Lots of changes

2021-10-22 14:55:52 -04:00
parent f59e3d70e7
commit a188ea73a3
17 changed files with 1861 additions and 185 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-old/
+old/
 manual.odt
--- a/README.html
+++ b/README.html
--- a/README.md
+++ b/README.md
@@ -1,12 +1,57 @@
-# Hartman Lab Server Manual
+# Hartman Lab Server Manual <!-- omit in toc -->
-## Copyright 2021 Bryan C. Roessler
+© 2021 Bryan C. Roessler
-Last updated: 2021-10-18
+Last updated: 2021-10-22
-**Quick Note:** At some point in the future UAB may restrict direct ssh access to the Hartman Lab Server. If this occurs you will first need to connect to the UAB intranet via the UAB AnyConnect VPN. Directions for connecting to the UAB VPN can be found [here](https://www.uab.edu/vpn/) (Linux users, see Fig. A). Once the VPN connection is established you can follow the rest of the manual to connect to the server.
+## Table of Contents <!-- omit in toc -->
-For users that do not have UAB VPN credentials, a whitelist exception will need to be added to the UAB firewall for the specific IP address that the user will be connecting from. The requests can be made [here](https://uabprod.service-now.com/service_portal?id=sc_cat_item&sys_id=daf70746374ce3c0daa253b543990e7f) using your UAB credentials:
+- [Important information](#important-information)
 - [For users](#for-users)
  - [First time login](#first-time-login)
  - [File server](#file-server)
    - [SSH/SFTP](#sshsftp)
    - [Samba file shares](#samba-file-shares)
  - [X2Go remote desktop](#x2go-remote-desktop)
    - [Session tab](#session-tab)
    - [Connection tab](#connection-tab)
    - [Input/output tab](#inputoutput-tab)
    - [Media tab](#media-tab)
    - [Shared folders](#shared-folders)
  - [Native X forwarding](#native-x-forwarding)
    - [Linux, OSX](#linux-osx)
    - [Windows](#windows)
  - [Windows 10 Virtual Machines](#windows-10-virtual-machines)
  - [Robot computer access](#robot-computer-access)
  - [Webcam robot monitoring](#webcam-robot-monitoring)
  - [RStudio Server](#rstudio-server)
  - [Recommendations](#recommendations)
    - [Backing up data](#backing-up-data)
    - [Passwordless (public-private key) authentication](#passwordless-public-private-key-authentication)
 - [For administrators](#for-administrators)
  - [Adding a user](#adding-a-user)
  - [Resetting a user password](#resetting-a-user-password)
  - [Removing a user](#removing-a-user)
  - [Reset a buggy or corrupt X2Go user session](#reset-a-buggy-or-corrupt-x2go-user-session)
  - [Unban a user](#unban-a-user)
  - [Fix or repair user file permissions](#fix-or-repair-user-file-permissions)
  - [Services](#services)
  - [Adding a drive](#adding-a-drive)
  - [Virtual Machines](#virtual-machines)
    - [Allow access to the samba share within the Windows VM (Windows bug workaround)](#allow-access-to-the-samba-share-within-the-windows-vm-windows-bug-workaround)
    - [Make an existing Windows 10 account user an administrator](#make-an-existing-windows-10-account-user-an-administrator)
    - [Creating more VM disk space](#creating-more-vm-disk-space)
  - [Updating all software](#updating-all-software)
  - [Scheduling a restart](#scheduling-a-restart)
  - [Logging](#logging)
 - [Resources](#resources)
 - [Contact](#contact)
 ## Important information
 If UAB restricts direct `ssh` access to the Hartman Lab Server, users will need to first connect to the UAB VPN using the [UAB AnyConnect VPN](https://www.uab.edu/vpn/). Once the VPN connection is established, follow the rest of the manual to connect to the server.
 For users that do not have UAB VPN credentials, a whitelist exception for the user's IP address will need to be added to the UAB firewall. Requests to UAB IT can be made [here](https://uabprod.service-now.com/service_portal?id=sc_cat_item&sys_id=daf70746374ce3c0daa253b543990e7f) using your UAB credentials, and should resemble the following:
 ```(text)
 Type: Permit
@@ -20,199 +65,190 @@ Other Protocols: N/A
 Reason: Outside collaboration/(Other reason)
 ```
-### Server Capabilities
+- Network Manager UAB VPN settings
  ![UAB AnyConnect VPN](manual-images/anyconnect.png)
-
+## For users
 1. SSH/SFTP file server
 2. Linux X2Go remote desktop
 3. Windows 10 SPICE QEMU/KVM remote desktop
 4. Samba-compatible file server
 5. Webcam robot monitoring
 6. Robot computer remote access
 ### First time login
-1. Login via ssh client (ssh or putty): `ssh blazerid@hartmanlab.genetics.uab.edu`
+1. Ensure admin has enabled your user account.
