MediaWiki API result

{
    "batchcomplete": "",
    "continue": {
        "gapcontinue": "Ser2net",
        "continue": "gapcontinue||"
    },
    "warnings": {
        "main": {
            "*": "Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
        },
        "revisions": {
            "*": "Because \"rvslots\" was not specified, a legacy format has been used for the output. This format is deprecated, and in the future the new format will always be used."
        }
    },
    "query": {
        "pages": {
            "323": {
                "pageid": 323,
                "ns": 0,
                "title": "Renew cert",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "= To renew a soon to expire grid certificate: =\nCurrent expiry dates of certificates:\n\n \nServer\n\tGrid certificate expiry date\ntrdata00 \tMay 19th 2014\ntrdata01 \tMay 19th 2014\ntrdata02 \tMay 19th 2014\ntrdata03 \tMay 19th 2014\n\n \n= Instructions to renew grid certificates = \n\n* Go to Grid Canada grid certificate website:\n    https://cert.gridcanada.ca/pki/pub\n    \nYou may need a valid grid certificate in your browser in order to access this website.\n    \n* Click on the \"Request a certificate\" link.\n    \n* Click on \"Server Request\" link and fill in the request.  Couple details\n  **      Set the hostname to trdata00.triumf.ca \n  **      Set the Role to 'User'\n  **      Choose some passphrase for the PIN.\n\n*     A couple days later you will receive emails from grid-canada with a link to your new grid certificates.  Following the links will download the new grid certificates for each host into your browser.\n\n*    Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'.  You should see a list of your certificates, which should show the new certificates for trdata*.  For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.\n\n** Update 2020: new grid canada website is odd... need to go to bottom, under \"certificate and keypair\", choose PCKS#12 then click Download\n\n*    Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires.  
The instructions for this transformation are given here:\n    http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8\n\nThe critical set of steps is as follows (for trdata00 as example):\n<pre>\n    cd <whereever on local computer you have .p12 files>\n    openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem\n    openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem\n    openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem\n    openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem\n    chmod 0444 trdata00_hostcert.pem\n    chmod 0400 trdata00_hostkey.pem\n</pre>\nDuring this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.\n\nFor t2ksrm you also need to do \n\n<pre>\nchown dcache /etc/grid-security/hostkey.pem\nchown dcache /etc/grid-security/hostcert.pem\n</pre>\n\n\n*    Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:\n\n<pre>\n    ssh root@trdata00\n    cd /etc/grid-security/\n    mkdir 2011; cp -p host* 2011 (if copy does not already exist)\n    mkdir 2012\n    scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem\n    scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem\n    cp -p 2012/host* .\n</pre>\n\n*     Finally restart dcache server from head node:\n\n<pre>\n    service dcache restart\n</pre>\n\n= test certificates = \n\nNow go ahead and try to do a grid transfer (globus-url-copy) from trdata.  If this succeeds then you have successfully uploaded new certificates. 
\n\n<pre>\nexport LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz\n</pre>\n\nAlso try a lcg-ls command:\n\n<pre>\n    lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root\n</pre>"
                    }
                ]
            },
            "13": {
                "pageid": 13,
                "ns": 0,
                "title": "SLinstall",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "== Notes ==\n\n* these instructions are periodically updated to include items needed for older/newer versions of Linux. They are marked like this: (SL4.2+) means Scientific Linux 4.2 and newer; (SL4 is equivalent to FC3). (FC5 only) means Fedora Core 5; etc.\n* obsolete items are marked by the \"#\" sign at the beginning of the line and sometimes have a comment about the reason for removal.\n* typically, we do not \"upgrade\" machines using the Red Hat \"upgrade\" function. Instead, we save critical files from the old installation and do a \"fresh install\" from scratch\n* starting with RHEL7, the recommended OS is CentOS7 (instead of SL7).\n\n== Disk configurations ==\n\nThe year is 2019 and SSDs are used exclusively, except for bulk data storage, where one used 6-8-10-12 TB HDDs\n\nFor reliability, home directories and data disks must use redundant storage - mdadm raid1 or ZFS raid1/raid6.\n\nFor non-critical machines, a single SSD seems to be reliable enough to use as a boot and OS disk. But since any\nstorage device can fail at any time without warning, home directories and data disks should use redundant storage.\n\nNote: for data disks bigger than 4-6TB, mdadm raid1/raid6 is no longer recommended because raid rebuild,\nverification and repair time has become unreasonably long. 
Instead, use ZFS raid1/raid6 which implements online verification,\nrepair and disk replacement without requiring machine shutdown or OS down time.\n\n* single SSD - 120GB min - single partition for \"/\", no swap partition (create a swap file if swap is needed) - for non-critical machine with no local data storage (OS only)\n* dual SSD - 2x240GB min - all partitions mirrored (RAID1), 30GB \"/\", rest for /home1 - for daq station with local user home directories and no bulk data storage\n* single SSD + 2x6-8-10-12TB HDD - SSD partition: all \"/\", HDD partition as ZFS raid1 (mirrored) - for daq station with small local bulk data storage\n* single SSD + 6-8x6-8-10-12TB HDD - for small storage server machines - for daq station with local home directories and large bulk data storage.\n\nFor VME processors:\n\n* network boot - [[VME-CPU#Network_boot]] - only option for V7648/V7750, do not use for V7805 (no netboot from GigE), optional for V7865/XVB-602\n* USB boot - 8GB USB for V7805, 16GB USB for V7865/XVB-602\n\n== Preparation ==\n\n* save /etc, /var, /root, /opt, (if needed: /usr/local, /tftpboot) by rsync to some data disk (/ladd/data0/root)\n* check that \"/\" partition (it will be overwritten) is different from /home1 and /data partitions\n* note the MAC addresses of all network interfaces, add them to ladd00 dhcpd.conf to enable PXE boot into the SL \"network installer\"\n* shutdown\n\n== Running installer (CentOS7) ==\n\nCentOS7 can be installed from vanilla CentOS7 installation media or from\na custom USB key built per these instructions:\nhttps://daqshare.triumf.ca/~olchansk/linux/CentOS7/\n\nThe custom installer makes it easy to use a custom kickstart file (ks.cfg).\n\nInstructions for using the usb-installer:\n\n* disconnect machine from network\n* plug the usb-installer into a usb3 port (blue colour)\n* reboot machine, select booting from usb (press F8 on ASUS motherboards)\n* usb-installer boot menu offers to install CentOS7, go there\n* CentOS7 should 
boot (many messages scroll on screen)\n* into graphical mode\n* into installer main menu\n* all installer options should be \"happy\" except for the \"installation destination\"\n* go to the \"installation destination\" menu\n** unselect all disks except for the SSD where the OS will be installed\n** (MOST IMPORTANT: unselect the USB installer disk!)\n** select \"I will configure...\"\n** say \"done\"\n** the \"manual partitioning\" menu will open\n*** use the \"-\" button to delete all existing partitions\n*** select \"standard partition\"\n*** click on the \"+\" button\n*** in the \"Add new partition\" dialog, set mount point \"/\", capacity blank, click \"add mount point\"\n*** check capacity (should be full size of SSD), check filesystem type (should be XFS)\n*** say \"done\", there will be a warning about absent swap partition, say \"done\" again.\n*** in the big useless dialog, say \"accept changes\"\n*** should be back to the \"installation summary\" screen, \"installation destination\" should be happy now\n* after everything is happy, say \"begin installation\"\n* as the installation proceeds, set the password for the root user\n* after installation is complete, reboot the machine\n* unplug the usb-installer, CentOS7 should boot from SSD into the login screen\n* click on \"not listed?\", login as root\n* setup network connection:\n** open a terminal\n** start \"nm-connection-editor\"\n** click on \"+\" to create a new connection profile\n** select \"wired ethernet\"\n** select \"add profile...\"\n** in \"Identity\", set \"name\" to \"static\"\n** in \"Identity\", check that \"Connect automatically\" and \"Make available...\" are enabled\n** in \"IPv4\", set \"Addresses\" to \"manual\" instead of \"dhcp\"\n** enter IP address, netmask 255.255.224.0, gateway 142.90.100.18, dns 142.90.100.19, search triumf.ca\n** say \"Add\", then close/quit the network settings\n* connect network cable\n* network should be up, ping ladd00 should work\n* run: yum update -y\n* 
check new kernel is installed: ls -l /boot\n* logout and restart (good luck finding these buttons in the gui!)\n* confirm correct linux kernel is selected during boot (-229.20, not the original installer kernel)\n* login as root, confirm network is up, proceed with the rest of these instructions\n\n== Configure SSH ==\n\n(+CentOS7)\n\n* Login from the console\n* restore the SSH keys from backup (/etc/ssh/*key*)\n* service sshd restart\n* ssh into the new machine as root\n* ssh root@localhost, ctrl-C\n* ### this is done later from Konstantin's git repository - scp root@ladd00:/root/authorized_keys ~root/.ssh/\n* (not needed for SL5.5 kickstart) check that /etc/ssh/ssh_config contains \"ForwardX11 yes\" and \"ForwardX11Trusted yes\":\n<pre>\necho \"  ForwardX11 yes\" >> /etc/ssh/ssh_config\necho \"  ForwardX11Trusted yes\" >> /etc/ssh/ssh_config\n</pre>\n\n== Set hostname ==\n\nSet hostname: (use full name, i.e. daq11.triumf.ca)\n<pre>\nemacs -nw /etc/hostname\n</pre>\n\n== Configure email ==\n\n* TRIUMF: use relayhost = smtp.triumf.ca\n* CERN: use relayhost = cernmx.cern.ch\n\n* edit /etc/postfix/main.cf, set \"relayhost = smtp.triumf.ca\"\n* echo \"olchansk@triumf.ca amaudruz@triumf.ca lindner@triumf.ca bsmith@triumf.ca\" >> ~root/.forward\n\n== Make log files readable ==\n\n<pre>\nchmod a+r /var/log/messages\nchmod a+r /var/log/yum.log\n</pre>\n\n== Activate /etc/rc.local ==\n\nActivate rc.local:\n<pre>\nchmod a+x /etc/rc.local\nchmod a+x /etc/rc.d/rc.local  # TL edit\nsystemctl enable rc-local\nsystemctl start rc-local\nsystemctl status rc-local\n</pre>\n\n== Disable \"persistent network names\" (DO NOT DO THIS) ==\n\n<pre>\n/bin/touch /etc/udev/rules.d/75-persistent-net-generator.rules\n/bin/rm /etc/udev/rules.d/70-persistent-net.rules\n#shutdown -r now\n</pre>\n\n== Configure NIS client (CentOS7) ==\n\n<pre>\nyum -y install ypbind authconfig\necho \"NISTIMEOUT=5\" >> /etc/sysconfig/network\necho \"NETWORKWAIT=yes\" >> /etc/sysconfig/network\nauthconfig 
--enablenis --enablepreferdns --nisdomain LADD-NIS --nisserver ladd00.triumf.ca --update\nypwhich\nypcat -k passwd\nsystemctl restart autofs\n</pre>\n* On the master NIS node (ladd00), add this new node to /etc/netgroup, and update NIS maps (cd /var/yp; make)\n* Use \"system-config-users\" to add local user accounts\n* enable selinux ssh key login to nfs mounted home directories:\n<pre>\nsetsebool -P use_nfs_home_dirs 1\n</pre>\n\n== Configure NIS client (CentOS8) ==\n\n* all the same as for CentOS7\n* ensure correct boot order for ypbind (in CentOS 8.1 ypbind is started before network is ready, service file uses \"Wants\" instead of \"After\")\n<pre>\nmkdir /etc/systemd/system/ypbind.service.d\necho -e \"[Unit]\\nAfter=network-online.target\\n\" > /etc/systemd/system/ypbind.service.d/local.conf\nsystemctl daemon-reload\nsystemctl cat ypbind.service\n</pre>\n\n== Configure NIS secondary server (CentOS7) ==\n\nEnable local NIS server, make local machine use it:\n\n<pre>\nyum -y install ypserv\n/usr/lib64/yp/ypinit -s ladd00 ### (/usr/lib/yp/ypinit on 32-bit machines)\n### ypinit will give lots of errors about \"rpc.ypxfrd failed: RPC: Can't decode result\"; can be ignored\nsystemctl disable ypxfrd yppasswdd\nsystemctl stop ypxfrd yppasswdd\nsystemctl enable rpcbind ypserv\nsystemctl start rpcbind ypserv\nemacs -nw /etc/yp.conf # change \"domain XXX server YYY.triumf.ca\" to read \"domain XXX server localhost\"\nsystemctl restart ypbind\nypwhich # should say \"localhost\"\nypcat -k auto.master # should work\n</pre>\n\nPunch hole in the firewall: (or \"make\" on NIS master will complain)\n\n<pre>\necho YPSERV_ARGS=\\\"-p 800\\\" >> /etc/sysconfig/network\nsystemctl restart ypserv\nfirewall-cmd --get-services\nfirewall-cmd --add-service rpc-bind --permanent\nfirewall-cmd --add-port=800/tcp --add-port=800/udp --permanent\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\n* on the NIS master:\n** add the new machine to /var/yp/ypservers, run \"make -C /var/yp\" 
and also \"cd /var/yp; yppush -h newmachine ypservers\"\n*** TL (2020-09): we not doing this anymore?  I guess it doesn't work anyway...\n** if using /var/yp/securenets, copy it from NIS master to new NIS secondary server\n\nEnable hourly NIS update cron job (DO THIS AFTER git pull scripts, see below)\n\n<pre>\ncd ~/git/scripts\ngit pull\ncd etc\ncd ~/git/scripts/etc; ln -s $PWD/ypxfr-cron-hourly /etc/cron.hourly\n</pre>\n\n== Configure AUTOFS (CentOS7) ==\n\n<pre>\nyum -y install autofs\nsystemctl enable autofs\nsystemctl start autofs\nls -l /daq/daqshare\n</pre>\n\n\n\n== Label Selinux labels ==\n\nWhen upgrading non-selinux machines (el6) to el7 (selinux enforcing) the existing\nuser home directories will not have the correct selinux labels and many things\nwill not work, including ssh logins (sshd cannot access ~user/.ssh files).\n\n<pre>\nsemanage fcontext -a -e /home /home1 ### selinux has special rules for /home, assign them to /home1\nrestorecon -R -v /home1 ### apply the new rules to files in /home1\nls -Zd /home1/alpha/.ssh\n# should say: drwx------. 
