
How to configure a new astronet client box

How to make an astronet client from a virgin machine

BDUFFY 2011-04-26

===============================================
Assign a DHCP entry
===============================================

If this is a new machine:

Get the MAC address of the client box and ask dflynn in ITS to set up a DHCP entry with the desired name before installing RHEL5.

This makes setup go more smoothly for a number of reasons.

===============================================
Install RHEL5.4
===============================================

Carleton has a subscription only for the Server version, and by default the Virtualization hosting options are preconfigured.  Turn them off during the installation process.

Set SELinux to Permissive.

When setting the system time, make sure to open the ntpd tab and select the option to get time from the local time servers.

No matter how many times the installer asks you, *do not* register the box during RHEL5 installation.  We will register the machine later on.

===============================================
Mount thuban’s LVMs
===============================================

On Thuban:

Add client to thuban’s /etc/hosts file:

137.22.6.xxx   <client>.physics.carleton.edu   <client>

Modify /etc/exports to export to <client>.  Here’s a set of entries for the client Mirzam:

# Mirzam – Joel’s office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/usr/share/astro  137.22.6.89(rw,insecure,sync,no_root_squash)

Run ‘exportfs -a’ afterwards.
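The export entries above grant every listed client ‘insecure’ and ‘no_root_squash’ on every share, including /etc/secret.  As an added check (example code, not part of thuban’s configuration), this POSIX sh function walks an /etc/exports file and lists which host has been granted which of those two options on which path, so a review of the exports file can be done at a glance.  The sample exports file is constructed here; 137.22.6.89 is Mirzam’s address from the notes, 137.22.6.90 is a made-up second client.

```shell
#!/bin/sh
# Audit an exports(5) file: report every (path, host, option) where the
# option is one of the two that widen access beyond the NFS defaults.
# Added example, not thuban's own tooling.

# Constructed sample in the same shape as the Mirzam entries above.
# 137.22.6.90 and its options are invented for the example.
SAMPLE_EXPORTS=$(cat <<'EOF'
# Mirzam - office machine
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(ro,sync) 137.22.6.90(rw,sync,no_root_squash)
EOF
)

# audit_exports FILE: print "path host option" for each flagged option.
# Each whitespace-separated field after the path is a host[(opts)] spec.
audit_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        if (match(host, /\(.*\)/)) {       # split "host(opt,opt)" apart
          opts = substr(host, RSTART + 1, RLENGTH - 2)
          host = substr(host, 1, RSTART - 1)
        }
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] == "no_root_squash" || o[j] == "insecure")
            printf "%s %s %s\n", path, host, o[j]
      }
    }' "$1"
}

# count_flagged FILE: number of flagged (path, host, option) triples.
count_flagged() { audit_exports "$1" | wc -l | tr -d ' '; }

# Write the constructed sample to a temp file and audit it.
main() {
  tmp=$(mktemp) || exit 1
  printf '%s\n' "$SAMPLE_EXPORTS" > "$tmp"
  audit_exports "$tmp"
  rm -f "$tmp"
}
```

Run it against the live file with ‘audit_exports /etc/exports’ on thuban; an empty result means no client has either option.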

On <client>:

Add entry for thuban to <client>:/etc/hosts:

# astronet hosts
137.22.6.9  thuban.physics.carleton.edu thuban

Create mount points for thuban’s partitions:

mkdir /home /etc/secret /data /docs /usr/share/astro

Append these lines into /etc/fstab to mount thuban’s exported partitions:

thuban:/home /home   nfs defaults 1 1
thuban:/etc/secret   /etc/secret nfs defaults 1 1
thuban:/data /data   nfs defaults 1 1
thuban:/docs /docs   nfs defaults 1 1
thuban:/usr/share/astro  /usr/share/astro nfs defaults 1 1

Execute ‘mount -a’ and verify that the partitions have been mounted.

NOTES:

One of the mounted LVMs, ‘/etc/secret’ contains many of the resources we use to configure clients.  See below for details…

===============================================
Register machine with Carleton’s Science Group at redhat.com
===============================================

Execute:

/etc/secret/clientconfig/rhnreg-to-science-group.sh

NOTES:

Rich Graves in ITS created a “Science Group” at rhn.redhat.com and made me the owner.  The Science group has its own registration key.  Register all my linux boxes with rhn as one of my ‘Science’ linux boxes on campus by running the above script.

NOTE: Via rhn.redhat.com, I modified the Science group by adding access to additional rpm download ‘channels’ for the entire group so that we can download non-server related rpms such as openoffice.org-*

===============================================
Configure client to participate in /etc/secret system
===============================================

Append these lines to /etc/crontab:

#
## ASTRONET CONFIG
14,29,44,59 * * * * root /etc/secret/cron/import-acct-info.cron

NOTES:

This makes the client fetch master copies of the /etc/passwd, /etc/shadow, /etc/group and /etc/hosts files from the server.

See thuban:/etc/secret/README.txt for details…

===============================================
YUM configuration:
===============================================

Insert these lines into /etc/yum.conf:

keepalive=1
retries=0
timeout=0
exclude=kernel*

Append these lines to <client>:/etc/crontab:

# ASTRONET CONFIG
04 3 * * * root /etc/secret/cron/yum-update.cron

NOTES:

The yum.conf lines exclude kernel updates and tell yum to keep trying to download rpms when redhat’s repository is flaky.

The crontab change automates a nightly ‘yum -y update’ to update the machine’s rpms.

NOTE: Carleton maintains a RHEL 5.2 yum update cache, but I decided not to use it.  See http://rhn.carleton.edu/pub/RedHat/keys.html

At the time I was configuring the clients, access to rhn’s package repository was very flaky, and changing the clients to work through carleton’s cache made it even worse, so I undid this change.

Notes from talking to Rich re RHEL AS5 support:

RHEL5’s yum uses a stripped down version of up2date to connect to its rpm repositories.

Rich said I should run ‘yum clean all; yum -y upgrade’ rather than just ‘yum -y update’.  The clean gets rid of partially downloaded packages, and ‘upgrade’ is better than ‘update’ because it will actually replace outdated packages with newer replacements, as when ‘seamonkey’ browser was superseded by firefox.

I decided not to use ‘upgrade’ — because I thought it could invalidate assumptions made by science packages.

===============================================
Install master list of yum packages:
===============================================

Run:

/etc/secret/clientconfig/install-programs/install-packages.sh

You may need to temporarily comment out the ‘exclude=kernel*’ line in /etc/yum.conf if yum decides it needs to pull in ‘kernel-headers’.  Don’t forget to uncomment the line when you’re done.

NOTES:

James did a ‘yum list installed’ on a fully populated client and converted the output into the ‘yum -y install’ script named above.  This script is essentially the master list of installed packages for the astronet client machines.

===============================================
Enable user ldap authentication
===============================================

Run:

rpm -i --force /etc/secret/clientconfig/carletonldapauth-1.02-3.noarch

NOTES:

Because most user accounts inherited from algol were defined to authenticate against their Carleton netid/password, the /etc/secret system assumes you’ve installed this rpm:

# rpm -i --force carletonldapauth-1.02-3.noarch

…which can be found at http://rhn.carleton.edu/pub/

===============================================
Mount network drives script
===============================================

Run:

/etc/secret/clientconfig/mntdrive-scripts/install-mntdrives.sh

NOTE: This script only works for users logged into accts that match their Carleton online accts. If you’re logged in as root or any other acct whose username doesn’t map to a Carleton online user it won’t work.

===========================================================
Printer configs (Olin301, 304)
===========================================================

Run:

/etc/secret/clientconfig/printers/install-ppds.sh

This will stuff the xerox ppd files into /usr/share/cups/model/Xerox

Invoke the web-based CUPS configuration panel by pointing a web browser at http://localhost:631.
NOTE: If CUPS doesn’t come up properly, reboot the machine.

First, configure CUPS to show only local printer definitions by going to the admin page and deselecting ‘see other printers’.

Add the printers OLIN301-X4500 and OLIN304-X6350 by doing the following:

1. Select ‘Add printer’

2. On the ‘Add new printer’ page, enter the printer’s name & desc and select ‘continue’

3. On the ‘Device for ‘ page, select ‘LPD/LPR Host or Printer’ from the ‘Device’ dropdown menu and select ‘continue’.

4. On the ‘Device URI for ‘ page, in the ‘Device URI’ field, enter ‘lpd://goprint.its.carleton.edu/<printername>’. For example ‘lpd://goprint.its.carleton.edu/olin301-x4500’.

5. Then select make and model of the printer (Xerox, (‘phaser 4500DT’ or ‘phaser 6350DP’))

After the printer is defined, edit the printer definition to set 2-sided printing.

For Xerox Phaser 4500’s, auto tray select doesn’t seem to work, so set paper source to ‘Tray 2’.

Print test page.

===============================================
Install ATI graphics driver (Not necessary as of RHEL5.3)
===============================================
OBSOLETE
Follow the instructions in:

/etc/secret/clientconfig/videodrivers/video-drvr-instruct.txt

Run /etc/secret/clientconfig/selinux-policy-mod/fix-selinux.sh

NOTES:

We’ve learned that when selinux is active it prevents the graphics driver from getting the access it needs to prevent drag-tearing.  Running fix-selinux.sh fixes that.

See ~/Work/Notes/Linux/RHEL5/SELinux-graphics-card-speedup.txt for details on how to build the policy module.

================================================================
Make Graphics DRI accessible to non-root users
================================================================

Append these lines to /etc/X11/xorg.conf:

Section "DRI"
    Mode 0666
EndSection

NOTES:

Apps that use the Direct Rendering Interface for fast screen writing (such as idl71’s idlde) can’t run properly on the optiplex 755’s unless you change the permissions on /dev/dri/* from 600 to 666.

The challenge was to find the right file that would change these perms at the right time. At first I thought that modding the <dri> entry at the bottom of /etc/security/console.perms.d/50-default.perms would do it, but it didn’t work. That’s because the dri devices don’t exist at the time this file is applied at boot, but only after X is launched.

================================================
Enable sound for non-root users:
================================================

Run:

/etc/secret/clientconfig/device-permissions-fix/install-device-fix

NOTES:

With the version of RHEL5 we installed, sound doesn’t work for non-root users unless you run the script above.

The script modifies /etc/security/console.perms.d/50-default.perms, which resets device perms at boot time.  In particular it mods that file to set the perms for /dev/audio (or rather the <sound> group of devices that includes /dev/audio) to ‘0666’:

[root@NCHRISTE41272]# diff 50-default.perms~ 50-default.perms
37c37
< <console>  0600 <sound>  0600 root
> <console>  0666 <sound>  0666 root
[root@NCHRISTE41272 console.perms.d]#

===============================================
Enable non-root users to use usb key drives
===============================================

Run:

/etc/secret/clientconfig/usb-key-drive-fix/install-hal-fix.sh

NOTES:

On a vanilla RHEL5.3 install, inserting a usb key drive when you are NOT root will result in failure to mount the key drive and a nasty “DBus.Error.AccessDenied on Hal.FindDeviceByCapability” popup.

The above script installs an alternate copy of the file that fixes the problem by commenting out the last two “deny” lines in /etc/dbus-1/system.d/hal.conf

See thuban:/etc/secret/clientconfig/usb-key-drive-fix/README.txt for details…

===============================================
Modify client to show host name and time at login screen *and* to allow
user switching from locked screen.
===============================================

Run:

/etc/secret/clientconfig/gdmtheme/install-gdmtheme.sh

NOTES:

The script installs a modified version of /usr/share/gdm/themes/RHEL/RHEL.xml.  James diff’d rigel’s version (a RHEL4 system that showed the host and time in the LR of the screen) to deneb’s (a new RHEL5 system) and found this difference (after prettyprinting the xml files with ‘tidy’):

276,290d275
<   <item type=”rect”>
<   <pos anchor=”se” x=”100%” y=”100%” width=”box” height=”box” />
<   <box orientation=”vertical” xpadding=”50″ spacing=”5″>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%h</text>
<   </item>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%c</text>
<   </item>
<   </box>
<   </item>

NOTE: you can test a theme by launching this app:

gdmthemetester xdmcp <theme name, in this case “RHEL”>

===============================================
Create symlink to g95
===============================================

Execute:

ln -s /usr/share/astro/g95/bin/i686-pc-linux-gnu-g95 /usr/bin/g95

NOTES:

Joel needed to find g77 and g95 (GNU Fortran compilers).

I installed g77 on all machines like so:
yum install compat-gcc-34-g77

… and added this package to the master yum install script in thuban:/etc/secret/clientconfig/

But g95 (which was already on the shared partition /usr/share/astro) couldn’t find libg2c.  Joel did some more digging and found it in /usr/lib/libg2c.so.0.0.0 and created the above symlink to it in /usr/share/astro so that his /usr/share/astro scripts could find it more easily…

===============================================
Install Denyhosts (new as of April 2009)
===============================================

Install from:

rpm -i /etc/secret/clientconfig/denyhosts/denyhosts-2.6-5.fc6.noarch.rpm

Select the proper rpm based on the post in this blog that deals with denyhosts.

Configure and run:

cp /etc/secret/clientconfig/denyhosts/denyhosts.conf /etc/ [yes to overwrite!]
chkconfig --level 345 denyhosts on
service denyhosts start

===============================================
Configure shells to check user quota at terminal launch
===============================================

Append these lines to /etc/bashrc:

# Check user's quota at terminal launch
if [ "$PS1" ]; then
    /etc/secret/bin/quotacheck.sh
fi

Append these lines to /etc/csh.cshrc:

# Check user's quota at terminal launch
if ($?prompt) then
    /etc/secret/bin/quotacheck.sh
endif

Append these lines to /etc/zshrc:

# Check user's quota at terminal launch
if [[ -o interactive ]]; then
    "/etc/secret/bin/quotacheck.sh"
fi

===============================================
Reboot
===============================================

Reboot the machine so that the OS can pick up the permission changes you made to the sound and usb devices.

===============================================
Turn off avahi service
===============================================

Avahi is a port of Apple’s Bonjour service and it generates a lot of spam in the /var/log/messages file. To turn it off issue these commands as root:

/sbin/chkconfig avahi-daemon off
/sbin/service avahi-daemon stop
