
How to install your machine at FI

Here are some tips on how to correctly set up your computer at FI. These tips will help you increase speed, efficiency, and safety of your machine. Please send any suggestions as to how to improve or expand this page to unix@fi.muni.cz.

General recommendations

The following section applies both to personal computers and servers. Most recommendations also apply to virtual machines.

Consider separating system and user data

When partitioning a disk, consider whether you want to mount /home on a separate partition. The advantage is that the system can be reinstalled easily; the disadvantage is less efficient use of your disk capacity.

Use your faculty login as the account name

Print jobs must be sent from a user account whose login is identical to your faculty login. Therefore, we strongly recommend that you use your faculty login in setting up the account. See Printing at FI documentation for details.

Use DHCP

To configure your network access, use DHCP rather than static configuration. The advantages are central administration and easier mass changes. The DHCP configuration of devices you manage may be set in Device Management in Faculty Administration. (Upon request, Unix administrators will make additions to the list or edit it.) If you are interested in IPv6 configuration, please contact Unix administrators, too.

Set up a local mirror

If your distribution is mirrored at FI (ftp.linux.com), set this server as your mirror. Refer to the documentation for your distribution for instructions. If we do not mirror it and you use it on multiple machines, you can try sending a mirror request to ftp-admin@fi.muni.cz.

Set up automatic security updates

For improved safety, it is important to install security updates to fix any vulnerabilities. This can be automated, but the method differs depending on the distribution. For example, for Ubuntu the procedure is described at AutomaticSecurityUpdates, and for Fedora, at AutoUpdates.

Note: In Ubuntu, this feature is automatically turned on immediately after installation. This is probably true for other distributions, too.

Faculty ssh_known_hosts

If you wish to log in to other faculty machines over SSH, you can—for greater safety and convenience—download public keys for the faculty machines from the central repository (or use an auto download script). See here: SSH Known Hosts.

Configure your machine's mail system

In some cases, your machine may send mails (system updates, some daemon errors). If configured incorrectly, these mails might reach Unix administrators. Therefore, please check your configuration according to our instructions.

Whenever necessary, you can send mails directly from your machine (for example, using mail or sendmail).

Configure your mail client

For details refer to the Mail section in our technical documentation. Most clients are capable of configuring data on their own.

A useful note: the SMTP server is relay.fi.muni.cz, and the port number is 465 (using SSL).

Time synchronization

To ensure the correct time is maintained on your machine, verify whether you have a time synchronization daemon (ntpd, chronyd) installed. Use the local NTP server time.fi.muni.cz. Detailed instructions are available here: Correct time in the FI network.


Server-specific recommendations

In this section you will find tips that may be useful particularly for servers.

Auto power-on

In BIOS, you can set your computer to turn itself on again should a power failure occur. For servers, this may be desirable. The relevant configuration option is usually called Restore on AC/Power Loss.

AHCI disk interface

In BIOS, make sure that you have the AHCI interface set for SATA drives. AHCI is a standard that supports, for example, hot-swap of drives, whereas the older IDE requires the system to restart to recognize the newly connected disks.

Test your hardware

Future complications may be avoided by testing hardware before putting it into operation.

A memory testing method is described here: Memory Testing: memtester.

To thoroughly test your disk:

Configure IPMI and serial console

Some servers are equipped with IPMI: a dedicated independent processor, connected both to the motherboard and the main processor, that allows for hardware monitoring and control. You can connect to it via an independent IP address, often on a dedicated network interface. Common options include power management, machine status monitoring, BIOS configuration, and access to the operating system's serial console. If your machine supports IPMI (sometimes under a different name: iLO, iDRAC, BMC), we recommend that you use this option and configure IPMI.

Since this configuration is different for each hardware and BIOS manufacturer, it is impossible to provide general instructions. Typically, however, it is advisable to set up an independent (i.e. dedicated) Ethernet port and obtain the network configuration over DHCP (to improve security, we assign addresses from a non-public range available only from the agreed machines or a portion of the FI network). Sometimes even a machine with a single (shared) Ethernet port may support IPMI. In this case, a VLAN tag can typically be set for IPMI. Unix administrators will provide you with a connection via our infrastructure.

In any case, make sure that you do not leave IPMI with the default password open to the world.

The serial console is also configured independently, as follows:

Console redirection........Serial Port 1
Failsafe Baud Rate.........115200
Remote Terminal Type.......VT100/VT220
Redirection After Boot.....Enabled

For the serial console to work, GRUB and the kernel must also be configured correctly. Usually it is enough to add or modify the following GRUB configuration parameters and then run update-grub. This is an example of what the configuration could look like:

GRUB_CMDLINE_LINUX="<original parameters> console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL="serial console"
# the following parameter must be on a single line! (here it's not, to be readable)
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200;
    terminal --timeout=5 serial console"

Note that the console numbering in BIOS and in the kernel may differ: the BIOS consoles are usually numbered starting with 1, while the kernel numbering starts at ttyS0.

Should you need any help with the configuration, please contact the faculty Unix administrators.

MCE Hardware Error Detection

Modern processors inform the OS about hardware errors. In Linux, this data can be retrieved using the mcelog daemon, which logs any detected hardware errors into /var/log/mcelog, or it can be configured to respond to the errors.

Remote logging to syslog.fi.muni.cz

For security reasons, it is useful to send logs to the central server as well. Another advantage is that problems get detected on the faculty network level by unix@fi. If you are interested, please contact Unix administrators.

Drive monitoring via SMART

SMART is a hard disk monitoring system. The smartd daemon is in the smartmontools package. The configuration file is located in /etc/smartd.conf. We recommend that you comment out DEVICESCAN and add one line for each disk, for example:

# ata/sata disks
/dev/sda -S on -d ata -o on -a -m MAIL -M once -s (S/../.././02|L/../../7/04)
/dev/sdb -S on -d ata -o on -a -m MAIL -M once -s (S/../.././03|L/../../7/05)

Replace the MAIL string with a suitable mailing address, where information about potential problems will be sent (a change in attributes indicating disk failure or self-test failures). The -s parameter in this configuration ensures that the /dev/sda disk will have a short self-test scheduled every day at 2am and a long self-test scheduled every 7 days at 4am. Although this load is not significant, we recommend that tests for individual drives are run at different times. See man smartd.conf for more details. Also, be sure to enable the daemon to load on system startup.
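To check the recommendation about running tests at different times, the following added example (not part of the original page) reads smartd.conf-style lines and reports every weekday/hour slot in which more than one disk would start a short or long self-test. The function names, the /dev/sdc line and the fixed sample week are constructed for illustration, and each -s expression is treated as a whole-string match against T/MM/DD/d/HH.

```shell
#!/bin/sh
# Added example: report weekday/hour slots in which smartd would start
# self-tests on more than one disk. Only start times are compared; a long
# test that is still running when another disk's test starts is not detected.

# Constructed input: the two lines from the text plus /dev/sdc, which
# (deliberately) reuses the schedule of /dev/sda.
sample_smartd_conf() {
cat <<'EOF'
# ata/sata disks
/dev/sda -S on -d ata -o on -a -m MAIL -M once -s (S/../.././02|L/../../7/04)
/dev/sdb -S on -d ata -o on -a -m MAIL -M once -s (S/../.././03|L/../../7/05)
/dev/sdc -S on -d ata -o on -a -m MAIL -M once -s (S/../.././02|L/../../7/04)
EOF
}

# schedule_collisions: reads smartd.conf on stdin, prints one line
# "d/HH dev1 dev2 ..." per slot shared by two or more disks.
schedule_collisions() {
    awk '
    /^\/dev\// {                       # one device line: remember its -s regex
        re = ""
        for (i = 2; i < NF; i++) if ($i == "-s") re = $(i + 1)
        if (re != "") { dev[++n] = $1; pat[n] = "^(" re ")$" }
    }
    END {
        split("S L", type, " ")
        # Constructed week: 1-7 January, with day-of-month equal to weekday.
        for (d = 1; d <= 7; d++)
            for (h = 0; h < 24; h++) {
                hit = ""
                for (k = 1; k <= n; k++) {
                    m = 0
                    for (t = 1; t <= 2; t++) {
                        slot = sprintf("%s/01/%02d/%d/%02d", type[t], d, d, h)
                        if (slot ~ pat[k]) m = 1
                    }
                    if (m) hit = hit " " dev[k]
                }
                if (split(hit, tmp, " ") > 1) printf "%d/%02d%s\n", d, h, hit
            }
    }'
}

sample_smartd_conf | schedule_collisions
```

On a real machine, feed it the actual file: schedule_collisions < /etc/smartd.conf. No output means no two disks start a test in the same hour.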

Disable sudo for regular users

If other users log in to your server, you probably do not wish to give them root access. In some distributions, the sudo command is allowed for regular users. This can be checked, and changed if necessary, in /etc/sudoers using the visudo command.
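One way to perform this check, as an added example that is not part of the original page: the function below lists every rule in a sudoers-format file that grants unrestricted ALL commands to a user or group other than root. The function names and the sample file content are constructed for illustration; files under /etc/sudoers.d should be reviewed the same way.

```shell
#!/bin/sh
# Added example: list sudoers rules that give a user or group other than
# root unrestricted command access (a command list containing ALL).

# Constructed sample in sudoers syntax; not taken from any real machine.
sample_sudoers() {
cat <<'EOF'
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
%wheel          ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) /usr/bin/rsync
#includedir /etc/sudoers.d
EOF
}

# list_broad_sudo [FILE]: prints "principal<TAB>rule" for each broad rule.
# Reads stdin when FILE is omitted. Aliases are not expanded, so a rule
# whose commands are hidden behind a Cmnd_Alias still needs a manual look.
list_broad_sudo() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments, #include directives, blanks
    /^[ \t]*(Defaults|[A-Za-z]+_Alias|@include)/ { next }   # not user rules
    $1 == "root" { next }
    {
        cmds = $0
        sub(/^[^=]*=[ \t]*/, "", cmds)        # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", cmds)     # drop "(runas)"
        gsub(/[A-Z]+:[ \t]*/, "", cmds)       # drop tags such as NOPASSWD:
        sub(/[ \t]+$/, "", cmds)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (c[i] == "ALL") { printf "%s\t%s\n", $1, $0; break }
    }' "${1:--}"
}

sample_sudoers | list_broad_sudo
```

Run as root against the real file with list_broad_sudo /etc/sudoers, then confirm that only administrators belong to each group it reports.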

Apache and SSL settings

If you plan to run secure websites on your machine, make sure the SSL/TLS configuration is correct and secure. Details on how to set up a secure configuration are available at Apache and SSL Settings.