
Carleton Astronet Admin Log Posts

Bumped user quotas due to Firefox disk usage

The /home user quotas for all existing users have been bumped from 80M to 200M to accommodate Firefox’s large disk footprint.

Our former quota of 80M was insufficient for the latest version of Firefox. By default Firefox uses 50M for file caching and another 30M->90M to stash a per-user copy of an anti-phishing blacklist file. Together, these two things could consume the entire original quota of 80M through normal Firefox usage. Rather than turning off Firefox’s caching and anti-phishing features I asked James to bump the quota from 80M to 200M and edited the ‘new user’ checklist post with the new values.

Video Drivers no longer necessary

[Update: ATI open sourced the fglrx drivers, which is why this step is not necessary]

As of RHEL5 kernel version 2.6.18-128.1.6 (Apr 30 2009), Red Hat has improved their kernel and default ATI drivers to the point where it is no longer necessary, as far as I know, to install ATI’s own drivers. This should now be considered an optional part of the install.

I have removed the ATI drivers from the astronet machines, because they are no longer worth the SELinux and kernel update hassle. To remove the drivers from machines that originally had them, I used these commands:

#>rm -rf /etc/X11/xorg.conf
#>cp /etc/X11/xorg.conf.original-0 /etc/X11/xorg.conf
#>yum -y reinstall xorg* mesa* gnome-screensaver kernel-headers
#>reboot

This should (1) Prevent the kernel and xorg from trying to load the 3rd party driver module and (2) Replace any ATI-compiled xorg and/or rendering libraries with the official Red Hat ones…which are, finally, good.

Denyhosts

A small daemon called Denyhosts has now been installed on all astronet boxes as of April 15 2009. It blocks an IP address from remote access to linux services (sshd, nfs, samba, etc.) after a remote host attempts, but fails, to connect a certain number of times. This will go a long way toward protecting our linux machines from brute-force attacks where remote zombies try repeatedly to log in and guess our passwords.

It writes a log file at /var/log/denyhosts.
It reads its configuration from /etc/denyhosts.conf (run #>service denyhosts restart if you want changes to take effect!)

I have made the directory /etc/secret/clientconfig/denyhosts to store install files and setup info. The .rpm in this directory which contains “fc3” in its filename is for RHEL4, whereas the .rpm with “fc6” in the filename is for RHEL5. The configuration script, which I copy to /etc/ after rpm installation, is also in this directory.

For more information, an excellent FAQ is maintained by the author at http://denyhosts.sourceforge.net/faq.html

People who are accidentally blocked must contact Bruce or me to be unbanned. If you have your username correct, you shouldn’t be banned until failing to enter your password correctly 10 times in succession.

-James

Note: In addition to the above, you must also edit /etc/hosts.allow and /etc/hosts.deny. Here’s a copy of both files on a properly configured system:
=========================================
hosts.allow:
=========================================

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL: localhost.localdomain
#sshd: ALL
ALL: .carleton.edu


=========================================
hosts.deny:
=========================================

#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL EXCEPT sshd: ALL

# DenyHosts below this line
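Because hosts.deny above ends with "ALL EXCEPT sshd: ALL", sshd itself stays reachable from every host; the per-address "sshd: a.b.c.d" lines that DenyHosts appends below its marker are what actually shut a guessing source out. The following script is an added example (not DenyHosts' own code and not part of the original post) that reproduces that tally on a constructed slice of /var/log/secure: it counts failed sshd logins per source, separates guesses against real accounts from guesses against nonexistent ones, and prints the hosts.deny entries a source would earn. The 10-failure threshold for a correct username is the post's; the lower threshold of 5 for nonexistent usernames is this example's assumption.

```sh
#!/bin/sh
# Added example (not DenyHosts' own code): tally failed sshd logins per source
# address from an auth log and print the hosts.deny entries that DenyHosts
# would append below its "# DenyHosts below this line" marker.

# Constructed sample of /var/log/secure lines in RHEL5 sshd format; the
# addresses and account names are made up for this example.
write_sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do   # 12 wrong passwords for an account that exists
        echo "Apr 15 10:01:$(printf %02d "$i") deneb sshd[22$i]: Failed password for jdoe from 203.0.113.7 port 51$i ssh2"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do    # 6 guesses at an account that does not exist
        echo "Apr 15 10:02:$(printf %02d "$i") deneb sshd[23$i]: Failed password for invalid user admin from 198.51.100.9 port 42$i ssh2"
        i=$((i + 1))
    done
    # one typo followed by a successful login: must never be banned
    echo "Apr 15 10:03:00 deneb sshd[2400]: Failed password for asmith from 198.51.100.20 port 43000 ssh2"
    echo "Apr 15 10:03:05 deneb sshd[2401]: Accepted password for asmith from 198.51.100.20 port 43000 ssh2"
}

# failure_counts LOG : one line per source,
# "<failures against real accounts> <failures against invalid users> <ip>",
# busiest source first
failure_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if ($0 ~ / for invalid user /) invalid[ip]++; else valid[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen) printf "%d %d %s\n", valid[ip] + 0, invalid[ip] + 0, ip
        }' "$1" | sort -k1,1nr -k2,2nr
}

# deny_entries LOG VALID_THRESHOLD INVALID_THRESHOLD : hosts.deny lines for
# every source at or above either threshold
deny_entries() {
    failure_counts "$1" | awk -v tv="$2" -v ti="$3" \
        '$1 >= tv || $2 >= ti { printf "sshd: %s\n", $3 }'
}

# Demonstration against the constructed log
LOG=$(mktemp)
write_sample_log > "$LOG"
echo "valid invalid source"
failure_counts "$LOG"
echo "--- would be appended to /etc/hosts.deny ---"
deny_entries "$LOG" 10 5
rm -f "$LOG"
```

On a real client, point failure_counts at /var/log/secure to see who is knocking before anyone reports being banned; the source with a single failed password followed by "Accepted password" is exactly the case the post says must not be blocked, and it stays below both thresholds.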

Kernel modules must be present on RHEL >= 5.3

Updates to the RHEL kernel change the location of and/or delete any custom kernel modules that have been compiled (this applies most notably right now to graphics drivers). In the past this has been OK as I usually just recompile any modules against the new kernel after updating. Unfortunately, it seems that, starting in RHEL 5.3, the kernel will panic whenever it is asked to load a module that does not exist, instead of just throwing a polite error.

I noticed this with graphics drivers – the machine screen will go blank AND ssh will not function if X11 asks the kernel to load a graphics driver module that no longer exists. So, it is important when updating kernels now to remove any references to custom modules (i.e., modules not managed by yum) prior to rebooting after a kernel update. (Yet another reason that we don’t pull down kernel updates automatically!)

In the case of the graphics driver — which is the only custom module as of Feb 2009 — this is painless because the driver installer backs up the vanilla conf file. This means that you have to delete /etc/X11/xorg.conf and rename /etc/X11/xorg.conf.original-x (the vanilla backup, where “x” is a small integer or zero) to /etc/X11/xorg.conf prior to reboot. If you forget, you must boot into knoppix or something similar off a CD, mount the hard disk and make this same change.

-James
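The pre-reboot check the post asks for can be scripted. The following is an added example, not part of the original notes: it reads every Driver line out of xorg.conf, and for each driver that is not managed by yum (fglrx, the post's case; nvidia is a hypothetical second entry) it confirms that a matching .ko exists under /lib/modules for the kernel you are about to boot. The modules root is a parameter so the check can be exercised on a constructed scratch tree, which is what the demonstration does.

```sh
#!/bin/sh
# Added example, not part of the original notes: run this before rebooting
# into a freshly installed kernel to confirm that each out-of-tree X driver
# named in xorg.conf has a module built for that kernel. fglrx is the driver
# the post is about; nvidia is a hypothetical second entry. MODULES_ROOT is a
# parameter (default /lib/modules) so the check can also run on a scratch tree.

CUSTOM_DRIVERS="fglrx nvidia"   # drivers not managed by yum (assumption)

# xorg_drivers XORG_CONF : print every Driver name in the file, one per line
xorg_drivers() {
    awk '$1 == "Driver" { gsub(/"/, "", $2); print $2 }' "$1"
}

# check_modules_for_kernel KVER XORG_CONF [MODULES_ROOT]
# returns 0 when every custom driver has a .ko under MODULES_ROOT/KVER, 1 otherwise
check_modules_for_kernel() {
    kver=$1; conf=$2; root=${3:-/lib/modules}
    missing=0
    for drv in $(xorg_drivers "$conf"); do
        case " $CUSTOM_DRIVERS " in
            *" $drv "*) ;;
            *) continue ;;           # in-tree driver shipped with the kernel rpm
        esac
        if [ -n "$(find "$root/$kver" -name "$drv.ko" 2>/dev/null)" ]; then
            echo "ok: $drv.ko is built for $kver"
        else
            echo "MISSING: no $drv.ko for $kver; restore xorg.conf.original-N before rebooting"
            missing=1
        fi
    done
    return $missing
}

# Constructed scratch tree: fglrx.ko exists for the old kernel only
make_scratch() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/2.6.18-92.el5/extra" "$d/modules/2.6.18-128.el5/kernel"
    : > "$d/modules/2.6.18-92.el5/extra/fglrx.ko"
    printf 'Section "Device"\n\tIdentifier "Videocard0"\n\tDriver "fglrx"\nEndSection\n' > "$d/xorg.conf"
    echo "$d"
}

# Demonstration: the old kernel passes, the new kernel flags the missing module
D=$(make_scratch)
check_modules_for_kernel 2.6.18-92.el5  "$D/xorg.conf" "$D/modules" || echo "-> do not reboot into 2.6.18-92.el5 yet"
check_modules_for_kernel 2.6.18-128.el5 "$D/xorg.conf" "$D/modules" || echo "-> do not reboot into 2.6.18-128.el5 yet"
rm -rf "$D"
```

On a client you would call it as check_modules_for_kernel "$(ls -t /lib/modules | head -1)" /etc/X11/xorg.conf right after the kernel rpm lands and before reboot; a nonzero exit is the cue to swap xorg.conf.original-x back in, which avoids the blank-screen-and-no-ssh state the post describes.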

Cyclic Dependency in Java SDK Packages (RHEL 5.3 only)

As of Feb 2009, the RHEL5.3 yum repository has a cyclic dependency in some java packages that may be installed as dependencies by some openoffice.org packages. This will cause yum to be unable to update.

openoffice.org applications are java-based, and some of them require a java SDK in addition to the normal java runtime. RHEL 5 provides a bunch of different java packages from many sources (Sun, IBM, BEA, etc.). If you don’t have an SDK installed when installing some openoffice.org packages, yum will select one for you in order to fulfill dependencies. Beginning in RHEL 5.3, yum defaults to choosing the java SDK package from BEA if not instructed otherwise.

The java-1.x.x-bea packages, unfortunately, currently are involved in a cyclic dependency – which makes yum very unhappy when told to update.

To avoid this, install the Sun SDK package ahead of time:
#> yum install java-1.6.0-sun-devel
…after this, install whatever openoffice package you need!

Our automatic package setup script (which installs the packages and apps used on all default astronet machines) at /etc/secret/clientconfig/install-programs/install_packages.sh has been updated to reflect this problem by specifying the sun package explicitly. Only machines where packages are being installed by hand should need to worry about this.

–James

How to configure a new astronet client box

How to make an astronet client from a virgin machine

BDUFFY 2011-04-26

===============================================
Assign a DHCP entry
===============================================

If this is a new machine:

Get the MAC address of the client box and ask dflynn in ITS to set up a DHCP entry with the desired name before installing RHEL5.

This makes setup go more smoothly for a number of reasons.

===============================================
Install RHEL5.4
===============================================

Carleton only has a subscription for the Server version, and by default the Virtualization hosting options are preconfigured. Turn them off during the installation process.

Set SELinux to Permissive.

When setting the system time, make sure to open the ntpd tab and select the option to get time from the local time servers.

No matter how many times the installer asks you, *do not* register the box during RHEL5 installation.  We will register the machine later on.

===============================================
Mount thuban’s LVMs
===============================================

On Thuban:

Add client to thuban’s /etc/hosts file:

137.22.6.xxx   <client>.physics.carleton.edu   <client>

Modify /etc/exports to export to <client>.  Here’s a set of entries for the client Mirzam:

# Mirzam – Joel’s office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/docs 137.22.6.89(rw,insecure,sync,no_root_squash)
/etc/secret   137.22.6.89(rw,insecure,sync,no_root_squash)
/usr/share/astro  137.22.6.89(rw,insecure,sync,no_root_squash)

Run ‘exportfs -a’ afterwards.
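Every entry above grants rw plus insecure and no_root_squash to one client, which is what the single-UID-space astronet setup needs, but it is worth seeing those grants listed so a typo such as a bare path or a "*" client does not slip in unnoticed. The following is an added example (not part of the original notes): it parses /etc/exports-style lines and prints one line per finding. The sample file is constructed from two of the Mirzam entries plus two made-up lines; the file path is a parameter so the audit can run on a copy.

```sh
#!/bin/sh
# Added example, not part of the original notes: read /etc/exports-style lines
# and point out the entries that widen exposure, so no_root_squash and
# insecure are a conscious per-client choice rather than a habit.

# Constructed sample: two of the page's own Mirzam entries plus two made-up lines
write_sample_exports() {
    cat <<'EOF'
# Mirzam - Joel's office
/home 137.22.6.89(rw,insecure,sync,no_root_squash)
/data 137.22.6.89(rw,insecure,sync,no_root_squash)
/pub *(ro,sync)
/scratch
EOF
}

# audit_exports EXPORTS_FILE : one WARN/NOTE line per finding
audit_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            if (NF == 1) {
                print "WARN " path " (no client given): exported to every host with default options"
                next
            }
            for (i = 2; i <= NF; i++) {
                spec = $i; client = spec; opts = ""
                if (match(spec, /\(.*\)/)) {            # split "host(opt,opt)"
                    client = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                o = "," opts ","                          # so each option can be matched whole
                if (client == "" || client == "*")
                    print "WARN " path " " (client == "" ? "(any host)" : client) ": world-accessible client spec"
                if (o ~ /,no_root_squash,/)
                    print "WARN " path " " client ": no_root_squash (root on the client is root on this export)"
                if (o ~ /,insecure,/)
                    print "NOTE " path " " client ": insecure (requests from unprivileged source ports accepted)"
            }
        }' "$1"
}

# Demonstration against the constructed file
EXP=$(mktemp)
write_sample_exports > "$EXP"
audit_exports "$EXP"
rm -f "$EXP"
```

Running audit_exports /etc/exports on thuban after each edit and diffing the output against the previous run turns the list of hosts that hold root on /home into something that gets reviewed every time a client is added or retired.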

On <client>:

Add entry for thuban to <client>:/etc/hosts:

# astronet hosts
137.22.6.9  thuban.physics.carleton.edu thuban

Create mount points for thuban’s partitions:

mkdir /home /etc/secret /data /docs /usr/share/astro

Append these lines into /etc/fstab to mount thuban’s exported partitions:

thuban:/home /home   nfs defaults 1 1
thuban:/etc/secret   /etc/secret nfs defaults 1 1
thuban:/data /data   nfs defaults 1 1
thuban:/docs /docs   nfs defaults 1 1
thuban:/usr/share/astro  /usr/share/astro nfs defaults 1 1

Execute:

‘mount -a’ to verify that the partitions have been mounted

NOTES:

One of the mounted LVMs, ‘/etc/secret’ contains many of the resources we use to configure clients.  See below for details…

===============================================
Register machine with Carleton’s Science Group at redhat.com
===============================================

Execute:

/etc/secret/clientconfig/rhnreg-to-science-group.sh

NOTES:

Rich Graves in ITS created a “Science Group” at rhn.redhat.com and made me the owner.  The Science group has its own registration key.  Register all my linux boxes with rhn as one of my ‘Science’ linux boxes on campus by running the above script.

NOTE: Via rhn.redhat.com, I modified the Science group by adding access to additional rpm download ‘channels’ for the entire group so that we can download non-server related rpms such as openoffice.org-*

===============================================
Configure client to participate in /etc/secret system
===============================================

Append these lines to /etc/crontab:

#
## ASTRONET CONFIG
14,29,44,59 * * * * root /etc/secret/cron/import-acct-info.cron

NOTES:

This makes the client pull master copies of the /etc/(passwd,shadow,group,host) files from the server.

See thuban:/etc/secret/README.txt for details…

===============================================
YUM configuration:
===============================================

Insert these lines into /etc/yum.conf:

keepalive=1
retries=0
timeout=0
exclude=kernel*

Append these lines to <client>:/etc/crontab:

# ASTRONET CONFIG
04 3 * * * root /etc/secret/cron/yum-update.cron

NOTES:

The yum.conf lines exclude kernel updates and tell yum to keep trying to download rpms when redhat’s repository is flaky.

The crontab change automates a nightly ‘yum -y update’ to update the machine’s rpms.

NOTE: Carleton maintains a RHEL 5.2 yum update cache, but I decided not to use it.  See http://rhn.carleton.edu/pub/RedHat/keys.html

At the time I was configuring the clients, access to rhn’s package repository was very flaky, and changing the clients to work through carleton’s cache made it even worse, so I undid this change.

Notes from talking to Rich re RHEL AS5 support:

RHEL5’s yum uses a stripped down version of up2date to connect to its rpm repositories.

Rich said I should run ‘yum clean all; yum -y upgrade’ rather than just ‘yum -y update’.  The clean gets rid of partially downloaded packages, and ‘upgrade’ is better than ‘update’ because it will actually replace outdated packages with newer replacements, as when ‘seamonkey’ browser was superseded by firefox.

I decided not to use ‘upgrade’ — because I thought it could invalidate assumptions made by science packages.

===============================================
Install master list of yum packages:
===============================================

Run:

/etc/secret/clientconfig/install-programs/install-packages.sh

You may need to temporarily comment out the ‘exclude=kernel*’ line in /etc/yum.conf if yum decides it needs to pull in ‘kernel-headers’.  Don’t forget to uncomment the line when you’re done.

NOTES:

James did a ‘yum list installed’ on a fully populated client and converted the output into the ‘yum -y install’ script named above.  This script is essentially the master list of installed packages for the astronet client machines.

===============================================
Enable user ldap authentication
===============================================

Run:

rpm -i --force /etc/secret/clientconfig/carletonldapauth-1.02-3.noarch

NOTES:

Because most user accounts inherited from algol were defined to authenticate against their Carleton netid/password, the /etc/secret system assumes you’ve installed this rpm:

# rpm -i --force carletonldapauth-1.02-3.noarch

…which can be found at http://rhn.carleton.edu/pub/

===============================================
Mount network drives script
===============================================

Run:

/etc/secret/clientconfig/mntdrive-scripts/install-mntdrives.sh

NOTE: This script only works for users logged into accounts that match their Carleton online accounts. If you’re logged in as root or any other account whose username doesn’t map to a Carleton online user, it won’t work.

===========================================================
Printer configs (Olin301, 304)
===========================================================

Run:

/etc/secret/clientconfig/printers/install-ppds.sh

This will stuff the xerox ppd files into /usr/share/cups/model/Xerox

Invoke the web based CUPS configuration panel by pointing a web browser at this URL: (‘http://localhost:631’).
NOTE: If CUPS doesn’t come up properly, reboot the machine.

First, configure CUPS to show only local printer definitions by going to the admin page and deselecting ‘see other printers’.

Add the printers OLIN301-X4500 and OLIN304-X6350 by doing the following:

1. Select ‘Add printer’

2. On the ‘Add new printer’ page, enter the printer’s name & desc and select ‘continue’

3. On the ‘Device for ‘ page, select ‘LPD/LPR Host or Printer’ from the ‘Device’ dropdown menu and select ‘continue’.

4. On the ‘Device URI for ‘ page, in the ‘Device URI’ text field, enter ‘lpd://goprint.its.carleton.edu/<printername>’. For example ‘lpd://goprint.its.carleton.edu/olin301-x4500’.

5. Then select make and model of the printer (Xerox, (‘phaser 4500DT’ or ‘phaser 6350DP’))

After the printer is defined, edit the printer definition to set 2-sided printing.

For Xerox Phaser 4500’s, auto tray select doesn’t seem to work, so set paper source to ‘Tray 2’.

Print test page.

===============================================
Install ATI graphics driver (Not necessary as of RHEL5.3)
===============================================
OBSOLETE
Follow the instructions in:

/etc/secret/clientconfig/videodrivers/video-drvr-instruct.txt

Run /etc/secret/clientconfig/selinux-policy-mod/fix-selinux.sh

NOTES:

We’ve learned that when selinux is active it prevents the graphics driver from getting the access it needs to prevent drag-tearing.  Running fix-selinux.sh fixes that.

See ~/Work/Notes/Linux/RHEL5/SELinux-graphics-card-speedup.txt for details on how to build the policy module.

================================================================
Make Graphics DRI accessible to non-root users
================================================================

Append these lines to /etc/X11/xorg.conf:

Section "DRI"

Mode 0666

EndSection

NOTES:

Apps that use the Direct Rendering Interface for fast screen writing (such as idl71’s idlde) can’t run properly on the optiplex 755’s unless you change the permissions on /dev/dri/* from 600 to 666.

The challenge was to find the right file that would change these perms at the right time. At first I thought that modding the <dri> entry at the bottom of /etc/security/console.perms.d/50-default.perms would do it, but it didn’t work. That’s because the dri devices don’t exist at the time this file is applied at boot, but only after X is launched.

================================================
Enable sound for non-root users:
================================================

Run:

/etc/secret/clientconfig/device-permissions-fix/install-device-fix

NOTES:

With the version of RHEL5 we installed, sound doesn’t work for non-root users unless you run the script above.

The script modifies /etc/security/console.perms.d/50-default.perms, which resets device perms at boot time.  In particular it mods that file to set the perms for /dev/audio (or rather the <sound> group of devices that includes /dev/audio) to ‘0666’:

[root@NCHRISTE41272]# diff 50-default.perms~ 50-default.perms
37c37
< <console>  0600 <sound>  0600 root
---
> <console>  0666 <sound>  0666 root
[root@NCHRISTE41272 console.perms.d]#

===============================================
Enable non-root users to use usb key drives
===============================================

Run:

/etc/secret/clientconfig/usb-key-drive-fix/install-hal-fix.sh

NOTES:

On a vanilla RHEL5.3 install, inserting a usb key drive when you are NOT root will result in failure to mount the key drive and a nasty “DBus.Error.AccessDenied on Hal.FindDeviceByCapability” popup.

The above script installs an alternate copy of the file that fixes the problem by commenting out the last two “deny” lines in /etc/dbus-1/system.d/hal.conf

See thuban:/etc/secret/clientconfig/usb-key-drive-fix/README.txt for details…

===============================================
Modify client to show host name and time at login screen *and* to allow
user switching from locked screen.
===============================================

Run:

/etc/secret/clientconfig/gdmtheme/install-gdmtheme.sh

NOTES:

The script installs a modified version of /usr/share/gdm/themes/RHEL/RHEL.xml.  James diff’d rigel’s version (a RHEL4 system that showed the host and time in the LR of the screen) to deneb’s (a new RHEL5 system) and found this difference (after prettyprinting the xml files with ‘tidy’):

276,290d275
<   <item type="rect">
<   <pos anchor="se" x="100%" y="100%" width="box" height="box" />
<   <box orientation="vertical" xpadding="50" spacing="5">
<   <item type="label">
<   <pos x="100%" anchor="se" />
<   <normal color="#ffffff" font="Sans Bold 11" />
<   <text>%h</text>
<   </item>
<   <item type="label">
<   <pos x="100%" anchor="se" />
<   <normal color="#ffffff" font="Sans Bold 11" />
<   <text>%c</text>
<   </item>
<   </box>
<   </item>

NOTE: you can test a theme by launching this app:

gdmthemetester xdmcp <theme name, in this case “RHEL”>

===============================================
Create symlink to g95
===============================================

Execute:

ln -s /usr/share/astro/g95/bin/i686-pc-linux-gnu-g95 /usr/bin/g95

NOTES:

Joel needed to find g77 and g95 (GNU Fortran compilers).

I installed g77 on all machines like so:
yum install compat-gcc-34-g77

… and added this package to the master yum install script in thuban:/etc/secret/clientconfig/

But g95 (which was already on the shared partition /usr/share/astro) couldn’t find libg2c.  Joel did some more digging and found it in /usr/lib/libg2c.so.0.0.0 and created the above symlink to it in /usr/share/astro so that his /usr/share/astro scripts could find it more easily…

===============================================
Install Denyhosts (new as of April 2009)
===============================================

Install from:

rpm -i /etc/secret/clientconfig/denyhosts/denyhosts-2.6-5.fc6.noarch.rpm

Select the proper rpm based on the post in this blog that deals with denyhosts.

Configure and run:

cp /etc/secret/clientconfig/denyhosts/denyhosts.conf /etc/ [yes to overwrite!]
chkconfig --level 345 denyhosts on
service denyhosts start

===============================================
Configure shells to check user quota at terminal launch
===============================================

Append these lines to /etc/bashrc:

# Check user's quota at terminal launch
if [ "$PS1" ]; then

/etc/secret/bin/quotacheck.sh

fi

Append these lines to /etc/csh.cshrc:

# Check user's quota at terminal launch
if ($?prompt) then

/etc/secret/bin/quotacheck.sh

endif

Append these lines to /etc/zshrc:

# Check user's quota at terminal launch
if [[ -o interactive ]]; then

"/etc/secret/bin/quotacheck.sh"

fi
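The notes do not reproduce /etc/secret/bin/quotacheck.sh, so the following is an added example of what a script in that slot can do (it is not the project's script): it parses the output of quota -v for the current user, reports each filesystem's usage against its soft limit, and warns when usage is at or above a percentage of the limit (90% by default) or already over it. The warning ties back to the Firefox post: 204800 KB is the 200M quota, and a cache plus anti-phishing file of up to 140M is most of it. The report lines below are constructed; the script assumes quota(1) is installed and that thuban answers rquota requests, and it handles the case where quota wraps a long filesystem name onto its own line.

```sh
#!/bin/sh
# Added example, not the page's /etc/secret/bin/quotacheck.sh (which the
# notes do not reproduce): parse "quota -v" output and warn when a filesystem
# is near or over its soft limit. Values below are constructed; 204800 KB is
# the 200M quota from the Firefox post.

# Constructed "quota -v" output: near the limit, over the limit (note the "*"
# and grace period), and a long export name that quota wraps onto two lines
write_sample_quota() {
    cat <<'EOF'
Disk quotas for user jdoe (uid 1001):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
   thuban:/home  185000  204800  204800            1200       0       0
   thuban:/data  260000* 204800  225280   6days     300       0       0
thuban:/usr/share/astro/a/very/long/export/name
                   1000       0       0              10       0       0
EOF
}

# quota_report FILE [WARN_PERCENT] : "<fs> <used_kb> <soft_kb> <percent> <status>"
# per filesystem; status is ok, WARN (>= WARN_PERCENT, default 90), OVER or unlimited
quota_report() {
    awk -v warn="${2:-90}" '
        NR <= 2 || NF == 0 { next }          # title line and column header
        NF == 1 { pending = $1; next }       # long filesystem name on its own line
        {
            if (pending != "") { fs = pending; off = 0; pending = "" }
            else               { fs = $1;     off = 1 }
            used = $(1 + off); soft = $(2 + off)
            over = sub(/\*$/, "", used)      # trailing "*" marks an exceeded limit
            if (soft + 0 == 0) { pct = 0; status = "unlimited" }
            else {
                pct = int(used * 100 / soft)
                status = over ? "OVER" : (pct >= warn ? "WARN" : "ok")
            }
            printf "%s %d %d %d%% %s\n", fs, used, soft, pct, status
        }' "$1"
}

# quota_check FILE : print a line per filesystem needing attention; return 1 if any
quota_check() {
    quota_report "$1" | awk '
        $5 == "WARN" || $5 == "OVER" {
            printf "quota %s: %s is at %s of its %d KB limit (%d KB used)\n", $5, $1, $4, $3, $2
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Demonstration on the constructed report; at terminal launch you would feed
# it the real thing:  quota -v > "$tmp" 2>/dev/null && quota_check "$tmp"
Q=$(mktemp)
write_sample_quota > "$Q"
quota_report "$Q"
quota_check "$Q" || echo "-> some filesystems need attention"
rm -f "$Q"
```

Only the WARN and OVER lines are printed at login, so a user whose /home is under the threshold sees nothing, and the script's exit status is usable by the bashrc/cshrc/zshrc hooks above without parsing its output.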

===============================================
Reboot
===============================================

Reboot the machine so that the OS can pick up the permission changes you made to the sound and usb devices.

===============================================
Turn off avahi service
===============================================

Avahi is a port of Apple’s Bonjour service and it generates a lot of spam in the /var/log/messages file. To turn it off issue these commands as root:

/sbin/chkconfig avahi-daemon off
/sbin/service avahi-daemon stop

Issues Upgrading from RHEL 5.2 to 5.3

As of the date of this posting, the latest version of Red Hat — and the version being used on all astronet machines — is 5.3, identified by kernel versions >= 2.6.18-128

If for some reason it ever becomes the case that a machine must be upgraded from 5.x to 5.3, Bruce and I ran into some hiccups in yum regarding the updating process.

Ideally, machines can be upgraded to a new RHEL release version simply by
1.) Removing any excluded packages by commenting out any exclude=XXXXX lines in /etc/yum.conf
2.) Running yum -y upgrade
3.) Coming back ~25 mins later and rebooting the machine.
4.) Uncommenting the traditional package excludes so updating can continue automatically as before

Unfortunately, as of this posting the 5.3 version of the tog-pegasus package from RedHat refuses to do an update install – and in fact hangs the update process. All of our machines that were up-and-running when 5.3 was released tried to get this package (because of our automatic update cron job) and the yum process was permanently hung.

The fix:
1.) See if any yum processes are currently being hung up by tog-pegasus
>> ps auxwww | grep -i yum
2.) If there are any yum processes running, and it looks like they’ve been running for a while, they’re probably hung. Reboot to kill the processes.
3.) When you’re back online, check again to see if any yum processes are running and kill (all of) them.
>> ps auxwww | grep -i yum
>> kill -9 <PIDs>
4.) Uninstall the following packages (tog-pegasus and openoffice must be wholly removed)
>> yum erase tog-pegasus openoffice.org-*
5.) Remove any excluded packages by commenting out any exclude=XXXXX lines in /etc/yum.conf
6.) Now try the update again
>> yum -y upgrade
7.) Come back in ~25 mins and make sure everything has completed. When yum tells you it’s done, reboot.
8.) Reinstall openoffice by running the script below or by hand with yum install
>> /etc/secret/clientconfig/install-programs/install-programs.sh
9.) Clear yum’s unfinished-transaction log so it forgets about the whole ordeal and doesn’t bug us about it
>> yum-complete-transaction --cleanup-only

Don’t bother reinstalling tog-pegasus, it’s nothing we will ever need.

**AS OF 2/4/2009 AND TO THE EXTENT OF MY KNOWLEDGE, ALL ASTRONET MACHINES ARE UPGRADED TO RHEL 5.3 AND FUNCTIONING**

IDL help browser bug fix

Joel installed a bug fix for the help browser on redhat 5 machines. (new sirius, new mirzam). As of 13 Feb 2009, it is installed on all three licensees (incl algol).

If you use idlde, it is transparent.

If you use command line idl, you have to type idlhelp before typing idl

Joel had to contact idl support to find out about it. For reference: XULRunner patch for IDL 7.0, http://www.ittvis.com/services/techtip.asp?ttid=4395

Change users quota (MUST BE *THUBAN* ROOT)

Type edquota <username> as root on thuban.

This drops you into a vi editing session.

Change the quota as desired and then exit the session.

If you are not familiar with vi, you may find more details on how to edit this file under the “new user” post, where the setting up of a quota for a new user is discussed.

–Joel

PALFA pulsar candidate viewer software install on rigel

PALFA viewer is in /data/psrdata/PALFA/viewers

as is our config file PALFA_config.py (subdir common_DB)

I installed several needed software pieces into /usr/share/astro and elsewhere.

I installed freetds from /usr/share/astro.

I downloaded to Desktop and installed tcl8.4.19 tcl8.5.3 according to its unix README.

I downloaded to Desktop and installed tk8.5.3 a month later. Is it incompatible with the above tcl? Yes, its README says it is, so I went back and installed new tcl8.5.3 as shown above.

I installed python 2.5.2 from a desktop download, following directions. First I had to setenv LD_RUN_PATH /usr/local/lib so that it could find _tkinter. The executable was placed into /usr/local/bin, whereas older ones are in /usr/bin. Then I linked it to /usr/bin/python.

I installed pymssql from /usr/share/astro to /usr/local/lib/python2.5/site-packages/.

I installed pmw from /usr/share/astro onto rigel’s /usr/lib/python2.5/site-packages (see documentation via firefox at file:///usr/share/astro/Pmw.1.3.2/src/Pmw/Pmw_1_3/doc/starting.html).

I installed numpy-1.1.0 from a desktop download.

I installed matplotlib-0.98.1 from a desktop download (directions are in the file called “install” in the distribution). A routine’s name had been changed (I found this out in the file API_CHANGES in the distribution):

blend_xy_sep_transform(xtrans, ytrans)

was renamed

blended_transform_factory(xtrans, ytrans)

so I had to go to mywidgets.py in PALFA/viewers/common_DB/ and make this change.

I installed PIL (python imaging library) 1.1.6 from desktop dnld, creating Imaging-1.1.6

————————————————————

So note that it is not accessible from other hosts, but this is the only one we can access the Cornell database from anyway.

Joel