-2. Default password has either been preset by an admin or is identical to blazerid
+2. Login via ssh client (ssh or [PuTTY](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)): `ssh username@hartmanlab.genetics.uab.edu`
-3. System will prompt you to create new password
+3. Default password is identical to the `username`
-4. System will log user out after successful password generation
+4. System will prompt you to create a new password
-5. Re-login: `ssh blazerid@hartmanlab.genetics.uab.edu`
+5. System will log user out after successful password generation
-6. Enter new password
+6. Re-login: `ssh blazerid@hartmanlab.genetics.uab.edu` using the new password
-7. Change smbpasswd: `smbpasswd` (default password is your blazerid)
+7. *Optional:* Change Samba password (default password is your username): `smbpasswd`
-## Features
+### File server
-### SSH/SFTP file server
+#### SSH/SFTP
 Files can be transferred to/from the server using `sftp`.
-Users can access the server directly through a terminal (text-based) ssh client (`ssh` in OSX/Linux, or [`putty`](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) in Windows) or can access the storaeg via an SFTP program such as [Filezilla](https://filezilla-project.org/download.php?type=client). Linux users can access and mount the SFTP share directly within most file managers (Fig. 2) or by using `sshfs`.
+Users can access the server directly through a terminal (text-based) ssh client (`ssh` in OSX/Linux, or [`PuTTY`](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) in Windows) or via a GUI SFTP program such as [Filezilla](https://filezilla-project.org/download.php?type=client) or [WinSCP](https://winscp.net/eng/index.php). Linux users can access and mount the SFTP share directly within most file managers or by using [`sshfs`](https://www.digitalocean.com/community/tutorials/how-to-use-sshfs-to-mount-remote-file-systems-over-ssh).
 - Using `caja` to access sftp shares:
  ![Caja SFTP Example](manual-images/sftp-native-linux.png)
 - Using [Filezilla](https://filezilla-project.org/download.php?type=client) to access sftp shares:
  ![Filezilla SFTP Example](manual-images/filezilla.png)
 #### Samba file shares
 Samba file shares can be mounted cross-platform as if the data existed locally. The server provides two shares:
 1. The shared data array (`/mnt/data`): `\\username\data`
 2. The user's home directory (`$HOME`): `\\username\username`
 The default Samba credentials are the same as your server username and password. Users can change their Samba password using `smbpasswd`.
 - Mounting samba shares on Windows:
  1. ![Samba shares on Windows](manual-images/samba-windows1.png)
  2. ![Samba shares on Windows](manual-images/samba-windows2.png)
 ### X2Go remote desktop
-X2Go clients are provided for Windows, OSX, and Linux systems on the [X2Go website](http://wiki.x2go.org/doku.php) or from your package manager.
+X2Go provides a remote virtual desktop over `vnc` secured with `ssh`. X2Go clients are provided for Windows, OSX, and Linux systems on the [X2Go website](http://wiki.x2go.org/doku.php) or from your package manager (`x2goclient`).
-While each platform's X2Go client software varies, the following should provide an overview of how to connect to the X2Go server (Fig. 3).
+X2Go sessions can be paused or closed from the X2Go client window. Multiple sessions can be saved in the client, making it easy to select alternate quality settings based on location/bandwidth or to provide multiple user login sessions on the same machine.
-#### Session tab:
+**Note:** Some programs do not continue to run at full speed when an X2Go session is paused. In these cases, the program should be run via remote SSH (ideally in a [`tmux`](https://en.wikipedia.org/wiki/Tmux) or [`screen`](https://www.gnu.org/software/screen/) session).
- Session Name: Hartman Server
+#### Session tab
 - Session name: Hartman Lab Server
 - Host: hartmanlab.genetics.uab.edu
- Login: *blazerid*
+- Login: *username*
 - SSH port: 22
- session type: MATE (**required!**)
+- Session type: **MATE** (Not all session types are allowed and MATE should provide the best experience with X2Go)
 ![X2Go session preferences](manual-images/x2go-session.png)
 #### Connection tab
-Connection speed should be set to LAN while the client is connected to the UAB network to provide the best user experience. Compression should be left at the default or be set to *adaptive* for ease of use. While connecting to the server off-campus these quality values can be lowered in order to provide a fluid user experience at the expense of image quality.
+- Set the connection speed to *LAN* when connecting from within the UAB network. When connecting from off-campus these quality values can be adjusted based on bandwidth and latency.
 - Compression settings should be left unchanged or set to *adaptive*.
 #### Input/output tab
-Set the desired startup window resolution size manually. If there are any issues with keyboard mapping (ex. the arrow keys are not working), select *Configure keyboard* and leave the default settings.
