Difference between revisions of "BIG Setup"

Installation/Settings for new Linux Workstations at University of Massachusett's Medical School.

Our group uses Fedora with KDE as the desktop for our workstations, which is why you will see yum as the package manager.

- Disk should be partitioned with the default filesystem: LVM.

- All additional packages from KDE should be deselected, packages should be installed in a second time with yum.

The first thing is set or learn the IP that new system will use. This will enable to remotely configure the system once the network is live, making configuration easier through SSH.

Repositories

RPMFusion Repositories

rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm

Adobe Repository

rpm -Uvh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm

And/Or

[adobe-linux-x86_64]
name=Adobe Systems Incorporated
baseurl=http://linuxdownload.adobe.com/linux/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux

Dropbox

https://www.dropbox.com/install?os=lnx

Skype Repository

vi /etc/yum.repos.d/skype.repo

[skype]
name=Skype Repository
baseurl=http://download.skype.com/linux/repos/fedora/updates/i586/
gpgkey=http://www.skype.com/products/skype/linux/rpm-public-key.asc
enabled=1
gpgcheck=0

Google Repository

vi /etc/yum.repos.d/google.repo

[google]
name=Google - i386
baseurl=http://dl.google.com/linux/rpm/stable/i386
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub

vi /etc/yum.repos.d/google64.repo

[google64]
name=Google - x86_64
baseurl=http://dl.google.com/linux/rpm/stable/x86_64
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub

VirtualBox Repository

vi /etc/yum.repos.d/virtualbox.repo

[virtualbox]
name=Fedora $releasever - $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc

dnf install libXv.rpm.i686 alsa-lib.rpm.i686 libXScrnSaver.rpm.i686 qt.i686

Networking

Only for machine that have bond interface

ifcfg-p1p1

DEVICE=p1p1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

ifcfg-p1p2

DEVICE=p1p2
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

ifcfg-bond0

DEVICE=bond0
IPADDR=146.189.76.*
NETMASK=255.255.248.0
DNS1=172.26.40.125
DNS2=172.27.40.125
DNS3=146.189.24.10
DNS4=172.27.40.120
GATEWAY=146.189.72.1
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=4 miimon=500"

• Note 1: devices changed from eth* to p1p* with Fedora 17.
• Note 2: NetworkManager can now be used with devices as long as the ifcfg-rh plugin is used.
• Note 3: IS must activate switch to accommodate mode=4 using Dynamic LAG.

From Citrix There are two types of LAGs:

• Static LAG: ports have LACP disabled and become automatically active members of the bond. Static LAG is not widely used, as it is often considered obsolete and inferior to dynamic LAG. With static LAG on the switch, the bond mode should be balance-slb rather than lacp. Note that use of static LAG is not supported.
• Dynamic LAG: Link Aggregation Control Protocol (LACP) is used for switch-server communication, in order to negotiate dynamically which links should be active and which should be in stand-by mode.

Packages

After upgrading to Fedora 20, groups must be converted to objects.

dnf groups mark convert

64 Bit Packages

dnf install gimp grace mplayer mencoder mplayer-gui imagej freeglut ffmpeg ffmpeg-libs lame-libs kdesdk clusterssh tcsh
dnf install gcc gpm tcsh kdegraphics kdm google-chrome-stable.x86_64
dnf install gstreamer-plugins-bad-free.x86_64 gstreamer-ffmpeg gstreamer-plugins-good  gstreamer-plugins-ugly 
dnf install gstreamer1-plugins-bad-free.x86_64 gstreamer1-plugins-bad-freeworld.x86_64 gstreamer1-plugins-base.x86_64 
dnf install gstreamer1-plugins-good.x86_64 gstreamer1-plugins-ugly.x86_64 zsh

dnf install dkms.noarch

dnf groupupdate "KDE Plasma Workspaces" "Minimal Install" "Basic Desktop"
dnf groupupdate "Administration Tools" "Design Suite" "Authoring and Publishing"
dnf groupupdate "Editors" "Electronic Lab" 
dnf groupupdate "Milkymist" "Network Servers" 
dnf groupupdate "Office/Productivity" "Robotics" "Sound and Video" "System Tools"
dnf groupupdate "Text-based Internet" "Window Managers" 

