memory Testing: memtester.
To thoroughly test your disk:
- Find out the name of the disk to be tested. The list of attached drives can be obtained with
- Save the output of
smartctl -a /dev/sdX(replace X)
- Run a long SMART test
smartctl -t long /dev/sdX
- The test will run for some time. Once it finishes, save the output of
smartctl -a /dev/sdXagain and compare it with the disk state before the SMART test.
- If you have a magnetic disk, check for bad blocks. Attention! This is a destructive test that will overwrite the entire disk:
badblocks -svw /dev/sdX
- Finally, check the
dmesgoutput and compare the current output of
smartctl -a /dev/sdXwith the initial output (for example with
Configure IPMI and serial console
Some servers are IPMI-equipped with a dedicated independent processor that is connected both to the motherboard and the main processor, which allows for hardware monitoring and control. You can get connected to this machine via an independent IP address, often on a dedicated network interface. Common options include power management, machine status monitoring, BIOS configuration, and access to the operating system's serial console. If your machine supports IPMI (sometimes different names are used: iLO, iDRAC, BMC), we recommend that you use this option and configure IPMI.
Since this configuration is different for each hardware and BIOS manufacturer, it is impossible to provide general instructions. Typically, however, it is advisable to set up an independent, i.e. dedicated Ethernet port, and obtain the network configuration over DHCP (to improve security, we assign addresses from a non-public range available only from the agreed machines or a portion of the FI network). Sometimes even a machine with a single (shared) Ethernet port may support IPMI. In this case, a VLAN tag can typically be set for IPMI. Unix administrators will provide you a connection via our infrastructure.
In any case, make sure that you do not leave IPMI with the default password open to the world.
The serial console is also configured independently, as follows:
Console redirection........Serial Port 1 Failsafe Baud Rate.........115200 Remote Terminal Type.......VT100/VT220 Redirection After Boot.....Enabled
In order to be functional, it is also necessary to configure the GRUB/kernel correctly. Usually, simply add/modify these GRUB configuration parameters and then run
update-grub. This is an example of what the configuration could look like:
GRUB_CMDLINE_LINUX="<original parameters> console=tty0 console=ttyS0,115200n,8" GRUB_TERMINAL="serial console" # the following parameter must be on a single line! (here it's not, to be readable) GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200; terminal --timeout=5 serial console"
Note that the console numbering in BIOS and in the kernel may vary, i.e., the BIOS consoles are usually numbered starting with 1, while the kernel numbers start at
Should you need any help with the configuration, please contact the faculty Unix administrators.
MCE Hardware Error Detection
Modern processors inform the OS about hardware errors. In Linux, this data can be retrieved using the
mcelog daemon, which logs any detected hardware errors into
/var/log/mcelog, or it can be configured to respond to the errors.
Remote logging to syslog.fi.muni.cz
For security reasons, it is useful to send logs to the central server as well. Another advantage is that problems get detected on the faculty network level by unix@fi. If you are interested, please contact Unix administrators.
Drive monitoring via SMART
SMART is a hard disk monitoring system. The
smartd daemon is in the
smartmontools package. The configuration file is located in
/etc/smartd.conf. We recommend that you comment out
DEVICESCAN and add one line for each disk, for example:
# ata/sata disks /dev/sda -S on -d ata -o on -a -m MAIL -M once -s (S/../.././02|L/../../7/04) /dev/sdb -S on -d ata -o on -a -m MAIL -M once -s (S/../.././03|L/../../7/05)
-s parameter in this configuration ensures that the
/dev/sda disk will have a short self-test scheduled every day at 2am and a long self-test scheduled every 7 days at 4am.
Although this load is not significant, we recommend that tests for individual drives are run at different times.
man smartd.conf for more details.
Also, be sure to enable the daemon to load on system startup.
Disable sudo for regular users
If other users are logged onto your server, you probably do not wish to give them root access. In some distributions, the
sudo command is allowed for common users. This can be checked and possibly set in
/etc/sudoers by the
Apache and SSL settings
If you plan to run secure websites on your machine, make sure the SSL/TLS configuration is correct and secure. Details on how to set up a secure configuration are available at Apache and SSL Settings.