CentOS 7 is centrally supported at SLAC for the following platforms:

Although RHEL 7 is also available if required by your application for support, CentOS 7 is preferred and recommended instead.

Step-by-step guide

These are the steps to install and configure CentOS 7 with Chef at SLAC for a headless bare metal server.
To request a CentOS 7 virtual machine in VMware or OpenStack, please email unix-admin@slac.stanford.edu .


  1. Install CentOS 7 using either the Minimal or the DVD ISO available here (available on the SLAC network or VPN):



  2. Log into your new CentOS 7 host. 
    Become root by using sudo or /bin/su. 
    Install Chef by running this command as root:

    curl -s http://yum.slac.stanford.edu/go-chef | /bin/sh


  3. Before you exit your root prompt, you need to modify this file:


    Add a line that looks like this (replace 'ksa' with your username):

    + : ksa : ALL

    Make sure to add that line above the last line.  Here is an example of what the file might look like if you wanted to grant login access to SLAC users ksa and vanilla:

    + : root : LOCAL
    + : ksa : ALL
    + : vanilla : ALL
    + : @u-scs-staff : ALL
    - : ALL : ALL


  4. And still before you exit your root prompt, create a sudoers entry for yourself inside the /etc/sudoers.d directory.
    If you do not want or need sudo access, you can skip this step.

    You can copy and paste the following (replace 'ksa' with your username):

    cat > /etc/sudoers.d/user-ksa << EOF
    ksa   ALL=ALL
    EOF

    Be sure to read and fill out the sudo request form.  This is required for auditing purposes:


  5. If you would like a Kerberos host keytab installed on your CentOS 7 host, send an email to unix-admin@slac.stanford.edu .
    Without a Kerberos host keytab, you will need to enter your SLAC password when connecting via ssh, even when you already have a Kerberos ticket granting ticket (TGT). If you have unix-admin install a Kerberos host keytab, then you can use passwordless GSSAPI via ssh to connect without a password when you already have a Kerberos TGT.
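
Step 3's ordering requirement as a script (an added example, not part of the original page or SLAC's tooling): rules are read top to bottom and the first match decides, so an allow line placed below `- : ALL : ALL` never takes effect. The function names `grant_login` and `rule_is_effective` are hypothetical, and the file is assumed to use the pam_access-style layout shown in step 3.

```shell
#!/bin/sh
# Added example (not SLAC tooling). Assumes the login-access file uses the
# pam_access-style "permission : users : origins" layout shown in step 3,
# where the first matching rule decides and "- : ALL : ALL" is the catch-all.
# Usage (as root): grant_login ksa /path/to/access-file

# rule_is_effective USER FILE
# Returns 0 only if "+ : USER : ALL" appears above the deny-all rule.
rule_is_effective() {
    awk -v user="$1" '
        { n = $0; gsub(/[ \t]+/, "", n) }      # compare without whitespace
        n == "+:" user ":ALL" { found = 1; exit }
        n == "-:ALL:ALL"      { exit }         # later rules are never reached
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# grant_login USER FILE
# Inserts "+ : USER : ALL" directly above the deny-all rule, once.
# Returns 1 and leaves FILE untouched if there is no deny-all rule.
grant_login() {
    user=$1 file=$2
    case $user in                              # plain account names only
        ''|*[!A-Za-z0-9._-]*) echo "invalid username: $user" >&2; return 2 ;;
    esac
    rule_is_effective "$user" "$file" && return 0   # already in place
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if awk -v user="$user" '
        { n = $0; gsub(/[ \t]+/, "", n) }
        !done && n == "-:ALL:ALL" { print "+ : " user " : ALL"; done = 1 }
        { print }
        END { exit(done ? 0 : 1) }
    ' "$file" > "$tmp"; then
        # Overwrite in place so owner, mode and SELinux label are preserved.
        cat "$tmp" > "$file"; rc=$?
    else
        echo "no '- : ALL : ALL' rule in $file; not modified" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```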


Soon we will run the chef client as a daemon, but at the moment the go-chef command is a one-time configuration script, which will not install a cron job or a daemon to run chef periodically.  This is because we do not want to overwrite the access.netgroup.conf file and remove any modification you have made to the user login list.  Soon we will have your user login list maintained by Chef, but we are still working on that now.

After you install Chef using the go-chef script, your CentOS 7 host will be configured for central authentication using Unix Kerberos.

In addition, here is an incomplete list of the configuration items that will be configured by Chef (just to give you an idea):


These are the configuration items Scientific Computing Services (SCS) is working on next:


In addition, the ITDS Desktop Support team are currently testing CentOS 7 on their lab machines. 


Frequently Asked Questions:


ssh prompts me for a password

Send a request to unix-admin to install a Kerberos host keytab.



Please send any questions to unix-admin@slac.stanford.edu