+- If automatic window resizing is not working properly (common on HiDPI monitors), set the desired startup window resolution size manually. For fullscreen sessions, this should match your client display.
 - If there are any issues with keyboard mapping (ex. the arrow keys are not working), select *Configure Keyboard* and leave the default selected settings.
 #### Media tab
-Disable sound support. This will prevent `pulseaudio` from spamming the server logs
+Disable sound support. This will prevent `pulseaudio` from spamming the server logs.
 #### Shared folders
-The user may select folders on his/her local computer to be shared with the server during the active session. The user should browse to the chosen folder on his/her computer, add it to the share, and select *automount*. Upon login, these folders will then appear on the server under /media/disk/*&lt;share\_name&gt;* (Fig. 4).
+- Select folders on the client to be shared with the server during a session. Browse to the chosen folder, add it to the share, and select *automount*.
 - These folders will then appear on the server under `/media/disk/<share_name>`.
 ![X2Go shared folders](manual-images/x2go-sharedfolders.png)
-Once configured, the user can select the session from the right side of X2Go client. If passwordless login is setup, X2Go will automatically login to a new session for that user. If password login is being used, the user will be prompted to enter his/her ssh password before logging in.
+### Native X forwarding
-Running sessions can be paused or closed from the main client window. Also, multiple session parameters can be stored in the X2Go client, making it easy to select alternate quality settings based on internet client speed, or to provide multiple user login sessions on the same machine.
+It is possible to launch graphical server programs directly on a client.
-Note: Some programs do not continue to run at full speed when an X2Go session is paused. In these cases, the program should be run via remote SSH (optionally, in a [tmux](https://en.wikipedia.org/wiki/Tmux) or screen session) and not in a graphical X2Go session.
+#### Linux, OSX
-### X forwarding
+- `ssh -X username@hartmanlab.genetics.uab.edu`
-
+- `matlab` (to launch Matlab GUI on the client)
 #### Linux, OSX, ChromeOS
 The server supports X11 forwarding so that graphical programs launched via a terminal ssh session will open on the client computer as if the program is running locally. You can activate X11 forwarding by appending the “-X” option to the ssh command: `ssh -X blazerid@hartmanlab.genetics.uab.edu`
 #### Windows
-Users can install Xming and enable X11 forwarding in the PuTTY options.
+- Install [`Xming`](http://www.straightrunning.com/XmingNotes/) and enable X11 forwarding in the [`PuTTY`](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) options.
 You will now be able to launch graphical programs from the server and have them display on your client machine. For example, launch Matlab by running the *matlab* command after logging into the server via ssh with X forwarding enabled. The Matlab graphical display will launch on your client machine even if Matlab is not installed locally.
 ### Windows 10 Virtual Machines
-Windows 10 VMs are accessible via SPICE, a remote desktop protocol that is available for all platforms. For ease of use it is recommended that Linux, [Windows](https://virt-manager.org/download/) and [OSX](https://www.spice-space.org/page/OSX_Client) users download and install `virt-viewer` to access the 
+- Access from within X2Go:
  - *Applications&gt;Internet&gt;Remote Viewer*: [`spice://localhost:5900`](spice://localhost:5900)
 - Direct external access:
  - [`virt-viewer`](/usr/local/bin/virt-viewer) is available across all platforms ([Windows](https://virt-manager.org/download/), [OSX](https://www.spice-space.org/page/OSX_Client)):
 ![Samba shares on Windows](manual-images/virt-viewer.png)
-The SPICE password for users (port 5900) is: **hartmanlab**
+The SPICE password is: **`hartmanlab`**
-Alternatively the VMs can be accessed using remote-viewer (*Applications&gt;Internet&gt;Remote Viewer*) within an existing x2go session (Fig. 5).
+The virtualized Windows 10 instances require logging in with your UAB e-mail address and password.
-The virtualized Windows 10 instances require logging in with your UAB e-mail address and password. **Note: users should NOT log in with a pin when prompted--it will disable access to the samba network shares (this is a Windows bug). Users should always log in with a password.**
+- **Note:** Users should NOT log in with a pin when prompted, it will disable access to the Samba file shares (Windows bug). Users should always log in with a password.
-Once you are finished using the Windows virtual machine, it is vital that users **log out of their Windows account** so that subsequent users do not accidentally login to their account. Windows will perform an automatic logoff after 30 minutes of inactivity.
+Once you are finished using the Windows virtual machine, remember to **log out of your UAB Windows account** so that other users do not have access to your session. Windows will perform an automatic logoff after 30 minutes of inactivity for security.
