Bruce installed a fourth license onto deneb.
Deneb and Sirius are housed in 302 for the summer.
Joel
The /home user quotas for all existing users have been bumped from 80M to 200M to handle Firefox’s big disk footprint.
Our former quota of 80M was insufficient for the latest version of Firefox. By default Firefox uses 50M for file caching and another 30M->90M to stash a per-user copy of an anti-phishing blacklist file. Together, these two things could consume the entire original quota of 80M through normal Firefox usage. Rather than turning off Firefox’s caching and anti-phishing features I asked James to bump the quota from 80M to 200M and edited the ‘new user’ checklist post with the new values.
How to make an astronet client from a virgin machine
BDUFFY 2011-04-26
===============================================
Assign a DHCP entry
===============================================
If this is a new machine:
Get the macaddr of the client box and ask dflynn in ITS to set up a DHCP entry with the desired name before installing RHEL5.
This makes setup go more smoothly for a number of reasons.
===============================================
Install RHEL5.4
===============================================
Carleton only has a subscription for the Server version, and by default the Virtualization hosting options are preconfigured. Turn them off during the installation process.
Set SELinux to Permissive.
When setting the system time, make sure to open the ntpd tab and select the option to get time from the local time servers.
No matter how many times the installer asks you, *do not* register the box during RHEL5 installation. We will register the machine later on.
===============================================
Mount thuban’s LVMs
===============================================
On Thuban:
Add client to thuban’s /etc/hosts file:
137.22.6.xxx <client>.physics.carleton.edu <client>
Modify /etc/exports to export to <client>. Here’s a set of entries for the client Mirzam:
# Mirzam – Joel’s office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret 137.22.6.89(rw,insecure,sync,no_root_squash)
/usr/share/astro 137.22.6.89(rw,insecure,sync,no_root_squash)
Run ‘exportfs -a’ afterwards.
On <client>:
Add entry for thuban to <client>:/etc/hosts:
# astronet hosts
137.22.6.9 thuban.physics.carleton.edu thuban
Create mount points for thuban’s partitions:
mkdir /home /etc/secret /data /docs /usr/share/astro
Append these lines into /etc/fstab to mount thuban’s exported partitions:
thuban:/home /home nfs defaults 1 1
thuban:/etc/secret /etc/secret nfs defaults 1 1
thuban:/data /data nfs defaults 1 1
thuban:/docs /docs nfs defaults 1 1
thuban:/usr/share/astro /usr/share/astro nfs defaults 1 1
Execute:
‘mount -a’ to verify that the partitions have been mounted
NOTES:
One of the mounted LVMs, ‘/etc/secret’ contains many of the resources we use to configure clients. See below for details…
===============================================
Register machine with Carleton’s Science Group at redhat.com
===============================================
Execute:
/etc/secret/clientconfig/rhnreg-to-science-group.sh
NOTES:
Rich Graves in ITS created a “Science Group” at rhn.redhat.com and made me the owner. The Science group has its own registration key. Register all my linux boxes with rhn as one of my ‘Science’ linux boxes on campus by running the above script.
NOTE: Via rhn.redhat.com, I modified the Science group by adding access to additional rpm download ‘channels’ for the entire group so that we can download non-server related rpms such as openoffice.org-*
===============================================
Configure client to participate in /etc/secret system
===============================================
Append these lines to /etc/crontab:
#
## ASTRONET CONFIG
14,29,44,59 * * * * root /etc/secret/cron/import-acct-info.cron
NOTES:
This makes the client pull master copies of the /etc/(passwd,shadow,group,host) files from the server every 15 minutes.
See thuban:/etc/secret/README.txt for details…
===============================================
YUM configuration:
===============================================
Insert these lines into /etc/yum.conf:
keepalive=1
retries=0
timeout=0
exclude=kernel*
Append these lines to <client>:/etc/crontab:
# ASTRONET CONFIG
04 3 * * * root /etc/secret/cron/yum-update.cron
NOTES:
The yum.conf lines exclude kernel updates and tell yum to keep trying to download rpms when redhat’s repository is flaky.
The crontab change automates a nightly ‘yum -y update’ to update the machine’s rpms.
NOTE: Carleton maintains a RHEL 5.2 yum update cache, but I decided not to use it. See http://rhn.carleton.edu/pub/RedHat/keys.html
At the time I was configuring the clients, access to rhn’s package repository was very flaky, and changing the clients to work through carleton’s cache made it even worse, so I undid this change.
Notes from talking to Rich re RHEL AS5 support:
RHEL5’s yum uses a stripped down version of up2date to connect to its rpm repositories.
Rich said I should run ‘yum clean all; yum -y upgrade’ rather than just ‘yum -y update’. The clean gets rid of partially downloaded packages, and ‘upgrade’ is better than ‘update’ because it will actually replace outdated packages with newer replacements, as when ‘seamonkey’ browser was superseded by firefox.
I decided not to use ‘upgrade’ — because I thought it could invalidate assumptions made by science packages.
===============================================
Install master list of yum packages:
===============================================
Run:
/etc/secret/clientconfig/install-programs/install-packages.sh
You may need to temporarily comment out the ‘exclude=kernel*’ line in /etc/yum.conf if yum decides it needs to pull in ‘kernel-headers’. Don’t forget to uncomment the line when you’re done.
NOTES:
James did a ‘yum list installed’ on a fully populated client and converted the output into the ‘yum -y install’ script named above. This script is essentially the master list of installed packages for the astronet client machines.
===============================================
Enable user ldap authentication
===============================================
Run:
rpm -i --force /etc/secret/clientconfig/carletonldapauth-1.02-3.noarch
NOTES:
Because most user accounts inherited from algol were defined to authenticate against their Carleton netid/password, the /etc/secret system assumes you’ve installed this rpm:
# rpm -i --force carletonldapauth-1.02-3.noarch
…which can be found at http://rhn.carleton.edu/pub/
===============================================
Mount network drives script
===============================================
Run:
/etc/secret/clientconfig/mntdrive-scripts/install-mntdrives.sh
NOTE: This script only works for users logged into accts that match their Carleton online accts. If you’re logged in as root or any other acct whose username doesn’t map to a Carleton online user it won’t work.
===========================================================
Printer configs (Olin301, 304)
===========================================================
Run:
/etc/secret/clientconfig/printers/install-ppds.sh
This will stuff the xerox ppd files into /usr/share/cups/model/Xerox
Invoke the web based CUPS configuration panel by pointing a web browser at this URL: http://localhost:631
NOTE: If CUPS doesn’t come up properly, reboot the machine.
First, configure CUPS to show only local printer definitions by going to the admin page and deselecting ‘see other printers’.
Add the printers OLIN301-X4500 and OLIN304-X6350 by doing the following:
1. Select ‘Add printer’
2. On the ‘Add new printer’ page, enter the printer’s name & desc and select ‘continue’
3. On the ‘Device for
4. On the ‘Device URI for
5. Then select make and model of the printer (Xerox, (‘phaser 4500DT’ or ‘phaser 6350DP’))
After the printer is defined, edit the printer definition to set 2-sided printing.
For Xerox Phaser 4500’s, auto tray select doesn’t seem to work, so set paper source to ‘Tray 2’.
Print test page.
===============================================
Install ATI graphics driver (Not necessary as of RHEL5.3)
===============================================
OBSOLETE
Follow the instructions in:
/etc/secret/clientconfig/videodrivers/video-drvr-instruct.txt
Run /etc/secret/clientconfig/selinux-policy-mod/fix-selinux.sh
NOTES:
We’ve learned that when selinux is active it prevents the graphics driver from getting the access it needs to prevent drag-tearing. Running fix-selinux.sh fixes that.
See ~/Work/Notes/Linux/RHEL5/SELinux-graphics-card-speedup.txt for details on how to build the policy module.
================================================================
Make Graphics DRI accessible to non-root users
================================================================
Append these lines to /etc/X11/xorg.conf:
Section "DRI"
Mode 0666
EndSection
NOTES:
Apps that use the Direct Rendering Interface for fast screen writing (such as idl71’s idlde) can’t run properly on the optiplex 755’s unless you change the permissions on /dev/dri/* from 600 to 666.
The challenge was to find the right file that would change these perms at the right time. At first I thought that modding the <dri> entry at the bottom of /etc/security/console.perms.d/50-default.perms would do it, but it didn’t work. That’s because the dri devices don’t exist at the time this file is applied at boot, but only after X is launched.
================================================
Enable sound for non-root users:
================================================
Run:
/etc/secret/clientconfig/device-permissions-fix/install-device-fix
NOTES:
With the version of RHEL5 we installed, sound doesn’t work for root unless you run the script above.
The script modifies /etc/security/console.perms.d/50-default.perms, which resets device perms at boot time. In particular it mods that file to set the perms for /dev/audio (or rather the <sound> group of devices that includes /dev/audio) to ‘0666’:
[root@NCHRISTE41272]# diff 50-default.perms~ 50-default.perms
37c37
< <console> 0600 <sound> 0600 root
—
> <console> 0666 <sound> 0666 root
[root@NCHRISTE41272 console.perms.d]#
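Review bot: the changed line 37 widens the <sound> devices to 0666 for everyone, not just the console user, because in a 50-default.perms line the first mode is what the logged-in console user gets and the second mode/owner is what is restored when nobody owns the console; with 0666 in both positions any local account or remote ssh login can read from the microphone or write to /dev/audio while someone else is at the console. If the aim is only to let the console user play sound, keep the console-user mode at 0600 and the restore mode at 0600 root, and investigate why console ownership of the <sound> devices is not being applied at login before settling on a world-writable mode.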
===============================================
Enable non-root users to use usb key drives
===============================================
Run:
/etc/secret/clientconfig/usb-key-drive-fix/install-hal-fix.sh
NOTES:
On a vanilla RHEL5.3 install, inserting a usb key drive when you are NOT root will result in failure to mount the key drive and a nasty “DBus.Error.AccessDenied on Hal.FindDeviceByCapability” popup.
The above script installs an alternate copy of the file that fixes the problem by commenting out the last two “deny” lines in /etc/dbus-1/system.d/hal.conf
See thuban:/etc/secret/clientconfig/usb-key-drive-fix/README.txt for details…
===============================================
Modify client to show host name and time at login screen *and* to allow
user switching from locked screen.
===============================================
Run:
/etc/secret/clientconfig/gdmtheme/install-gdmtheme.sh
NOTES:
The script installs a modified version of /usr/share/gdm/themes/RHEL/RHEL.xml. James diff’d rigel’s version (a RHEL4 system that showed the host and time in the LR of the screen) to deneb’s (a new RHEL5 system) and found this difference (after prettyprinting the xml files with ‘tidy’):
276,290d275
< <item type=”rect”>
< <pos anchor=”se” x=”100%” y=”100%” width=”box” height=”box” />
< <box orientation=”vertical” xpadding=”50″ spacing=”5″>
< <item type=”label”>
< <pos x=”100%” anchor=”se” />
< <normal color=”#ffffff” font=”Sans Bold 11″ />
< <text>%h</text>
< </item>
< <item type=”label”>
< <pos x=”100%” anchor=”se” />
< <normal color=”#ffffff” font=”Sans Bold 11″ />
< <text>%c</text>
< </item>
< </box>
< </item>
NOTE: you can test a theme by launching this app:
gdmthemetester xdmcp <theme name, in this case "RHEL">
===============================================
Create symlink to g95
===============================================
Execute:
ln -s /usr/share/astro/g95/bin/i686-pc-linux-gnu-g95 /usr/bin/g95
NOTES:
Joel needed to find g77 and g95 (GNU Fortran compilers).
I installed g77 on all machines like so:
yum install compat-gcc-34-g77
… and added this package to the master yum install script in thuban:/etc/secret/clientconfig/
But g95 (which was already on the shared partition /usr/share/astro) couldn’t find libg2c. Joel did some more digging and found it in /usr/lib/libg2c.so.0.0.0 and created the above symlink to it in /usr/share/astro so that his /usr/share/astro scripts could find it more easily…
===============================================
Install Denyhosts (new as of April 2009)
===============================================
Install from:
rpm -i /etc/secret/clientconfig/denyhosts/denyhosts-2.6-5.fc6.noarch.rpm
Select the proper rpm based on the post in this blog that deals with denyhosts.
Configure and run:
cp /etc/secret/clientconfig/denyhosts/denyhosts.conf /etc/ [yes to overwrite!]
chkconfig --level 345 denyhosts on
service denyhosts start
===============================================
Configure shells to check user quota at terminal launch
===============================================
Append these lines to /etc/bashrc:
# Check user's quota at terminal launch
if [ "$PS1" ]; then
/etc/secret/bin/quotacheck.sh
fi
Append these lines to /etc/csh.cshrc:
# Check user's quota at terminal launch
if ($?prompt) then
/etc/secret/bin/quotacheck.sh
endif
Append these lines to /etc/zshrc:
# Check user's quota at terminal launch
if [[ -o interactive ]]; then
"/etc/secret/bin/quotacheck.sh"
fi
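The snippets above call /etc/secret/bin/quotacheck.sh, whose contents are not part of these notes. The following is an added example of what such a check can look like (my own code, not the astronet script): it parses `quota -v` output from stdin and warns once a filesystem reaches WARN_PCT percent of its soft limit, so a user whose Firefox cache is filling the 200M /home quota is told before writes start failing. The sample quota output is constructed.

```shell
#!/bin/sh
# quota_warn: read `quota -v` output on stdin and print a warning for every
# filesystem at or above WARN_PCT percent of its soft block limit.
# Exit status 1 if any warning was printed, 0 otherwise.
WARN_PCT=${WARN_PCT:-80}

quota_warn() {
    awk -v warn="$WARN_PCT" '
        # Data lines look like:
        #   thuban:/home  184320*  204800  204800  6days  1200  0  0
        # $2 = 1K blocks used (a trailing "*" marks "over soft limit"),
        # $3 = soft limit. The banner and column-header lines do not match.
        NF >= 4 && $2 ~ /^[0-9]+\*?$/ && $3 ~ /^[0-9]+$/ && $3 > 0 {
            sub(/\*$/, "", $2)
            pct = int($2 * 100 / $3)
            if (pct >= warn) {
                printf("WARNING: %s is at %d%% of its %dK quota (%dK used)\n",
                       $1, pct, $3, $2)
                over = 1
            }
        }
        END { exit over ? 1 : 0 }
    '
}

# Constructed sample of `quota -v` output for a user close to the 200M
# (204800K) /home quota, so the script can be run offline.
SAMPLE_QUOTA='Disk quotas for user joel (uid 1001):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
   thuban:/home  184320  204800  204800            1200       0       0
   thuban:/data   10240  204800  204800              50       0       0'

# In a real quotacheck.sh this line would be:  quota -v 2>/dev/null | quota_warn
printf '%s\n' "$SAMPLE_QUOTA" | quota_warn || echo "(at least one filesystem is over ${WARN_PCT}%)"
```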
===============================================
Reboot
===============================================
Reboot the machine so that the OS can pick up the permission changes you made to the sound and usb devices.
===============================================
Turn off avahi service
===============================================
Avahi is a port of Apple’s Bonjour service and it generates a lot of spam in the /var/log/messages file. To turn it off issue these commands as root:
/sbin/chkconfig avahi-daemon off
/sbin/service avahi-daemon stop
if printing dies, login as root and type
service cups restart
thanks to bruce
Thuban, as the server, is more sensitive to rebooting than other machines. Therefore do not reboot thuban unless absolutely necessary.
If it is rebooted, be sure that it has exported all the shared disks for use on other astronet clients. To check that this has successfully happened, log in to another desktop and try cd-ing to various shared disks like /data/psrdata and /docs and so on. If thuban has NOT exported these disks for sharing, then James Fuller says to enter the following command on thuban:
(as root): # /usr/sbin/exportfs -a
-- Joel
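The "mount -a" step in the client setup and the cd-ing test Joel describes are both manual checks of the same thing: that thuban is exporting every shared disk and that the client has them mounted. The following is an added example (not from the astronet notes or Joel's post) that scripts both checks; the functions read command output on stdin so they run offline here, and in real use would be fed `showmount -e thuban` and `cat /proc/mounts`. The sample showmount output and mount table are constructed.

```shell
#!/bin/sh
# Paths thuban must export, taken from the client /etc/fstab entries.
EXPECTED_EXPORTS="/home /etc/secret /data /docs /usr/share/astro"

# check_exports: given `showmount -e thuban` output on stdin, report every
# expected path thuban is not currently exporting. Returns 1 if any is missing.
check_exports() {
    exported=$(awk 'NR > 1 { print $1 }')   # skip the "Export list for thuban:" header
    missing=0
    for p in $EXPECTED_EXPORTS; do
        if ! printf '%s\n' "$exported" | grep -qx -- "$p"; then
            echo "MISSING EXPORT: thuban is not exporting $p (run exportfs -a on thuban)"
            missing=1
        fi
    done
    return $missing
}

# check_mounts: given /proc/mounts on stdin, report every expected path that
# is not mounted over NFS from thuban on this client. Returns 1 if any is missing.
check_mounts() {
    mounted=$(awk '$1 ~ /^thuban:/ && $3 ~ /^nfs/ { print $2 }')
    missing=0
    for p in $EXPECTED_EXPORTS; do
        if ! printf '%s\n' "$mounted" | grep -qx -- "$p"; then
            echo "NOT MOUNTED: $p is not an NFS mount from thuban (try mount -a)"
            missing=1
        fi
    done
    return $missing
}

# Constructed `showmount -e thuban` output as seen from a client after thuban
# rebooted without re-exporting /docs.
SAMPLE_SHOWMOUNT='Export list for thuban:
/usr/share/astro 137.22.6.89
/home            137.22.6.89
/etc/secret      137.22.6.89
/data            137.22.6.89'

printf '%s\n' "$SAMPLE_SHOWMOUNT" | check_exports || echo "(thuban export check failed)"
```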
As of this post date, arcturus is now a functioning workstation in the Astro network (no longer has any trace of being a server).
OUT OF DATE as of 2008-11-01.
For our systems, we want to use the network time protocol put in place by the college. Therefore, we do not set the time manually but rather, have it sync from the Carleton Network Time server. To do this follow these easy steps.
As root, under the Applications menu to the right of the little red hat, click on System Settings/Date and Time.
Click on the Network Time protocol tab. Under this tab you should see a place to add and delete network time servers. Delete any servers that are there.
Then type ntp.carleton.edu and click the add button. ntp.carleton.edu should then appear as a server on the list. Click OK and wait a few moments for the machine to sync with the server.
Double check the time to make sure it is accurate. Your system should now have the correct date and time.
This week we experienced some login failures with the astro network. The symptoms were as follows. The user could not log in as himself/herself under our linux boxes. However, root login continued to be successful. Errors in /var/log/messages indicated an error which suggested the ldap server could not be contacted.
To fix this problem, we first looked at /etc/ldap.conf which had a line like "host 127.0.0.1", which was not the proper configuration for our network (the ldap server is ldap.carleton.edu).
To fix this we reinstalled the carletonldapauth rpm located in /etc/secret/RPMS/.
However, this did not fix our error. The error we were now getting in /var/log/messages was an invalid credentials error when trying to bind with the ldap server. After calling ITS admins to see the logs on the server side of things we noted that our astro machines were trying to bind to the ldap server as root. This is incorrect. After discussing the matter further we determined that a newer version of carletonldapauth had been created which was not on the astro network.
This should have been installed automatically by our scripts that we run on the astro network. However, ITS had recently changed the cert on the server which broke our updates. After installing the new cert (located in /etc/secret/RPMS), installing some missing packages on some of the machines (openssl-perl) and installing the new carletonldapauth everything is back to normal.
OUT OF DATE as of 2008-11-01.
Steps to configure an astronomy department linux client computer.
Mount network drives: