
CentOS 7 is centrally supported at SLAC for the following platforms:

  • VMware virtual machine
  • OpenStack virtual machine
  • Bare metal server
  • Desktop productivity - under development.  If you wish to help with testing, email unix-admin@slac.stanford.edu

RHEL 7 is also available if your application requires it for support, but CentOS 7 is preferred and recommended.

Step-by-step guide

These are the steps to install and configure CentOS 7 with Chef at SLAC for a headless bare metal server.
To request a CentOS 7 virtual machine in VMware or OpenStack, please email unix-admin@slac.stanford.edu .

 

  1. Install CentOS 7 using either the Minimal or the DVD ISO available here (available on the SLAC network or VPN):

    http://yum.slac.stanford.edu/iso/centos/7

     

  2. Log into your new CentOS 7 host. 
    Become root by using sudo or /bin/su. 
    Install Chef by running this command as root:

    curl -s http://yum.slac.stanford.edu/go-chef | /bin/sh

     

  3. Before you exit your root prompt, you need to modify this file:

    /etc/security/access.netgroup.conf

    Add a line that looks like this (replace 'ksa' with your username):

    + : ksa : ALL

    Make sure to add that line above the last line.  Here is an example of what the file might look like if you wanted to grant login access to SLAC users ksa and vanilla:

    + : root : LOCAL  134.79.0.0/16 172.16.0.0/12
    + : ksa : ALL
    + : vanilla : ALL
    + : @u-scs-staff : ALL
    - : ALL : ALL

     

  4. And still before you exit your root prompt, create a sudoers entry for yourself inside the /etc/sudoers.d directory.
    If you do not want or need sudo access, you can skip this step.

    You can copy and paste the following (replace 'ksa' with your username):

    cat > /etc/sudoers.d/user-ksa << EOF
    ksa   ALL=ALL
    EOF

    Be sure to read and fill out the sudo request form.  This is required for auditing purposes:
    https://www.slac.stanford.edu/comp/unix/auth/superuser-req.shtml

     

  5. If you would like a Kerberos host keytab installed on your CentOS 7 host, send an email to unix-admin@slac.stanford.edu .
    Without a Kerberos host keytab, you will need to enter your SLAC password when connecting via ssh, even when you already have a Kerberos ticket granting ticket (TGT).  If you have unix-admin install a Kerberos host keytab, then you can use passwordless GSSAPI via ssh to connect without a password when you already have a Kerberos TGT.
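
The ordering rule in step 3 can be checked and applied mechanically. The script below is an added example, not part of the SLAC procedure or the go-chef script; it assumes the file uses pam_access syntax, where the first matching line wins, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; pass the path explicitly,
# e.g. /etc/security/access.netgroup.conf. Assumes pam_access first-match rules.

# deny_line FILE: print the line number of the last rule, but only if that
# rule is the catch-all "- : ALL : ALL". Prints nothing otherwise.
deny_line() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n = NR; last = $0 }
         END { gsub(/[ \t]/, "", last)
               if (last == "-:ALL:ALL") print n }' "$1"
}

# has_login FILE USER: succeed if a "+" rule naming USER sits above the catch-all.
has_login() {
    awk -F: -v u="$2" -v d="$(deny_line "$1")" '
        d != "" && NR < d && $1 ~ /^[ \t]*\+[ \t]*$/ {
            n = split($2, who, " ")
            for (i = 1; i <= n; i++) if (who[i] == u) found = 1
        }
        END { exit !found }' "$1"
}

# grant_login FILE USER: insert "+ : USER : ALL" directly above the catch-all.
# Returns 0 on success or if already granted, 1 if the file does not end in
# the catch-all deny (fix that by hand first), 2 for an unusable username.
grant_login() {
    file=$1; user=$2
    case $user in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    d=$(deny_line "$file")
    [ -n "$d" ] || return 1
    has_login "$file" "$user" && return 0
    tmp=$(mktemp) || return 1
    awk -v u="$user" -v d="$d" 'NR == d { print "+ : " u " : ALL" } { print }' \
        "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the page's example file without the two user lines.
sample_conf() {
    printf '%s\n' '+ : root : LOCAL  134.79.0.0/16 172.16.0.0/12' \
        '+ : @u-scs-staff : ALL' '- : ALL : ALL'
}
```

A file where a user line was appended below `- : ALL : ALL` makes `grant_login` return 1 and `has_login` fail, which is the mistake step 3 warns about.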


 

Soon we will run the chef client as a daemon, but at the moment the go-chef command is a one-time configuration script, which will not install a cron job or a daemon to run chef periodically.  This is because we do not want to overwrite the access.netgroup.conf file and remove any modification you have made to the user login list.  Soon we will have your user login list maintained by Chef, but we are still working on that now.

After you install Chef using the go-chef script, your CentOS 7 host will be configured for central authentication using Unix Kerberos.

In addition, here is an incomplete list of the items that Chef will configure (just to give you an idea):

  • cron
  • logrotate
  • rsyslog
  • /etc/motd
  • root password
  • kerberos
  • ssh
  • shells
  • sssd
  • ntp
  • yum
  • yum-cron
  • sudo for unix-admin
  • login access for unix-admin

 

These are the configuration items Scientific Computing Services (SCS) is working on next:

  • AFS client
  • Automated keytab installation (for passwordless ssh connections)
  • NFS client
  • login access for users
  • sudo access for users
  • GDM login on video console for a desktop

 

In addition, the SLAC Desktop Support team are currently testing CentOS 7 on their lab machines. 

 

Frequently Asked Questions:

 

Q: Why does ssh prompt me for a password?
A: If you don't have a Kerberos host keytab, password-less ssh will not work.  Send a request to unix-admin to install a Kerberos host keytab.

Q: Where is /nfs?
A: Client NFS access is on our to-do list.  We have switched from NIS to LDAP, and the automounter maps are not in LDAP yet.  In the meantime, you can use scp (or possibly git).

Q: Where is /afs?
A: OpenAFS will be an option in CentOS 7, but not a requirement.  We will soon have a Chef cookbook to automatically install and configure OpenAFS.  If you need /afs before the cookbook is ready, you can send a request to unix-admin and we can install and configure it manually.

Q: What is the difference between CentOS 7 and RHEL 7?
A: CentOS announced the official joining with Red Hat in January 2014.  Although independent from Red Hat Enterprise Linux, the joining of CentOS and Red Hat strengthens the CentOS community and facilitates the CentOS build process since Red Hat is directly involved in supporting it.  Scientific Computing Services (SCS) can offer a centrally managed CentOS 7 OS distribution because of the flexibility of the Chef configuration management tool.  This provides SLAC the choice to pay for vendor support where required and appropriate, and also leverage the High Energy Physics Unix Information Exchange (HEPiX, https://www.hepix.org) and CentOS community for many use cases.  SLAC has benefited from Red Hat Enterprise Linux (RHEL) vendor support since 2004 starting with RHEL 3.  SLAC will continue to leverage vendor support from Red Hat; however, it will be beneficial for SCS to manage CentOS 7, and only use RHEL 7 where appropriate (ERP business systems and IBM GPFS servers, for example).

Q: When can I get CentOS 7 on my desktop?
A: SCS has focused our energy on Chef managed headless servers and virtual machines.  However, SCS is also meeting with SLAC Desktop Support on a weekly basis to discuss CentOS 7 desktop support.  If you are interested in participating in the testing, and being an early adopter, send email to unix-admin@slac.stanford.edu .  Initially it may be best to install CentOS 7 on an extra desktop rather than your primary, so if you find problems, it will not prevent you from getting your work done.  Currently sssd needs to be configured to allow GDM.  In the meantime, CentOS 7 can be run in "init 3" mode: log in on the command line at the video console, then start Gnome by typing 'startx'.

Q: What is the scope of CentOS 7 desktop support?
A: SLAC desktop support will provide level 1 support of CentOS 7 on the desktop for CentOS productivity applications (email, desktop office suite, pdf viewer, etc.) that are part of the official CentOS distribution.  For use cases such as software development, testing, and proof of concepts, it is recommended to take advantage of the SCS supported OpenStack cluster at SLAC where you can quickly self provision, and destroy, SCS centrally managed CentOS 7 and also RHEL 6 virtual machines.

Q: Do you recommend installing CentOS 7 on my desktop?
A: It's a personal decision, but you should consider the possibility of keeping RHEL 6 on your desktop and running CentOS 7 virtual machines using the SLAC OpenStack cluster.  RHEL 6 is supported by Red Hat until 2020.  You can get centrally managed CentOS 7 virtual machines for development and testing that are configured identically to the central compute environment, since they both run the same Chef cookbooks.  Desktops can rarely be configured to match the central compute environment exactly, and it is often tempting to install third party yum repositories to install additional desktop applications, and that can quickly lead to a special and sometimes fragile configuration that does not match the central computing environment.  Also, you can use services like FastX to access the centrally managed CentOS 7 hosts at SLAC.  Using FastX, you can display CentOS 7 X applications using a desktop client application, or even a web browser.  You can also run CentOS 7 X applications and display back to your desktop or laptop using ssh X forwarding.  FastX is better at WAN connections, and for running disconnected X applications that you can return to later.

 

 

Please send any questions to unix-admin@slac.stanford.edu

 
