Month: February 2009

Kernel modules must be present on RHEL >= 5.3

Updates to the RHEL kernel change the location of and/or delete any custom kernel modules that have been compiled (this applies most notably right now to graphics drivers). In the past this has been OK as I usually just recompile any modules against the new kernel after updating. Unfortunately, it seems that, starting in RHEL 5.3, the kernel will panic whenever it is asked to load a module that does not exist, instead of just throwing a polite error.

I noticed this with graphics drivers – the machine screen will go blank AND ssh will not function if X11 asks the kernel to load a graphics driver module that no longer exists. So, it is important when updating kernels now to remove any references to custom modules (i.e., modules not managed by yum) prior to rebooting after a kernel update. (Yet another reason that we don’t pull down kernel updates automatically!)

In the case of the graphics driver — which is the only custom module as of Feb 2009 — this is painless because the driver installer backs up the vanilla conf file. This means that you have to delete /etc/X11/xorg.conf and rename /etc/X11/xorg.conf.original-x (the vanilla backup, where “x” is a small integer or zero) to /etc/X11/xorg.conf prior to reboot. If you forget, you must boot into knoppix or something similar off a CD, mount the hard disk and make this same change.

-James

Cyclic Dependency in Java SDK Packages (RHEL 5.3 only)

As of Feb 2009, the RHEL5.3 yum repository has a cyclic dependency in some java packages that may be installed as dependencies by some openoffice.org packages. This will cause yum to be unable to update.

openoffice.org applications are java-based, and some of them require a java-SDK in addition to the normal java system. RHEL 5 provides a bunch of different java packages from many sources (Sun, IBM, BEA, etc.). If you don’t have an SDK installed when installing some openoffice.org packages, yum will select one for you in order to fulfill dependencies. Beginning in RHEL 5.3, yum defaults to choosing the java sdk package from BEA if not instructed otherwise.

The java-1.x.x-bea packages, unfortunately, currently are involved in a cyclic dependency – which makes yum very unhappy when told to update.

To avoid this, install the Sun SDK package ahead of time:
#> yum install java-1.6.0-sun-devel
…after this, install whatever openoffice package you need!

Our automatic package setup script (which installs the packages and apps used on all default astronet machines) at /etc/secret/clientconfig/install-programs/install_packages.sh has been updated to reflect this problem by specifying the sun package explicitly. Only machines where packages are being installed by hand should need to worry about this.

–James

How to configure a new astronet client box

How to make an astronet client from a virgin machine

BDUFFY 2011-04-26

===============================================
Assign a DHCP entry
===============================================

If this is a new machine:

Get the macaddr of the client box and ask dflynn in ITS to set up a DHCP entry with the desired name before installing RHEL5.

This makes setup go more smoothly for a number of reasons.

===============================================
Install RHEL5.4
===============================================

Carleton has only a subscription for the Server version, and by default Virtualization hosting options are preconfigured.  Turn them off during the installation process.

Set SELinux to Permissive.

When setting the system time, make sure to open the ntpd tab and select the option to get time from the local time servers.

No matter how many times the installer asks you, *do not* register the box during RHEL5 installation.  We will register the machine later on.

===============================================
Mount thuban’s LVMs
===============================================

On Thuban:

Add client to thuban’s /etc/hosts file:

137.22.6.xxx   <client>.physics.carleton.edu   <client>

Modify /etc/exports to export to <client>.  Here’s a set of entries for the client Mirzam:

# Mirzam – Joel’s office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/usr/share/astro  137.22.6.89(rw,insecure,sync,no_root_squash)

Run ‘exportfs -a’ afterwards.

On <client>:

Add entry for thuban to <client>:/etc/hosts:

# astronet hosts
137.22.6.9  thuban.physics.carleton.edu thuban

Create mount points for thuban’s partitions (-p skips any that already exist, such as /home):

mkdir -p /home /etc/secret /data /docs /usr/share/astro

Append these lines into /etc/fstab to mount thuban’s exported partitions:

thuban:/home /home   nfs defaults 1 1
thuban:/etc/secret   /etc/secret nfs defaults 1 1
thuban:/data /data   nfs defaults 1 1
thuban:/docs /docs   nfs defaults 1 1
thuban:/usr/share/astro  /usr/share/astro nfs defaults 1 1

Execute:

‘mount -a’ to verify that the partitions have been mounted

NOTES:

One of the mounted LVMs, ‘/etc/secret’, contains many of the resources we use to configure clients.  See below for details…
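
The export entries above give each client `no_root_squash` (root on the client is treated as root on the exported files) and `insecure` (requests from unprivileged source ports are accepted). The following is an added example, not part of the original notes: a small audit that lists every path/client pair carrying those options, plus exports open to any host. The function names and the 192.0.2.89 sample address are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): flag risky options in
# exports(5)-format lines read from stdin.
# Output: one "path client finding" line per problem; exit status 1 if any.

audit_exports() {
    local line path spec client opts opt rc=0
    local -a fields optlist
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        read -ra fields <<< "$line"            # split on whitespace, no globbing
        [ "${#fields[@]}" -ge 2 ] || continue  # need a path and at least one client
        path=${fields[0]}
        for spec in "${fields[@]:1}"; do
            case $spec in
                *"("*")") client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)        client=$spec; opts= ;;
            esac
            # An empty client or "*" exports to every host that can reach the server.
            if [ -z "$client" ] || [ "$client" = "*" ]; then
                echo "$path ${client:-<any>} world-export"; rc=1
            fi
            IFS=, read -ra optlist <<< "$opts"
            for opt in "${optlist[@]}"; do
                case $opt in
                    no_root_squash) echo "$path ${client:-<any>} no_root_squash"; rc=1 ;;
                    insecure)       echo "$path ${client:-<any>} insecure"; rc=1 ;;
                esac
            done
        done
    done
    return $rc
}

# Constructed sample: the option set used in the Mirzam entries, on a
# documentation address, next to a read-only entry that passes the audit.
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real host
/home        192.0.2.89(rw,insecure,sync,no_root_squash)
/etc/secret  192.0.2.89(rw,insecure,sync,no_root_squash)
/docs        192.0.2.89(ro,sync,root_squash)
EOF
}

sample_exports | audit_exports || echo "review the entries listed above"
```

On the server the same function can be fed the live file with `audit_exports < /etc/exports`.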

===============================================
Register machine with Carleton’s Science Group at redhat.com
===============================================

Execute:

/etc/secret/clientconfig/rhnreg-to-science-group.sh

NOTES:

Rich Graves in ITS created a “Science Group” at rhn.redhat.com and made me the owner.  The Science group has its own registration key.  Register all my linux boxes with rhn as one of my ‘Science’ linux boxes on campus by running the above script.

NOTE: Via rhn.redhat.com, I modified the Science group by adding access to additional rpm download ‘channels’ for the entire group so that we can download non-server related rpms such as openoffice.org-*

===============================================
Configure client to participate in /etc/secret system
===============================================

Append these lines to /etc/crontab:

#
## ASTRONET CONFIG
14,29,44,59 * * * * root /etc/secret/cron/import-acct-info.cron

NOTES:

This makes the client import master copies of the /etc/(passwd,shadow,group,host) files from the server.

See thuban:/etc/secret/README.txt for details…

===============================================
YUM configuration:
===============================================

Insert these lines into /etc/yum.conf:

keepalive=1
retries=0
timeout=0
exclude=kernel*

Append these lines to <client>:/etc/crontab:

# ASTRONET CONFIG
04 3 * * * root /etc/secret/cron/yum-update.cron

NOTES:

The yum.conf lines exclude kernel updates and tell yum to keep trying to download rpms when redhat’s repository is flaky.

The crontab change automates a nightly ‘yum -y update’ to update the machine’s rpms.

NOTE: Carleton maintains a RHEL 5.2 yum update cache, but I decided not to use it.  See http://rhn.carleton.edu/pub/RedHat/keys.html

At the time I was configuring the clients, access to rhn’s package repository was very flaky, and changing the clients to work through carleton’s cache made it even worse, so I undid this change.

Notes from talking to Rich re RHEL AS5 support:

RHEL5’s yum uses a stripped down version of up2date to connect to its rpm repositories.

Rich said I should run ‘yum clean all; yum -y upgrade’ rather than just ‘yum -y update’.  The clean gets rid of partially downloaded packages, and ‘upgrade’ is better than ‘update’ because it will actually replace outdated packages with newer replacements, as when ‘seamonkey’ browser was superseded by firefox.

I decided not to use ‘upgrade’ — because I thought it could invalidate assumptions made by science packages.

===============================================
Install master list of yum packages:
===============================================

Run:

/etc/secret/clientconfig/install-programs/install-packages.sh

You may need to temporarily comment out the ‘exclude=kernel*’ line in /etc/yum.conf if yum decides it needs to pull in ‘kernel-headers’.  Don’t forget to uncomment the line when you’re done.

NOTES:

James did a ‘yum list installed’ on a fully populated client and converted the output into the ‘yum -y install’ script named above.  This script is essentially the master list of installed packages for the astronet client machines.

===============================================
Enable user ldap authentication
===============================================

Run:

rpm -i --force /etc/secret/clientconfig/carletonldapauth-1.02-3.noarch

NOTES:

Because most user accts inherited from algol were defined to authenticate against their Carleton netid/pw, the /etc/secret system assumes you’ve installed this rpm:

# rpm -i --force carletonldapauth-1.02-3.noarch

…which can be found at http://rhn.carleton.edu/pub/

===============================================
Mount network drives script
===============================================

Run:

/etc/secret/clientconfig/mntdrive-scripts/install-mntdrives.sh

NOTE: This script only works for users logged into accts that match their Carleton online accts. If you’re logged in as root or any other acct whose username doesn’t map to a Carleton online user it won’t work.

===========================================================
Printer configs (Olin301, 304)
===========================================================

Run:

/etc/secret/clientconfig/printers/install-ppds.sh

This will stuff the xerox ppd files into /usr/share/cups/model/Xerox

Invoke the web based CUPS configuration panel by pointing a web browser at this URL: (‘http://localhost:631’).
NOTE: If CUPS doesn’t come up properly, reboot the machine.

First, configure CUPS to show only local printer definitions by going to the admin page and deselecting ‘see other printers’.

Add the printers OLIN301-X4500 and OLIN304-X6350 by doing the following:

1. Select ‘Add printer’

2. On the ‘Add new printer’ page, enter the printer’s name & desc and select ‘continue’

3. On the ‘Device for ‘ page, select ‘LPD/LPR Host or Printer’ from the ‘Device’ dropdown menu and select ‘continue’.

4. On the ‘Device URI for ‘ page, in the ‘Device URI’ field, enter ‘lpd://goprint.its.carleton.edu/<printername>’. For example ‘lpd://goprint.its.carleton.edu/olin301-x4500’.

5. Then select make and model of the printer (Xerox, (‘phaser 4500DT’ or ‘phaser 6350DP’))

After the printer is defined, edit the printer definition to set 2-sided printing.

For Xerox Phaser 4500’s, auto tray select doesn’t seem to work, so set paper source to ‘Tray 2’.

Print test page.

===============================================
Install ATI graphics driver (Not necessary as of RHEL5.3)
===============================================
OBSOLETE
Follow the instructions in:

/etc/secret/clientconfig/videodrivers/video-drvr-instruct.txt

Run /etc/secret/clientconfig/selinux-policy-mod/fix-selinux.sh

NOTES:

We’ve learned that when selinux is active it prevents the graphics driver from getting the access it needs to prevent drag-tearing.  Running fix-selinux.sh fixes that.

See ~/Work/Notes/Linux/RHEL5/SELinux-graphics-card-speedup.txt for details on how to build the policy module.

================================================================
Make Graphics DRI accessible to non-root users
================================================================

Append these lines to /etc/X11/xorg.conf:

Section "DRI"
    Mode 0666
EndSection

NOTES:

Apps that use the Direct Rendering Interface for fast screen writing (such as idl71’s idlde) can’t run properly on the optiplex 755’s unless you change the permissions on /dev/dri/* from 600 to 666.

The challenge was to find the right file that would change these perms at the right time. At first I thought that modding the <dri> entry at the bottom of /etc/security/console.perms.d/50-default.perms would do it, but it didn’t work. That’s because the dri devices don’t exist at the time this file is applied at boot, but only after X is launched.

================================================
Enable sound for non-root users:
================================================

Run:

/etc/secret/clientconfig/device-permissions-fix/install-device-fix

NOTES:

With the version of RHEL5 we installed, sound doesn’t work for root unless you run the script above.

The script modifies /etc/security/console.perms.d/50-default.perms, which resets device perms at boot time.  In particular it mods that file to set the perms for /dev/audio (or rather the <sound> group of devices that includes /dev/audio) to ‘0666’:

[root@NCHRISTE41272]# diff 50-default.perms~ 50-default.perms
37c37
< <console>  0600 <sound>  0600 root

> <console>  0666 <sound>  0666 root
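Review bot: line 37 changes both mode fields on the <sound> entry from 0600 to 0666, so the sound devices become readable and writable by every account on the box rather than by one owner. A narrower change, such as 0660 with a dedicated audio group as owner, would give the intended users sound without world access.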
[root@NCHRISTE41272 console.perms.d]#

===============================================
Enable non-root users to use usb key drives
===============================================

Run:

/etc/secret/clientconfig/usb-key-drive-fix/install-hal-fix.sh

NOTES:

On a vanilla RHEL5.3 install, inserting a usb key drive when you are NOT root will result in failure to mount the key drive and a nasty “DBus.Error.AccessDenied on Hal.FindDeviceByCapability” popup.

The above script installs an alternate copy of the file that fixes the problem by commenting out the last two “deny” lines in /etc/dbus-1/system.d/hal.conf

See thuban:/etc/secret/clientconfig/usb-key-drive-fix/README.txt for details…

===============================================
Modify client to show host name and time at login screen *and* to allow
user switching from locked screen.
===============================================

Run:

/etc/secret/clientconfig/gdmtheme/install-gdmtheme.sh

NOTES:

The script installs a modified version of /usr/share/gdm/themes/RHEL/RHEL.xml.  James diff’d rigel’s version (a RHEL4 system that showed the host and time in the LR of the screen) to deneb’s (a new RHEL5 system) and found this difference (after prettyprinting the xml files with ‘tidy’):

276,290d275
<   <item type=”rect”>
<   <pos anchor=”se” x=”100%” y=”100%” width=”box” height=”box” />
<   <box orientation=”vertical” xpadding=”50″ spacing=”5″>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%h</text>
<   </item>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%c</text>
<   </item>
<   </box>
<   </item>

NOTE: you can test a theme by launching this app:

gdmthemetester xdmcp <theme name, in this case “RHEL”>

===============================================
Create symlink to g95
===============================================

Execute:

ln -s /usr/share/astro/g95/bin/i686-pc-linux-gnu-g95 /usr/bin/g95

NOTES:

Joel needed to find g77 and g95 (GNU Fortran compilers).

I installed g77 on all machines like so:
yum install compat-gcc-34-g77

… and added this package to the master yum install script in thuban:/etc/secret/clientconfig/

But g95 (which was already on the shared partition /usr/share/astro) couldn’t find libg2c.  Joel did some more digging and found it in /usr/lib/libg2c.so.0.0.0 and created the above symlink to it in /usr/share/astro so that his /usr/share/astro scripts could find it more easily…

===============================================
Install Denyhosts (new as of April 2009)
===============================================

Install from:

rpm -i /etc/secret/clientconfig/denyhosts/denyhosts-2.6-5.fc6.noarch.rpm

Select the proper rpm based on the post in this blog that deals with denyhosts.

Configure and run:

cp /etc/secret/clientconfig/denyhosts/denyhosts.conf /etc/ [yes to overwrite!]
chkconfig --level 345 denyhosts on
service denyhosts start

===============================================
Configure shells to check user quota at terminal launch
===============================================

Append these lines to /etc/bashrc:

# Check user's quota at terminal launch
if [ "$PS1" ]; then
    /etc/secret/bin/quotacheck.sh
fi

Append these lines to /etc/csh.cshrc:

# Check user's quota at terminal launch
if ($?prompt) then
    /etc/secret/bin/quotacheck.sh
endif

Append these lines to /etc/zshrc:

# Check user's quota at terminal launch
if [[ -o interactive ]]; then
    "/etc/secret/bin/quotacheck.sh"
fi

===============================================
Reboot
===============================================

Reboot the machine so that the OS can pick up the permission changes you made to the sound and usb devices.

===============================================
Turn off avahi service
===============================================

Avahi is a port of Apple’s Bonjour service and it generates a lot of spam in the /var/log/messages file. To turn it off issue these commands as root:

/sbin/chkconfig avahi-daemon off
/sbin/service avahi-daemon stop

Issues Upgrading from RHEL 5.2 to 5.3

As of the date of this posting, the latest version of Red Hat — and the version being used on all astronet machines — is 5.3, identified by kernel versions >= 2.6.18-128

If for some reason it ever becomes the case that a machine must be upgraded from 5.x to 5.3, Bruce and I ran into some hiccups in yum regarding the updating process.

Ideally, machines can be upgraded to a new RHEL release version simply by
1.) Removing any excluded packages by commenting out any exclude=XXXXX lines in /etc/yum.conf
2.) Running yum -y upgrade
3.) Coming back ~25 mins later and rebooting the machine.
4.) Uncommenting the traditional package excludes so updating can continue automatically as before

Unfortunately, as of this posting the 5.3 version of the tog-pegasus package from RedHat refuses to do an update install – and in fact hangs the update process. All of our machines that were up-and-running when 5.3 was released tried to get this package (because of our automatic update cron job) and the yum process was permanently hung.

The fix:
1.) See if any yum processes are currently being hung up by tog-pegasus
>> ps auxwww | grep -i yum
2.) If there are any yum processes running, and it looks like they’ve been running for a while, they’re probably hung. Reboot to kill the processes.
3.) When you’re back online, check again to see if any yum processes are running and kill (all of) them.
>> ps auxwww | grep -i yum
>> kill -9 <PIDs>
4.) Uninstall the following packages (tog-pegasus and openoffice must be wholly removed)
>> yum erase tog-pegasus openoffice.org-*
5.) Remove any excluded packages by commenting out any exclude=XXXXX lines in /etc/yum.conf
6.) Now try the update again
>> yum -y upgrade
7.) Come back in ~25 mins and make sure everything has completed. When yum tells you it’s done, reboot.
8.) Reinstall openoffice by running the script below or by hand with yum install
>> /etc/secret/clientconfig/install-programs/install-programs.sh
9.) Clear yum’s unfinished-transaction log so it forgets about the whole ordeal and doesn’t bug us about it
>> yum-complete-transaction --cleanup-only

Don’t bother reinstalling tog-pegasus, it’s nothing we will ever need.
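
Both procedures above comment out the exclude= lines in /etc/yum.conf and rely on someone remembering to uncomment them; if that step is missed, the nightly update cron job starts pulling kernels again. The following is an added example, not one of the astronet scripts: a wrapper that disables the excludes, runs a command, and restores exactly the lines it touched even when the command fails or is interrupted. The marker string and function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original page): run a command with the
# exclude= lines of a yum.conf commented out, then restore exactly those lines.

MARK='#tmp-off# '   # hypothetical marker; tags only the lines this script disabled

rewrite_in_place() {            # $1 = sed expression, $2 = file
    local tmp rc
    tmp=$(mktemp) || return 1
    # cat back into the file so its owner, mode and SELinux context are kept
    sed "$1" "$2" > "$tmp" && cat "$tmp" > "$2"; rc=$?
    rm -f "$tmp"
    return $rc
}

disable_excludes() { rewrite_in_place "s/^\([[:space:]]*exclude[[:space:]]*=\)/${MARK}\1/" "$1"; }
restore_excludes() { rewrite_in_place "s/^${MARK}//" "$1"; }

# True while at least one exclude= line is in force.
excludes_active() { grep -q '^[[:space:]]*exclude[[:space:]]*=' "$1"; }

with_excludes_off() {           # $1 = yum.conf path, rest = command to run
    local conf=$1 rc; shift
    disable_excludes "$conf" || return 1
    # Restore on interruption too, so Ctrl-C does not leave kernel updates enabled.
    trap "restore_excludes $(printf '%q' "$conf"); exit 130" INT TERM HUP
    "$@"; rc=$?
    trap - INT TERM HUP
    restore_excludes "$conf" || return 1
    return $rc
}

# Constructed sample built from the yum.conf lines shown earlier on this page,
# plus one line an admin had already commented out by hand.
demo_conf=$(mktemp)
printf '%s\n' '[main]' 'keepalive=1' 'retries=0' 'timeout=0' \
    'exclude=kernel*' '#exclude=old-entry' > "$demo_conf"
# Stand-in for "yum -y upgrade": count the active excludes, then fail on purpose.
with_excludes_off "$demo_conf" sh -c 'grep -c "^exclude" "$0"; exit 3' "$demo_conf"
echo "command exit status: $?"
excludes_active "$demo_conf" && echo "exclude=kernel* is back in force"
rm -f "$demo_conf"
```

On a client the call would be `with_excludes_off /etc/yum.conf yum -y upgrade`, followed by `excludes_active /etc/yum.conf` as the check before walking away.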

**AS OF 2/4/2009 AND TO THE EXTENT OF MY KNOWLEDGE, ALL ASTRONET MACHINES ARE UPGRADED TO RHEL 5.3 AND FUNCTIONING**