alpha users system_u:object_r:ssh_home_t:s0  /home1/alpha/.ssh\n</pre>\n\n== Configure time (CentOS7) ==\n\nTime server ntpd was replaced by chronyd.\n\n<pre>\nyum -y install chrony\necho server time1 iburst >> /etc/chrony.conf\necho server time2 iburst >> /etc/chrony.conf\necho server time3 iburst >> /etc/chrony.conf\nsystemctl enable chronyd\nsystemctl restart chronyd\nchronyc sources\nchronyc tracking\n</pre>\n\n* if desired, edit /etc/chrony.conf, remove non-triumf time servers\n\n== Enable automatic system updates (CentOS7) ==\n\nDisable yum-cron:\n\n<pre>\nrpm --erase yum-cron\n/bin/rm -v /var/lock/subsys/yum-cron\n/bin/rm -v /etc/cron.daily/0yum-daily.cron\n/bin/rm -v /etc/cron.hourly/0yum-hourly.cron\n</pre>\n\nEnable yum-autoupdate:\n\n<pre>\nyum install -y epel-release\nyum install -y yum-changelog yum-protectbase yum-tsflags yum-versionlock\nrpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-kernel-module-1-5.el7.cern.noarch.rpm\nrpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm\n#rpm -vh --install https://daqshare.triumf.ca/~olchansk/linux/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm https://daqshare.triumf.ca/~olchansk/linux/yum-kernel-module-1-5.el7.cern.noarch.rpm\nsystemctl enable yum-autoupdate\nsystemctl start yum-autoupdate\nsystemctl status yum-autoupdate\n</pre>\n\n== Disable automatic system updates (CentOS7) ==\n\n<pre>\nyum -y erase yum-autoupdate\n/bin/rm -f /etc/sysconfig/yum-autoupdate.rpmsave\n/bin/rm -f /var/lock/subsys/yum-autoupdate\n</pre>\n\n== Enable automatic system updates (CentOS8) ==\n\n<pre>\nyum -y install dnf-automatic\nsystemctl enable --now dnf-automatic.timer\nsystemctl list-timers *dnf-*\n</pre>\n\nedit /etc/dnf/automatic.conf\n<pre>\napply_updates = yes\n</pre>\n\n== Configure system services (CentOS7) ==\n\n* systemctl list-unit-files | grep enabled | sort ### (to see enabled services)\n* disable unwanted 
services:\n<pre>\nsystemctl disable bluetooth\nsystemctl disable dm-event\nsystemctl disable dmraid-activation\nsystemctl disable iscsid\nsystemctl disable iscsi\nsystemctl disable iscsiuio\nsystemctl disable libvirtd\nsystemctl disable lvm2-lvmetad\nsystemctl disable lvm2-monitor\nsystemctl disable ModemManager\nsystemctl disable multipathd\nsystemctl disable netcf-transaction\nsystemctl disable lvm2-lvmetad.socket\nsystemctl disable lvm2-lvmpolld.socket\nsystemctl disable iscsid.socket\nsystemctl disable iscsiuio.socket\nsystemctl disable ksm\nsystemctl disable ksmtuned\n#systemctl disable \n</pre>\n\n== Erase unwanted packages (CentOS7) ==\n\n* PackageKit # bugs users about security updates, hogs yum lock\n* perl-homedir # creates unwanted $HOME/perl5\n* ModemManager # thinks that all USB-attached devices are modems\n* pcp # sends error email to itself, does not work\n* abrt # sends email to root about useless crashes, i.e. crash of X when machine is rebooted\n* rear # some kind of backup and recovery tool, not clear what it does, but it sends email complaining how it is broken\n* bash-completion # \"echo $HOME/<TAB>\" becomes \"echo \\$HOME\" (notice \"\\\" added before \"$\") preventing tab-completion from doing anything useful.\n\n<pre>\nyum -y erase PackageKit perl-homedir ModemManager pcp abrt abrt-libs abrt-gui-libs rear bash-completion\n</pre>\n\n== Disable unwanted package \"tracker\" ==\n\nThe \"tracker\" package is part of the GNOME desktop, it scans the content of all files\ninto a database for quick searching.\n\nWhen it malfunctions, bad things happen, i.e. read through\nhttps://bugzilla.redhat.com/show_bug.cgi?id=747689\n\nSpecific problem I see is that it floods the system log with error messages. 
Also \nconsumes network and filesystem bandwidth for NFS mounted home directories.\n\nThis package cannot be removed by \"yum erase tracker\" due to dependencies\nfrom core GNOME desktop.\n\nInstead, do this to deactivate it:\n\n<pre>\nchmod -x /usr/libexec/tracker-*\nchmod -x /usr/bin/tracker\nchattr +i /usr/bin/tracker\nchattr +i /usr/libexec/tracker-*\n</pre>\n\n== Configure external package repositories (CentOS7) ==\n\nEPEL: (additional packages)\n<pre>\nyum install epel-release\n</pre>\n\nELREPO: (kernel modules and drivers) (CentOS8)\n<pre>\nyum install elrepo-release\n</pre>\n\nELREPO: (kernel drivers)\n<pre>\nrpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org\nrpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm\nyum -y install yum-plugin-fastestmirror\n</pre>\n\n== Install packages needed to continue with installation ==\n\n(+CentOS7)\n\n(these packages are sometimes missing, they are needed to follow the following instructions)\n\n(SL6.5: libotf is a dependency of emacs - SL6.5 installer fails to install it)\n\n<pre>\nyum install ed patch wget git libotf gdisk emacs perl\n</pre>\n\n== Configure Konstantin's scripts ==\n\n(+Centos7)\n\n<pre>\nmkdir ~root/git\ncd ~root/git\ngit clone http://ladd00.triumf.ca/~olchansk/git/scripts.git\ncd scripts\ngit pull\n</pre>\n\nGo back to the NIS slave server and install the hourly NIS update cron job.\n\n== Enable yum version lock ==\n\n<pre>\nyum install yum-plugin-versionlock\n#yum versionlock packagename # yum versionlock rpcbind\n#yum versionlock list # list locked packages\n#yum versionlock delete packagename # unlock given package\n#yum versionlock clear # delete all locks\n</pre>\n\n== Configure trusted ssh keys ==\n\n(+CentOS7)\n\n<pre>\nssh localhost\ninterrupt by Ctrl-C\n/bin/cp ~/git/scripts/etc/authorized_keys ~/.ssh/\n</pre>\n\n== Configure hardware sensors ==\n\n* yum -y install lm_sensors\n* sensors-detect (accept default answer to all questions - press ENTER)\n* 
systemctl restart lm_sensors\n* sensors (to see available sensors)\n\nIf no sensors are detected by standard drivers, follow motherboard-specific instructions at the bottom of this page.\n\n== Configure IPMI sensors ==\n\nSome machines support the IPMI interface for monitoring the hardware: fan speeds, temperatures, voltages.\n\n* find out if IPMI is supported. Try this:\n<pre>\ndmidecode | grep -i ipmi\n</pre>\nif output is not blank, IPMI is maybe supported.\n* install and enable IPMI software:\n<pre>\nyum install \"OpenIPMI*\" ipmitool\nservice ipmi start\nipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.\nchkconfig ipmi on\nchkconfig ipmievd on\nservice ipmi restart\nservice ipmievd restart\ntail -100 /var/log/messages ### look at messages logged by ipmievd\n</pre>\n* (CentOS7) install and enable IPMI software:\n<pre>\nyum install \"OpenIPMI*\" ipmitool\nsystemctl start ipmi\nipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.\nsystemctl list-unit-files | grep -i ipmi\nsystemctl enable ipmi\nsystemctl restart ipmi\nsystemctl status ipmi\nsystemctl enable ipmievd\nsystemctl restart ipmievd\nsystemctl status ipmievd\ntail -100 /var/log/messages ### look at messages logged by ipmievd\n</pre>\n\n* if ipmievd complains about SEL buffer overflow, clear it manually:\n<pre>\nipmitool sel list ### show ipmi messages in raw format\nipmitool sel elist ### show ipmi messages in useful format\nipmitool sel elist > file ### save ipmi messages into a file\nipmitool sel clear  ### clear all accumulated ipmi messages\n</pre>\n\n* useful ipmi commands:\n** ipmitool sensor -- read hardware sensors\n** ipmitool sel elist -- report all accumulated messages\n\n== Configure ECC memory ==\n\n* check that machine has ECC memory: dmidecode --type memory | grep -i ecc\n\nConfigure mcelog (machine check exception)\n\n* yum install mcelog\n* check that mcelog is running: ps -efw | grep mcelog\n* (el6) chkconfig mcelogd 
on; service mcelogd restart\n* (el7) systemctl status mcelog.service; systemctl enable mcelog.service; systemctl restart mcelog.service\n\nCheck for MCE (machine check exception) messages:\n\n* mcelog --client\n* grep -i mce /var/log/messages*\n* grep -i ecc /var/log/messages*\n\nConfigure EDAC\n\n<pre>\nyum install edac-utils\nedac-ctl --mainboard\nedac-ctl --status\nlsmod | grep edac\nmodprobe ie31200_edac ### driver for Intel E3-1200 series ECC memory\n\n[root@grsmid00 ~]# ls -l /sys/devices/system/edac/mc/\n... empty\n\n[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/\ndrwxr-xr-x. 15 root root    0 Oct 25 16:40 mc0\n...\n[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/mc0\ntotal 0\n-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_count\n-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_noinfo_count\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow0\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow1\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow2\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow3\n-r--r--r--. 1 root root 4096 Oct 25 16:40 max_location\n-r--r--r--. 1 root root 4096 Oct 25 16:40 mc_name\ndrwxr-xr-x. 2 root root    0 Oct 25 16:40 power\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank0\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank1\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank2\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank3\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank4\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank5\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank6\ndrwxr-xr-x. 3 root root    0 Oct 25 16:40 rank7\n--w-------. 1 root root 4096 Oct 25 16:40 reset_counters\n-r--r--r--. 1 root root 4096 Oct 25 16:40 seconds_since_reset\n-r--r--r--. 1 root root 4096 Oct 25 16:40 size_mb\nlrwxrwxrwx. 1 root root    0 Oct  2 12:02 subsystem -> ../../../../../bus/mc0\n-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_count\n-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_noinfo_count\n-rw-r--r--. 
