# How to Set Up a CAD Server

[TOC]

Ubuntu 20.04

> This guide helps you set up the following on Ubuntu 20.04:
> - fail2ban to protect the server
> - An LDAP client that connects to the LDAP server
> - Mounting the CAD tools from TSRI

## Network alias

- Edit `/etc/hosts`

```bash=1
140.116.245.125 ideal125
140.116.245.124 ideal124
140.116.245.123 ideal123
140.116.245.122 ideal122
140.116.245.121 ideal121
140.126.24.16 lshc
140.110.140.29 lstc
140.110.117.10 lstn
140.126.24.10 lscic
140.112.20.58 lsntu
140.113.202.151 lsnctu
140.120.90.46 lsnchu
140.116.49.24 lsncku
```

## System security

### Install ssh server

- Install ssh & ssh server

```bash=1
sudo apt-get install ssh openssh-server
```

- Edit ssh server config

```bash=1
# The file is owned by root, so edit it with sudo
sudo vim /etc/ssh/sshd_config
```

- Restart ssh server

```bash=1
sudo service sshd restart
```

### fail2ban

```bash=
sudo apt install fail2ban
```

- Remember to add the NFS directory to fail2ban's excluded directories in `/etc/fail2ban/`

### Change default directory permission to 0700

- As mentioned on this [website](https://superuser.com/questions/303910/ubuntu-default-access-mode-permissions-for-users-home-dir-home-user), the default home directory permission can be changed by editing the `/etc/adduser.conf` file
- Change `DIR_MODE=0755` to `DIR_MODE=0700`

## Mount 123 NFS disk

```bash=1
# Install nfs-common
sudo apt install nfs-common

# Edit /etc/fstab
# ("sudo echo ... >> file" fails because the redirect runs as the calling user,
#  so append through "sudo tee -a" instead)
echo "140.116.245.123:/volume1/cad /home/nfs_cad nfs defaults 0 0" | sudo tee -a /etc/fstab
echo "140.116.245.123:/volume1/homes/@LH-IDEAL123/61 /home/nfs_home nfs defaults 0 0" | sudo tee -a /etc/fstab
echo "140.116.245.123:/volume1/share /home/nfs_share nfs defaults 0 0" | sudo tee -a /etc/fstab

# Create mount point
sudo mkdir /home/nfs_cad
sudo mkdir /home/nfs_share
sudo mkdir /home/nfs_home

# Mount without reboot
sudo mount -a
```

- Make sure your IP address is on the list of permitted NFS mount targets. Otherwise, your NFS mount request will be denied by the NFS server. The permitted IP addresses are configured on the 140.116.245.123 server.
    - For example, this figure shows a list of IPs that are allowed to mount the `cad` folder on NFS

      ![](https://i.imgur.com/jEelUcQ.png)

      Make sure you put your IP on the list of ALL three folders (cad, homes, share)
- Use the following command to create a soft link. This is necessary because some tools/scripts assume the CAD tools are located in `/usr/cad`.

```bash=
# No trailing slash on the link name: /usr/cad must not exist yet
sudo ln -s /home/nfs_cad /usr/cad
```

## Install LDAP

- Follow the instructions in [LDAPClientAuthentication](https://help.ubuntu.com/community/LDAPClientAuthentication)

```bash=1
# Install packages
sudo apt-get install ldap-auth-config libnss-ldap libpam-ldap ldap-auth-client nscd
```

- Configure ldap client
    - ![](https://i.imgur.com/nGaBfZN.png)
    - ![](https://i.imgur.com/O744eoS.png)
    - ![](https://i.imgur.com/uvz81cE.png)
    - ![](https://i.imgur.com/TaeQocM.png)
    - ![](https://i.imgur.com/R3XAj4P.png)
    - ![](https://i.imgur.com/boz6gI8.png)
    - Type passwd **ideal123**
      ![](https://i.imgur.com/faobuIy.png)
- Edit `/etc/ldap.conf`

```bash=1
base dc=ideal123
uri ldap://140.116.245.123
rootbinddn uid=root,cn=users,dc=ideal123
pam_password md5
```

- Edit `/etc/ldap/ldap.conf`

```bash=1
BASE dc=ideal123
URI ldap://140.116.245.123/
timelimit 2
bind_timelimit 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
bind_policy soft
```

- Edit file `/etc/nsswitch.conf`

```bash=1
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

- Edit `/etc/pam.d/common-session`

```bash=1
# here are the per-package modules (the "Primary" block)
session [default=1]     pam_permit.so
# here's the fallback if no module succeeds
session requisite       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required        pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional        pam_ldap.so
session optional        pam_systemd.so
session optional        pam_mkhomedir.so
# end of pam-auth-update config
```

- Edit `/etc/pam.d/common-password`

```bash=1
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
#password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite      pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required       pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional       pam_gnome_keyring.so
# end of pam-auth-update config
```

- Enable latest settings

```bash=1
sudo pam-auth-update
sudo service nscd restart
```

- You should see this setting page

  ![](https://i.imgur.com/qgHdJTX.png)
- Make sure you select **Create home directory on login**

## Check TSRI license status

```bash=1
lmstat
```

## CAD tool dependencies

- Some CAD tools depend on 32-bit libraries, while most computers nowadays use 64-bit libraries. Install the following libraries so that the CAD tools can run on the latest OS.

### Add 32-bit library in apt

- Configure the package system to use 32-bit libraries.

```bash=1
sudo dpkg --add-architecture i386
sudo apt update
```

#### Install libraries for 32-bit C

```
sudo apt install libc6:i386 libncurses5:i386 libstdc++6:i386
```

#### `libpng12.so.0` cannot open shared object file

```bash=
sudo add-apt-repository ppa:linuxuprising/libpng12
sudo apt update
sudo apt install libpng12-0
```

#### `libncurses.so.5` cannot open shared object file

```bash=
sudo apt install libncurses5
```

#### `libjpeg.so.62` cannot open shared object file

```bash=
sudo apt install libjpeg62
```

#### `libtiff.so.3` cannot open shared object file

According to this [answer](https://askubuntu.com/questions/44132/how-do-i-install-libtiff-so-3), the solution is to create a soft link from `libtiff.so.5` to `libtiff.so.3`

```bash=
sudo apt install libtiff5
sudo ln -s /usr/lib/x86_64-linux-gnu/libtiff.so.5 /usr/lib/x86_64-linux-gnu/libtiff.so.3
```

#### `libmng.so.1` cannot open shared object file

```bash=
sudo apt install libmng2
sudo ln -s /usr/lib/x86_64-linux-gnu/libmng.so.2 /usr/lib/x86_64-linux-gnu/libmng.so.1
```

#### `libX11.so.6: cannot open shared object file`

```bash=
sudo apt install libx11-6:i386
```

#### `libXext.so.6: cannot open shared object file`

```bash=
sudo apt install libxext6:i386
```

#### `libXp.so.6: cannot open shared object file`

According to this [answer](https://askubuntu.com/questions/944838/libxp-so-6-missing-for-ubuntu-17-04)

```
sudo apt-get install libxpm4
sudo dpkg -S libXpm
sudo ln -s /usr/lib/x86_64-linux-gnu/libXpm.so.4.11.0 /usr/lib/x86_64-linux-gnu/libXp.so.6
```

#### `libXm.so.4 cannot open shared object file`

```bash=
sudo apt install libxm4
```

## Define the new account behavior in `/etc/skel`

### git clone the sample repo

```
git clone --recurse-submodules git@github.com:NCKU-CAID/server-setup.git
```

### git clone oh-my-zsh plugins

```
cd server-setup/.oh-my-zsh/plugins
git clone https://github.com/zsh-users/zsh-autosuggestions
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git
```

### Copy the content to `/etc/skel` directory

```
# /etc/skel is owned by root
sudo cp -a ~/server-setup/. /etc/skel/
```

### Remove unwanted files

```
cd /etc/skel
sudo rm -rf .git/ .gitmodules
```

### Enable tools you want to use in `.zshrc`

```bash
# virtualenv and virtualenvwrapper setup (if needed)
export WORKON_HOME=$HOME/.virtualenvs
export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3
export VIRTUALENVWRAPPER_VIRTUALENV=$HOME/.local/bin/virtualenv
source $HOME/.local/bin/virtualenvwrapper.sh
export PATH=$HOME/.local/bin:$PATH

# Source CAD tool (if needed)
source ~/.cad_tool.zshrc

# RISC-V toolchain (if needed)
export PATH=/opt/RISCV/bin:$PATH
```
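
Once the steps above are done, the settings this guide changes (`DIR_MODE`, the `ldap` entries in `nsswitch.conf`, `pam_mkhomedir.so`, and the NFS entries in `/etc/fstab`) can be checked with a short script. This is an added example, not part of the original guide: the function names and the sample tree are constructed for illustration, and the `nosuid` check is an added hardening check, since the guide mounts with `defaults`, which lets setuid binaries on the share take effect on the client.

```shell
# Added example: audit the settings this guide changes. Every check takes a
# file path, so it can be pointed at copies instead of the live /etc.

check_dir_mode() {      # new home directories must be created with mode 0700
    grep -Eq '^[[:space:]]*DIR_MODE=0700[[:space:]]*$' "$1"
}

check_nss_ldap() {      # passwd, group and shadow must all list ldap
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
}

check_mkhomedir() {     # an uncommented session line must load pam_mkhomedir.so
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Hardening check added here (the guide mounts with "defaults"):
# print the mount point of every NFS entry whose options lack nosuid.
nfs_without_nosuid() {
    awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ && $4 !~ /(^|,)nosuid(,|$)/ { print $2 }' "$1"
}

audit() {               # audit [ROOT]; an empty ROOT audits the live system
    root=${1:-}; fails=0
    check_dir_mode "$root/etc/adduser.conf" || { echo "FAIL DIR_MODE is not 0700"; fails=$((fails + 1)); }
    check_nss_ldap "$root/etc/nsswitch.conf" || { echo "FAIL ldap missing from passwd/group/shadow"; fails=$((fails + 1)); }
    check_mkhomedir "$root/etc/pam.d/common-session" || { echo "FAIL pam_mkhomedir.so is not active"; fails=$((fails + 1)); }
    for mp in $(nfs_without_nosuid "$root/etc/fstab"); do
        echo "WARN $mp is mounted without nosuid"; fails=$((fails + 1))
    done
    echo "$fails finding(s)"
}

# Constructed sample tree, not copied from a real host: pam_mkhomedir is
# commented out and only one of the two NFS entries carries nosuid.
make_sample() {
    mkdir -p "$1/etc/pam.d"
    printf 'DIR_MODE=0700\n' > "$1/etc/adduser.conf"
    printf '%s\n' 'passwd: files ldap' 'group: files ldap' 'shadow: files ldap' \
        'gshadow: files' > "$1/etc/nsswitch.conf"
    printf '%s\n' 'session required pam_unix.so' \
        '#session optional pam_mkhomedir.so' > "$1/etc/pam.d/common-session"
    printf '%s\n' '140.116.245.123:/volume1/cad /home/nfs_cad nfs defaults 0 0' \
        '140.116.245.123:/volume1/share /home/nfs_share nfs defaults,nosuid 0 0' > "$1/etc/fstab"
}

demo=$(mktemp -d); make_sample "$demo"; audit "$demo"; rm -rf "$demo"
```

Calling `audit` with no argument reads the live files under `/etc`; reading `/etc/fstab` and the PAM files does not require root.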