[devel]

dnf groupupdate "Development and Creative Workstation" "Fedora Eclipse" "MySQL Database"

[optional]

dnf groupupdate "GNOME Desktop"

After update, Fedora 19 switched from groups to objects, leading to errors that groups don't exist

sudo rm -rf /var/lib/yum/*; yum clean all; yum update

• • Flash**

Check here for the latest 64bit flash: [[1]] and then copy it to /usr/lib64/mozilla/plugins/

32 Bit Packages

• • Flash**

[[2]]

dnf install flash-plugin gtk2-engines.i686 nss_ldap.i686

cp /storage/big1/kdb/linux_setup/libflashplayer.so /usr/lib64/mozilla/plugins/

Biomedical Imaging Group Specific Settings

using nfsvers=3 only on Fedora 16 or less because uid/gid seem to be mapping to nobody when using nfsver=4 edit fstab.

alcor:/mnt/alcor/VolGroup01-LogVol00     /mnt/alcor/VolGroup01-LogVol00     nfs  bg,defaults
alcor:/mnt/alcor/VolGroup02-LogVol00     /mnt/alcor/VolGroup02-LogVol00     nfs  bg,defaults
alcor:/mnt/alcor/VolGroup03-LogVol00     /mnt/alcor/VolGroup03-LogVol00     nfs  bg,defaults
alcor:/mnt/alcor/VolGroup04-LogVol00     /mnt/alcor/VolGroup04-LogVol00     nfs  bg,defaults

mkdir /storage/; mkdir /mnt/alcor/;mkdir /mnt/alcor/VolGroup01-LogVol00;mkdir /mnt/alcor/VolGroup02-LogVol00
mkdir /mnt/alcor/VolGroup03-LogVol00;mkdir /mnt/alcor/VolGroup04-LogVol00
ln -s  /mnt/alcor/VolGroup03-LogVol00 /storage/big1; ln -s /mnt/alcor/VolGroup04-LogVol00 /storage/big2
ln -s /mnt/alcor/VolGroup01-LogVol00 /storage/big3; ln -s /mnt/alcor/VolGroup02-LogVol00 /storage/big4

dnf -y install compat-libf2c-34.i686 compat-libf2c-34.x86_64 glib.i686 compat-libstdc++-33.i686 
dnf -y install fftw.i686 fftw.x86_64  libtiff-tools

mkdir /usr/share/fonts/windows/; cp /storage/big1/kdb/NT/Fonts/* /usr/share/fonts/windows/

KDE Settings

only if GNOME install previously

dnf groupinstall "KDE Software Development" switchdesk-gui

Set default desktop to KDE

echo -e "DESKTOP=\"KDE\"\nDISPLAYMANAGER=\"KDE\"\n" > /etc/sysconfig/desktop

or

switchdesk kde 

sddm is the default windows manager but I was having trouble with the breeze theme. I switched to the fedora theme (as of Fedora 23) edit file /etc/sddm.conf replace

Current=breeze

to

Current=02-fedora

sddm instead of gdm or kdm

sudo systemctl disable gdm
sudo systemctl disable gdm
sudo systemctl enable sddm
sudo systemctl stop gdm
sudo systemctl stop kdm
sudo systemctl start sddm

Change default movie player from Totem to MPlayer,

select "System Settings->File Associations", then open video->mpeg. Make sure "MPlayer" is first on the list.

Mail

dnf install thunderbird

IMAP Settings

incoming mail server: mail.umassmed.edu  
Port: 993
Security: SSL/TLS

Outgoing mail server: smtp.umassmed.edu
Port: 587
Security: starttls

username: Windows Network Login
password: Windows Network Password
 

After setting up Thunderbird, you need to turn on SSL for incoming mail and TSL for outgoing mail.