1 root root 4096 Oct 25 16:40 uevent\n[root@alpha00 ~]# \n\n[root@alpha00 ~]# edac-ctl --status\nedac-ctl: drivers are loaded.\n\n[root@alpha00 ~]# edac-util \nedac-util: No errors to report.\n\n[root@alpha00 ~]# edac-util -s\nedac-util: EDAC drivers are loaded. 1 MC detected\n</pre>\n\n== Configure SMARTD (CentOS7) ==\n\nDefault el7 smartd config files send deficient email notices about disk failures. Overwrite.\n\n<pre>\n/bin/cp ~/git/scripts/etc/smartd.conf /etc/smartmontools/\n/bin/cp ~/git/scripts/etc/smartd_warning.sh /etc/smartmontools/\nsystemctl enable smartd\nsystemctl restart smartd\nsystemctl status smartd\n</pre>\n\n== Enable User Disk Quotas (OPTIONAL) ==\n\n(+CentOS7)\n\n* read http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-disk-quotas.html\n* emacs -nw /etc/fstab, add \"grpquota,usrquota\" to filesystem options, e.g.:\n<pre>\n[root@isdaq00 home1]# grep quota /etc/fstab\nUUID=5a2aefbd-45db-475e-841e-12ec89220fbd /home1 ext4 defaults,grpquota,usrquota 1 2\n</pre>\n* cd /; umount /home1; mount /home1\n* quotacheck -cug /home1\n* quotacheck -avug\n* quotaon -av\n* quota system is now active\n* increase the soft quota time limit from default 7days to 30 or 60 days: edquota -t\n* set quotas for all users (see below)\n* setup warnquota:\n** create warnquota config file: emacs -nw /etc/warnquota.conf\n<pre>\n# values can be quoted:\nMAIL_CMD        = \"/usr/sbin/sendmail -t\"\nFROM            = root\nSUBJECT         = User %i@%h exceeded allocated disk quota\nCC_TO           = \"root\"\n# If you set this variable CC will be used only when user has less than\n# specified grace time left (examples of possible times: 5 seconds, 1 minute,\n# 12 hours, 5 days)\n# CC_BEFORE = 2 days\nSUPPORT         = \"root\"\n# Text in the beginning of the mail (if not specified, default text is used)\n# This way text can be split to more lines\n# Line breaks are done by '|' character\n# The expressions %i, %h, %d, and %% are 
substituted for user/group name,\n# host name, domain name, and '%' respectively. For backward compatibility\n# %s behaves as %i but is deprecated.\nMESSAGE         = User \"%i\" on \"%h\" has exceeded the allocated disk quota.||Please delete any unnecessary files on following filesystems or|contact the system administrator to increase your quota allocation:|\nSIGNATURE       = --|automated email from warnquota\n</pre>\n** note that %i@%h in the SUBJECT line do not seem to work\n** create cron job: emacs -nw /etc/cron.daily/warnquota\n<pre>\n#!/bin/sh\nwarnquota\n#end\n</pre>\n** chmod a+x /etc/cron.daily/warnquota\n** touch /etc/crontab\n\nUseful commands for managing quotas:\n* repquota -a | sort -n -k3 ### show quota of all users sorted by disk usage\n* edquota -u username ### open \"vi\" editor to change user quotas\n* repquota -a | grep username ### report quota for given user\n* setquota -u username 0 0 0 0 /home1 ### disable quotas for given user\n* setquota -u username 50000000 100000000 0 0 /home1 ### set quotas for 50GB soft and 100GB hard\n* edquota -t ### change user quota time limits\n* edquota -tg ### change group quota time limits\n\n== Enable NFS V4 server (CentOS7) ==\n\n* create /etc/exports. 
example: (fsid numbers should be unique and increase 1,2,3,...)\n<pre>\n/home1  @home_export(rw,no_root_squash,async,fsid=1)\n/data1  @data_export(rw,no_root_squash,async,fsid=2)\n</pre>\n* check the netgroup file\n** if using NIS: check NIS netgroup: ypcat -k netgroup\n** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)\n** if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: \"netgroup: files\"\n* enable things, start them:\n<pre>\nfirewall-cmd --get-services\nfirewall-cmd --permanent --add-service=nfs\nfirewall-cmd --permanent --add-service=rpc-bind ### needed for ubuntu automounter\nfirewall-cmd --reload\nfirewall-cmd --list-all\nsystemctl enable nfs-server\nsystemctl start nfs-server\nsystemctl status nfs\n</pre>\n\n== Enable NFS V3 server (CentOS7) ==\n\n<pre>\nps -efw | grep rpc.mountd # should be running!\nfirewall-cmd --get-services\nfirewall-cmd --permanent --add-service=mountd\nfirewall-cmd --permanent --add-service=rpc-bind\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\n== Enable NFS V3 server ==\n\n* edit /etc/hosts.allow, add or uncomment \"mountd: 142.90.0.0/255.255.0.0\"\n* create /etc/exports. example:\n<pre>\n/home1  @home_export(rw,no_root_squash,async)\n/data1  @data_export(rw,no_root_squash,async)\n</pre>\n* check the netgroup file\n** if using NIS: check NIS netgroup: ypcat -k netgroup\n** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)\n** if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: \"netgroup: files\"\n* chkconfig nfs on\n* chkconfig nfslock on\n* service nfs restart\n\nThen on ladd00 need to do\n* ssh to root@ladd00\n* edit /etc/auto.daq to add new machine...\n* make -C /var/yp\n\n== Enable NFS V4 SERVER (SL6) ==\n\n* if used with NIS, same as NFSv3\n* if used as standalone, need to edit idmapd.conf - set the \"Domain\" name to the same value on NFS server and NFS slave (default automagically determined value does not always work). 
More TBW.\n\n== Enable AMANDA backups ==\n\nAMANDA backups are already enabled by TRIUMF kickstart installs. For non-kickstart installation, follow instructions at [[http://amanda/~amanda http://amanda/~amanda]], or look at \"/triumfcs/trshare/olchansk/linux/amanda/amanda-enable.perl\". As final step, use [[https://helpdesk.triumf.ca https://helpdesk.triumf.ca]] to contact TRIUMF CS to add this new machine to the amanda backup list.\n\n* yum install triumf-amanda\n\n== Enable AMANDA backups (CentOS7) ==\n\n<pre>\nyum install amanda-client\nsystemctl list-unit-files | grep -i amanda\n#systemctl enable amanda\nsystemctl enable amanda.socket\nsystemctl enable amanda-udp.socket\nsystemctl restart amanda.socket\nsystemctl restart amanda-udp.socket\nfirewall-cmd --get-services\nfirewall-cmd --permanent --add-service=amanda-client\nfirewall-cmd --reload\nfirewall-cmd --list-all\necho amanda.triumf.ca amanda amdump >> /var/lib/amanda/.amandahosts\n</pre>\n\nOn amanda server, add new machine to the disklist, then:\n\n<pre>\namcheck -c daily titan00\n</pre>\n\n== Enable DCACHE ==\n\nDAQ dcache server is mounted as\n\n/daq/pnfs/triumf.ca/data/\n\nFor Centos-7 machines, you need to adjust the firewall rules in order to be able to communicate with the trdata machines; this is only necessary if you are copying data to trdata.  
The firewall changes are\n\n<pre>\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.100.212/32\" port protocol=\"tcp\" port=\"0-65535\" accept\"\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.107.156/32\" port protocol=\"tcp\" port=\"0-65535\" accept\"\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.100.219/32\" port protocol=\"tcp\" port=\"0-65535\" accept\"\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\nThese instructions are unnecessary:\n* # mkdir -p /pnfs\n* # edit /etc/rc.local, add to the end of file: \"mount -o intr,rw,noac,hard,nfsvers=3 trdata00:/pnfs /pnfs &\"\n* # . /etc/rc.local\n\nFor more information, see the [[TrdataDcache]] dcache page.\n\n== Configure Ganglia (Centos7) ==\n\nCentOS7 Ganglia instructions (EPEL7 ganglia-3.7.2)\n\n<pre>\n/bin/rm /etc/gmond.conf\nyum -y install \"ganglia-gmond*\"\n/bin/cp -v /dev/null /etc/ganglia/conf.d/multicpu.conf   # collects useless data\n/bin/cp -v /dev/null /etc/ganglia/conf.d/netstats.pyconf # spews errors into syslog\n/bin/cp -v /dev/null /etc/ganglia/conf.d/diskstat.pyconf # collects useless data\n/bin/cp -v /dev/null /etc/ganglia/conf.d/procstat.pyconf # do not create /tmp/gmond.conf\nyum erase -y ganglia-vmstat ganglia-sensors ganglia-top ganglia-smart ganglia-cpumhz\ncd ~/git/scripts\ngit pull\n/bin/cp etc/gmond.conf /etc/ganglia/gmond.conf\nsystemctl enable gmond\nsystemctl restart gmond\nsystemctl status gmond\ncd ganglia\n./ganglia-all.perl\nmake install\ncd ~\n</pre>\n\n== Configure Ganglia (Centos8) ==\n\nCentOS8 Ganglia instructions (EPEL8 ganglia-3.7.2)\n\n<pre>\n/bin/rm /etc/gmond.conf\nyum -y install \"ganglia-gmond*\"\n/bin/cp ~/git/scripts/etc/gmond.conf /etc/ganglia/gmond.conf\nsystemctl enable gmond\nsystemctl restart gmond\nsystemctl status gmond\ncd ~/git/scripts/ganglia\ngit pull\n./ganglia-all.perl\nmake install\n</pre>\n\n== Configure TRIUMF DAQ packages 
==\n\n(+CentOS7)\n\n<pre>\ncd /etc/yum.repos.d\nwget http://daq.triumf.ca/~daqweb/yum/triumf-daq.repo\n</pre>\n\n== Install Konstantin's packages ==\n\n(+CentOS7)\n\n<pre>\nyum --disablerepo=\\* --enablerepo=triumf-daq --skip-broken install diskscrub emailonreboot monitor_nfs\n</pre>\n\n== Install memtest and PXE boot ==\n\n!!!DO NOT DO THIS!!!\n\n<pre>\ncd /boot\nwget http://ladd00.triumf.ca/tftpboot/memtest86+-5.01.bin.gz\nwget http://ladd00.triumf.ca/tftpboot/memtest86+-4.20.bin.gz\nwget http://ladd00.triumf.ca/tftpboot/memtest86+-4.10\nwget http://ladd00.triumf.ca/tftpboot/gpxe-1.0.1+-gpxe.lkrn\n\nemacs -nw /boot/grub/grub.conf\ntitle memtest86+-5.01\n      root (hd0,0)\n      kernel /boot/memtest86+-5.01.bin.gz\ntitle memtest86+-4.20\n      root (hd0,0)\n      kernel /boot/memtest86+-4.20.bin.gz\ntitle memtest86+-4.10\n      root (hd0,0)\n      kernel /boot/memtest86+-4.10\ntitle pxeboot\n      root (hd0,0)\n      kernel /boot/gpxe-1.0.1+-gpxe.lkrn\n</pre>\n\n== Install node monitoring ==\n\n!!! OBSOLETE, DO NOT DO THIS !!!\n\n(+CentOS7)\n\n<pre>\nyum --disablerepo=\\* --enablerepo=triumf-daq --skip-broken install triumf_nodeinfo\n/usr/sbin/sendnodeinfo.perl --config ladd00.triumf.ca:8600\nemacs -nw /etc/nodeinfo\n/usr/sbin/sendnodeinfo.perl ladd00.triumf.ca:8600\n</pre>\n\n== Install gonodeinfo node monitoring ==\n\n(+Ubuntu, +CentOS7, +CentOS8)\n\ngo to https://bitbucket.org/dd1/gonodeinfo\nfollow instructions:\n<pre>\nyum -y install golang\nmkdir ~/git\ncd ~/git\ngit clone https://bitbucket.org/dd1/gonodeinfo.git\n# or git clone https://daq.triumf.ca/~olchansk/git/gonodeinfo.git\ncd gonodeinfo\ngit pull\nmake\nmake install # install gonodeinfo agent\ncd ~ # this is important\n</pre>\n\n* emacs -nw /etc/gonodeinfo.conf\n* change \"Description\", \"Location\", \"User\" and \"Administrator\" as appropriate (or delete them)\n* change \"Servers\" to read: Servers: daq00.triumf.ca:8601\n* run gonodeinfo -e\n* if error is \"connection refused\". 
