Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics [2024/04/20 15:02] – [UMask- Approach] obel1x
+++ content:serverbasics [2026/04/10 10:18] (aktuell) – [Mountoptions] obel1x
@@ Zeile 1: / Zeile 1: @@
-====== Linux: Basic Server Configuration ======
+====== Linux: Advanced SoHo- Server Configuration ======
-These setting here are an advice to think about when setting up a new linux- machine (here on an opensuse distrubution, which i really like).
+~~NOCACHE~~
+Welcome to my **Advanced Server Setup- Documentation**.
+In these chapters, i will explain how to setup and configure a full featured Active Domain- Network with Kerberos Single-Sign-On and Domain Integration of Linux Clients on a rootless containerized Docker- Installation including Nextcloud as personal Cloud to store all your Data and PIM locally and safe. That way you get a fully managed, Cloud enabled Homeoffice Network at low costs and much space for your personal data on your own pc.
+===== Current State =====
+This Document is currently under developement and chapters are not final right now. This will change in the Future.
+===== Usecase =====
+This is not a slim Setup - so if you only have old hardware or you are trying to figure out on yoru small office-pc, this may not work as well as you need it.
+You should have at least
+  * Large Harddrives: If you have maybe 1.5 TB of Data all togehter, you will need:
+      * 3 TB of space on your working directory / raid5 = 3 Harddrives, each 1 TB at least
+      * 6 TB of space on your backup / raid5 = 3 Harddrives, each 2 TB at least
+      * about maybe 100GB for the system / raid1 = 2 Harddrives
+      * about maybe 100GB for the databases / raid1 = 2 Harddrives
+      * maybe two extra drives for external backups, each 6 TB (you can also store that in the internet, but you will need a large space there too)
+  * A Server, that has relyable, quite fast internet in Download and Upload rates - while Upload may be more Importen
+  * The Server should be reachable all the time
+===== How to Start =====
+First, read this Page, get the Hardware and install the system. You should understand the Hardwaresetup and the installation of Linux and Raid- Systems first (as decribend beneath).
+Then, go on whith [[:content:serverbasics:network-dyndns|DynDNS- Setup]] to make your PC reachable from the net.
+Next, setup docker as decribed in the Chapter. When you have portainer running, you can go like this:
+  - Nextcloud-AIO
+  - FreeIPA
+  - Authentik
+Then glue them together with SSO, SPNEGO and Nextcloud-SSO. Then you should have understood everything, you can now play around on your own.
 ===== Subpages =====
 <catlist content:serverbasics -nohead -noNSInBold -sortAscending -sortByTitle -noAddPageButton -maxDepth:1>
+===== Basic System =====
+As Hardware, you should have at least:
+  * a single standard Desktop- PC with 4 or more Cores
+  * equipped with at least 16 GB of RAM and
+  * for failure of Discs a swappable mounting Rack to contain at least 5 Discs (should not have Raid as Hardware, as Software Raid in Linux is much more efficient!)
+  * Additional at least one external Disk, you may use to copy your Backups to and store them on a different physikal location
 ===== Mountpoints =====
@@ Zeile 51: / Zeile 97: @@
 So I would suggest to use two disks both partioned with GPT and same sized efi-partitions (as said, at least 500 Megabytes in Size to store Bios or UCODE updates for Firmware Updater) and before creating the FAT32 filesystem do software raid on it. E.g.:
 <code>
 ~ # mdadm --create --verbose /dev/md/efiboot --level=1 --raid-devices=2 --metadata=1.0 --name=efiboot --homehost=system /dev/sda1 /dev/sdb1
@@ Zeile 61: / Zeile 107: @@
 You than install your Linux Bootmanager / EFIBOOT to that md- Device. If its not found in the beginning of the installation, scan for raid- devices or just create it while installing with the line above.
+=== Recover faulty Disc ===
-==== LVM ====
+If some Raid- Disc becomes faulty, it will show up like this (its for raid5, but raid1 will look alkie):
-LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool**  (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
+<code>
+obel1x:~ # mdadm -D /dev/md126
+/dev/md126:
+          Version : 1.0
+    Creation Time : Fri Apr 10 11:44:19 2020
+       Raid Level : raid5
+       Array Size : 1460286976 (1392.64 GiB 1495.33 GB)
+    Used Dev Size : 730143488 (696.32 GiB 747.67 GB)
+     Raid Devices : 3
+    Total Devices : 2
+      Persistence : Superblock is persistent
+    Intent Bitmap : Internal
+      Update Time : Sat Oct 26 14:26:37 2024
+            State : clean, degraded
+   Active Devices : 2
+  Working Devices : 2
+   Failed Devices : 0
+    Spare Devices : 0
+           Layout : left-symmetric
+       Chunk Size : 128K
+Consistency Policy : bitmap
+             Name : any:slowstorage
+             UUID : 6542dc7c:a8f93b36:15f90ca1:54d03417
+           Events : 285411
+   Number   Major   Minor   RaidDevice State
+       8        5        0      active sync   /dev/sda5
+       8       21        1      active sync   /dev/sdb5
+      -       0        0        2      removed
+</code>
+Maybe instead of removed you can see some entry like faulty instead of removed - this is, when the array had just failed.