 ### Robot computer access
-While in an x2go or local session, launch remote-viewer (*Applications&gt;Internet&gt;Remote Viewer*) and create a new connection (*Connection&gt;new*, see Fig. 5):`vnc://192.168.16.101:5900`
+- While logged into the server, launch *Applications&gt;Internet&gt;Remote Viewer>Connection>New*: `vnc://192.168.16.101:5900`
 ### Samba File Server
 While it is possible to mount Linux SFTP shares directly in Windows with third-party tools, it is better to allow native access to files from Windows clients for compatibility reasons. Linux **samba** shares can be mounted on Windows machines as if the drive exists locally.
 Because samba uses a separate protocol from ssh/sftp, it requires a separate authentication token in order to grant users access to the share. On first login, users should change their default samba password using the *smbpasswd* command. The default password is the same as your *blazerid*—it is recommended that users select the same password they used for ssh login.
 There are two samba shares per user, a private user home directory shared at \\\\*blazerid*\\*blazerid* that maps to `~`, and a global shared file storage directory shared at \\\\*blazerid\\data* that maps to /media/data. These directories can be mapped to local drives in the Windows VM and mounted automatically at login (see Fig. 6).
 ### Webcam robot monitoring
-The lab webcam is viewable within an X2Go session by opening a web browser and entering: `localhost:8888` in the url bar.
+The robot webcam is viewable in a web page within an X2Go session at: `localhost:8888`
 ### RStudio Server
-Newer versions of RStudio do not support IDE access via X2Go. The IDE can be accessed via web browser at `localhost:8787` in an X2Go session or via an SSH tunnel, ex. `ssh -f blazerid@hartmanlab.genetics.uab.edu -L 8787:localhost:8787 -N`
+Newer versions of RStudio do not support IDE access via X2Go. The IDE can be accessed via web browser at [`http://localhost:8787`](http://localhost:8787) in an X2Go session or via an SSH tunnel, ex. `ssh -f username@hartmanlab.genetics.uab.edu -L 8787:localhost:8787 -N`
-## Backing up data
+### Recommendations
-The [`rsync`](https://linux.die.net/man/1/rsync), `rsnapshot`, and [`syncthing`](https://syncthing.net/) backup tools are pre-installed on the server.
+#### Backing up data
-`rsync` is recommended for users that would just like to periodically backup their `~` directory to a local machine over ssh:
+The [`rsync`](https://linux.die.net/man/1/rsync), `rsnapshot`, and [`syncthing`](https://syncthing.net/) tools are installed on the server to facilitate user backups.
 `rsync -azH --delete blazerid@hartmanlab.genetics.uab.edu:~/* ~/backup/`
-A graphical alternative, [`syncthing`](https://syncthing.net/) (*Applications&gt;Internet&gt;Syncthing*) syncs folders oand files between machines automatically and is accessible at `http://localhost:8384`](http://localhost:8384)
+[`rsync`](https://linux.die.net/man/1/rsync) is recommended for users that would just like to periodically backup their `$HOME` directory to a local machine over ssh:
 `rsync -azH --delete username@hartmanlab.genetics.uab.edu:~/* ~/backup/`
-## Recommendations
+A GUI alternative, [`syncthing`](https://syncthing.net/) (*Applications&gt;Internet&gt;Syncthing*) syncs folders and files between machines automatically and is accessible at [`http://localhost:8384`](http://localhost:8384)
-### Passwordless (public-private key) authentication
+#### Passwordless (public-private key) authentication
-In addition to password-based authentication, the SSH server also support public-private key authentication. Not only is this authentication method more secure than passwords, it will streamline the login process so that the user will not need to enter his/her password for most operations on the server. This is especially convenient if the user regularly transfers files via SCP or SFTP or accesses the remote desktop or VMs.
+Public-private key authentication is more secure than passwords and can be configured for *passwordless* login.
-In order to set up public-private key authentication, the user will need to generate a public and private keys on the client machine. The user will then store the private key locally on their computer and transfer the public key to the server.
+- Generate the key-pair and add it to the server:
  - To enable public-private key authentication, the user will need to generate a public and private keys on the client machine using `ssh-keygen` (Linux & OSX) or `PuTTYgen` (Windows). The user can then transfer the public key to the server using `ssh-copy-id`.
 - Configure the X2Go client for passwordless login:
  - Linux
    - Check the *Try autologin* box in the session settings.
  - OSX/Windows
    - Select *Use RSA/DSA key for ssh connection* in the session settings and select the location of the public key manually.
-Linux and OSX users can use `ssh-keygen` and Windows users can use PuTTYgen to generate a public-private key pair. The following is an example using ssh-keygen (note: entering a passphrase is not strictly required):
+Most popular SFTP programs support using public-private keys for passwordless authentication. Windows/OSX users may need to add their key pair to PuTTy/Filezilla/WinSCP manually.
