Setup for Ubuntu 20.04

Click here for Windows system setup

Re-installation Note

If you are re-installing an existing user's computer, you will need to know the computer's host name. The GID/UID for this user's account is used when creating an account on the backup staging server.

General Install Steps

This section describes the setup steps that are general to all Ubuntu installations. There are also a number of steps that are specific to the user who will be using the computer. Those steps are outlined below.

Labels

If this is a new computer, get a barcode label from DalePlummer and place it on the new computer. The computer hostname should be "biostat" (e.g. biostat0000).

Install Ubuntu

Using the live CD, install Ubuntu.

  • We usually make partitions like this:
    Partition   Size                      Comment
    swap        size of memory            e.g. 32 GB
    /           256 GB (approximately)    (ext4) This is where all system files are placed.
    /home       remainder of space        (ext4) user's files
  • Get a hostname from ColeBeck or DalePlummer
  • During the installation, make a user called "biostat".

Once the Ubuntu installation is complete, log on as user "biostat" and continue...

Edit the sources.list file

Edit the sources.list file to use the http://mirrors.advancedhosters.com/ubuntu/ repository. Include main/restricted/universe/multiverse.
sudo gedit /etc/apt/sources.list

Here is a sources.list file that works well. Use "bionic" for 18.04 systems and "focal" for 20.04. Note the addition of the R materials.
deb http://mirrors.advancedhosters.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.advancedhosters.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.advancedhosters.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.advancedhosters.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.advancedhosters.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.advancedhosters.com/ubuntu/ focal-backports main restricted universe multiverse

deb http://mirrors.advancedhosters.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.advancedhosters.com/ubuntu/ focal-security main restricted universe multiverse

deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/

Then run these commands to get the key for the R repository:

gpg --keyserver keyserver.ubuntu.com --recv-key 51716619E084DAB9
gpg -a --export 51716619E084DAB9 | sudo apt-key add -

Then...

sudo apt update
sudo apt dist-upgrade

And maybe a reboot...
sudo reboot

Install packages

Install a few other things that we want.
sudo apt install gnumeric abiword pidgin samba ntp ssh cifs-utils sshfs nfs-kernel-server nfs-common remmina compizconfig-settings-manager vim r-base-core r-base-dev r-base-html r-doc-pdf r-recommended exim4 htop emacs texlive-base texlive-latex-recommended texlive-latex-extra libjpeg62 libappindicator1 libindicator7 lockfile-progs

Download RStudio (http://www.rstudio.com/) and install it:
sudo dpkg -i Downloads/rstudio-0.98.953-amd64.deb

Also download Google Chrome (https://www.google.com/chrome/browser/) and install it:
sudo dpkg -i Downloads/google-chrome-stable_current_amd64.deb

Disallow ssh root logins

Edit /etc/ssh/sshd_config and set PermitRootLogin to no
sudo gedit /etc/ssh/sshd_config
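
A scripted alternative to the manual edit, as an added example that is not part of the original page. The function names are hypothetical helpers; the line is placed at the top of the file because sshd uses the first value it reads for a keyword, and settings inside a Match block are left alone but counted for review.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# Rewrite an sshd_config-style file so "PermitRootLogin no" is the first line
# and every other global (pre-Match) PermitRootLogin line is removed.
harden_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { print "PermitRootLogin no" }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^match[ \t]/ { in_match = 1 }
        !in_match && line ~ /^permitrootlogin([ \t=]|$)/ { next }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"    # overwrite in place: keeps the file owner and mode
    rm -f "$tmp"
}

# Print the global value in force: the first uncommented PermitRootLogin
# before any Match block (empty output means the built-in default applies).
effective_root_login() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^match[ \t]/ { exit }
        line ~ /^permitrootlogin[ \t=]/ {
            sub(/^permitrootlogin[ \t=]+/, "", line)
            sub(/[ \t].*$/, "", line)
            print line; exit
        }
    ' "$1"
}

# Count PermitRootLogin lines inside Match blocks; these override the global
# value for matching connections and need a manual review.
match_overrides() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^match[ \t]/ { in_match = 1; next }
        in_match && line ~ /^permitrootlogin[ \t=]/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# After changing the real file, validate and reload:
#   sudo sshd -t && sudo systemctl reload ssh
```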

Set up printers

See Printer hostnames for the names and other information about our printers. (Instructions for installing printers on Windows and Macintosh are in the FAQ topic (see the "How_to_install_printers..." section))

  • get printer definition files
cd /usr/share/cups/drv
sudo wget http://biostat.app.vumc.org/wiki/pub/Main/UbuntuSetup/hp-color_laserjet_m651-ps.ppd
sudo wget http://biostat.app.vumc.org/wiki/pub/Main/UbuntuSetup/hp-color_laserjet_m553-ps.ppd
sudo wget http://biostat.app.vumc.org/wiki/pub/Main/UbuntuSetup/xrx6360dn.ppd

  • set up printers using the command line (biostatcolor1, biostatcolor2, and biostatcolor3 for regular users; biostatcolor4 is for administrators). The network addresses for the printers can be deduced from the commands below (following "socket://") or found at Main.PrinterHostnames.
sudo lpadmin -p 00_biostatcolor1 -L "biostatistics" -D "HP Color LaserJet M651" -P /usr/share/cups/drv/hp-color_laserjet_m651-ps.ppd -v socket://biostatcolor1.dhcp.mc.vanderbilt.edu:9100/ -E

sudo lpadmin -p 00_biostatcolor2 -L "biostatistics" -D "HP Color LaserJet M651" -P /usr/share/cups/drv/hp-color_laserjet_m651-ps.ppd -v socket://biostatcolor2.dhcp.mc.vanderbilt.edu:9100/ -E

sudo lpadmin -p 00_biostatcolor3 -L "biostatistics" -D "HP Color LaserJet M651" -P /usr/share/cups/drv/hp-color_laserjet_m651-ps.ppd -v socket://biostatcolor3.dhcp.mc.vanderbilt.edu:9100/ -E

sudo lpadmin -p 00_biostatcolor4 -L "biostatistics" -D "HP Color LaserJet M651" -P /usr/share/cups/drv/hp-color_laserjet_m651-ps.ppd -v socket://biostatcolor4.dhcp.mc.vanderbilt.edu:9100/ -E

sudo lpadmin -p 00_biostatcolor7 -L "biostatistics" -D "HP Color LaserJet M553" -P /usr/share/cups/drv/hp-color_laserjet_m553-ps.ppd -v socket://biostatcolor7.dhcp.mc.vanderbilt.edu:9100/ -E

Mount directory for administrative scripts

Create a mount point for the administrative scripts.
sudo mkdir -p  /biostat/cvs/admin

Add the following line to /etc/fstab

biostat1553.emp.vumc.io:/home/cvs/admin /biostat/cvs/admin nfs nfsvers=3,rsize=8192,wsize=8192,timeo=14,intr 0 0
...and mount the administrative folder
sudo mount /biostat/cvs/admin

Set up firewall

Set up the iptables firewall. Download the iptables file and set things up.

We have stopped setting up firewalls on workstations with private IP addresses. It causes more trouble than it is worth. For servers and computers that are exposed to the internet, we probably DO want to set up a firewall.
cd /etc/network/if-up.d/
sudo wget -nc http://biostat.app.vumc.org/wiki/pub/Main/UbuntuSetup/iptables
sudo chmod ugo+x /etc/network/if-up.d/iptables
cd /etc/network/if-post-down.d
sudo ln -s ../if-up.d/iptables

Create the /var/lib/iptables directory and set up the inactive and active rule sets.
sudo mkdir /var/lib/iptables
sudo chmod 700 /var/lib/iptables
sudo cp /biostat/cvs/admin/etc/active /var/lib/iptables/
sudo touch /var/lib/iptables/inactive

Exim4

This setup allows the workstation to send emails, i.e. from the root account and from user cron jobs. This setup is orthogonal to the VUMCid user's email setup.

It works by having exim send all outgoing emails to the smarthost biostat.app.vumc.org. This will only work if the following steps are performed, and if the workstation IP address resolves to biostat?.dhcp.mc.vanderbilt.edu, where ? is replaced with the appropriate number.

Assuming exim v4...
sudo cp /biostat/cvs/admin/etc/update-exim4.conf.conf /etc/exim4/update-exim4.conf.conf
sudo /usr/sbin/update-exim4.conf
sudo cp /biostat/cvs/admin/etc/mailname /etc/mailname
Then edit /etc/aliases and add the following line:
root: biostat-it@list.vumc.org

Restart exim
sudo /etc/init.d/exim4 restart

You can test that it works by running something like this:
  • /biostat/cvs/admin/bin/mail-wrapper your.email.address@vumc.org ls -lh /tmp
This will email the output of 'ls -lh /tmp' to the biostat IT mailing list.

Install the Tenable Nessus End Point Protection Agent

Installation steps that are user specific

Before configuring a new computer, please read NewEmployeeInfoSysProcedures.

Create an account and location for backup on the biostat1553 server (backup staging server)

  • Create the user on the biostat1553.emp.vumc.io server (for backup services). If this is a reinstall or new computer for an existing user, record the UID and GID from the old system. See Transition to new backup server for additional detail.
sudo adduser VUMCid
  • Note the UID and GID that are generated when the biostat1553 account is created. We will use these values when setting up the user account on the workstation.
  • Edit /etc/passwd and change "/bin/bash" to "/bin/false" for the user just created
  • Make the user's backup directory: /home/wsbu/backup/VUMCid

Make a user account on the workstation (if not reinstalling)

Be sure to use the GID and UID that you recorded earlier. See NewEmployeeInfoSysProcedures

sudo addgroup --gid [GID] [VUMCid]
sudo useradd --create-home --shell "/bin/bash" --groups cdrom,audio,video,plugdev,lpadmin,adm,sudo --uid [UID] --gid [GID] [VUMCid] && sudo passwd [VUMCid]

Workstation Backups

  • Create the directory /biostat/backup/VUMCid (make sure to change "VUMCid" to real value)
sudo mkdir -p /biostat/backup/VUMCid

  • Add the following line to /etc/fstab:
biostat1553.emp.vumc.io:/home/wsbu/VUMCid /biostat/backup/VUMCid nfs nfsvers=3,rsize=8192,wsize=8192,timeo=14,intr 0 0

  • If you are restoring a backup because of a machine replacement or reimaging, use rsync. When logged on to the user's account, a command like this will work:
cd /biostat/backup
rsync -av VUMCid /home

  • Add the following cron entry to VUMCid's crontab (crontab -e), choosing a suitable value for X and Y (the mm and hh fields below). The command is sudo crontab -u VUMCid -e
mm hh  * * * /biostat/cvs/admin/sbin/run-user-cron
  • If there are problems mounting those entries, try running exportfs -a on the server, either biostat or biostat1553. It seems to clear up the NFS export entries.

Samba

  • Set up Samba. To allow the user to mount their /home/VUMCid directory from elsewhere, add this paragraph to the end of their /etc/samba/smb.conf file. Change "VUMCid" as appropriate.
[VUMCid]
    comment = Samba on Ubuntu
    path = /home/VUMCid
    read only = no
    browsable = yes
  • Create a Samba ID: sudo smbpasswd -a VUMCid
  • Restart the Samba service: sudo service smbd restart

Set up password-less SSH login to servers

See http://askubuntu.com/questions/46930/how-can-i-set-up-password-less-ssh-login. Here is an example from that topic:
VUMCid@biostatnnn:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/VUMCid/.ssh/id_rsa): 
Created directory '/home/VUMCid/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/VUMCid/.ssh/id_rsa.
Your public key has been saved in /home/VUMCid/.ssh/id_rsa.pub.
The key fingerprint is:
b1:25:04:21:1a:38:73:38:3c:e9:e4:5b:81:e9:ac:0f VUMCid@biostatnnn
The key's randomart image is:
+--[ RSA 2048]----+
|.o= . oo.        |
|*B.+ . .         |
|*=o .   o .      |
| = .     =       |
|. o     S        |
|E.               |
| o               |
|  .              |
|                 |
+-----------------+

Copy the public key to the server (e.g. biostat.app.vumc.org).

VUMCid@biostatnnn:~$ ssh-copy-id VUMCid@biostat.app.vumc.org
VUMCid@biostat.app.vumc.org's password: 

Now try logging into the machine, with "ssh 'VUMCid@biostat.app.vumc.org'", and check in:

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
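
One way to do the authorized_keys check above, as an added example that is not part of the original page or of OpenSSH. The function names are hypothetical; it reports every entry whose key is not in a file of expected public keys (for example the id_rsa.pub generated above) and copes with entries that start with options.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# Print "type blob comment" for each key in an authorized_keys-style file.
# An entry may begin with options (command="...",no-pty ...), so find the
# key-type field rather than assuming it is field 1. Every OpenSSH public key
# blob starts with "AAAA", which guards against a look-alike word in options.
key_fields() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ &&
                    $(i + 1) ~ /^AAAA/) {
                    print $i, $(i + 1), $(i + 2)
                    next
                }
        }
    ' "$1"
}

# unexpected_keys AUTHORIZED_KEYS EXPECTED_PUBKEYS
# Print "type comment" for every authorized key whose blob is not expected.
unexpected_keys() {
    {
        key_fields "$2" | sed 's/^/E /'
        key_fields "$1" | sed 's/^/A /'
    } | awk '
        $1 == "E" { ok[$3] = 1; next }
        !($3 in ok) { print $2, ($4 == "" ? "(no comment)" : $4) }
    '
}

# Typical use on the server, after copying the workstation's public key there:
#   unexpected_keys ~/.ssh/authorized_keys /tmp/id_rsa.pub
# To see fingerprints for every entry:
#   ssh-keygen -lf ~/.ssh/authorized_keys
```
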
Topic revision: r4 - 31 Aug 2021, DalePlummer
 
