Versions Compared

Old Version 75

changes.mady.by.user Karl Amrhein

Saved on

compared with

New Version 76

changes.mady.by.user Karl Amrhein

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • VMware virtual machines
  • Bare metal server with devctl for remote console (IPMI / BMC)

For desktops or laptops, we recommend Ubuntu LTS is the supported choice.

Although RHEL 7 is also available if required by your application for support, CentOS 7 is preferred and recommended instead.  Any instructions below for CentOS 7 also apply for RHEL 7.

Note: RHEL 8 and Rocky Linux 8 support will be available soon (in 2022).

Step-by-step guide

These are the steps to install and configure CentOS 7 with Chef at SLAC for a headless bare metal server.
To request a CentOS 7 virtual machine (VM) in VMware, please email unix-admin@slac.stanford.edu .

...

  1. Install CentOS 7 using either the Minimal or the DVD ISO available here (available on the SLAC network or VPN).  The ISO image can also be used for a USB key install.

    http://yum.slac.stanford.edu/iso/centos/7

    N.B. some systems may have gpt labeled drives which enable larger than 2.2TB drives, these require an entry in the kickstart script like:  part biosboot --fstype=biosboot --size=1

    Without this entry, the kickstart will halt telling you that you need to create a 1MB biosboot partition.


  2. Log into your new CentOS 7 host. 
    Become root by using sudo or /bin/su. 
    Install Chef on bare metal or a VM by running this command (get a root prompt, or use sudo as shown below):

    curl -s http://yum.slac.stanford.edu/go-chef | sudo /bin/sh

    If you want to only configure yum, and not run any of the other Chef recipes, then don't run the above command, run this instead:

    curl -s http://yum.slac.stanford.edu/go-chef-yum-only | sudo /bin/sh


  3. After you have run one of the above curl commands, you can optionally install the YFS client to get access to AFS.  Do not install the YFS client unless you have to.  Access to AFS is optional for CentOS 7 and it is not required for a centrally manged CentOS 7 host.  SLAC is making an effort to not introduce additional dependencies on AFS.  We do understand there are some current workflows which require AFS.  The default SLAC CentOS 7 host will not have YFS installed, but it is available if you require it.

    You may need to run "yum upgrade" and then "reboot" before doing the following steps, if you installed an older version of CentOS 7 (eg, installed 7.0, when the current version is at 7.9)

    Use this command, after the above "go-chef" script completes:

    # /usr/bin/knife-node-add-role yfs-client

    Then run "chef-client" again:

    # chef-client

    The install of the YFS kernel module can take some time.  The YFS client will start automatically. Future updates to the YFS kernel module will occur through yum.  You will not automatically get an AFS token when logging in.   Run the following command to get an afs token from your Kerberos ticket:

    $ aklog

    If you want to leave your home directory alone (ie, keep it on the local disk) then you are done.  But if you want to have your AFS home directory as your home directory on this machine when you login, here are the steps to do that:

    Edit this file: /etc/sssd/sssd.conf

    comment out the line that says:
    override_homedir = /home/%u
    Run this command:
    systemctl restart sssd

    Create a symlink by running this command:
    ln -s /afs/slac.stanford.edu/u /u

    You should now have this symlink:
    /u -> /afs/slac.stanford.edu/u

    logout and login - and you should be in your AFS home directory, but you still need to run 'aklog' to get an AFS token after logging in.

    Info

    Note, if you decide to use AFS, then one should also set the following
    attribute "override_homedir=no"
    for your node so your edits to /etc/sssd/sssd.conf don't get
    overwritten with a chef run.

    "override_homedir=no"  means don't change the setting in /etc/sssd/sssd.conf

    (Yes that value setting is bit odd, and we have it on the short-term list

    https://confluence.slac.stanford.edu/display/CHEF/Chef+short-term+todo+list

    to consider renaming.)

    The "override_homedir"  attribute, and others, are describe at:

    https://confluence.slac.stanford.edu/pages/viewpage.action?pageId=232068309

    The above page also describes how to set that for the node.

  4.  Note, a Cheffed node by default does not limit login to the node, anyone at SLAC would be able to login to the node.  If you want to limit  login to the node please contact unix-admin@slac.stanford.edu with the name of the node and how you would like access to be restricted.

  5. And still before you exit your root prompt, create a sudoers entry for yourself inside the /etc/sudoers.d directory.
    If you do not want or need sudo access, you can skip this step.

    You can copy and paste the following (replace 'ksa' with your username):
    cat > /etc/sudoers.d/user-ksa << EOF
    ksa   ALL=ALL
    EOF

    Be sure to read and fill out the sudo request form.  This is required for auditing purposes:
    https://www.slac.stanford.edu/comp/unix/auth/superuser-req.shtml


  6. If you would like a Kerberos host keytab installed on your CentOS 7 host, send an email to unix-admin@slac.stanford.edu .

    UPDATE (2022-Jan): The installation of the CentoS/RHEL Kerberos keytab should be completely automated with chef-client.  It can take up to 24 hours, but there should not be a need to email unix-admin anymore to request the key installation.  If the automatic installation of the keytab does not work, please let unix-admin know.

    The subject line of the email to unix-admin for a host keytab request should be "please update whitelist for kerberos host keytab to include 'your_node_name_here'"

    e.g "just cheffed node, please update whitelist for kerberos host keytab to include lsst-aio02"


    Without a Kerberos host keytab, you will need to enter your SLAC password when connecting via ssh, even when you already have a Kerberos ticket granting ticket (TGT).  If you have unix-admin install a Kerberos host keytab, then you can use passwordless GSSPAI via ssh to connect without a password when you already have a Kerberos TGT.

    automation of putting a keytab on the host, is part of the chef short-term goals (Chef short-term todo list)   'automate method of putting node on whitelist, or putting node in system.info with chef.lastrun data which auto keytab install could use to determine if keytab can be installed'

...

Scope of Support for CentOS 7 on the Desktop

Update (2022-Jan): CentOS 7 is no longer a supported choice for personal productivity desktops or laptops.  SLAC IT offers full support for Ubuntu LTS on both the desktop and laptop.  Please open a Service Now ticket for any assistance.  Note, the "go-chef" script works on Ubuntu desktops.  Use the "go-chef-laptop" script for laptops (the go-chef-laptop script is intended for roaming machines that move on and off the SLAC network).

CentOS 7 on the desktop should be thought of as a personal productivity machine, not a development or server. Development machines and servers can be hosted in virtual machines or bare metal machines in servers rooms. Virtualization platforms available include VMware, and (in the future) Amazon Web Services public cloud. AWS for SLAC use is currently being tested.

...