News Update: On 2/21/2019, TG officially "moved in" to a SLAC managed Centos7 Linux Desktop 2.0 environment.  A major milestone!

This page describes certain features of the "Linux Desktop 2.0" pilot/R&D project.  While this project has been in progress for some time, these notes begin in July 2018.

There are an estimated 200-300 Linux desktop users at SLAC.  This project aims to provide a basic managed and maintained building block desktop from which users may customize to their specific needs.  At this writing, either Ubuntu or CentOS are available options.  This is very much a work in progress....

 

To-Do

  • Consider whether the netboot file should remain active, with the user manually removing the link that makes it active with
    echo "get Kickstart_end" | /usr/bin/tftp lnxpapa
    or whether this should be done for them automatically after the first build. Make this an attribute for the node build? Consider this for Ubuntu too. Ubuntu and kickstart are not great together, unless this is very, very dated: https://help.ubuntu.com/community/KickstartCompatibility
  • Decide whether pxekickit should run chef on the node by default. As of 2018-09-27, a build with ks.cfg.centos7.linux_desktop_2 does not run chef. I suggest we do run chef in the default installation, and one picks ks.cfg.centos7.linux_desktop_2.no_chef_run if one does not want to run chef.
  • Decide whether this is only for SLAC-owned equipment or whether users with non-SLAC equipment can use the chef cookbooks. What does that mean for slac_motd: does the content of that message change at all?

 

Current Pilot Machine Status

  • A test machine, named comet2 (Dell Optiplex 9010, PC90105), was set up in Tom G's office, bldg 48/rm 248, on 7/13/2018.  Linux (centos7) was installed over the network.  Andrew set up the "old style" kerberos authentication to allow site-wide logins.  This is expected to change in the near future to a Windows authentication scheme.
  • At this time, comet2 is considered available for reboot with little or no notification as experts continue their development of the deployment software.  Rebuilding from scratch becomes increasingly painful as more and more software is installed.
  • As of 9/23/2018, a 2nd machine, ppa-pc89438-l, is also running centos7 in Warren Focke's office, bldg 48/rm 249, using Andrew's latest net install.

List of candidate add-on software to be included in CentOS 7 network-install image. 

(The initial network-install might not have all of this, but one can add it with post-install step(s). A status of 'required' does not mean that configuration management can do that, as of  , but that it is considered a requirement by a user community at SLAC. The user communities represented here include LSST Camera, DESC and Fermi.)

| # | Package | Status | Date installed | Install Tool | Notes |
|---|---|---|---|---|---|
| 1 | Linux | required | 7/13/2018 and 8/28/2018 | pxe boot | Basic CLI |
| 2 | X11 | required | 7/17/2018 and 9/28/2018 | note 1 below | X11+gnome+gazillion dependencies |
| 3 | window manager | required | 7/17/2018 and 9/28/2018 | " | gnome based - working on conf file |
| 4 | desktop | required | 7/17/2018 and 9/28/2018 | " | (various convenience apps) |
| 5 | chef-client | required | 11/13/2018 | (installed by KSA) | Needed for installing YFS |
| 6 | Windows Active Directory | | | | new authentication model (old=kerberos) |
| 7 | printing | required | [10/4/2018] | sudo system-config-printer | Printing will be via Windows AD IP based printing. In the meantime, configure locally using built-in printing system. Configure B048F2COPIER as a generic postscript printer. This probably needs to be rethought. A better fix involves downloading "BrightQ" Canon drivers from codehost.com. Their drivers come with instructions. |
| 8 | YFS | required | 11/14/2018 | chef-client -o slac_yfs-client | Auristor's YFS (AFS) client. Use "kinit [<userID>]" followed by "aklog" to get a token |
| 9 | emacs | required | 7/19/2018 and 9/28/2018 | gnome-software | |
| 10 | chrome | required | 9/28/2018 | d/l + yum install | |
| 11 | thunderbird | required | 7/19/2018 and 9/28/2018 | gnome-software | |
| 12 | NX | required | 9/28/2018 | d/l + yum install | NoMachine client for use with NERSC. $ sudo rpm -i <nomachine...rpm> or $ sudo yum localinstall <nomachine...rpm> |
| 13 | citrix client | | | | TESTING INC0211099 not sure if it will work |
| 14 | fastx | required | 9/28/2018 | d/l + tar -xvf | https connection fails, but ssh connection works. KSA has opened ticket with vendor |
| 15 | slack | required | 9/28/2018 | d/l + yum install | $ sudo yum localinstall <slack...rpm> |
| 16 | zoom | required | 9/28/2018 | d/l + yum install | (implies support for microphone, camera and speakers) |
| 17 | LibreOffice | required | 7/19/2018 and 9/28/2018 | gnome-software | calc,writer,base,draw,impress,CAD |
| 18 | python v3 | required | 9/28/2018 | yum install | |
| 19 | sshfs | required | 12/19/2018 | yum install | sudo yum install fuse-sshfs; commands include: sshfs, fusermount |
| 20 | dev tools (gcc) | required | 9/28/2018 | yum install | sudo yum group install 'Development Tools' |
| 21 | filezilla | required | 10/1/2018 | gnome-software | GUI file transfer between comet2 and SLAC servers |
| 22 | Ksnapshot | required | 10/1/2018 | gnome-software | screen shot utility |
| 23 | DbVis | required | 4/8/2019 | yum install | $ sudo yum localinstall dbvis_linux_10_0_18.rpm; download RPM from https://www.dbvis.com/download/10.0 |
| 24 | NetBeans | | | | needed by Fermi/LSST app developers |
| 25 | LSF client | convenient | 10/25/2018 | requires slac_yfs-client | Requires that the desktop is in the lsf configuration file and allowed to run batch commands. If the desktop name is not in the LSF configuration, start a service now ticket to request addition. Needs YFS to do run command a link for /etc/lsf.conf (likely a cookbook configured setting?) |
| 26 | VPN | required | 11/14/2018 | download | Must download from a current Cisco AnyConnect customer (question), e.g., NCSA or SLAC (How to Connect to SLAC VPN) |
| 27 | clamav | not needed | | sudo yum install clamav | Anti-virus (needed to access SLAC VPN, but not necessary on machine connected to internal network) |
| 28 | media codecs | very strongly desired | 12/14/2018 | Many steps --> | Followed numerous "sudo yum install ..." commands from https://wiki.centos.org/TipsAndTricks/MultimediaOnCentOS7 |
| 29 | htop | very strongly desired | 12/14/2018 | yum install htop | in EPEL |
| 30 | gimp | elective | 12/17/2018 | desktop installer | Gnome installer accessed through the Window Manager menu: Applications -> System Tools -> Application Installer |
| 31 | code42 | required | 112/20/2018 | (via SU web) | Stanford supported disk backup (for local files) https://stanford.app.box.com/v/SU-SemiCustomized-CPPe-Install |
| 32 | nVidia driver/dashboard | probably not needed | -- | -- | Needed to run dual monitors. On comet2, two (DVI) monitors connected to the two displayPorts on the Quadro 2000 board work just fine with the built-in (nouveau) driver. |
| 33 | GTK+ v3 | elective | 1/23/2019 | via KSA | needed to build galculator. (Also: gnome-software as gtk3-devel-3.22.20-3.el7) |
| 34 | galculator | elective | 1/24/2019 | d/l from web and build | One of the few decent RPN calculator apps available for linux |
| 35 | Java | required | | | Needed for Cisco VPN and other apps. |
| 36 | hdparm | elective | | yum install hdparm | Useful HDD/SSD information: $ lsblk and $ sudo hdparm -I /dev/sda1 |
| 37 | cvmfs client | highly desired | 6/6/2019 | recipe | CERN-based remote file distribution system. This will access LSST software. https://sw.lsst.eu/installation.html |
| 38 | cvmfs client II | highly desired | 9/10/2019 | chef | Earlier cvmfs client removed and new(er) chef recipe installed by SCS |
| 39 | numpy,scipy,pandas | required | 6/7/2019 | gnome-installer | Python packages |
| 40 | conda | required | 7/26/2019 | gnome-installer | Needed in preparation for Jupyter |
| 41 | matplotlib (python3) | required | 10/11/2019 | cmd line and gnome-installer | $ sudo python3 -mpip install matplotlib; GUI installer for: python3-tkinter-3.6.8-10.el7 |

 

Notes:

  1. X11 & GUI installed in this way:  

    X11 and GUI
    curl http://yum/centos-gui > /tmp/centos-gui
    /bin/sh /tmp/centos-gui

    (very large set of packages, takes a long time...)

  2. Software installed via the GUI, e.g., Thunderbird, emacs, LibreOffice

    sudo gnome-software
  3. Attempt to install FastX downloaded from www.starnet.com.  Code is unpacked from a tar.gz file and run without any special installation.  Attempt to configure SLAC but code fails with a relocation error associated with /lib64/libssl.so.10.  Karl to the rescue!  Use the "ssh" connection rather than "https" while he queries the vendor for a proper fix.

  4. TRS should not be used, as it currently requires the use of DES enctypes, which are insecure. We have a to-do to remove the ability for this weak key to work, and are working to make TRS more secure so it can be used on CentOS.
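
One way to check a host for the weak-key condition described in note 4, as an added example (not part of the original page or of SLAC's tooling): the function scans the [libdefaults] section of a krb5.conf for allow_weak_crypto and for single-DES entries in the enctype lists. The sample configuration and its realm are constructed for illustration.

```bash
# Constructed sample config for the demo; not a SLAC file, the realm is made up.
sample_krb5_conf() {
  cat <<'EOF'
# constructed sample
[libdefaults]
  default_realm = EXAMPLE.ORG
  allow_weak_crypto = true
  permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
  default_tkt_enctypes = DEFAULT -des
  default_tgs_enctypes = des-cbc-md5,aes128-cts-hmac-sha1-96
[realms]
  EXAMPLE.ORG = { kdc = kdc.example.org }
EOF
}

# Print one finding per weak setting in [libdefaults]; reads a file or stdin.
# des3-* (triple DES) is a separate enctype family and is not matched here.
krb5_weak_findings() {
  awk '
    /^[ \t]*[#;]/ { next }                               # comment line
    /^[ \t]*\[/   { in_lib = ($0 ~ /\[libdefaults\]/); next }
    !in_lib       { next }
    {
      line = tolower($0)
      eq = index(line, "=")
      if (eq == 0) next
      key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
      val = substr(line, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "allow_weak_crypto" && val ~ /^(true|yes|on|1)$/)
        printf "line %d: allow_weak_crypto is enabled\n", NR
      if (key ~ /^(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)$/) {
        n = split(val, et, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
          e = et[i]
          if (e ~ /^-/) continue                         # "-des" removes a type
          sub(/^\+/, "", e)
          if (e ~ /^des(-cbc-(crc|md4|md5|raw)|-hmac-sha1)?$/)
            printf "line %d: %s allows single-DES enctype %s\n", NR, key, e
        }
      }
    }' "${1:--}"
}

# Demo on the constructed sample; on a real host pass /etc/krb5.conf instead.
sample_krb5_conf | krb5_weak_findings
```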

     

Configuration Hints

Desktop

The default desktop manager is gnome.  A large number of desktop settings are stored in the dconf database.  There are several ways to view/set these settings:

  • From the Applications menu, select System Tools and then Settings.  Or, use gnome-control-center from the command line.  Not all settings are available in this way.  There is a second utility accessed via Applications -> Utilities -> Tweak Tools, which offers additional desktop configurations.
  • The gsettings command provides access to all of the dconf DB
  • The GUI app, dconf-editor, which is not included in the centos7 installation by default, is a graphical front-end to gsettings

For example, to increase the idle time interval until the screen blanks and locks to one hour:

$ gsettings set org.gnome.desktop.session idle-delay 3600
$ gsettings get org.gnome.desktop.session idle-delay
uint32 3600
    and
$ gsettings set org.gnome.desktop.screensaver lock-delay 0
$ gsettings get org.gnome.desktop.screensaver lock-delay
uint32 0
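
As an added example (not from the original page): with these keys the session locks idle-delay + lock-delay seconds after the last input, and never locks if idle-delay is 0 or lock-enabled is false. The helper below computes that from `gsettings get` output and compares it with a limit; the 900-second limit is an assumed placeholder, not a figure taken from this page.

```bash
# Strip the type tag from `gsettings get` output such as "uint32 3600".
gs_uint() {
  gs_v="${1#uint32 }"
  case "$gs_v" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$gs_v"
}

# seconds_until_lock IDLE_DELAY LOCK_ENABLED LOCK_DELAY
# Prints the seconds of inactivity before the session locks, or "never".
seconds_until_lock() {
  sl_idle=$(gs_uint "$1") || return 2
  sl_delay=$(gs_uint "$3") || return 2
  if [ "$2" != "true" ] || [ "$sl_idle" -eq 0 ]; then
    echo never                      # idle-delay 0 disables blanking entirely
  else
    echo $((sl_idle + sl_delay))
  fi
}

# check_lock_policy IDLE_DELAY LOCK_ENABLED LOCK_DELAY MAX_SECONDS
check_lock_policy() {
  cl_t=$(seconds_until_lock "$1" "$2" "$3") || { echo "ERROR: unparsable value"; return 2; }
  if [ "$cl_t" = never ]; then echo "FAIL: session never locks"; return 1; fi
  if [ "$cl_t" -gt "$4" ]; then echo "FAIL: locks after ${cl_t}s, limit ${4}s"; return 1; fi
  echo "OK: locks after ${cl_t}s"
}

# Read the three keys from the running GNOME session and check them.
audit_live_session() {
  check_lock_policy \
    "$(gsettings get org.gnome.desktop.session idle-delay)" \
    "$(gsettings get org.gnome.desktop.screensaver lock-enabled)" \
    "$(gsettings get org.gnome.desktop.screensaver lock-delay)" \
    "${1:-900}"    # 900 s is an assumed limit, not a SLAC figure
}

# The values set on this page: idle-delay 3600, lock-delay 0 (lock-enabled assumed true).
check_lock_policy "uint32 3600" true "uint32 0" 900 || true
```

On a desktop, run `audit_live_session` (optionally with a limit in seconds) from a terminal inside the GNOME session.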

To change gnome's default behavior of opening new windows maximized, do this:

$ gsettings set org.gnome.mutter auto-maximize false

 

gpg

If you use this encryption tool, it can be fussy about how it asks for your pass phrase, depending on, for example, whether you have a $DISPLAY variable set.  I've found that one way to force gpg to use a terminal-emulator style (e.g., curses) dialog is to create the following file:

$ cd ~/.gnupg
$ cat > gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
^D

 

 

 

OS Update Log

| Date | uname -a | Notes |
|---|---|---|
| 7/13/2018 | 3.10.0-862.6.3.el7.x86_64 | |
| 8/8/2018 | 3.10.0-862.9.1.el7.x86_64 | |
| 8/28/2018 | 3.10.0-327.el7.x86_64 | Fresh install by ksa |
| 8/29/2018 | 3.10.0-862.11.6.el7.x86_64 | |
| 10/4/2018 | 3.10.0-862.14.4.el7.x86_64 | |
| 12/7/2018 | 3.10.0-957.1.3.el7.x86_64 | |
| 2/19/2019 | 3.10.0.957.5.1.el7.x86_64 | Fresh net install on new SSD |
| 4/1/2019 | 3.10.0-957.10.1.el7.x86_64 | |
| 5/15/2019 | 3.10.0-957.12.2.el7.x86_64 | $ sudo yum upgrade ; failure of yfs, so (via ksa)... $ sudo yum clean all;sudo yum erase kmod-yfs;sudo yum install kmod-yfs;sudo yum upgrade then $ sudo chef-client -o slac_yfs-client |
| 6/14/2019 | 3.10.0-957.21.2.el7.x86_64 | Automatic upon reboot (after notifications) |
| 9/24/2019 | 3.10.0-1062.1.1.el7.x86_64 | |
| 12/2/2019 | 3.10.0-1062.4.3 | |
| 12/4/2019 | 3.10.0-1062.7.1 | |
| 1/6/2020 | 3.10.0-1062.9.1 | |
| 2/10/2020 | 3.10.0-1062.12.1 | |

 

Disk Partitioning

The following table indicates a "standard" suggested disk partitioning for centos7 with a 1 TB SSD.  (Note: the machine, comet2, has 16 GB of RAM.)

Currently recommended partition sizes are in blue.

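| Partition | Type | Size (GB) | Usage as of 3/12/2020 | Red Hat guideline | encrypt? | Notes |
|---|---|---|---|---|---|---|
| /boot | ext4 | 2 | .33G (19%) | >1 GB | | |
| / | ext4 | 30 | 11G (36%) | >10 GB | | root |
| /home | ext4 | 30 | 23G (80%) | >1 GB | | local user $HOMEs |
| swap | | 8 | | >1 GB | | calculation based on amount of RAM |
| /opt | ext4 | 40 | .75G (2%) | | | 3rd party software |
| /tmp | ext4 | 10 | 0.04G (1%) | | | don't let this fill up! |
| /var | ext4 | 10 | 2.1G (23%) | | | logs |
| /scratch | ext4 | 300 | 38G (14%) | | | yum! |
| /scswork | ext4 | 10 | 0.04G (1%) | | | maybe combine with / ? |
| /usr/vice/cache | ext4 | 5 | 0.1G (3%) | | | AFS/YFS only |
| /afs | auristorfs | --- | N/A | | | empty mount point (AFS/YFS only) |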

 

Here is comet2's current disk config (on a 160 GB HDD):

$ lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda                       8:0    0 149.1G  0 disk 
├─sda1                    8:1    0   600M  0 part /boot
└─sda2                    8:2    0 148.5G  0 part 
  ├─VolGroup00-LogVol07 253:0    0  55.2G  0 lvm  /scratch
  ├─VolGroup00-LogVol01 253:1    0    30G  0 lvm  /opt
  ├─VolGroup00-LogVol06 253:2    0     5G  0 lvm  /tmp
  ├─VolGroup00-LogVol05 253:3    0     5G  0 lvm  /scswork
  ├─VolGroup00-LogVol04 253:4    0     4G  0 lvm  /usr/vice/cache
  ├─VolGroup00-LogVol03 253:5    0     8G  0 lvm  [SWAP]
  ├─VolGroup00-LogVol02 253:6    0    10G  0 lvm  /var
  └─VolGroup00-LogVol00 253:7    0    30G  0 lvm  /

 

Useful storage-related commands.

| command | function | example |
|---|---|---|
| lsblk | show disk partitioning | $ lsblk |
| smartctl | show disk monitoring and health | $ sudo smartctl -AH /dev/sda1 |
| hdparm | show detailed storage device info | $ sudo hdparm -I /dev/sda |

 

On a new build, old or new hardware

  1.  check if firmware updates need to happen

    - BIOS, IDRAC, DISK/PERC

  2. NETDB needs for the node:

    a. NetDB must have the MAC address

    b. NetDB must have these dhcp-opt  options:  --options filename=pxelinux.0,next-server=lnxpapa,tftp-server-name=lnxpapa

    c. NetDB must have dhcp enabled

    d. Determine the pxeboot-kickstart to use. There are many, and we should agree on which one to use. I'd recommend we make that part of the netdb record the way we do with some newer builds; I think it helps. See for instance comet2 pxekickit: CentOS7/default.netboot.CentOS7.linux_desktop_2


    NOTE: I would like to change the attribute name on the netdb record from 'pxekickit' to 'netboot'. I came up with the pxekickit name, and it sort of made sense at that time, but now that we expect to have more than just kickstart builds (think Ubuntu), I think it better to just change this naming convention to netboot.

    e. NetDB must have the MAC address

  3. Determine whether there is anything special about this machine that needs to be considered

    If this is a rhel[56] node with a taylor.opts, take a look and see if there is a one-to-one correspondence between what taylor.opts is doing on the node and what we can do in chef.  For example, if the pre-cheffed node is using automounter, then all parties (unix platform, the user) need to know that no NFS native mounts are supported.

 

User Log

The first part of the log concerns the first build up on comet2.

7/13/2018 - comet2 machine arrives in bldg 48 rm 248. Kerberos authentication (temporary). Initial pass at identifying and installing needed software packages (above table)

8/28/2018 - comet2 rebuilt, lose login ability

9/28/2018 - regain ability to login via local account. Re-install needed packages. Also move offending file which causes polkitd to consume too much CPU, "A workaround that I've been using is to remove /etc/xdg/autostart/org.gnome.SettingsDaemon.Account.desktop until the above mentioned bug is fixed." (but this does not clear up the issue - polkitd still consumes 7-6% of the CPU continuously)

11/13/2018 - chef client installed (by Karl). Unexpectedly (to TG), this also activated unix kerberos authentication, thus I begin to use the 'dragon' (SLAC) account in favor of the dragon1 (local) account on comet2.

12/17/2018 - Karl adds 'dragon1' and 'dragon' accounts to /etc/group 'wheel' group. This allows a user to run, for example, the software installation tool GUI launched from the Applications -> System Tools menu in the WM.

12/19/2018 - Karl adds 'dragon' to sudo list.

1/14/2019 - Add system monitor to "top panel" in Gnome3 (right-click in that area now allows one to add new widgets): Applications->System Tools->Application Installer->Add-ons

1/18/2019 - Erik Chavez kindly provided two displayPort-to-DVI adaptors and that seems to work just fine with default display driver, etc.

1/22/2019 - install 'hdparm' on comet2 in anticipation of running with SSD. Use: "lsblk" to determine the device for the HDD/SSD, then "hdparm -I /dev/sda2" for details. (Current HDD is Western Digital 160 GB drive.)

1/24/2019 - Karl installed GTK+ v3, enabling build of galculator (./configure, make, make install).

1/24/2019 - Attempt to update BIOS on comet2 (from A26 -> A30). After multiple attempts, was unable to produce a bootable FreeDOS USB device using parted & unetbootin on comet2. However, using rufus (http://rufus.akeo.ie/) on a Win10 machine was trivial (and successful). BIOS was updated to version A30 on 1/25/2019. Hint: rename the Dell bios updater app so that it has 6 or fewer characters, or it will be abbreviated by DOS.

1/25/2019 - Reduce those huge desktop icons with

'gsettings set org.gnome.nautilus.icon-view default-zoom-level small'

1/30/2019 - 'sudo yum install redhat-support-tool' and search for data on SSD/trim support in RHEL.

2/21/2019 - official "move in date". That is, switch comet <-> comet2 as my primary desktop computer (smile)

 


 

The second part of the log commences with the installation of a new SSD into comet2 and a complete re-install of all other software.

2/19/2019 - Install 1 TB SSD in comet2 using partitioning scheme above. Andrew activates kerberos and adds me to sudo list. Then begin process of installing needed software all over again!

2/20/2018 -

  • New CR 2032 battery installed in comet2 for RTC
  • X11 install appears successful, but causes screen freeze early on. Also SELinux complaints...but Karl fixes:
    sudo semanage fcontext -a -t abrt_var_log_t '/var/adm'
    sudo restorecon -v '/var/adm'
    sudo systemctl restart rsyslog
  • And adds me to the 'wheel' group so I may use the GUI s/w installer tools.
# usermod -a -G wheel dragon
  • The X11 freeze was "solved" by reseating the nVidia card. Will have to see if this is a long-term solution. If not, Karl suggests swapping out the nouveau video driver for the nVidia driver: nvidia-automatic-builds-via-dkms
  • Install AFS/YFS
  • Install google-chrome
  • Install thunderbird
  • Install emacs + git version control package
  • Install NX client (from NERSC)
  • Install FastX
  • Install python3
  • Install slack app
  • Install Zoom app
  • Install sshfs
  • Install dev tools
  • Install filezilla
  • NOTE: the following apps were already installed (or equivalents): libreOffice, ksnapshot
  • Install multimedia codecs and apps (including ffmpeg)
  • Install htop
  • Install gimp
  • Install gitg (GTK+ interface to git)
  • Install galculator and GTK+ development files
  • Install BrightQ printer support for Canon ImageRunner Advance C5255
    • Driver package is recommended by Canon, https://www.codehost.com/canon/
    • One must "register" to download and then again to install the drivers (sad)
    • This system was installed to interface with CUPS (already installed)
    • A number of "BrightQ" apps appear in the gnome Applications->Office menu
    • It seems to work, including providing the printer-specific options (e.g., paper size, duplex, etc.)
  • Install Code42 CrashPlan, configure and start

2/21/2019 -

  • Install hdparm
  • Add shell extensions (Applications --> System Tools --> Application Installer --> Add-ons)
    • "system-monitor" – CPU/Network/Disk activity plots to gnome top bar
    • "No Topleft Hot Corner"
    • "Workspace Indicator"

4/10/2019 - After a flurry of "Important OS Update" notifications, and after three reboots did not clear the notifications, Karl manually intervenes due to an issue with YFS:


 

sudo yum clean all; sudo yum erase kmod-yfs; sudo yum install kmod-yfs; sudo yum upgrade

 

5/17/2019 - comet2 has been operating normally (no observed hardware hiccups)

 

Gotchas

Here is a list of gotchas or concerns that I stumbled into during these project investigations.

  • At this time (1/7/2020), updating YFS without a concurrent OS kernel update may fail due to an issue with the kmod-yfs library.  The workaround is:

    sudo yum erase kmod-yfs-0.190-1.3.10.0_1062.9.1.el7.x86_64   # (substitute your current version)
    sudo yum update                                              # or "yum upgrade"
  • Tilde (~) does not work.  Remember that LD2.0 machines have their own user databases which are not the same as the SLAC site unix user database.  If you are accustomed to typing "$ ls ~lsstprod/workflows", that will no longer function.  It is not clear how to implement a good, reliable work-around.
  • Absolute NFS file paths will be different.  Using sshfs means every remote file system must have a local mount point.  On central SLAC machines, "/nfs" works.  However, sshfs documentation recommends that mount points be r/w by the user and, usually, /nfs is not such a candidate.  So any scripts or aliases that use the "/nfs" path must be changed. [AFS/YFS is different in that if you elect to have the client installed, the absolute paths will look identical with that on a public SLAC machine.]
    ** WORKAROUND: On a single-user workstation in the SLAC network, the following example shows how to allow a customary absolute NFS path using a symbolic link:

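    mkdir -p /home/dragon/nfs/farm/g/lsst                      # user-writable mount point under $HOME
    sudo ln -s /home/dragon/nfs /nfs                           # ln -s TARGET LINK_NAME: /nfs -> /home/dragon/nfs
    sshfs dragon@rhel6-64:/nfs/farm/g/lsst /nfs/farm/g/lsst    # mount through the customary absolute path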
  • Access to AFS home directories can proceed either via an absolute path, e.g., `/afs/slac/u/...` or one can create a symbolic link to recover the familiar `/u/ec/dragon/...` path.

    sudo ln -s /afs/slac.stanford.edu/u /u
  • Lots of SLAC-written and SLAC-specific commands are no longer available locally, e.g., everything in /usr/local/bin
    ** WORKAROUND: Create an alias in your .bashrc to prefix your favorite SLAC command(s) with "ssh rhel6-64 ", e.g.

    alias person='ssh rhel6-64 person '
  • Printing is currently possible via the unix print server, but I've heard rumors that this service might be deprecated and replaced with a Windows-based system.  Also, the current print config in use on comet2 is very rudimentary and needs further thought.  It does not, for example, know about printer-specific functions & capabilities, such as faxing, duplex printing, oddball paper sizes, etc.
    ** FIX: The "BrightQ" print drivers for Canon printers are straightforward to install, interface seamlessly with CUPS, and offer all the features of my printer (a Canon C5255).  There is a bit of a rigmarole involved (one must "register" twice, once for download and again for installation), but in the end it worked well.  Get the drivers here: https://www.codehost.com/canon/
  • Many users will need a moderately-to-highly customized application repertoire to work well for them.  The application list above is acceptable for my (TG) work needs. But there are items that even I need only rarely and it is not clear it is better to seek them out and install locally, or to simply log into a public login machine to use.  Here I am thinking of database tools, advanced development tools, TeX (and friends), more sophisticated printing capabilities, etc.
  • While for many activities it is desirable to work locally, one will still need to log onto a public SLAC login machine (think licensed software, certain computing resource management functions, dealing with PPI, etc.). There are certain files and directories that I would like synchronized between the desktop machine and my SLAC environment (such as ssh keys, personal logbook, app configurations).  Possibly a trscron job would do the trick, but then which copy becomes the master?  I would like a smart synchronizer that allows either environment to make changes that will then be reflected in the other environment.

 

References

  1. SLAC minimum security requirements:
    https://docs.slac.stanford.edu/sites/pub/Publications/701-I02-001-00_Min_Sec_Req_for_Comp.pdf
  2. Stanford minimum security requirements:  
    https://uit.stanford.edu/guide/securitystandards

  3. SLAC support for Linux:
    Ubuntu/CentOS 7 Desktop Scope of Support

 

 

 