go to the nodeinfo server to add this client to the access control list:\n* on the gonodeinfo server: run /opt/gonodeinfo/gonodereceive.exe -a daq13\n* try gonodeinfo again, there should be no error\n* on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now\n\n== Install latest system updates ==\n\n(+CentOS7)\n\n<pre>\nyum update -y\n</pre>\n\n== Configure TRIUMF Printers (CentOS7) ==\n\n<pre>\nsystemctl stop cups\nsystemctl disable cups\necho \"ServerName printers.triumf.ca\" > /etc/cups/client.conf\nlpstat -a\n</pre>\n\n== Disable syslog spam (CentOS7) ==\n\nDefault el7 config is spamming the syslog with useless messages \"systemd: Starting Session\", etc. Disable this:\n\n<pre>\necho auditctl -e 0 >> /etc/rc.local\necho /usr/bin/systemd-analyze set-log-level notice >> /etc/rc.local\n/etc/rc.local\n</pre>\n\n== Install basic system packages (CentOS7) ==\n\n(if starting from minimal system, basic system packages required:)\n\n<pre>\nyum install -y which psmisc redhat-lsb-core xorg-x11-xauth xterm emacs-nox rsync tcpdump strace nfs-utils sysstat iftop tcsh\nyum install -y gcc gcc-c++ gdb glibc-static libstdc++-static zlib zlib-devel openssl-devel httpd-tools\n</pre>\n\n== Install packages needed for QUARTUS, ROOT, EPICS and MIDAS DAQ ==\n\n(+CentOS7)\n\nyum install --skip-broken giflib.x86_64 sysstat \"libusb-devel*\" \"libusbx-devel*\" unixODBC-devel postgresql-devel libxml2-devel libXpm-devel libgfortran git compat-readline43 \"graphviz*\" dcap \"tigervnc*\" telnet glibc\"*\" strace \"fftw*\" libpng \"freetype*\" xpdf \"xemacs*\" tkcvs xterm mutt \"*-g77*\" joe \"libXmu*\" dcap-devel gsl-devel pcre-devel h5py gd-devel xorg-x11-fonts\"*\" minicom xfig\"*\" perl-BSD-Resource \"net-snmp-*\" readline-static git-all nasm imake tcl-devel gv xorg-x11-twm expat-devel screen compat-readline5 ImageMagick ImageMagick-devel wget alacarte scipy numpy sympy nedit gnuplot php-cli php-domxml-php4-php5 php-gd php-fpdf php-cli 
kdebase cmake tcpdump sqlite sqlite-devel kdegraphics gdisk lsof gconf-editor iftop tk-devel mcelog kdm blt itcl lz4 bzip2 pbzip2 apr-devel apr-util-devel net-tools golang\"*\" --exclude golang-cover\"*\"hg\"*\" --exclude golang\"*\"hg\"*\" --exclude golang-pkg\"*\" --exclude golang-github\"*\" --exclude golang\"*\"git\"*\" mesa\"*\" xerces-c\"*\" diffuse clang i2c-tools  texlive-revtex texlive-revtex4 kile kbibtex xrdp glibc.i686 gimp gimp-data-extras perl-GD\"*\" perl-Math\"*\" perl-Statistics-Basic cmake3 cmake3-gui extra-cmake-modules python2-pip  mariadb-devel glibc-devel.i686 libzstd zlib-devel.i686\n\n== Install optional packages ==\n\n!! DO NOT DO THIS !!\n\n(do not install boost on 32-bit machines)\n\nyum install --skip-broken \"boost-*\" \n\n(packages for 32-bit software compilation on 64-bit machines. this is optional)\n\nyum install --skip-broken giflib.i386 giflib.i686 compat-libf2c-34.i386 compat-libf2c-34.i686 mysql-devel.i686 openssl-devel.i686 unixODBC-devel.i686 libstdc++-devel.i386 libstdc++-devel.i686 \"zlib-*.i686\" \"libXext-*.i686\" \"libXtst-*.i686\" glibc-static.i686 freetype.i686 fontconfig.i686 libpng.i686 libXrender.i686 glibc-devel.i686 libX11-devel.i686 libXpm-devel.i686 libXft-devel.i686 mysql-devel.i686 dcap-devel.i686 gsl-devel.i686 pcre-devel.i686 fontconfig-devel.i686 freetype-devel.i686 libpng-devel.i686 libjpeg-devel.i686 libgfortran.i686 libxml2-devel.i686 gd-devel.i686 readline-devel.i686 ncurses-devel.i686 libXdmcp.i686 readline-static.i686 compat-readline5.i686\n\nyum install boost-devel.i686\n\n(separately install these packages - they collide with the big bunch above)\n\nyum install rdesktop\n\nyum reinstall urw-fonts\n\n== Install libraries for PHYSICA (CentOS7) ==\n\nTo run physica built on el6 from git sources on el7, do this:\n\n(building physica on el7 is not supported at this time)\n\n(see more http://www.triumf.info/wiki/DAQwiki/index.php/PHYSICA)\n\n<pre>\nyum -y install libX11.i686 gd.i686 libpng12.i686 
readline.i686 compat-libf2c-34.i686\n</pre>\n\n== Install additional desktop environments (CentOS7) ==\n\n<pre>\n# LXQT (from EPEL)\n# NOT COMPATIBLE WITH el7.7 # yum -y install \"lxqt*\"\n# Cinnamon desktop (from EPEL)\nyum -y install cinnamon\n# KDE5 not available yet\n# MATE (from epel)\nyum -y groupinstall \"MATE Desktop\"\nyum -y install mate-common mate-icon-theme-faenza mate-netspeed mate-sensors-applet mate-themes-extras mate-utils\nyum -y erase ModemManager abrt abrt-libs abrt-gui-libs\n# XFCE4 (from EPEL)\nyum -y groupinstall xfce\nyum -y install \"xfce*plugin\" xfce4-about --exclude xfce4-hamster-plugin\nyum -y erase bash-completion\n</pre>\n\n* make the MATE desktop as default\n\n<pre>\ncd ~root/git/scripts/\ngit pull\n/bin/cp -v etc/lightdm_default_mate.conf /etc/lightdm/lightdm.conf.d/\n</pre>\n\n* lightdm login manager (from EPEL)\n<pre>\nyum install lightdm lightdm-kde lightdm-qt lightdm-qt5\n</pre>\n\n* and switch from gdm to lightdm\n<pre>\nsystemctl disable gdm.service\nsystemctl enable lightdm.service\n(systemctl stop gdm; systemctl restart lightdm) &\n</pre>\n\n== Install SMART scripts ==\n\n(+CentOS7)\n\n<pre>\nln -sf ~/git/scripts/smart-status/smart-status.perl ~/\n</pre>\n\n== Install NTFS drivers ==\n\nyum install ntfs-3g ntfsprogs (from EPEL)\n\n== Install HFS and HFS+ drivers (CentOS7) ==\n\nyum --disablerepo=\* --enablerepo=elrepo install kmod-hfs kmod-hfsplus\n\n== Install Google Chrome web browser (64-bit CentOS7) ==\n\nDOES NOT WORK AS OF google-chrome-stable-114 because google uses signature incompatible with CentOS-7, see https://www.reddit.com/r/chrome/comments/13s799o/googlechromebeta_1140573545_rpm_invalid_signature/\n\nautomatic updates will fail with signature check error, to defeat it lock old version of google-chrome:\n<pre>\nyum versionlock google-chrome-stable\n</pre>\n\nTHIS DOES NOT WORK ANYMORE:\n\n<pre>\n/bin/cp ~/git/scripts/etc/google-chrome-64.repo /etc/yum.repos.d/\nyum install google-chrome-stable\n</pre>\n\n== 
Enable monitoring of HTTPS certificates ==\n\nOn SL6, CentOS7:\n\n<pre>\nyum install crypto-utils\n/etc/cron.daily/certwatch\nstrace -f /etc/cron.daily/certwatch  |& grep open  | grep crt\n</pre>\n\n== Enable 100dpi fonts for EPICS ==\n\n(+CentOS7)\n\n<pre>\nln -s /usr/share/X11/fonts/100dpi /etc/X11/fontpath.d/\n</pre>\n\n== Enable crontab @reboot for MIDAS (CentOS7) ==\n\nel7 has a bug - cron @reboot entries for normal users can run before autofs is ready, so if the home directory\nis on autofs/NFS, it cannot be accessed and the cron job fails. If MIDAS is supposed to be\nstarted by cron @reboot, it will not start (there *will* be an error message in /var/log/cron).\n\n<pre>\nmkdir /etc/systemd/system/crond.service.d\necho -e \"[Unit]\\nAfter=ypbind.service autofs.service\\n\" > /etc/systemd/system/crond.service.d/local.conf\nsystemctl daemon-reload\nsystemctl cat crond.service\n</pre>\n\nel7 has a second bug, sometimes it thinks the network is running when it is not, specifically,\nDNS is not working and autofs mount of user home directory fails. So not only cron has\nto wait for ypbind and autofs to be ready, we also have to wait for DNS to be ready:\n\n<pre>\ncd ~/git/scripts\ngit pull\ncp etc/wait-for-dns.service /etc/systemd/system/\nsystemctl daemon-reload\nsystemctl enable wait-for-dns\nsystemctl restart wait-for-dns # should return immediately. 
if there is a 30 second time, script is broken, disable it\nsystemctl status wait-for-dns # to see what went wrong.\n</pre>\n\nExplore the systemd dependency tree using \"systemctl list-dependencies\" maybe with \"--all\".\n\nVisualize the exact boot sequence from previous boot: \"systemd-analyze plot > xxx.svg\", look at the svg file using a web browser.\n\n== Enable firewall for MIDAS (CentOS7) ==\n\nDefault el7 configuration prevents all access to servers running on the local machine, including access to MIDAS mhttpd (tcp port 8443) and mserver (all tcp ports).\n\nTo enable access to mhttpd:\n\n<pre>\nfirewall-cmd --add-port=8443/tcp --permanent\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\nTo enable access to the mserver from a specific host: (replace 142.90.111.175 with the IP address of the permitted host)\n\n<pre>\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.111.175/32\" port protocol=\"tcp\" port=\"0-65535\" accept\"\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\nTo enable access from the private network (replace \"192.168.1.0\" with your private network number):\n\n<pre>\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"192.168.1.0/24\" port protocol=\"tcp\" port=\"0-65535\" accept\"\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\n== Enable firewall for EPICS (CentOS7) ==\n\nTo enable access to TRIUMF EPICS servers, do this:\n\n<pre>\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.132.0/23\" accept\"\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\nFor UCN the controls people seem to have EPICS setup on a different server; this might be true for CMMS as well.  