+To add a new device, you need an empty partiotion with at least the expected size (here 696 GB would be enough):
+<code>
+obel1x:~ # fdisk -l /dev/sdc
+Disk /dev/sdc: 698.64 GiB, 750156374016 bytes, 1465149168 sectors
+Disk model: WDC WD7500AAVS-0
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: gpt
+Disk identifier: 699DC7F4-D344-4447-8C5B-1F98E017A12B
+Device     Start        End    Sectors   Size Type
+/dev/sdc1   2048 1465149134 1465147087 698.6G Linux RAID
+</code>
+That Partition should have the Type Linx Raid. If you don't have that, create it with partition- tool of kde or what you want.
+Now you can simply add the device to the raid and it will begin to work:
+<code>
+obel1x:~ # mdadm /dev/md126 --add /dev/sdc1
+mdadm: re-added /dev/sdc1
+obel1x:~ # mdadm -D /dev/md126
+/dev/md126:
+          Version : 1.0
+    Creation Time : Fri Apr 10 11:44:19 2020
+       Raid Level : raid5
+       Array Size : 1460286976 (1392.64 GiB 1495.33 GB)
+    Used Dev Size : 730143488 (696.32 GiB 747.67 GB)
+     Raid Devices : 3
+    Total Devices : 3
+      Persistence : Superblock is persistent
+    Intent Bitmap : Internal
+      Update Time : Sat Oct 26 14:34:57 2024
+            State : clean, degraded, recovering
+   Active Devices : 2
+  Working Devices : 3
+   Failed Devices : 0
+    Spare Devices : 1
+           Layout : left-symmetric
+       Chunk Size : 128K
+Consistency Policy : bitmap
+   Rebuild Status : 1% complete
+             Name : any:slowstorage
+             UUID : 6542dc7c:a8f93b36:15f90ca1:54d03417
+           Events : 285497
+   Number   Major   Minor   RaidDevice State
+       8        5        0      active sync   /dev/sda5
+       8       21        1      active sync   /dev/sdb5
+       8       33        2      spare rebuilding   /dev/sdc1
+</code>
+==== LVM ====
+LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool** (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
 === Mirror- Raided LVM- Volumes (RAID1) ===
@@ Zeile 167: / Zeile 317: @@
 </code>
+=== LVM Error Recovery ===
+In case on Harddrive is failing, the Array gets degraded. If you boot your system without that disk, it will not start due to inaktive volume groups.
+To recover, do this:
+. Get Volume Groups up, if degraded
+vgchange -a y
+. Add a new PV to the VG that is large enough to hold the Data
+vgextend vgname /dev/sdX
+. Repair the logical volume by searching for usable PVs automagically
+lvconvert –repair vgname/lvname
+This should rebuild your logical Volume
+. After rebuild, remove the faild drive from the vg:
+vgreduce –removemissing vgdata
+Thats it, your System should become usable after that.
+== Moving Data before Drive fails ==
+If you have the possibility to add a new PV before the array gets degraded, you can use the replace- method after adding the new pv to the VG:
+lvconvert –replace /dev/sdX1 vgname/lvname /dev/sdY1
+=== More Info for LVMs ===
+https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_logical_volumes/configuring-raid-logical-volumes_configuring-and-managing-logical-volumes
 ==== Filesystem ====
@@ Zeile 173: / Zeile 360: @@
 And there is one Reason: Docker - at the current time of writing this (20.04.2024) you should NOT USE BTRFS with Docker. More is explained later.
 ==== Mountoptions ====
@@ Zeile 183: / Zeile 369: @@
 While autodefrag should not be necessary on ssd- harddiscs.
-For **Databases**  or files that need speed and __**are well backed up otherwise**__  : nodatacow,nodatasum,noatime,nodiratime
+For **Databases** or files that need speed and __**are well backed up otherwise**__  : nodatacow,nodatasum,noatime,nodiratime
 === Sources: ===
   * [[https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression|https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression]]
   * [[https://btrfs.readthedocs.io/en/latest/Administration.html|https://btrfs.readthedocs.io/en/latest/Administration.html]]
+=== Powermode settings ===
+Your Harddrives may have set a power level, that allows spindown. I personally would not let your harddrives spindown, because every start brings your harddrives mechanics nearer to death. In Fact there is not very much worse than spinning up and down every few minutes for a harddrive with physical discs.
+To change that, create the following file:
+<file>
+pcserver2023:/usr/lib/udev/rules.d # cat 85-hdparm.rules
+ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="[sh]d[a-z]", RUN+="/sbin/hdparm -S 0 -B 128 /dev/%k"
+</file>
+That way, your harddrives will stay up all time.
 ===== Quotas =====
@@ Zeile 306: / Zeile 506: @@
 So you should maybe think of setting a better umask than 022 - which would make all users of you group have read access to you files to lets say 077. Or - even better don't use the group "users", but make a group with the same name as the user per User itself. Than you can have umask 007.
-On my system the umask can be defined in the file ''/etc/login.defs'' .
+On my system the umask can be defined in the file ''/etc/login.defs''  .
 But to go on directory- permissions: forget about umask.
 ==== FACLs ====
@@ Zeile 462: / Zeile 661: @@
 And with FACLs there are powerful tools that should cover everything an administrator needs.
+===== Firewall =====
+To check, which services are open, use:
+PLEASE, Before opening the Ports, check the Services described at the Sub-Pages first to secure them!
+<code>
+servername:~ # firewall-cmd --list-ports
+/tcp 3478/udp
+servername:~ # for s in $(firewall-cmd --list-services); do firewall-cmd --permanent --service "$s" --get-ports; done;
+/udp
+/tcp 53/udp
+/tcp
+/tcp
+/tcp 88/udp
+/tcp
+/tcp
+/tcp 873/udp
+/tcp
+</code>