Global LDAP Address Book

host: people.umassmed.edu
port: 50000
DN: ou=people,dc=umassmed,dc=edu

Security

cp /storage/big1/kdb/linux_setup/etc/hosts.allow /etc/
cp /storage/big1/kdb/linux_setup/etc/hosts.deny /etc/

Firewall

for every computer but out web server"

sudo firewall-cmd --set-default-zone="work"

IF BOND

sudo firewall-cmd --zone=work --change-interface=bond0

IF NOT

sudo firewall-cmd --zone=work --change-interface=em1

web server:

sudo firewall-cmd --set-default-zone="public"
sudo firewall-cmd --permanent --add-service=http

Drop private IPs to guard against attacks

 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" drop'
 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.0.0/12" drop'
 firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" drop'

Home directory

vi /etc/default/useradd

Change:

HOME=/storage/big1

Some users are below 1000, so change

vi /etc/login.defs

UID_MIN and GID_MIN and put 500 instead of 1000

Updating

sudo dnf erase Packagekit gnome-packagekit apper
sudo systemctl disable packagekit-offline-update

nVidia

for newer graphic cards

dnf install kmod-nvidia xorg-x11-drv-nvidia dracut

for older graphic cards

dnf install kmod-nvidia-340xx.x86_64 xorg-x11-drv-nvidia-340xx dracut

mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r)-nouveau.img

## Create new initramfs image ##
dracut /boot/initramfs-$(uname -r).img $(uname -r)

Having trouble with nvidia on Fedora 23..so using nouveau

Misc

sudo cp /storage/big1/kdb/linux_setup/libforms.so.0.89 /usr/local/lib/

Disable package kit refresh

sudo vi /etc/yum/pluginconf.d/refresh-packagekit.conf

Change enable=1 to enable=0

This is need for uManager to save global java preferences

sudo chmod a+rwx /etc/.java/.systemPrefs

Software

Microsoft Visual Studio Code

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo sh -c 'echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo'

dnf check-update
sudo dnf install code

Play

dnf install compat-libf2c-34.i686 libX11.i686 mesa-libGL.i686 mesa-libGLU.i686 libXpm.i686 ffmpeg ffmpeg-libs.i686

DAVE

dnf -y install "*8859*" glib glib.i686 libpng.i686 xorg-x11-drv-nvidia-libs.i686 libpng12.i686

==== epr_beowulf ====

sudo iptables -A INPUT -s itchy.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 1022 -j ACCEPT

Super Resolution

dnf install tcsh fftw2.i686 libstdc++.i686 compat-libf2c-34.i686 fftw-libs-single.x86_64

Additional settings

Remote Desktop

dnf install xrdp
firewall-cmd --permanent --add-port=3389/tcp
service xrdp start
systemctl enable xrdp.service

bug

sudo chcon --type=bin_t /usr/sbin/xrdp*

Network Time

change the time server in /etc/chrony.conf to "server time.umassmed.edu iburst"
sudo service ntpd stop
sudo systemctl disable ntpd.service
sudo service chronyd start
sudo systemctl enable chronyd.service

Alternative for laptops could be chrony, installed by default on Fedora systems after 16

64 Bit Settings

Set up paths to include additional directories

cp /storage/big1/kdb/linux_setup/etc/big64.sh /etc/profile.d/

32 Bit Settings

Set up paths to include additional directories

cp /storage/big1/kdb/linux_setup/etc/big.sh /etc/profile.d/

User Authentication

cp /storage/big1/kdb/linux_setup/etc/sssd/sssd.conf /etc/sssd/
cp /storage/big1/kdb/linux_setup/certs/* /etc/pki/tls/certs/
cp /storage/big1/kdb/linux_setup/certs/* /etc/openldap/certs/
cp /storage/big1/kdb/linux_setup/etc/nsswitch.conf /etc/
cp /storage/big1/kdb/linux_setup/etc/ldap.conf /etc/

chkconfig sssd on;service sssd start

Run

system-config-authentication

select "LDAP", for "User Account Database" and "Authentication Method" and then hit apply

SELinux

setsebool -P use_nfs_home_dirs 1

chcon -h system_u:object_r:user_home_dir_t:s0 /storage/big1

echo "/storage/big1    system_u:object_r:user_home_dir_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts.local