In this case the firewall rule change should be\n\n<pre>\nfirewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\"142.90.139.0/23\" accept\"\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\n== Disable gdm and X11 (OPTIONAL) ==\n\n<pre>\ninitctl stop prefdm\necho \"start on never\" > /etc/init/prefdm.override\necho \"start on never\" > /etc/init/splash-manager.override\ninitctl reload-configuration\n</pre>\n\nthen enable login on default console:\n<pre>\necho \"plymouth quit\" >> /etc/rc.local\necho \"X_TTY=xxx/dev/tty1\" >> /etc/sysconfig/init\n</pre>\n\n== Install JAVAWS (OPTIONAL) ==\n\n* to run Java \"web start\" jnlp files (EVO, SEEVOGH, etc): javaws Downloads/spider.jnlp\n* install javaws:\n* yum install icedtea-web icedtea-web-javadoc\n\n== Install firefox java plugin (OPTIONAL, DO NOT DO THIS) ==\n\nThis installs the Oracle Java plugin:\n\n* rpm -vh --install ~deap/jdk-7u15-linux-x64.rpm\n* ls -l /usr/lib64/mozilla/plugins/\n* ln -s /usr/java/jdk1.7.0_15/jre/lib/amd64/libnpjp2.so /usr/lib64/mozilla/plugins/\n* start firefox, go edit->preferences->general->manage add-ons->plugins\n* \"java plugin 1.7.0_15\" should be listed\n\n\n\n== Configure USB device permissions ==\n\n(+CentOS7)\n\nConfigure USB device permissions for user access to USB-serial devices, Altera USB Blaster, etc.\n\n* create file /etc/udev/rules.d/99-usb-chmod.rules with this contents:\n\n<pre>\nemacs -nw /etc/udev/rules.d/99-usb-chmod.rules\nACTION==\"add\", SUBSYSTEM==\"usbmisc\", RUN+=\"/bin/chmod a+wr $env{DEVNAME}\" \nACTION==\"add\", SUBSYSTEM==\"usb_device\", RUN+=\"/bin/chmod a+wr /dev/%c\"\nACTION==\"add\", SUBSYSTEM==\"usb_device\", RUN+=\"/bin/chmod a+wr /proc/%c\"\nACTION==\"add\", ENV{DEVTYPE}==\"usb_device\", RUN+=\"/bin/chmod a+wr $env{DEVNAME}\"\nACTION==\"add\", ENV{DEVTYPE}==\"usb_device\", RUN+=\"/bin/chmod a+wr $env{DEVICE}\"\nACTION==\"add\", ENV{PHYSDEVBUS}==\"usb-serial\", RUN+=\"/bin/chmod a+wr $env{DEVNAME}\"\nACTION==\"add\", 
ENV{DEVPATH}==\"/class/tty/ttyS*\", RUN+=\"/bin/chmod a+wr $env{DEVNAME}\"\nACTION==\"add\", SUBSYSTEM==\"tty\", DEVPATH==\"*ttyUSB*\", RUN+=\"/bin/chmod a+rw $env{DEVNAME}\"\nACTION==\"add\", SUBSYSTEM==\"tty\", DEVPATH==\"*ttyACM*\", RUN+=\"/bin/chmod a+rw $env{DEVNAME}\"\nACTION==\"add\", SUBSYSTEM==\"tty\", DEVPATH==\"*ttyS*\", RUN+=\"/bin/chmod a+rw $env{DEVNAME}\"\nACTION==\"add\", DEVPATH==\"*video*\", RUN+=\"/bin/chmod a+rw $env{DEVNAME}\"\n</pre>\n\n* reload udev rules: udevadm control --reload-rules\n* apply new permissions: udevadm trigger --action=add\n* watch udev activity: udevadm monitor -p\n\n== Disable modem-manager ==\n\nThe modem-manager will try to talk to any serial devices attached to USB serial ports. It assumes that those devices are modems and will send out modem-specific commands. If the devices are not modems and do not understand or do not like modem commands, well that's too bad. modem-manager is installed by the ModemManager package required by the NetworkManager package, and there is no configuration setting to turn modem-manager off.\n\nOne way to disable it is: chmod a= /usr/sbin/modem-manager\n\nAnother way to disable it is by forced uninstall: rpm --erase --nodeps ModemManager\n\nRemember to kill the running copy: killall -KILL modem-manager\n\nCaveat: it is not clear whether modem-manager would be resurrected by an update to the NetworkManager or ModemManager packages.\n\n== Configure Altera jtagd ==\n\n(if needed)\n\n<pre>\nmkdir /etc/jtagd\necho 'Password = \"123\";' > /etc/jtagd/jtagd.conf\ncp -pv  /daq/daqshare/olchansk/altera/11.0/quartus/linux/pgm_parts.txt /etc/jtagd/jtagd.pgm_parts\n</pre>\n\n* start local jtagd: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagd\n* test local connection: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagconfig\n* test remote connection (add this machine to your .jtag.conf, run jtagconfig)\n\nFor more information, go to [[Quartus]]\n\n== Install EOS ==\n\nInstructions from 
here:\nhttp://eos-docs.web.cern.ch/eos-docs/quickstart/setup_repo.html\n\n<pre>\nrpm -vh --install https://dss-ci-repo.web.cern.ch/dss-ci-repo/eos/citrine/tag/el-7/x86_64/eos-repo-el7-generic-1.noarch.rpm\nyum-config-manager --disable eos-citrine # disable auto-update because all packages are not signed\nyum-config-manager --disable eos-dep # disable auto-update because all packages are not signed.\nyum install eos-client eos-fuse --enablerepo=eos-citrine\n</pre>\n\n== Install fix for the el7 systemd dbus boot hang ==\n\nAround early Summer 2018 el7 started showing a boot problem. In a nutshell,\nthere is a problem with the dbus connection between dbus and systemd that\nprevents polkit, firewalld, etc from starting. The system eventually boots\nenough that one can ssh into it, but most things do not work. Notably,\npolkit is not running, firewalld is not running, ssh login takes about 15-30 seconds.\n\nSolution is to add a special systemd service to check that dbus started correctly.\nIt runs after dbus is started, but before it is used, and it restarts dbus in a loop\nwith a delay until dbus starts correctly. 
In testing, dbus always starts correctly after\nthe first retry.\n\n<pre>\ncd ~root/git/scripts/etc\ngit pull\n/bin/cp -vf systemd-check-dbus.perl /usr/bin/\n/bin/cp -vf systemd-check-dbus.service /etc/systemd/system/\nsystemctl daemon-reload\nsystemctl enable systemd-check-dbus\nsystemctl start systemd-check-dbus\nsystemctl status systemd-check-dbus\n</pre>\n\nAfter linux boots, if everything was okay, the script will report this:\n<pre>\n[root@iris01 ~]# systemctl status systemd-check-dbus\n...\nFeb 08 17:15:49 iris01.triumf.ca systemd[1]: Starting Check that systemd is registered with dbus...\nFeb 08 17:15:49 iris01.triumf.ca sh[4283]: Starting check for systemd dbus connection\nFeb 08 17:15:50 iris01.triumf.ca sh[4283]: List:       string \"org.freedesktop.DBus\"\nFeb 08 17:15:50 iris01.triumf.ca sh[4283]: List:       string \"org.freedesktop.systemd1\"\nFeb 08 17:15:50 iris01.triumf.ca sh[4283]: systemd1 dbus service exists, success!\nFeb 08 17:15:50 iris01.triumf.ca sh[4283]: Finished check for systemd dbus connection\nFeb 08 17:15:50 iris01.triumf.ca systemd[1]: Started Check that systemd is registered with dbus.\n</pre>\n\nIf the boot problem happened, the script will report about restarting dbus.\n\nNote: the systemd service file adjusts the start order of other services, this adjustment seems to reduce the probability of the problem.\n\n== Configure GRUB boot loader (CentOS7, CentOS8) ==\n\n* emacs -nw /etc/default/grub, remove \"rhgb\" and \"quiet\" from GRUB_CMDLINE_LINUX\n* grub2-mkconfig -o /boot/grub2/grub.cfg\n* grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg\n* grub2-editenv list # show contents of boot environment file\n* /bin/rm /boot/grub2/grubenv # remove stale settings, make grub2 boot from first entry in config file\n\n== Install memtest86+ (CentOS7, CentOS8) ==\n\n<pre>\nyum -y install memtest86+\n/bin/cp -vf /usr/share/memtest86+/20_memtest86+ /etc/grub.d/\n/bin/chmod a+x /etc/grub.d/20_memtest86+ \ngrub2-mkconfig -o 
/boot/grub2/grub.cfg\n</pre>\n\n== Disable ELREPO ==\n\n<pre>\nsed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo_triumf.repo\nsed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo.repo\n</pre>\n\n== Reduce install size (optional) ==\n\nThis is optional. Only do this if reducing the size of the OS image is very important.\n\nDo this for VME processors.\n\n<pre>\nyum erase \"texlive*\" \"java*\" \"boost*\" libreoffice\"*\"\n#yum erase \"xemacs*\"\nyum erase \"libstdc++-docs\"\nyum erase firefox google-chrome\"*\"\nyum clean all\n</pre>\n\n<pre>\n/bin/rm -rf /usr/share/help\n/bin/rm -rf /usr/share/doc\n</pre>\n\n== Update from el7.6 to el7.7 ==\n\n<pre>\nyum-config-manager --disable zfs\nyum-config-manager --disable zfs-kmod\nyum-config-manager --disable zfs-testing-kmod\nyum versionlock delete zfs\nyum versionlock delete kernel\nyum -y update \"yum*\" \"rpm*\"\nyum -y erase libqtxdg lxqt-qtplugin ### LXQT is not compatible\nyum update\nafter rebooting into el7.7, follow instructions for updating ZFS from version 0.7 to 0.8.\n</pre>\n\n== Update ZFS ==\n\n* CentOS-7: 0.8.5 to 2.0.7\n** update kernel to latest version, reboot\n** check /etc/yum.repos.d/zfs.repo has [zfs-kmod] baseurl=http://download.zfsonlinux.org/epel/7.9/kmod/$basearch/\n** yum --enablerepo=zfs-kmod update\n** reboot, login as root\n** run \"zfs version\"\n** run \"zfs upgrade\"\n\n== Switch from LADD-NIS to DAQ-NIS ==\n\n<pre>\ndomainname DAQ-NIS\n/usr/lib64/yp/ypinit -s daq00\nls -l /var/yp\nsed -i s/LADD-NIS/DAQ-NIS/ /etc/yp.conf\nsed -i s/LADD-NIS/DAQ-NIS/ /etc/sysconfig/network\nsystemctl restart ypserv\nsystemctl restart ypbind\nypwhich\nypwhich -m\n</pre>\n\n== Finish installation ==\n\nreboot\n\n== Special hardware settings ==\n\n=== ASUS Crosshair mobo ===\n\n* use BIOS version 1207 or newer\n* (before CentOS7) sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors\n* CentOS7: installs correct 
drivers automatically\n\n=== ASUS Crosshair-II mobo ===\n\n* use BIOS version 2607 or newer\n* for the onboard IDE to work, add \"all-generic-ide\" to kernel boot options in grub.conf\n* sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors\n\n=== ASUS P7P55D EVO mobo ===\n\n* use BIOS version 2004 or newer\n* SL6 - install special driver for on board PCIe GigE network port and disable on board PCI GigE network port:\n** yum --enablerepo elrepo install kmod-r8168 kmod-r8169\n** # do not do this: sed 's/^blacklist/#blacklist/' -i /etc/modprobe.d/blacklist-r8169.conf\n** reboot\n** verify that correct drivers are loaded: ethtool -i eth0; ethtool -i eth1\n** note: there will be no eth1 - r8169 driver is disabled.\n\n=== ASUS P6X58-E-WS mobo ===\n\n* BIOS settings\n** F1 or DEL to enter BIOS setup, F8 boot menu\n** go to POWER->HW mon, confirm CPU temperature is around 30C. (heatsink is installed correctly. 
Bad heatsink temperature quickly goes up to 50-70C).\n** Main menu: Storage config - SATA change IDE->AHCI\n** System information: confirm BIOS version 301, CPU type, memory size\n** AI Tweak: set DRAM frequency - AUTO->DDR3-1333\n** Advanced->Onboard devices: LAN BOOT: enabled\n** Power->HW monitor: CPU Q-FAN: enabled\n** Boot->Settings: Quick boot: enabled; Full screen logo: disabled; Wait for F1: disabled\n** Save and exit\n\n=== ASUS E35M1-M PRO mobo ===\n\n* http://www.asus.com/Motherboards/E35M1M_PRO/#specifications\n* use BIOS version 1002 or newer\n* for CPU temperature: install kmod-k10temp from ELREPO (kmod-k10temp-0.0-4.el6.elrepo.x86_64.rpm)\n* for Sensors: yum --enablerepo elrepo install kmod-w83627ehf; modprobe w83627ehf; sensors\n* for Graphics: yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv\n* to enable booting from USB3, edit /etc/dracut.conf, change line \"add_drivers\" to read: add_drivers+=\"xhci-hcd\"\n* to use multiple monitors, run \"aticonfig --initial --heads=2 --adapter=1 --xinerama=on\", to change screen layout, edit /etc/X11/xorg.conf. Only dual monitors DVI+HDMI seem to work. Triple monitors do not seem to work.\n\nSensors instructions below are obsolete (use driver from ELREPO)\n* for Sensors, install driver for NCT6776F chip from https://github.com/groeck/w83627ehf/archives/master (in the Makefile, change the line \"KERNEL_BUILD=\" to read: \"KERNEL_BUILD:=/usr/src/kernels/$(TARGET)\"):\n<pre>\ncd ~root\nwget http://ladd00.triumf.ca/~olchansk/linux/groeck-w83627ehf-dd3e543/w83627ehf.ko\necho \"modprobe hwmon; modprobe hwmon-vid; modprobe k10temp; rmmod w83627ehf; insmod /root/w83627ehf.ko\" >> /etc/rc.local\n</pre>\n\n=== ASUS E45M1-M PRO mobo ===\n\n* https://www.asus.com/Motherboards/E45M1M_PRO/#specifications\n* use BIOS 1202 or newer\n* follow the E35M1-M PRO instructions above\n\n=== ASUS P9X79 WS ===\n\n* http://www.asus.com/Motherboard/P9X79_WS/\n* use BIOS version 4901. 
