
CentOS 7 is centrally supported at SLAC for the following platforms:

  • VMware virtual machine
  • OpenStack virtual machine
  • Bare metal server with devctl for remote console
  • Desktop productivity - under development.  If you wish to help testing, email unix-admin@slac.stanford.edu

RHEL 7 is also available where your application's vendor support requires it, but CentOS 7 is preferred and recommended. Any instructions below for CentOS 7 also apply to RHEL 7.

Step-by-step guide

These are the steps to install and configure CentOS 7 with Chef at SLAC for a headless bare metal server.
To request a CentOS 7 virtual machine (VM) in VMware or OpenStack, please email unix-admin@slac.stanford.edu. You can also find information about SLAC's OpenStack cluster here: https://confluence.slac.stanford.edu/display/SCSPub/Using+the+OpenStack+cluster+at+SLAC


  1. Install CentOS 7 using either the Minimal or the DVD ISO available here (available on the SLAC network or VPN).  The ISO image can also be used for a USB key install.

    http://yum.slac.stanford.edu/iso/centos/7

    N.B. Some systems have GPT-labelled drives (required for drives larger than 2.2 TB). These need an entry in the kickstart script such as:  part biosboot --fstype=biosboot --size=1

    Without this entry, the kickstart will halt and tell you that you need to create a 1MB biosboot partition.


  2. Log into your new CentOS 7 host. 
    Become root by using sudo or /bin/su. 
    Install Chef on bare metal or a VM by running this command (get a root prompt, or use sudo as shown below):

    curl -s http://yum.slac.stanford.edu/go-chef | sudo /bin/sh

    If you want to only configure yum, and not run any of the other Chef recipes, then don't run the above command, run this instead:

    curl -s http://yum.slac.stanford.edu/go-chef  >  /tmp/go-chef

    Then modify the /tmp/go-chef script, and change the chef-client command line towards the bottom to just run the slac_yum cookbook, something like this:

         [...] chef-client -l info -L /var/log/chef-client-install.log -r slac_yum

    Note these instructions are subject to frequent change, so please check back to this page for the most recent version. Configuring only yum, and nothing else, means that your CentOS 7 host is unmodified except it can now apply yum updates, even if your machine is on a private 172.X subnet.  If you need help, email unix-admin at slac.


  3. After you have run one of the above curl commands, you can optionally install the AFS client. Do not install the AFS client unless you have to. AFS is optional for CentOS 7 and it is not required for a centrally managed CentOS 7 host. The default SLAC CentOS 7 host will not have AFS installed, but it is available if you require it.

    You must run 'yum upgrade' before attempting to install and configure openafs with Chef.  This is to deal with RPM dependency resolution issues.  A reboot should not be necessary.

    $ sudo yum upgrade

    After you update the RPMs as shown above, here is the command to install, configure, and start openafs:

    $ sudo chef-client -o slac_openafs

    This recipe takes a long time to run since it compiles an openafs kernel module for the running kernel.  The openafs client will start automatically – no reboot is required. You will not automatically get an afs token when logging in.  The slac_openafs Chef cookbook will install and enable DKMS (dynamic kernel module system) so future kernel updates should rebuild an afs client module automatically at the time the updated kernel is installed.  Run the following command to get an afs token from your Kerberos ticket:

    $ aklog

    If you want to leave your home directory alone (i.e., keep it on the local disk) then you are done.  But if you want your AFS home directory to be your home directory on this machine when you log in, here are the steps to do that:

    Edit this file: /etc/sssd/sssd.conf

    comment out the line that says:
    override_homedir = /home/%u
    Run this command:
    systemctl restart sssd

    Create a symlink by running this command:
    ln -s /afs/slac.stanford.edu/u /u

    You should now have this symlink:
    /u -> /afs/slac.stanford.edu/u

    Log out and log in again; you should now be in your AFS home directory, but you still need to run 'aklog' to get an AFS token after logging in.


  4. Note: by default a Cheffed node does not restrict logins; anyone with a SLAC account can log in to the node.  If you want to limit login to the node, please contact unix-admin@slac.stanford.edu with the name of the node and how you would like access to be restricted.
  5. While still at your root prompt, create a sudoers entry for yourself inside the /etc/sudoers.d directory.
    If you do not want or need sudo access, you can skip this step.

    You can copy and paste the following (replace 'ksa' with your username):
    cat > /etc/sudoers.d/user-ksa << EOF
    ksa   ALL=ALL
    EOF

    Be sure to read and fill out the sudo request form.  This is required for auditing purposes:
    https://www.slac.stanford.edu/comp/unix/auth/superuser-req.shtml


  6. If you would like a Kerberos host keytab installed on your CentOS 7 host, send an email to unix-admin@slac.stanford.edu .

    The subject line of the email to unix-admin for a host keytab request should be "please update whitelist to include 'your_node_name_here'"

    e.g. "just cheffed node, please update whitelist to include lsst-aio02"


    Without a Kerberos host keytab, you will need to enter your SLAC password when connecting via ssh, even when you already have a Kerberos ticket granting ticket (TGT).  If you have unix-admin install a Kerberos host keytab, then you can use passwordless GSSAPI authentication via ssh to connect without a password when you already have a Kerberos TGT.

    Automating the installation of a keytab on the host is part of the Chef short-term goals (Chef short-term to-do list): 'automate method of putting node on whitelist, or putting node in system.info with chef.lastrun data which auto keytab install could use to determine if keytab can be installed'.
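The manual edits from steps 2, 3 and 5 above, collected into one POSIX shell helper as an added example; this is not SLAC's go-chef script or any Chef cookbook code. It assumes that the chef-client line in a saved copy of go-chef passes its run list after -r (as the target line in step 2 shows), that sssd.conf sits at etc/sssd/sssd.conf under the root directory you pass in, and that SLAC usernames are plain lowercase POSIX names. Each function takes a root directory so it can be rehearsed against a scratch tree before being pointed at the live /etc.

```shell
#!/bin/sh
# Added example, not SLAC's go-chef script or Chef cookbook code: the manual
# edits from steps 2, 3 and 5, each taking a root directory so they can be
# rehearsed against a scratch tree (e.g. /tmp/rehearse) before being run on /.
set -eu

# Step 2: limit a saved copy of go-chef to the slac_yum cookbook.
# Assumes (not verified against the real script) that its chef-client
# line passes the run list after -r.  $1 = path to the saved script.
restrict_go_chef_to_yum() {
    script="$1"
    grep -q 'chef-client' "$script" || { echo "no chef-client line in $script" >&2; return 1; }
    # Keep a .orig copy, then swap whatever follows -r for slac_yum.
    sed -i.orig -E 's/(chef-client .*)-r[[:space:]]+[^[:space:]]+/\1-r slac_yum/' "$script"
    grep -E 'chef-client .*-r slac_yum' "$script"
}

# Step 3: make the AFS directory the login home.  $1 = tree root (/ for real).
use_afs_home() {
    root="$1"
    conf="$root/etc/sssd/sssd.conf"
    # Comment the override out rather than deleting it, so it can be restored.
    sed -i.orig -E 's|^([[:space:]]*override_homedir[[:space:]]*=[[:space:]]*/home/%u)|# \1|' "$conf"
    # sssd refuses to start on a config that is readable by other users.
    chmod 0600 "$conf"
    # /u -> /afs/slac.stanford.edu/u; skip if the link is already in place.
    [ -L "$root/u" ] || ln -s /afs/slac.stanford.edu/u "$root/u"
    if [ "$root" = / ]; then systemctl restart sssd; fi
}

# Step 5: per-user sudoers drop-in.  $1 = tree root, $2 = username.
add_sudoers_entry() {
    root="$1"
    user="$2"
    # Accept only a plain lowercase POSIX username (assumed SLAC convention);
    # anything else could carry extra sudoers directives into the file.
    case "$user" in
        ''|*[!a-z0-9_-]*) echo "refusing unusual username: $user" >&2; return 1 ;;
    esac
    mkdir -p "$root/etc/sudoers.d"
    file="$root/etc/sudoers.d/user-$user"
    printf '%s   ALL=ALL\n' "$user" > "$file"
    # sudo ignores drop-ins that are writable by group or others; 0440 is
    # the mode visudo itself would set.
    chmod 0440 "$file"
    # Syntax-check the drop-in; visudo also checks owner and mode, so only
    # do this against the live tree.
    if [ "$root" = / ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file"
    fi
}

# Usage on the real host, as root:  sh postinstall.sh apply USERNAME
if [ "${1:-}" = apply ]; then
    use_afs_home /
    add_sudoers_entry / "${2:?username required}"
fi
```

The username check matters because the drop-in is written from a shell variable: a value containing spaces or punctuation would be copied straight into a file that sudo parses as policy, so the function refuses it rather than writing it. The sudo request form in step 5 is still required after the entry is created.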


 

Soon we will run the chef client as a daemon, but at the moment the go-chef command is a one-time configuration script, which will not install a cron job or a daemon to run chef periodically.  This is because we do not want to overwrite the access.netgroup.conf file and remove any modification you have made to the user login list.  Soon we will have your user login list maintained by Chef, but we are still working on that now.

After you install Chef using the go-chef script, your CentOS 7 host will be configured for central authentication using Unix Kerberos.

In addition, here is an incomplete list of the configuration items that will be configured by Chef (just to give you an idea):

  • cron
  • logrotate
  • rsyslog
  • /etc/motd
  • root password
  • kerberos
  • ssh
  • shells
  • sssd
  • ntp
  • yum
  • yum-cron
  • sudo for unix-admin
  • login access for unix-admin

 

These are the configuration items Scientific Computing Services (SCS) is working on next:

  • AFS client
  • Automated keytab installation (for passwordless ssh connections)
  • NFS client
  • grub2 configuration for bare metal server installation
  • login access for users
  • sudo access for users
  • GDM login on video console for a desktop

 

In addition, the SLAC Desktop Support team is currently testing CentOS 7 on their lab machines.


Scope of Support for CentOS 7 on the Desktop

CentOS 7 on the desktop should be thought of as a personal productivity machine, not a development machine or a server. Development machines and servers can be hosted in virtual machines or on bare metal machines in server rooms. Virtualization platforms available include OpenStack, VMware, and (in the future) the Amazon Web Services public cloud. AWS for SLAC use is currently being tested.

Supported personal productivity applications: the following are the applications supported by the Help Desk IT Desktop Support (ITDS) team.  These are standard RPM packages supported by Red Hat, or else standard supported applications (such as the Outlook Web Access email web client).

Application Name     Description            RPM name(s)                  Notes
Firefox              web browser            firefox
LibreOffice          office suite           libreoffice, libreoffice-*
Outlook Web Access   email client           N/A                          https://email.slac.stanford.edu/owa/
SSH                  ssh client             openssh-clients              ssh, scp, sftp
FastX                remote linux display   N/A                          FastX - Remote Linux on your desktop/laptop

Graphics Card Support

CentOS 7 includes supported drivers for proprietary graphics cards such as nVidia and ATI.  These supported drivers are included with each kernel update, so when you reboot into a new kernel, an updated graphics kernel module is available and your graphics will work. 

ITDS specifically does not support graphics drivers that are not part of the standard operating system.  If you replace the nouveau driver supported in CentOS 7 with the proprietary Nvidia driver (for example), you become responsible for any graphics configuration on your machine.  ITDS is not responsible for supporting non-standard graphics drivers.  When you replace the nouveau driver with the Nvidia driver, special steps are required to verify that the nouveau driver gets blacklisted.  Also, each kernel update will require you to rebuild the Nvidia kernel module.  This is a non-standard configuration and is not covered under central support, because of the relationship between updated kernels and patching policy, the manual process of rebuilding the Nvidia kernel module with each kernel update, and the reboot policy.  If you wish to install the Nvidia driver, you need to have a documented procedure in place regarding how often you update the kernel, when you reboot into the new kernel, and when you rebuild the Nvidia kernel module after you reboot into a new kernel.


Yum (RPM) Repositories

This is a list of the recommended yum repositories for CentOS 7 and RHEL 7.  Some of these will be enabled by default, and others can be enabled if you require them.

 

CentOS  RHEL  Repository Name                              Description                                   Part of Distribution  Recommendation Level  More information
        x     rhel-7-server-rpms                           RHEL 7 Base                                   yes                   high
        x     rhel-7-server-extras-rpms                    RHEL 7 Extra                                  yes                   high
        x     rhel-7-server-optional-rpms                  RHEL 7 Optional                               yes                   high
        x     rhel-7-server-rh-common-rpms                 RHEL 7 Common                                 yes                   high
        x     rhel-7-server-supplementary-rpms             RHEL 7 Supplementary                          yes                   high
        x     rhel-7-server-thirdparty-oracle-java-rpms    RHEL 7 Oracle Java                            yes                   high
        x     rhel-server-rhscl-7-rpms                     Software Collections, Developer Toolset       yes                   high                  http://developers.redhat.com/products/softwarecollections/overview/
x             base                                         CentOS-7 - Base                               yes                   high
x             extras                                       CentOS-7 - Extras                             yes                   high
x             updates                                      CentOS-7 - Updates                            yes                   high
x       x     epel                                         Extra Packages for Enterprise Linux           no                    medium                https://fedoraproject.org/wiki/EPEL
x       x     ius                                          IUS Community Packages for Enterprise Linux 7 no                    medium                https://ius.io/
x       x     nux-dextop-release                           Nux.Ro RPMs for general desktop use           no                    medium                http://li.nux.ro/repos.html

 

We do not recommend these repositories: ATrpms, RPMForge, RepoForge. Those repositories do not play well with RHEL or CentOS. You can easily break your system when distribution RPMs are replaced by the third-party RPMs, causing rpm dependency problems that prevent routine security patches from being applied. If you need RPMs or software that you cannot find in the recommended repositories above, email unix-admin@slac.stanford.edu for advice.


Frequently Asked Questions:

Q: Why does ssh prompt me for a password?
A: If you don't have a Kerberos host keytab, password-less ssh will not work.  Send a request to unix-admin (with your hostname) to install a Kerberos host keytab.

Q: Where is /nfs?
A: Client NFS access is on our to-do list.  We have switched from NIS to LDAP, and the automounter maps are not in LDAP yet.  In the meantime, you can use scp (or possibly git).  The rhel7.slac.stanford.edu login host was installed and configured before we started using Chef, and it is using NIS with NFS client access, but it will eventually be reinstalled and configured using Chef once we have client NFS support in Chef.

Q: Where is /afs?
A: OpenAFS will be an option in CentOS 7, but not a requirement.  We are currently developing a Chef cookbook to automatically install and configure OpenAFS.  If you need /afs before the cookbook is ready, you can send a request to unix-admin and we can install and configure it manually.  The rhel7.slac.stanford.edu login host has /afs installed and configured.

Q: How do I get an AFS token?
A: Run the command 'aklog'.  Then run the command 'tokens' to view your token.  Then cd to /afs/slac/... to access AFS space.

Q: What is the difference between CentOS 7 and RHEL 7?
A: CentOS announced its official joining with Red Hat in January 2014.  Although independent from Red Hat Enterprise Linux, the joining of CentOS and Red Hat strengthens the CentOS community and facilitates the CentOS build process, since Red Hat is directly involved in supporting it.  Scientific Computing Services (SCS) can offer a centrally managed CentOS 7 OS distribution because of the flexibility of the Chef configuration management tool.  This gives SLAC the choice to pay for vendor support where required and appropriate, and also to leverage the High Energy Physics Unix Information Exchange (HEPiX, https://www.hepix.org) and the CentOS community for many use cases.  SLAC has benefited from Red Hat Enterprise Linux (RHEL) vendor support since 2004, starting with RHEL 3.  SLAC will continue to leverage vendor support from Red Hat; however, it will be beneficial for SCS to manage CentOS 7, and only use RHEL 7 where appropriate (ERP business systems and IBM GPFS servers, for example).

Q: When can I get CentOS 7 on my desktop?
A: SCS has focused its energy on Chef-managed headless servers and virtual machines.  However, SCS is also meeting with SLAC Desktop Support on a weekly basis to discuss CentOS 7 desktop support.  If you are interested in participating in the testing and being an early adopter, send email to unix-admin@slac.stanford.edu.  Initially it may be best to install CentOS 7 on an extra desktop rather than your primary one, so that if you find problems, they will not prevent you from getting your work done.  Currently sssd needs to be configured to allow GDM.  In the meantime, CentOS 7 can be run in "init 3" mode: log in on the command line at the video console, then start Gnome by typing 'startx'.

Q: What is the scope of CentOS 7 desktop support?
A: SLAC Desktop Support will provide level 1 support of CentOS 7 on the desktop for CentOS productivity applications (email, desktop office suite, pdf viewer, etc.) that are part of the official CentOS distribution.  For use cases such as software development, testing, and proofs of concept, it is recommended to take advantage of the SCS-supported OpenStack cluster at SLAC, where you can quickly self-provision, and destroy, SCS centrally managed CentOS 7 and also RHEL 6 virtual machines.  You can find information about SLAC OpenStack here: https://confluence.slac.stanford.edu/display/SCSPub/Using+the+OpenStack+cluster+at+SLAC

Q: Do you recommend installing CentOS 7 on my desktop?
A: It's a personal decision, but you should consider the possibility of keeping RHEL 6 on your desktop and running CentOS 7 virtual machines using the SLAC OpenStack cluster.  RHEL 6 is supported by Red Hat until 2020.  You can get centrally managed CentOS 7 virtual machines for development and testing that are configured identically to the central compute environment, since they both run the same Chef cookbooks.  Desktops can rarely be configured to match the central compute environment exactly, and often it is tempting to install third-party yum repositories to get additional desktop applications, which can quickly lead to a special and sometimes fragile configuration that does not match the central computing environment.  Also, you can use services like FastX to access the centrally managed CentOS 7 hosts at SLAC.  Using FastX, you can display CentOS 7 X applications using a desktop client application, or even a web browser.  You can also run CentOS 7 X applications and display them back to your desktop or laptop using ssh X forwarding.  FastX is better over WAN connections, and for running disconnected X applications that you can return to later.

Q: How do I install a machine that does not have a CD drive?
A: You can install using a USB thumb drive.  See https://wiki.centos.org/HowTos/InstallFromUSBkey
   If you have a server that has a connection to SLAC's out-of-band devctl (Device Control) subnet, then SCS can PXE boot your server and install it over the network.

Q: What is the easiest way to start trying CentOS 7?
A:
  1. Log into rhel7.slac.stanford.edu with your SLAC Unix account.
  2. Use an OpenStack VM on the SLAC OpenStack cluster.  The OpenStack CentOS VM will be a centrally managed Chef host.
  3. Use Vagrant and VirtualBox on your laptop or desktop.  The Vagrant CentOS VM should be able to run Chef to be centrally managed.

Q: Grub2
A: CentOS 7 and RHEL 7 use grub2, which does not do the automatic setup of the console as grub legacy did.

 

 

Please send any questions to unix-admin@slac.stanford.edu