PREAMBLE

Which settings in this doc have to be adapted?

Some settings only apply to one computer (e.g. its IP address) or to the admins. These settings are written in italics, like: 128.178.x.y

How to partition my server ?

Basically, a server only needs 2 partitions :

More partitions could be useful :

NB. It's a good idea to put the partition that might one day need extension as the last partition.

What to remember once the server is installed ?

INSTALL

A) ● OS Install

Download Ubuntu 16.04 server 64bits from here

B) ● OS Updates

sudo apt update && sudo apt dist-upgrade; /usr/lib/update-notifier/update-motd-reboot-required
sudo reboot && exit

The first command is a shortcut that fetches the list of available updates, applies them (after listing them and asking the admin for confirmation), and finally displays a message if a reboot is required (or no message otherwise).

The second reboots the server and exits the terminal. Exiting the terminal before the reboot is useful so that the bash history is saved.

C) ● Server Basics

Common packages. (pick those you need)

ENACdrives

Mount/umount EPFL's NAS on the server http://enacit.epfl.ch/enacdrives/

sudo vi /etc/apt/sources.list.d/enacrepo.list
# http://enacit1.epfl.ch/linux/sys/enacrepo.shtml
deb http://enacrepo.epfl.ch/public xenial main    # for Ubuntu 16.04 LTS
wget -q http://enacrepo.epfl.ch/enacrepo.asc -O- | sudo apt-key add -
sudo apt update && sudo apt install enacdrives
sudo vi /etc/enacdrives.conf
[global]
Linux_CIFS_method = mount.cifs

Vi Improved

Edit files from the command line with vi (which is aliased to vim) https://en.wikipedia.org/wiki/Vim_%28text_editor%29

sudo apt install vim

tree

Nice output of a whole tree of files http://www.computerhope.com/unix/tree.htm

sudo apt install tree

screen

Use multiple shell windows and keep them active even after logout (alternative to tmux) https://www.rackaid.com/blog/linux-screen-tutorial-and-how-to/

sudo apt install screen

tmux

Use multiple shell windows and keep them active even after logout (alternative to screen) https://opensource.com/article/17/2/quick-introduction-tmux

sudo apt install tmux

multitail

Follow several logs in one console http://www.tecmint.com/view-multiple-files-in-linux/

sudo apt install multitail

Glances

System monitoring tool https://nicolargo.github.io/glances/

sudo pip3 install Glances

iftop

Bandwidth usage monitoring http://www.ex-parrot.com/pdw/iftop/

sudo apt install iftop

dstat

Versatile resource statistics tool http://dag.wiee.rs/home-made/dstat/

sudo apt install dstat

essential packages for compilation

sudo apt install build-essential

Meld

Browse differences between 2 or 3 files or folders (and be able to merge them) http://meldmerge.org/

sudo apt install meld

git

distributed version control system https://git-scm.com/

sudo apt install git

Python 2

https://docs.python.org/2/

sudo apt install python-dev python-pip

Python 3

https://docs.python.org/3/

sudo apt install python3-dev python3-pip

Python Virtualenv

http://docs.python-guide.org/en/latest/dev/virtualenvs/

sudo apt install virtualenv

D) ● Additional admin users on the server

You can have multiple admin-users :

sudo groupadd username
sudo useradd -m -c "Full User Name" -g username -G adm,cdrom,sudo,dip,plugdev,lxd,lpadmin,sambashare -s /bin/bash username
sudo passwd username

E) ● Additional non-admin users on the server

You can have multiple non-admin users :

sudo groupadd username
sudo useradd -m -c "Full User Name" -g username -s /bin/bash username
sudo passwd username

F) ● VMwareTools

This only applies to VMware virtual machines

sudo apt install open-vm-tools

G) ● Mail config

This is useful when the server needs to notify the admins of a problem, such as an error while running a cron job or anything else that uses the mail command. You, as admin, might also want to use the mail command in your scripts.

Note: Sending emails at EPFL requires authentication (using port 465 SSL/TLS). However, if you don't want to use an account and store a username and password on the server, you can use port 25 (no authentication) and set the FROM field to a service account (http://services.epfl.ch/) redirected to noreply@epfl.ch.

To simplify the procedure, one can use the default service account named noreply@epfl.ch or a customized one like noreply+anything-here@epfl.ch which is equivalent to the first one.

Here is how to set it up :

sudo apt install mailutils ssmtp
sudo vi /etc/ssmtp/ssmtp.conf
root=Firstname.Lastname@epfl.ch
mailhub=mail.epfl.ch
hostname=hostname.epfl.ch
sudo vi /etc/ssmtp/revaliases
root:noreply+hostname@epfl.ch:mail.epfl.ch
echo test | sudo mail -s test1 Firstname.Lastname@epfl.ch

H) ● NTP

NTP synchronizes the server's clock with the reference time servers.

sudo apt install ntp
sudo vi /etc/ntp.conf
server 128.178.x.1
sudo service ntp restart

I) ● Firewall

This will set up your server's firewall. To set up EPFL's firewall, you can contact

The default policy of a secure firewall configuration is to deny everything coming in to the server and then allow only the expected protocols. This is what the following setup does.

For each admin's or user's IP address that needs ssh access, add an incoming allow rule. Then add rules for the other protocols (such as port 80 for http, 443 for https, ...).

sudo ufw disable
sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow proto tcp from 128.178.x.y to any port 22
sudo ufw allow proto tcp from any to any port 80
sudo ufw --force enable

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       128.178.x.y
80/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
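
A check that can be run after every rule change, added here as an example (it is not part of the original procedure): it reads the output of ufw status and reports an inactive firewall or any ALLOW rule open to Anywhere on a port that is not meant to be public, such as ssh. The names audit_ufw_status, sample_page_status and sample_bad_status are made up for this example, and the second sample is constructed.

```shell
# Added example: audit `ufw status` text read from stdin.
# Usage: sudo ufw status | audit_ufw_status 80 443
# Arguments: ports meant to be reachable from anywhere. Returns 1 on findings.
audit_ufw_status() {
    awk -v public="$*" '
        BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        /^Status:/ { if ($2 == "active") active = 1; next }
        {
            # Locate the Action column; skip headers and blank lines.
            act = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { act = i; break }
            if (!act) next
            to = $1
            for (i = 2; i < act; i++) to = to " " $i   # keeps the "(v6)" tag
            port = $1; sub(/\/.*/, "", port)           # "22/tcp" -> "22"
            from = $(act + 1)
            if (from == "IN") from = $(act + 2)        # "ufw status verbose"
            if (from == "Anywhere" && !(port in ok)) { print "OPEN " to " from Anywhere"; bad++ }
        }
        END {
            if (!active) { print "INACTIVE firewall is not active"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample 1: the status output shown above (placeholder IP kept).
sample_page_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       128.178.x.y
80/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Constructed sample 2: ssh was opened to everyone by mistake.
sample_bad_status() {
    cat <<'EOF'
Status: active
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}
```

The non-zero return value makes the function usable in a cron job together with the mail command configured in section G.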

J) ● Clonezilla setup

Clonezilla is a great tool for making a cold image of your server. Here is how to set it up so that you can dual-boot into it without a CD drive (or an ISO to map).

sudo wget http://heanet.dl.sourceforge.net/project/clonezilla/clonezilla_live_alternative/20160529-xenial/clonezilla-live-20160529-xenial-amd64.iso -O /clone_sys/clonezilla-live-20160529-xenial-amd64.iso
sudo ln -s clonezilla-live-20160529-xenial-amd64.iso /clone_sys/clonezilla.iso

df -h /clone_sys/

sudo vi /etc/grub.d/40_custom
# Note: adapt it to match the partition /clone_sys.
# On my server it's on sda2 which is converted to (hd0,2)
menuentry "Clonezilla live" {
    set root=(hd0,2)
    set isofile="/clonezilla.iso"
    loopback loop $isofile
    linux (loop)/live/vmlinuz boot=live live-config noswap nolocales edd=on nomodeset ocs_live_run=\"ocs-live-general\" ocs_live_extra_param=\"\" ocs_live_keymap=\"\" ocs_live_batch=\"no\" ocs_lang=\"\" vga=788 ip=frommedia nosplash toram=filesystem.squashfs findiso=$isofile
    initrd (loop)/live/initrd.img
}
sudo vi /etc/default/grub
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=5
sudo update-grub2
less /boot/grub/grub.cfg

K) ● Monitored with Icinga2 enacitmon2.epfl.ch

sudo vi /etc/apt/sources.list.d/enacrepo.list
# http://enacit1.epfl.ch/linux/sys/enacrepo.shtml
deb http://enacrepo.epfl.ch/public xenial main    # for Ubuntu 16.04 LTS
wget -q http://enacrepo.epfl.ch/enacrepo.asc -O- | sudo apt-key add -
sudo apt update && sudo apt install enac-monitoring

Follow the dedicated documentation at http://enacit.epfl.ch/monitoring/activation/ to enable and get access to the monitoring with ENAC-IT.

L) ● Backup

This is not documented here since it depends heavily on the data hosted on your server.

If you need help, please contact . We'll need to know :

SUPPORT

Visit http://enacit1.epfl.ch/linux/ for further information and support.