Older versions seem to be ok: 3101, 3401, 4701, 4802 or newer. If BIOS is 1305 or older, install P9X79-WS-CAP-Converter.ROM (BIOS 2902/3101), then the new BIOS.\n* (not needed for CentOS7) for CPU temperature, install coretemp\n* (not needed for CentOS7) for sensors, install driver for NCT6776F chip same as E35M1-M above.\n* BIOS Settings:\n** enter \"Advanced mode\"\n** Ai Tweaker -> Ai Overclock Tuner -> Set to \"XMP\" - this enables DDR3-1600 RAM speed vs DDR3-1333 by default\n** ### NOT THIS: Monitor -> CPU fan speed low limit -> Set to \"200 RPM\" - we are using high efficiency slow turning CPU coolers and the default 600 RPM is right on the edge of firing false warnings\n** Monitor -> disable Q-fan on for all fans - let all fans always run at maximum RPMs\n** Boot -> Full screen logo -> Set to \"disabled\"\n** Wait for F1 -> Set to \"disabled\"\n\n=== ASUS P8B-M ===\n\n* use BIOS version 6103 or newer\n* for CPU temperature, install coretemp\n* for sensors, install driver for NCT6776F chip same as E35M1-M above.\n\n=== SUPERMICRO X9SCL ===\n\n* yum install kmod-w83627ehf.x86_64 coretemp\n* xemacs -nw /etc/rc.local, add:\n<pre>\nmodprobe coretemp\nmodprobe w83627ehf\n</pre>\n\n=== ASUS Z87-WS ===\n\n<pre>\ncd ~root\nwget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko\necho modprobe hwmon-vid >> /etc/rc.local\necho insmod /root/nct6775.ko >> /etc/rc.local\n/etc/rc.local\nsensors\n</pre>\n\n=== ASUS Z97-WS ===\n\nthe nct6775 driver does not work because of conflict with ACPI.\n\n=== ASUS Z170-DELUXE ===\n\n* use bios 3801\n* set XMP mode (DDR4-2400)\n* Advanced->On board devices: set sata mode to \"M2\", set PCIe slot 3 to \"x4\"\n* boot: disable f1, disable logo, disable numlock\n\n=== ASUS AM1M-A ===\n\n* use BIOS 602 or later\n* SL6.5 installer cannot use USB2 ports and the network. Use USB3 ports (blue colour) to boot USB installer (memtest, rescue, etc)\n* SL6.5 kernels require boot option \"iommu=soft\" or USB2 and network do not work. 
(USB3 - blue ports - seems okey)\n* install ATI/AMD video drivers from ELREPO (see below)\n* sensors chip is ITE IT8623E, for SL6, use standalone driver from lm_sensors. (2 fans rpm, 2 temperatures):\n<pre>\ncd ~root\nwget http://ladd00.triumf.ca/~olchansk/linux/it87.ko\necho modprobe hwmon_vid >> /etc/rc.local\necho insmod /root/it87.ko >> /etc/rc.local\n. /etc/rc.local\n</pre>\n* for el7 use it87.ko driver:\n<pre>\ncd ~root\nwget https://daqshare.triumf.ca/~olchansk/linux/CentOS7/it87.ko\necho modprobe hwmon_vid >> /etc/rc.local\necho insmod /root/it87.ko >> /etc/rc.local\n. /etc/rc.local\n</pre>\n* sensors output:\n<pre>\n[root@midemma02 ~]# sensors\nradeon-pci-0008\nAdapter: PCI adapter\ntemp1:        +22.0\u00b0C  (crit = +120.0\u00b0C, hyst = +90.0\u00b0C)\n\nfam15h_power-pci-00c4\nAdapter: PCI adapter\npower1:           N/A  (crit =  25.00 W)\n\nk10temp-pci-00c3\nAdapter: PCI adapter\ntemp1:        +22.2\u00b0C  (high = +70.0\u00b0C)\n                       (crit = +70.0\u00b0C, hyst = +69.0\u00b0C)\n\nit8603-isa-0290\nAdapter: ISA adapter\nin0:          +0.96 V  (min =  +2.50 V, max =  +2.95 V)  ALARM\nin1:          +2.23 V  (min =  +0.94 V, max =  +1.22 V)  ALARM\nin2:          +2.03 V  (min =  +0.74 V, max =  +0.77 V)  ALARM\nin3:          +2.00 V  (min =  +1.26 V, max =  +0.13 V)  ALARM\nin4:          +2.23 V  (min =  +2.95 V, max =  +2.15 V)  ALARM\n3VSB:         +3.36 V  (min =  +6.00 V, max =  +2.50 V)  ALARM\nVbat:         +3.22 V  \n+3.3V:        +3.36 V  \nfan1:         611 RPM  (min =  200 RPM)\nfan2:         707 RPM  (min =  600 RPM)  ALARM\ntemp1:        +38.0\u00b0C  (low  = +122.0\u00b0C, high = +122.0\u00b0C)  sensor = thermistor\ntemp2:        +22.0\u00b0C  (low  = +119.0\u00b0C, high = -35.0\u00b0C)  ALARM  sensor = thermistor\ntemp3:       -128.0\u00b0C  (low  = +16.0\u00b0C, high = +93.0\u00b0C)  sensor = thermistor\nintrusion0:  ALARM\n\n[root@midemma02 ~]# \n</pre>\n* AMD \"Athlon(tm) 5350 APU\" graphics supports 2 monitors maximum 
(mobo has 3 video outputs, only 2 can be used together)\n\n=== Intel SE7230NH1 ===\n\n* front panel header connector pinout is like this:\n<pre>\nPWR LED | 1  2|\n        | 3  4|\nPWR LED | 5  6|\nHDD LED | 7  8|\nHDD LED | 9 10|\nPWR SW  |11 12| NIC1 LED\nPWR SW  |13 14| NIC1 LED\nRST SW  |15 16|\nRST SW  |17 18|\n        |19 20|\nNMI SW  |21 22| NIC2 LED\nNMI SW  |23 24| NIC2 LED\n...     |...  |\n        |33 34|\n</pre>\n\n=== ASUS H110M-A/M.2 ===\n\n* use BIOS 2003 or later\n* dmidecode | grep -i nct reports: Nuvoton NCT5539D\n* sensors chip is \"NCT6793D or compatible chip\", for el7, use this driver:\n<pre>\ncd ~root\nwget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko\necho modprobe hwmon-vid >> /etc/rc.local\necho insmod /root/nct6775.ko >> /etc/rc.local\n/etc/rc.local\nsensors\n</pre>\n\n* sensors output:\n<pre>\n[root@daq03 ~]# sensors\nacpitz-virtual-0\nAdapter: Virtual device\ntemp1:        +27.8\u00b0C  (crit = +119.0\u00b0C)\ntemp2:        +29.8\u00b0C  (crit = +119.0\u00b0C)\n\nnct6793-isa-0290\nAdapter: ISA adapter\nin0:                       +0.34 V  (min =  +0.00 V, max =  +1.74 V)\nin1:                       +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin2:                       +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin3:                       +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin4:                       +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin5:                       +0.15 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin6:                       +0.97 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin7:                       +3.38 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin8:                       +3.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin9:                       +1.00 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin10:                      +0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin11:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin12:                      
+0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin13:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nin14:                      +0.13 V  (min =  +0.00 V, max =  +0.00 V)  ALARM\nfan1:                     1041 RPM  (min =    0 RPM)\nfan2:                     1020 RPM  (min =    0 RPM)\nfan5:                        0 RPM  (min =    0 RPM)\nfan6:                        0 RPM\nSYSTIN:                   +119.0\u00b0C  (high = +98.0\u00b0C, hyst = +95.0\u00b0C)  sensor = thermistor\nCPUTIN:                    +26.5\u00b0C  (high = +80.0\u00b0C, hyst = +75.0\u00b0C)  sensor = thermistor\nAUXTIN0:                   +27.5\u00b0C    sensor = thermistor\nAUXTIN1:                  +112.0\u00b0C    sensor = thermistor\nAUXTIN2:                  +111.0\u00b0C    sensor = thermistor\nAUXTIN3:                  +111.0\u00b0C    sensor = thermistor\nPECI Agent 0:              +28.0\u00b0C  (high = +98.0\u00b0C, hyst = +95.0\u00b0C)\n                                    (crit = +100.0\u00b0C)\nPECI Agent 0 Calibration:  +25.5\u00b0C  \nPCH_CHIP_CPU_MAX_TEMP:      +0.0\u00b0C  \nPCH_CHIP_TEMP:              +0.0\u00b0C  \nintrusion0:               ALARM\nintrusion1:               ALARM\nbeep_enable:              disabled\n\ncoretemp-isa-0000\nAdapter: ISA adapter\nPhysical id 0:  +31.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\nCore 0:         +31.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\nCore 1:         +28.0\u00b0C  (high = +80.0\u00b0C, crit = +100.0\u00b0C)\n\n[root@daq03 ~]# \n</pre>\n\n=== Supermicro X11SSH-F ===\n\n* blacklist the mei and mei_me drivers per http://www.supermicro.com/support/faqs/faq.cfm?faq=14537\n<pre>\n[root@alpha00 ~]# more /etc/modprobe.d/blacklist.conf\nblacklist mei\nblacklist mei_me\n[root@alpha00 ~]# \n</pre>\n* mobo requires M.2 PCIe SSD (M.2 SATA SSD would not work. 
SATA SATA SSD ok)\n* boot from M.2 PCIe SSD requires UEFI boot (from an MSDOS partition on the SSD)\n\n=== ASUS TUF Z390M-PRO GAMING (WI-FI) ===\n\n* BIOS 2417 is okay, upgrade to this if older\n* do not set XMP memory mode\n* in the BIOS, enable the boot compatibility support module mode: BIOS (press DEL) -> Advanced mode -> BOOT -> CSM Module -> Enable CSM \"yes\".\n* for SL6, install e1000e driver from ELREPO:\n<pre>\nyum install --enablerepo=elrepo kmod-e1000e\n</pre>\n* sensors chip appears to be \"Nuvoton NCT6798D\", not clear what driver to use\n* dmidecode | grep -i nct reports: Nuvoton NCT6798D\n* kmod-nct6775-0.0-5.el7_7.elrepo.x86_64.rpm from ELrepo finds the chip but bombs because of conflict with ACPI\n\n=== ASUS PRIME X399-A ===\n\n* BIOS 1002\n* for reading temperatures and fan rotations, install driver: https://github.com/electrified/asus-wmi-sensors/issues/29\n\n== Configure X11 graphics ==\n\n=== Special settings for DAQ ===\n\n* add the following at the end of /etc/X11/xorg.conf. 
This enables Ctrl-Alt-KP-/ and Ctrl-Alt-KP-* to unlock the keyboard after an Altera Quartus crash:\n<pre>Section \"ServerFlags\"\n        Option \"AllowDeactivateGrabs\" \"true\"\n        Option \"AllowClosedownGrabs\" \"true\"\nEndSection</pre>\n\n=== Install NVIDIA drivers ===\n\n* yum --enablerepo=elrepo install nvidia-detect\n* run: nvidia-detect\n* as instructed by nvidia-detect, install correct driver:\n** yum --enablerepo=elrepo install kmod-nvidia\n** yum --enablerepo=elrepo install kmod-nvidia-304xx\n** yum --enablerepo=elrepo install kmod-nvidia-173xx\n* (before SL6.x:  if it fails due to conflict with module-init-tools, run \"yum --disablerepo \\* --enablerepo elrepo update module-init-tools\")\n* yum erase xorg-x11-glamor ### see http://elrepo.org/tiki/kmod-nvidia (search for glamor)\n* mv /etc/X11/xorg.conf /etc/X11/xorg.conf-xxx\n* nvidia-xconfig\n* (SL6) reboot\n* (SL5) /dev/MAKEDEV nvidia\n* (SL5) restart the X11 server (Ctrl-Alt-Backspace or \"killall Xorg gdm-binary\")\n* observe that X11 server restarts using the NVIDIA driver (big NVIDIA logo on startup)\n* if needed, login as root and run \"nvidia-settings\" to set up dual-screen configuration, etc\n\n=== Install legacy NVIDIA drivers ===\n\nFor old NVIDIA cards:\n* GeForce FX 5500\n\n<pre>\nwget http://us.download.nvidia.com/XFree86/Linux-x86/173.14.31/NVIDIA-Linux-x86-173.14.31-pkg1.run\nsh ./NVIDIA-Linux-x86-173.14.31-pkg1.run\n</pre>\n\n* GeForce 6200 - NVIDIA Corporation NV44A [GeForce 6200]\n<pre>\nyum install nvidia-x11-drv-304xx-304.121 --enablerepo=elrepo\nnvidia-xconfig\nrmmod nvidia\nkillall gdm-binary\n# login as root\nnvidia-settings # set up multiple displays\n</pre>\n\n=== Install ATI/AMD drivers ===\n\n* yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv\n* check that /etc/X11/xorg.conf section \"Device\" entry \"Driver\" says \"fglrx\"\n* run \"aticonfig --initial\" to create xorg.conf if existing one is not 
good\n* run \"amdcccle\" as root to configure dual-screens, etc\n  Note: 'amdcccle' is a GUI, so you must run this command from within a running X session\n* killall Xorg\n\n=== Install ATI/AMD drivers (CentOS7) ===\n\n* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm\n* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm\n* yum install acpid\n* rpm -vh --install kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm\n* amdconfig -f --initial\n* grub2-mkconfig -o /boot/grub2/grub.cfg\n* reboot\n* login as root\n* amdcccle\n\nNOTE: if both drivers (radeon and fglrx) are loaded, boot will hang. The radeon driver is supposed to be blacklisted through the grub rdblacklist=radeon entry, which is installed by running grub2-mkconfig.\n\n=== Install Intel drivers for HD4600/Z87 ===\n\nSL6.5 has the required drivers for the socket 1150 machines with Intel HD4600 graphics and Z87 chipset.\n\nASUS Z87 WS motherboard has these video connections with corresponding Intel video port assignments, as reported by \"xrandr\":\n* DisplayPort - DP1/HDMI1\n* MiniDisplayPort - DP2/HDMI2\n* HDMI - HDMI3\n\nDue to hardware limitations, 3 HDMI monitors using 2 passive DP-HDMI adapters (and 1 straight HDMI) cannot be used.\n\nTo use 3 monitors do this:\n* 1st monitor: DisplayPort - DP-to-HDMI-passive-adapter - HDMI monitor (not tried: DP-to-DP-cable - DisplayPort monitor).\n* 2nd monitor: MiniDisplayPort - MiniDP-to-DP-cable - DisplayPort monitor\n* 3rd monitor: HDMI - HDMI-cable - HDMI monitor\n\nWith the monitors I have (Dell 1920x1200 VGA-HDMI-DP), the software thinks that there are 4 monitors: somehow both DP2 and HDMI2 see 1 monitor each, but the hardware cannot drive 4 monitors, so everything goes blank. 
