Difference between revisions of "BIG Setup"
Latest revision as of 14:38, 25 July 2022
Installation/Settings for new Linux Workstations at the University of Massachusetts Medical School.
Our group uses Fedora with KDE as the desktop for our workstations, which is why you will see yum as the package manager.
- Disk should be partitioned with the default filesystem: LVM.
- All additional packages from KDE should be deselected; packages should be installed afterwards with yum.
The first thing is to set, or find out, the IP address the new system will use. This makes it possible to configure the system remotely over SSH once the network is live, which makes configuration easier.
Repositories
RPMFusion Repositories
rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
Adobe Repository
rpm -Uvh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm
And/Or
[adobe-linux-x86_64]
name=Adobe Systems Incorporated
baseurl=http://linuxdownload.adobe.com/linux/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
Dropbox
https://www.dropbox.com/install?os=lnx
Skype Repository
vi /etc/yum.repos.d/skype.repo
[skype]
name=Skype Repository
baseurl=http://download.skype.com/linux/repos/fedora/updates/i586/
gpgkey=http://www.skype.com/products/skype/linux/rpm-public-key.asc
enabled=1
gpgcheck=0
Note that gpgcheck=0 disables signature verification for this repository: packages from it are installed without being checked against the listed key, and the baseurl is plain http.
Google Repository
vi /etc/yum.repos.d/google.repo
[google]
name=Google - i386
baseurl=http://dl.google.com/linux/rpm/stable/i386
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
vi /etc/yum.repos.d/google64.repo
[google64]
name=Google - x86_64
baseurl=http://dl.google.com/linux/rpm/stable/x86_64
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
VirtualBox Repository
vi /etc/yum.repos.d/virtualbox.repo
[virtualbox]
name=Fedora $releasever - $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
dnf install libXv.rpm.i686 alsa-lib.rpm.i686 libXScrnSaver.rpm.i686 qt.i686
Networking
Only for machines that have a bond interface
ifcfg-p1p1
DEVICE=p1p1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
ifcfg-p1p2
DEVICE=p1p2
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
ifcfg-bond0
DEVICE=bond0
IPADDR=146.189.76.*
NETMASK=255.255.248.0
DNS1=172.26.40.125
DNS2=172.27.40.125
DNS3=146.189.24.10
DNS4=172.27.40.120
GATEWAY=146.189.72.1
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=4 miimon=500"
- Note 1: devices changed from eth* to p1p* with Fedora 17.
- Note 2: NetworkManager can now be used with devices as long as the ifcfg-rh plugin is used.
- Note 3: IS must configure the switch with a Dynamic LAG to accommodate mode=4.
From Citrix: there are two types of LAGs:
- Static LAG: ports have LACP disabled and become automatically active members of the bond. Static LAG is not widely used, as it is often considered obsolete and inferior to dynamic LAG. With static LAG on the switch, the bond mode should be balance-slb rather than lacp. Note that use of static LAG is not supported.
- Dynamic LAG: Link Aggregation Control Protocol (LACP) is used for switch-server communication, in order to negotiate dynamically which links should be active and which should be in stand-by mode.
Packages
After upgrading to Fedora 20, groups must be converted to objects.
dnf groups mark convert
64 Bit Packages
dnf install gimp grace mplayer mencoder mplayer-gui imagej freeglut ffmpeg ffmpeg-libs lame-libs kdesdk clusterssh tcsh
dnf install gcc gpm tcsh kdegraphics kdm google-chrome-stable.x86_64
dnf install gstreamer-plugins-bad-free.x86_64 gstreamer-ffmpeg gstreamer-plugins-good gstreamer-plugins-ugly
dnf install gstreamer1-plugins-bad-free.x86_64 gstreamer1-plugins-bad-freeworld.x86_64 gstreamer1-plugins-base.x86_64
dnf install gstreamer1-plugins-good.x86_64 gstreamer1-plugins-ugly.x86_64 zsh
dnf install dkms.noarch
dnf groupupdate "KDE Plasma Workspaces" "Minimal Install" "Basic Desktop"
dnf groupupdate "Administration Tools" "Design Suite" "Authoring and Publishing"
dnf groupupdate "Editors" "Electronic Lab"
dnf groupupdate "Milkymist" "Network Servers"
dnf groupupdate "Office/Productivity" "Robotics" "Sound and Video" "System Tools"
dnf groupupdate "Text-based Internet" "Window Managers"
[devel]
dnf groupupdate "Development and Creative Workstation" "Fedora Eclipse" "MySQL Database"
[optional]
dnf groupupdate "GNOME Desktop"
After the update, Fedora 19 switched from groups to objects, which leads to errors saying that the groups don't exist:
sudo rm -rf /var/lib/yum/*; yum clean all; yum update
Flash
Check here for the latest 64bit flash: [[1]] and then copy it to /usr/lib64/mozilla/plugins/
32 Bit Packages
Flash
[[2]]
dnf install flash-plugin gtk2-engines.i686 nss_ldap.i686
cp /storage/big1/kdb/linux_setup/libflashplayer.so /usr/lib64/mozilla/plugins/
Biomedical Imaging Group Specific Settings
Use nfsvers=3 only on Fedora 16 or earlier, because with nfsvers=4 uid/gid seem to be mapped to nobody. Edit fstab:
alcor:/mnt/alcor/VolGroup01-LogVol00 /mnt/alcor/VolGroup01-LogVol00 nfs bg,defaults
alcor:/mnt/alcor/VolGroup02-LogVol00 /mnt/alcor/VolGroup02-LogVol00 nfs bg,defaults
alcor:/mnt/alcor/VolGroup03-LogVol00 /mnt/alcor/VolGroup03-LogVol00 nfs bg,defaults
alcor:/mnt/alcor/VolGroup04-LogVol00 /mnt/alcor/VolGroup04-LogVol00 nfs bg,defaults
mkdir /storage/; mkdir /mnt/alcor/
mkdir /mnt/alcor/VolGroup01-LogVol00; mkdir /mnt/alcor/VolGroup02-LogVol00
mkdir /mnt/alcor/VolGroup03-LogVol00; mkdir /mnt/alcor/VolGroup04-LogVol00
ln -s /mnt/alcor/VolGroup03-LogVol00 /storage/big1; ln -s /mnt/alcor/VolGroup04-LogVol00 /storage/big2
ln -s /mnt/alcor/VolGroup01-LogVol00 /storage/big3; ln -s /mnt/alcor/VolGroup02-LogVol00 /storage/big4
dnf -y install compat-libf2c-34.i686 compat-libf2c-34.x86_64 glib.i686 compat-libstdc++-33.i686
dnf -y install fftw.i686 fftw.x86_64 libtiff-tools
mkdir /usr/share/fonts/windows/; cp /storage/big1/kdb/NT/Fonts/* /usr/share/fonts/windows/
KDE Settings
only if GNOME was installed previously
dnf groupinstall "KDE Software Development" switchdesk-gui
Set default desktop to KDE
echo -e "DESKTOP=\"KDE\"\nDISPLAYMANAGER=\"KDE\"\n" > /etc/sysconfig/desktop
or
switchdesk kde
sddm is the default display manager, but I was having trouble with the breeze theme. I switched to the fedora theme (as of Fedora 23).
edit file /etc/sddm.conf replace
Current=breeze
to
Current=02-fedora
sddm instead of gdm or kdm
sudo systemctl disable gdm
sudo systemctl enable sddm
sudo systemctl stop gdm
sudo systemctl stop kdm
sudo systemctl start sddm
Change default movie player from Totem to MPlayer,
select "System Settings->File Associations", then open video->mpeg. Make sure "MPlayer" is first on the list.
dnf install thunderbird
IMAP Settings
incoming mail server: mail.umassmed.edu Port: 993 Security: SSL/TLS
Outgoing mail server: smtp.umassmed.edu Port: 587 Security: starttls
username: Windows Network Login
password: Windows Network Password
After setting up Thunderbird, you need to turn on SSL/TLS for incoming mail and STARTTLS for outgoing mail.
Global LDAP Address Book
host: people.umassmed.edu port: 50000 DN: ou=people,dc=umassmed,dc=edu
Security
cp /storage/big1/kdb/linux_setup/etc/hosts.allow /etc/
cp /storage/big1/kdb/linux_setup/etc/hosts.deny /etc/
Firewall
For every computer except our web server:
sudo firewall-cmd --set-default-zone="work"
IF BOND
sudo firewall-cmd --zone=work --change-interface=bond0
IF NOT
sudo firewall-cmd --zone=work --change-interface=em1
web server:
sudo firewall-cmd --set-default-zone="public"
sudo firewall-cmd --permanent --add-service=http
Drop private IPs to guard against attacks (these three rules are struck out in the latest revision of the page)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" drop'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.0.0/12" drop'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" drop'
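Before applying source-based drop rules like the ones above, it is worth checking that they do not cover addresses the host itself depends on. The following script is an added example, not part of the BIG Setup page: it parses the three rich rules from this section and the DNS/GATEWAY entries from the ifcfg-bond0 file in the Networking section (both copied from the page) and reports every dependency address that a drop rule would cover.

```python
"""Check firewalld rich-rule drop ranges against addresses this host depends on.

Added example, not part of the BIG Setup page. The rules and the ifcfg values
below are copied from the page; the parsing helpers are this example's own.
"""
import ipaddress
import re

# Rich rules exactly as written in the Firewall section.
RICH_RULES = [
    'rule family="ipv4" source address="10.0.0.0/8" drop',
    'rule family="ipv4" source address="172.16.0.0/12" drop',
    'rule family="ipv4" source address="192.168.0.0/16" drop',
]

# ifcfg-bond0 from the Networking section (IPADDR wildcard omitted, it is not an address).
IFCFG_BOND0 = """DEVICE=bond0
NETMASK=255.255.248.0
DNS1=172.26.40.125
DNS2=172.27.40.125
DNS3=146.189.24.10
DNS4=172.27.40.120
GATEWAY=146.189.72.1
ONBOOT=yes
"""

RULE_RE = re.compile(r'rule family="(ipv4|ipv6)" source address="([^"]+)" (drop|reject|accept)')


def parse_rich_rules(rules):
    """Return [(network, action)] for rules with a source address and a terminal action."""
    parsed = []
    for rule in rules:
        m = RULE_RE.fullmatch(rule.strip())
        if not m:
            raise ValueError(f"unsupported rich rule: {rule}")
        parsed.append((ipaddress.ip_network(m.group(2), strict=False), m.group(3)))
    return parsed


def parse_ifcfg_addresses(text):
    """Return {key: ip} for the DNS*/GATEWAY keys of an ifcfg-style file."""
    addrs = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("DNS") or key == "GATEWAY":
            addrs[key] = ipaddress.ip_address(value.strip())
    return addrs


def dropped_dependencies(rules, ifcfg_text):
    """Map each dependency address to the first drop/reject range that covers it."""
    hits = {}
    nets = parse_rich_rules(rules)
    for key, ip in parse_ifcfg_addresses(ifcfg_text).items():
        for net, action in nets:
            if action in ("drop", "reject") and ip in net:
                hits[key] = (str(ip), str(net))
                break
    return hits


if __name__ == "__main__":
    for key, (ip, net) in dropped_dependencies(RICH_RULES, IFCFG_BOND0).items():
        print(f"{key}={ip} is inside dropped range {net}")
```

With the page's values, DNS1, DNS2 and DNS4 all fall inside 172.16.0.0/12. firewalld accepts packets of established connections before zone rules are evaluated, so replies to the host's own DNS queries can still get through, but any new inbound connection from those internal networks would be dropped.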
Home directory
vi /etc/default/useradd
Change:
HOME=/storage/big1
Some users have UIDs below 1000, so change
vi /etc/login.defs
UID_MIN and GID_MIN and put 500 instead of 1000
Updating
sudo dnf erase Packagekit gnome-packagekit apper
sudo systemctl disable packagekit-offline-update
nVidia
for newer graphic cards
dnf install kmod-nvidia xorg-x11-drv-nvidia dracut
for older graphic cards
dnf install kmod-nvidia-340xx.x86_64 xorg-x11-drv-nvidia-340xx dracut
mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r)-nouveau.img
## Create new initramfs image ##
dracut /boot/initramfs-$(uname -r).img $(uname -r)
Having trouble with nvidia on Fedora 23, so using nouveau.
Misc
sudo cp /storage/big1/kdb/linux_setup/libforms.so.0.89 /usr/local/lib/
Disable package kit refresh
sudo vi /etc/yum/pluginconf.d/refresh-packagekit.conf
Change enable=1 to enable=0
This is needed for uManager to save global Java preferences. Note that a+rwx makes the directory world-writable, so any local user can change the system-wide Java preferences.
sudo chmod a+rwx /etc/.java/.systemPrefs
Software
Microsoft Visual Studio Code
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'
dnf check-update
sudo dnf install code
Play
dnf install compat-libf2c-34.i686 libX11.i686 mesa-libGL.i686 mesa-libGLU.i686 libXpm.i686 ffmpeg ffmpeg-libs.i686
DAVE
dnf -y install "*8859*" glib glib.i686 libpng.i686 xorg-x11-drv-nvidia-libs.i686 libpng12.i686
==== epr_beowulf ====
sudo iptables -A INPUT -s itchy.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 1022 -j ACCEPT
Super Resolution
dnf install tcsh fftw2.i686 libstdc++.i686 compat-libf2c-34.i686 fftw-libs-single.x86_64
Additional settings
Remote Desktop
dnf install xrdp
firewall-cmd --permanent --add-port=3389/tcp
service xrdp start
systemctl enable xrdp.service
bug
sudo chcon --type=bin_t /usr/sbin/xrdp*
Network Time
Change the time server in /etc/chrony.conf to "server time.umassmed.edu iburst"
sudo service ntpd stop
sudo systemctl disable ntpd.service
sudo service chronyd start
sudo systemctl enable chronyd.service
An alternative for laptops could be chrony, which is installed by default on Fedora systems after 16.
64 Bit Settings
Set up paths to include additional directories
cp /storage/big1/kdb/linux_setup/etc/big64.sh /etc/profile.d/
32 Bit Settings
Set up paths to include additional directories
cp /storage/big1/kdb/linux_setup/etc/big.sh /etc/profile.d/
User Authentication
cp /storage/big1/kdb/linux_setup/etc/sssd/sssd.conf /etc/sssd/
cp /storage/big1/kdb/linux_setup/certs/* /etc/pki/tls/certs/
cp /storage/big1/kdb/linux_setup/certs/* /etc/openldap/certs/
cp /storage/big1/kdb/linux_setup/etc/nsswitch.conf /etc/
cp /storage/big1/kdb/linux_setup/etc/ldap.conf /etc/
chkconfig sssd on;service sssd start
Run
system-config-authentication
select "LDAP", for "User Account Database" and "Authentication Method" and then hit apply
SELinux
setsebool -P use_nfs_home_dirs 1
chcon -h system_u:object_r:user_home_dir_t:s0 /storage/big1
echo "/storage/big1 system_u:object_r:user_home_dir_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts.local
=== Torque ===
Server
dnf install torque-server.x86_64 torque-scheduler.x86_64
systemctl start pbs_sched.service
systemctl start pbs_server.service
systemctl enable pbs_sched.service
systemctl enable pbs_server.service
pbs_server -t create
# configure manager/operator user
qmgr -c "set server operators += $USER@$HOST"
qmgr -c "set server managers += $USER@$HOST"
# scheduling options
qmgr -c 'set server scheduling = true'
qmgr -c 'set server keep_completed = 300'
qmgr -c 'create queue batch'
qmgr -c 'set queue batch queue_type = execution'
qmgr -c 'set queue batch started = true'
qmgr -c 'set queue batch enabled = true'
qmgr -c 'set queue batch resources_default.walltime = 72:00:00'
qmgr -c 'set queue batch resources_default.nodes = 1'
qmgr -c 'set server default_queue = batch'
qmgr -c 'set server allow_node_submit = True'
Edit /etc/sysconfig/iptables and add the following (change the hostname to reflect the client machine; note that iptables resolves the hostname to an address only once, when the rule is loaded):
-A INPUT -s germanium.umassmed.edu -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j ACCEPT
Restart firewall
systemctl restart iptables
Note: Fedora 14 puts everything in /var/lib/torque and not /var/torque
Client
dnf install torque torque-mom
echo "m13.umassmed.edu" > /etc/torque/server_name
systemctl start pbs_mom.service
systemctl enable pbs_mom.service
edit /var/lib/torque/mom_priv/config (should be linked to /etc/torque/mom/config)
$pbsserver m13.umassmed.edu
$usecp m13.umassmed.edu:/storage /storage
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup01-LogVol00 /mnt/mizar/VolGroup01-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup02-LogVol00 /mnt/mizar/VolGroup02-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup03-LogVol00 /mnt/mizar/VolGroup03-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup04-LogVol00 /mnt/mizar/VolGroup04-LogVol00
$restricted *.umassmed.edu
edit /etc/sysconfig/iptables and add
-A INPUT -s m13.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 15001:15004 -j ACCEPT
iptables-save >/etc/sysconfig/iptables
Restart firewall
systemctl restart iptables.service
Note: Fedora 14 puts everything in /var/lib/torque and not /var/torque
File Servers
dnf install sendmail xauth openldap openldap-servers openldap-clients
dnf groupinstall "GNOME Desktop" "Infrastructure Server" "Minimal Install"
Openldap
copy database from backup to /var/lib/ldap
copy configuration
cp -a /<backup>/etc/openldap/slapd.d/* slapd.d/
cd /var/lib/ldap/
db_recover -v -h . *.bdb
db_upgrade -v -h . *.bdb
db_checkpoint -v -h . -1
cd /var/lib/ldap/accesslog
db_recover -v -h . *.bdb
db_upgrade -v -h . *.bdb
db_checkpoint -v -h . -1
firewall-cmd --permanent --zone=work --add-service=ldap
firewall-cmd --permanent --zone=work --add-service=ldaps
systemctl start slapd.service
systemctl enable slapd.service
NFS
systemctl enable nfs-lock.service
systemctl enable nfs-server.service
systemctl start nfs-lock.service
systemctl start nfs-server.service
cat >/etc/firewalld/services/mountd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>mountd</short>
  <description>Mount Lock Daemon</description>
  <port protocol="tcp" port="20048"/>
  <port protocol="udp" port="20048"/>
</service>
EOD
cat >/etc/firewalld/services/rpc-bind.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>rpc-bind</short>
  <description>Remote Procedure Call Bind</description>
  <port protocol="tcp" port="111"/>
  <port protocol="udp" port="111"/>
</service>
EOD
restorecon /etc/firewalld/services
firewall-cmd --permanent --zone work --add-service mountd
firewall-cmd --permanent --zone work --add-service rpc-bind
firewall-cmd --permanent --zone work --add-service nfs
firewall-cmd --reload
firewall-cmd --list-all
Samba
restorecon /etc/samba/smb.conf
semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup01-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup01-LogVol00/
semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup02-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup02-LogVol00/
semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup03-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup03-LogVol00/
semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup04-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup04-LogVol00/
setsebool samba_create_home_dirs=true
setsebool samba_enable_home_dirs=true
setsebool samba_export_all_rw=true
setsebool samba_share_nfs=true
firewall-cmd --zone=work --add-service=samba
firewall-cmd --permanent --zone=work --add-service=samba
firewall-cmd --zone=work --add-service=mdns
firewall-cmd --permanent --zone=work --add-service=mdns
systemctl start smb.service
systemctl enable smb.service