-```(sh)
+Once configured, the user will no longer need to enter their password to access the SFTP or X2Go server, which simplifies login and enhances security.
 blazerid@local-host$ ssh-keygen
 Generating public/private rsa key pair.
 Enter file in which to save the key (/home/blazerid/.ssh/id\_rsa):\[Enter key\]
 Enter passphrase (empty for no passphrase): [Enter key]
 Enter same passphrase again: [Enter key]
 Your identification has been saved in /home/blazerid/.ssh/id\_rsa.
 Your public key has been saved in /home/blazerid/.ssh/id\_rsa.pub.
 ```
 Then use `ssh-copy-id` to copy the public key to the server: `ssh-copy-id -i ~/.ssh/id\_rsa.pub blazerid@hartmanlab.genetics.uab.edu`
 Once the public key is stored on the server and the user has tested passwordless login via SSH, the X2Go client can be configured to utilize passwordless login by checking the *Try autologin* box (Fig. 3). Windows and OSX users should leave the box disabled and select their *private* key manually (i.e. id\_rsa) in the “Use RSA/DSA key for ssh connection”. Additionally, they may need to add their private key to PuTTY and/or FileZilla/WinSCP to achieve passwordless login.
 Once configured, the user will no longer need to enter their password to access the SFTP or X2Go server, which simplifies the process and enhances security.
 ## For administrators
-### User management
+### Adding a user
-#### Adding a user
+- `sudo script-user-add` `username` *`password`*
  - Optionally pass a second argument *`password`* to create a user's password for them. If omitted, the default password is equal to the *`username`*.
  - `username` can be anything, but ideally a unique string of small capital letters.
-##### CLI
+### Resetting a user password
- `sudo script-user-add username`
+- `sudo script-user-reset-password` `username` *`password`*
-  - Optionally pass a second argument `password` to create a user's password for them.
+  - If a user forgets their password this will reset it to *`password`*, or if *`password`* is omitted, to the `username`. In either case the user will be prompted to enter a new password at next login. The Samba password cannot be changed by users, only admins.
  - `username` can be anything, but ideally a unique string of small capital letters
-##### GUI
+### Removing a user
-1. Launch the *Users & Groups* application from the system control panel (or `sudo system-config-users`)
+- `sudo script-user-remove` *`username`*
-2. Add User
+  - This will allow you to optionally backup user files to the array before user deletion.
   - Add blazerid or other username, add full name, and create temporary password, click OK
 3. Select *User&gt;properties&gt;password info&gt;Force password change on next login*
 4. *Optional:*
   - Allow user access to shared storage space
     1. Select *user blazerid&gt;Properties&gt;Groups&gt;Select “smbgrp”&gt;Click OK*
     2. Set default Samba password: `sudo smbpasswd -a` *`username`*
   - Make the new user an administrator
     1. Select *User&gt;properties&gt;groups&gt;Add* *`username`* *to 'wheel' group*
-#### Resetting a user password
+### Reset a buggy or corrupt X2Go user session
-##### CLI
+- `script-user-reset-x2go` `username`
  - Completely reset the X2Go state for the user `username`. This will destroy any active or paused X2Go sessions for that users.
-1. `sudo script-user-reset-password` *`username`*
+### Unban a user
   1. By default the password will be the same as the username (unsafe!)
   2. You can pass an optional second argument *`password`* to set the password manually, or the keyword `reset` to prompt the user to reset their password
-##### GUI
+- `script-user-unban` `IP Address`
  - Fail2ban is configured to whitelist the UAB subnet, however repeated failed authentication attempts from off-campus clients will result in a compounding “cool down” period starting at 10 minutes where repeated login attempts from an IP address will be blocked. In cases of emergency, this can be reset manually if the user provides their WAN IP address.
-1. Follow step 3 under “Adding a user” to force the user to set a new password on next login
+### Fix or repair user file permissions
-#### Removing a user
+- `script-files-permissions-set` *`username`* *`password`* *`PATH[...]`*
  - This script will walk you through fixing or setting the permissions on one or more `PATH`'s.
 - `script-files-permissions-reset`
  - If things go really south, use this script as a method of last resort to reset permissions on the entire shared data array `/mnt/data` so they are writeable by the `smbgrp` group.
-##### CLI
+### Services
 1. `sudo script-user-remove` *`username`*
 ### Enabling/disabling services
 - Start: *sudo systemctl start smb.service*
 - Stop: *sudo systemctl stop smb.service*
@@ -224,14 +260,14 @@ Once configured, the user will no longer need to enter their password to access
 ### Adding a drive
-1. `sudo scripts-drive-add /dev/sdX`
+- ~~`sudo scripts-drive-add` `/dev/sdX`~~ (Under construction)
-   - To determine the drive suffix `lsblk -f`
+  - To determine the correct drive, use `lsblk -f`.