To fix, disable HDMI2 (xrandr -display :0 --output HDMI2 --off) and enable DP2 (xrandr -display :0 --output DP2 --auto).\n\nHow to make this configuration permanent and how to assign monitor locations (left-right, etc), you figure it out.\n\n=== Manual selection of monitor, video mode and resolution ===\n\nAutomatic selection of monitor and video mode usually works. When it does not, configure it manually:\n\n* physically go to the computer\n* login as root\n* run \"nvidia-settings\" on machines using the NVIDIA driver\n* run \"aticonfig\" on machines with the ATI/AMD driver (use \"aticonfig --initial\" for initial setup, and good luck with anything more complicated)\n* run \"system-config-display\".\n** In the \"hardware\" tab, select monitor type: \"generic LCD 1280x1024\" or \"generic LCD 1600x1200\".\n** In the \"settings\" tab, select \"1280x1024\" or \"1600x1200\" and \"Thousands of colors\".\n** Press \"ok\", the display settings application should close.\n* Logout, the new login window should use the new settings.\n\n=== Disable screen saver ===\n\nIf a machine is booted without any monitor connected, current video cards do not enable any video outputs. If a monitor is connected later, there is no video image and there is no easy way to get a video image.\n\nThis can be solved by configuring X11 to always enable some video output. Because the monitor type is not known when X11 starts, one has to select some standard video mode (i.e. 
VESA 1280x1024) on some video output (VGA, DVI or HDMI).\n\nOnly NVIDIA cards with the NVIDIA driver (from EPEL) is supported by these instructions.\n\n* create default xorg.conf: nvidia-xconfig\n* edit /etc/X11/xorg.conf\n* add monitor section for the fake monitor:\n<pre>\nSection \"Monitor\"\n    Identifier     \"Monitor0\"\n    VendorName     \"Unknown\"\n    ModelName      \"Unknown\"\n    HorizSync       31.0 - 83.0\n    VertRefresh     59.0 - 61.0\n    Option         \"DPMS\" \"off\"\n    ModeLine \"1280x1024\"   108.00   1280 1328 1440 1688   1024 1025 1028 1066 +hsync +vsync\nEndSection\n</pre>\n* add output selection in the \"Device\" section:\n<pre>\nSection \"Device\"\n    Identifier     \"Device0\"\n    Driver         \"nvidia\"\n    VendorName     \"NVIDIA Corporation\"\n    BoardName      \"GeForce 210\"\n    #Option \"ConnectedMonitor\" \"DFP\"\n    #Option \"ConnectedMonitor\" \"CRT\"\n    Option \"ConnectedMonitor\" \"CRT-1\"\n    Option \"UseEDID\" \"no\"\nEndSection\n</pre>\n* add fake video mode to the \"Screen\" section:\n<pre>\nSection \"Screen\"\n    Identifier     \"Screen0\"\n    Device         \"Device0\"\n    Monitor        \"Monitor0\"\n    DefaultDepth    24\n    SubSection     \"Display\"\n        Depth       24\n        Modes       \"1280x1024\"\n    EndSubSection\nEndSection\n</pre>\n* disable screen saver and DPMS power off in the \"ServerLayout\" or \"ServerFlags\" section:\n<pre>\nSection \"ServerLayout\"\n    Identifier     \"Layout0\"\n    Screen      0  \"Screen0\" 0 0\n    InputDevice    \"Keyboard0\" \"CoreKeyboard\"\n    InputDevice    \"Mouse0\" \"CorePointer\"\n    Option         \"Xinerama\" \"0\"\n    Option         \"BlankTime\" \"0\"\n    Option         \"StandbyTime\" \"0\"\n    Option         \"SuspendTime\" \"0\"\n    Option         \"OffTime\" \"0\"\nEndSection\n\nSection \"ServerFlags\" \n    Option         \"BlankTime\" \"0\" \n    Option         \"StandbyTime\" \"0\" \n    Option         \"SuspendTime\" \"0\" \n 
   Option         \"OffTime\" \"0\" \nEndSection \n</pre>\n\n== Finish installation ==\n\n* logout and reboot the computer to have all the changes to take effect\n\n== Configure HTTPS server (CentOS7) ==\n\nThis will configure the HTTPS/SSL certificate using \"certbot\" and \"letsencrypt\" and configure an HTTPS web server using apache httpd.\n\nFirst, configure apache httpd:\n\n* execute these commands:\n<pre>\nyum install -y mod_ssl certwatch crypto-utils\ncd /etc/httpd/conf.d/\nmv ssl.conf ssl.conf-not-used ### remove the stock ssl.conf which refers to the localhost certificate that will expire in 1 year\ntouch ssl.conf ### create a blank file to prevent automatic updates from installing a stock ssl.conf file\n# this is done later: rm /etc/pki/tls/certs/localhost.crt\n</pre>\n* create new file ssl-daq12.conf # use actual hostname instead of daq12\n<pre>\nListen 443 https\n#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog\nSSLSessionCache         shmcb:/run/httpd/sslcache(512000)\nSSLSessionCacheTimeout  300\nSSLRandomSeed startup file:/dev/urandom  256\nSSLRandomSeed connect builtin\nSSLCryptoDevice builtin\n\n<VirtualHost *:443>\nServerName daq12.triumf.ca\nDocumentRoot /var/www/html\nErrorLog /var/log/httpd/daq12.log\nSSLEngine on\n# note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf\n# new SSL settings: K.O. 
Jan 2020, SSLlabs rating \"A+\"\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!RSA\nSSLHonorCipherOrder on\n# previous SSL settings:\n#SSLProtocol all -SSLv2 -SSLv3\n#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4\nSSLCertificateFile /etc/pki/tls/certs/localhost.crt\nSSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt\n#ProxyPass /elog/ http://localhost:8082/ retry=1\n#ProxyPass /      http://localhost:8080/ retry=1\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains\"\n<Location />\nSSLRequireSSL\nAuthType Basic\nAuthName \"DAQ password protected site\"\nRequire valid-user\n# create password file: touch /etc/httpd/htpasswd\n# to add new user or change password: htpasswd /etc/httpd/htpasswd username\nAuthUserFile /etc/httpd/htpasswd\n</Location>\n</VirtualHost>\n</pre>\n* stop httpd from listening on port 80: edit /etc/httpd/conf/httpd.conf, comment out the line \"Listen 80\"\n* enable and start httpd:\n<pre>\nsystemctl enable httpd\nsystemctl restart httpd\nsystemctl status httpd\n</pre>\n* try to access https://daq12.triumf.ca\n** you should see a complaint about self-signed certificate\n** you should see a request for password (do not login yet)\n** if you get \"connection refused\", HTTPS port 443 may need to be enabled in the local firewall, then try again:\n<pre>\nfirewall-cmd --add-port=443/tcp --permanent\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n\nSecond, configure certbot:\n\n(Note: as of 2018-01-18 certbot requires use of http port 80 to get the initial https certificate,\nrenewal can continue to use the https port 443)\n\n(Note: as of 2019-01-?? 
certbot requires use of port 80 for renewals)\n\n* check that port 80 is not used by anything:\n* netstat -an | grep LISTEN | grep ^tcp | grep 80\n* lsof -P | grep -i tcp | grep LISTEN | grep 80\n* if lsof reports that httpd is listening on port 80, follow the httpd instructions above (remove \"Listen 80\" from httpd.conf)\n\n* install certbot and open tcp port 80 in the firewall:\n<pre>\nyum install -y certbot python2-certbot-apache # (from EPEL)\nfirewall-cmd --add-port=80/tcp --permanent\nfirewall-cmd --reload\nfirewall-cmd --list-all\n</pre>\n* certbot certonly --standalone --installer apache # then answer questions:\n* \"activate HTTPS for daq12.triumf.ca\" - say ok\n* \"enter email address\" - enter your own email address\n* \"please read terms...\" - read the terms and say \"agree\"\n* it will take a few moments...\n* \"please choose...\" - say \"easy\" (http access is disabled (a) by firewall, (b) by local configuration)\n* \"congratulations...\" - say ok.\n* certbot install --apache --cert-name daq12.triumf.ca # then answer questions:\n* \"choose redirect...\" - say \"1\" (no redirect)\n* look inside ssl-daq12.conf to see that SSLCertificateFile & co point to certbot certificates in /etc/letsencrypt/live/daq12.triumf.ca/\n* remove self-signed localhost certificate, it will expire in 1 year and cause warnings and complaints: rm /etc/pki/tls/certs/localhost.crt\n* enable automatic renewal\n<pre>\nsystemctl enable certbot-renew.timer\nsystemctl start certbot-renew.timer\nsystemctl list-timers --all\n</pre>\n\n* to check correct renewal and to update the certbot config file in /etc/letsencrypt/renewal, run this:\n<pre>\ncertbot renew --standalone --installer apache --force-renewal\n</pre>\n\nNOTE: this certificate will expire in 3 months, automatic renewal should work starting with certbot-0.12.0-4.el7.noarch.\nCertificate expiration should be automatically detected by \"certwatch\" and email\nwill be sent to local root user, to be forwarded to an actual person 
by ~root/.forward.\n\nThird, activate password protection:\n\n* as shown in the config file above, create password file and initial user: (replace \"midas\" with specific username)\n<pre>\ntouch /etc/httpd/htpasswd\nhtpasswd /etc/httpd/htpasswd midas\n</pre>\n\nFinal test:\n* access https://daq12.triumf.ca - https status should be \"green\"\n* login with password should work\n* the apache httpd test page should load\n* check site security using the SSLlabs https tester. (I get grade \"A-\"): https://www.ssllabs.com/ssltest/\n\nFrom here:\n* Configure selinux to allow proxying\n<pre>\n setsebool -P httpd_can_network_connect 1\n systemctl restart httpd\n</pre>\n* enable proxy for MIDAS mhttpd - uncomment redirect in the config file above\n* enable proxy for ELOG - ditto\n\nNOTE: if certbot fails with errors about 'module' object has no attribute 'pyopenssl',\ntry this: pip install requests==2.6.0\n\n== Configure large RAID6 arrays ==\n\n* connect the disks\n* check the disks health\n** run smart-status.perl\n* partition the disks\n** yum install gdisk\n** gdisk /dev/sdX\n** delete all partitions: o\n** create new partition: n, enter, enter, enter, fd00 (default sizes, partition type fd00)\n** write and exit: w\n* check presence of all partitions:\n** /bin/ls -l /dev/sd*1\n* prepare to use an external bitmap file\n** touch /md6bitmap\n** edit /etc/fstab, change entry for root filesystem from: \"defaults 1 1\" to \"defaults 0 0\"\n** edit /boot/grub/grub.conf, change entry \"kernel ... ro ...\" to \"kernel ... 
