
Tips for setting up a machine at FI

Here are some tips on how to properly set up your computer at FI. They will help you increase the speed, efficiency, or security of your machine. Send any suggestions for improving or extending this page to unix@fi.muni.cz.

General recommendations

The following section applies to both personal computers and servers. Most recommendations also apply to virtual machines.

Consider separating system and user data

When partitioning a disk, consider whether you want to put /home on a separate partition. The advantage is a simple reinstallation of the system; the disadvantage is less efficient use of disk capacity.

Use your faculty login for your account on your machine

Print jobs must be sent from a user account whose login is identical to your faculty login. Therefore, we strongly recommend creating your account with the login you use at FI. See the documentation on printing at FI for details.

Use DHCP

Use DHCP instead of a static configuration to configure your network. The advantages are central administration and easier bulk changes. The DHCP configuration of the devices you manage can be set in the Faculty Administration under Device management (the UNIX administrators can complete or edit the list on request). If you are interested in an IPv6 configuration, please also contact the UNIX administrators.

Set the local distribution mirror

If your distribution is mirrored at FI - ftp.linux.com , set this server as your mirror. Refer to the documentation of your distribution for instructions. If we do not mirror your distribution and you use it on multiple machines, you can try sending a mirroring request to ftp-admin@fi.muni.cz .

Set up automatic security updates

To improve the security of the machine, it is important to install the security updates that fix vulnerabilities. This can be automated, but the method differs by distribution. For Ubuntu the procedure is described in the article AutomaticSecurityUpdates, and for Fedora in the article AutoUpdates.

Note: In Ubuntu this is already enabled after installation, and possibly in other distributions as well.

Faculty ssh_known_hosts

If you log in to other faculty machines over SSH from your machine, you can download the public host keys of the faculty machines from the central repository (or use the automatic download script) for added security and convenience. See SSH Known Hosts.

Configuring the machine's mail system

Your machine may in some cases send mail (system updates, errors from some daemons). With an incorrect configuration, these mails can end up with the UNIX administrators. Therefore, please check your configuration according to our instructions.

Mail can also be sent directly from your machine if needed (for example, using the mail command, or alternatively sendmail).

Configuring the mail client

See the Mail section of our technical documentation for information. Most clients are able to detect this configuration automatically.

Specifically, we mention only the outgoing mail configuration: the correct SMTP server is relay.fi.muni.cz on port 465 (with SSL).

Time synchronization

To ensure accurate time on the machine, verify that you have a time synchronization daemon (ntpd, chronyd) installed and that it uses the local NTP server time.fi.muni.cz . More detailed instructions can be found in Accurate time in the FI network.


Server-specific recommendations

In this section you will find tips that apply primarily to servers.

Auto power-on

In the BIOS, you can set the computer to turn itself back on after a power failure. For servers this is usually the desired behavior. The setting is usually named Restore on AC/Power Loss.

AHCI disk interfaces

In the BIOS, make sure that the AHCI interface is selected for SATA drives. AHCI is a standard that supports, for example, hot-swapping of drives, whereas the older IDE mode requires a system restart for a newly attached disk to be recognized.

Test your hardware

Some later complications can be avoided by testing the hardware before putting it into operation.

How to test memory is described in Memory testing: memtester.

The procedure for thorough disk testing is as follows:

  • Determine the name of the disk to test; fdisk -l lists the connected disks.
  • Save the output of smartctl -a /dev/sdX (replace X with the letter of your disk).
  • Run a long SMART self-test: smartctl -t long /dev/sdX
  • The test runs for some time. When it finishes, save the output of smartctl -a /dev/sdX again and compare it with the state before the SMART test.
  • If you have a magnetic disk, check for bad blocks. Attention! This is a destructive test that overwrites the entire disk: badblocks -sw /dev/sdX
  • Finally, check the output of dmesg and compare the current output of smartctl -a /dev/sdX with the initial output (e.g. with vimdiff).
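The comparison of the two saved smartctl outputs can be automated. The script below is an added example, not part of the faculty documentation: it extracts the RAW_VALUE column of the attribute table from both dumps and reports the failure-indicating counters that grew; the two sample dumps are constructed, shortened tables.

```shell
#!/bin/sh
# Compare two saved "smartctl -a" outputs (before and after the long
# self-test) and report the health counters that grew. Added example,
# not part of the faculty documentation; the sample outputs are constructed.

# Attributes whose RAW_VALUE growth indicates a failing disk.
WATCH_ATTRS="Reallocated_Sector_Ct Current_Pending_Sector Offline_Uncorrectable Reported_Uncorrect UDMA_CRC_Error_Count"

# Print "ATTRIBUTE_NAME RAW_VALUE" for every row of the attribute table.
# Rows start with a numeric ID# and have at least 10 columns; RAW_VALUE is column 10.
smart_raw_values() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 10 { print $2, $10 }' "$1"
}

# smart_attr_diff BEFORE AFTER: prints one WARNING line per watched counter
# that increased; returns 1 if any did, 0 otherwise.
smart_attr_diff() {
    before=$1; after=$2; rc=0
    for attr in $WATCH_ATTRS; do
        b=$(smart_raw_values "$before" | awk -v a="$attr" '$1 == a { print $2 }')
        a=$(smart_raw_values "$after"  | awk -v a="$attr" '$1 == a { print $2 }')
        [ -z "$b" ] && [ -z "$a" ] && continue   # disk does not report this attribute
        if [ "${a:-0}" -gt "${b:-0}" ]; then
            echo "WARNING: $attr grew from ${b:-0} to ${a:-0}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a shortened attribute table before and after a long test
# (Current_Pending_Sector rising from 0 to 8 is the kind of change to look for).
write_samples() {
    cat > "$1/before.txt" <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1203
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
EOF
    cat > "$1/after.txt" <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1205
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
EOF
}
```

On a real machine, run smart_attr_diff on the two files you saved with smartctl -a; a non-zero exit status means the disk should not go into production.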

Configure IPMI and serial console

Some servers are equipped with a dedicated, independent processor connected to the motherboard and the main processor that allows hardware monitoring and control. It is reachable via a separate IP address, often on a dedicated network interface. The usual options include power management, monitoring the machine's status, BIOS configuration, and access to the operating system's serial console. If your machine supports it (it may appear under different names: IPMI, iLO, iDRAC, BMC), we recommend that you take advantage of it and configure IPMI.

Since this configuration differs for each hardware and BIOS manufacturer, general instructions cannot be given here. Typically, however, it is advisable to use a dedicated Ethernet port and obtain the network configuration via DHCP (for security reasons we assign addresses from a non-public range reachable only from agreed machines or from the FI network). Sometimes even a machine with a single (shared) Ethernet port can support IPMI; in that case a VLAN tag can typically be set for IPMI, and the UNIX administrators will arrange its connection to our infrastructure.

In any case, make sure you do not leave IPMI exposed to the world with the default password.

The serial console is also configured separately, for example, as follows:

Console redirection........Serial Port 1
Failsafe Baud Rate.........115200
Remote Terminal Type.......VT100/VT220
Redirection After Boot.....Enabled

For it to work, GRUB and the kernel must also be configured properly. Usually it is enough to add or modify the following parameters in the GRUB configuration and then run update-grub . An example of what the configuration could look like:

GRUB_CMDLINE_LINUX="<original parameters> console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL="serial console"
# the following parameter is wrapped here, but in the configuration
# it must be given on a single line
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200;
    terminal --timeout=5 serial console"

Note that console numbering in the BIOS and in the kernel may differ: in the BIOS the console is usually numbered from 1, while in the kernel it is numbered from ttyS0 .

If you need help with the configuration, you can contact the faculty UNIX administrators.

MCE Hardware Error Detection

Modern processors let the OS know about hardware errors. On Linux, this data can be retrieved with the mcelog daemon, which logs the detected hardware errors to the file /var/log/mcelog or can be configured to react to errors.

Update: This applies to Intel processors. For AMD there is the kernel module edac_mce_amd instead, and mcelog will probably not work.

Saving logs to syslog.fi.muni.cz

For security reasons, it is also useful to send logs to the central server. Another advantage is that unix@fi can then detect problems at the level of the faculty network. If you are interested, talk to the UNIX administrators.

Monitoring disks via SMART

SMART is a monitoring system for hard disks. Monitoring is handled by the smartd daemon from the smartmontools package. In the configuration file /etc/smartd.conf we recommend commenting out DEVICESCAN and adding one line per disk, e.g.

# ATA/SATA disks
/dev/sda -S on -d ata -o on -a -m MAIL -M once -s (S/../.././02|L/../../7/04)
/dev/sdb -S on -d ata -o on -a -m MAIL -M once -s (S/../.././03|L/../../7/05)

Replace the string MAIL with a suitable e-mail address to which information about potential problems (changes of attributes indicating a failing disk, or a self-test failure) will be sent. In this configuration, the -s parameter means that the disk /dev/sda is checked by a short self-test every day at 2 am and by a long self-test once every 7 days at 4 am. Although this load is not significant, we recommend running the tests for individual disks at different times. For more details, see the documentation using the command man smartd.conf . Also be sure to enable the daemon to start at boot.

Disable sudo for regular users

If other users log in to your server, you probably do not want to give them root access. Some distributions allow regular users to use the sudo command. This can be checked, and changed if needed, in /etc/sudoers using the visudo command.
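Before editing with visudo, it helps to see who currently has sudo rights. The script below is an added example, not from the faculty documentation: it lists the user specifications in a sudoers file, expands %group entries through a group file, and reports the non-root users whose rule grants the unrestricted ALL command set. Both input files are constructed samples.

```shell
# Audit a sudoers file: list which principals have rules and which non-root
# users end up with an unrestricted "ALL" command set, expanding %group
# entries through a group file. Added example, not from the faculty docs;
# the sudoers and group contents below are constructed.

# sudoers_grants SUDOERS GROUPFILE: prints "user: rule" or "user via %group: rule"
# for every user specification. Skips comments, blank lines, Defaults and
# alias definitions; @include/#include directives are not followed.
sudoers_grants() {
    grep -Ev '^[[:space:]]*(#|@|$|Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)' "$1" |
    while read -r who rule; do
        case $who in
            %*) grp=${who#%}
                members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$2" | tr ',' ' ')
                for m in $members; do echo "$m via %$grp: $rule"; done ;;
            *)  echo "$who: $rule" ;;
        esac
    done
}

# unrestricted_non_root SUDOERS GROUPFILE: users other than root whose rule
# ends in ALL, i.e. they may run any command (the case the text warns about).
unrestricted_non_root() {
    sudoers_grants "$1" "$2" |
    awk -F': ' '$1 != "root" && $NF ~ /[[:space:]]ALL[[:space:]]*$/ { sub(/ via .*/, "", $1); print $1 }'
}

# Constructed sample files: a Debian-style sudoers plus a matching group file.
write_samples() {
    cat > "$1/sudoers" <<'EOF'
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
@includedir /etc/sudoers.d
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
backup:x:34:
EOF
}
```

On a real server, run unrestricted_non_root /etc/sudoers /etc/group as root and remember to check the files under /etc/sudoers.d as well, since the script does not follow include directives.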

Webserver and SSL settings

If you plan to run a secure website on your machine, you should pay attention to a correct and secure SSL/TLS configuration. You can read about the secure connection settings on the page Webserver and SSL settings.