 ### Virtual Machines
 - Use `virt-manager` to create a new virtual machine
-  - Optionally copy an existing Windows .qcow2 disk so that Windows and the virtio drivers do not need to be reinstalled.
+  - Optionally copy an existing Windows `.qcow2` image so that Windows and the virtio drivers do not need to be reinstalled.
-  - In case a new VM is required, the Windows virtualization drivers ([`virtio`](https://fedoraproject.org/wiki/Windows_Virtio_Drivers)) are located at [`/usr/share/virtio-win/`](/usr/share/virtio-win/).
+  - In case a new VM is required, the Windows virtualization drivers ([`virtio`](https://fedoraproject.org/wiki/Windows_Virtio_Drivers)) are located at `/usr/share/virtio-win`.
 - Activate Windows using the UAB license in elevated Powershell:
@@ -242,49 +278,54 @@ Once configured, the user will no longer need to enter their password to access
 - Add the UAB DNS server(s) (138.26.5.2, 138.26.5.66) to the Windows network config access UAB resources
-#### Allow new users to access samba share within the Windows VM (Windows bug workaround)
+#### Allow access to the samba share within the Windows VM (Windows bug workaround)
-1. Open `C:\Windows\system32\\drivers\\etc\\hosts` file and copy contents
+1. Open `C:\Windows\system32\drivers\etc\hosts` file and copy contents.
-2. Open new text document, paste contents of existing hosts file and add appropriate blazerid and server IP line (see existing entries)
+2. Open new text document, paste contents of existing hosts file and add appropriate blazerid and server IP line (see existing entries).
-3. Save as “hosts” (no extension)
+3. Save as “hosts” (no extension).
-4. Copy new hosts file to C:\\Windows\\system32\\drivers\\etc\\ (allow it to overwrite existing hosts file)
+4. Copy new hosts file to `C:\Windows\system32\drivers\etc\` (allow it to overwrite existing hosts file).
-5. The new user will be able to map/access their samaba shares at *\\\\blazerid\\data* and *\\\\blazerid\\blazerid*
+5. The new user will be able to map/access their samba shares at `\\blazerid\data` and `\\blazerid\blazerid`.
-#### Making an existing Windows 10 account user an administrator
+#### Make an existing Windows 10 account user an administrator
-1. Login to the PC as the Azure AD user you want to be a local admin. This gets the GUID onto the PC.
+1. Login to the PC as the Azure AD user you want to make a local admin.
-2. Log out as that user and login as a local admin
+2. Log out as that user and login as a local admin.
 3. In elevated Powershell, add the user to the administrators group: `net localgroup administrators AzureAD\\blazerid@uab.edu /add`
 4. Log back in as the user and they will be a local admin now
 #### Creating more VM disk space
- `sudo qemu-img resize /var/lib/libvirt/images/win10-5901.qcow2 +20G`
+- Add 20 GBs of space to the Windows VM: `sudo qemu-img resize /var/lib/libvirt/images/win10-5900.qcow2 +20G`
- Then add gparted iso (in /media/share/documentation) as boot device and expand working partition)
+- Add [gparted iso](/media/share/documentation) as boot device and expand working partition.
-### Security
+### Updating all software
 - `sudo script-system-update`
  - The server regularly installs security updates unattended
  - If the kernel, java, systemd, or other major components are updated, the system should be restarted.
-The server has several security features in place, namely a stateful firewall and fail2ban brute-force blocker. Since all internet-facing services are initiated via ssh or samba, only two incoming ports are required to be open (22), which limits the attack surface. Fail2ban is configured to whitelist the UAB subnet, however repeated failed authentication attempts from off-campus clients will result in a three hour “cool down” period where any access from that IP address will be blocked. In cases of emergency, this can be reset manually by an administrator using the following command: `sudo fail2ban-client set sshd unbanip IPADDRESS`
+### Scheduling a restart
 - `sudo script-system-scheduled-restart` *`OnCalendar`*
  - If a valid `OnCalendar` is not passed, assumes `*-*-* 01:30:00` (1:30 AM).
  - See [Calendar Events](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for proper time format.
  - This will alert users via `notify-send` in X2Go, `wall` in ssh, and add a reminder to the `motd` about the scheduled restart.
 ### Logging
-Global logs can be read using: `sudo journalctl`. This should be your first point of reference for server problems.
+- First point of reference for server problems: `sudo journalctl`
-
+  - Follow new output: `sudo journalctl -f`
-### Troubleshooting
+  - Reverse logs: `sudo journalctl -r`
-
+- Logging in via `ssh` will provide some useful server information in the [`motd`](https://en.wikipedia.org/wiki/Motd_(Unix)).
 #### X2go sessions
 If users do not exit X2Go sessions and the server is improperly shut down (i.e., sudden power loss), corruption may occur which will prevent future logins. Run `x2goterminate-session` as the affected user to help rectify.