rw ...\"\n* create raid array:\n** mdadm --create /dev/md6 --level=6 --bitmap=/md6bitmap --raid-devices=10 /dev/sd[b-k]1\n** mdadm -Ds >> /etc/mdadm.conf\n** cleanup /etc/mdadm.conf\n** echo \"echo 16384 > /sys/block/md6/md/stripe_cache_size\" >> /etc/rc.local\n** echo \"echo 1     > /sys/block/md6/md/sync_speed_min\" >> /etc/rc.local\n** source /etc/rc.local\n* observe raid array rebuild:\n** watch -d -n1 \"cat /proc/mdstat\"\n\n== Configure ZFS ==\n\n=== Install ZFS ===\n\n(from here: https://github.com/zfsonlinux/zfs/wiki/RHEL-%26-CentOS)\n\nFollow the instructions for \"kABI-tracking kmod\" - dkms modules seem to always mess up the system when upgrading to next release of zfs.\n\n<pre>\n#rpm -vh --install http://archive.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_3.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_4.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_6.noarch.rpm\n#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm\nyum install http://download.zfsonlinux.org/epel/zfs-release.el7_9.noarch.rpm\nyum-config-manager --disable zfs\nyum-config-manager --disable zfs-kmod\nyum --enablerepo=zfs-kmod clean all\nyum --enablerepo=zfs-kmod install zfs\n#sed 's/^SELINUX=.*/SELINUX=disabled/' -i /etc/selinux/config\necho USE_DISK_BY_ID=\\'yes\\' >> /etc/default/zfs\n#systemctl enable zfs-import-cache\n#systemctl enable zfs-mount\n#systemctl enable zfs-share\n#systemctl enable zfs-zed\n#shutdown -r now # required to load the zfs kernel modules and to disable selinux\nmodprobe zfs # should work\nzpool status # should report no pools available\n</pre>\n\n#Note: zfs and selinux are not compatible: with selinux enabled, files on zfs cannot be deleted (files are gone, 
but \"df\" does not go down, zfs-0.6.5.7-1.el7.centos.x86_64), see #https://github.com/zfsonlinux/zfs/issues/4845\n\n* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/zfs-quickstart.html\n* http://www.freebsd.org/cgi/man.cgi?query=zpool&sektion=8\n\nIf ZFS kernel module does not load automatically at boot time, add this to load it manually:\n<pre>\nls -l /etc/sysconfig/modules/\ncat > /etc/sysconfig/modules/zfs.modules <<EOF\nif [ ! -e /sys/module/zfs ] ; then\n  modprobe zfs;\nfi\nEOF\nchmod +x /etc/sysconfig/modules/zfs.modules\n</pre>\n\n=== Update ZFS (CentOS-7.9) ===\n\n* update CentOS-7.x to latest point release\n* reboot to latest kernel\n* check that currently installed ZFS is 0.8.x (not 0.7 or older)\n* then update ZFS:\n<pre>\n[root@daq16 ~]# zfs version\nzfs-0.8.4-1\nzfs-kmod-0.8.4-1\n[root@daq16 ~]# yum --enablerepo=kmod-zfs update\n...\n[root@daq16 ~]# zfs version ### observe mismatched version numbers: 0.8.5 userspace vs 0.8.4 kernel module\nzfs-0.8.5-1\nzfs-kmod-0.8.4-1\n</pre>\n* reboot to activate the updated kernel module\n* zfs version again\n<pre>\n[root@daq16 ~]# zpool version\nzfs-0.8.5-1\nzfs-kmod-0.8.5-1\n</pre>\n* zpool status in case some ZFS volume needs to be updated\n<pre>\n[root@daq16 ~]# zpool status\n  pool: z12tb\n state: ONLINE\n...\n</pre>\n\n=== Update ZFS 0.7 to 0.8 ===\n\nHow to identify zfs 0.7: \"zfs version\" does not work, also \"rpm -q zfs\"\n\nzfs 0.7 is obsolete.\n\nTo update to zfs 0.8 or newer, remove 0.7, then install\nnew version per instructions above.\n\n* remove zfs 0.7\n<pre>\nyum versionlock delete zfs ### versionlock not needed anymore\nyum versionlock delete kernel ### versionlock not needed anymore\nrm /etc/yum.repos.d/zfs.repo* ### delete old repo files\nyum erase zfs spl\n</pre>\n* reboot\n* install new zfs per instructions above\n* zpool import -as\n* zpool status ### check if any pool needs to be upgraded\n* zpool upgrade zssd ### upgrade zfs pool features\n\n=== Lock kernel and zfs packages 
===\n\n!!! THIS IS NOT NEEDED ANYMORE !!!\n\n<pre>\nyum versionlock kernel\nyum versionlock zfs\nyum-config-manager --disable zfs\nyum-config-manager --disable zfs-kmod\n</pre>\n\n=== Follow generic ZFS instructions ===\n\nHere: [[ZFS]]\n\n== performance notes ==\n\nGo here: [[disk_benchmarks]]\n\n== Configure UEFI boot ==\n\nSome mobo can boot from NVME (PCIe) SSDs only via UEFI boot. Do this:\n\n* partition the NVME SSD using gdisk (must be GPT partition table, must have MSDOS EFI partition size 512MiB)\n<pre>\n[root@alpha00 ~]# gdisk -l /dev/nvme0n1\nGPT fdisk (gdisk) version 0.8.6 ...\nFound valid GPT with protective MBR; using GPT.\nDisk /dev/nvme0n1: 500118192 sectors, 238.5 GiB\nLogical sector size: 512 bytes\nDisk identifier (GUID): 1A82CC87-2757-44ED-980F-C78E3681D9D3\nPartition table holds up to 128 entries\nFirst usable sector is 34, last usable sector is 500118158\nPartitions will be aligned on 2048-sector boundaries\nTotal free space is 2014 sectors (1007.0 KiB)\n\nNumber  Start (sector)    End (sector)  Size       Code  Name\n   1            2048         1050623   512.0 MiB   EF00  EFI System\n   2         1050624       500118158   238.0 GiB   8300  Linux filesystem\n[root@alpha00 ~]# \n</pre>\n* create filesystems\n<pre>\nmkfs.msdos /dev/nvme0n1p1\nmkfs.xfs /dev/nvme0n1p2\n</pre>\n* prepare EFI partition\n<pre>\nmkdir /mnt/efi\nmount /dev/nvme0n1p1 /mnt/efi\nmkdir -p /mnt/efi/efi/boot\ncd /mnt/efi/efi/boot\n# with Ubuntu LTS 20.04\ncp /boot/vmlinuz vmlinuz # copy the desired linux kernel\n#cp /boot/initramfs initramfs.img # copy the matching initramfs file\ncp /boot/initrd.img initrd.img # copy the matching initrd file\n#from /home/olchansk/sysadm/syslinux/syslinux-6.03 copy\ncp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/efi/syslinux.efi .\ncp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/com32/elflink/ldlinux/ldlinux.e64 .\ncp syslinux.efi bootx64.efi\n</pre>\n* create syslinux config file: syslinux.cfg\n<pre>\ndefault linux\nlabel 
linux\nkernel vmlinuz\nappend ro root=/dev/nvme0n1p2 nomodeset initrd=initrd.img\n</pre>\n* prepare system partition\n<pre>\nmkdir /mnt/tmp\nmount /dev/nvme0n1p2 /mnt/tmp\nrsync -avx / /mnt/tmp\ncd /mnt/tmp\n#edit etc/fstab\n#edit etc/sysconfig/selinux # set selinux to permissive mode because rsync did not copy the selinux labels\n</pre>\n* unmount and reboot\n* restore selinux labels after first boot\n<pre>\n#login as root\ncd /\nrestorecon -R / # can also add \"-v\" to see progress, but runs much slower\n#edit /etc/sysconfig/selinux # enable selinux\n#shutdown -r now # reboot with selinux enabled\n</pre>\n\n= Configure UEFI secure boot =\n\nThe above instructions do not quite work if \"secure boot\" is enabled.\n\nThese modifications are needed:\n\n* ls -l /boot/efi/EFI/bootko/\n<pre>\ntotal 140116\n-rwxr-xr-x 1 root root      108 Feb 24 15:47 BOOTX64.CSV\n-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 bootx64.efi\n-rwxr-xr-x 1 root root   217495 Feb 24 16:16 config-4.15.0-74-generic\n-rwxr-xr-x 1 root root      105 Feb 24 15:47 grub.cfg\n-rwxr-xr-x 1 root root   199952 Feb 24 16:16 grubx64.efi\n-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initramfs.img\n-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initrd.img-4.15.0-74-generic\n-rwxr-xr-x 1 root root   139968 Feb 24 16:16 ldlinux.e64\n-rwxr-xr-x 1 root root  1269496 Feb 24 15:47 mmx64.efi\n-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 shimx64.efi\n-rwxr-xr-x 1 root root      171 Feb 24 16:16 syslinux.cfg\n-rwxr-xr-x 1 root root      102 Feb 24 16:16 syslinux.cfg~\n-rwxr-xr-x 1 root root   199952 Feb 24 16:16 syslinux.efi\n-rwxr-xr-x 1 root root  4068355 Feb 24 16:16 System.map-4.15.0-74-generic\n-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz\n-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz-4.15.0-74-generic\n</pre>\n** shimx64.efi is a copy from /boot/efi/EFI/ubuntu\n** bootx64.efi is a copy of shimx64.efi (maybe not needed?)\n** grubx64.efi is a copy of syslinux.efi\n* efibootmgr -c -d /dev/nvme0n1 -p 2 
-w -L bootko -l '\\EFI\\bootko\\shimx64.efi'\n* efibootmgr -v\n<pre>\nroot@daqubuntu:~# efibootmgr -v\nBootCurrent: 0000\nTimeout: 1 seconds\nBootOrder: 0000,0001,0002\nBoot0000* bootko        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\\EFI\\BOOTKO\\SHIMX64.EFI)\nBoot0001* Hard Drive    BBS(HD,,0x0)..GO..NO........y.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7....................A.......................................<..Gd-.;.A..MQ..L.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7........BO\nBoot0002* ubuntu        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\\EFI\\UBUNTU\\SHIMX64.EFI)..BO\nroot@daqubuntu:~# \n</pre>\n* NOTE: if, after running \"efibootmgr -c\", the UUID is zero, then it probably did not take and the entry will vanish after reboot. In my case the mistake was to use \"-p 1\" instead of \"-p 2\".\n\nBoot sequence is this:\n* shimx64.efi - Microsoft-signed boot loader is accepted by secure boot, loads and runs\n* shimx64.efi loads and runs grubx64.efi, this file name is hardwired into the signed shim, cannot be changed\n* grubx64.efi is syslinux.efi (could be anything)\n* syslinux.efi runs, loads syslinux.cfg, loads the linux kernel, loads the initrd, runs the linux kernel with specified flags (ro root=...).\n\n= UEFI syslinux kernel update =\n\nTo update the linux kernel booted by UEFI syslinux, use this script:\n* ~root/git/scripts/etc/update_efi.perl\n\n= Update SL6 ssh =\n\nStock SL6 ssh is now very old and, by default, cannot connect to current Ubuntu and MacOS sshd. 
In reverse their ssh cannot connect to SL6 sshd.\n\nWorkaround is to manually enable SL6-compatible settings.\n\n<pre>\nroot@daq00:~# ssh -oHostKeyAlgorithms=+ssh-rsa -oPubKeyAcceptedAlgorithms=+ssh-rsa ladd00\n</pre>\n\nSolution is to install newer ssh on affected SL6 machines.\n\n<pre>\nssh root@sl6-machine\ncd /opt\ngit clone https://daq00.triumf.ca/~olchansk/git/openssh.git\n/bin/cp -pv /etc/ssh/*key* /opt/openssh/etc/ ### copy old ssh host keys\n/opt/openssh/bin/ssh-keygen -A ### generate any missing ssh host keys\n# test sshd /opt/openssh/sbin/sshd -p 2222 -d\n/bin/mv /usr/sbin/sshd /usr/sbin/sshd-SL6\n/bin/ln -s /opt/openssh/sbin/sshd /usr/sbin/\n/bin/mv /usr/bin/ssh /usr/bin/ssh-SL6\n/bin/ln -s /opt/openssh/bin/ssh /usr/bin/\nservice sshd restart\n</pre>\n\nBuild openssh:\n\n<pre>\nssh sl6-machine\ncd git\ngit clone git://anongit.mindrot.org/openssh.git\ncd openssh\nautoreconf\nxemacs -nw ./configure ### fix syntax error: line 28124 empty \"if/then/else\" block bombs out, fill it with \"AAA=aaa\"\n./configure --prefix=/opt/openssh\nmake -j\n</pre>\n\nInstall openssh:\n\n<pre>\nssh root@sl6-machine\ncd .../git/openssh\nmake install ### copies stuff to /opt/openssh\n/opt/openssh/sbin/sshd -p 2222 -d ### test sshd\n/opt/openssh/bin/ssh -v sl6-machine ### test ssh\n</pre>"
                    }
                ]
            }
        }
    }
}