===Torque ===

dnf install torque-server.x86_64 torque-scheduler.x86_64
systemctl start pbs_sched.service
systemctl start pbs_server.service
systemctl enable pbs_sched.service
systemctl enable pbs_server.service

pbs_server -t create
# configure manager/operator user
qmgr -c "set server operators += $USER@$HOST"
qmgr -c "set server managers += $USER@$HOST"
# scheduling options
qmgr -c 'set server scheduling = true'
qmgr -c 'set server keep_completed = 300'
qmgr -c 'create queue batch'
qmgr -c 'set queue batch queue_type = execution'
qmgr -c 'set queue batch started = true'
qmgr -c 'set queue batch enabled = true'
qmgr -c 'set queue batch resources_default.walltime = 72:00:00'
qmgr -c 'set queue batch resources_default.nodes = 1'
qmgr -c 'set server default_queue = batch'
qmgr -c 'set server allow_node_submit = True'

 -A INPUT -s germanium.umassmed.edu -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j ACCEPT

systemctl restart iptables

dnf install torque torque-mom
echo "m13.umassmed.edu" > /etc/torque/server_name
systemctl start pbs_mom.service
systemctl enable pbs_mom.service

$pbsserver m13.umassmed.edu
$usecp m13.umassmed.edu:/storage /storage
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup01-LogVol00  /mnt/mizar/VolGroup01-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup02-LogVol00  /mnt/mizar/VolGroup02-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup03-LogVol00  /mnt/mizar/VolGroup03-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup04-LogVol00  /mnt/mizar/VolGroup04-LogVol00
$restricted *.umassmed.edu

-A INPUT -s m13.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 15001:15004 -j ACCEPT

iptables-save >/etc/sysconfig/iptables

systemctl restart iptables.service

Note: Fedora 14 puts everything in /var/lib/torque and not /var/torque

File Servers

dnf install sendmail xauth openldap openldap-servers openldap-clients 
dnf groupinstall "GNOME Desktop" "Infrastructure Server" "Minimal Install"

Openldap

copy database from backup to /var/lib/ldap

copy configuration

cp -a /<backup>/etc/openldap/slapd.d/* slapd.d/

cd /var/lib/ldap/
db_recover -v -h . *.bdb
db_upgrade -v -h . *.bdb
db_checkpoint -v -h . -1

cd /var/lib/ldap/accesslog
db_recover -v -h . *.bdb
db_upgrade -v -h . *.bdb
db_checkpoint -v -h . -1

firewall-cmd --permanent --zone=work --add-service=ldap
firewall-cmd --permanent --zone=work --add-service=ldaps

systemctl start slapd.service
systemctl enable slapd.service

NFS

systemctl enable nfs-lock.service
systemctl enable nfs-server.service

systemctl start  nfs-lock.service
systemctl start  nfs-server.service

cat >/etc/firewalld/services/mountd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>mountd</short>
<description>Mount Lock Daemon</description>
<port protocol="tcp" port="20048"/>
<port protocol="udp" port="20048"/>
</service>
EOD

cat >/etc/firewalld/services/rpc-bind.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>rpc-bind</short>
<description>Remote Procedure Call Bind</description>
<port protocol="tcp" port="111"/>
<port protocol="udp" port="111"/>
</service>
EOD

restorecon /etc/firewalld/services

firewall-cmd --permanent --zone work --add-service mountd
firewall-cmd --permanent --zone work --add-service rpc-bind
firewall-cmd --permanent --zone work --add-service nfs
firewall-cmd --reload
firewall-cmd --list-all

Samba

restorecon /etc/samba/smb.conf

semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup01-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup01-LogVol00/

semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup02-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup02-LogVol00/

semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup03-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup03-LogVol00/

semanage fcontext -a -t samba_share_t "/mnt/alcor/VolGroup04-LogVol00(/.*)?"
restorecon -R -v /mnt/alcor/VolGroup04-LogVol00/

setsebool samba_create_home_dirs=true
setsebool samba_enable_home_dirs=true
setsebool samba_export_all_rw=true
setsebool samba_share_nfs=true

firewall-cmd --zone=work --add-service=samba
firewall-cmd --permanent --zone=work --add-service=samba

firewall-cmd --zone=work --add-service=mdns
firewall-cmd --permanent --zone=work --add-service=mdns

systemctl start  smb.service
systemctl enable smb.service