
Category: Configuration

To access weekly online backup on canopus last updated 2024 August

Newest update 2024 Aug to reflect that backups have been stored on canopus for several years:

Go to canopus:/thuban2-backups

Bruce has an automatic (cron) job do a weekly backup of thuban onto canopus.

On canopus,

df -h gives the various mount points, including
“Filesystem” /dev/mapper/centos_canopis-thuban2--backups
“Mounted on” /thuban2/backups

Navigate down to whatever file you’re looking for, and copy it over to a safe place (Careful: do not overwrite a newer file of the same name on thuban!)

See also post on root superuser privileges on thuban2  (although current post you are reading deals with canopus, which is where weekly backups are stored).

–joel

aastex setup (latex) and emulateapj

1. download aastex.cls  and emulateapj.cls from the web and place  in /usr/share/texmf/tex/latex/misc/

(you will probably need superuser privileges to do this [or sudo]).

2. type texconfig rehash.  This updates the paths where tex looks for files; eg the above.

3. that should be it! I got aastex to run on mirzam.

4. Note that /usr/share is NOT SHARED ACROSS OUR COMPUTERS, so the above needs to be done on any computer on which one wishes to use aastex. (A simpler workaround is to just put aastex.cls and emulateapj.cls in whatever directory the user has the .tex source file.)

(there are a variety of tools to find the latex default paths, etc. See the web, as I already forgot the many I had to use to figure out the above.)

(note that tex and latex files tend to be in (NONSHARED) /usr/share/texmf/.)

At the top of the .tex file, place one of the  commands:

\documentclass[12pt,preprint]{aastex} or
\documentclass[manuscript]{aastex}

which use the aastex.cls file to generate typewriter-like preprint or manuscript files; or

\documentclass{emulateapj}

[This emulates apj format: see http://hea-www.harvard.edu/~alexey/emulateapj/ ]
In either case, a useful command to put a comment on leading page is:

\slugcomment{Draft 2011 Aug 21 skeleton from Joel and  Andrew}

which is placed after abstract and keywords.
–Joel

 

Quota Check

Added a script to the bashrc, zshrc, and csh.cshrc files that automatically checks if you are over your quota.

Every time you open a new terminal, run an xterm, or ssh into a computer it should echo “Quotacheck OK (/home/$USER is <used/softcap>% full)” if you are under quota. If you are over quota it will tell you, so either delete files or talk to Joel about increasing your quota size.

Install Mathematica 7

Put in Mathematica 7 CD, ensuring that it appeared on the desktop.
Open a terminal window and cd to /media/Mathematica/Unix/Installer
Run ./MathInstaller.
(For some reason the Mathematica Installer won’t open unless you run it from the terminal)
Note, if it throws an error that says “/bin/sh: bad interpreter” point the shell directly at MathInstaller by typing:
/bin/bash ./MathInstaller

Choose default install directory:

/usr/local/Wolfram/Mathematica/7.0/

Allow selinux modification

Choose default script directory:

/usr/local/bin

For password configuration choose option (1):

(1) Single machine
Install a password specific to this machine. Mathematica will launch,
and you can enter your password.

This is what the Installer does upon selection of option (1).

xxxxxxxxxxxxxxxx
Configuring Single-Machine password…

Mathematica 7.0 for Linux x86 (32-bit)
Copyright 1988-2009 Wolfram Research, Inc.

You will need to get a password from your
license certificate or from Wolfram Research
(http://register.wolfram.com).
Machine name:   antigone.Physics.Carleton.edu
MathID: 7108-71426-20286

You will need a valid license ID and password in order
to proceed. Go to http://register.wolfram.com or
consult your Getting Started documentation.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Then, go to (http://register.wolfram.com) and type in the information the Installer gave you; Machine Name, MathID, and Carleton’s License (L3125-8812). The registration web page will ask for the name of the person registering, supply either Joel Weisberg or Nelson Christensen, but give Bruce’s email address (or your own email, just forward the forthcoming email to Bruce).
So it will look like:

Name: Joel Weisberg
Organization: Carleton College
Department: Physics and Astronomy
Email address: bduffy@carleton.edu

This will cause an email to be sent to the email address you entered with the password needed to finish the installation.

Here are the contents of the email I received:

xxxxxxxxxxxxxxxxxxxxxx
Version 7.0 password(s) were generated for license: L3125-8812

Here is the content for your mathpass file:

antigone.Physics.Carleton.edu
7108-71426-20286
L3125-8812
5157-617-135:2:8:20080701

Requestor information:

Name: Joel Weisberg
Organization: Carleton College
Department: Physics and Astronomy
Email address: bduffy@carleton.edu

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The install script then asked for:

Carleton’s License (L3125-8812)
The Requestor (Nelson Christensen/Joel Weisberg)
The organization (Carleton College)

Then the Installer asked for the password (the one from the email I received was 5157-617-135:2:8:20080701).

The password will be the last string of digits given in the email. (And the only string you didn’t have before the email)

Bumped user quotas due to Firefox disk usage

The /home user quotas for all existing users have been bumped from 80M to 200M to handle Firefox’s big disk footprint.

Our former quota of 80M was insufficient for the latest version of Firefox. By default Firefox uses 50M for file caching and another 30M->90M to stash a per-user copy of an anti-phishing blacklist file. Together, these two things could consume the entire original quota of 80M through normal Firefox usage. Rather than turning off Firefox’s caching and anti-phishing features I asked James to bump the quota from 80M to 200M and edited the ‘new user’ checklist post with the new values.

Video Drivers no longer necessary

[Update: ATI open sourced the fglrx drivers, which is why this step is not necessary]

As of RHEL5 kernel version 2.6.18-128.1.6 (Apr 30 2009), Red Hat has improved their kernel and default ATI drivers to the point where it is no longer necessary, as far as I know, to install ATI’s own drivers. This should now be considered an optional part of the install.

I have removed the ATI drivers from the astronet machines, because they are no longer worth the SELinux and kernel update hassle. To remove the drivers from machines that originally had them, I used these commands:

#>rm -rf /etc/X11/xorg.conf
#>cp /etc/X11/xorg.conf.original-0 /etc/X11/xorg.conf
#>yum -y reinstall xorg* mesa* gnome-screensaver kernel-headers
#>reboot

This should (1) Prevent the kernel and xorg from trying to load the 3rd party driver module and (2) Replace any ATI-compiled xorg and/or rendering libraries with the official Red Hat ones…which are, finally, good.

Denyhosts

A small daemon called Denyhosts has now been installed onto all astronet boxes as of April 15 2009. This will block IP addresses from remote access to linux services (sshd, nfs, samba, etc) after a remote host attempts, but fails, to connect after a certain number of times. This will go a long way to prevent our linux machines from brute force attacks where remote zombies try repeatedly to log in and guess our passwords.

It creates a log file at /var/log/denyhosts
It uses a configuration script at /etc/denyhosts.conf (#>service denyhosts restart if you want changes to take effect!)

I have made the directory /etc/secret/clientconfig/denyhosts to store install files and setup info. The .rpm in this directory which contains “fc3” in its filename is for RHEL4, whereas the .rpm with “fc6” in the filename is for RHEL5. The configuration script, which I copy to /etc/ after rpm installation, is also in this directory.

For more information, an excellent FAQ is maintained by the author at http://denyhosts.sourceforge.net/faq.html

People who are accidentally blocked must contact Bruce or me to be unbanned. If you have your username correct, you shouldn’t be banned until failing to enter your password correctly 10 times in succession.

-James

Note: In addition to the above, you must also edit /etc/hosts.allow and /etc/hosts.deny. Here’s a copy of both files on a properly configured system:
=========================================
hosts.allow:
=========================================

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL: localhost.localdomain
#sshd: ALL
ALL: .carleton.edu

 

=========================================
hosts.deny:
=========================================

#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL EXCEPT sshd: ALL

# DenyHosts below this line
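
How the two files above combine, as an added example that is not part of the original post: a simplified model of the TCP wrappers lookup order (hosts.allow is searched first, then hosts.deny, and a client matching neither is allowed). The `sshd: 203.0.113.7` entry and the host name `host.carleton.edu` are constructed for illustration; only `ALL`, `EXCEPT`, leading-dot domains and exact strings are modelled.

```python
# Added example: simplified model of TCP wrappers (hosts_access) evaluation.
# Only ALL, EXCEPT, leading-dot domains and exact strings are modelled.

# hosts.allow and hosts.deny as shown in the post. The final hosts.deny line is
# a constructed stand-in for the kind of entry DenyHosts appends
# (203.0.113.7 is a documentation address, not a value from the page).
HOSTS_ALLOW = """\
ALL: localhost.localdomain
#sshd: ALL
ALL: .carleton.edu
"""
HOSTS_DENY = """\
ALL EXCEPT sshd: ALL
# DenyHosts below this line
sshd: 203.0.113.7
"""


def parse(text):
    """Return [(daemon_tokens, client_tokens)] for each non-comment rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def token_matches(token, value):
    """Match one pattern: ALL, a leading-dot domain suffix, or an exact string."""
    token, value = token.lower(), value.lower()
    if token == "all":
        return True
    if token.startswith("."):
        return value.endswith(token)
    return token == value


def list_matches(tokens, values):
    """Evaluate 'list_1 EXCEPT list_2' against any of the candidate values."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], values)
                and not list_matches(tokens[i + 1:], values))
    return any(token_matches(t, v) for t in tokens for v in values)


def decide(daemon, ip, hostname=None):
    """A match in hosts.allow grants access; otherwise a match in hosts.deny
    denies it; a client that matches neither file is granted access."""
    client = [v for v in (hostname, ip) if v]
    for verdict, text in (("allow", HOSTS_ALLOW), ("deny", HOSTS_DENY)):
        for daemons, clients in parse(text):
            if list_matches(daemons, [daemon]) and list_matches(clients, client):
                return verdict
    return "allow"


if __name__ == "__main__":
    cases = [
        ("sshd", "198.51.100.20", None),                           # off-campus ssh
        ("sshd", "203.0.113.7", None),                             # DenyHosts entry
        ("portmap", "198.51.100.20", None),                        # off-campus NFS
        ("portmap", "137.22.6.9", "thuban.physics.carleton.edu"),  # campus host
        ("sshd", "203.0.113.7", "host.carleton.edu"),              # allow wins
    ]
    for daemon, ip, name in cases:
        print(f"{daemon:<8} {name or ip:<30} {decide(daemon, ip, name)}")
```

The last case shows that a client whose name matches `ALL: .carleton.edu` is granted access by hosts.allow before any DenyHosts line in hosts.deny is read.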

Cyclic Dependency in Java SDK Packages (RHEL 5.3 only)

As of Feb 2009, the RHEL5.3 yum repository has a cyclic dependency in some java packages that may be installed as dependencies by some openoffice.org packages. This will cause yum to be unable to update.

openoffice.org applications are java-based, and some of them require a java-SDK in addition to the normal java system. RHEL 5 provides a bunch of different java packages from many sources (Sun, IBM, BEA, etc….). If you don’t have an SDK installed when installing some openoffice.org packages, yum will select one for you in order to fulfill dependencies. Beginning in RHEL 5.3, yum defaults to choosing the java sdk package from BEA if not instructed otherwise.

The java-1.x.x-bea packages, unfortunately, currently are involved in a cyclic dependency – which makes yum very unhappy when told to update.

To avoid this, install the Sun SDK package ahead of time:
#> yum install java-1.6.0-sun-devel
…after this, install whatever openoffice package you need!

Our automatic package setup script (which installs the packages and apps used on all default astronet machines) at /etc/secret/clientconfig/install-programs/install_packages.sh has been updated to reflect this problem by specifying the sun package explicitly. Only machines where packages are being installed by hand should need to worry about this.

–James

How to configure a new astronet client box

How to make an astronet client from a virgin machine

BDUFFY 2011-04-26

===============================================
Assign a DHCP entry
===============================================

If this is a new machine:

Get the macaddr of the client box and ask dflynn in ITS to set up a DHCP entry with the desired name before installing RHEL5.

This makes setup go more smoothly for a number of reasons.

===============================================
Install RHEL5.4
===============================================

Carleton has only a subscription for the Server version, and by default Virtualization hosting options are preconfigured.  Turn them off during the installation process.

Turn on SELinux to Permissive

When setting the system time, make sure to open the ntpd tab and select the option to get time from the local time servers.

No matter how many times the installer asks you, *do not* register the box during RHEL5 installation.  We will register the machine later on.

===============================================
Mount thuban’s LVMs
===============================================

On Thuban:

Add client to thuban’s /etc/hosts file:

137.22.6.xxx  <client>.physics.carleton.edu   <client>

Modify /etc/exports to export to <client>.  Here’s a set of entries for the client Mirzam:

# Mirzam – Joel’s office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/usr/share/astro  137.22.6.89(rw,insecure,sync,no_root_squash)

Run ‘exportfs -a’ afterwards.

On <client>:

Add entry for thuban to <client>:/etc/hosts:

# astronet hosts
137.22.6.9  thuban.physics.carleton.edu thuban

Create mount points for thuban’s partitions:

mkdir /home /etc/secret /data /docs /usr/share/astro

Append these lines into /etc/fstab to mount thuban’s exported partitions:

thuban:/home /home   nfs defaults 1 1
thuban:/etc/secret   /etc/secret nfs defaults 1 1
thuban:/data /data   nfs defaults 1 1
thuban:/docs /docs   nfs defaults 1 1
thuban:/usr/share/astro  /usr/share/astro nfs defaults 1 1

Execute:

‘mount -a’ to verify that the partitions have been mounted

NOTES:

One of the mounted LVMs, ‘/etc/secret’ contains many of the resources we use to configure clients.  See below for details…
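
A check for the /etc/exports entries above, as an added example that is not part of the original procedure or the site's tooling: it lists the export options that widen what a client machine can do on the server. With `rw` and `no_root_squash`, root on the client acts as root on the export, which here includes /etc/secret. The `/pub` line is a hypothetical entry added for contrast.

```python
# Added example (not the site's tooling): flag NFS export options that widen
# what a client machine can do on the server.

# Constructed sample: three of the Mirzam entries from the post, plus one
# hypothetical read-only export (/pub) that relies on the defaults.
EXPORTS = """\
# Mirzam - Joel's office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/pub  137.22.6.0/24(ro,sync)
"""

EXPLAIN = {
    "no_root_squash+rw": "uid 0 on the client can write as root on the server",
    "no_root_squash": "uid 0 on the client reads as root on the server",
    "insecure": "requests from source ports above 1023 are accepted",
    "world": "no client restriction on this export",
}


def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        # A path with no client list is exported to everyone with defaults.
        for spec in specs or ["*"]:
            client, _, opts = spec.partition("(")
            yield path, client or "*", set(opts.rstrip(")").split(",")) - {""}


def audit(text):
    """Return (path, client, flag) tuples; flags are the keys of EXPLAIN."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            flag = "no_root_squash+rw" if "rw" in opts else "no_root_squash"
            findings.append((path, client, flag))
        if "insecure" in opts:
            findings.append((path, client, "insecure"))
        if client == "*":
            findings.append((path, client, "world"))
    return findings


if __name__ == "__main__":
    for path, client, flag in audit(EXPORTS):
        print(f"{path:<12} {client:<14} {flag}: {EXPLAIN[flag]}")
```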

===============================================
Register machine with Carleton’s Science Group at redhat.com
===============================================

Execute:

/etc/secret/clientconfig/rhnreg-to-science-group.sh

NOTES:

Rich Graves in ITS created a “Science Group” at rhn.redhat.com and made me the owner.  The Science group has its own registration key.  Register all my linux boxes with rhn as one of my ‘Science’ linux boxes on campus by running the above script.

NOTE: Via rhn.redhat.com, I modified the Science group by adding access to additional rpm download ‘channels’ for the entire group so that we can download non-server related rpms such as openoffice.org-*

===============================================
Configure client to participate in /etc/secret system
===============================================

Append these lines to /etc/crontab:

#
## ASTRONET CONFIG
14,29,44,59 * * * * root /etc/secret/cron/import-acct-info.cron

NOTES:

This makes the client upload master copies of /etc/(passwd,shadow,group,host) files from the server.

See thuban:/etc/secret/README.txt for details…

===============================================
YUM configuration:
===============================================

Insert these lines into /etc/yum.conf:

keepalive=1
retries=0
timeout=0
exclude=kernel*

Append these lines to <client>:/etc/crontab:

# ASTRONET CONFIG
04 3 * * * root /etc/secret/cron/yum-update.cron

NOTES:

The yum.conf lines exclude kernel updates and tell yum to keep trying to download rpms when redhat’s repository is flaky.

The crontab change automates a nightly ‘yum -y update’ to update the machine’s rpms.

NOTE: Carleton maintains a RHEL 5.2 yum update cache, but I decided not to use it.  See http://rhn.carleton.edu/pub/RedHat/keys.html

At the time I was configuring the clients, access to rhn’s package repository was very flaky, and changing the clients to work through carleton’s cache made it even worse, so I undid this change.

Notes from talking to Rich re RHEL AS5 support:

RHEL5’s yum uses a stripped down version of up2date to connect to its rpm repositories.

Rich said I should run ‘yum clean all; yum -y upgrade’ rather than just ‘yum -y update’.  The clean gets rid of partially downloaded packages, and ‘upgrade’ is better than ‘update’ because it will actually replace outdated packages with newer replacements, as when ‘seamonkey’ browser was superseded by firefox.

I decided not to use ‘upgrade’ — because I thought it could invalidate assumptions made by science packages.

===============================================
Install master list of yum packages:
===============================================

Run:

/etc/secret/clientconfig/install-programs/install-packages.sh

You may need to temporarily comment out the ‘exclude=kernel*’ line in /etc/yum.conf if yum decides it needs to pull in ‘kernel-headers’.  Don’t forget to uncomment the line when you’re done.

NOTES:

James did a ‘yum list installed’ on a fully populated client and converted the output into the ‘yum -y install’ script named above.  This script is essentially the master list of installed packages for the astronet client machines.

===============================================
Enable user ldap authentication
===============================================

Run:

rpm -i --force /etc/secret/clientconfig/carletonldapauth-1.02-3.noarch

NOTES:

Because most user accts inherited from algol were defined to authenticate against their carleton netid/pw, the /etc/secret system assumes you’ve installed this rpm:

# rpm -i --force carletonldapauth-1.02-3.noarch

…which can be found at http://rhn.carleton.edu/pub/

===============================================
Mount network drives script
===============================================

Run:

/etc/secret/clientconfig/mntdrive-scripts/install-mntdrives.sh

NOTE: This script only works for users logged into accts that match their Carleton online accts. If you’re logged in as root or any other acct whose username doesn’t map to a Carleton online user it won’t work.

===========================================================
Printer configs (Olin301, 304)
===========================================================

Run:

/etc/secret/clientconfig/printers/install-ppds.sh

This will stuff the xerox ppd files into /usr/share/cups/model/Xerox

Invoke the web based CUPS configuration panel by pointing a web browser at this URL: (‘http://localhost:631’).
NOTE: If CUPS doesn’t come up properly, reboot the machine.

First, configure CUPS to show only local printer definitions by going to the admin page and deselecting ‘see other printers’.

Add the printers OLIN301-X4500 and OLIN304-X6350 by doing the following:

1. Select ‘Add printer’

2. On the ‘Add new printer’ page, enter the printer’s name & desc and select ‘continue’

3. On the ‘Device for ‘ page, select ‘LPD/LPR Host or Printer’ from the ‘Device’ dropdown menu and select ‘continue’.

4. On the ‘Device URI for ‘ page, in the ‘Device URI’ typein, enter ‘lpd://goprint.its.carleton.edu/<printername>’. For example ‘lpd://goprint.its.carleton.edu/olin301-x4500’.

5. Then select make and model of the printer (Xerox, (‘phaser 4500DT’ or ‘phaser 6350DP’))

After the printer is defined, edit the printer definition to set 2-sided printing.

For Xerox Phaser 4500’s, auto tray select doesn’t seem to work, so set paper source to ‘Tray 2’.

Print test page.

===============================================
Install ATI graphics driver (Not necessary as of RHEL5.3)
===============================================
OBSOLETE
Follow the instructions in:

/etc/secret/clientconfig/videodrivers/video-drvr-instruct.txt

Run /etc/secret/clientconfig/selinux-policy-mod/fix-selinux.sh

NOTES:

We’ve learned that when selinux is active it prevents the graphics driver from getting the access it needs to prevent drag-tearing.  Running fix-selinux.sh fixes that.

See ~/Work/Notes/Linux/RHEL5/SELinux-graphics-card-speedup.txt for details on how to build the policy module.

================================================================
Make Graphics DRI accessible to non-root users
================================================================

Append these lines to /etc/X11/xorg.conf:

Section "DRI"

Mode 0666

EndSection

NOTES:

Apps that use the Direct Rendering Interface for fast screen writing (such as idl71’s idlde) can’t run properly on the optiplex 755’s unless you change the permissions on /dev/dri/* from 600 to 666.

The challenge was to find the right file that would change these perms at the right time. At first I thought that modding the <dri> entry at the bottom of /etc/security/console.perms.d/50-default.perms would do it, but it didn’t work. That’s because the dri devices don’t exist at the time this file is applied at boot, but only after X is launched.

================================================
Enable sound for non-root users:
================================================

Run:

/etc/secret/clientconfig/device-permissions-fix/install-device-fix

NOTES:

With the version of RHEL5 we installed, sound doesn’t work for root unless you run the script above.

The script modifies /etc/security/console.perms.d/50-default.perms, which resets device perms at boot time.  In particular it mods that file to set the perms for /dev/audio (or rather the <sound> group of devices that includes /dev/audio) to ‘0666’:

[root@NCHRISTE41272]# diff 50-default.perms~ 50-default.perms
37c37
< <console>  0600 <sound>  0600 root

> <console>  0666 <sound>  0666 root
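
Review bot: On line 37 both mode fields of the <sound> entry change from 0600 to 0666, which leaves the audio devices readable and writable by every account on the machine, including sessions that are not at the console, rather than only by the user logged in at the console. If the aim is working sound for whoever is sitting at the machine, consider keeping the revert mode restrictive or granting access through a group instead of world permissions, and add a comment in 50-default.perms recording why the default was changed.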
[root@NCHRISTE41272 console.perms.d]#

===============================================
Enable non-root users to use usb key drives
===============================================

Run:

/etc/secret/clientconfig/usb-key-drive-fix/install-hal-fix.sh

NOTES:

On a vanilla RHEL5.3 install, inserting a usb key drive when you are NOT root will result in failure to mount the key drive and a nasty “DBus.Error.AccessDenied on Hal.FindDeviceByCapability” popup.

The above script installs an alternate copy of the file that fixes the problem by commenting out the last two “deny” lines in /etc/dbus-1/system.d/hal.conf

See thuban:/etc/secret/clientconfig/usb-key-drive-fix/README.txt for details…

===============================================
Modify client to show host name and time at login screen *and* to allow
user switching from locked screen.
===============================================

Run:

/etc/secret/clientconfig/gdmtheme/install-gdmtheme.sh

NOTES:

The script installs a modified version of /usr/share/gdm/themes/RHEL/RHEL.xml.  James diff’d rigel’s version (a RHEL4 system that showed the host and time in the LR of the screen) to deneb’s (a new RHEL5 system) and found this difference (after prettyprinting the xml files with ‘tidy’):

276,290d275
<   <item type=”rect”>
<   <pos anchor=”se” x=”100%” y=”100%” width=”box” height=”box” />
<   <box orientation=”vertical” xpadding=”50″ spacing=”5″>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%h</text>
<   </item>
<   <item type=”label”>
<   <pos x=”100%” anchor=”se” />
<   <normal color=”#ffffff” font=”Sans Bold 11″ />
<   <text>%c</text>
<   </item>
<   </box>
<   </item>

NOTE: you can test a theme by launching this app:

gdmthemetester xdmcp <theme name, in this case “RHEL”>

===============================================
Create symlink to g95
===============================================

Execute:

ln -s /usr/share/astro/g95/bin/i686-pc-linux-gnu-g95 /usr/bin/g95

NOTES:

Joel needed to find g77, g95 (gnu fortran compilers).

I installed g77 on all machines like so:
yum install compat-gcc-34-g77

… and added this package to the master yum install script in thuban:/etc/secret/clientconfig/

But g95 (which was already on the shared partition /usr/share/astro) couldn’t find libg2c.  Joel did some more digging and found it in /usr/lib/libg2c.so.0.0.0 and created the above symlink to it in /usr/share/astro so that his /usr/share/astro scripts could find it more easily…

===============================================
Install Denyhosts (new as of April 2009)
===============================================

Install from:

rpm -i /etc/secret/clientconfig/denyhosts/denyhosts-2.6-5.fc6.noarch.rpm

Select the proper rpm based on the post in this blog that deals with denyhosts.

Configure and run:

cp /etc/secret/clientconfig/denyhosts/denyhosts.conf /etc/ [yes to overwrite!]
chkconfig --level 345 denyhosts on
service denyhosts start

===============================================
Configure shells to check user quota at terminal launch
===============================================

Append these lines to /etc/bashrc:

# Check user's quota at terminal launch
if [ "$PS1" ]; then

/etc/secret/bin/quotacheck.sh

fi

Append these lines to /etc/csh.cshrc:

# Check user's quota at terminal launch
if ($?prompt) then

/etc/secret/bin/quotacheck.sh

endif

Append these lines to /etc/zshrc:

# Check user's quota at terminal launch
if [[ -o interactive ]]; then

"/etc/secret/bin/quotacheck.sh"

fi

===============================================
Reboot
===============================================

Reboot the machine so that the OS can pick up the permission changes you made to the sound and usb devices.

===============================================
Turn off avahi service
===============================================

Avahi is a port of Apple’s Bonjour service and it generates a lot of spam in the /var/log/messages file. To turn it off issue these commands as root:

/sbin/chkconfig avahi-daemon off
/sbin/service avahi-daemon stop