 ### Current bugs
 There is a bug in the Windows PIN handling and SMB shares. There are some registry workarounds, but it’s best to avoid that and hope that Microsoft patches the bug in the future.
 ### Configuration files
 I have hard-linked some common file server configuration files in /media/data/documentation for easy administration.
 ## Resources
 - [RHEL documentation](https://access.redhat.com/documentation/en/red-hat-enterprise-linux/)
- [Navigating the Linux CLI](https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management)
+- CLI
  - [Navigating the Linux CLI](https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management)
  - [Explainshell](https://explainshell.com/)
 - [UAB Cheaha](https://docs.uabgrid.uab.edu/wiki/Cheaha_GettingStarted)
 ## Contact
 - [John Rodgers](mailto:jwrodger@uab.edu)
 - [Bryan Roessler](mailto:bryanroessler@gmail.com)
--- a/manual-images/anyconnect.png
+++ b/manual-images/anyconnect.png
--- a/manual-images/filezilla.png
+++ b/manual-images/filezilla.png
--- a/manual-images/samba-windows1.png
+++ b/manual-images/samba-windows1.png
--- a/manual-images/samba-windows2.png
+++ b/manual-images/samba-windows2.png
--- a/manual-images/sftp-native-linux.png
+++ b/manual-images/sftp-native-linux.png
--- a/manual-images/virt-viewer.png
+++ b/manual-images/virt-viewer.png
--- a/manual-images/x2go-session.png
+++ b/manual-images/x2go-session.png
--- a/manual-images/x2go-sharedfolders.png
+++ b/manual-images/x2go-sharedfolders.png
--- a/25
+++ b/25
@@ -0,0 +1,25 @@
 #!/usr/bin/env bash
 # This script will add scripts-* to the PATH
 # Copyright 2021 Bryan C. Roessler
 [[ -f functions ]] && . functions || exit 1
 is_root
 install -m 644 functions /usr/local/bin/
 for script in script-*; do
    install -m755 "$script" /usr/local/bin/
 done
 # Install manual
 manual="README.html"
 [[ ! -f "$manual" ]] && echo "No manual found, skipping!" && exit 1
 for homedir in /home/*; do
    remove=("manual.pdf" "manual.odt" "Notes.pdf" "Notes.odt")
    for f in "${remove[@]}"; do
        [[ -f "$f" ]] && echo "Removing $f" && rm "$f"
    done
    ln -s "$manual" "${homedir}/Desktop/$manual"
 done
--- a/41
+++ b/41
@@ -13,13 +13,13 @@ installdir="/usr/local/bin/"
 [[ ! -d "$installdir" ]] && mkdir -p "$installdir"
 if [[ -v DEBUG ]]; then
-  banner="generate-motd.sh"
+  script="generate-motd.sh"
 else
-  banner="$installdir/generate-motd.sh"
+  script="$installdir/generate-motd.sh"
  [[ -f ./functions ]] && cp -f functions "$installdir" 
 fi
-cat <<- 'EOF' > "$banner"
+cat <<- 'EOF' > "$script"
 #!/usr/bin/env bash
 echo -n '
@@ -33,7 +33,7 @@ echo -n '
 EOF
 # System info
-cat <<- 'EOF' >> "$banner"
+cat <<- 'EOF' >> "$script"
 # get load averages
 IFS=" " read LOAD1 LOAD5 LOAD15 <<<$(cat /proc/loadavg | awk '{ print $1,$2,$3 }')
 # get free memory
@@ -61,7 +61,7 @@ $W  Memory......: $G$USED$W used, $G$AVAIL$W avail, $G$TOTAL$W total$W"
 EOF
 # Disk usage
-cat <<- 'EOF' >> "$banner"
+cat <<- 'EOF' >> "$script"
 # config
 max_usage=90
 bar_width=50
@@ -104,7 +104,7 @@ done
 EOF
 # # Disk health
-# cat <<- 'EOF' >> "$banner"
+# cat <<- 'EOF' >> "$script"
 # # config
 # MAX_TEMP=40
 # # set column width
@@ -176,7 +176,7 @@ EOF
 # Services
-cat <<- 'EOF' >> "$banner"
+cat <<- 'EOF' >> "$script"
 # set column width
 COLUMNS=2
 # colors
@@ -216,7 +216,7 @@ EOF
 # Fail2Ban
-cat <<- 'EOF' >> "$banner"
+cat <<- 'EOF' >> "$script"
 # fail2ban-client status to get all jails, takes about ~70ms
 jails=($(fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) print a[i]}'))
@@ -236,7 +236,24 @@ printf "\nfail2ban status:\n"
 printf $out | column -ts $',' | sed -e 's/^/  /'
 EOF
-# cat <<- 'EOF' > "$banner"
+# Help links
 cat <<- 'EOF' >> "$script"
 Cockpit (graphical admin): http://localhost:9090
 Robot webcam: http://localhost:8888
 Robot computer: vnc://192.168.16.101:5900
 EOF
 # Scheduled reboot
 cat <<- "EOF" >> "$script"
 if systemctl is-active scheduled-reboot.timer; then
    echo -n "Next scheduled reboot: "
    time=$(systemctl cat scheduled-reboot.timer | grep OnCalendar=)
    time=${time#*=}
    echo "$time"
 fi
 EOF
 # cat <<- 'EOF' > "$script"
 # #!/usr/bin/env bash
 # [[ -v NO_MOTD ]] && exit 0
@@ -294,14 +311,14 @@ generate-services() {
 		[Service]
 		Type=simple
-        ExecStart=$banner > /etc/motd
+        ExecStart=$script > /etc/motd
 		[Install]
 		WantedBy=default.target
 	EOF
 	cat <<- 'EOF' > "$timer"
 		[Unit]
-		Description=Generate MoTD on a timer
+		Description=Generate MoTD every minute on a timer
 		[Timer]
 		OnCalendar=*:0/1
@@ -312,7 +329,7 @@ generate-services() {
 	EOF
 }
-chmod +x "$banner"
+chmod +x "$script"
 if [[ -v DEBUG ]]; then
  bash generate-motd.sh
--- a/13
+++ b/13
@@ -1,13 +0,0 @@
 #!/usr/bin/env bash
 # This script will add scripts-* to the PATH
 # Copyright 2021 Bryan C. Roessler
 [[ -f functions ]] && . functions || exit 1
 is_root
 for script in script-*; do
    install "$script" /usr/local/bin/
    install -m 644 functions /usr/local/bin/
 done
--- a/48
+++ b/48
@@ -0,0 +1,48 @@
 #!/usr/bin/env bash
 # Update and restart the system
 # Copyright 2021 Bryan C. Roessler
 [[ -f functions ]] && . functions || exit 1
 is_root
 [[ $# -eq 0 ]] && time='*-*-* 01:30:00' # 1:30AM
 [[ $# -gt 1 ]] && time="$*"
 script-system-update
 ask_ok "Set a scheduled reboot for $time?" || exit 1
 cat <<- "EOF" > "/usr/lib/systemd/system/scheduled-reboot.timer"
 [Unit]
 Description=Scheduled reboot
 [Timer]
 OnCalendar=$time
 Unit=reboot.target
 [Install]
 WantedBy=timers.target
 EOF
 systemctl daemon-reload
 systemctl start scheduled-reboot.timer
 # Current date
 dt=$(date '+%d/%m/%Y %H:%M:%S');
 message="System restart scheduled for $time. The current time is $dt. Make sure all changes are saved."
 # Graphical notification
 IFS=$'\n'
 for LINE in $(w -hs); do
    USER=$(echo "$LINE" | awk '{print $1}')
    USER_ID=$(id -u "$USER")
    DISP_ID=$(echo "$LINE" | awk '{print $8}')
    su "$USER" DISPLAY="$DISP_ID" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/"$USER_ID"/bus notify-send "$message" --icon=dialog-warning
 done
 # Wall notification
 wall -n "$message"
 exit $?
--- a/6
+++ b/6
@@ -4,8 +4,8 @@
 [[ -f functions ]] && . functions || exit 1
 echo "Security updates are automatically installed, use this program to perform a full system update"
 is_root
-dnf update --refresh -y
+ask_ok "Security updates are automatically installed, perform a full system update?" || exit $?
 dnf update --refresh
--- a/6
+++ b/6
@@ -3,10 +3,14 @@
 # Place in /usr/share/smartmontools/smartd_warning.d/ or use "DEVICESCAN -m @smartd-notify-all" in /etc/smartd.conf
 # Copyright 2021 Bryan C. Roessler
 [[ -f functions ]] && . functions || exit 1
 is_root
 IFS=$'\n'
 for LINE in $(w -hs); do
    USER=$(echo "$LINE" | awk '{print $1}')
    USER_ID=$(id -u "$USER")
    DISP_ID=$(echo "$LINE" | awk '{print $8}')
-    sudo -u "$USER" DISPLAY="$DISP_ID" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/"$USER_ID"/bus notify-send "S.M.A.R.T Error ($SMARTD_FAILTYPE)" "$SMARTD_MESSAGE" --icon=dialog-warning
+    su "$USER" DISPLAY="$DISP_ID" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/"$USER_ID"/bus notify-send "S.M.A.R.T Error ($SMARTD_FAILTYPE) $SMARTD_MESSAGE" --icon=dialog-warning
 done