BIG Setup

Revision as of 19:32, 19 November 2013 by Kdb

Installation/Settings for new Linux Workstations at University of Massachusetts Medical School.

Our group uses Fedora with KDE as the desktop for our workstations, which is why you will see yum as the package manager.

Repositories

RPMFusion Repositories
rpm -Uvh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
rpm -Uvh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
Adobe Repository
rpm -Uvh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm

And/Or

[adobe-linux-x86_64]
name=Adobe Systems Incorporated
baseurl=http://linuxdownload.adobe.com/linux/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
Skype Repository

vi /etc/yum.repos.d/skype.repo

[skype]
name=Skype Repository
baseurl=http://download.skype.com/linux/repos/fedora/updates/i586/
gpgkey=http://www.skype.com/products/skype/linux/rpm-public-key.asc
enabled=1
gpgcheck=0
Google Repository

vi /etc/yum.repos.d/google.repo

[google]
name=Google - i386
baseurl=http://dl.google.com/linux/rpm/stable/i386
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub

vi /etc/yum.repos.d/google64.repo

[google64]
name=Google - x86_64
baseurl=http://dl.google.com/linux/rpm/stable/x86_64
enabled=1
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub


VirtualBox Repository

vi /etc/yum.repos.d/virtualbox.repo

[virtualbox]
name=Fedora $releasever - $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc


yum install libXv.i686 alsa-lib.i686 libXScrnSaver.i686 qt.i686
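
The repository definitions above do not all give yum the same level of verification: the Skype entry sets gpgcheck=0, and several entries use http:// for baseurl or gpgkey. The following is an added example, not part of the original page, that audits .repo text for those settings; the function names and finding labels are assumptions, and the sample input is constructed from the Skype and Google entries above.

```sh
#!/bin/sh
# Added example: read yum .repo text on stdin, print "<section> <finding>".
audit_repos() {
    awk '
    function report() {
        if (sec == "") return
        if (gpgcheck == "0") print sec, "gpgcheck-disabled"
        if (gpgcheck == "")  print sec, "gpgcheck-unset"  # inherits [main] in yum.conf
        if (baseurl ~ /^http:/) print sec, "baseurl-plaintext"
        if (gpgkey  ~ /^http:/) print sec, "gpgkey-plaintext"
    }
    /^[ \t]*\[.*\][ \t]*$/ {                 # new [section]: report the previous one
        report()
        sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        gpgcheck = ""; baseurl = ""; gpgkey = ""
        next
    }
    /^[ \t]*(#|;)/ { next }                  # comment lines
    {
        i = index($0, "=")
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "baseurl") baseurl = val
        else if (key == "gpgkey") gpgkey = val
    }
    END { report() }
    '
}

# Constructed sample input, taken from the Skype and Google entries above.
sample_repos() {
    cat <<'EOF'
[skype]
baseurl=http://download.skype.com/linux/repos/fedora/updates/i586/
gpgkey=http://www.skype.com/products/skype/linux/rpm-public-key.asc
gpgcheck=0
[google]
baseurl=http://dl.google.com/linux/rpm/stable/i386
gpgcheck=1
gpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub
EOF
}

sample_repos | audit_repos
```

On a workstation the same function can be fed with `cat /etc/yum.repos.d/*.repo | audit_repos`.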

Networking

ifcfg-p1p1

DEVICE=p1p1
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

ifcfg-p1p2

DEVICE=p1p2
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

ifcfg-bond0

DEVICE=bond0
IPADDR=146.189.76.*
NETMASK=255.255.248.0
DNS1=146.189.192.130
DNS2=146.189.192.131
GATEWAY=146.189.72.1
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=6 miimon=500"

Note 1: devices changed from eth* to p1p* with Fedora 17.

Note 2: NetworkManager can now be used with devices as long as the ifcfg-rh plugin is used.

Packages

64 Bit Packages
yum install kernel-devel gimp grace mplayer mencoder mplayer-gui freeglut ffmpeg-libs lame-libs kdesdk clusterssh tcsh
yum install gstreamer-ffmpeg gstreamer-plugins-good  gstreamer-plugins-ugly gcc gpm tcsh pam_mount kdegraphics kdm google-chrome-stable.x86_64
yum install dkms.noarch
yum groupupdate "Administration Tools" "Base" "Design Suite" "Authoring and Publishing" "Dial-up Networking Support" "Directory Server"
yum groupupdate "Editors" "Electronic Lab" "Fedora Eclipse" "Fonts" "Graphical Internet" Graphics "Hardware Support" "Java" "Java Development" 
yum groupupdate "KDE Software Compilation" "KDE Software Development" "Legacy Fonts" "Mail Server" "Milkymist" "MySQL Database" "Network Servers" 
yum groupupdate "Office/Productivity" "Printing Support" "Robotics" "Ruby" "Server Configuration Tools" "Sound and Video" "System Tools"
yum groupupdate "Text-based Internet" "Web Development" "Web Server" "Window Managers" "Windows File Server" "X Window System"
Flash

Check here for the latest 64bit flash: [[1]] and then copy it to /usr/lib64/mozilla/plugins/

32 Bit Packages
Flash

[[2]]

yum install flash-plugin gtk2-engines.i686 nss_ldap.i686

cp /storage/big1/kdb/linux_setup/libflashplayer.so /usr/lib64/mozilla/plugins/

KDE Settings

yum groupinstall "KDE Software Development" system-switch-displaymanager.noarch

Set default desktop to KDE

echo -e "DESKTOP=\"KDE\"\nDISPLAYMANAGER=\"KDE\"\n" > /etc/sysconfig/desktop

or

system-switch-displaymanager kdm

Change default movie player from Totem to MPlayer, select "System Settings->File Associations", then open video->mpeg. Make sure "MPlayer" is first on the list.

Mail

yum install thunderbird

IMAP Settings

incoming mail server: mail.umassmed.edu  
Port: 993
Security: SSL/TLS
Outgoing mail server: smtp.umassmed.edu
Port: 587
Security: starttls
username: Windows Network Login
password: Windows Network Password
 

After setting up Thunderbird, you need to turn on SSL for incoming mail and TLS for outgoing mail.

Global LDAP Address Book

host: people.umassmed.edu
port: 50000
DN: ou=people,dc=umassmed,dc=edu

Security

cp /storage/big1/kdb/linux_setup/etc/hosts.allow /etc/
cp /storage/big1/kdb/linux_setup/etc/hosts.deny /etc/

Home directory

vi /etc/default/useradd

Change:

HOME=/storage/big1

Some users are below 1000, so change

vi /etc/login.defs

Biomedical Imaging Group Specific Settings

Edit fstab. Use nfsvers=3 only on Fedora 16 or earlier, because uid/gid seem to be mapped to nobody when using nfsvers=4.

mizar:/mnt/VolGroup01-LogVol00     /mnt/mizar/VolGroup01-LogVol00     nfs  bg,defaults
mizar:/mnt/VolGroup02-LogVol00     /mnt/mizar/VolGroup02-LogVol00     nfs  bg,defaults
mizar:/mnt/VolGroup03-LogVol00     /mnt/mizar/VolGroup03-LogVol00     nfs  bg,defaults
mizar:/mnt/VolGroup04-LogVol00     /mnt/mizar/VolGroup04-LogVol00     nfs  bg,defaults
mkdir /storage/; mkdir /mnt/mizar/;mkdir /mnt/mizar/VolGroup01-LogVol00;mkdir /mnt/mizar/VolGroup02-LogVol00
mkdir /mnt/mizar/VolGroup03-LogVol00;mkdir /mnt/mizar/VolGroup04-LogVol00
ln -s  /mnt/mizar/VolGroup03-LogVol00 /storage/big1; ln -s /mnt/mizar/VolGroup04-LogVol00 /storage/big2
ln -s /mnt/mizar/VolGroup01-LogVol00 /storage/big3; ln -s /mnt/mizar/VolGroup02-LogVol00 /storage/big4
yum -y install compat-libf2c-34.i386 compat-libf2c-34.x86_64 glib.i386 fftw.i386 fftw.x86_64  libtiff-tools
mkdir /usr/share/fonts/windows/; cp /storage/big1/kdb/NT/Fonts/* /usr/share/fonts/windows/

Misc

sudo cp libforms.so.0.89 /usr/local/lib/

Disable package kit refresh

sudo vi /etc/yum/pluginconf.d/refresh-packagekit.conf

Change enable=1 to enable=0

Play

yum install compat-libf2c-34.i686 libX11.i686 mesa-libGL.i686 mesa-libGLU.i686 libXpm.i686 ffmpeg-libs.i686

DAVE

yum -y install "*8859*" glib glib.i686 libpng.i686 xorg-x11-drv-nvidia-libs.i686

epr_beowulf

sudo iptables -A INPUT -s itchy.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 1022 -j ACCEPT

Network Time

cp /storage/big1/kdb/linux_setup/etc/ntp.conf /etc/
sudo service ntpd start
sudo chkconfig ntpd on

64 Bit Settings

Set up paths to include additional directories

cp /storage/big1/kdb/linux_setup/etc/big64.sh /etc/profile.d/

32 Bit Settings

Set up paths to include additional directories

cp /storage/big1/kdb/linux_setup/etc/big.sh /etc/profile.d/

User Authentication

cp ~kdb/linux_setup/etc/sssd/sssd.conf /etc/sssd/
cp ~kdb/linux_setup/certs/* /etc/pki/tls/certs/
cp ~kdb/linux_setup/certs/* /etc/openldap/cacerts/
cp ~kdb/linux_setup/etc/nsswitch.conf /etc/
cp ~kdb/linux_setup/etc/ldap.conf /etc/


chkconfig sssd on;service sssd start

SELinux

setsebool -P use_nfs_home_dirs 1

chcon -h system_u:object_r:user_home_dir_t:s0 /storage/big1

echo "/storage/big1    system_u:object_r:user_home_dir_t:s0" >> /etc/selinux/targeted/contexts/files/file_contexts.local

Torque

Server
yum install torque-server.x86_64 torque-scheduler.x86_64
systemctl start pbs_sched.service
systemctl start pbs_server.service
systemctl enable pbs_sched.service
systemctl enable pbs_server.service
pbs_server -t create
# configure manager/operator user
qmgr -c "set server operators += $USER@$HOST"
qmgr -c "set server managers += $USER@$HOST"
# scheduling options
qmgr -c 'set server scheduling = true'
qmgr -c 'set server keep_completed = 300'
qmgr -c 'create queue batch'
qmgr -c 'set queue batch queue_type = execution'
qmgr -c 'set queue batch started = true'
qmgr -c 'set queue batch enabled = true'
qmgr -c 'set queue batch resources_default.walltime = 72:00:00'
qmgr -c 'set queue batch resources_default.nodes = 1'
qmgr -c 'set server default_queue = batch'
qmgr -c 'set server allow_node_submit = True'

Edit /etc/sysconfig/iptables and add (change the hostname to reflect the client machine):

 -A INPUT -s germanium.umassmed.edu -p tcp -m state --state NEW -m tcp --dport 1024:65535 -j ACCEPT

Restart firewall

systemctl restart iptables

Note: Fedora 14 puts everything in /var/lib/torque and not /var/torque

Client
yum install torque torque-mom
echo "m13.umassmed.edu" > /etc/torque/server_name
systemctl start pbs_mom.service
systemctl enable pbs_mom.service

Edit /var/lib/torque/mom_priv/config (should be linked to /etc/torque/mom/config):

$pbsserver m13.umassmed.edu
$usecp m13.umassmed.edu:/storage /storage
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup01-LogVol00  /mnt/mizar/VolGroup01-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup02-LogVol00  /mnt/mizar/VolGroup02-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup03-LogVol00  /mnt/mizar/VolGroup03-LogVol00
$usecp m13.umassmed.edu:/mnt/mizar/VolGroup04-LogVol00  /mnt/mizar/VolGroup04-LogVol00
$restricted *.umassmed.edu

Edit /etc/sysconfig/iptables and add:

-A INPUT -s m13.umassmed.edu -m state --state NEW -m tcp -p tcp --dport 15001:15004 -j ACCEPT
iptables-save >/etc/sysconfig/iptables

Restart firewall

systemctl restart iptables.service

Note: Fedora 14 puts everything in /var/lib/torque and not /var/torque

Exchange Home Directory

The following interferes with pam_mount

 yum erase gvfs-fuse

Edit /etc/pam.d/system-auth

The following system-auth file should only mount the Exchange directory if the user id >= 10000

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        [default=1 success=ok]  pam_succeed_if.so uid >= 10000 quiet
auth        optional      pam_mount.so
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     [default=1 success=ok]  pam_succeed_if.so uid >= 10000 quiet
session     optional      pam_mount.so

cp ~kdb/linux_setup/etc/pam_mount.conf.xml /etc/security/
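
The uid >= 10000 restriction in the system-auth file above depends on line order: `[default=1 success=ok]` makes a failed pam_succeed_if test jump over exactly one following module, which must be pam_mount.so. Since the file's own header says authconfig regenerates it, the following added example (not part of the original page) checks that every pam_mount.so line still has its guard directly before it; the function names are assumptions and the second stack is a constructed regression.

```sh
#!/bin/sh
# Added example. Reads a PAM stack on stdin and prints
# "<type> guarded|unguarded" for every pam_mount.so line.
# "Guarded" means the previous module line of the same type is
#   [... default=1 ...] pam_succeed_if.so uid >= MIN
# so a failed uid test skips exactly one module: pam_mount.so.
check_mount_guard() {
    awk -v min="$1" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        type = $1
        if ($0 ~ /pam_mount\.so/)
            print type, (guard[type] ? "guarded" : "unguarded")
        # Remember whether this line is a one-module skip guard for its type.
        guard[type] = ($0 ~ /default=1( |\])/ &&
                       $0 ~ /pam_succeed_if\.so/ &&
                       $0 ~ ("uid >= " min "( |$)"))
    }'
}

# Excerpt of the system-auth stack shown above.
page_stack() {
    cat <<'EOF'
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        [default=1 success=ok]  pam_succeed_if.so uid >= 10000 quiet
auth        optional      pam_mount.so
auth        sufficient    pam_sss.so use_first_pass
session     optional      pam_sss.so
session     [default=1 success=ok]  pam_succeed_if.so uid >= 10000 quiet
session     optional      pam_mount.so
EOF
}

# Constructed regression: a module inserted after the guard, so the jump
# skips pam_sss.so instead and pam_mount.so runs for every user.
drifted_stack() {
    cat <<'EOF'
auth        [default=1 success=ok]  pam_succeed_if.so uid >= 10000 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        optional      pam_mount.so
EOF
}

page_stack    | check_mount_guard 10000
drifted_stack | check_mount_guard 10000
```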