Versions Compared

Old Version 61

changes.mady.by.user Andrew May

Saved on

compared with

New Version 62

changes.mady.by.user Karl Amrhein

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Install CentOS 7 using either the Minimal or the DVD ISO available here (available on the SLAC network or VPN).  The ISO image can also be used for a USB key install.

    http://yum.slac.stanford.edu/iso/centos/7

    N.B. some systems may have gpt labeled drives which enable larger than 2.2TB drives, these require an entry in the kickstart script like:  part biosboot --fstype=biosboot --size=1

    Without this entry, the kickstart will halt telling you that you need to create a 1MB biosboot partition.

     

  2. Log into your new CentOS 7 host. 
    Become root by using sudo or /bin/su. 
    Install Chef on bare metal or a VM by running this command (get a root prompt, or use sudo as shown below):

    curl -s http://yum.slac.stanford.edu/go-chef | sudo /bin/sh

    If you want to only configure yum, and not run any of the other Chef recipes, then don't run the above command, run this instead:

    curl -s http://yum.slac.stanford.edu/go-chef  >  /tmp/go-chef

    Then modify the /tmp/go-chef script, and change the chef-client command line towards the bottom to just run the slac_yum cookbook, something like this:

         [...] chef-client -l info -L /var/log/chef-client-install.log -r slac_yum

    Note these instructions are subject to frequent change, so please check back to this page for the most recent version. Configuring only yum, and nothing else, means that your CentOS 7 host is unmodified except it can now apply yum updates, even if your machine is on a private 172.X subnet.  If you need help, email unix-admin at slac.


  3. After you have run one of the above curl commands, you can optionally install the AFS client. Do not install the AFS client unless you have to. AFS is optional for CentOS 7 and it is not required to have a centrally manged CentOS 7 host. The default SLAC CentOS 7 host will not have AFS installed, but it is available if you require it.

    You must run 'yum upgrade' before attempting to install and configure openafs with Chef.  This is to deal with RPM dependency resolution issues.  A reboot should not be necessary.

    $ sudo yum upgrade

    After you update the RPMs as shown above, here is the command to install, configure, and start openafs:

    $ sudo chef-client -o slac_openafs

    This recipe takes a long time to run since it compiles an openafs kernel module for the running kernel.  The openafs client will start automatically – no reboot is required. You will not automatically get an afs token when logging in.  The slac_openafs Chef cookbook will install and enable DKMS (dynamic kernel module system) so future kernel updates should rebuild an afs client module automatically at the time the updated kernel is installed.  Run the following command to get an afs token from your Kerberos ticket:

    $ aklog

    If you want to leave your home directory alone (ie, keep it on the local disk) then you are done.  But if you want to have your AFS home directory as your home directory on this machine when you login, here are the steps to do that:

    Edit this file: /etc/sssd/sssd.conf

    comment out the line that says:
    override_homedir = /home/%u
    Run this command:
    systemctl restart sssd

    Create a symlink by running this command:
    ln -s /afs/slac.stanford.edu/u /u

    You should now have this symlink:
    /u -> /afs/slac.stanford.edu/u

    logout and login - and you should be in your AFS home directory, but you still need to run 'aklog' to get an AFS token after logging in.


  4.  Note, a Cheffed node by default does not limit login to the node, anyone at SLAC would be able to login to the node.  If you want to limit  login to the node please contact unix-admin@slac.stanford.edu with the name of the node and how you would like access to be restricted.

  5. And still before you exit your root prompt, create a sudoers entry for yourself inside the /etc/sudoers.d directory.
    If you do not want or need sudo access, you can skip this step.

    You can copy and paste the following (replace 'ksa' with your username):
    cat > /etc/sudoers.d/user-ksa << EOF
    ksa   ALL=ALL
    EOF

    Be sure to read and fill out the sudo request form.  This is required for auditing purposes:
    https://www.slac.stanford.edu/comp/unix/auth/superuser-req.shtml


  6. If you would like a Kerberos host keytab installed on your CentOS 7 host, send an email to unix-admin@slac.stanford.edu .

    Without a Kerberos host keytab, you will need to enter your SLAC password when connecting via ssh, even when you already have a Kerberos ticket granting ticket (TGT).  If you have unix-admin install a Kerberos host keytab, then you can use passwordless GSSPAI via ssh to connect without a password when you already have a Kerberos TGT.


...