This page describes certain features of the "Linux Desktop 2.0" pilot/R&D project. While this project has been in progress for some time, these notes begin in July 2018.
There are an estimated 200-300 Linux desktop users at SLAC. This project aims to provide a basic managed and maintained building-block desktop that users may customize to their specific needs. At this writing, either Ubuntu or CentOS is an available option. This is very much a work in progress.
To-Do
- Consider whether the netboot file should remain active, with the user manually removing the link that makes it active with
echo "get Kickstart_end" | /usr/bin/tftp lnxpapa
or whether to do this for them automatically after the first build. Make this an attribute for the node build? Consider this for Ubuntu too.
- Ubuntu and kickstart are not great together, unless this is very, very dated: https://help.ubuntu.com/community/KickstartCompatibility
- Decide if we want the pxekickit to run chef on the node by default. As of 2018-09-27, a build with ks.cfg.centos7.linux_desktop_2 does not run chef. I suggest we do run chef in the default installation, and one picks ks.cfg.centos7.linux_desktop_2.no_chef_run if one does not want to run chef.
- Decide whether this is only for SLAC-owned equipment or whether users with non-SLAC equipment can use the chef cookbooks. What does that mean for slac_motd: does the content of that message change at all?
Current Pilot Machine Status
- A test machine, named comet2, was set up in Tom G's office, bldg 48/rm 248, on 7/13/2018. Linux (centos7) was installed over the network. Andrew set up the "old style" Kerberos authentication to allow site-wide logins. This is expected to change in the near future to a Windows authentication scheme.
- At this time, comet2 is considered available for reboot with little or no notification as experts continue their development of the deployment software. Rebuilding from scratch becomes increasingly painful as more and more software is installed.
- As of 9/23/2018, a 2nd machine, ppa-pc89438-l, is also running centos7 in Warren Focke's office, bldg 48/rm 249, using Andrew's latest net install.
List of candidate add-on software to be included in CentOS 7 network-install image.
Package | Status | Date installed | Install Tool | Notes |
---|---|---|---|---|
Linux | required | 7/13/2018 and 8/28/2018 | pxe boot | Basic CLI |
X11 | required | 7/17/2018 and 9/28/2018 | note 1 below | X11+gnome+gazillion dependencies |
window manager | required | 7/17/2018 and 9/28/2018 | " | gnome based - working on conf file |
desktop | required | 7/17/2018 and 9/28/2018 | " | (various convenience apps) |
chef-client | required | 11/13/2018 | (installed by KSA) | Needed for installing YFS |
Windows Active Directory | new authentication model (old=kerberos) | | | |
printing | required | [10/4/2018] | sudo system-config-printer | Printing will be via Windows AD IP based printing. In the meantime, configure locally using built-in printing system. Configure B048F2COPIER as a generic postscript printer. |
YFS | required | 11/14/2018 | chef-client -o slac_yfs-client | Auristor's YFS (AFS) client. Use "kinit [<userID>]" followed by "aklog" to get a token |
emacs | required | 7/19/2018 and 9/28/2018 | gnome-software | |
chrome | required | 9/28/2018 | d/l + yum install | |
thunderbird | required | 7/19/2018 and 9/28/2018 | gnome-software | |
NX | required | 9/28/2018 | d/l + yum install | NoMachine client for use with NERSC |
citrix client | TESTING INC0211099 not sure if it will work | | | |
fastx | | 9/28/2018 | d/l + tar -xvf | https connection fails, but ssh connection works. KSA has opened ticket with vendor |
slack | | 9/28/2018 | d/l + yum install | |
zoom | | 9/28/2018 | d/l + yum install | (implies support for microphone, camera and speakers) |
LibreOffice | required | 7/19/2018 and 9/28/2018 | gnome-software | calc,writer,base,draw,impress,CAD |
python v3 | required | 9/28/2018 | yum install | |
sshfs | | | yum install fuse-sshfs | |
dev tools (gcc) | required | 9/28/2018 | yum install | sudo yum group install 'Development Tools' |
filezilla | | 10/1/2018 | gnome-software | GUI file transfer between comet2 and SLAC servers |
Ksnapshot | required | 10/1/2018 | gnome-software | screen shot utility |
DbVis | needed by Fermi/LSST app developers | | | |
NetBeans | needed by Fermi/LSST app developers | | | |
LSF | | 10/25/2018 | requires slac_yfs-client | Requires that the desktop is in the LSF configuration file and allowed to run batch commands. If the desktop name is not in the LSF configuration, start a ServiceNow ticket to request addition. Needs YFS to run commands, and a link for /etc/lsf.conf (likely a cookbook-configured setting?) |
VPN | required | 11/14/2018 | download | Must download from a current Cisco AnyConnect customer, e.g., NCSA |
clamav | not needed | | sudo yum install clamav | Anti-virus (needed to access SLAC VPN, but not necessary on machine connected to internal network) |
Notes:
X11 & GUI installed in this way:
curl http://yum/centos-gui > /tmp/centos-gui
/bin/sh /tmp/centos-gui
(very large set of packages, takes a long time...)
Software installed via the GUI, e.g., Thunderbird, emacs, LibreOffice
sudo gnome-software
Attempt to install FastX downloaded from www.starnet.com. Code is unpacked from a tar.gz file and run without any special installation. Attempt to configure SLAC but code fails with a relocation error associated with /lib64/libssl.so.10. Karl to the rescue! Use the "ssh" connection rather than "https" while he queries the vendor for a proper fix.
TRS should not be used as it currently requires the use of DES enctypes that are insecure. We have a to-do to remove the ability for this weak key to work, and are working to make TRS more secure so it can be used on CentOS.
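One way to check whether a desktop's Kerberos client configuration still permits the DES enctypes mentioned above, as an added example that is not part of the original notes. `allow_weak_crypto` and the `*_enctypes` lists are standard MIT krb5.conf settings; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag krb5.conf lines that permit single-DES enctypes.
# Usage: audit_krb5_des [file]   prints findings; returns 1 if any were found.
audit_krb5_des() {
    conf="${1:-/etc/krb5.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines are ignored
        {
            line = tolower($0)
            if (line ~ /allow_weak_crypto[ \t]*=[ \t]*(true|yes|on|y|t|1)/) {
                printf "%d: weak crypto enabled: %s\n", NR, $0; bad = 1
            }
            if (line ~ /(permitted|default_tkt|default_tgs)_enctypes[ \t]*=/) {
                split(line, kv, "=")
                m = split(kv[2], enc, /[ \t,]+/)
                for (i = 1; i <= m; i++) {
                    sub(/^\+/, "", enc[i])      # "+des" adds DES; "-des" removes it
                    # des, des-cbc-crc, des-cbc-md5 ... but not des3-*
                    if (enc[i] ~ /^des(-|$)/) {
                        printf "%d: DES enctype listed: %s\n", NR, enc[i]; bad = 1
                    }
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample configuration (not taken from any SLAC host).
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    # allow_weak_crypto = true   (commented out, must be ignored)
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
EOF
}

tmp=$(mktemp)
sample_krb5_conf > "$tmp"
audit_krb5_des "$tmp" || echo "findings present"
rm -f "$tmp"
```

On a live host, `klist -e` additionally shows the enctype of each ticket actually held.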
Configuration Hints
Desktop
The default desktop manager is gnome. A large number of desktop settings are stored in the dconf database. There are several ways to view/set these settings:
- From the Applications menu, select System Tools and then Settings. Or, use gnome-control-center from the command line. Not all settings are available in this way. There is a second utility accessed via Applications -> Utilities -> Tweak Tools, which offers additional desktop configurations.
- The gsettings command provides access to all of the dconf DB.
- The GUI app, dconf-editor, which is not included in the centos7 installation by default, is a graphical front-end to gsettings
For example, to increase the idle time interval until the screen blanks and locks to one hour:
$ gsettings set org.gnome.desktop.session idle-delay 3600
$ gsettings get org.gnome.desktop.session idle-delay
uint32 3600
and
$ gsettings set org.gnome.desktop.screensaver lock-delay 0
$ gsettings get org.gnome.desktop.screensaver lock-delay
uint32 0
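The gsettings commands above change only the current user's settings, and the user can change them back. For a managed desktop the same two keys can be set and locked for every user through a system dconf database; the following is an added example, not part of the original notes. The function name, file names and scratch directory are constructed, and it assumes the stock dconf user profile includes `system-db:local`.

```shell
#!/bin/sh
# Added example: enforce the screen-blank/lock settings for all users via a
# system dconf database instead of per-user gsettings calls.
# Usage: write_screenlock_policy [dconf_dir] [idle_seconds]
write_screenlock_policy() {
    dir="${1:-/etc/dconf}"      # keyfiles go under <dir>/db/local.d
    idle="${2:-3600}"           # one hour, the value used on this page
    # idle-delay must be a positive integer: 0 means "never blank",
    # which would silently disable the lock.
    case "$idle" in
        ''|*[!0-9]*) echo "idle_seconds must be an integer" >&2; return 2 ;;
    esac
    [ "$idle" -gt 0 ] || { echo "idle_seconds 0 disables locking" >&2; return 2; }

    mkdir -p "$dir/db/local.d/locks" || return 1
    # Keyfile: system-wide values, same keys and types gsettings reports.
    cat > "$dir/db/local.d/00-screensaver" <<EOF
[org/gnome/desktop/session]
idle-delay=uint32 $idle

[org/gnome/desktop/screensaver]
lock-delay=uint32 0
EOF
    # Locks: users can no longer override these keys with gsettings.
    cat > "$dir/db/local.d/locks/screensaver" <<EOF
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-delay
EOF
}

# Demo against a scratch directory (constructed). On a real host, run the
# function as root with the default directory and then run: dconf update
scratch=$(mktemp -d)
write_screenlock_policy "$scratch" 3600 && cat "$scratch/db/local.d/00-screensaver"
rm -rf "$scratch"
```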
OS Updates
Date | uname -a | Notes |
---|---|---|
7/13/2018 | 3.10.0-862.6.3.el7.x86_64 | |
8/8/2018 | 3.10.0-862.9.1.el7.x86_64 | |
8/28/2018 | 3.10.0-327.el7.x86_64 | Fresh install by ksa |
8/29/2018 | 3.10.0-862.11.6.el7.x86_64 | |
10/4/2018 | 3.10.0-862.14.4.el7.x86_64 | |
On a new build, old or new hardware
check if firmware updates need to happen
- BIOS, IDRAC, DISK/PERC
NETDB needs for the node:
a. NetDB must have the MAC address
b. NetDB must have these dhcp-opt options: --options filename=pxelinux.0,next-server=lnxpapa,tftp-server-name=lnxpapa
c. NetDB must have dhcp enabled
d. Determine the pxeboot-kickstart to use. There are many, and we should agree on which one to use. I'd recommend we make that part of the NetDB record the way we do with some newer builds - I think it helps. See for instance comet2:
pxekickit: CentOS7/default.netboot.CentOS7.linux_desktop_2
Determine whether there is anything special about this machine that needs to be considered.
If this is a rhel[56] node with a taylor.opts, take a look and see if there is a one-to-one correspondence between what taylor.opts is doing on the node and what we can do in chef. For example, if the pre-cheffed node is using automounter, then all parties (unix platform, the user) need to know that no NFS native mounts are supported.
User Log:
References:
- SLAC minimum security requirements: https://docs.slac.stanford.edu/sites/pub/Publications/701-I02-001-00_Min_Sec_Req_for_Comp.pdf
- Stanford minimum security requirements: https://uit.stanford.edu/guide/securitystandards