SLinstall: Difference between revisions

From DaqWiki
(190 intermediate revisions by 2 users not shown)

== Disk configurations ==

The year is 2019 and SSDs are used exclusively, except for bulk data storage, where one uses 6-8-10-12 TB HDDs.

For non-critical machines, a single SSD seems to be reliable enough to use as a boot and OS disk. But since any storage device can fail at any time without warning, home directories and data disks should use redundant storage (mdadm raid1, or ZFS raid1/raid6).

Note: for data disks bigger than 4-6TB, mdadm raid1/raid6 is no longer recommended because raid rebuild, verification and repair times have become unreasonably long. Instead, use ZFS raid1/raid6, which implements online verification, repair and disk replacement without requiring machine shutdown or OS downtime.

* single SSD - 120GB min - single partition for "/", no swap partition (create a swap file if swap is needed) - for non-critical machine with no local data storage (OS only)
* dual SSD - 2x240GB min - all partitions mirrored (RAID1), 30GB "/", rest for /home1 - for daq station with local user home directories and no bulk data storage
* single SSD + 2x6-8-10-12TB HDD - SSD partition: all "/", HDD partition as ZFS raid1 (mirrored) - for daq station with small local bulk data storage
* single SSD + 6-8x6-8-10-12TB HDD - SSD partition: all "/", HDD partition as ZFS raid6 (see note above) - for small storage server machines and daq stations with local home directories and large bulk data storage


For VME processors:
* note the MAC addresses of all network interfaces, add them to ladd00 dhcpd.conf to enable PXE boot into the SL "network installer"
* shutdown
== Running SL installer ==
* Start installation of the new system:
* IMPORTANT: if you have WDC "Advanced Format" disks (4kB sectors), disks have to be repartitioned before use, see special instructions (TBW) (note: use fdisk -H 224 -S 56 /dev/sdx)
* (NOT AVAILABLE ANYMORE) boot from latest "SL5 kickstart" CD from Kelvin Raywood or PXE boot the latest SL installation image. after the system enters graphical mode, one can remove the CD- the installation is running over the network
* boot from ladd00 PXE server - after power up, during BIOS POST, press BIOS "boot selection menu" key (F8, F12, etc). The MAC of the network interface should be listed in the ladd00 dhcpd.conf file. In the PXE boot menu, select SL6x-64 kickstart install.
* linux will boot into the graphical installer
* two questions will be asked: how to partition the disks and the root password. The rest of the installation is automatic.
* to partition the disks, select "Custom partitioning":
** If using a single SSD (30 or 60 GB), use whole disk for "/" partition (no swap partition)
** If using single HD, create 4 primary partitions (see below)
** If using dual HDs (should be same size), create 4 "RAID1" (see below) (DO NOT USE LVM)
** Use these partition sizes:
*** "/" - 40GB - md0 or sda1
*** swap - 32 GB - md1 or sda2
*** "/home1" - 100 GB - md2 or sda3
*** "/data" - remaining disk space - md3 or sda4
* if installer asks questions about boot loader, accept default settings
* package installation will proceed automatically
* when finished will ask "press button to reboot"
* boot newly installed system
* if installing without a kickstart, some questions need to be answered:
** Firewall: disabled
** SELinux: disabled
** KDump: disabled
** Date and Time: leave kickstart defaults (should be NTP using TRIUMF time servers)
** Create user: skip - will be handled during post-installation
** The system will reboot again
* after the final reboot, login as root and proceed with post-installation.


== Running installer (CentOS7) ==

CentOS7 can be installed from vanilla CentOS7 installation media or from a custom USB key built per the instructions at https://daqshare.triumf.ca/~olchansk/linux/CentOS7/

The custom installer makes it easy to use a custom kickstart file (ks.cfg). Compared to the SL6 installer there are some improvements and several quirks:

* the disk management part of the installer was completely reworked and is much harder to use (see the partitioning notes below).
* the boot loader is now installed to the correct disk (it no longer overwrites the usb-installer itself).
* the vanilla installer removed all support for NIS and after first boot requires creation of a fake local user. To avoid this, use the usb-installer or a custom kickstart installer that removes the package "gnome-initial-setup".


Instructions for using the usb-installer:

* disconnect machine from network
* plug the usb-installer into a usb3 port (blue colour)
* reboot machine, select booting from usb (press F8 on ASUS motherboards)
* usb-installer boot menu offers to install CentOS7, go there
** say "done"
** the "manual partitioning" menu will open
** recommended is to use a 120GB SSD, partition the whole SSD as one large partition ("standard partition" choice), use the XFS filesystem (BTRFS is still experimental), no swap (the installer will complain, but accept the lack of swap):
*** use the "-" button to delete all existing partitions
*** select "standard partition"
* after installation is complete, reboot the machine
* unplug the usb-installer, CentOS7 should boot from SSD into the login screen
* click on "not listed?", login as root
* setup network connection:
** open a terminal
** start "nm-connection-editor"
** click on "+" to create a new connection profile
** select "wired ethernet"
** select "add profile..."
** in "Identity", set "name" to "static"
** in "Identity", check that "Connect automatically" and "Make available..." is enabled
** in "IPv4", set "Addresses" to "manual" instead of "dhcp"
** enter IP address, netmask 255.255.224.0, gateway 142.90.100.18, dns 142.90.100.19, search triumf.ca
** say "Add", then close/quit the network settings
* connect network cable
* network should be up, ping ladd00 should work
* run: yum update -y
* check new kernel is installed: ls -l /boot
</pre>


== Set hostname ==

Set hostname: (use full name, i.e. daq11.triumf.ca)
<pre>
emacs -nw /etc/hostname
</pre>

== Configure email ==

* TRIUMF: use relayhost = smtp.triumf.ca
* CERN: use relayhost = cernmx.cern.ch

* edit /etc/postfix/main.cf, set "relayhost = smtp.triumf.ca"
* echo "olchansk@triumf.ca amaudruz@triumf.ca lindner@triumf.ca bsmith@triumf.ca" >> ~root/.forward

== Make log files readable ==

(This lets every local account read the system log, including kernel and daemon messages that are otherwise visible only to root.)
<pre>
chmod a+r /var/log/messages
chmod a+r /var/log/yum.log
</pre>

== Activate /etc/rc.local ==

Activate rc.local: (on CentOS7 /etc/rc.local is a symlink to /etc/rc.d/rc.local, so either chmod is sufficient)
<pre>
chmod a+x /etc/rc.local
chmod a+x /etc/rc.d/rc.local  # TL edit
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local
</pre>

== Disable "persistent network names" (DO NOT DO THIS) ==

<pre>
/bin/touch /etc/udev/rules.d/75-persistent-net-generator.rules
/bin/rm /etc/udev/rules.d/70-persistent-net.rules
#shutdown -r now
</pre>

== Configure NIS client (CentOS7) ==

<pre>
yum -y install ypbind authconfig
echo "NISTIMEOUT=5" >> /etc/sysconfig/network
echo "NETWORKWAIT=yes" >> /etc/sysconfig/network
authconfig --enablenis --enablepreferdns --nisdomain LADD-NIS --nisserver ladd00.triumf.ca --update
ypwhich
ypcat -k passwd
systemctl restart autofs
</pre>
* On the master NIS node (ladd00), add this new node to /etc/netgroup, and update NIS maps (cd /var/yp; make)
* Use "system-config-users" to add local user accounts
* enable selinux ssh key login to nfs mounted home directories:
<pre>
setsebool -P use_nfs_home_dirs 1
</pre>

== Configure NIS client (CentOS8) ==

* all the same as for CentOS7
* ensure correct boot order for ypbind (in CentOS 8.1 ypbind is started before the network is ready: the service file uses "Wants" instead of "After")
<pre>
mkdir /etc/systemd/system/ypbind.service.d
echo -e "[Unit]\nAfter=network-online.target\n" > /etc/systemd/system/ypbind.service.d/local.conf
systemctl daemon-reload
systemctl cat ypbind.service
</pre>

== Configure NIS secondary server (CentOS7) ==

Enable local NIS server, make local machine use it:

<pre>
yum -y install ypserv
/usr/lib64/yp/ypinit -s ladd00 ### (/usr/lib/yp/ypinit on 32-bit machines)
### ypinit will give lots of errors about "rpc.ypxfrd failed: RPC: Can't decode result"; can be ignored
systemctl disable ypxfrd yppasswdd
systemctl stop ypxfrd yppasswdd
systemctl enable rpcbind ypserv
systemctl start rpcbind ypserv
emacs -nw /etc/yp.conf # change "domain XXX server YYY.triumf.ca" to read "domain XXX server localhost"
systemctl restart ypbind
ypwhich # should say "localhost"
ypcat -k auto.master # should work
</pre>

Punch hole in the firewall: (or "make" on NIS master will complain). ypserv otherwise registers with rpcbind on a port chosen at startup, so pinning it to port 800 is what makes a fixed firewall rule possible:

<pre>
echo YPSERV_ARGS=\"-p 800\" >> /etc/sysconfig/network
systemctl restart ypserv
firewall-cmd --get-services
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --add-port=800/tcp --add-port=800/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all
</pre>

* on the NIS master:
** add the new machine to /var/yp/ypservers, run "make -C /var/yp" and also "cd /var/yp; yppush -h newmachine ypservers"
*** TL (2020-09): we're not doing this anymore? I guess it doesn't work anyway...
** if using /var/yp/securenets, copy it from NIS master to new NIS secondary server

Enable hourly NIS update cron job (DO THIS AFTER git pull scripts, see below)

<pre>
cd ~/git/scripts
git pull
cd ~/git/scripts/etc; ln -s $PWD/ypxfr-cron-hourly /etc/cron.hourly
</pre>

== Configure disks, partitions, raid arrays and filesystems ==

NOTE1: For compatibility with the SL6 installer, use "fdisk -u" when creating new partitions.

NOTE2a: For 2TB disks or bigger, use "gdisk" to create GPT partitions (yum install epel-release; yum install gdisk)

NOTE2c: (SL6) 3TB, 4TB, 6TB disks do not require anything special - proceed with installation as normal.

Typical disk configuration for DAQ use has 2 large disks with system ("/"), swap, home and data partitions, fully mirrored across the 2 disks using RAID1 software raid (MD).

In this fully mirrored configuration, a DAQ system will continue to operate without interruption and without performance degradation when there is a full or partial failure of either of the two disks.

If disks are hot-swappable, the failed or defective disk can then be physically replaced by a spare; the spare disk can be partitioned and added to the RAID1 array, restoring full normal operation, without shutting down or rebooting the system or interrupting data taking. (Since SATA, eSATA and USB are always electrically hot-swappable, disk hot-replacement is more of a mechanical issue.)

For small disks using traditional partitions (<=2TB) a typical layout looks like this:
<pre>
[root@ladd06 ~]# fdisk -l  ### use "fdisk -lu" instead!!!

Disk /dev/sdb: 750.2 GB, 750156374016 bytes
...
  Device Boot      Start        End      Blocks  Id  System
/dev/sdb1  *          1        5100    40960000  fd  Linux raid autodetect
/dev/sdb2            5100        9179    32768000  fd  Linux raid autodetect
/dev/sdb3            9179       21927  102399603+  fd  Linux raid autodetect
/dev/sdb4          21928       91201   556443405  fd  Linux raid autodetect

Disk /dev/sda: 750.2 GB, 750156374016 bytes
...
  Device Boot      Start        End      Blocks  Id  System
/dev/sda1  *          1        5100    40960000  fd  Linux raid autodetect
/dev/sda2            5100        9179    32768000  fd  Linux raid autodetect
/dev/sda3            9179       21927  102399603+  fd  Linux raid autodetect
/dev/sda4          21928       91201   556443405  fd  Linux raid autodetect
...
[root@ladd06 ~]# cat /proc/mdstat
Personalities : [raid1]
md3 : active raid1 sdb4[1] sda4[0]
      556442245 blocks super 1.2 [2/2] [UU]
      bitmap: 0/5 pages [0KB], 65536KB chunk

md2 : active raid1 sdb3[1] sda3[0]
      102398507 blocks super 1.2 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md1 : active raid1 sda2[0] sdb2[1]
      32766908 blocks super 1.1 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md0 : active raid1 sda1[0] sdb1[1]
      40959928 blocks super 1.0 [2/2] [UU]
      bitmap: 1/1 pages [4KB], 65536KB chunk
...
[root@ladd06 ~]# df -kl
Filesystem          1K-blocks      Used Available Use% Mounted on
/dev/md0              40316208  6222676  32045536  17% /
/dev/md2            100790232    192116  95478192   1% /home1
/dev/md3            547709948    202404 519685432   1% /data6
...
[root@ladd06 ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/md1                                partition      32766900        0      -1
</pre>

Typical size of partitions:
* /dev/md0 : "/" : 40 Gbytes should be sufficient. SL5 fits into an 8GB "/" and SL6 fits into a 16GB "/".
* /dev/md1 : swap : 32 Gbytes. Additional swap space can be added using a swap file located on the data disk.
* /dev/md2 : "/home1" : 100 Gbytes. User home directories backed up by the amanda site backup system. Space is limited by the capacity and capability of the backup and archiving system used to protect user data against accidental file deletion, filesystem corruption and disastrous system failures.
* /dev/md3 : "/data" : data partition uses the remaining space on the disks.

Usually, the "/" and swap partitions are created through the SL installer program. The /home and /data partitions can be created at the same time.

Otherwise, for traditional partitions (disks <2TB) follow these instructions:
* create the partitions using fdisk or similar (this example creates a 60 GB partition):
** fdisk -cu /dev/sda
** Command (m for help): <strong>n</strong>
** Command action ...  <strong>p</strong>
** Partition number ... <strong>2, 3 or 4</strong> according to what has been defined before
** First cylinder ... default
** Last cylinder ...  <strong>+60000M</strong>  or default
** Command action ...  t
** Partition number ... : <strong>2, 3 or 4</strong> according to what has been defined before
** Hex code ... : fd
** Command action ...  <strong>p to check all is correct</strong>
** Command (m for help): <strong>w</strong>
** fdisk /dev/sdb and repeat as above
** Reboot the machine

For GPT partitions (disks >=2TB), do this:
* install gdisk: yum install epel-release; yum install gdisk
* gdisk /dev/sdX
** if this is a new disk, do "o" to create a blank partition table
** "n" to create new partition:
*** accept default for partition number
*** accept default for first sector
*** for last sector, say "+40G" to create 40 Gbyte partition, accept default to use all remaining disk space
*** for partition type, say "fd00" to create an mdadm raid partition
** "p" to print the partition table
** "d" to delete wrong partition
** "w" to save and exit

Typical GPT layout:
<pre>
[root@isdaq01 ~]# gdisk -l /dev/sdh
GPT fdisk (gdisk) version 0.8.10

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sdh: 3907029168 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): D4FCDE83-12BD-4118-ACA2-702F0E2E57C2
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907029134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048        83888127   40.0 GiB    FD00  Linux RAID
   2        83888128       150996991   32.0 GiB    FD00  Linux RAID
   3       150996992       360712191   100.0 GiB   FD00  Linux RAID
   4       360712192      3907029134   1.7 TiB     FD00  Linux RAID
[root@isdaq01 ~]#
</pre>

* Check the newly created partitions: fdisk -lu /dev/sda; fdisk -lu /dev/sdb
* mdadm --create /dev/md2 --metadata=1.0 --bitmap=internal -l 1 -n 2 /dev/sda3 /dev/sdb3
* Check the progress of building the RAID with: more /proc/mdstat
* When finished: mkfs -t ext4 /dev/md2; tune2fs -i 0 -c 0 /dev/md2
* mkdir /home1
* Add to /etc/fstab: "/dev/md2                /home1                  ext4    defaults        1 2"
* Finally mount this new partition: mount -a
* Repeat from "mkfs" for each of the data partitions

* At this point you should have these disk partitions (single-disk in parenthesis)
** /dev/md0 (/dev/sda1, sdb1) is the system partition, 40 GBytes or more
** /dev/md1 (/dev/sda2, sdb2) is the swap partition, 32 GBytes or more
** /dev/md2 (/dev/sda3, sdb3) is the /home1 partition, 100 GBytes or more
** /dev/md3 (/dev/sda4, sdb4) is the data partition

* Add array descriptions to /etc/mdadm.conf:
** mdadm -Ds >> /etc/mdadm.conf
** emacs -nw /etc/mdadm.conf ### remove duplicate entries
Example /etc/mdadm.conf:
<pre>
MAILADDR root
AUTO +imsm +1.x -all
ARRAY /dev/md0 metadata=1.0 name=isdaq01.triumf.ca:0 UUID=055f0455:18401f41:b12abf53:2b23eca0
ARRAY /dev/md1 metadata=1.0 name=isdaq01.triumf.ca:1 UUID=dde05275:17961aaf:7c864e3a:c51477d6
ARRAY /dev/md2 metadata=1.0 name=isdaq01.triumf.ca:2 UUID=e430ba44:361f1807:41f0c491:53c10438
ARRAY /dev/md3 metadata=1.0 name=isdaq01.triumf.ca:3 UUID=a34d8c5b:cb65a435:be8ee01d:7f988927
</pre>

* (SL5.5 or newer) enable raid1 bitmap files, for each /dev/mdX device: mdadm --grow --bitmap=internal /dev/mdX
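The mirrored layout above only protects data while both members are present, and "any storage device can fail at any time without warning". The check below is an added example, not a script from this page or from the DAQ group: it parses /proc/mdstat (the same "[UU]" status the page tells you to look at) and reports arrays that are degraded or still rebuilding, so it can run from cron or before a shift starts. The two sample listings are constructed in the page's own /proc/mdstat layout; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the DaqWiki page: parse /proc/mdstat and report any
# md array that is degraded ("[U_]" instead of "[UU]") or still rebuilding.
# Only awk is needed, so it runs on SL6 and CentOS7 alike.

mdstat_check() {
    # Usage: mdstat_check [file]   (file defaults to /proc/mdstat)
    # Prints one line per problem; exit status 1 if any, 0 if all arrays are clean.
    awk '
        # "md3 : active raid1 sdb4[1] sda4[0]" starts a new array block
        /^md[0-9]+ *:/ { name = $1; level = $4; next }
        # member status line "... blocks super 1.2 [2/2] [UU]"; "_" marks a missing member
        name != "" && /\[[0-9]+\/[0-9]+\] \[[U_]+\]/ {
            match($0, /\[[U_]+\]/)
            status = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(status, "_") > 0) {
                printf "%s (%s): DEGRADED [%s]\n", name, level, status
                bad++
            }
        }
        # a resync/recovery/reshape line means redundancy is not yet restored
        name != "" && /(recovery|resync|reshape) *=/ {
            sub(/^[ \t]*/, "")
            printf "%s (%s): rebuilding: %s\n", name, level, $0
            bad++
        }
        /^$/ { name = "" }
        END { exit bad > 0 ? 1 : 0 }
    ' "${1:-/proc/mdstat}"
}

# Constructed samples (not real machines): a clean host, and a host where md3
# has a faulty member and md1 is resyncing onto a replacement disk.
SAMPLE_HEALTHY='Personalities : [raid1]
md2 : active raid1 sdb3[1] sda3[0]
      102398507 blocks super 1.2 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md0 : active raid1 sda1[0] sdb1[1]
      40959928 blocks super 1.0 [2/2] [UU]
      bitmap: 1/1 pages [4KB], 65536KB chunk

unused devices: <none>'

SAMPLE_DEGRADED='Personalities : [raid1]
md3 : active raid1 sdb4[1](F) sda4[0]
      556442245 blocks super 1.2 [2/1] [U_]
      bitmap: 0/5 pages [0KB], 65536KB chunk

md1 : active raid1 sdb2[2] sda2[0]
      32766908 blocks super 1.1 [2/1] [U_]
      [==>..................]  recovery = 12.3% (4030000/32766908) finish=4.7min speed=101000K/sec
      bitmap: 0/1 pages [0KB], 65536KB chunk

md0 : active raid1 sda1[0] sdb1[1]
      40959928 blocks super 1.0 [2/2] [UU]
      bitmap: 1/1 pages [4KB], 65536KB chunk

unused devices: <none>'

# Demo on the constructed sample; on a real host just run "mdstat_check".
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_DEGRADED" > "$demo_file"
mdstat_check "$demo_file" || echo "-> problems found, exit status $?"
rm -f "$demo_file"
```

On the degraded sample this prints three lines (md3 degraded, md1 degraded, md1 rebuilding) and exits 1; a host whose arrays all show [UU] and no recovery line exits 0, so the function can be used directly as a cron or monitoring check.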
== Configure AUTOFS (CentOS7) ==

<pre>
yum -y install autofs
systemctl enable autofs
systemctl start autofs
ls -l /daq/daqshare
</pre>

== Restore data from backups ==

* (on midm15/midm9b/midm20 only) install correct ethernet driver eepro100 not e100
* restore /home (non-NIS) or /home1 (NIS) and other required user directories from backup. (Can use /triumfcs/trshare/midas/Disks/rsync_back.csh ).
* if needed, for non-NIS only, make a softlink for /home1: ln -s /home /home1
* restore users accounts (non-NIS and NIS master only): edit /etc/passwd and /etc/shadow, append users' login info to the end of these files from the backup versions.


== Post installation ==

* echo "olchansk@triumf.ca amaudruz@triumf.ca lindner@triumf.ca" >> ~root/.forward
* emacs -nw /etc/sysconfig/network
** set "HOSTNAME=" (set it to blank to use hostname from DHCP)
** set "NETWORKWAIT=yes"
* (not needed for SL6.1, NEEDED for SL6->6.1 update) in /etc/hosts, remove extraneous entries - only entries for localhost and localhost6 should remain
* disable selinux: edit /etc/sysconfig/selinux, change line to read: SELINUX=disabled, reboot later for change to take effect
* chmod a+r /var/log/messages
* chmod a+r /var/log/yum.log


== Label Selinux labels ==

When upgrading non-selinux machines (el6) to el7 (selinux enforcing) the existing user home directories will not have the correct selinux labels and many things will not work, including ssh logins (sshd cannot access ~user/.ssh files).

<pre>
semanage fcontext -a -e /home /home1 ### selinux has special rules for /home, assign them to /home1
restorecon -R -v /home1 ### apply the new rules to files in /home1
ls -Zd /home1/alpha/.ssh
# should say: drwx------. alpha users system_u:object_r:ssh_home_t:s0  /home1/alpha/.ssh
</pre>

== Configure time (CentOS7) ==

Time server ntpd was replaced by chronyd.

<pre>
yum -y install chrony
echo server time1 iburst >> /etc/chrony.conf
echo server time2 iburst >> /etc/chrony.conf
echo server time3 iburst >> /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd
chronyc sources
chronyc tracking
</pre>

* if desired, edit /etc/chrony.conf, remove non-triumf time servers

== Enable automatic system updates (CentOS7) ==

Disable yum-cron:

<pre>
rpm --erase yum-cron
/bin/rm -v /var/lock/subsys/yum-cron
/bin/rm -v /etc/cron.daily/0yum-daily.cron
/bin/rm -v /etc/cron.hourly/0yum-hourly.cron
</pre>

Enable yum-autoupdate: (the two CERN packages are fetched over plain http; unless the CERN package-signing key has been imported with "rpm --import", rpm only prints a NOKEY warning about their signatures before installing them)

<pre>
yum install -y epel-release
yum install -y yum-changelog yum-protectbase yum-tsflags yum-versionlock
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-kernel-module-1-5.el7.cern.noarch.rpm
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm
#rpm -vh --install https://daqshare.triumf.ca/~olchansk/linux/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm https://daqshare.triumf.ca/~olchansk/linux/yum-kernel-module-1-5.el7.cern.noarch.rpm
systemctl enable yum-autoupdate
systemctl start yum-autoupdate
systemctl status yum-autoupdate
</pre>

== Disable automatic system updates (CentOS7) ==

<pre>
yum -y erase yum-autoupdate
/bin/rm -f /etc/sysconfig/yum-autoupdate.rpmsave
/bin/rm -f /var/lock/subsys/yum-autoupdate
</pre>

== Post installation CentOS7 ==

<pre>
CentOS 7.1 default installer will be stuck at the "create local user" screen. To proceed without creating fake local users, do:
yum erase gnome-initial-setup
killall Xorg
</pre>

Then continue with "Set hostname", "Configure email", "Make log files readable" and "Activate /etc/rc.local".

== Configure NIS master (OPTIONAL) ==

(do not use SL6.2 for NIS master)

Since the shadow map hands every password hash to any host that can talk to ypserv, restrict the clients allowed to query it with /var/yp/securenets.

* yum install ypserv
* domainname DEAP-NIS
* cd /var/yp
* edit Makefile
** change NOPUSH=false
** change the "all:" entry to read: all: passwd group netgrp shadow auto.master auto.home auto.local ypservers
* touch /etc/netgroup /etc/auto.home /etc/auto.local ./ypservers
* make
* inspect created NIS maps: ls -l DEAP-NIS
* chkconfig ypserv on
* chkconfig ypxfrd on
* chkconfig yppasswdd on
* service ypserv start

== Configure NIS client ==

* run "authconfig --enablenis --enablepreferdns --nisdomain LADD-NIS --update"
* if NIS server is SL6.2, add "--nisserver=ladd00" to above command
* (not needed with --enablepreferdns above) run "sed 's/^hosts:.*/hosts: files dns/' -i /etc/nsswitch.conf" (to undo a mistake from authconfig)
* On the master NIS node (ladd00), add this new node to /etc/netgroup, and update NIS maps (cd /var/yp; make)
* Use "system-config-users" to add local user accounts
* NIS: check user accounts: run "ypcat -k passwd"
* echo "NISTIMEOUT=5" >> /etc/sysconfig/network
* echo "NETWORKWAIT=yes" >> /etc/sysconfig/network


== Enable automatic system updates (CentOS8) ==

<pre>
yum -y install dnf-automatic
systemctl enable --now dnf-automatic.timer
systemctl list-timers '*dnf-*'
</pre>

edit /etc/dnf/automatic.conf
<pre>
apply_updates = yes
</pre>

== Configure NIS secondary server (OPTIONAL) ==

<pre>
yum -y install ypserv
ypwhich -m # to identify hostname of nis master for next step:
/usr/lib64/yp/ypinit -s ladd00 # /usr/lib/yp/ypinit on 32-bit machines
chkconfig ypserv on
service ypserv start
emacs -nw /etc/yp.conf # change "domain XXX server YYY.triumf.ca" to read "domain XXX server localhost"
service ypbind restart
ypwhich # should report "localhost"
ypcat auto.master # should work
</pre>

* on the NIS master:
** add the new machine to /var/yp/ypservers, run "make -C /var/yp" and also "cd /var/yp; yppush -h newmachine ypservers"
** if using /var/yp/securenets, copy it from NIS master to new NIS secondary server
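The "punch hole in the firewall" step of the CentOS7 secondary-server section only works if ypserv really registered on the pinned port, and a secondary should not be exporting yppasswdd/ypxfrd after they were disabled. The check below is an added example, not from this page or the DAQ group: it reads an "rpcinfo -p" listing and verifies both conditions. The two rpcinfo listings are constructed samples and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the DaqWiki page: verify that ypserv is registered
# with rpcbind only on the port pinned with YPSERV_ARGS="-p 800" (the port the
# firewall-cmd rule opens) and that no yppasswdd/ypxfrd is registered, which a
# secondary server should not run.

check_ypserv_port() {
    # Usage: check_ypserv_port PORT [rpcinfo-output-file]
    # Without a file it runs "rpcinfo -p" on the local host.
    # Exit 0 when every ypserv registration uses PORT and no yppasswdd/ypxfrd
    # is registered; otherwise print what is wrong and exit 1.
    want="$1"
    { if [ -n "$2" ]; then cat "$2"; else rpcinfo -p; fi; } | awk -v want="$want" '
        $1 == "program" { next }                     # column header
        $5 == "ypserv" {
            seen++
            if ($4 != want) {
                printf "ypserv v%s/%s registered on port %s, expected %s\n", $2, $3, $4, want
                bad++
            }
        }
        $5 == "yppasswdd" || $5 == "ypxfrd" {
            printf "%s registered on port %s: it should be disabled on a secondary server\n", $5, $4
            bad++
        }
        END {
            if (!seen) { print "ypserv is not registered with rpcbind at all"; bad++ }
            exit bad > 0 ? 1 : 0
        }'
}

# Constructed "rpcinfo -p" listings (not real hosts): one after the
# YPSERV_ARGS change, one where ypserv took a random port and yppasswdd is
# still running.
RPCINFO_PINNED='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100004    2   udp    800  ypserv
    100004    1   udp    800  ypserv
    100004    2   tcp    800  ypserv
    100004    1   tcp    800  ypserv'

RPCINFO_UNPINNED='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100004    2   udp    917  ypserv
    100004    2   tcp    917  ypserv
    100009    1   udp    852  yppasswdd'

# Demo on the constructed listings; on the real host run: check_ypserv_port 800
demo_file=$(mktemp)
printf '%s\n' "$RPCINFO_UNPINNED" > "$demo_file"
check_ypserv_port 800 "$demo_file" || echo "-> fix YPSERV_ARGS / disable yppasswdd before opening the firewall"
rm -f "$demo_file"
```

Run it after "systemctl restart ypserv" and again after "firewall-cmd --reload": if the port is not pinned, the rpc-bind service rule alone lets clients discover ypserv but the random port stays blocked, which shows up as the "make" complaint on the NIS master mentioned above.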


== Configure system services (CentOS7) ==

* systemctl list-unit-files | grep enabled | sort ### (to see enabled services)
* disable unwanted services:
<pre>
systemctl disable bluetooth
systemctl disable dm-event
systemctl disable dmraid-activation
systemctl disable iscsid
systemctl disable iscsi
systemctl disable iscsiuio
systemctl disable libvirtd
systemctl disable lvm2-lvmetad
systemctl disable lvm2-monitor
systemctl disable ModemManager
systemctl disable multipathd
systemctl disable netcf-transaction
systemctl disable lvm2-lvmetad.socket
systemctl disable lvm2-lvmpolld.socket
systemctl disable iscsid.socket
systemctl disable iscsiuio.socket
systemctl disable ksm
systemctl disable ksmtuned
#systemctl disable
</pre>

== Erase unwanted packages (CentOS7) ==

* PackageKit # bugs users about security updates, hogs yum lock
* perl-homedir # creates unwanted $HOME/perl5
* ModemManager # thinks that all USB-attached devices are modems
* pcp # sends error email to itself, does not work
* abrt # sends email to root about useless crashes, i.e. crash of X when machine is rebooted
* rear # some kind of backup and recovery tool, not clear what it does, but it sends email complaining how it is broken
* bash-completion # "echo $HOME/<TAB>" becomes "echo \$HOME" (notice "\" added before "$") preventing tab-completion from doing anything useful.

<pre>
yum -y erase PackageKit perl-homedir ModemManager pcp abrt abrt-libs abrt-gui-libs rear bash-completion
</pre>

== Disable unwanted package "tracker" ==

The "tracker" package is part of the GNOME desktop; it scans the content of all files into a database for quick searching.

When it malfunctions, bad things happen, i.e. read through https://bugzilla.redhat.com/show_bug.cgi?id=747689

Specific problem I see is that it floods the system log with error messages. Also consumes network and filesystem bandwidth for NFS mounted home directories.

This package cannot be removed by "yum erase tracker" due to dependencies from the core GNOME desktop.

Instead, do this to deactivate it: (the immutable flag also makes any later update of the tracker package fail until it is removed again with "chattr -i")

<pre>
chmod -x /usr/libexec/tracker-*
chmod -x /usr/bin/tracker
chattr +i /usr/bin/tracker
chattr +i /usr/libexec/tracker-*
</pre>

== Configure AUTOFS ==

* (if NIS master or standalone) check /etc/auto.* against backups, particularly auto.master if NIS master
* (if needed) add "+auto.master" at the end of /etc/auto.master
* restart autofs to use the newly configured NIS maps: "service autofs stop; service autofs start"


== Configure external package repositories (CentOS7) ==

EPEL: (additional packages)
<pre>
yum install epel-release
</pre>

ELREPO: (kernel modules and drivers) (CentOS8)

<pre>
yum install elrepo-release
</pre>

ELREPO: (kernel drivers)

<pre>
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum -y install yum-plugin-fastestmirror
</pre>

== Configure time with chronyd (SL6) ==

Use chronyd instead of ntpd.

<pre>
yum -y install chrony
echo server time1 iburst >> /etc/chrony.conf
echo server time2 iburst >> /etc/chrony.conf
echo server time3 iburst >> /etc/chrony.conf
chkconfig --level 123456 ntpd off
chkconfig --level 123456 ntpdate off
service ntpd stop
chkconfig chronyd on
service chronyd restart
chronyc sources
chronyc tracking
</pre>

* if desired, edit /etc/chrony.conf, remove non-triumf time servers
== Install packages needed to continue with installation ==

(+CentOS7)

(these packages are sometimes missing; they are needed to follow the instructions below)

(SL6.5: libotf is a dependency of emacs - SL6.5 installer fails to install it)

<pre>
yum install ed patch wget git libotf gdisk emacs perl
</pre>
== Configure Konstantin's scripts ==


== Enable automatic kernel updates (SL6) ==
(+Centos7)


* enable kernel updates: sed 's/^EXCLUDE=/#EXCLUDE=/' -i /etc/sysconfig/yum-autoupdate
<pre>
mkdir ~root/git
cd ~root/git
git clone http://ladd00.triumf.ca/~olchansk/git/scripts.git
cd scripts
git pull
</pre>


== Enable automatic system updates (CentOS7) ==
Go back to the NIS slave server and install the hourly NIS update cron job.


Disable yum-cron:
== Enable yum version lock ==


<pre>
<pre>
rpm --erase yum-cron
yum install yum-plugin-versionlock
/bin/rm -v /var/lock/subsys/yum-cron
#yum versionlock packagename # yum versionlock rpcbind
/bin/rm -v /etc/cron.daily/0yum-daily.cron
#yum versionlock list # list locked packages
/bin/rm -v /etc/cron.hourly/0yum-hourly.cron
#yum versionlock delete packagename # unlock given package
#yum versionlock clear # delete all locks
</pre>
</pre>


Enable yum-autoupdate:
== Configure trusted ssh keys ==
 
(+CentOS7)


<pre>
<pre>
yum install -y epel-release
ssh localhost
yum install -y yum-changelog yum-protectbase yum-tsflags yum-versionlock
interrupt by Ctrl-C
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-kernel-module-1-5.el7.cern.noarch.rpm
/bin/cp ~/git/scripts/etc/authorized_keys ~/.ssh/
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm
#rpm -vh --install https://daqshare.triumf.ca/~olchansk/linux/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm https://daqshare.triumf.ca/~olchansk/linux/yum-kernel-module-1-5.el7.cern.noarch.rpm
systemctl enable yum-autoupdate
systemctl start yum-autoupdate
systemctl status yum-autoupdate
</pre>
</pre>


== Disable automatic system updates (CentOS7) ==
== Configure hardware sensors ==


<pre>
* yum -y install lm_sensors
yum -y erase yum-autoupdate
* sensors-detect (accept default answer to all questions - press ENTER)
/bin/rm -f /etc/sysconfig/yum-autoupdate.rpmsave
* systemctl restart lm_sensors
/bin/rm -f /var/lock/subsys/yum-autoupdate
* sensors (to see available sensors)
</pre>


== Configure system services ==
If no sensors are detected by standard drivers, follow motherboard-specific instructions at the bottom of this page.


* chkconfig --list | grep :on | sort (to see enabled services)
== Configure IPMI sensors ==
* disable unwanted services:
<pre>(only if amanda is not used) -&gt; chkconfig --level 12345 xinetd off
chkconfig --level 12345 canna off
chkconfig --level 12345 FreeWnn off
chkconfig --level 12345 hpoj off
chkconfig --level 12345 ip6tables off
chkconfig --level 12345 iptables off
chkconfig --level 12345 isdn off
chkconfig --level 12345 pcmcia off
chkconfig --level 12345 rhnsd off
chkconfig --level 12345 spamassassin off
chkconfig --level 12345 bluetooth off
chkconfig --level 12345 apmd off
chkconfig --level 12345 iiim off
chkconfig --level 12345 fenced off
chkconfig --level 12345 ccsd off
chkconfig --level 12345 cpuspeed off
chkconfig --level 12345 pcp off
chkconfig --level 12345 pmie off
chkconfig --level 12345 yum-updatesd off
chkconfig --level 12345 clvmd off
chkconfig --level 12345 cman off
chkconfig --level 12345 lvm2-monitor off
chkconfig --level 12345 modclusterd off
chkconfig --level 12345 yum-updateonboot off
chkconfig --level 12345 cmirror off
chkconfig --level 12345 lock_gulmd off
chkconfig --level 12345 firstboot off
chkconfig --level 12345 ricci off
chkconfig --level 12345 gfs off
chkconfig --level 12345 scsi_reserve off
chkconfig --level 12345 openibd off
chkconfig --level 12345 arptables_jf off
chkconfig --level 12345 auditd off
chkconfig --level 12345 avahi-daemon off
chkconfig --level 12345 hplip off
chkconfig --level 12345 iscsi off
chkconfig --level 12345 iscsid off
chkconfig --level 12345 mcstrans off
chkconfig --level 12345 pcscd off
chkconfig --level 12345 restorecond off
chkconfig --level 12345 setroubleshoot off
chkconfig --level 12345 xend off
chkconfig --level 12345 xendomains off
chkconfig --level 12345 kudzu off
#chkconfig --level 12345 yum-cron off
chkconfig --level 12345 kdump off
chkconfig --level 12345 libvirt-guests off
chkconfig --level 12345 libvirtd off
chkconfig --level 12345 spice-vdagentd off
chkconfig --level 12345 ksm off
chkconfig --level 12345 ksmtuned off
chkconfig --level 12345 iscsi off
chkconfig --level 12345 iscsid off
chkconfig --level 12345 openct off
chkconfig --level 12345 blk-availability off
chkconfig --level 12345 fcoe off
chkconfig --level 12345 lldpad off
</pre>


== Configure system services (CentOS7) ==
Some machines support the IPMI interface for monitoring the hardware: fan speeds, temperatures, voltages.


* systemctl list-unit-files | grep enabled | sort ### (to see enabled services)
* find out if IPMI is supported. Try this:
* disable unwanted services:
<pre>
dmidecode | grep -i ipmi
</pre>
if output is not blank, IPMI is maybe supported.
* install and enable IPMI software:
<pre>
<pre>
systemctl disable bluetooth
yum install "OpenIPMI*" ipmitool
systemctl disable dm-event
service ipmi start
systemctl disable dmraid-activation
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
systemctl disable iscsid
chkconfig ipmi on
systemctl disable iscsi
chkconfig ipmievd on
systemctl disable iscsiuio
service ipmi restart
systemctl disable libvirtd
service ipmievd restart
systemctl disable lvm2-lmetad
tail -100 /var/log/messages ### look at messages logged by ipmievd
systemctl disable lvm2-monitor
systemctl disable ModemManager
systemctl disable multipathd
systemctl disable netcf-transaction
systemctl disable lvm2-lvmetad.socket
systemctl disable lvm2-lvmpolld.socket
systemctl disable iscsid.socket
systemctl disable iscsiuio.socket
#systemctl disable
</pre>
</pre>
 
* (CentOS7) install and enable IPMI software:
== Erase unwanted packages ==
 
<pre>
<pre>
yum erase PackageKit # bugs users about security updates
yum install "OpenIPMI*" ipmitool
</pre>
systemctl start ipmi
 
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
== Erase unwanted packages (CentOS7) ==
systemctl list-unit-files | grep -i ipmi
 
systemctl enable ipmi
* PackageKit # bugs users about security updates, hogs yum lock
systemctl restart ipmi
* perl-homedir # creates unwanted $HOME/perl5
systemctl status ipmi
* ModemManager # thinks that all USB-attached devices are modems
systemctl enable ipmievd
* pcp # sends error email to itself, does not work
systemctl restart ipmievd
* abrt # sends email to root about useless crashes, i.e. crash of X when machine is rebooted
systemctl status ipmievd
* rear # some kind of backup and recovery tool, not clear what it does, but it sends email complaining how it is broken
tail -100 /var/log/messages ### look at messages logged by ipmievd
* bash-completion # "echo $HOME/<TAB>" becomes "echo \$HOME" (notice "\" added before "$") preventing tab-completion from doing anything useful.
</pre>


* if ipmievd complains about SEL buffer overflow, clear it manually:
<pre>
<pre>
yum -y erase PackageKit perl-homedir ModemManager pcp abrt abrt-libs abrt-gui-libs rear bash-completion
ipmitool sel list ### show ipmi messages in raw format
ipmitool sel elist ### show ipmi messages in useful format
ipmitool sel elist > file ### save ipmi messages into a file
ipmitool sel clear  ### clear all accumulated ipmi messages
</pre>
</pre>


== Configure external package repositories ==
* useful ipmi commands:
** ipmitool sensor -- read hardware sensors
** ipmitool sel elist -- report all accumulated messages
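As an added example (not part of this wiki page), a small audit to go with the "Configure system services (CentOS7)" step: it reads "systemctl list-unit-files" output and reports every enabled unit that is not on an allowlist, so that services like bluetooth or libvirtd that come back after an update are noticed instead of silently staying on. The allowlist and the sample unit listing are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the SLinstall page: audit the enabled
# systemd units against an allowlist of units expected on a DAQ machine.
# The allowlist below is an assumption for the demonstration; a real one
# is taken from a freshly configured reference machine.

ALLOWED_UNITS="sshd.service chronyd.service smartd.service nfs-server.service
rsyslog.service crond.service firewalld.service gmond.service
ipmi.service ipmievd.service lm_sensors.service"

# unit_allowed NAME: return 0 if NAME is on the allowlist
unit_allowed() {
    for u in $ALLOWED_UNITS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# audit_enabled_units: read "systemctl list-unit-files" output on stdin and
# print every unit whose STATE column is "enabled" but which is not allowed
# (one per line, C-locale sorted). "static" and "disabled" units are ignored,
# as are the header and the trailing "N unit files listed." line.
audit_enabled_units() {
    awk '$2 == "enabled" { print $1 }' | LC_ALL=C sort | while read -r unit; do
        unit_allowed "$unit" || echo "$unit"
    done
}

# Constructed sample of "systemctl list-unit-files" output for the demo
SAMPLE_UNIT_FILES='UNIT FILE                              STATE
bluetooth.service                      enabled
chronyd.service                        enabled
crond.service                          enabled
firewalld.service                      enabled
iscsid.socket                          enabled
libvirtd.service                       enabled
lvm2-lvmetad.socket                    enabled
ModemManager.service                   enabled
sshd.service                           enabled
smartd.service                         enabled
rsyslog.service                        enabled
dbus.service                           static
kdump.service                          disabled

13 unit files listed.'

# Run the audit on the sample; each printed unit is one to review and
# disable. On a live machine: systemctl list-unit-files | audit_enabled_units
printf '%s\n' "$SAMPLE_UNIT_FILES" | audit_enabled_units
```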
 
== Configure TRIUMF packages ==


(only for machines on the TRIUMF network)


(TRIUMF kickstart usually installs this automatically)

<pre>
rpm -vh --install  http://mirror.triumf.ca/triumf/6/x86_64/Packages/triumf-release-1.4-1.noarch.rpm
yum install triumf-ssh triumf-syslog
</pre>


== Configure TRIUMF packages (CentOS7) ==


(only for machines on the TRIUMF network)


<pre>
# TL Was rpm -vh --install http://mirror.triumf.ca/triumf/6/x86_64/RPMS/triumf-release-1.4-1.noarch.rpm
rpm -vh --install  http://mirror.triumf.ca/triumf/6/x86_64/Packages/triumf-release-1.4-1.noarch.rpm
yum install triumf-ssh triumf-syslog
</pre>


== Configure TRIUMF mirror of yum repositories (SL6) ==

(only for machines on TRIUMF network)

* if /daq/mirror is available: /bin/cp ~/git/scripts/etc/daq-mirror-SL6.repo /etc/yum.repos.d/
* if /triumfcs/mirror is available: /bin/cp ~/git/scripts/etc/triumfcs-mirror-SL6.repo /etc/yum.repos.d/
* otherwise: /bin/cp ~/git/scripts/etc/triumf-SL6.repo /etc/yum.repos.d/

then disable external repositories:

<pre>
yum clean all
yum-config-manager --disable epel
yum-config-manager --disable elrepo
yum-config-manager --disable sl
yum-config-manager --disable sl-security
yum-config-manager --disable sl6x
yum-config-manager --disable sl6x-security
yum clean all
</pre>


== Configure ECC memory ==


* check that machine has ECC memory: dmidecode --type memory | grep -i ecc


Configure mcelog (machine check exception)


* yum install mcelog
* check that mcelog is running: ps -efw | grep mcelog
* (el6) chkconfig mcelogd on; service mcelogd restart
* (el7) systemctl status mcelog.service; systemctl enable mcelog.service; systemctl restart mcelog.service


Check for MCE (machine check exception) messages:

* mcelog --client
* grep -i mce /var/log/messages*
* grep -i ecc /var/log/messages*


Configure EDAC


<pre>
yum install edac-utils
edac-ctl --mainboard
edac-ctl --status
lsmod | grep edac
modprobe ie31200_edac ### driver for Intel E3-1200 series ECC memory

[root@grsmid00 ~]# ls -l /sys/devices/system/edac/mc/
... empty

[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/
drwxr-xr-x. 15 root root    0 Oct 25 16:40 mc0
...
[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/mc0
total 0
-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_count
-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_noinfo_count
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow0
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow1
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow2
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow3
-r--r--r--. 1 root root 4096 Oct 25 16:40 max_location
-r--r--r--. 1 root root 4096 Oct 25 16:40 mc_name
drwxr-xr-x. 2 root root    0 Oct 25 16:40 power
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank0
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank1
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank2
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank3
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank4
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank5
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank6
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank7
--w-------. 1 root root 4096 Oct 25 16:40 reset_counters
-r--r--r--. 1 root root 4096 Oct 25 16:40 seconds_since_reset
-r--r--r--. 1 root root 4096 Oct 25 16:40 size_mb
lrwxrwxrwx. 1 root root    0 Oct  2 12:02 subsystem -> ../../../../../bus/mc0
-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_count
-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_noinfo_count
-rw-r--r--. 1 root root 4096 Oct 25 16:40 uevent
[root@alpha00 ~]#

[root@alpha00 ~]# edac-ctl --status
edac-ctl: drivers are loaded.

[root@alpha00 ~]# edac-util
edac-util: No errors to report.

[root@alpha00 ~]# edac-util -s
edac-util: EDAC drivers are loaded. 1 MC detected
</pre>


== Configure SMARTD (CentOS7) ==


Default el7 smartd config files send deficient email notices about disk failures. Overwrite.


<pre>
/bin/cp ~/git/scripts/etc/smartd.conf /etc/smartmontools/
/bin/cp ~/git/scripts/etc/smartd_warning.sh /etc/smartmontools/
systemctl enable smartd
systemctl restart smartd
systemctl status smartd
</pre>


== Enable User Disk Quotas (OPTIONAL) ==


(+CentOS7)


* read http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-disk-quotas.html
* emacs -nw /etc/fstab, add "grpquota,usrquota" to filesystem options, e.g.:
<pre>
[root@isdaq00 home1]# grep quota /etc/fstab
UUID=5a2aefbd-45db-475e-841e-12ec89220fbd /home1 ext4 defaults,grpquota,usrquota 1 2
</pre>
* cd /; umount /home1; mount /home1
* quotacheck -cug /home1
* quotacheck -avug
* quotaon -av
* quota system is now active
* increase the soft quota time limit from default 7 days to 30 or 60 days: edquota -t
* set quotas for all users (see below)
* setup warnquota:
** create warnquota config file: emacs -nw /etc/warnquota.conf
<pre>
# values can be quoted:
MAIL_CMD        = "/usr/sbin/sendmail -t"
FROM            = root
SUBJECT        = User %i@%h exceeded allocated disk quota
CC_TO          = "root"
# If you set this variable CC will be used only when user has less than
# specified grace time left (examples of possible times: 5 seconds, 1 minute,
# 12 hours, 5 days)
# CC_BEFORE = 2 days
SUPPORT        = "root"
# Text in the beginning of the mail (if not specified, default text is used)
# This way text can be split to more lines
# Line breaks are done by '|' character
# The expressions %i, %h, %d, and %% are substituted for user/group name,
# host name, domain name, and '%' respectively. For backward compatibility
# %s behaves as %i but is deprecated.
MESSAGE        = User "%i" on "%h" has exceeded the allocated disk quota.||Please delete any unnecessary files on following filesystems or|contact the system administrator to increase your quota allocation:|
SIGNATURE      = --|automated email from warnquota
</pre>
** note that %i@%h in the SUBJECT line do not seem to work
** create cron job: emacs -nw /etc/cron.daily/warnquota
<pre>
#!/bin/sh
warnquota
#end
</pre>
** chmod a+x /etc/cron.daily/warnquota
** touch /etc/crontab


Useful commands for managing quotas:
* repquota -a | sort -n -k3 ### show quota of all users sorted by disk usage
* edquota -u username ### open "vi" editor to change user quotas
* repquota -a | grep username ### report quota for given user
* setquota -u username 0 0 0 0 /home1 ### disable quotas for given user
* setquota -u username 50000000 100000000 0 0 /home1 ### set quotas for 50GB soft and 100GB hard
* edquota -t ### change user quota time limits
* edquota -tg ### change group quota time limits


== Enable NFS V4 server (CentOS7) ==


* create /etc/exports. example: (fsid numbers should be unique and increase 1,2,3,...)
<pre>
/home1  @home_export(rw,no_root_squash,async,fsid=1)
/data1  @data_export(rw,no_root_squash,async,fsid=2)
</pre>
* check the netgroup file
** if using NIS: check NIS netgroup: ypcat -k netgroup
** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
** if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: "netgroup: files"
* enable things, start them:
<pre>
firewall-cmd --get-services
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind ### needed for ubuntu automounter
firewall-cmd --reload
firewall-cmd --list-all
systemctl enable nfs-server
systemctl start nfs-server
systemctl status nfs
</pre>


== Configure coretemp CPU sensors ==
On some machines, the coretemp driver for Intel CPU temperature sensors is not loaded after the "Configure hardware sensors" steps above.
* sensors | grep coretemp ### number of sensors reported should be the same as the number of CPU cores
* if output is blank, add this to /etc/rc.local
<pre>
emacs -nw /etc/rc.local
modprobe coretemp
</pre>


== Enable NFS V3 server (CentOS7) ==


<pre>
ps -efw | grep rpc.mountd # should be running!
firewall-cmd --get-services
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload
firewall-cmd --list-all
</pre>


== Enable NFS V3 server ==


* edit /etc/hosts.allow, add or uncomment "mountd: 142.90.0.0/255.255.0.0"
* create /etc/exports. example:
<pre>
/home1  @home_export(rw,no_root_squash,async)
/data1  @data_export(rw,no_root_squash,async)
</pre>
* check the netgroup file
** if using NIS: check NIS netgroup: ypcat -k netgroup
** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
** if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: "netgroup: files"
* chkconfig nfs on
* chkconfig nfslock on
* service nfs restart

Then on ladd00 you need to do:
* ssh to root@ladd00
* edit /etc/auto.daq to add new machine...
* make -C /var/yp
== Enable NFS V4 SERVER (SL6) ==
 
* if used with NIS, same as NFSv3
* if used as standalone, need to edit idmapd.conf - set the "Domain" name to the same value on NFS server and NFS slave (default automagically determined value does not always work). More TBW.
 
== Enable AMANDA backups ==
 
AMANDA backups are already enabled by TRIUMF kickstart installs. For non-kickstart installation, follow instructions at [[http://amanda/~amanda http://amanda/~amanda]], or look at "/triumfcs/trshare/olchansk/linux/amanda/amanda-enable.perl". As final step, use [[https://helpdesk.triumf.ca https://helpdesk.triumf.ca]] to contact TRIUMF CS to add this new machine to the amanda backup list.
 
* yum install triumf-amanda
 
== Enable AMANDA backups (CentOS7) ==
 
<pre>
<pre>
yum install "OpenIPMI*" ipmitool
yum install amanda-client
service ipmi start
systemctl list-unit-files | grep -i amanda
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
#systemctl enable amanda
chkconfig ipmi on
systemctl enable amanda.socket
chkconfig ipmievd on
systemctl enable amanda-udp.socket
service ipmi restart
systemctl restart amanda.socket
service ipmievd restart
systemctl restart amanda-udp.socket
tail -100 /var/log/messages ### look at messages logged by ipmievd
firewall-cmd --get-services
firewall-cmd --permanent --add-service=amanda-client
firewall-cmd --reload
firewall-cmd --list-all
echo amanda.triumf.ca amanda amdump >> /var/lib/amanda/.amandahosts
</pre>
</pre>
* (CentOS7) install and enable IPMI software:
 
On amanda server, add new machine to the disklist, then:
 
<pre>
<pre>
yum install "OpenIPMI*" ipmitool
amcheck -c daily titan00
systemctl start ipmi
</pre>
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
 
systemctl list-unit-files | grep -i ipmi
== Enable DCACHE ==
systemctl enable ipmi
systemctl restart ipmi
systemctl status ipmi
systemctl enable ipmievd
systemctl restart ipmievd
systemctl status ipmievd
tail -100 /var/log/messages ### look at messages logged by ipmievd
</pre>


* if ipmievd complains about SEL buffer overflow, clear it manually:
DAQ dcache server is mounted as
<pre>
ipmitool sel list ### show ipmi messages in raw format
ipmitool sel elist ### show ipmi messages in useful format
ipmitool sel elist > file ### save ipmi messages into a file
ipmitool sel clear  ### clear all accumulated ipmi messages
</pre>


* useful ipmi commands:
/daq/pnfs/triumf.ca/data/
** ipmitool sensor -- read hardware sensors
** ipmitool sel elist -- report all accumulated messages


== Configure SMARTD (CentOS7) ==
For Centos-7 machines, you need to adjust the firewall rules in order to be able to communicate with the trdata machines; this is only necessary if you are copying data to trdata. The firewall changes are
 
Default el7 smartd config files send deficient email notices about disk failures. Overwrite.


<pre>
<pre>
/bin/cp ~/git/scripts/etc/smartd.conf /etc/smartmontools/
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.212/32" port protocol="tcp" port="0-65535" accept"
/bin/cp ~/git/scripts/etc/smartd_warning.sh /etc/smartmontools/
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.107.156/32" port protocol="tcp" port="0-65535" accept"
systemctl restart smartd
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.219/32" port protocol="tcp" port="0-65535" accept"
systemctl status smartd
firewall-cmd --reload
firewall-cmd --list-all
</pre>
</pre>


== Enable User Disk Quotas (OPTIONAL) ==
This instructions are unnecessary
* # mkdir -p /pnfs
* # edit /etc/rc.local, add to the end of file: "mount -o intr,rw,noac,hard,nfsvers=3 trdata00:/pnfs /pnfs &"
* # . /etc/rc.local
 
For more information on, see [[TrdataDcache]] dcache page.
 
== Configure Ganglia (Centos7) ==


(+CentOS7)
CentOS7 Ganglia instructions (EPEL7 ganglia-3.7.2)


* read http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-disk-quotas.html
* emacs -nw /etc/fstab, add "grpquota,usrquota" to filesystem options, e.g.:
<pre>
<pre>
[root@isdaq00 home1]# grep quota /etc/fstab
/bin/rm /etc/gmond.conf
UUID=5a2aefbd-45db-475e-841e-12ec89220fbd /home1 ext4 defaults,grpquota,usrquota 1 2
yum -y install "ganglia-gmond*"
</pre>
/bin/cp -v /dev/null /etc/ganglia/conf.d/multicpu.conf  # collects useless data
* cd /; umount /home1; mount /home1
/bin/cp -v /dev/null /etc/ganglia/conf.d/netstats.pyconf # spews errors into syslog
* quotacheck -cug /home1
/bin/cp -v /dev/null /etc/ganglia/conf.d/diskstat.pyconf # collects useless data
* quotacheck -avug
/bin/cp -v /dev/null /etc/ganglia/conf.d/procstat.pyconf # do not create /tmp/gmond.conf
* quotaon -av
yum erase -y ganglia-vmstat ganglia-sensors ganglia-top ganglia-smart ganglia-cpumhz
* quota system is now active
cd ~/git/scripts
* increase the soft quota time limit from default 7days to 30 or 60 days: edquota -t
git pull
* set quotas for all users (see below)
/bin/cp etc/gmond.conf /etc/ganglia/gmond.conf
* setup warnquota:
systemctl enable gmond
** create warnquota config file: emacs -nw /etc/warnquota.conf
systemctl restart gmond
systemctl status gmond
cd ganglia
./ganglia-all.perl
make install
cd ~
</pre>
 
== Configure Ganglia (Centos8) ==
 
CentOS8 Ganglia instructions (EPEL8 ganglia-3.7.2)
 
<pre>
<pre>
# values can be quoted:
/bin/rm /etc/gmond.conf
MAIL_CMD        = "/usr/sbin/sendmail -t"
yum -y install "ganglia-gmond*"
FROM            = root
/bin/cp ~/git/scripts/etc/gmond.conf /etc/ganglia/gmond.conf
SUBJECT        = User %i@%h exceeded allocated disk quota
systemctl enable gmond
CC_TO          = "root"
systemctl restart gmond
# If you set this variable CC will be used only when user has less than
systemctl status gmond
# specified grace time left (examples of possible times: 5 seconds, 1 minute,
cd ~/git/scripts/ganglia
# 12 hours, 5 days)
git pull
# CC_BEFORE = 2 days
./ganglia-all.perl
SUPPORT        = "root"
make install
# Text in the beginning of the mail (if not specified, default text is used)
# This way text can be split to more lines
# Line breaks are done by '|' character
# The expressions %i, %h, %d, and %% are substituted for user/group name,
# host name, domain name, and '%' respectively. For backward compatibility
# %s behaves as %i but is deprecated.
MESSAGE        = User "%i" on "%h" has exceeded the allocated disk quota.||Please delete any unnecessary files on following filesystems or|contact the system administrato
r to increase your quota allocation:|
SIGNATURE      = --|automated email from warnquota
</pre>
</pre>
** note that %i@%h in the SUBJECT line do not seem to work
 
** create cron job: emacs -nw /etc/cron.daily/warnquota
== Configure TRIUMF DAQ packages ==
 
(+CentOS7)
 
<pre>
<pre>
#!/bin/sh
cd /etc/yum.repos.d
warnquota
wget http://daq.triumf.ca/~daqweb/yum/triumf-daq.repo
#end
</pre>
</pre>
** chmod a+x /etc/cron.daily/warnquota
** touch /etc/crontab


Useful commands for managing quotas:
== Install Konstantin's packages ==
* repquota -a | sort -n -k3 ### show quota of all users sorted by disk usage
* edquota -u username ### open "vi" editor to change user quotas
* repquote -a | grep username ### report quota for given user
* setquota -u username 0 0 0 0 /home1 ### disable quotas for given user
* setquota -u username 50000000 100000000 0 0 /home1 ### set quotas for 50GB soft and 100GB hard
* edquota -t ### change user quota time limits
* edquote -tg ### change group quota time limits


== Enable NFS V4 server (CentOS7) ==
(+CentOS7)


* create /etc/exports. example: (fsid numbers should be unique and increase 1,2,3,...)
<pre>
<pre>
/home1  @home_export(rw,no_root_squash,async,fsid=1)
yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install diskscrub emailonreboot monitor_nfs
/data1  @data_export(rw,no_root_squash,async,fsid=2)
</pre>
</pre>
* check the netgroup file
 
** if using NIS: check NIS netgroup: ypcat -k netgroup
== Install memtest and PXE boot ==
** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
 
** if no NIS, edit /etc/nsswitch.conf, make the netgrooup line read: "netgroup: files"
!!!DO NOT DO THIS!!!
* enable things, start them:
 
<pre>
<pre>
firewall-cmd --get-services
cd /boot
firewall-cmd --permanent --add-service=nfs
wget http://ladd00.triumf.ca/tftpboot/memtest86+-5.01.bin.gz
firewall-cmd --reload
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.20.bin.gz
firewall-cmd --list-all
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.10
systemctl enable nfs-server
wget http://ladd00.triumf.ca/tftpboot/gpxe-1.0.1+-gpxe.lkrn
systemctl start nfs-server
 
systemctl status nfs
emacs -nw /boot/grub/grub.conf
title memtest86+-5.01
      root (hd0,0)
      kernel /boot/memtest86+-5.01.bin.gz
title memtest86+-4.20
      root (hd0,0)
      kernel /boot/memtest86+-4.20.bin.gz
title memtest86+-4.10
      root (hd0,0)
      kernel /boot/memtest86+-4.10
title pxeboot
      root (hd0,0)
      kernel /boot/gpxe-1.0.1+-gpxe.lkrn
</pre>
</pre>


== Enable NFS V3 server (CentOS7) ==
== Install node monitoring ==
 
!!! OBSOLETE, DO NOT DO THIS !!!
 
(+CentOS7)


<pre>
<pre>
ps -efw | grep rpc.mountd # should be running!
yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install triumf_nodeinfo
firewall-cmd --get-services
/usr/sbin/sendnodeinfo.perl --config ladd00.triumf.ca:8600
firewall-cmd --permanent --add-service=mountd
emacs -nw /etc/nodeinfo
firewall-cmd --permanent --add-service=rpc-bind
/usr/sbin/sendnodeinfo.perl ladd00.triumf.ca:8600
firewall-cmd --reload
firewall-cmd --list-all
</pre>
</pre>


== Enable NFS V3 server ==
== Install gonodeinfo node monitoring ==
 
(+Ubuntu, +CentOS7, +CentOS8)


* edit /etc/hosts.allow, add or uncomment "mountd: 142.90.0.0/255.255.0.0"
go to https://bitbucket.org/dd1/gonodeinfo
* create /etc/exports. example:
follow instructions:
<pre>
<pre>
/home1  @home_export(rw,no_root_squash,async)
yum -y install golang
/data1  @data_export(rw,no_root_squash,async)
mkdir ~/git
cd ~/git
git clone https://bitbucket.org/dd1/gonodeinfo.git
# or git clone https://daq.triumf.ca/~olchansk/git/gonodeinfo.git
cd gonodeinfo
git pull
make
make install # install gonodeinfo agent
cd ~ # this is important
</pre>
</pre>
* check the netgroup file
** if using NIS: check NIS netgroup: ypcat -k netgroup
** if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
** if no NIS, edit /etc/nsswitch.conf, make the netgrooup line read: "netgroup: files"
* chkconfig nfs on
* chkconfig nfslock on
* service nfs restart


Then on ladd00 need to do
* emacs -nw /etc/gonodeinfo.conf
* ssh to root@ladd00
* change "Description", "Location", "User" and "Administrator" as appropriate (or delete them)
* edit /etc/auto.daq to add new machine...
* change "Servers" to read: Servers: daq00.triumf.ca:8601
* make -C /var/yp
* run gonodeinfo -e
* if error is "connection refused". go to the nodeinfo server to add this client to the access control list:
* on the gonodeinfo server: run /opt/gonodeinfo/gonodereceive.exe -a daq13
* try gonodeinfo again, there should be no error
* on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now
 
== Install latest system updates ==


== Enable NFS V4 SERVER (SL6) ==
(+CentOS7)


* if used with NIS, same as NFSv3
<pre>
* if used as standalone, need to edit idmapd.conf - set the "Domain" name to the same value on NFS server and NFS slave (default automagically determined value does not always work). More TBW.
yum update -y
</pre>


== Enable AMANDA backups ==
== Configure TRIUMF Printers (CentOS7) ==
 
AMANDA backups are already enabled by TRIUMF kickstart installs. For non-kickstart installation, follow instructions at [[http://amanda/~amanda http://amanda/~amanda]], or look at "/triumfcs/trshare/olchansk/linux/amanda/amanda-enable.perl". As final step, use [[https://helpdesk.triumf.ca https://helpdesk.triumf.ca]] to contact TRIUMF CS to add this new machine to the amanda backup list.
 
* yum install triumf-amanda
 
== Enable AMANDA backups (CentOS7) ==


<pre>
<pre>
yum install amanda-client
systemctl stop cups
list-unit-files | grep -i amanda
systemctl disable cups
#systemctl enable amanda
echo "ServerName printers.triumf.ca" > /etc/cups/client.conf
systemctl enable amanda.socket
lpstat -a
systemctl enable amanda-udp.socket
systemctl restart amanda.socket
systemctl restart amanda-udp.socket
firewall-cmd --get-services
firewall-cmd --permanent --add-service=amanda-client
firewall-cmd --reload
firewall-cmd --list-all
echo amanda.triumf.ca amanda amdump >> /var/lib/amanda/.amandahosts
</pre>
</pre>


On amanda server, add new machine to the disklist, then:
== Disable syslog spam (CentOS7) ==
 
Default el7 config is spamming the syslog with useless messages "systemd: Starting Session", etc. Disable this:


<pre>
<pre>
amcheck -c daily titan00
echo auditctl -e 0 >> /etc/rc.local
echo /usr/bin/systemd-analyze set-log-level notice >> /etc/rc.local
/etc/rc.local
</pre>
</pre>


== Enable DCACHE ==

DAQ dcache server is mounted as

/daq/pnfs/triumf.ca/data/

For CentOS-7 machines, you need to adjust the firewall rules in order to be able to communicate with the trdata machines; this is only necessary if you are copying data to trdata. The firewall changes are

<pre>
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.212/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.107.156/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.219/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all
</pre>

These instructions are unnecessary:
* # mkdir -p /pnfs
* # edit /etc/rc.local, add to the end of file: "mount -o intr,rw,noac,hard,nfsvers=3 trdata00:/pnfs /pnfs &"
* # . /etc/rc.local

For more information, see the [[TrdataDcache]] dcache page.

== Configure CPU speed (CentOS7) ==

In el7 the CPU frequency selection is confused. On some machines the default governor is "conservative", on other machines it is "powersave".

The current configuration can be seen by: "cpupower frequency-info -p"

The actual cpu frequency can be seen by "cat /proc/cpuinfo | grep -i mhz" and by "cpupower monitor" (run them under "watch -d -n1").

The linux kernel documentation says "powersave" will set CPU frequency to the minimum value, forever. But on some machines (e.g. daq06, daq14) it is easy to see that the CPU frequency actually changes according to the CPU load. This is explained in the documentation for the "intel_pstate" driver.

On machines where CPU frequency seems always stuck at minimum, try this:
* set the governor to "performance": cpupower frequency-set -g performance
* see if frequency now changes according to load (good) or is stuck at maximum (not so good, but ok)
* make it permanent by adding this command to /etc/rc.local - echo cpupower frequency-set -g performance >> /etc/rc.local

== Configure Ganglia ==

SL6 Ganglia instructions (EPEL6 ganglia-3.7.2)

<pre>
/bin/rm /etc/gmond.conf
yum install "*gmond*"
/bin/rm /etc/ganglia/conf.d/ganglia-triumf-daq.conf
/bin/cp -v /dev/null /etc/ganglia/conf.d/multicpu.conf
/bin/cp -v /dev/null /etc/ganglia/conf.d/netstats.pyconf
/bin/cp -v /dev/null /etc/ganglia/conf.d/diskstat.pyconf
/bin/cp -v /dev/null /etc/ganglia/conf.d/procstat.pyconf
/bin/cp ~/git/scripts/etc/gmond.conf /etc/ganglia/gmond.conf
chkconfig gmond on
service gmond restart
</pre>

== Configure Ganglia (CentOS7) ==

CentOS7 Ganglia instructions (EPEL7 ganglia-3.7.2)

<pre>
/bin/rm /etc/gmond.conf
yum -y install "ganglia-gmond*"
/bin/cp -v /dev/null /etc/ganglia/conf.d/multicpu.conf  # collects useless data
/bin/cp -v /dev/null /etc/ganglia/conf.d/netstats.pyconf # spews errors into syslog
/bin/cp -v /dev/null /etc/ganglia/conf.d/diskstat.pyconf # collects useless data
/bin/cp -v /dev/null /etc/ganglia/conf.d/procstat.pyconf # do not create /tmp/gmond.conf
/bin/cp ~/git/scripts/etc/gmond.conf /etc/ganglia/gmond.conf
systemctl enable gmond
systemctl restart gmond
systemctl status gmond
</pre>

== Configure TRIUMF DAQ packages ==

(+CentOS7)

<pre>
cd /etc/yum.repos.d
wget http://daq.triumf.ca/~daqweb/yum/triumf-daq.repo
</pre>

== Install Konstantin's packages ==

(+CentOS7)

<pre>
yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install diskscrub emailonreboot monitor_nfs "ganglia-*" triumf_nodeinfo
</pre>

== Install basic system packages (CentOS7) ==

(if starting from a minimal system, these basic system packages are required:)

<pre>
yum install -y which psmisc redhat-lsb-core xorg-x11-xauth xterm emacs-nox rsync tcpdump strace nfs-utils sysstat iftop tcsh
yum install -y gcc gcc-c++ gdb glibc-static libstdc++-static zlib zlib-devel openssl-devel httpd-tools
</pre>

== Install packages needed for QUARTUS, ROOT, EPICS and MIDAS DAQ ==

(+CentOS7)

yum install --skip-broken giflib.x86_64 sysstat "libusb-devel*" "libusbx-devel*" unixODBC-devel postgresql-devel libxml2-devel libXpm-devel libgfortran git compat-readline43 "graphviz*" dcap "tigervnc*" telnet glibc"*" strace "fftw*" libpng "freetype*" xpdf "xemacs*" tkcvs xterm mutt "*-g77*" joe "libXmu*" dcap-devel gsl-devel pcre-devel h5py gd-devel xorg-x11-fonts"*" minicom xfig"*" perl-BSD-Resource "net-snmp-*" readline-static git-all nasm imake tcl-devel gv xorg-x11-twm expat-devel screen compat-readline5 ImageMagick ImageMagick-devel wget alacarte scipy numpy sympy nedit gnuplot php-cli php-domxml-php4-php5 php-gd php-fpdf php-cli kdebase cmake tcpdump sqlite sqlite-devel kdegraphics gdisk lsof gconf-editor iftop tk-devel mcelog kdm blt itcl lz4 bzip2 pbzip2 apr-devel apr-util-devel net-tools golang"*" --exclude golang-cover"*"hg"*" --exclude golang"*"hg"*" --exclude golang-pkg"*" --exclude golang-github"*" --exclude golang"*"git"*" mesa"*" xerces-c"*" diffuse clang i2c-tools  texlive-revtex texlive-revtex4 kile kbibtex xrdp glibc.i686 gimp gimp-data-extras perl-GD"*" perl-Math"*" perl-Statistics-Basic cmake3 cmake3-gui extra-cmake-modules python2-pip  mariadb-devel glibc-devel.i686 libzstd zlib-devel.i686

== Install optional packages ==

!! DO NOT DO THIS !!

(do not install boost on 32-bit machines)

yum install --skip-broken "boost-*"

(packages for 32-bit software compilation on 64-bit machines. this is optional)

yum install --skip-broken giflib.i386 giflib.i686 compat-libf2c-34.i386 compat-libf2c-34.i686 mysql-devel.i686 openssl-devel.i686 unixODBC-devel.i686 libstdc++-devel.i386 libstdc++-devel.i686 "zlib-*.i686" "libXext-*.i686" "libXtst-*.i686" glibc-static.i686 freetype.i686 fontconfig.i686 libpng.i686 libXrender.i686 glibc-devel.i686 libX11-devel.i686 libXpm-devel.i686 libXft-devel.i686 mysql-devel.i686 dcap-devel.i686 gsl-devel.i686 pcre-devel.i686 fontconfig-devel.i686 freetype-devel.i686 libpng-devel.i686 libjpeg-devel.i686 libgfortran.i686 libxml2-devel.i686 gd-devel.i686 readline-devel.i686 ncurses-devel.i686 libXdmcp.i686 readline-static.i686 compat-readline5.i686

yum install boost-devel.i686

(separately install these packages - they collide with the big bunch above)

yum install rdesktop

yum reinstall urw-fonts

== Install libraries for PHYSICA (CentOS7) ==

To run physica built on el6 from git sources on el7, do this:

(building physica on el7 is not supported at this time)

(see more http://www.triumf.info/wiki/DAQwiki/index.php/PHYSICA)

<pre>
yum -y install libX11.i686 gd.i686 libpng12.i686 readline.i686 compat-libf2c-34.i686
</pre>


== Install memtest and PXE boot ==

<pre>
cd /boot
wget http://ladd00.triumf.ca/tftpboot/memtest86+-5.01.bin.gz
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.20.bin.gz
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.10
wget http://ladd00.triumf.ca/tftpboot/gpxe-1.0.1+-gpxe.lkrn

emacs -nw /boot/grub/grub.conf
title memtest86+-5.01
      root (hd0,0)
      kernel /boot/memtest86+-5.01.bin.gz
title memtest86+-4.20
      root (hd0,0)
      kernel /boot/memtest86+-4.20.bin.gz
title memtest86+-4.10
      root (hd0,0)
      kernel /boot/memtest86+-4.10
title pxeboot
      root (hd0,0)
      kernel /boot/gpxe-1.0.1+-gpxe.lkrn
</pre>

== Install additional desktop environments (CentOS7) ==

<pre>
# LXQT (from EPEL)
# NOT COMPATIBLE WITH el7.7 # yum -y install "lxqt*"
# Cinnamon desktop (from EPEL)
yum -y install cinnamon
# KDE5 not available yet
# MATE (from epel)
yum -y groupinstall "MATE Desktop"
yum -y install mate-common mate-icon-theme-faenza mate-netspeed mate-sensors-applet mate-themes-extras mate-utils
yum -y erase ModemManager abrt abrt-libs abrt-gui-libs
# XFCE4 (from EPEL)
yum -y groupinstall xfce
yum -y install "xfce*plugin" xfce4-about --exclude xfce4-hamster-plugin
yum -y erase bash-completion
</pre>

* make the MATE desktop the default

<pre>
cd ~root/git/scripts/
git pull
/bin/cp -v etc/lightdm_default_mate.conf /etc/lightdm/lightdm.conf.d/
</pre>

* lightdm login manager (from EPEL)
<pre>
yum install lightdm lightdm-kde lightdm-qt lightdm-qt5
</pre>

* and switch from gdm to lightdm
<pre>
systemctl disable gdm.service
systemctl enable lightdm.service
(systemctl stop gdm; systemctl restart lightdm) &
</pre>


== Install node monitoring ==

(+CentOS7)

<pre>
yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install triumf_nodeinfo
/usr/sbin/sendnodeinfo.perl --config ladd00.triumf.ca:8600
emacs -nw /etc/nodeinfo
/usr/sbin/sendnodeinfo.perl ladd00.triumf.ca:8600
</pre>

== Install SMART scripts ==

(+CentOS7)

<pre>
ln -sf ~/git/scripts/smart-status/smart-status.perl ~/
</pre>


== Install gonodeinfo node monitoring ==

(+Ubuntu, +CentOS7)

go to https://bitbucket.org/dd1/gonodeinfo and follow the instructions:
<pre>
yum -y install golang
mkdir ~/git
cd ~/git
git clone https://bitbucket.org/dd1/gonodeinfo.git
cd gonodeinfo
git pull
make
make install # install gonodeinfo agent
cd ~ # this is important
</pre>

* edit /etc/gonodeinfo.conf
* change "Description", "Location", "User" and "Administrator" as appropriate (or delete them)
* change "Servers" to read: Servers: ladd00.triumf.ca:8601
* run gonodeinfo
* if the error is "connection refused", go to the nodeinfo server to add this client to the access control list:
* on the gonodeinfo server: run gonodereceive -a daq13
* try gonodeinfo again, there should be no error
* on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now

== Install NTFS drivers ==

yum install ntfs-3g ntfsprogs (from EPEL)

== Install HFS and HFS+ drivers (CentOS7) ==

yum --disablerepo=\* --enablerepo=elrepo install kmod-hfs kmod-hfsplus


== Install latest system updates ==

(+CentOS7)

<pre>
yum update -y
</pre>

== Configure TRIUMF Printers ==

<pre>
chkconfig cups off
service cups stop
yum install triumf-printers
</pre>

== Install Google Chrome web browser (64-bit CentOS7) ==

DOES NOT WORK AS OF google-chrome-stable-114 because google uses a signature incompatible with CentOS-7, see https://www.reddit.com/r/chrome/comments/13s799o/googlechromebeta_1140573545_rpm_invalid_signature/

Automatic updates will fail with a signature check error; to defeat it, lock the old version of google-chrome:
<pre>
yum versionlock google-chrome-stable
</pre>

THIS DOES NOT WORK ANYMORE:

<pre>
/bin/cp ~/git/scripts/etc/google-chrome-64.repo /etc/yum.repos.d/
yum install google-chrome-stable
</pre>


== Enable monitoring of HTTPS certificates ==

On SL6, CentOS7:

<pre>
yum install crypto-utils
/etc/cron.daily/certwatch
strace -f /etc/cron.daily/certwatch  |& grep open  | grep crt
</pre>

== Enable 100dpi fonts for EPICS ==

(+CentOS7)

<pre>
ln -s /usr/share/X11/fonts/100dpi /etc/X11/fontpath.d/
</pre>


== Enable crontab @reboot for MIDAS (CentOS7) ==

el7 has a bug - cron @reboot entries for normal users can run before autofs is ready, so if the home directory is on autofs/NFS, it cannot be accessed and the cron job fails. If MIDAS is supposed to be started by cron @reboot, it will not start (there *will* be an error message in /var/log/cron).

<pre>
mkdir /etc/systemd/system/crond.service.d
echo -e "[Unit]\nAfter=ypbind.service autofs.service\n" > /etc/systemd/system/crond.service.d/local.conf
systemctl daemon-reload
systemctl cat crond.service
</pre>

el7 has a second bug: sometimes it thinks the network is running when it is not, specifically, DNS is not working and the autofs mount of the user home directory fails. So not only does cron have to wait for ypbind and autofs to be ready, we also have to wait for DNS to be ready:

<pre>
cd ~/git/scripts
git pull
cp etc/wait-for-dns.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable wait-for-dns
systemctl restart wait-for-dns # should return immediately. if there is a 30 second delay, the script is broken, disable it
systemctl status wait-for-dns # to see what went wrong.
</pre>

Explore the systemd dependency tree using "systemctl list-dependencies", maybe with "--all".

Visualize the exact boot sequence from the previous boot: "systemd-analyze plot > xxx.svg", then look at the svg file using a web browser.

== Enable firewall for MIDAS (CentOS7) ==

Default el7 configuration prevents all access to servers running on the local machine, including access to MIDAS mhttpd (tcp port 8443) and mserver (all tcp ports).

To enable access to mhttpd:

<pre>
firewall-cmd --add-port=8443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
</pre>

To enable access to the mserver from a specific host: (replace 142.90.111.175 with the IP address of the permitted host)

<pre>
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.111.175/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all
</pre>

To enable access from the private network (replace "192.168.1.0" with your private network number):

<pre>
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all
</pre>


== Enable firewall for EPICS (CentOS7) ==

To enable access to TRIUMF EPICS servers, do this:

<pre>
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.132.0/23" accept"
firewall-cmd --reload
firewall-cmd --list-all
</pre>

For UCN the controls people seem to have EPICS set up on a different server; this might be true for CMMS as well. In this case the firewall rule change should be

<pre>
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.139.0/23" accept"
firewall-cmd --reload
firewall-cmd --list-all
</pre>
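Added example (not part of this page or the TRIUMF scripts): a POSIX shell helper that builds the two rich-rule shapes used in the MIDAS and EPICS sections above and rejects a malformed source address or port range before it reaches firewall-cmd, so a typo cannot turn into a broader rule than intended. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DaqWiki page or the TRIUMF scripts.
# Builds firewalld rich rules of the two shapes used on this page and
# validates the inputs first. Function names are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port or port range within 0-65535 (e.g. 8443, 0-65535).
is_port_range() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo="${1%-*}"; hi="${1#*-}"
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}

# Print a rich rule accepting TCP from SOURCE on PORTS, or every protocol from
# SOURCE when PORTS is omitted (the form used for the EPICS subnets).
# Usage: firewall_rich_rule SOURCE [PORTS]
firewall_rich_rule() {
    src="$1"; ports="$2"
    if ! is_ipv4_cidr "$src"; then
        echo "firewall_rich_rule: bad source address '$src'" >&2
        return 1
    fi
    if [ -z "$ports" ]; then
        printf 'rule family="ipv4" source address="%s" accept\n' "$src"
        return 0
    fi
    if ! is_port_range "$ports"; then
        echo "firewall_rich_rule: bad port range '$ports'" >&2
        return 1
    fi
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept\n' "$src" "$ports"
}

# Apply a rule permanently and reload, exactly as the page does by hand.
# Only runs when invoked explicitly; needs root and firewalld on the host.
apply_rich_rule() {
    rule="$(firewall_rich_rule "$@")" || return 1
    firewall-cmd --permanent --add-rich-rule="$rule" &&
    firewall-cmd --reload &&
    firewall-cmd --list-all
}
```

For the mserver rule above, `apply_rich_rule 142.90.111.175/32 0-65535` produces the same firewall-cmd call as the page; pass a narrower port range when the mserver port range is known.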


== Disable gdm and X11 (OPTIONAL) ==

<pre>
initctl stop prefdm
echo "start on never" > /etc/init/prefdm.override
echo "start on never" > /etc/init/splash-manager.override
initctl reload-configuration
</pre>

then enable login on default console:

<pre>
echo "plymouth quit" >> /etc/rc.local
echo "X_TTY=xxx/dev/tty1" >> /etc/sysconfig/init
</pre>

== Install JAVAWS (OPTIONAL) ==

* to run Java "web start" jnlp files (EVO, SEEVOGH, etc): javaws Downloads/spider.jnlp
* install javaws:
* yum install icedtea-web icedtea-web-javadoc

== Install firefox java plugin (OPTIONAL, DO NOT DO THIS) ==

This installs the Oracle Java plugin:

* rpm -vh --install ~deap/jdk-7u15-linux-x64.rpm
* ls -l /usr/lib64/mozilla/plugins/
* ln -s /usr/java/jdk1.7.0_15/jre/lib/amd64/libnpjp2.so /usr/lib64/mozilla/plugins/
* start firefox, go edit->preferences->general->manage add-ons->plugins
* "java plugin 1.7.0_15" should be listed


== Configure USB device permissions ==

(+CentOS7)

Configure USB device permissions for user access to USB-serial devices, Altera USB Blaster, etc.

* create file /etc/udev/rules.d/99-usb-chmod.rules with this contents:

<pre>
emacs -nw /etc/udev/rules.d/99-usb-chmod.rules
ACTION=="add", SUBSYSTEM=="usbmisc", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="usb_device", RUN+="/bin/chmod a+wr /dev/%c"
ACTION=="add", SUBSYSTEM=="usb_device", RUN+="/bin/chmod a+wr /proc/%c"
ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/bin/chmod a+wr $env{DEVICE}"
ACTION=="add", ENV{PHYSDEVBUS}=="usb-serial", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", ENV{DEVPATH}=="/class/tty/ttyS*", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyUSB*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyACM*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyS*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", DEVPATH=="*video*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
</pre>

* reload udev rules: udevadm control --reload-rules
* apply new permissions: udevadm trigger --action=add
* watch udev activity: udevadm monitor -p
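Added example (not part of this page): a shell check that reads a udev rules file and reports every rule that makes a device node world-writable, which is what the chmod a+rw rules above do, plus a helper that writes the equivalent group-scoped rule for the cases where only one group of users needs the device. The function names, the constructed sample file and the choice of the dialout group are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DaqWiki page: a check for udev rules that
# make device nodes world-writable, like the chmod a+rw rules above. Function
# names, the sample file and the group-rule helper are assumptions.

# Return 0 if the single rule line in $1 grants write access to everyone:
# a RUN chmod with a+rw/a+wr/o+w or an octal mode whose "other" digit has the
# write bit set (2,3,6,7), or a MODE= assignment with such an "other" digit.
udev_rule_is_world_writable() {
    case "$1" in
        ''|'#'*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq \
        'chmod[[:space:]]+(a\+(rw|wr)|o\+(w|rw|wr)|[0-7]?[0-7][0-7][2367]([[:space:]]|$))|MODE="0?[0-7][0-7][2367]"'
}

# Read a rules file, print each world-writable rule on stderr and the total
# count on stdout.
udev_world_writable_count() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        if udev_rule_is_world_writable "$line"; then
            printf 'world-writable: %s\n' "$line" >&2
            count=$((count + 1))
        fi
    done < "$1"
    echo "$count"
}

# Equivalent rule that grants the same access to one group instead of to
# everyone: udev sets owner, group and mode itself, no RUN chmod needed.
# Usage: udev_group_rule 'SUBSYSTEM=="tty", DEVPATH=="*ttyUSB*"' dialout
udev_group_rule() {
    printf 'ACTION=="add", %s, MODE="0660", GROUP="%s"\n' "$1" "$2"
}

# Constructed sample: three of the page's rules plus one group-scoped rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not a real rules file
ACTION=="add", SUBSYSTEM=="usbmisc", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyUSB*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", DEVPATH=="*video*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyACM*", MODE="0660", GROUP="dialout"
EOF
}
```

Run `udev_world_writable_count /etc/udev/rules.d/99-usb-chmod.rules` on a machine configured as above to list the rules worth narrowing to a group.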
 
== Install Google Chrome web browser (64-bit SL6) ==

Google-chrome 27 is too old to use with recent MIDAS but it has working Flash:

<pre>
rpm -vh --install https://daqshare.triumf.ca/~olchansk/google-chrome/google-chrome-stable-27.0.1453.110-202711.x86_64.rpm
/bin/rm /etc/cron.daily/google-chrome
yum-config-manager --disable google-chrome
yum-config-manager --disable google-chrome-64
google-chrome
</pre>

Chromium 38 works with current MIDAS. No Flash, no PDF viewer:

<pre>
yum install -y policycoreutils-python
rpm -vh --install https://daqshare.triumf.ca/~olchansk/google-chrome/chromium-browser-38.0.2125.111-1.el6.centos.x86_64.rpm
chromium-browser
</pre>

== Disable modem-manager ==

The modem-manager will try to talk to any serial devices attached to USB serial ports. It assumes that those devices are modems and will send out modem-specific commands. If the devices are not modems and do not understand or do not like modem commands, well, that's too bad. modem-manager is installed by the ModemManager package required by the NetworkManager package, and there is no configuration setting to turn modem-manager off.

One way to disable it is: chmod a= /usr/sbin/modem-manager

Another way to disable it is by forced uninstall: rpm --erase --nodeps ModemManager

Remember to kill the running copy: killall -KILL modem-manager

Caveat: it is not clear whether modem-manager would be resurrected by an update to the NetworkManager or ModemManager packages.

== Configure Altera jtagd ==

(if needed)

<pre>
mkdir /etc/jtagd
echo 'Password = "123";' > /etc/jtagd/jtagd.conf
cp -pv  /daq/daqshare/olchansk/altera/11.0/quartus/linux/pgm_parts.txt /etc/jtagd/jtagd.pgm_parts
</pre>

* start local jtagd: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagd
* test local connection: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagconfig
* test remote connection (add this machine to your .jtag.conf, run jtagconfig)

For more information, go to [[Quartus]]

== Install EOS ==

Instructions from here:

http://eos-docs.web.cern.ch/eos-docs/quickstart/setup_repo.html

<pre>
rpm -vh --install https://dss-ci-repo.web.cern.ch/dss-ci-repo/eos/citrine/tag/el-7/x86_64/eos-repo-el7-generic-1.noarch.rpm
yum-config-manager --disable eos-citrine # disable auto-update because all packages are not signed
yum-config-manager --disable eos-dep # disable auto-update because all packages are not signed.
yum install eos-client eos-fuse --enablerepo=eos-citrine
</pre>


== Install fix for the el7 systemd dbus boot hang ==

Around early Summer 2018 el7 started showing a boot problem. In a nutshell, there is a problem with the dbus connection between dbus and systemd that prevents polkit, firewalld, etc from starting. The system eventually boots enough that one can ssh into it, but most things do not work. Notably, polkit is not running, firewalld is not running, ssh login takes about 15-30 seconds.

The solution is to add a special systemd service to check that dbus started correctly. It runs after dbus is started, but before it is used, and it restarts dbus in a loop with a delay until dbus starts correctly. In testing, dbus always starts correctly after the first retry.

<pre>
cd ~root/git/scripts/etc
git pull
/bin/cp -vf systemd-check-dbus.perl /usr/bin/
/bin/cp -vf systemd-check-dbus.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable systemd-check-dbus
systemctl start systemd-check-dbus
systemctl status systemd-check-dbus
</pre>

After linux boots, if everything was okay, the script will report this:
<pre>
[root@iris01 ~]# systemctl status systemd-check-dbus
...
Feb 08 17:15:49 iris01.triumf.ca systemd[1]: Starting Check that systemd is registered with dbus...
Feb 08 17:15:49 iris01.triumf.ca sh[4283]: Starting check for systemd dbus connection
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:      string "org.freedesktop.DBus"
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:      string "org.freedesktop.systemd1"
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: systemd1 dbus service exists, success!
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: Finished check for systemd dbus connection
Feb 08 17:15:50 iris01.triumf.ca systemd[1]: Started Check that systemd is registered with dbus.
</pre>

If the boot problem happened, the script will report about restarting dbus.

Note: the systemd service file adjusts the start order of other services; this adjustment seems to reduce the probability of the problem.
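Added example (not the page's systemd-check-dbus.perl): the same check written as shell functions, so that the "look for systemd1 on the bus, otherwise restart dbus and retry" loop can be run against constructed dbus replies offline. The function names, the restart command and the sample replies are assumptions.

```shell
#!/bin/sh
# Added example, not the page's systemd-check-dbus.perl: the same check in
# shell form. Whether systemd is registered on the system bus is decided by
# looking for its well-known name in the bus's ListNames reply, and the
# restart loop is parameterised so it can be exercised without a live bus.
# Function names, the restart command and the sample replies are assumptions.

# stdin: a `dbus-send --print-reply ... ListNames` reply. Returns 0 when the
# org.freedesktop.systemd1 name is present (the "success!" case in the log).
dbus_names_have_systemd1() {
    grep -q 'string "org.freedesktop.systemd1"'
}

# Query the live system bus (real dbus-send invocation; needs a running dbus).
list_system_bus_names() {
    dbus-send --system --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.ListNames
}

# Restart the system bus (assumed to be what the page's service does).
restart_system_dbus() {
    systemctl restart dbus.service
}

# Retry loop: $1 = command printing the ListNames reply, $2 = command that
# restarts dbus, $3 = maximum attempts, $4 = delay in seconds between them.
# Prints the attempt number that succeeded and returns 0, or returns 1 after
# the last attempt fails.
check_systemd_dbus() {
    lister="$1"; restarter="$2"; max="$3"; delay="$4"
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$lister" 2>/dev/null | dbus_names_have_systemd1; then
            echo "$attempt"
            return 0
        fi
        echo "attempt $attempt: systemd1 not registered on the system bus, restarting dbus" >&2
        "$restarter"
        sleep "$delay"
        attempt=$((attempt + 1))
    done
    echo "giving up after $max attempts" >&2
    return 1
}

# Constructed replies for offline testing: the healthy case lists systemd1,
# the broken case (what the page describes) does not.
sample_reply_ok() {
    printf '   string "org.freedesktop.DBus"\n   string "org.freedesktop.systemd1"\n'
}
sample_reply_broken() {
    printf '   string "org.freedesktop.DBus"\n   string ":1.3"\n'
}
```

On a real host the service would call `check_systemd_dbus list_system_bus_names restart_system_dbus 10 5`.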


== Configure GRUB boot loader (CentOS7, CentOS8) ==

* emacs -nw /etc/default/grub, remove "rhgb" and "quiet" from GRUB_CMDLINE_LINUX
* grub2-mkconfig -o /boot/grub2/grub.cfg
* grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
* grub2-editenv list # show contents of boot environment file
* /bin/rm /boot/grub2/grubenv # remove stale settings, make grub2 boot from first entry in config file

== Install memtest86+ (CentOS7, CentOS8) ==

<pre>
yum -y install memtest86+
/bin/cp -vf /usr/share/memtest86+/20_memtest86+ /etc/grub.d/
/bin/chmod a+x /etc/grub.d/20_memtest86+
grub2-mkconfig -o /boot/grub2/grub.cfg
</pre>

== Disable ELREPO ==

<pre>
sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo_triumf.repo
sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo.repo
</pre>


== Reduce install size (optional) ==

This is optional. Only do this if reducing the size of the OS image is very important.

Do this for VME processors.

<pre>
yum erase "texlive*" "java*" "boost*" libreoffice"*"
#yum erase "xemacs*"
yum erase "libstdc++-docs"
yum erase firefox google-chrome"*"
yum clean all
</pre>

<pre>
/bin/rm -rf /usr/share/help
/bin/rm -rf /usr/share/doc
</pre>

== Update from el7.6 to el7.7 ==

<pre>
yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod
yum-config-manager --disable zfs-testing-kmod
yum versionlock delete zfs
yum versionlock delete kernel
yum -y update "yum*" "rpm*"
yum -y erase libqtxdg lxqt-qtplugin ### LXQT is not compatible
yum update
</pre>

After rebooting into el7.7, follow the instructions for updating ZFS from version 0.7 to 0.8.

== Update ZFS ==

* CentOS-7: 0.8.5 to 2.0.7
** update kernel to latest version, reboot
** check /etc/yum.repos.d/zfs.repo has [zfs-kmod] baseurl=http://download.zfsonlinux.org/epel/7.9/kmod/$basearch/
** yum --enablerepo=zfs-kmod update
** reboot, login as root
** run "zfs version"
** run "zfs upgrade"

== Switch from LADD-NIS to DAQ-NIS ==

<pre>
domainname DAQ-NIS
/usr/lib64/yp/ypinit -s daq00
ls -l /var/yp
sed -i s/LADD-NIS/DAQ-NIS/ /etc/yp.conf
sed -i s/LADD-NIS/DAQ-NIS/ /etc/sysconfig/network
systemctl restart ypserv
systemctl restart ypbind
ypwhich
ypwhich -m
</pre>

== Finish installation ==

reboot


== Special hardware settings ==

=== ASUS Crosshair mobo ===

* use BIOS version 1207 or newer
* (before CentOS7) sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors
* CentOS7: installs correct drivers automatically

=== ASUS Crosshair-II mobo ===

* use BIOS version 2607 or newer
* for the onboard IDE to work, add "all-generic-ide" to kernel boot options in grub.conf
* sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors

=== ASUS P7P55D EVO mobo ===

* use BIOS version 2004 or newer
* SL6 - install special driver for on board PCIe GigE network port and disable on board PCI GigE network port:
** yum --enablerepo elrepo install kmod-r8168 kmod-r8169
** # do not do this: sed 's/^blacklist/#blacklist/' -i /etc/modprobe.d/blacklist-r8169.conf
** reboot
** verify that correct drivers are loaded: ethtool -i eth0; ethtool -i eth1
** note: there will be no eth1 - r8169 driver is disabled.

=== ASUS P6X58-E-WS mobo ===

* BIOS settings
** F1 or DEL to enter BIOS setup, F8 boot menu
** go to POWER->HW mon, confirm CPU temperature is around 30C. (heatsink is installed correctly. Bad heatsink temperature quickly goes up to 50-70C).
** Main menu: Storage config - SATA change IDE->AHCI
** System information: confirm BIOS version 301, CPU type, memory size
** AI Tweak: set DRAM frequency - AUTO->DDR3-1333
** Advanced->Onboard devices: LAN BOOT: enabled
** Power->HW monitor: CPU Q-FAN: enabled
** Boot->Settings: Quick boot: enabled; Full screen logo: disabled; Wait for F1: disabled
** Save and exit

=== ASUS E35M1-M PRO mobo ===

* http://www.asus.com/Motherboards/E35M1M_PRO/#specifications
* use BIOS version 1002 or newer
* for CPU temperature: install kmod-k10temp from ELREPO (kmod-k10temp-0.0-4.el6.elrepo.x86_64.rpm)
* for Sensors: yum --enablerepo elrepo install kmod-w83627ehf; modprobe w83627ehf; sensors
* for Graphics: yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
* to enable booting from USB3, edit /etc/dracut.conf, change line "add_drivers" to read: add_drivers+="xhci-hcd"
* to use multiple monitors, run "aticonfig --initial --heads=2 --adapter=1 --xinerama=on"; to change screen layout, edit /etc/X11/xorg.conf. Only dual monitors DVI+HDMI seem to work. Triple monitors do not seem to work.
Sensors instructions below are obolete (use driver from ELREPO)
* for Sensors, install driver for NCT6776F chip from https://github.com/groeck/w83627ehf/archives/master (in the Makefile, change the line "KERNEL_BUILD=" to read: "KERNEL_BUILD:=/usr/src/kernels/$(TARGET)"):
<pre>
cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/groeck-w83627ehf-dd3e543/w83627ehf.ko
echo "modprobe hwmon; modprobe hwmon-vid; modprobe k10temp; rmmod w83627ehf; insmod /root/w83627ehf.ko" >> /etc/rc.local
</pre>


One way to disable it is: chmod a= /usr/sbin/modem-manager
=== ASUS E45M1-M PRO mobo ===


Another way to disable it is by forced uninstall: rpm --erase --nodeps ModemManager
* https://www.asus.com/Motherboards/E45M1M_PRO/#specifications
* use BIOS 1202 or newer
* follow the E35M1-M PRO instructions above


Remember to kill the running copy: killall -KILL modem-manager
=== ASUS P9X79 WS ===


Caveat: it is not clear if modem-manager would not be resurrected by an update to the NetworkManager or ModemManager packages.
* http://www.asus.com/Motherboard/P9X79_WS/
* use BIOS version 4901. Older versions seem to be ok: 3101, 3401, 4701, 4802 or newer. If BIOS is 1305 or older, install P9X79-WS-CAP-Converter.ROM (BIOS 2902/3101), then the new BIOS.
* (not needed for CentOS7) for CPU temperature, install coretemp
* (not needed for CentOS7) for sensors, install driver for NCT6776F chip same as E35M1-M above.
* BIOS Settings:
** enter "Advanced mode"
** Ai Tweaker -> Ai Overclock Tuner -> Set to "XMP" - this enables DDR3-1600 RAM speed vs DDR3-1333 by default
** ### NOT THIS: Monitor -> CPU fan speed low limit -> Set to "200 RPM" - we are using high efficiency slow turning CPU coolers and the default 600 RPM is right on the edge of firing false warnings
** Monitor -> disable Q-fan on for all fans - let all fans always run at maximum RPMs
** Boot -> Full screen logo -> Set to "disabled"
** Wait for F1 -> Set to "disabled"


== Configure Altera jtagd ==
=== ASUS P8B-M ===


(if needed)
* use BIOS version 6103 or newer
* for CPU temperature, install coretemp
* for sensors, install driver for NCT6776F chip same as E35M1-M above.


=== SUPERMICRO X9SCL ===
* yum install kmod-w83627ehf.x86_64 coretemp
* xemacs -nw /etc/rc.local, add:
<pre>
<pre>
mkdir /etc/jtagd
modprobe coretemp
echo 'Password = "123";' > /etc/jtagd/jtagd.conf
modprobe w83627ehf
cp -pv /triumfcs/trshare/olchansk/altera/11.0/quartus/linux/pgm_parts.txt /etc/jtagd/jtagd.pgm_parts
</pre>
</pre>


* start local jtagd: /triumfcs/trshare/olchansk/altera/11.0/quartus/bin/jtagd
=== ASUS Z87-WS ===
* test local connection: /triumfcs/trshare/olchansk/altera/11.0/quartus/bin/jtagconfig
 
* test remote connection (add this machine to your .jtag.conf, run jtagconfig
<pre>
cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko
echo modprobe hwmon-vid >> /etc/rc.local
echo insmod /root/nct6775.ko >> /etc/rc.local
/etc/rc.local
sensors
</pre>


For more information, go to [[Quartus]]
=== ASUS Z97-WS ===


== Install EOS ==
the nct6775 driver does not work because of conflict with ACPI.


Instructions from here:
=== ASUS Z170-DELUXE ===
http://eos-docs.web.cern.ch/eos-docs/quickstart/setup_repo.html


<pre>
* use bios 3801
rpm -vh --install https://dss-ci-repo.web.cern.ch/dss-ci-repo/eos/citrine/tag/el-7/x86_64/eos-repo-el7-generic-1.noarch.rpm
* set XMP mode (DDR4-2400)
yum-config-manager --disable eos-citrine # disable auto-update because all packages are not signed
* Advanced->On board devices: set sata mode to "M2", set PCIe slot 3 to "x4"
yum-config-manager --disable eos-dep # disable auto-update because all packages are not signed.
* boot: disable f1, disable logo, disable numlock
yum install eos-client eos-fuse --enablerepo=eos-citrine
</pre>


== Install fix for the el7 systemd dbus boot hang ==
=== ASUS AM1M-A ===
 
Around early Summer 2018 el7 started showing a boot problem. In the nutshell,
there is a problem with the dbus connection between dbus and systemd that
prevents polkit, firewalld, etc from starting. The system eventually boots
enough that one can ssh into it, but most things do not work. Notably,
polkit is not running, firewalld is not running, ssh login takes about 15-30 second.
 
Solution is to add a special systemd service to check that dbus started correctly.
It that runs after dbus is started, but before it is used, and it restarts dbus in a loop
with a delay until dbus starts correctly. In testing, dbus always starts correctly after
the first retry.


* use BIOS 602 or later
* SL6.5 installer cannot use USB2 ports and the network. Use USB3 ports (blue colour) to boot USB installer (memtest, rescue, etc)
* SL6.5 kernels require boot option "iommu=soft" or USB2 and network do not work. (USB3 - blue ports - seems okey)
* install ATI/AMD video drivers from ELREPO (see below)
* sensors chip is ITE IT8623E, for SL6, use standalone driver from lm_sensors. (2 fans rpm, 2 temperatures):
<pre>
<pre>
cd ~root/git/scripts/etc
cd ~root
git pull
wget http://ladd00.triumf.ca/~olchansk/linux/it87.ko
cp systemd-check-dbus.perl /usr/bin/
echo modprobe hwmon_vid >> /etc/rc.local
cp systemd-check-dbus.service /etc/systemd/system/
echo insmod /root/it87.ko >> /etc/rc.local
systemctl daemon-reload
. /etc/rc.local
systemctl enable systemd-check-dbus
systemctl start systemd-check-dbus
systemctl status systemd-check-dbus
</pre>
</pre>
 
* for el7 use it87.ko driver:
After linux boots, if everything was okey, the script will report this:
<pre>
<pre>
[root@iris01 ~]# systemctl status systemd-check-dbus
cd ~root
...
wget https://daqshare.triumf.ca/~olchansk/linux/CentOS7/it87.ko
Feb 08 17:15:49 iris01.triumf.ca systemd[1]: Starting Check that systemd is registered with dbus...
echo modprobe hwmon_vid >> /etc/rc.local
Feb 08 17:15:49 iris01.triumf.ca sh[4283]: Starting check for systemd dbus connection
echo insmod /root/it87.ko >> /etc/rc.local
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:      string "org.freedesktop.DBus"
. /etc/rc.local
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:      string "org.freedesktop.systemd1"
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: systemd1 dbus service exists, success!
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: Finished check for systemd dbus connection
Feb 08 17:15:50 iris01.triumf.ca systemd[1]: Started Check that systemd is registered with dbus.
</pre>
</pre>
* sensors output:
<pre>
[root@midemma02 ~]# sensors
radeon-pci-0008
Adapter: PCI adapter
temp1:        +22.0°C  (crit = +120.0°C, hyst = +90.0°C)


If the boot problem happened, the script will report about restarting dbus.
fam15h_power-pci-00c4
Adapter: PCI adapter
power1:          N/A  (crit =  25.00 W)


Note: the systemd service file adjusts the start order of other services, this adjustment seems to reduce the probability of the problem.
k10temp-pci-00c3
Adapter: PCI adapter
temp1:        +22.2°C  (high = +70.0°C)
                      (crit = +70.0°C, hyst = +69.0°C)


== Configure GRUB boot loader ==
it8603-isa-0290
Adapter: ISA adapter
in0:          +0.96 V  (min = +2.50 V, max = +2.95 V)  ALARM
in1:          +2.23 V  (min = +0.94 V, max = +1.22 V)  ALARM
in2:          +2.03 V  (min =  +0.74 V, max =  +0.77 V)  ALARM
in3:          +2.00 V  (min =  +1.26 V, max =  +0.13 V)  ALARM
in4:          +2.23 V  (min =  +2.95 V, max =  +2.15 V)  ALARM
3VSB:        +3.36 V  (min =  +6.00 V, max =  +2.50 V)  ALARM
Vbat:        +3.22 V 
+3.3V:        +3.36 V 
fan1:        611 RPM  (min =  200 RPM)
fan2:        707 RPM  (min =  600 RPM)  ALARM
temp1:        +38.0°C  (low  = +122.0°C, high = +122.0°C)  sensor = thermistor
temp2:        +22.0°C  (low  = +119.0°C, high = -35.0°C)  ALARM  sensor = thermistor
temp3:      -128.0°C  (low  = +16.0°C, high = +93.0°C)  sensor = thermistor
intrusion0:  ALARM


* edit /boot/grub/grub.conf, remove the "quiet" and "rhgb" options
[root@midemma02 ~]#  
* edit /boot/grub/grub.conf, comment out (with "#") the "splashimage=" line
* check that GRUB boot loader is installed on all system disks:
** dd if=/dev/sda bs=1 count=1024 2>&1 | strings | grep GRUB
** dd if=/dev/sdb bs=1 count=1024 2>&1 | strings | grep GRUB
* if GRUB is not installed, (i.e. on the 2nd disk of machines with mirrored system disk), (but check that /dev/sdb is the right disk):
<pre>
# grub
grub&gt; device (hd0) /dev/sdb
grub&gt; root (hd0,0)
grub&gt; setup (hd0)
</pre>
</pre>
* AMD "Athlon(tm) 5350 APU" graphics supports 2 monitors maximum (mobo has 3 video outputs, only 2 can be used together)


== Configure GRUB boot loader (CENTOS7) ==
=== Intel SE7230NH1 ===


* edit /etc/default/grub, remove "rhgb" and "quiet" from GRUB_CMDLINE_LINUX
* front panel header connector pinout is like this:
* grub2-mkconfig -o /boot/grub2/grub.cfg
<pre>
* grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
PWR LED | 1  2|
* grub2-editenv list # show contents of boot environement file
        | 3  4|
* /bin/rm /boot/grub2/grubenv # remove stale settings, make grub2 boot from first entry in config file
PWR LED | 5  6|
HDD LED | 7  8|
HDD LED | 9 10|
PWR SW  |11 12| NIC1 LED
PWR SW  |13 14| NIC1 LED
RST SW  |15 16|
RST SW  |17 18|
        |19 20|
NMI SW  |21 22| NIC2 LED
NMI SW  |23 24| NIC2 LED
...    |...  |
        |33 34|
</pre>


== Configure GRUB boot loader (CentOS7) ==
=== ASUS H110M-A/M.2 ===
 
DO NOT DO ANY OF THIS.
 
* (maybe) grub2-install /dev/sda
* check that GRUB boot loader is installed on all system disks:
** dd if=/dev/sda bs=1 count=1024 2>&1 | strings | grep GRUB
** dd if=/dev/sdb bs=1 count=1024 2>&1 | strings | grep GRUB
* if GRUB is not installed, (--- unfinished)
 
== Disable ELREPO ==


* use BIOS 2003 or later
* dmidecode | grep -i nct reports: Nuvoton NCT5539D
* sensors chip is "NCT6793D or compatible chip", for el7, use this driver:
<pre>
<pre>
sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo_triumf.repo
cd ~root
sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo.repo
wget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko
echo modprobe hwmon-vid >> /etc/rc.local
echo insmod /root/nct6775.ko >> /etc/rc.local
/etc/rc.local
sensors
</pre>
</pre>


== Special hardware settings ==
* sensors output:
 
<pre>
=== ASUS Crosshair mobo ===
[root@daq03 ~]# sensors
acpitz-virtual-0
Adapter: Virtual device
temp1:        +27.8°C  (crit = +119.0°C)
temp2:        +29.8°C  (crit = +119.0°C)


* use BIOS version 1207 or newer
nct6793-isa-0290
* (before CentOS7) sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors
Adapter: ISA adapter
* CentOS7: installs correct drivers automatically
in0:                      +0.34 V  (min =  +0.00 V, max =  +1.74 V)
 
in1:                      +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
=== ASUS Crosshair-II mobo ===
in2:                      +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
 
in3:                      +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
* use BIOS version 2607 or newer
in4:                      +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
* for the onboard IDE to work, add "all-generic-ide" to kernel boot options in grub.conf
in5:                      +0.15 V  (min =  +0.00 V, max =  +0.00 V) ALARM
* sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors
in6:                       +0.97 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
 
in7:                       +3.38 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
=== ASUS P7P55D EVO mobo ===
in8:                      +3.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
 
in9:                      +1.00 V  (min = +0.00 V, max = +0.00 V)  ALARM
* use BIOS version 2004 or newer
in10:                      +0.14 V  (min = +0.00 V, max = +0.00 V)  ALARM
* SL6 - install special driver for on board PCIe GigE network port and disable on board PCI GigE network port:
in11:                      +0.12 V  (min = +0.00 V, max = +0.00 V)  ALARM
** yum --enablerepo elrepo install kmod-r8168 kmod-r8169
in12:                      +0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** # do not do this: sed 's/^blacklist/#blacklist/' -i /etc/modprobe.d/blacklist-r8169.conf
in13:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** reboot
in14:                      +0.13 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** verify that correct drivers are loaded: ethtool -i eth0; ethtool -i eth1
fan1:                    1041 RPM  (min =    0 RPM)
** note: there will be no eth1 - r8169 driver is disabled.
fan2:                     1020 RPM  (min =    0 RPM)
fan5:                        0 RPM  (min =    0 RPM)
fan6:                        0 RPM
SYSTIN:                  +119.0°C  (high = +98.0°C, hyst = +95.0°C)  sensor = thermistor
CPUTIN:                    +26.5°C  (high = +80.0°C, hyst = +75.0°C)  sensor = thermistor
AUXTIN0:                  +27.5°C    sensor = thermistor
AUXTIN1:                  +112.0°C    sensor = thermistor
AUXTIN2:                  +111.0°C    sensor = thermistor
AUXTIN3:                 +111.0°C    sensor = thermistor
PECI Agent 0:              +28.0°C  (high = +98.0°C, hyst = +95.0°C)
                                    (crit = +100.0°C)
PECI Agent 0 Calibration:  +25.5°C 
PCH_CHIP_CPU_MAX_TEMP:     +0.0°C 
PCH_CHIP_TEMP:              +0.0°C 
intrusion0:              ALARM
intrusion1:               ALARM
beep_enable:             disabled


=== ASUS P6X58-E-WS mobo ===
coretemp-isa-0000
Adapter: ISA adapter
Physical id 0:  +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +28.0°C  (high = +80.0°C, crit = +100.0°C)


* BIOS settings
[root@daq03 ~]#
** F1 or DEL to enter BIOS setup, F8 boot menu
</pre>
** go to POWER->HW mon, confirm CPU temperature is around 30C. (heatsink is installed correctly. Bad heatsink temperature quickly goes up to 50-70C).
** Main menu: Storage config - SATA change IDE->AHCI
** System information: confirm BIOS version 301, CPU type, memory size
** AI Tweak: set DRAM frequency - AUTO->DDR3-1333
** Advanced->Onboard devices: LAN BOOT: enabled
** Power->HW monitor: CPU Q-FAN: enabled
** Boot->Settings: Quick boot: enabled; Full screen logo: disabled; Wait for F1: disabled
** Save and exit


=== ASUS E35M1-M PRO mobo ===
=== Supermicro X11SSH-F ===


* http://www.asus.com/Motherboards/E35M1M_PRO/#specifications
* blacklist the mei and mei_me drivers per http://www.supermicro.com/support/faqs/faq.cfm?faq=14537
* use BIOS version 1002 or newer
<pre>
* for CPU temperature: install kmod-k10temp from ELREPO (kmod-k10temp-0.0-4.el6.elrepo.x86_64.rpm)
[root@alpha00 ~]# more /etc/modprobe.d/blacklist.conf
* for Sensors: yum --enablerepo elrepo install kmod-w83627ehf; modprobe w83627ehf; sensors
blacklist mei
* for Graphics: yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
blacklist mei_me
* to enable booting from USB3, edit /etc/dracut.conf, change line "add_drivers" to read: add_drivers+="xhci-hcd"
[root@alpha00 ~]#  
* to use multiple monitors, run "aticonfig --initial --heads=2 --adapter=1 --xinerama=on", to change screen layout, edit /etc/X11/xorg.conf. Only dual monitors DVI+HDMI seem to work. Tripple monitors does not seem to work.
</pre>
* mobo requires M.2 PCIe SSD (M.2 SATA SSD would not work. SATA SATA SSD ok)
* boot from M.2 PCIe SSD requires UEFI boot (from an MSDOS partition on the SSD)
 
=== ASUS TUF Z390M-PRO GAMING (WI-FI) ===


Sensors instructions below are obolete (use driver from ELREPO)
* BIOS 2417 is okey, upgrade to this if older
* for Sensors, install driver for NCT6776F chip from https://github.com/groeck/w83627ehf/archives/master (in the Makefile, change the line "KERNEL_BUILD=" to read: "KERNEL_BUILD:=/usr/src/kernels/$(TARGET)"):
* do not set XMP memory mode
* in the BIOS, enable the boot compatibility support module mode: BIOS (press DEL) -> Advanced mode -> BOOT -> CSM Module -> Enable CSM "yes".
* for SL6, install e1000e driver from ELREPO:
<pre>
<pre>
cd ~root
yum install --enablerepo=elrepo kmod-e1000e
wget http://ladd00.triumf.ca/~olchansk/linux/groeck-w83627ehf-dd3e543/w83627ehf.ko
echo "modprobe hwmon; modprobe hwmon-vid; modprobe k10temp; rmmod w83627ehf; insmod /root/w83627ehf.ko" >> /etc/rc.local
</pre>
</pre>
* sensors chip appears to be "Nuvoton NCT6798D" not clear what driver to use
* dmidecode | grep -i nct reports: Nuvoton NCT6798D
* kmod-nct6775-0.0-5.el7_7.elrepo.x86_64.rpm from ELrepo finds the chip but bombs because of conflict with ACPI


=== ASUS E45M1-M PRO mobo ===
=== ASUS PRIME X399-A ===


* https://www.asus.com/Motherboards/E45M1M_PRO/#specifications
* BIOS 1002
* use BIOS 1202 or newer
* for reading temperatures and fan rotations, install driver: https://github.com/electrified/asus-wmi-sensors/issues/29
* follow the E35M1-M PRO instructions above


=== ASUS P9X79 WS ===
== Configure X11 graphics ==


* http://www.asus.com/Motherboard/P9X79_WS/
=== Special settings for DAQ ===
* use BIOS version 3101, 3401, 4701 or newer. If BIOS is 1305 or older, install P9X79-WS-CAP-Converter.ROM (BIOS 2902/3101), then the new BIOS.
* (not needed for CentOS7) for CPU temperature, install coretemp
* (not needed for CentOS7) for sensors, install driver for NCT6776F chip same as E35M1-M above.
* BIOS Settings:
** enter "Advanced mode"
** Ai Tweaker -> Ai Overclock Tuner -> Set to "XMP" - this enables DDR3-1600 RAM speed vs DDR3-1333 by default
** Monitor -> CPU fan speed low limit -> Set to "200 RPM" - we are using high efficiency slow turning CPU coolers and the default 600 RPM is right on the edge of firing false warnings
** Boot -> Full screen logo -> Set to "disabled"
** Wait for F1 -> Set to "disabled"


=== ASUS P8B-M ===
* add the following at the end of /etc/X11/xorg.conf. The enables Ctrl-Alt-KP-/ and Ctrl-Alt-KP-* to unlock the keyboard after Altera Quartus crash:
<pre>Section "ServerFlags"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Option "AllowDeactivateGrabs" "true"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Option "AllowClosedownGrabs" "true"
EndSection</pre>
 
=== Install NVIDIA drivers ===


* use BIOS version 6103 or newer
* yum --enablerepo=elrepo install nvidia-detect
* for CPU temperature, install coretemp
* run: nvidia-detect
* for sensors, install driver for NCT6776F chip same as E35M1-M above.
* as instructed by nvidia-detect, install correct driver:
** yum --enablerepo=elrepo install kmod-nvidia
** yum --enablerepo=elrepo install kmod-nvidia-304xx
** yum --enablerepo=elrepo install kmod-nvidia-173xx
* (before SL6.x:  if it fails due to conflict with module-init-tools, run "yum --disablerepo \* --enablerepo elrepo update module-init-tools")
* yum erase xorg-x11-glamor ### see http://elrepo.org/tiki/kmod-nvidia (search for glamor)
* mv /etc/X11/xorg.conf /etc/X11/xorg.conf-xxx
* nvidia-xconfig
* (SL6) reboot
* (SL5) /dev/MAKEDEV nvidia
* (SL5) restart the X11 server (Ctrl-Alt-Backspace or "killall Xorg gdm-binary")
* observe that X11 server restarts using the NVIDIA driver (big NVIDIA logo on startup)
* if needed, login as root and run "nvidia-settings" to setup dual-screen configuration, etc


=== SUPERMICRO X9SCL ===
=== Install legacy NVIDIA drivers ===


* yum install kmod-w83627ehf.x86_64 coretemp
For old NVIDIA cards:
* xemacs -nw /etc/rc.local, add:
* GeForce FX 5500
<pre>
modprobe coretemp
modprobe w83627ehf
</pre>
 
=== ASUS Z87-WS ===


<pre>
<pre>
cd ~root
wget http://us.download.nvidia.com/XFree86/Linux-x86/173.14.31/NVIDIA-Linux-x86-173.14.31-pkg1.run
wget http://ladd00.triumf.ca/~olchansk/linux/nct6775/nct6775.ko
sh ./NVIDIA-Linux-x86-173.14.31-pkg1.run
</pre>
</pre>


Place the modprobe and insmod lines in /etc/rc.local to load the drivers at boot time
* GeForce 6200 - NVIDIA Corporation NV44A [GeForce 6200]
<pre>
<pre>
modprobe hwmon-vid
yum install nvidia-x11-drv-304xx-304.121 --enablerepo=elrepo
insmod /root/nct6775.ko
nvidia-xconfig
rmmod nvidia
killall gdm-binary
login as root
nvidia-settings to setup multiple displays
</pre>
</pre>


=== ASUS AM1M-A ===
=== Install ATI/AMD drivers ===


* use BIOS 602 or later
* yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
* SL6.5 installer cannot use USB2 ports and the network. Use USB3 ports (blue colour) to boot USB installer (memtest, rescue, etc)
* check that /etc/X11/xorg.conf section "Device" entry "Driver" says "fglrx"
* SL6.5 kernels require boot option "iommu=soft" or USB2 and network do not work. (USB3 - blue ports - seems okey)
* run "aticonfig --initial" to create xorg.conf if existing one is not good
* install ATI/AMD video drivers from ELREPO (see below)
* run "amdcccle" as root to configure dual-screens, etc
* sensors chip is ITE IT8623E, for SL6, use standalone driver from lm_sensors. (2 fans rpm, 2 temperatures):
  Note: 'amdcccle' is a GUI, so you must run this command from within a running X session
<pre>
* killall Xorg
cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/it87.ko
echo modprobe hwmon_vid >> /etc/rc.local
echo insmod /root/it87.ko >> /etc/rc.local
. /etc/rc.local
</pre>
* for el7 use it87.ko driver:
<pre>
cd ~root
wget https://daqshare.triumf.ca/~olchansk/linux/CentOS7/it87.ko
echo modprobe hwmon_vid >> /etc/rc.local
echo insmod /root/it87.ko >> /etc/rc.local
. /etc/rc.local
</pre>
* sensors output:
<pre>
[root@midemma02 ~]# sensors
radeon-pci-0008
Adapter: PCI adapter
temp1:        +22.0°C  (crit = +120.0°C, hyst = +90.0°C)


fam15h_power-pci-00c4
=== Install ATI/AMD drivers (CentOS7) ===
Adapter: PCI adapter
power1:          N/(crit = 25.00 W)


k10temp-pci-00c3
* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm
Adapter: PCI adapter
* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm
temp1:        +22.2°C  (high = +70.0°C)
* yum install acpid
                      (crit = +70.0°C, hyst = +69.0°C)
* rpm -vh --install kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm
* amdconfig -f --initial
* grub2-mkconfig -o /boot/grub2/grub.cfg
* reboot
* login as root
* amdcccle


it8603-isa-0290
NOTE: if both drivers - radeon and fglrx are loaded, boot will hang. the radeon driver is supposed to be blacklisted through grub rdblacklist=radeon entry which is installed by running grub2-mkconfig.
Adapter: ISA adapter
in0:          +0.96 V  (min =  +2.50 V, max =  +2.95 V)  ALARM
in1:          +2.23 V  (min =  +0.94 V, max =  +1.22 V)  ALARM
in2:          +2.03 V  (min =  +0.74 V, max =  +0.77 V)  ALARM
in3:          +2.00 V  (min =  +1.26 V, max =  +0.13 V)  ALARM
in4:          +2.23 V  (min =  +2.95 V, max =  +2.15 V)  ALARM
3VSB:        +3.36 V  (min =  +6.00 V, max =  +2.50 V)  ALARM
Vbat:        +3.22 V 
+3.3V:        +3.36 V 
fan1:        611 RPM  (min =  200 RPM)
fan2:        707 RPM  (min =  600 RPM)  ALARM
temp1:        +38.0°C  (low  = +122.0°C, high = +122.0°C)  sensor = thermistor
temp2:        +22.0°C  (low  = +119.0°C, high = -35.0°C)  ALARM  sensor = thermistor
temp3:      -128.0°C  (low  = +16.0°C, high = +93.0°C)  sensor = thermistor
intrusion0:  ALARM


[root@midemma02 ~]#
=== Install Intel drivers for HD4600/Z87 ===
</pre>
* AMD "Athlon(tm) 5350 APU" graphics supports 2 monitors maximum (mobo has 3 video outputs, only 2 can be used together)


=== Intel SE7230NH1 ===
SL6.5 has the required drivers for the socket 1150 machines with Intel HD4600 graphics and Z87 chipset.


* front panel header connector pinout is like this:
ASUS Z87 WS motherboard has these video connections with corresponding Intel video port assignements, as reported by "xrandr":
<pre>
* DisplayPort - DP1/HDMI1
PWR LED | 1  2|
* MiniDisplayPort - DP2/HDMI2
        | 3  4|
* HDMI - HDMI3
PWR LED | 5  6|
HDD LED | 7  8|
HDD LED | 9 10|
PWR SW  |11 12| NIC1 LED
PWR SW  |13 14| NIC1 LED
RST SW  |15 16|
RST SW  |17 18|
        |19 20|
NMI SW  |21 22| NIC2 LED
NMI SW  |23 24| NIC2 LED
...    |...  |
        |33 34|
</pre>


=== ASUS H110M-A/M.2 ===
Due to hardware limitations, 3 HDMI monitors using 2 passive DP-HDMI adapters (and 1 straight HDMI) cannot be used.


* use BIOS 2003 or later
To use 3 monitors do this:
* sensors chip is ??? for el7, use this driver:
* 1st monitor: DisplayPort - DP-to-HDMI-passive-adapter - HDMI monitor (not tried: DP-to-DP-cable - DisplayPort monitor).
<pre>
* 2nd monitor: MiniDisplayPort - MiniDP-to-DP-cable - DisplayPort monitor
cd ~root
* 3rd monitor: HDMI - HDMI-cable - HDMI monitor
wget https://daqshare.triumf.ca/~olchansk/linux/CentOS7/nct6775.ko
 
echo modprobe hwmon_vid >> /etc/rc.local
With the monitors I have (Dell 1920x1200 VGA-HDMI-DP), the software thinks that there are 4 monitors: somehow both DP2 and HDMI2 see 1 minitor each, but the hardware cannot drive 4 monitors, so everything goes blank. To fix, disable HDMI2 (xrandr -display :0 --output HDMI2 --off) and enable DP2 (xrandr -display :0 --output DP2 --auto).
echo modprobe coretemp >> /etc/rc.local
 
echo insmod /root/nct6775.ko >> /etc/rc.local
How to make this configuration permanent and how to assign monitor locations (left-right, etc), you figure it out.
. /etc/rc.local
 
</pre>
=== Manual selection of monitor, video mode and resolution ===


* sensors output:
Automatic selection of monitor and video mode usually works. When it does not, configure it manualls:
<pre>
[root@daq03 ~]# sensors
acpitz-virtual-0
Adapter: Virtual device
temp1:        +27.8°C  (crit = +119.0°C)
temp2:       +29.8°C  (crit = +119.0°C)


nct6793-isa-0290
* physically go to the computer
Adapter: ISA adapter
* login as root
in0:                      +0.34 V  (min =  +0.00 V, max =  +1.74 V)
* run "nvidia-settings" on machines using the NVIDIA driver
in1:                      +1.02 V  (min =  +0.00 V, max =  +0.00 V) ALARM
* run "aticonfig" on machines with the ATI/AMD driver (use "aticonfig --initial" for initial setup, and good luck with anything more complicated)
in2:                      +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
* run "system-config-display".
in3:                      +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** In the "hardware" tab, select monitor type: "generic LCD 1280x1024" or "generic LCD 1600x1200".
in4:                       +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** In the "settings" tab, select "1280x1024" or "1600x1200" and "Thousands of colors".
in5:                      +0.15 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
** Press "ok", the display settings application should close.
in6:                      +0.97 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
* Logout, the new login window should use the new settings.
in7:                      +3.38 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
 
in8:                      +3.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
=== Disable screen saver ===
in9:                      +1.00 V  (min = +0.00 V, max = +0.00 V)  ALARM
 
in10:                      +0.14 V  (min = +0.00 V, max = +0.00 V)  ALARM
If machine is booted without any monitor connected, current video cards to not enable any video outputs. If a monitor is connected later, there is no video image and there is no easy way to get a video image.
in11:                      +0.12 V  (min = +0.00 V, max = +0.00 V)  ALARM
 
in12:                      +0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
This can be solved by configuring X11 to always enable some video output. Because the monitor type is not known when X11 starts, one has to select some standard video mode (i.e. VESA 1280x1024) on some video output (VGA, DVI or HDMI).
in13:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in14:                      +0.13 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
fan1:                    1041 RPM  (min =    0 RPM)
fan2:                    1020 RPM  (min =    0 RPM)
fan5:                        0 RPM  (min =    0 RPM)
fan6:                        0 RPM
Older revision (left column of the diff):

SYSTIN:                  +119.0°C  (high = +98.0°C, hyst = +95.0°C)  sensor = thermistor
CPUTIN:                    +26.5°C  (high = +80.0°C, hyst = +75.0°C) sensor = thermistor
AUXTIN0:                  +27.5°C    sensor = thermistor
AUXTIN1:                  +112.0°C    sensor = thermistor
AUXTIN2:                  +111.0°C    sensor = thermistor
AUXTIN3:                  +111.0°C    sensor = thermistor
PECI Agent 0:              +28.0°C  (high = +98.0°C, hyst = +95.0°C)
                                    (crit = +100.0°C)
PECI Agent 0 Calibration:  +25.5°C
PCH_CHIP_CPU_MAX_TEMP:      +0.0°C
PCH_CHIP_TEMP:              +0.0°C
intrusion0:              ALARM
intrusion1:              ALARM
beep_enable:              disabled

coretemp-isa-0000
Adapter: ISA adapter
Physical id 0:  +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +28.0°C  (high = +80.0°C, crit = +100.0°C)

[root@daq03 ~]#
</pre>

=== Supermicro X11SSH-F ===

* blacklist the mei and mei_me drivers per http://www.supermicro.com/support/faqs/faq.cfm?faq=14537
<pre>
[root@alpha00 ~]# more /etc/modprobe.d/blacklist.conf
blacklist mei
blacklist mei_me
[root@alpha00 ~]#
</pre>
* mobo requires an M.2 PCIe SSD (an M.2 SATA SSD does not work; a regular SATA SSD is ok)
* boot from M.2 PCIe SSD requires UEFI boot (from an MSDOS partition on the SSD)

== Configure X11 graphics ==

=== Special settings for DAQ ===

* add the following at the end of /etc/X11/xorg.conf. This enables Ctrl-Alt-KP-/ and Ctrl-Alt-KP-* to unlock the keyboard after an Altera Quartus crash:
<pre>Section "ServerFlags"
        Option "AllowDeactivateGrabs" "true"
        Option "AllowClosedownGrabs" "true"
EndSection</pre>

=== Install NVIDIA drivers ===

* yum --enablerepo=elrepo install nvidia-detect
* run: nvidia-detect
* as instructed by nvidia-detect, install the correct driver:
** yum --enablerepo=elrepo install kmod-nvidia
** yum --enablerepo=elrepo install kmod-nvidia-304xx
** yum --enablerepo=elrepo install kmod-nvidia-173xx
* (before SL6.x: if it fails due to a conflict with module-init-tools, run "yum --disablerepo \* --enablerepo elrepo update module-init-tools")
* yum erase xorg-x11-glamor ### see http://elrepo.org/tiki/kmod-nvidia (search for glamor)
* mv /etc/X11/xorg.conf /etc/X11/xorg.conf-xxx
* nvidia-xconfig
* (SL6) reboot
* (SL5) /dev/MAKEDEV nvidia
* (SL5) restart the X11 server (Ctrl-Alt-Backspace or "killall Xorg gdm-binary")
* observe that the X11 server restarts using the NVIDIA driver (big NVIDIA logo on startup)
* if needed, login as root and run "nvidia-settings" to set up the dual-screen configuration, etc

=== Install legacy NVIDIA drivers ===

For old NVIDIA cards:
* GeForce FX 5500
<pre>
wget http://us.download.nvidia.com/XFree86/Linux-x86/173.14.31/NVIDIA-Linux-x86-173.14.31-pkg1.run
sh ./NVIDIA-Linux-x86-173.14.31-pkg1.run
</pre>

* GeForce 6200 - NVIDIA Corporation NV44A [GeForce 6200]
<pre>
yum install nvidia-x11-drv-304xx-304.121 --enablerepo=elrepo
nvidia-xconfig
rmmod nvidia
killall gdm-binary
login as root
nvidia-settings to setup multiple displays
</pre>

=== Install ATI/AMD drivers ===

* yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
* check that the /etc/X11/xorg.conf section "Device" entry "Driver" says "fglrx"
* run "aticonfig --initial" to create xorg.conf if the existing one is not good
* run "amdcccle" as root to configure dual screens, etc
  Note: 'amdcccle' is a GUI, so you must run this command from within a running X session
* killall Xorg

=== Install ATI/AMD drivers (CentOS7) ===

* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm
* wget http://elrepo.org/linux/testing/el7/x86_64/RPMS/kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm
* yum install acpid
* rpm -vh --install kmod-fglrx-15.12-3.el7.elrepo.x86_64.rpm fglrx-x11-drv-15.12-3.el7.elrepo.x86_64.rpm
* amdconfig -f --initial
* grub2-mkconfig -o /boot/grub2/grub.cfg
* reboot
* login as root
* amdcccle

NOTE: if both drivers, radeon and fglrx, are loaded, boot will hang. The radeon driver is supposed to be blacklisted through the grub "rdblacklist=radeon" entry, which is installed by running grub2-mkconfig.

=== Install Intel drivers for HD4600/Z87 ===

SL6.5 has the required drivers for the socket 1150 machines with Intel HD4600 graphics and Z87 chipset.

The ASUS Z87 WS motherboard has these video connections with the corresponding Intel video port assignments, as reported by "xrandr":
* DisplayPort - DP1/HDMI1
* MiniDisplayPort - DP2/HDMI2
* HDMI - HDMI3

Due to hardware limitations, 3 HDMI monitors using 2 passive DP-HDMI adapters (and 1 straight HDMI) cannot be used.

To use 3 monitors do this:
* 1st monitor: DisplayPort - DP-to-HDMI-passive-adapter - HDMI monitor (not tried: DP-to-DP-cable - DisplayPort monitor).
* 2nd monitor: MiniDisplayPort - MiniDP-to-DP-cable - DisplayPort monitor
* 3rd monitor: HDMI - HDMI-cable - HDMI monitor

With the monitors I have (Dell 1920x1200 VGA-HDMI-DP), the software thinks that there are 4 monitors: somehow both DP2 and HDMI2 see 1 monitor each, but the hardware cannot drive 4 monitors, so everything goes blank. To fix, disable HDMI2 (xrandr -display :0 --output HDMI2 --off) and enable DP2 (xrandr -display :0 --output DP2 --auto).

How to make this configuration permanent and how to assign monitor locations (left-right, etc), you figure it out.

=== Manual selection of monitor, video mode and resolution ===

Automatic selection of monitor and video mode usually works. When it does not, configure it manually:

* physically go to the computer
* login as root
* run "nvidia-settings" on machines using the NVIDIA driver
* run "aticonfig" on machines with the ATI/AMD driver (use "aticonfig --initial" for initial setup, and good luck with anything more complicated)
* run "system-config-display".
** In the "hardware" tab, select monitor type: "generic LCD 1280x1024" or "generic LCD 1600x1200".
** In the "settings" tab, select "1280x1024" or "1600x1200" and "Thousands of colors".
** Press "ok", the display settings application should close.
* Logout, the new login window should use the new settings.

=== Disable screen saver ===

If the machine is booted without any monitor connected, current video cards do not enable any video outputs. If a monitor is connected later, there is no video image and there is no easy way to get a video image.

This can be solved by configuring X11 to always enable some video output. Because the monitor type is not known when X11 starts, one has to select some standard video mode (i.e. VESA 1280x1024) on some video output (VGA, DVI or HDMI).

Only NVIDIA cards with the NVIDIA driver (from EPEL) are supported by these instructions.

* create default xorg.conf: nvidia-xconfig
* edit /etc/X11/xorg.conf
* add monitor section for the fake monitor:
<pre>
Section "Monitor"
    Identifier    "Monitor0"
    VendorName    "Unknown"
    ModelName      "Unknown"
    HorizSync      31.0 - 83.0
    VertRefresh    59.0 - 61.0
    Option        "DPMS" "off"
    ModeLine "1280x1024"  108.00  1280 1328 1440 1688  1024 1025 1028 1066 +hsync +vsync
EndSection
</pre>
* add output selection in the "Device" section:
<pre>
Section "Device"
    Identifier    "Device0"
    Driver        "nvidia"
    VendorName    "NVIDIA Corporation"
    BoardName      "GeForce 210"
    #Option "ConnectedMonitor" "DFP"
    #Option "ConnectedMonitor" "CRT"
    Option "ConnectedMonitor" "CRT-1"
    Option "UseEDID" "no"
EndSection
</pre>
* add fake video mode to the "Screen" section:
<pre>
Section "Screen"
    Identifier    "Screen0"
    Device        "Device0"
    Monitor        "Monitor0"
    DefaultDepth    24
    SubSection    "Display"
        Depth      24
        Modes      "1280x1024"
    EndSubSection
EndSection
</pre>
* disable screen saver and DPMS power off in the "ServerLayout" or "ServerFlags" section:
<pre>
Section "ServerLayout"
    Identifier    "Layout0"
    Screen      0 "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
    InputDevice    "Mouse0" "CorePointer"
    Option        "Xinerama" "0"
    Option        "BlankTime" "0"
    Option        "StandbyTime" "0"
    Option        "SuspendTime" "0"
    Option        "OffTime" "0"
EndSection

Section "ServerFlags"
    Option        "BlankTime" "0"
    Option        "StandbyTime" "0"
    Option        "SuspendTime" "0"
    Option        "OffTime" "0"
EndSection
</pre>

== Finish installation ==

* logout and reboot the computer for all the changes to take effect

== Configure HTTPS server (CentOS7) ==

This will configure the HTTPS/SSL certificate using "certbot" and "letsencrypt" and configure an HTTPS web server using apache httpd.

First, configure apache httpd:

* yum install mod_ssl certwatch crypto-utils
* cd /etc/httpd/conf.d/
* mv ssl.conf ssl.conf-not-used ### remove the stock ssl.conf which refers to the localhost certificate that will expire in 1 year
* touch ssl.conf ### create a blank file to prevent automatic updates from installing a stock ssl.conf file
* rm /etc/pki/tls/certs/localhost.crt
* create new file ssl-daq12.conf # use actual hostname instead of daq12
<pre>
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache        shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>
ServerName daq12.triumf.ca
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/daq12.log
SSLEngine on
# note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#ProxyPass /elog/ http://localhost:8082/ retry=1
#ProxyPass /      http://localhost:8080/ retry=1
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Location />
SSLRequireSSL
AuthType Basic
AuthName "DAQ password protected site"
Require valid-user
# create password file: touch /etc/httpd/htpasswd
# to add new user or change password: htpasswd /etc/httpd/htpasswd username
AuthUserFile /etc/httpd/htpasswd
</Location>
</VirtualHost>
</pre>
* stop httpd from listening on port 80: edit /etc/httpd/conf/httpd.conf, comment out the line "Listen 80"
* systemctl enable httpd
* systemctl restart httpd
* systemctl status httpd
* try to access https://daq12.triumf.ca
** you should see a complaint about the self-signed certificate
** you should see a request for a password (do not login yet)
** if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, then try again:
<pre>
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
</pre>

Second, configure certbot:

(Note: as of 2018-01-18 certbot requires use of http port 80 to get the initial https certificate,
renewal can continue to use the https port 443)

(Note: as of 2019-01-?? certbot requires use of port 80 for renewals)

* check that port 80 is not used by anything:
* netstat -an | grep LISTEN | grep ^tcp | grep 80
* lsof -P | grep -i tcp | grep LISTEN | grep 80
* if lsof reports that httpd is listening on port 80, follow the httpd instructions above (remove "Listen 80" from httpd.conf)

* yum install certbot python2-certbot-apache # (from EPEL)
* firewall-cmd --add-port=80/tcp --permanent
* firewall-cmd --reload
* firewall-cmd --list-all
* certbot certonly --standalone --installer apache # then answer questions:
* "activate HTTPS for daq12.triumf.ca" - say ok
* "enter email address" - enter your own email address
* "please read terms..." - read the terms and say "agree"
* it will take a few moments...
* "please choose..." - say "easy" (http access is disabled (a) by the firewall, (b) by local configuration)
* "congratulations..." - say ok.
* certbot install --apache --cert-name daq12.triumf.ca # then answer questions:
* "choose redirect..." - say "1" (no redirect)
* look inside ssl-daq12.conf to see that SSLCertificateFile & co point to the certbot certificates in /etc/letsencrypt/live/daq12.triumf.ca/
* enable automatic renewal
<pre>
systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer
systemctl list-timers --all
</pre>

* to check correct renewal and to update the certbot config file in /etc/letsencrypt/renewal, run this:
* certbot renew --standalone --installer apache --force-renewal

NOTE: this certificate will expire in 3 months; automatic renewal should work starting with certbot-0.12.0-4.el7.noarch.
Certificate expiration should be automatically detected by "certwatch" and email
will be sent to the local root user, to be forwarded to an actual person by ~root/.forward.

Third, activate password protection:

* as shown in the config file above, create the password file and initial user: (replace "midas" with the specific username)
<pre>
touch /etc/httpd/htpasswd
htpasswd /etc/httpd/htpasswd midas
</pre>

Final test:
* access https://daq12.triumf.ca - https status should be "green"
* login with password should work
* the apache httpd test page should load
* check site security using the SSLlabs https tester. (I get grade "A-"): https://www.ssllabs.com/ssltest/

From here:
* enable proxy for MIDAS mhttpd - uncomment the redirect in the config file above
* enable proxy for ELOG - ditto
* setsebool -P httpd_can_network_connect 1
* systemctl restart httpd

NOTE: if certbot fails with errors about 'module' object has no attribute 'pyopenssl',
try this: pip install requests==2.6.0

== Configure large RAID6 arrays ==

* connect the disks
* check the disks' health
** run smart-status.perl
* partition the disks
** yum install gdisk
** gdisk /dev/sdX
** delete all partitions: o
** create new partition: n, enter, enter, enter, fd00 (default sizes, partition type fd00)
** write and exit: w
* check presence of all partitions:
** /bin/ls -l /dev/sd*1
* prepare to use an external bitmap file
** touch /md6bitmap
** edit /etc/fstab, change the entry for the root filesystem from "defaults 1 1" to "defaults 0 0"
** edit /boot/grub/grub.conf, change the entry "kernel ... ro ..." to "kernel ... rw ..."
* create raid array:
** mdadm --create /dev/md6 --level=6 --bitmap=/md6bitmap --raid-devices=10 /dev/sd[b-k]1
** mdadm -Ds >> /etc/mdadm.conf
** cleanup /etc/mdadm.conf
** echo "echo 16384 > /sys/block/md6/md/stripe_cache_size" >> /etc/rc.local
** echo "echo 1    > /sys/block/md6/md/sync_speed_min" >> /etc/rc.local
** source /etc/rc.local
* observe raid array rebuild:
** watch -d -n1 "cat /proc/mdstat"

== Configure ZFS ==

=== Install ZFS ===

(from here: https://github.com/zfsonlinux/zfs/wiki/RHEL-%26-CentOS)

Follow the instructions for "kABI-tracking kmod" - dkms modules seem to always mess up the system when upgrading to the next release of zfs.

<pre>
#rpm -vh --install http://archive.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_3.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_4.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm
yum install http://download.zfsonlinux.org/epel/zfs-release.el7_6.noarch.rpm
yum-config-manager --disable zfs
yum-config-manager --enable zfs-kmod
yum install zfs
#sed 's/^SELINUX=.*/SELINUX=disabled/' -i /etc/selinux/config
echo USE_DISK_BY_ID=\'yes\' >> /etc/default/zfs
#shutdown -r now # required to load the zfs kernel modules and to disable selinux
modprobe zfs # should work
zpool status # should report no pools available
</pre>

#Note: zfs and selinux are not compatible: with selinux enabled, files on zfs cannot be deleted (files are gone, but "df" does not go down, zfs-0.6.5.7-1.el7.centos.x86_64), see https://github.com/zfsonlinux/zfs/issues/4845

* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/zfs-quickstart.html
* http://www.freebsd.org/cgi/man.cgi?query=zpool&sektion=8

=== Lock kernel and zfs packages ===

<pre>
yum versionlock kernel
yum versionlock zfs
</pre>

=== Misc commands ===

* zpool status
* zpool get all
* zpool iostat 1
* zpool iostat -v 1
* zpool history
* zpool scrub data14
* zpool events
* arcstat.py 1
* cat /proc/spl/kstat/zfs/arcstats
* echo 30000000000 > /sys/module/zfs/parameters/zfs_arc_meta_limit
* echo 32000000000 > /sys/module/zfs/parameters/zfs_arc_max

* zfs get all
* zfs set dedup=verify zssd/nfsroot

* zpool create data14 raidz2 /dev/sd[b-h]1
* zfs create z8tb/data

Newer revision (right column of the diff):

Only NVIDIA cards with the NVIDIA driver (from EPEL) are supported by these instructions.

* create default xorg.conf: nvidia-xconfig
* edit /etc/X11/xorg.conf
* add monitor section for the fake monitor:
<pre>
Section "Monitor"
    Identifier    "Monitor0"
    VendorName    "Unknown"
    ModelName      "Unknown"
    HorizSync      31.0 - 83.0
    VertRefresh    59.0 - 61.0
    Option        "DPMS" "off"
    ModeLine "1280x1024"  108.00  1280 1328 1440 1688  1024 1025 1028 1066 +hsync +vsync
EndSection
</pre>
* add output selection in the "Device" section:
<pre>
Section "Device"
    Identifier    "Device0"
    Driver        "nvidia"
    VendorName    "NVIDIA Corporation"
    BoardName      "GeForce 210"
    #Option "ConnectedMonitor" "DFP"
    #Option "ConnectedMonitor" "CRT"
    Option "ConnectedMonitor" "CRT-1"
    Option "UseEDID" "no"
EndSection
</pre>
* add fake video mode to the "Screen" section:
<pre>
Section "Screen"
    Identifier    "Screen0"
    Device        "Device0"
    Monitor        "Monitor0"
    DefaultDepth    24
    SubSection    "Display"
        Depth      24
        Modes      "1280x1024"
    EndSubSection
EndSection
</pre>
* disable screen saver and DPMS power off in the "ServerLayout" or "ServerFlags" section:
<pre>
Section "ServerLayout"
    Identifier    "Layout0"
    Screen      0  "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
    InputDevice    "Mouse0" "CorePointer"
    Option        "Xinerama" "0"
    Option        "BlankTime" "0"
    Option        "StandbyTime" "0"
    Option        "SuspendTime" "0"
    Option        "OffTime" "0"
EndSection

Section "ServerFlags"
    Option        "BlankTime" "0"
    Option        "StandbyTime" "0"
    Option        "SuspendTime" "0"
    Option        "OffTime" "0"
EndSection
</pre>

== Finish installation ==

* logout and reboot the computer for all the changes to take effect

== Configure HTTPS server (CentOS7) ==

This will configure the HTTPS/SSL certificate using "certbot" and "letsencrypt" and configure an HTTPS web server using apache httpd.

First, configure apache httpd:

* execute these commands:
<pre>
yum install -y mod_ssl certwatch crypto-utils
cd /etc/httpd/conf.d/
mv ssl.conf ssl.conf-not-used ### remove the stock ssl.conf which refers to the localhost certificate that will expire in 1 year
touch ssl.conf ### create a blank file to prevent automatic updates from installing a stock ssl.conf file
# this is done later: rm /etc/pki/tls/certs/localhost.crt
</pre>
* create new file ssl-daq12.conf # use actual hostname instead of daq12
<pre>
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache        shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>
ServerName daq12.triumf.ca
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/daq12.log
SSLEngine on
# note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf
# new SSL settings: K.O. Jan 2020, SSLlabs rating "A+"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!RSA
SSLHonorCipherOrder on
# previous SSL settings:
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#ProxyPass /elog/ http://localhost:8082/ retry=1
#ProxyPass /      http://localhost:8080/ retry=1
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Location />
SSLRequireSSL
AuthType Basic
AuthName "DAQ password protected site"
Require valid-user
# create password file: touch /etc/httpd/htpasswd
# to add new user or change password: htpasswd /etc/httpd/htpasswd username
AuthUserFile /etc/httpd/htpasswd
</Location>
</VirtualHost>
</pre>
* stop httpd from listening on port 80: edit /etc/httpd/conf/httpd.conf, comment out the line "Listen 80"
* enable and start httpd:
<pre>
systemctl enable httpd
systemctl restart httpd
systemctl status httpd
</pre>
* try to access https://daq12.triumf.ca
** you should see a complaint about the self-signed certificate
** you should see a request for a password (do not login yet)
** if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, then try again:
<pre>
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
</pre>

Second, configure certbot:

(Note: as of 2018-01-18 certbot requires use of http port 80 to get the initial https certificate,
renewal can continue to use the https port 443)

(Note: as of 2019-01-?? certbot requires use of port 80 for renewals)

* check that port 80 is not used by anything:
* netstat -an | grep LISTEN | grep ^tcp | grep 80
* lsof -P | grep -i tcp | grep LISTEN | grep 80
* if lsof reports that httpd is listening on port 80, follow the httpd instructions above (remove "Listen 80" from httpd.conf)

* install certbot and open tcp port 80 in the firewall:
<pre>
yum install -y certbot python2-certbot-apache # (from EPEL)
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
</pre>
* certbot certonly --standalone --installer apache # then answer questions:
* "activate HTTPS for daq12.triumf.ca" - say ok
* "enter email address" - enter your own email address
* "please read terms..." - read the terms and say "agree"
* it will take a few moments...
* "please choose..." - say "easy" (http access is disabled (a) by the firewall, (b) by local configuration)
* "congratulations..." - say ok.
* certbot install --apache --cert-name daq12.triumf.ca # then answer questions:
* "choose redirect..." - say "1" (no redirect)
* look inside ssl-daq12.conf to see that SSLCertificateFile & co point to the certbot certificates in /etc/letsencrypt/live/daq12.triumf.ca/
* remove the self-signed localhost certificate; it will expire in 1 year and cause warnings and complaints: rm /etc/pki/tls/certs/localhost.crt
* enable automatic renewal
<pre>
systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer
systemctl list-timers --all
</pre>

* to check correct renewal and to update the certbot config file in /etc/letsencrypt/renewal, run this:
<pre>
certbot renew --standalone --installer apache --force-renewal
</pre>

NOTE: this certificate will expire in 3 months; automatic renewal should work starting with certbot-0.12.0-4.el7.noarch.
Certificate expiration should be automatically detected by "certwatch" and email
will be sent to the local root user, to be forwarded to an actual person by ~root/.forward.

Third, activate password protection:

* as shown in the config file above, create the password file and initial user: (replace "midas" with the specific username)
<pre>
touch /etc/httpd/htpasswd
htpasswd /etc/httpd/htpasswd midas
</pre>

Final test:
* access https://daq12.triumf.ca - https status should be "green"
* login with password should work
* the apache httpd test page should load
* check site security using the SSLlabs https tester. (I get grade "A-"): https://www.ssllabs.com/ssltest/

From here:
* Configure selinux to allow proxying
<pre>
setsebool -P httpd_can_network_connect 1
systemctl restart httpd
</pre>
* enable proxy for MIDAS mhttpd - uncomment the redirect in the config file above
* enable proxy for ELOG - ditto

NOTE: if certbot fails with errors about 'module' object has no attribute 'pyopenssl',
try this: pip install requests==2.6.0

== Configure large RAID6 arrays ==

* connect the disks
* check the disks' health
** run smart-status.perl
* partition the disks
** yum install gdisk
** gdisk /dev/sdX
** delete all partitions: o
** create new partition: n, enter, enter, enter, fd00 (default sizes, partition type fd00)
** write and exit: w
* check presence of all partitions:
** /bin/ls -l /dev/sd*1
* prepare to use an external bitmap file
** touch /md6bitmap
** edit /etc/fstab, change the entry for the root filesystem from "defaults 1 1" to "defaults 0 0"
** edit /boot/grub/grub.conf, change the entry "kernel ... ro ..." to "kernel ... rw ..."
* create raid array:
** mdadm --create /dev/md6 --level=6 --bitmap=/md6bitmap --raid-devices=10 /dev/sd[b-k]1
** mdadm -Ds >> /etc/mdadm.conf
** cleanup /etc/mdadm.conf
** echo "echo 16384 > /sys/block/md6/md/stripe_cache_size" >> /etc/rc.local
** echo "echo 1    > /sys/block/md6/md/sync_speed_min" >> /etc/rc.local
** source /etc/rc.local
* observe raid array rebuild:
** watch -d -n1 "cat /proc/mdstat"

== Configure ZFS ==

=== Install ZFS ===

(from here: https://github.com/zfsonlinux/zfs/wiki/RHEL-%26-CentOS)

Follow the instructions for "kABI-tracking kmod" - dkms modules seem to always mess up the system when upgrading to the next release of zfs.

<pre>
#rpm -vh --install http://archive.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_3.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_4.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_6.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm
yum install http://download.zfsonlinux.org/epel/zfs-release.el7_9.noarch.rpm
yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod
yum --enablerepo=zfs-kmod clean all
yum --enablerepo=zfs-kmod install zfs
#sed 's/^SELINUX=.*/SELINUX=disabled/' -i /etc/selinux/config
echo USE_DISK_BY_ID=\'yes\' >> /etc/default/zfs
#systemctl enable zfs-import-cache
#systemctl enable zfs-mount
#systemctl enable zfs-share
#systemctl enable zfs-zed
#shutdown -r now # required to load the zfs kernel modules and to disable selinux
modprobe zfs # should work
zpool status # should report no pools available
</pre>

#Note: zfs and selinux are not compatible: with selinux enabled, files on zfs cannot be deleted (files are gone, but "df" does not go down, zfs-0.6.5.7-1.el7.centos.x86_64), see https://github.com/zfsonlinux/zfs/issues/4845

* http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/zfs-quickstart.html
* http://www.freebsd.org/cgi/man.cgi?query=zpool&sektion=8

If the ZFS kernel module does not load automatically at boot time, add this to load it manually:
<pre>
ls -l /etc/sysconfig/modules/
cat > /etc/sysconfig/modules/zfs.modules <<EOF
if [ ! -e /sys/module/zfs ] ; then
  modprobe zfs;
fi
EOF
chmod +x /etc/sysconfig/modules/zfs.modules
</pre>

=== Update ZFS (CentOS-7.9) ===

* update CentOS-7.x to the latest point release
* reboot to the latest kernel
* check that the currently installed ZFS is 0.8.x (not 0.7 or older)
* then update ZFS:
<pre>
[root@daq16 ~]# zfs version
zfs-0.8.4-1
zfs-kmod-0.8.4-1
[root@daq16 ~]# yum --enablerepo=kmod-zfs update
...
[root@daq16 ~]# zfs version ### observe mismatched version numbers: 0.8.5 userspace vs 0.8.4 kernel module
zfs-0.8.5-1
zfs-kmod-0.8.4-1
</pre>
* reboot to activate the updated kernel module
* zfs version again
<pre>
[root@daq16 ~]# zpool version
zfs-0.8.5-1
zfs-kmod-0.8.5-1
</pre>
* zpool status in case some ZFS volume needs to be updated
<pre>
[root@daq16 ~]# zpool status
  pool: z12tb
  state: ONLINE
...
</pre>

=== Update ZFS 0.7 to 0.8 ===

How to identify zfs 0.7: "zfs version" does not work; also check "rpm -q zfs".

zfs 0.7 is obsolete.

To update to zfs 0.8 or newer, remove 0.7, then install the
new version per the instructions above.

* remove zfs 0.7
<pre>
yum versionlock delete zfs ### versionlock not needed anymore
yum versionlock delete kernel ### versionlock not needed anymore
rm /etc/yum.repos.d/zfs.repo* ### delete old repo files
yum erase zfs spl
</pre>
* reboot
* install new zfs per the instructions above
* zpool import -as
* zpool status ### check if any pool needs to be upgraded
* zpool upgrade zssd ### upgrade zfs pool features

=== Lock kernel and zfs packages ===

!!! THIS IS NOT NEEDED ANYMORE !!!

<pre>
yum versionlock kernel
yum versionlock zfs
yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod
</pre>

=== Follow generic ZFS instructions ===

Here: [[ZFS]]

== performance notes ==

Go here: [[disk_benchmarks]]

== Configure UEFI boot ==

Some mobos can boot from NVME (PCIe) SSDs only via UEFI boot. Do this:

* partition the NVME SSD using gdisk (must be a GPT partition table, must have an MSDOS EFI partition of size 512MiB)
<pre>
[root@alpha00 ~]# gdisk -l /dev/nvme0n1
GPT fdisk (gdisk) version 0.8.6 ...
Found valid GPT with protective MBR; using GPT.
Disk /dev/nvme0n1: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 1A82CC87-2757-44ED-980F-C78E3681D9D3
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector) Size      Code  Name
  1            2048        1050623  512.0 MiB  EF00  EFI System
  2        1050624      500118158  238.0 GiB  8300  Linux filesystem
[root@alpha00 ~]#
</pre>
* create filesystems
<pre>
mkfs.msdos /dev/nvme0n1p1
mkfs.xfs /dev/nvme0n1p2
</pre>
* prepare EFI partition
<pre>
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir -p /mnt/efi/efi/boot
cd /mnt/efi/efi/boot
# with Ubuntu LTS 20.04
cp /boot/vmlinuz vmlinuz # copy the desired linux kernel
#cp /boot/initramfs initramfs.img # copy the matching initramfs file
cp /boot/initrd.img initrd.img # copy the matching initrd file
#from /home/olchansk/sysadm/syslinux/syslinux-6.03 copy
cp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/efi/syslinux.efi .
cp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/com32/elflink/ldlinux/ldlinux.e64 .
cp syslinux.efi bootx64.efi
</pre>
* create syslinux config file: syslinux.cfg
<pre>
default linux
label linux
kernel vmlinuz
append ro root=/dev/nvme0n1p2 nomodeset initrd=initrd.img
</pre>
* prepare system partition
<pre>
mkdir /mnt/tmp
mount /dev/nvme0n1p2 /mnt/tmp
rsync -avx / /mnt/tmp
cd /mnt/tmp
#edit etc/fstab
#edit etc/sysconfig/selinux # set selinux to permissive mode because rsync did not copy the selinux labels
</pre>
* unmount and reboot
* restore selinux labels after first boot
<pre>
#login as root
cd /
restorecon -R / # can also add "-v" to see progress, but runs much slower
#edit /etc/sysconfig/selinux # enable selinux
#shutdown -r now # reboot with selinux enabled
</pre>

= Configure UEFI secure boot =

The above instructions do not quite work if "secure boot" is enabled.

These modifications are needed:

* ls -l /boot/efi/EFI/bootko/
<pre>
total 140116
-rwxr-xr-x 1 root root      108 Feb 24 15:47 BOOTX64.CSV
-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 bootx64.efi
-rwxr-xr-x 1 root root  217495 Feb 24 16:16 config-4.15.0-74-generic
-rwxr-xr-x 1 root root      105 Feb 24 15:47 grub.cfg
-rwxr-xr-x 1 root root  199952 Feb 24 16:16 grubx64.efi
-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initramfs.img
-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initrd.img-4.15.0-74-generic
-rwxr-xr-x 1 root root  139968 Feb 24 16:16 ldlinux.e64
-rwxr-xr-x 1 root root  1269496 Feb 24 15:47 mmx64.efi
-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 shimx64.efi
-rwxr-xr-x 1 root root      171 Feb 24 16:16 syslinux.cfg
-rwxr-xr-x 1 root root      102 Feb 24 16:16 syslinux.cfg~
-rwxr-xr-x 1 root root  199952 Feb 24 16:16 syslinux.efi
-rwxr-xr-x 1 root root  4068355 Feb 24 16:16 System.map-4.15.0-74-generic
-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz
-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz-4.15.0-74-generic
</pre>
** shimx64.efi is a copy from /boot/efi/EFI/ubuntu
** bootx64.efi is a copy of shimx64.efi (maybe not needed?)
** grubx64.efi is a copy of syslinux.efi
* efibootmgr -c -d /dev/nvme0n1 -p 2 -w -L bootko -l '\EFI\bootko\shimx64.efi'
* efibootmgr -v
<pre>
root@daqubuntu:~# efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002
Boot0000* bootko        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\BOOTKO\SHIMX64.EFI)
Boot0001* Hard Drive    BBS(HD,,0x0)..GO..NO........y.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7....................A.......................................<..Gd-.;.A..MQ..L.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7........BO
Boot0002* ubuntu        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
root@daqubuntu:~#
</pre>
* NOTE: if, after running "efibootmgr -c", the UUID is zero, then it probably did not take and the entry will vanish after reboot. In my case the mistake was to use "-p 1" instead of "-p 2".

Boot sequence is this:
* shimx64.efi - the Microsoft-signed boot loader is accepted by secure boot, loads and runs
* shimx64.efi loads and runs grubx64.efi; this file name is hardwired into the signed shim and cannot be changed
* grubx64.efi is syslinux.efi (could be anything)
* syslinux.efi runs, loads syslinux.cfg, loads the linux kernel, loads the initrd, runs the linux kernel with the specified flags (ro root=...).

= UEFI syslinux kernel update =

To update the linux kernel booted by UEFI syslinux, use this script:
* ~root/git/scripts/etc/update_efi.perl

= Update SL6 ssh =

<pre>
WARNING!!!
WARNING!!! original instructions used openssh 9.1, vulnerable to CVE-2024-6387
WARNING!!!
WARNING!!! these updated instructions use OpenSSH_9.8. K.O. 3jul2024
WARNING!!!
WARNING!!! see https://www.openssh.com/releasenotes.html
WARNING!!!
</pre>

Stock SL6 ssh is now very old and, by default, cannot connect to current Ubuntu and MacOS sshd; conversely, their ssh cannot connect to the SL6 sshd.

== Workaround is to manually enable SL6-compatible settings ==

<pre>
root@daq00:~# ssh -oHostKeyAlgorithms=+ssh-rsa -oPubKeyAcceptedAlgorithms=+ssh-rsa ladd00
</pre>

The solution is to install a newer ssh on the affected SL6 machines:

== Install OpenSSH_9.8p1 per CVE-2024-6387 ==

<pre>
ssh root@sl6-machine
cd /opt
git clone https://daq00.triumf.ca/~olchansk/git/openssh.git
ln -s /opt/openssh/lib64/libcrypto.so.1.1 /usr/lib64/
/bin/cp -pv /etc/ssh/*key* /opt/openssh/etc/ ### copy old ssh host keys
/opt/openssh/bin/ssh-keygen -A ### generate any missing ssh host keys
# test sshd: /opt/openssh/sbin/sshd -p 2222 -d
/bin/mv /usr/sbin/sshd /usr/sbin/sshd-SL6
/bin/ln -s /opt/openssh/sbin/sshd /usr/sbin/
/bin/mv /usr/bin/ssh /usr/bin/ssh-SL6
/bin/ln -s /opt/openssh/bin/ssh /usr/bin/
service sshd restart
</pre>

== Update openssh from 9.1 to OpenSSH_9.8p1 per CVE-2024-6387 ==

Check for old version:

<pre>
[root@muon openssh]# telnet localhost 22
SSH-2.0-OpenSSH_9.1
</pre>

Update:

<pre>
cd /opt/openssh
git pull
ln -s /opt/openssh/lib64/libcrypto.so.1.1 /usr/lib64/
service sshd restart
</pre>

Check for new version:

<pre>
telnet localhost 22
SSH-2.0-OpenSSH_9.8
</pre>

== Build openssh ==

<pre>
ssh sl6-machine
cd git
git clone git://anongit.mindrot.org/openssh.git
cd openssh
autoreconf
xemacs -nw ./configure ### fix syntax error: line 28124 empty "if/then/else" block bombs out, fill it with "AAA=aaa"
./configure --prefix=/opt/openssh
make -j
</pre>

Install openssh:
* zfs destroy z8tb/data
* zpool add z10tb cache /dev/disk/by-id/ata-ADATA_SP550_2F4320041688
* parted /dev/sdx mklabel GPT
* blkid
* zpool iostat -v -q 1
* watch -d -n 1 "cat /proc/spl/kstat/zfs/arcstats | grep l2"
* zfs set primarycache=metadata tank/datab
* zfs set secondarycache=metadata tank/datab
 
* zfs userspace -p -H zssd/home1
* zfs groupspace ...
 
=== Create raid0 (mirror) volume ===


<pre>
<pre>
echo USE_DISK_BY_ID=\'yes\' >> /etc/default/zfs
ssh root@sl6-machine
dracut -vf
cd .../git/openssh
zpool create zssd mirror /dev/sdaX /dev/sdbX
make install ### copies stuff to /opt/openssh
zpool set cachefile=none zssd
/opt/openssh/sbin/sshd -p 2222 -d ### test sshd
zpool set failmode=continue zssd
/opt/openssh/bin/ssh -v sl6-machine ### test ssh
zpool status
zpool events
zpool get all
df /zssd
ls -l /zssd
</pre>
</pre>


=== Use whole disk for zfs mirror (RAID0) ===
Update for CVE-2024-6387:
 
<pre>
echo USE_DISK_BY_ID=\'yes\' >> /etc/default/zfs
[root@daq13 ~]# parted /dev/sdb
(parted) mklabel GPT
(parted) q                                                               
[root@daq13 ~]# parted /dev/sdc
(parted) mklabel GPT                                                     
(parted) q                                                               
[root@daq13 ~]# blkid                                                   
/dev/sda1: UUID="ab920e4b-40ae-4551-aab8-f3e893d38830" TYPE="xfs"
/dev/sdb: PTTYPE="gpt"
/dev/sdc: PTTYPE="gpt"
[root@daq13 ~]# zpool create z10tb mirror /dev/sdb /dev/sdc
[root@daq13 ~]# zpool status
  pool: z10tb
state: ONLINE
  scan: none requested
config:


        NAME        STATE    READ WRITE CKSUM
* cd .../git/openssh
        z10tb      ONLINE      0    0    0
* git pull
          mirror-0  ONLINE      0    0    0
* git checkout V_9_8_P1
            sdb    ONLINE      0    0    0
* ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
            sdc    ONLINE      0    0    0
* make ### no go, wants openssl-1.1.1
 
* cd .../git/
errors: No known data errors
* git clone https://github.com/openssl/openssl.git
[root@daq13 ~]#
* cd openssl
[root@daq13 ~]# zfs create z10tb/emma
* git checkout OpenSSL_1_1_1w
[root@daq13 ~]# df -kl
* configure with prefix --prefix=/opt/openssl
Filesystem      1K-blocks    Used  Available Use% Mounted on
* make, install to /opt/openssl
pool          9426697856        0 9426697856  0% /pool
* cd .../openssh
pool/daqstore  9426697856        0 9426697856  0% /pool/daqstore
* configure, build, does not find openssl libraries in /opt (they forgot to set RPATH for user-sepcified location of openssl)
[root@daq13 ~]#
* LD_LIBRARY_PATH=/opt/openssl/lib, try again, now builds and installs
</pre>
* but sshd does not run, does not find libcrypto.so.1.1
 
* needs ln -s .../lib/libcrypto.so.1.1 /usr/lib64, now sshd find it, everything works.
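For the openssh update section above, the "telnet localhost 22" banner check can be scripted. This is an added example, not part of the wiki: it classifies a banner line such as "SSH-2.0-OpenSSH_9.1" against the 9.8 target version named in the section title (the cutoff is taken from that title, not from the OpenSSH advisory), so it can be run from cron over a list of hosts and report which ones still need the update.

```shell
#!/bin/sh
# Added example (not from the wiki): classify an sshd banner such as the
# "SSH-2.0-OpenSSH_9.1" line printed by "telnet localhost 22" above.
# Anything older than REQUIRED_OPENSSH is reported as needing the update
# described in this section. 9.8 is an assumption taken from the section title.
REQUIRED_OPENSSH="9.8"

# openssh_version BANNER
#   prints "major.minor" (portable suffixes such as "p1" are dropped);
#   prints nothing and returns 1 if the line is not an OpenSSH banner.
openssh_version() {
    # telnet leaves a trailing carriage return on the line; strip it first.
    v=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# version_lt A B   -> returns 0 when A is numerically older than B
# (numeric compare, so 9.10 is correctly newer than 9.8).
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ] && return 0
    return 1
}

# check_openssh_banner BANNER   -> prints one of
#   UPDATE <version>   server is older than 9.8, needs the update (returns 1)
#   OK <version>       server is 9.8 or newer (returns 0)
#   UNKNOWN            not an OpenSSH banner, e.g. another server or a non-ssh port (returns 2)
check_openssh_banner() {
    ver=$(openssh_version "$1") || { printf 'UNKNOWN\n'; return 2; }
    if version_lt "$ver" "$REQUIRED_OPENSSH"; then
        printf 'UPDATE %s\n' "$ver"
        return 1
    fi
    printf 'OK %s\n' "$ver"
    return 0
}

# Demo over constructed banners; the first two are the values shown in this section.
# Usage: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for b in "SSH-2.0-OpenSSH_9.1" "SSH-2.0-OpenSSH_9.8" \
             "SSH-2.0-OpenSSH_7.4" "SSH-2.0-dropbear_2020.81"; do
        printf '%-30s %s\n' "$b" "$(check_openssh_banner "$b")"
    done
fi
```

To check a live host, feed it the first line that "telnet host 22" prints (or the output of "ssh -V" on the host itself is not enough, since that reports the client, not the running sshd).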
=== Enable ZFS at boot ===
 
<pre>
systemctl enable zfs-import-cache
systemctl enable zfs-import-scan
systemctl enable zfs-mount
systemctl enable zfs-import.target
systemctl enable zfs.target
</pre>
 
=== Replace failed disk ===
 
* pull failed disk out
* zpool status # identify failed disk zfs label (it should be labeled FAULTED or OFFLINE)
* safe to reboot here
* install new disk
* partition new disk, i.e. "gdisk /dev/sdh", use "o" to create new partition table, use "n" to create new partition, accept all default answers, use "w" to save and exit
* safe to reboot here
* run tests on new disk (smart, diskscrub), if unhappy go back to "install new disk"
* safe to reboot here
* identify serial number of new disk, i.e. "smartctl -a /dev/sdh | grep -i serial" yields "Serial Number:    WD-WCAVY0893313"
* identify linux id of new disk by "ls -l /dev/disk/by-id | grep -i WD-WCAVY0893313" yields "ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0893313-part1"
* zpool replace data11 zfs-label-of-failed-disk ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0893313-part1
* zpool status should look like this:
<pre>
[root@daq11 ~]# zpool status
  pool: data11
state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Fri Apr 29 11:51:03 2016
    24.7G scanned out of 795G at 32.3M/s, 6h46m to go
    3.00G resilvered, 3.11% done
config:
 
        NAME                                                  STATE    READ WRITE CKSUM
        data11                                                DEGRADED    0    0    0
          raidz2-0                                            DEGRADED    0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA3872943-part1    ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA1973466-part1    ONLINE      0    0    0
            replacing-2                                        DEGRADED    0    0    0
              17494865033746374811                            FAULTED      0    0    0  was /dev/sdi1
              ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0893313-part1  ONLINE      0    0    0  (resilvering)
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA1973369-part1    ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0858733-part1    ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0819555-part1    ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0857075-part1    ONLINE      0    0    0
            ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0347413-part1    ONLINE      0    0    0
 
errors: No known data errors
</pre>
* wait for raid rebuild ("resilvering") to complete
* zpool status should look like this:
<pre>
[root@daq11 ~]# zpool status
  pool: data11
state: ONLINE
  scan: resilvered 96.2G in 1h44m with 0 errors on Fri Apr 29 13:35:40 2016
config:
 
        NAME                                                STATE    READ WRITE CKSUM
        data11                                              ONLINE      0    0    0
          raidz2-0                                          ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA3872943-part1  ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA1973466-part1  ONLINE      0    0    0
            ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0893313-part1  ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA1973369-part1  ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0858733-part1  ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0819555-part1  ONLINE      0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WMAZA0857075-part1  ONLINE      0    0    0
            ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0347413-part1  ONLINE      0    0    0
 
errors: No known data errors
</pre>
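Reading "zpool status" by eye works for one machine; for many daq stations it is easier to parse it. This is an added example, not part of the wiki: a small POSIX shell/awk parser that summarises each pool and lists every device that is not ONLINE (or is still resilvering), suitable for a cron check that emails root. The embedded sample is a constructed copy of the degraded output shown above plus the healthy z10tb mirror from the earlier section.

```shell
#!/bin/sh
# Added example (not from the wiki): parse "zpool status" text and report pools
# that need attention. Run as:  zpool status | zpool_summary

# zpool_summary < zpool-status-text
#   prints one line per pool:  <pool> <state> <devices needing attention or ->
#   where the third field is a comma-separated list of name=STATE entries;
#   devices that are ONLINE but marked "(resilvering)" are listed as name=resilvering.
zpool_summary() {
    awk '
        function flush() {
            if (pool != "") printf "%s %s %s\n", pool, state, (bad == "" ? "-" : bad)
            pool = ""; state = ""; bad = ""; inconfig = 0
        }
        /^[ \t]*pool:/  { flush(); pool = $2; next }
        /^[ \t]*state:/ { state = $2; next }
        /^config:/      { inconfig = 1; next }
        /^errors:/      { inconfig = 0; next }
        # inside the config block: columns are NAME STATE READ WRITE CKSUM [notes];
        # skip the header row and the pool-level row (its state is already captured)
        inconfig && NF >= 2 && $1 != "NAME" && $1 != pool {
            if ($2 != "ONLINE")
                bad = (bad == "" ? "" : bad ",") $1 "=" $2
            else if ($NF == "(resilvering)")
                bad = (bad == "" ? "" : bad ",") $1 "=resilvering"
        }
        END { flush() }
    '
}

# zpool_healthy < zpool-status-text
#   returns 0 only when every pool is ONLINE and no device needs attention
zpool_healthy() {
    zpool_summary | awk 'BEGIN { bad = 0 } $2 != "ONLINE" || $3 != "-" { bad = 1 } END { exit bad }'
}

# Constructed sample: the degraded data11 output from this section (shortened)
# followed by the healthy z10tb mirror from the "whole disk" section.
sample_zpool_status() {
    cat <<'EOF'
  pool: data11
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
        continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Fri Apr 29 11:51:03 2016
config:

        NAME                                                  STATE    READ WRITE CKSUM
        data11                                                DEGRADED    0    0    0
          raidz2-0                                            DEGRADED    0    0    0
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA3872943-part1    ONLINE      0    0    0
            replacing-2                                        DEGRADED    0    0    0
              17494865033746374811                            FAULTED      0    0    0  was /dev/sdi1
              ata-WDC_WD2002FYPS-01U1B0_WD-WCAVY0893313-part1  ONLINE      0    0    0  (resilvering)
            ata-WDC_WD20EARS-00MVWB0_WD-WCAZA1973369-part1    ONLINE      0    0    0

errors: No known data errors
  pool: z10tb
 state: ONLINE
  scan: none requested
config:

        NAME        STATE    READ WRITE CKSUM
        z10tb      ONLINE      0    0    0
          mirror-0  ONLINE      0    0    0
            sdb    ONLINE      0    0    0
            sdc    ONLINE      0    0    0

errors: No known data errors
EOF
}

# Usage: sh thisfile.sh --demo   (prints the summary of the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    sample_zpool_status | zpool_summary
    sample_zpool_status | zpool_healthy || echo "at least one pool needs attention"
fi
```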
 
=== Rename zfs pool ===
 
<pre>
zpool export oldname
zpool import oldname z6tb
</pre>
 
=== Misc ===
 
<pre>
ZFS tunable parameters for hopefully speeding up resilvering:
 
https://www.reddit.com/r/zfs/comments/4192js/resilvering_raidz_why_so_incredibly_slow/
echo 0 > /sys/module/zfs/parameters/zfs_resilver_delay
echo 512 > /sys/module/zfs/parameters/zfs_top_maxinflight
echo 5000 > /sys/module/zfs/parameters/zfs_resilver_min_time_ms
</pre>
 
Enable periodic scrub:
 
<pre>
cd ~/git/scripts
git pull
cd zfs
make install
</pre>
 
Working with ZFS snapshots:
 
* zfs list -t snapshot
* cd ~/git; git clone https://github.com/zfsonlinux/zfs-auto-snapshot.git; cd zfs-auto-snapshot; make install
 
If ZFS becomes 100% full, "rm" will stop working, but space can still be freed by using "echo > bigfile", afterwards "rm" works again.
 
== performance notes ==
 
Go here: [[disk_benchmarks]]
 
== Configure UEFI boot ==
 
Some motherboards can boot from NVME (PCIe) SSDs only via UEFI boot. Do this:
 
* partition the NVME SSD using gdisk (must be GPT partition table, must have MSDOS EFI partition size 512MiB)
<pre>
[root@alpha00 ~]# gdisk -l /dev/nvme0n1
GPT fdisk (gdisk) version 0.8.6 ...
Found valid GPT with protective MBR; using GPT.
Disk /dev/nvme0n1: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 1A82CC87-2757-44ED-980F-C78E3681D9D3
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)
 
Number  Start (sector)   End (sector)  Size      Code  Name
  1            2048        1050623  512.0 MiB  EF00  EFI System
  2        1050624      500118158  238.0 GiB  8300  Linux filesystem
[root@alpha00 ~]#
</pre>
* create filesystems
<pre>
mkfs.msdos /dev/nvme0n1p1
mkfs.xfs /dev/nvme0n1p2
</pre>
* prepare EFI partition
<pre>
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir -p /mnt/efi/efi/boot
cp /boot/vmlinuz... vmlinuz # copy the desired linux kernel
cp /boot/initramfs... initramfs.img # copy the matching initramfs file
#from /home/olchansk/sysadm/syslinux/syslinux-6.03 copy
cp .../efi64/efi/syslinux.efi .
cp .../efi64/com32/elflink/ldlinux/ldlinux.e64 .
cp syslinux.efi bootx64.efi
</pre>
* create syslinux config file: syslinux.cfg
<pre>
default linux
label linux
kernel vmlinuz
append ro root=/dev/nvme0n1p2 nomodeset initrd=initramfs.img
</pre>
* prepare system partition
<pre>
mkdir /mnt/tmp
mount /dev/nvme0n1p2 /mnt/tmp
rsync -avx / /mnt/tmp
cd /mnt/tmp
#edit etc/fstab
#edit etc/sysconfig/selinux # set selinux to permissive mode because rsync did not copy the selinux labels
</pre>
* unmount and reboot
* restore selinux labels after first boot
<pre>
#login as root
cd /
restorecon -R / # can also add "-v" to see progress, but runs much slower
#edit /etc/sysconfig/selinux # enable selinux
#shutdown -r now # reboot with selinux enabled
</pre>

Latest revision as of 16:00, 9 July 2024

Notes

  • these instructions are periodically updated to include items needed for older/newer versions of Linux. They are marked like this: (SL4.2+) means Scientific Linux 4.2 and newer; (SL4 is equivalent to FC3). (FC5 only) means Fedora Core 5; etc.
  • obsolete items are marked by the "#" sign at the beginning of the line and sometimes have a comment about the reason for removal.
  • typically, we do not "upgrade" machines using the Red Hat "upgrade" function. Instead, we save critical files from the old installation and do a "fresh install" from scratch
  • starting with RHEL7, the recommended OS is CentOS7 (instead of SL7).

Disk configurations

The year is 2019 and SSDs are used exclusively, except for bulk data storage, where 6-8-10-12 TB HDDs are used.

For reliability, home directories and data disks must use redundant storage - mdadm raid1 or ZFS raid1/raid6.

For non-critical machines, a single SSD seems to be reliable enough to use as a boot and OS disk. But since any storage device can fail at any time without warning, home directories and data disks should use redundant storage.

Note: for data disks bigger than 4-6TB, mdadm raid1/raid6 is no longer recommended because raid rebuild, verification and repair time has become unreasonably long. Instead, use ZFS raid1/raid6 which implements online verification, repair and disk replacement without requiring machine shutdown or OS down time.

  • single SSD - 120GB min - single partition for "/", no swap partition (create a swap file if swap is needed) - for non-critical machine with no local data storage (OS only)
  • dual SSD - 2x240GB min - all partitions mirrored (RAID1), 30GB "/", rest for /home1 - for daq station with local user home directories and no bulk data storage
  • single SSD + 2x6-8-10-12TB HDD - SSD partition: all "/", HDD partition as ZFS raid1 (mirrored) - for daq station with small local bulk data storage
  • single SSD + 6-8x6-8-10-12TB HDD - for small storage server machines - for daq station with local home directories and large bulk data storage.

For VME processors:

  • network boot - VME-CPU#Network_boot - only option for V7648/V7750, do not use for V7805 (no netboot from GigE), optional for V7865/XVB-602
  • USB boot - 8GB USB for V7805, 16GB USB for V7865/XVB-602

Preparation

  • save /etc, /var, /root, /opt, (if needed: /usr/local, /tftpboot) by rsync to some data disk (/ladd/data0/root)
  • check that "/" partition (it will be overwritten) is different from /home1 and /data partitions
  • note the MAC addresses of all network interfaces, add them to ladd00 dhcpd.conf to enable PXE boot into the SL "network installer"
  • shutdown

Running installer (CentOS7)

CentOS7 can be installed from vanilla CentOS7 installation media or from a custom USB key built per these instructions: https://daqshare.triumf.ca/~olchansk/linux/CentOS7/

The custom installer makes it easy to use a custom kickstart file (ks.cfg).

Instructions for using the usb-installer:

  • disconnect machine from network
  • plug the usb-installer into a usb3 port (blue colour)
  • reboot machine, select booting from usb (press F8 on ASUS motherboards)
  • usb-installer boot menu offers to install CentOS7, go there
  • CentOS7 should boot (many messages scroll on screen)
  • into graphical mode
  • into installer main menu
  • all installer options should be "happy" except for the "installation destination"
  • go to the "installation destination" menu
    • unselect all disks except for the SSD where the OS will be installed
    • (MOST IMPORTANT: unselect the USB installer disk!)
    • select "I will configure..."
    • say "done"
    • the "manual partitioning" menu will open
      • use the "-" button to delete all existing partitions
      • select "standard partition"
      • click on the "+" button
      • in the "Add new partition" dialog, set mount point "/", capacity blank, click "add mount point"
      • check capacity (should be full size of SSD), check filesystem type (should be XFS)
      • say "done", there will be a warning about absent swap partition, say "done" again.
      • in the big useless dialog, say "accept changes"
      • should be back to the "installation summary" screen, "installation destination" should be happy now
  • after everything is happy, say "begin installation"
  • as the installation proceeds, set the password for the root user
  • after installation is complete, reboot the machine
  • unplug the usb-installer, CentOS7 should boot from SSD into the login screen
  • click on "not listed?", login as root
  • setup network connection:
    • open a terminal
    • start "nm-connection-editor"
    • click on "+" to create a new connection profile
    • select "wired ethernet"
    • select "add profile..."
    • in "Identity", set "name" to "static"
    • in "Identity", check that "Connect automatically" and "Make available..." is enabled
    • in "IPv4", set "Addresses" to "manual" instead of "dhcp"
    • enter IP address, netmask 255.255.224.0, gateway 142.90.100.18, dns 142.90.100.19, search triumf.ca
    • say "Add", then close/quit the network settings
  • connect network cable
  • network should be up, ping ladd00 should work
  • run: yum update -y
  • check new kernel is installed: ls -l /boot
  • logout and restart (good luck finding these buttons in the gui!)
  • confirm correct linux kernel is selected during boot (-229.20, not the original installer kernel)
  • login as root, confirm network is up, proceed with the rest of these instructions

Configure SSH

(+CentOS7)

  • Login from the console
  • restore the SSH keys from backup (/etc/ssh/*key*)
  • service sshd restart
  • ssh into the new machine as root
  • ssh root@localhost, ctrl-C
  • ### this is done later from Konstantin's git repository - scp root@ladd00:/root/authorized_keys ~root/.ssh/
  • (not needed for SL5.5 kickstart) check that /etc/ssh/ssh_config contains "ForwardX11 yes" and "ForwardX11Trusted yes":
echo "  ForwardX11 yes" >> /etc/ssh/ssh_config
echo "  ForwardX11Trusted yes" >> /etc/ssh/ssh_config

Set hostname

Set hostname: (use full name, i.e. daq11.triumf.ca)

emacs -nw /etc/hostname

Configure email

  • TRIUMF: use relayhost = smtp.triumf.ca
  • CERN: use relayhost = cernmx.cern.ch
  • edit /etc/postfix/main.cf, set "relayhost = smtp.triumf.ca"
  • echo "olchansk@triumf.ca amaudruz@triumf.ca lindner@triumf.ca bsmith@triumf.ca" >> ~root/.forward

Make log files readable

chmod a+r /var/log/messages
chmod a+r /var/log/yum.log

Activate /etc/rc.local

Activate rc.local:

chmod a+x /etc/rc.local
chmod a+x /etc/rc.d/rc.local  # TL edit
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local

Disable "persistent network names" (DO NOT DO THIS)

/bin/touch /etc/udev/rules.d/75-persistent-net-generator.rules
/bin/rm /etc/udev/rules.d/70-persistent-net.rules
#shutdown -r now

Configure NIS client (CentOS7)

yum -y install ypbind authconfig
echo "NISTIMEOUT=5" >> /etc/sysconfig/network
echo "NETWORKWAIT=yes" >> /etc/sysconfig/network
authconfig --enablenis --enablepreferdns --nisdomain LADD-NIS --nisserver ladd00.triumf.ca --update
ypwhich
ypcat -k passwd
systemctl restart autofs
  • On the master NIS node (ladd00), add this new node to /etc/netgroup, and update NIS maps (cd /var/yp; make)
  • Use "system-config-users" to add local user accounts
  • enable selinux ssh key login to nfs mounted home directories:
setsebool -P use_nfs_home_dirs 1

Configure NIS client (CentOS8)

  • all the same as for CentOS7
  • ensure correct boot order for ypbind (in CentOS 8.1 ypbind is started before network is ready, service file uses "Wants" instead of "After")
mkdir /etc/systemd/system/ypbind.service.d
echo -e "[Unit]\nAfter=network-online.target\n" > /etc/systemd/system/ypbind.service.d/local.conf
systemctl daemon-reload
systemctl cat ypbind.service

Configure NIS secondary server (CentOS7)

Enable local NIS server, make local machine use it:

yum -y install ypserv
/usr/lib64/yp/ypinit -s ladd00 ### (/usr/lib/yp/ypinit on 32-bit machines)
### ypinit will give lots of errors about "rpc.ypxfrd failed: RPC: Can't decode result"; can be ignored
systemctl disable ypxfrd yppasswdd
systemctl stop ypxfrd yppasswdd
systemctl enable rpcbind ypserv
systemctl start rpcbind ypserv
emacs -nw /etc/yp.conf # change "domain XXX server YYY.triumf.ca" to read "domain XXX server localhost"
systemctl restart ypbind
ypwhich # should say "localhost"
ypcat -k auto.master # should work

Punch hole in the firewall: (or "make" on NIS master will complain)

echo YPSERV_ARGS=\"-p 800\" >> /etc/sysconfig/network
systemctl restart ypserv
firewall-cmd --get-services
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --add-port=800/tcp --add-port=800/udp --permanent
firewall-cmd --reload
firewall-cmd --list-all
  • on the NIS master:
    • add the new machine to /var/yp/ypservers, run "make -C /var/yp" and also "cd /var/yp; yppush -h newmachine ypservers"
      • TL (2020-09): we are not doing this anymore? I guess it doesn't work anyway...
    • if using /var/yp/securenets, copy it from NIS master to new NIS secondary server

Enable hourly NIS update cron job (DO THIS AFTER git pull scripts, see below)

cd ~/git/scripts
git pull
cd etc
cd ~/git/scripts/etc; ln -s $PWD/ypxfr-cron-hourly /etc/cron.hourly

Configure AUTOFS (CentOS7)

yum -y install autofs
systemctl enable autofs
systemctl start autofs
ls -l /daq/daqshare


Label Selinux labels

When upgrading non-selinux machines (el6) to el7 (selinux enforcing) the existing user home directories will not have the correct selinux labels and many things will not work, including ssh logins (sshd cannot access ~user/.ssh files).

semanage fcontext -a -e /home /home1 ### selinux has special rules for /home, assign them to /home1
restorecon -R -v /home1 ### apply the new rules to files in /home1
ls -Zd /home1/alpha/.ssh
# should say: drwx------. alpha users system_u:object_r:ssh_home_t:s0  /home1/alpha/.ssh

Configure time (CentOS7)

Time server ntpd was replaced by chronyd.

yum -y install chrony
echo server time1 iburst >> /etc/chrony.conf
echo server time2 iburst >> /etc/chrony.conf
echo server time3 iburst >> /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd
chronyc sources
chronyc tracking
  • if desired, edit /etc/chrony.conf, remove non-triumf time servers

Enable automatic system updates (CentOS7)

Disable yum-cron:

rpm --erase yum-cron
/bin/rm -v /var/lock/subsys/yum-cron
/bin/rm -v /etc/cron.daily/0yum-daily.cron
/bin/rm -v /etc/cron.hourly/0yum-hourly.cron

Enable yum-autoupdate:

yum install -y epel-release
yum install -y yum-changelog yum-protectbase yum-tsflags yum-versionlock
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-kernel-module-1-5.el7.cern.noarch.rpm
rpm -vh --install http://linuxsoft.cern.ch/cern/centos/7.2/cern/x86_64/Packages/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm
#rpm -vh --install https://daqshare.triumf.ca/~olchansk/linux/yum-autoupdate-4.4.2-1.el7.cern.noarch.rpm https://daqshare.triumf.ca/~olchansk/linux/yum-kernel-module-1-5.el7.cern.noarch.rpm
systemctl enable yum-autoupdate
systemctl start yum-autoupdate
systemctl status yum-autoupdate

Disable automatic system updates (CentOS7)

yum -y erase yum-autoupdate
/bin/rm -f /etc/sysconfig/yum-autoupdate.rpmsave
/bin/rm -f /var/lock/subsys/yum-autoupdate

Enable automatic system updates (CentOS8)

yum -y install dnf-automatic
systemctl enable --now dnf-automatic.timer
systemctl list-timers *dnf-*

edit /etc/dnf/automatic.conf

apply_updates = yes

Configure system services (CentOS7)

  • systemctl list-unit-files | grep enabled | sort ### (to see enabled services)
  • disable unwanted services:
systemctl disable bluetooth
systemctl disable dm-event
systemctl disable dmraid-activation
systemctl disable iscsid
systemctl disable iscsi
systemctl disable iscsiuio
systemctl disable libvirtd
systemctl disable lvm2-lmetad
systemctl disable lvm2-monitor
systemctl disable ModemManager
systemctl disable multipathd
systemctl disable netcf-transaction
systemctl disable lvm2-lvmetad.socket
systemctl disable lvm2-lvmpolld.socket
systemctl disable iscsid.socket
systemctl disable iscsiuio.socket
systemctl disable ksm
systemctl disable ksmtuned
#systemctl disable 

Erase unwanted packages (CentOS7)

  • PackageKit # bugs users about security updates, hogs yum lock
  • perl-homedir # creates unwanted $HOME/perl5
  • ModemManager # thinks that all USB-attached devices are modems
  • pcp # sends error email to itself, does not work
  • abrt # sends email to root about useless crashes, i.e. crash of X when machine is rebooted
  • rear # some kind of backup and recovery tool, not clear what it does, but it sends email complaining how it is broken
  • bash-completion # "echo $HOME/<TAB>" becomes "echo \$HOME" (notice "\" added before "$") preventing tab-completion from doing anything useful.
yum -y erase PackageKit perl-homedir ModemManager pcp abrt abrt-libs abrt-gui-libs rear bash-completion

Disable unwanted package "tracker"

The "tracker" package is part of the GNOME desktop, it scans the content of all files into a database for quick searching.

When it malfunctions, bad things happen, i.e. read through https://bugzilla.redhat.com/show_bug.cgi?id=747689

Specific problem I see is that it floods the system log with error messages. Also consumes network and filesystem bandwidth for NFS mounted home directories.

This package cannot be removed by "yum erase tracker" due to dependencies from the core GNOME desktop.

Instead, do this to deactivate it:

chmod -x /usr/libexec/tracker-*
chmod -x /usr/bin/tracker
chattr +i /usr/bin/tracker
chattr +i /usr/libexec/tracker-*

Configure external package repositories (CentOS7)

EPEL: (additional packages)

yum install epel-release

ELREPO: (kernel modules and drivers) (CentOS8)

yum install elrepo-release

ELREPO: (kernel drivers)

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum -y install yum-plugin-fastestmirror

Install packages needed to continue with installation

(+CentOS7)

(these packages are sometimes missing; they are needed to follow the instructions below)

(SL6.5: libotf is a dependency of emacs - the SL6.5 installer fails to install it)

yum install ed patch wget git libotf gdisk emacs perl

Configure Konstantin's scripts

(+Centos7)

mkdir ~root/git
cd ~root/git
git clone http://ladd00.triumf.ca/~olchansk/git/scripts.git
cd scripts
git pull

Go back to the NIS slave server and install the hourly NIS update cron job.

Enable yum version lock

yum install yum-plugin-versionlock
#yum versionlock packagename # yum versionlock rpcbind
#yum versionlock list # list locked packages
#yum versionlock delete packagename # unlock given package
#yum versionlock clear # delete all locks

Configure trusted ssh keys

(+CentOS7)

ssh localhost
interrupt by Ctrl-C
/bin/cp ~/git/scripts/etc/authorized_keys ~/.ssh/

Configure hardware sensors

  • yum -y install lm_sensors
  • sensors-detect (accept default answer to all questions - press ENTER)
  • systemctl restart lm_sensors
  • sensors (to see available sensors)

If no sensors are detected by standard drivers, follow motherboard-specific instructions at the bottom of this page.

Configure IPMI sensors

Some machines support the IPMI interface for monitoring the hardware: fan speeds, temperatures, voltages.

  • find out if IPMI is supported. Try this:
dmidecode | grep -i ipmi

if output is not blank, IPMI may be supported.

  • install and enable IPMI software:
yum install "OpenIPMI*" ipmitool
service ipmi start
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
chkconfig ipmi on
chkconfig ipmievd on
service ipmi restart
service ipmievd restart
tail -100 /var/log/messages ### look at messages logged by ipmievd
  • (CentOS7) install and enable IPMI software:
yum install "OpenIPMI*" ipmitool
systemctl start ipmi
ipmitool sensor ### to confirm IPMI is present. If output is blank, do not go further.
systemctl list-unit-files | grep -i ipmi
systemctl enable ipmi
systemctl restart ipmi
systemctl status ipmi
systemctl enable ipmievd
systemctl restart ipmievd
systemctl status ipmievd
tail -100 /var/log/messages ### look at messages logged by ipmievd
  • if ipmievd complains about SEL buffer overflow, clear it manually:
ipmitool sel list ### show ipmi messages in raw format
ipmitool sel elist ### show ipmi messages in useful format
ipmitool sel elist > file ### save ipmi messages into a file
ipmitool sel clear  ### clear all accumulated ipmi messages
  • useful ipmi commands:
    • ipmitool sensor -- read hardware sensors
    • ipmitool sel elist -- report all accumulated messages

Configure ECC memory

  • check that machine has ECC memory: dmidecode --type memory | grep -i ecc

Configure mcelog (machine check exception)

  • yum install mcelog
  • check that mcelog is running: ps -efw | grep mcelog
  • (el6) chkconfig mcelogd on; service mcelogd restart
  • (el7) systemctl status mcelog.service; systemctl enable mcelog.service; systemctl restart mcelog.service

Check for MCE (machine check exception) messages:

  • mcelog --client
  • grep -i mce /var/log/messages*
  • grep -i ecc /var/log/messages*

Configure EDAC

yum install edac-utils
edac-ctl --mainboard
edac-ctl --status
lsmod | grep edac
modprobe ie31200_edac ### driver for Intel E3-1200 series ECC memory

[root@grsmid00 ~]# ls -l /sys/devices/system/edac/mc/
... empty

[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/
drwxr-xr-x. 15 root root    0 Oct 25 16:40 mc0
...
[root@alpha00 ~]# ls -l /sys/devices/system/edac/mc/mc0
total 0
-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_count
-r--r--r--. 1 root root 4096 Oct 25 16:40 ce_noinfo_count
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow0
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow1
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow2
drwxr-xr-x. 3 root root    0 Oct 25 16:40 csrow3
-r--r--r--. 1 root root 4096 Oct 25 16:40 max_location
-r--r--r--. 1 root root 4096 Oct 25 16:40 mc_name
drwxr-xr-x. 2 root root    0 Oct 25 16:40 power
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank0
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank1
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank2
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank3
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank4
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank5
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank6
drwxr-xr-x. 3 root root    0 Oct 25 16:40 rank7
--w-------. 1 root root 4096 Oct 25 16:40 reset_counters
-r--r--r--. 1 root root 4096 Oct 25 16:40 seconds_since_reset
-r--r--r--. 1 root root 4096 Oct 25 16:40 size_mb
lrwxrwxrwx. 1 root root    0 Oct  2 12:02 subsystem -> ../../../../../bus/mc0
-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_count
-r--r--r--. 1 root root 4096 Oct 25 16:40 ue_noinfo_count
-rw-r--r--. 1 root root 4096 Oct 25 16:40 uevent
[root@alpha00 ~]# 

[root@alpha00 ~]# edac-ctl --status
edac-ctl: drivers are loaded.

[root@alpha00 ~]# edac-util 
edac-util: No errors to report.

[root@alpha00 ~]# edac-util -s
edac-util: EDAC drivers are loaded. 1 MC detected

Configure SMARTD (CentOS7)

Default el7 smartd config files send deficient email notices about disk failures. Overwrite.

/bin/cp ~/git/scripts/etc/smartd.conf /etc/smartmontools/
/bin/cp ~/git/scripts/etc/smartd_warning.sh /etc/smartmontools/
systemctl enable smartd
systemctl restart smartd
systemctl status smartd

Enable User Disk Quotas (OPTIONAL)

(+CentOS7)

[root@isdaq00 home1]# grep quota /etc/fstab
UUID=5a2aefbd-45db-475e-841e-12ec89220fbd /home1 ext4 defaults,grpquota,usrquota 1 2
  • cd /; umount /home1; mount /home1
  • quotacheck -cug /home1
  • quotacheck -avug
  • quotaon -av
  • quota system is now active
  • increase the soft quota time limit from default 7days to 30 or 60 days: edquota -t
  • set quotas for all users (see below)
  • setup warnquota:
    • create warnquota config file: emacs -nw /etc/warnquota.conf
# values can be quoted:
MAIL_CMD        = "/usr/sbin/sendmail -t"
FROM            = root
SUBJECT         = User %i@%h exceeded allocated disk quota
CC_TO           = "root"
# If you set this variable CC will be used only when user has less than
# specified grace time left (examples of possible times: 5 seconds, 1 minute,
# 12 hours, 5 days)
# CC_BEFORE = 2 days
SUPPORT         = "root"
# Text in the beginning of the mail (if not specified, default text is used)
# This way text can be split to more lines
# Line breaks are done by '|' character
# The expressions %i, %h, %d, and %% are substituted for user/group name,
# host name, domain name, and '%' respectively. For backward compatibility
# %s behaves as %i but is deprecated.
MESSAGE         = User "%i" on "%h" has exceeded the allocated disk quota.||Please delete any unnecessary files on following filesystems or|contact the system administrator to increase your quota allocation:|
SIGNATURE       = --|automated email from warnquota
    • note that %i@%h in the SUBJECT line do not seem to work
    • create cron job: emacs -nw /etc/cron.daily/warnquota
#!/bin/sh
warnquota
#end
    • chmod a+x /etc/cron.daily/warnquota
    • touch /etc/crontab

Useful commands for managing quotas:

  • repquota -a | sort -n -k3 ### show quota of all users sorted by disk usage
  • edquota -u username ### open "vi" editor to change user quotas
  • repquota -a | grep username ### report quota for given user
  • setquota -u username 0 0 0 0 /home1 ### disable quotas for given user
  • setquota -u username 50000000 100000000 0 0 /home1 ### set quotas for 50GB soft and 100GB hard
  • edquota -t ### change user quota time limits
  • edquota -tg ### change group quota time limits

Enable NFS V4 server (CentOS7)

  • create /etc/exports, for example (fsid numbers must be unique; number them 1,2,3,...):
/home1  @home_export(rw,no_root_squash,async,fsid=1)
/data1  @data_export(rw,no_root_squash,async,fsid=2)
  • check the netgroup file
    • if using NIS: check NIS netgroup: ypcat -k netgroup
    • if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
    • if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: "netgroup: files"
  • enable things, start them:
firewall-cmd --get-services
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind ### needed for ubuntu automounter
firewall-cmd --reload
firewall-cmd --list-all
systemctl enable nfs-server
systemctl start nfs-server
systemctl status nfs

Enable NFS V3 server (CentOS7)

ps -efw | grep rpc.mountd # should be running!
firewall-cmd --get-services
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload
firewall-cmd --list-all

Enable NFS V3 server

  • edit /etc/hosts.allow, add or uncomment "mountd: 142.90.0.0/255.255.0.0"
  • create /etc/exports. example:
/home1  @home_export(rw,no_root_squash,async)
/data1  @data_export(rw,no_root_squash,async)
  • check the netgroup file
    • if using NIS: check NIS netgroup: ypcat -k netgroup
    • if no NIS, create /etc/netgroup: @daqmachines (deap00,,) (deap01,,) (deap02,,)
    • if no NIS, edit /etc/nsswitch.conf, make the netgroup line read: "netgroup: files"
  • chkconfig nfs on
  • chkconfig nfslock on
  • service nfs restart

Then on ladd00 you need to do:

  • ssh to root@ladd00
  • edit /etc/auto.daq to add new machine...
  • make -C /var/yp
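Added example, not part of this page or the DaqWiki scripts: a POSIX sh checker for the /etc/exports files shown in the NFS V4 and NFS V3 sections above. It enforces the rule that fsid values must be unique and lists every export that uses no_root_squash (root on the client becomes root on the exported tree), so those exports are reviewed deliberately. The function names and the two sample exports files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the DaqWiki page: sanity-check an exports file
# before running exportfs. Checks the page's rule that NFSv4 fsid values are
# unique, and reports exports that use no_root_squash (root on the client
# becomes root on the exported tree), so they can be reviewed deliberately.

# check_exports FILE
#   Prints one line per finding. Returns 1 if any fsid value appears on
#   more than one export line, 0 otherwise.
check_exports() {
    file=$1
    status=0
    # Strip comments, pull every "fsid=N" out of the option lists, and keep
    # only the values that occur more than once.
    dups=$(sed 's/#.*//' "$file" | grep -o 'fsid=[0-9]*' | sort | uniq -d)
    for d in $dups; do
        echo "ERROR: $d is used by more than one export in $file"
        status=1
    done
    # Informational: which exports do not squash root.
    sed 's/#.*//' "$file" | grep -n 'no_root_squash' |
    while IFS=: read -r lineno rest; do
        set -- $rest
        echo "WARN: line $lineno exports $1 to $2 without root squashing"
    done
    return $status
}

# count_no_root_squash FILE - print the number of export lines using no_root_squash
count_no_root_squash() {
    sed 's/#.*//' "$1" | grep -c 'no_root_squash'
}

# Constructed sample files in the format used on the page.
EXPORTS_DIR=$(mktemp -d)
GOOD_EXPORTS=$EXPORTS_DIR/exports.good
BAD_EXPORTS=$EXPORTS_DIR/exports.bad

cat > "$GOOD_EXPORTS" <<'EOF'
# constructed sample: fsid values 1 and 2 are distinct
/home1  @home_export(rw,no_root_squash,async,fsid=1)
/data1  @data_export(rw,no_root_squash,async,fsid=2)
EOF

cat > "$BAD_EXPORTS" <<'EOF'
# constructed sample: /data2 reuses fsid=2, which must be rejected
/home1  @home_export(rw,no_root_squash,async,fsid=1)
/data1  @data_export(rw,no_root_squash,async,fsid=2)
/data2  @data_export(rw,async,fsid=2)
EOF

# Stand-alone run: the first file passes, the second reports the duplicate.
for f in "$GOOD_EXPORTS" "$BAD_EXPORTS"; do
    echo "== $f"
    check_exports "$f" || echo "-> $f needs fixing before exportfs -ra"
done
```

Run it against the real /etc/exports before exportfs -ra; a non-zero exit means a duplicated fsid.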

Enable NFS V4 SERVER (SL6)

  • if used with NIS, same as NFSv3
  • if used as standalone, need to edit idmapd.conf - set the "Domain" name to the same value on NFS server and NFS slave (default automagically determined value does not always work). More TBW.

Enable AMANDA backups

AMANDA backups are already enabled by TRIUMF kickstart installs. For non-kickstart installation, follow instructions at [http://amanda/~amanda], or look at "/triumfcs/trshare/olchansk/linux/amanda/amanda-enable.perl". As final step, use [https://helpdesk.triumf.ca] to contact TRIUMF CS to add this new machine to the amanda backup list.

  • yum install triumf-amanda

Enable AMANDA backups (CentOS7)

yum install amanda-client
systemctl list-unit-files | grep -i amanda
#systemctl enable amanda
systemctl enable amanda.socket
systemctl enable amanda-udp.socket
systemctl restart amanda.socket
systemctl restart amanda-udp.socket
firewall-cmd --get-services
firewall-cmd --permanent --add-service=amanda-client
firewall-cmd --reload
firewall-cmd --list-all
echo amanda.triumf.ca amanda amdump >> /var/lib/amanda/.amandahosts

On the amanda server, add the new machine to the disklist, then:

amcheck -c daily titan00

Enable DCACHE

DAQ dcache server is mounted as

/daq/pnfs/triumf.ca/data/

For Centos-7 machines, you need to adjust the firewall rules in order to be able to communicate with the trdata machines; this is only necessary if you are copying data to trdata. The firewall changes are

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.212/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.107.156/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.100.219/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all

These instructions are unnecessary:

  • # mkdir -p /pnfs
  • # edit /etc/rc.local, add to the end of file: "mount -o intr,rw,noac,hard,nfsvers=3 trdata00:/pnfs /pnfs &"
  • # . /etc/rc.local

For more information, see the TrdataDcache dcache page.

Configure Ganglia (Centos7)

CentOS7 Ganglia instructions (EPEL7 ganglia-3.7.2)

/bin/rm /etc/gmond.conf
yum -y install "ganglia-gmond*"
/bin/cp -v /dev/null /etc/ganglia/conf.d/multicpu.conf   # collects useless data
/bin/cp -v /dev/null /etc/ganglia/conf.d/netstats.pyconf # spews errors into syslog
/bin/cp -v /dev/null /etc/ganglia/conf.d/diskstat.pyconf # collects useless data
/bin/cp -v /dev/null /etc/ganglia/conf.d/procstat.pyconf # do not create /tmp/gmond.conf
yum erase -y ganglia-vmstat ganglia-sensors ganglia-top ganglia-smart ganglia-cpumhz
cd ~/git/scripts
git pull
/bin/cp etc/gmond.conf /etc/ganglia/gmond.conf
systemctl enable gmond
systemctl restart gmond
systemctl status gmond
cd ganglia
./ganglia-all.perl
make install
cd ~

Configure Ganglia (Centos8)

CentOS8 Ganglia instructions (EPEL8 ganglia-3.7.2)

/bin/rm /etc/gmond.conf
yum -y install "ganglia-gmond*"
/bin/cp ~/git/scripts/etc/gmond.conf /etc/ganglia/gmond.conf
systemctl enable gmond
systemctl restart gmond
systemctl status gmond
cd ~/git/scripts/ganglia
git pull
./ganglia-all.perl
make install

Configure TRIUMF DAQ packages

(+CentOS7)

cd /etc/yum.repos.d
wget http://daq.triumf.ca/~daqweb/yum/triumf-daq.repo

Install Konstantin's packages

(+CentOS7)

yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install diskscrub emailonreboot monitor_nfs

Install memtest and PXE boot

!!!DO NOT DO THIS!!!

cd /boot
wget http://ladd00.triumf.ca/tftpboot/memtest86+-5.01.bin.gz
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.20.bin.gz
wget http://ladd00.triumf.ca/tftpboot/memtest86+-4.10
wget http://ladd00.triumf.ca/tftpboot/gpxe-1.0.1+-gpxe.lkrn

emacs -nw /boot/grub/grub.conf
title memtest86+-5.01
      root (hd0,0)
      kernel /boot/memtest86+-5.01.bin.gz
title memtest86+-4.20
      root (hd0,0)
      kernel /boot/memtest86+-4.20.bin.gz
title memtest86+-4.10
      root (hd0,0)
      kernel /boot/memtest86+-4.10
title pxeboot
      root (hd0,0)
      kernel /boot/gpxe-1.0.1+-gpxe.lkrn

Install node monitoring

!!! OBSOLETE, DO NOT DO THIS !!!

(+CentOS7)

yum --disablerepo=\* --enablerepo=triumf-daq --skip-broken install triumf_nodeinfo
/usr/sbin/sendnodeinfo.perl --config ladd00.triumf.ca:8600
emacs -nw /etc/nodeinfo
/usr/sbin/sendnodeinfo.perl ladd00.triumf.ca:8600

Install gonodeinfo node monitoring

(+Ubuntu, +CentOS7, +CentOS8)

go to https://bitbucket.org/dd1/gonodeinfo and follow the instructions:

yum -y install golang
mkdir ~/git
cd ~/git
git clone https://bitbucket.org/dd1/gonodeinfo.git
# or git clone https://daq.triumf.ca/~olchansk/git/gonodeinfo.git
cd gonodeinfo
git pull
make
make install # install gonodeinfo agent
cd ~ # this is important
  • emacs -nw /etc/gonodeinfo.conf
  • change "Description", "Location", "User" and "Administrator" as appropriate (or delete them)
  • change "Servers" to read: Servers: daq00.triumf.ca:8601
  • run gonodeinfo -e
  • if the error is "connection refused", go to the nodeinfo server to add this client to the access control list:
  • on the gonodeinfo server: run /opt/gonodeinfo/gonodereceive.exe -a daq13
  • try gonodeinfo again, there should be no error
  • on the gonodeinfo server: run gonodereport, look at the web pages, the new machine should be listed now

Install latest system updates

(+CentOS7)

yum update -y

Configure TRIUMF Printers (CentOS7)

systemctl stop cups
systemctl disable cups
echo "ServerName printers.triumf.ca" > /etc/cups/client.conf
lpstat -a

Disable syslog spam (CentOS7)

Default el7 config is spamming the syslog with useless messages "systemd: Starting Session", etc. Disable this:

echo auditctl -e 0 >> /etc/rc.local
echo /usr/bin/systemd-analyze set-log-level notice >> /etc/rc.local
/etc/rc.local

Install basic system packages (CentOS7)

(if starting from a minimal system, these basic system packages are required:)

yum install -y which psmisc redhat-lsb-core xorg-x11-xauth xterm emacs-nox rsync tcpdump strace nfs-utils sysstat iftop tcsh
yum install -y gcc gcc-c++ gdb glibc-static libstdc++-static zlib zlib-devel openssl-devel httpd-tools

Install packages needed for QUARTUS, ROOT, EPICS and MIDAS DAQ

(+CentOS7)

yum install --skip-broken giflib.x86_64 sysstat "libusb-devel*" "libusbx-devel*" unixODBC-devel postgresql-devel libxml2-devel libXpm-devel libgfortran git compat-readline43 "graphviz*" dcap "tigervnc*" telnet glibc"*" strace "fftw*" libpng "freetype*" xpdf "xemacs*" tkcvs xterm mutt "*-g77*" joe "libXmu*" dcap-devel gsl-devel pcre-devel h5py gd-devel xorg-x11-fonts"*" minicom xfig"*" perl-BSD-Resource "net-snmp-*" readline-static git-all nasm imake tcl-devel gv xorg-x11-twm expat-devel screen compat-readline5 ImageMagick ImageMagick-devel wget alacarte scipy numpy sympy nedit gnuplot php-cli php-domxml-php4-php5 php-gd php-fpdf php-cli kdebase cmake tcpdump sqlite sqlite-devel kdegraphics gdisk lsof gconf-editor iftop tk-devel mcelog kdm blt itcl lz4 bzip2 pbzip2 apr-devel apr-util-devel net-tools golang"*" --exclude golang-cover"*"hg"*" --exclude golang"*"hg"*" --exclude golang-pkg"*" --exclude golang-github"*" --exclude golang"*"git"*" mesa"*" xerces-c"*" diffuse clang i2c-tools texlive-revtex texlive-revtex4 kile kbibtex xrdp glibc.i686 gimp gimp-data-extras perl-GD"*" perl-Math"*" perl-Statistics-Basic cmake3 cmake3-gui extra-cmake-modules python2-pip mariadb-devel glibc-devel.i686 libzstd zlib-devel.i686

Install optional packages

!! DO NOT DO THIS !!

(do not install boost on 32-bit machines)

yum install --skip-broken "boost-*"

(packages for 32-bit software compilation on 64-bit machines. this is optional)

yum install --skip-broken giflib.i386 giflib.i686 compat-libf2c-34.i386 compat-libf2c-34.i686 mysql-devel.i686 openssl-devel.i686 unixODBC-devel.i686 libstdc++-devel.i386 libstdc++-devel.i686 "zlib-*.i686" "libXext-*.i686" "libXtst-*.i686" glibc-static.i686 freetype.i686 fontconfig.i686 libpng.i686 libXrender.i686 glibc-devel.i686 libX11-devel.i686 libXpm-devel.i686 libXft-devel.i686 mysql-devel.i686 dcap-devel.i686 gsl-devel.i686 pcre-devel.i686 fontconfig-devel.i686 freetype-devel.i686 libpng-devel.i686 libjpeg-devel.i686 libgfortran.i686 libxml2-devel.i686 gd-devel.i686 readline-devel.i686 ncurses-devel.i686 libXdmcp.i686 readline-static.i686 compat-readline5.i686

yum install boost-devel.i686

(separately install these packages - they collide with the big bunch above)

yum install rdesktop

yum reinstall urw-fonts

Install libraries for PHYSICA (CentOS7)

To run physica built on el6 from git sources on el7, do this:

(building physica on el7 is not supported at this time)

(see more http://www.triumf.info/wiki/DAQwiki/index.php/PHYSICA)

yum -y install libX11.i686 gd.i686 libpng12.i686 readline.i686 compat-libf2c-34.i686

Install additional desktop environments (CentOS7)

# LXQT (from EPEL)
# NOT COMPATIBLE WITH el7.7 # yum -y install "lxqt*"
# Cinnamon desktop (from EPEL)
yum -y install cinnamon
# KDE5 not available yet
# MATE (from epel)
yum -y groupinstall "MATE Desktop"
yum -y install mate-common mate-icon-theme-faenza mate-netspeed mate-sensors-applet mate-themes-extras mate-utils
yum -y erase ModemManager abrt abrt-libs abrt-gui-libs
# XFCE4 (from EPEL)
yum -y groupinstall xfce
yum -y install "xfce*plugin" xfce4-about --exclude xfce4-hamster-plugin
yum -y erase bash-completion
  • make the MATE desktop as default
cd ~root/git/scripts/
git pull
/bin/cp -v etc/lightdm_default_mate.conf /etc/lightdm/lightdm.conf.d/
  • lightdm login manager (from EPEL)
yum install lightdm lightdm-kde lightdm-qt lightdm-qt5
  • and switch from gdm to lightdm
systemctl disable gdm.service
systemctl enable lightdm.service
(systemctl stop gdm; systemctl restart lightdm) &

Install SMART scripts

(+CentOS7)

ln -sf ~/git/scripts/smart-status/smart-status.perl ~/

Install NTFS drivers

yum install ntfs-3g ntfsprogs # from EPEL

Install HFS and HFS+ drivers (CentOS7)

yum --disablerepo=\* --enablerepo=elrepo install kmod-hfs kmod-hfsplus

Install Google Chrome web browser (64-bit CentOS7)

DOES NOT WORK AS OF google-chrome-stable-114 because Google uses a package signature incompatible with CentOS-7, see https://www.reddit.com/r/chrome/comments/13s799o/googlechromebeta_1140573545_rpm_invalid_signature/

Automatic updates will fail with a signature check error; to prevent this, lock the old version of google-chrome:

yum versionlock google-chrome-stable

THIS DOES NOT WORK ANYMORE:

/bin/cp ~/git/scripts/etc/google-chrome-64.repo /etc/yum.repos.d/
yum install google-chrome-stable

Enable monitoring of HTTPS certificates

On SL6, CentOS7:

yum install crypto-utils
/etc/cron.daily/certwatch
strace -f /etc/cron.daily/certwatch  |& grep open  | grep crt

Enable 100dpi fonts for EPICS

(+CentOS7)

ln -s /usr/share/X11/fonts/100dpi /etc/X11/fontpath.d/

Enable crontab @reboot for MIDAS (CentOS7)

el7 has a bug - cron @reboot entries for normal users can run before autofs is ready, so if the home directory is on autofs/NFS, it cannot be accessed and the cron job fails. If MIDAS is supposed to be started by cron @reboot, it will not start (there *will* be an error message in /var/log/cron).

mkdir /etc/systemd/system/crond.service.d
echo -e "[Unit]\nAfter=ypbind.service autofs.service\n" > /etc/systemd/system/crond.service.d/local.conf
systemctl daemon-reload
systemctl cat crond.service

el7 has a second bug: sometimes it thinks the network is running when it is not; specifically, DNS is not working and the autofs mount of the user home directory fails. So not only does cron have to wait for ypbind and autofs to be ready, it also has to wait for DNS to be ready:

cd ~/git/scripts
git pull
cp etc/wait-for-dns.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable wait-for-dns
systemctl restart wait-for-dns # should return immediately. if there is a 30 second timeout, the script is broken, disable it
systemctl status wait-for-dns # to see what went wrong.

Explore the systemd dependency tree using "systemctl list-dependencies", maybe with "--all".

Visualize the exact boot sequence from previous boot: "systemd-analyze plot > xxx.svg", look at the svg file using a web browser.

Enable firewall for MIDAS (CentOS7)

Default el7 configuration prevents all access to servers running on the local machine, including access to MIDAS mhttpd (tcp port 8443) and mserver (all tcp ports).

To enable access to mhttpd:

firewall-cmd --add-port=8443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all

To enable access to the mserver from a specific host: (replace 142.90.111.175 with the IP address of the permitted host)

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.111.175/32" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all

To enable access from the private network (replace "192.168.1.0" with your private network number):

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="0-65535" accept"
firewall-cmd --reload
firewall-cmd --list-all

Enable firewall for EPICS (CentOS7)

To enable access to TRIUMF EPICS servers, do this:

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.132.0/23" accept"
firewall-cmd --reload
firewall-cmd --list-all

For UCN the controls people seem to have EPICS setup on a different server; this might be true for CMMS as well. In this case the firewall rule change should be

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="142.90.139.0/23" accept"
firewall-cmd --reload
firewall-cmd --list-all

Disable gdm and X11 (OPTIONAL)

initctl stop prefdm
echo "start on never" > /etc/init/prefdm.override
echo "start on never" > /etc/init/splash-manager.override
initctl reload-configuration

then enable login on default console:

echo "plymouth quit" >> /etc/rc.local
echo "X_TTY=xxx/dev/tty1" >> /etc/sysconfig/init

Install JAVAWS (OPTIONAL)

  • to run Java "web start" jnlp files (EVO, SEEVOGH, etc): javaws Downloads/spider.jnlp
  • install javaws:
  • yum install icedtea-web icedtea-web-javadoc

Install firefox java plugin (OPTIONAL, DO NOT DO THIS)

This installs the Oracle Java plugin:

  • rpm -vh --install ~deap/jdk-7u15-linux-x64.rpm
  • ls -l /usr/lib64/mozilla/plugins/
  • ln -s /usr/java/jdk1.7.0_15/jre/lib/amd64/libnpjp2.so /usr/lib64/mozilla/plugins/
  • start firefox, go edit->preferences->general->manage add-ons->plugins
  • "java plugin 1.7.0_15" should be listed


Configure USB device permissions

(+CentOS7)

Configure USB device permissions for user access to USB-serial devices, Altera USB Blaster, etc.

  • create file /etc/udev/rules.d/99-usb-chmod.rules with this contents:
emacs -nw /etc/udev/rules.d/99-usb-chmod.rules
ACTION=="add", SUBSYSTEM=="usbmisc", RUN+="/bin/chmod a+wr $env{DEVNAME}" 
ACTION=="add", SUBSYSTEM=="usb_device", RUN+="/bin/chmod a+wr /dev/%c"
ACTION=="add", SUBSYSTEM=="usb_device", RUN+="/bin/chmod a+wr /proc/%c"
ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="/bin/chmod a+wr $env{DEVICE}"
ACTION=="add", ENV{PHYSDEVBUS}=="usb-serial", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", ENV{DEVPATH}=="/class/tty/ttyS*", RUN+="/bin/chmod a+wr $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyUSB*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyACM*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", SUBSYSTEM=="tty", DEVPATH=="*ttyS*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
ACTION=="add", DEVPATH=="*video*", RUN+="/bin/chmod a+rw $env{DEVNAME}"
  • reload udev rules: udevadm control --reload-rules
  • apply new permissions: udevadm trigger --action=add
  • watch udev activity: udevadm monitor -p

Disable modem-manager

The modem-manager will try to talk to any serial devices attached to USB serial ports. It assumes that those devices are modems and sends them modem-specific commands. If the devices are not modems and do not understand or do not like modem commands, well, that's too bad. modem-manager is installed by the ModemManager package, which is required by the NetworkManager package, and there is no configuration setting to turn modem-manager off.

One way to disable it is: chmod a= /usr/sbin/modem-manager

Another way to disable it is by forced uninstall: rpm --erase --nodeps ModemManager

Remember to kill the running copy: killall -KILL modem-manager

Caveat: it is not clear if modem-manager would not be resurrected by an update to the NetworkManager or ModemManager packages.

Configure Altera jtagd

(if needed)

mkdir /etc/jtagd
echo 'Password = "123";' > /etc/jtagd/jtagd.conf
cp -pv  /daq/daqshare/olchansk/altera/11.0/quartus/linux/pgm_parts.txt /etc/jtagd/jtagd.pgm_parts
  • start local jtagd: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagd
  • test local connection: /daq/daqshare/olchansk/altera/11.0/quartus/bin/jtagconfig
  • test remote connection (add this machine to your .jtag.conf, run jtagconfig)

For more information, go to Quartus

Install EOS

Instructions from here: http://eos-docs.web.cern.ch/eos-docs/quickstart/setup_repo.html

rpm -vh --install https://dss-ci-repo.web.cern.ch/dss-ci-repo/eos/citrine/tag/el-7/x86_64/eos-repo-el7-generic-1.noarch.rpm
yum-config-manager --disable eos-citrine # disable auto-update because all packages are not signed
yum-config-manager --disable eos-dep # disable auto-update because all packages are not signed.
yum install eos-client eos-fuse --enablerepo=eos-citrine

Install fix for the el7 systemd dbus boot hang

Around early Summer 2018 el7 started showing a boot problem. In a nutshell, there is a problem with the dbus connection between dbus and systemd that prevents polkit, firewalld, etc. from starting. The system eventually boots enough that one can ssh into it, but most things do not work. Notably, polkit is not running, firewalld is not running, and ssh login takes about 15-30 seconds.

The solution is to add a special systemd service that checks that dbus started correctly. It runs after dbus is started, but before dbus is used, and restarts dbus in a loop with a delay until dbus starts correctly. In testing, dbus always started correctly after the first retry.

cd ~root/git/scripts/etc
git pull
/bin/cp -vf systemd-check-dbus.perl /usr/bin/
/bin/cp -vf systemd-check-dbus.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable systemd-check-dbus
systemctl start systemd-check-dbus
systemctl status systemd-check-dbus

After linux boots, if everything was okay, the script will report this:

[root@iris01 ~]# systemctl status systemd-check-dbus
...
Feb 08 17:15:49 iris01.triumf.ca systemd[1]: Starting Check that systemd is registered with dbus...
Feb 08 17:15:49 iris01.triumf.ca sh[4283]: Starting check for systemd dbus connection
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:       string "org.freedesktop.DBus"
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: List:       string "org.freedesktop.systemd1"
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: systemd1 dbus service exists, success!
Feb 08 17:15:50 iris01.triumf.ca sh[4283]: Finished check for systemd dbus connection
Feb 08 17:15:50 iris01.triumf.ca systemd[1]: Started Check that systemd is registered with dbus.

If the boot problem happened, the script will report about restarting dbus.

Note: the systemd service file adjusts the start order of other services, this adjustment seems to reduce the probability of the problem.
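Added example, not the page's systemd-check-dbus.perl: the retry loop described above written in POSIX sh, with a check that systemd has registered on the bus and a restart between attempts. The function names are constructed; the simulation at the end stands in for dbus so the loop can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not the page's systemd-check-dbus.perl: the retry loop the
# page describes, written in POSIX sh. After dbus is up, a check verifies
# that systemd has registered on the bus; while the check fails, dbus is
# restarted and the check repeated after a delay, up to a retry limit.

# systemd1_registered - succeeds when org.freedesktop.systemd1 is a name on
# the system bus. This is the real check; it needs busctl and a running dbus.
systemd1_registered() {
    busctl --no-legend list 2>/dev/null | grep -q '^org\.freedesktop\.systemd1 '
}

# restart_dbus - what a deployment would run between attempts.
restart_dbus() {
    systemctl restart dbus
}

# retry_until_registered CHECK RESTART MAX DELAY
#   CHECK   command that succeeds once dbus is healthy
#   RESTART command run between attempts
#   MAX     maximum number of restarts before giving up
#   DELAY   seconds to wait after each restart
# On success prints the number of restarts that were needed and returns 0;
# returns 1 after MAX restarts without a passing check.
retry_until_registered() {
    check=$1; restart=$2; max=$3; delay=$4
    attempt=0
    while ! "$check"; do
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up: dbus still not healthy after $attempt restarts" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        echo "systemd1 not registered with dbus, restarting dbus (attempt $attempt)" >&2
        "$restart"
        sleep "$delay"
    done
    echo "$attempt"
}

# Simulation so the loop can be exercised on any machine without touching
# dbus: the fake check fails until the fake restart has run SIM_FAIL_TIMES
# times, mirroring the page's observation that dbus came up after one retry.
SIM_STATE=$(mktemp)
SIM_FAIL_TIMES=1
echo 0 > "$SIM_STATE"
fake_restart() { n=$(cat "$SIM_STATE"); echo $((n + 1)) > "$SIM_STATE"; }
fake_check()   { [ "$(cat "$SIM_STATE")" -ge "$SIM_FAIL_TIMES" ]; }

# Stand-alone run against the simulation; prints 1 (one restart was needed).
# For the real thing: retry_until_registered systemd1_registered restart_dbus 10 5
retry_until_registered fake_check fake_restart 5 0
```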

Configure GRUB boot loader (CentOS7, CentOS8)

  • emacs -nw /etc/default/grub, remove "rhgb" and "quiet" from GRUB_CMDLINE_LINUX
  • grub2-mkconfig -o /boot/grub2/grub.cfg
  • grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • grub2-editenv list # show contents of boot environment file
  • /bin/rm /boot/grub2/grubenv # remove stale settings, make grub2 boot from first entry in config file

Install memtest86+ (CentOS7, CentOS8)

yum -y install memtest86+
/bin/cp -vf /usr/share/memtest86+/20_memtest86+ /etc/grub.d/
/bin/chmod a+x /etc/grub.d/20_memtest86+ 
grub2-mkconfig -o /boot/grub2/grub.cfg

Disable ELREPO

sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo_triumf.repo
sed 's/enabled=.*/enabled=0/' -i /etc/yum.repos.d/elrepo.repo

Reduce install size (optional)

This is optional. Only do this if reducing the size of the OS image is very important.

Do this for VME processors.

yum erase "texlive*" "java*" "boost*" libreoffice"*"
#yum erase "xemacs*"
yum erase "libstdc++-docs"
yum erase firefox google-chrome"*"
yum clean all
/bin/rm -rf /usr/share/help
/bin/rm -rf /usr/share/doc

Update from el7.6 to el7.7

yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod
yum-config-manager --disable zfs-testing-kmod
yum versionlock delete zfs
yum versionlock delete kernel
yum -y update "yum*" "rpm*"
yum -y erase libqtxdg lxqt-qtplugin ### LXQT is not compatible
yum update
After rebooting into el7.7, follow the instructions for updating ZFS from version 0.7 to 0.8.

Update ZFS

Switch from LADD-NIS to DAQ-NIS

domainname DAQ-NIS
/usr/lib64/yp/ypinit -s daq00
ls -l /var/yp
sed -i s/LADD-NIS/DAQ-NIS/ /etc/yp.conf
sed -i s/LADD-NIS/DAQ-NIS/ /etc/sysconfig/network
systemctl restart ypserv
systemctl restart ypbind
ypwhich
ypwhich -m

Finish installation

reboot

Special hardware settings

ASUS Crosshair mobo

  • use BIOS version 1207 or newer
  • (before CentOS7) sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors
  • CentOS7: installs correct drivers automatically

ASUS Crosshair-II mobo

  • use BIOS version 2607 or newer
  • for the onboard IDE to work, add "all-generic-ide" to kernel boot options in grub.conf
  • sensors need these drivers from ELREPO: yum install --noplugins kmod-it87 kmod-k10temp; sensors-detect; service lm_sensors restart; sensors

ASUS P7P55D EVO mobo

  • use BIOS version 2004 or newer
  • SL6 - install special driver for on board PCIe GigE network port and disable on board PCI GigE network port:
    • yum --enablerepo elrepo install kmod-r8168 kmod-r8169
    • # do not do this: sed 's/^blacklist/#blacklist/' -i /etc/modprobe.d/blacklist-r8169.conf
    • reboot
    • verify that correct drivers are loaded: ethtool -i eth0; ethtool -i eth1
    • note: there will be no eth1 - r8169 driver is disabled.

ASUS P6X58-E-WS mobo

  • BIOS settings
    • F1 or DEL to enter BIOS setup, F8 boot menu
    • go to POWER->HW mon, confirm CPU temperature is around 30C. (heatsink is installed correctly. Bad heatsink temperature quickly goes up to 50-70C).
    • Main menu: Storage config - SATA change IDE->AHCI
    • System information: confirm BIOS version 301, CPU type, memory size
    • AI Tweak: set DRAM frequency - AUTO->DDR3-1333
    • Advanced->Onboard devices: LAN BOOT: enabled
    • Power->HW monitor: CPU Q-FAN: enabled
    • Boot->Settings: Quick boot: enabled; Full screen logo: disabled; Wait for F1: disabled
    • Save and exit

ASUS E35M1-M PRO mobo

  • http://www.asus.com/Motherboards/E35M1M_PRO/#specifications
  • use BIOS version 1002 or newer
  • for CPU temperature: install kmod-k10temp from ELREPO (kmod-k10temp-0.0-4.el6.elrepo.x86_64.rpm)
  • for Sensors: yum --enablerepo elrepo install kmod-w83627ehf; modprobe w83627ehf; sensors
  • for Graphics: yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
  • to enable booting from USB3, edit /etc/dracut.conf, change line "add_drivers" to read: add_drivers+="xhci-hcd"
    • to use multiple monitors, run "aticonfig --initial --heads=2 --adapter=1 --xinerama=on"; to change the screen layout, edit /etc/X11/xorg.conf. Only dual monitors DVI+HDMI seem to work. Triple monitors do not seem to work.

Sensors instructions below are obsolete (use driver from ELREPO)

cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/groeck-w83627ehf-dd3e543/w83627ehf.ko
echo "modprobe hwmon; modprobe hwmon-vid; modprobe k10temp; rmmod w83627ehf; insmod /root/w83627ehf.ko" >> /etc/rc.local

ASUS E45M1-M PRO mobo

ASUS P9X79 WS

  • http://www.asus.com/Motherboard/P9X79_WS/
  • use BIOS version 4901. Older versions seem to be ok: 3101, 3401, 4701, 4802 or newer. If BIOS is 1305 or older, install P9X79-WS-CAP-Converter.ROM (BIOS 2902/3101), then the new BIOS.
  • (not needed for CentOS7) for CPU temperature, install coretemp
  • (not needed for CentOS7) for sensors, install driver for NCT6776F chip same as E35M1-M above.
  • BIOS Settings:
    • enter "Advanced mode"
    • Ai Tweaker -> Ai Overclock Tuner -> Set to "XMP" - this enables DDR3-1600 RAM speed vs DDR3-1333 by default
    • ### NOT THIS: Monitor -> CPU fan speed low limit -> Set to "200 RPM" - we are using high efficiency slow turning CPU coolers and the default 600 RPM is right on the edge of firing false warnings
    • Monitor -> disable Q-fan on for all fans - let all fans always run at maximum RPMs
    • Boot -> Full screen logo -> Set to "disabled"
    • Wait for F1 -> Set to "disabled"

ASUS P8B-M

  • use BIOS version 6103 or newer
  • for CPU temperature, install coretemp
  • for sensors, install driver for NCT6776F chip same as E35M1-M above.

SUPERMICRO X9SCL

  • yum install kmod-w83627ehf.x86_64 coretemp
  • xemacs -nw /etc/rc.local, add:
modprobe coretemp
modprobe w83627ehf

ASUS Z87-WS

cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko
echo modprobe hwmon-vid >> /etc/rc.local
echo insmod /root/nct6775.ko >> /etc/rc.local
/etc/rc.local
sensors

ASUS Z97-WS

the nct6775 driver does not work because of conflict with ACPI.

ASUS Z170-DELUXE

  • use bios 3801
  • set XMP mode (DDR4-2400)
  • Advanced->On board devices: set sata mode to "M2", set PCIe slot 3 to "x4"
  • boot: disable f1, disable logo, disable numlock

ASUS AM1M-A

  • use BIOS 602 or later
  • SL6.5 installer cannot use USB2 ports and the network. Use USB3 ports (blue colour) to boot USB installer (memtest, rescue, etc)
  • SL6.5 kernels require boot option "iommu=soft" or USB2 and network do not work. (USB3 - blue ports - seems okay)
  • install ATI/AMD video drivers from ELREPO (see below)
  • sensors chip is ITE IT8623E, for SL6, use standalone driver from lm_sensors. (2 fans rpm, 2 temperatures):
cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/it87.ko
echo modprobe hwmon_vid >> /etc/rc.local
echo insmod /root/it87.ko >> /etc/rc.local
. /etc/rc.local
  • for el7 use it87.ko driver:
cd ~root
wget https://daqshare.triumf.ca/~olchansk/linux/CentOS7/it87.ko
echo modprobe hwmon_vid >> /etc/rc.local
echo insmod /root/it87.ko >> /etc/rc.local
. /etc/rc.local
  • sensors output:
[root@midemma02 ~]# sensors
radeon-pci-0008
Adapter: PCI adapter
temp1:        +22.0°C  (crit = +120.0°C, hyst = +90.0°C)

fam15h_power-pci-00c4
Adapter: PCI adapter
power1:           N/A  (crit =  25.00 W)

k10temp-pci-00c3
Adapter: PCI adapter
temp1:        +22.2°C  (high = +70.0°C)
                       (crit = +70.0°C, hyst = +69.0°C)

it8603-isa-0290
Adapter: ISA adapter
in0:          +0.96 V  (min =  +2.50 V, max =  +2.95 V)  ALARM
in1:          +2.23 V  (min =  +0.94 V, max =  +1.22 V)  ALARM
in2:          +2.03 V  (min =  +0.74 V, max =  +0.77 V)  ALARM
in3:          +2.00 V  (min =  +1.26 V, max =  +0.13 V)  ALARM
in4:          +2.23 V  (min =  +2.95 V, max =  +2.15 V)  ALARM
3VSB:         +3.36 V  (min =  +6.00 V, max =  +2.50 V)  ALARM
Vbat:         +3.22 V  
+3.3V:        +3.36 V  
fan1:         611 RPM  (min =  200 RPM)
fan2:         707 RPM  (min =  600 RPM)  ALARM
temp1:        +38.0°C  (low  = +122.0°C, high = +122.0°C)  sensor = thermistor
temp2:        +22.0°C  (low  = +119.0°C, high = -35.0°C)  ALARM  sensor = thermistor
temp3:       -128.0°C  (low  = +16.0°C, high = +93.0°C)  sensor = thermistor
intrusion0:  ALARM

[root@midemma02 ~]# 
  • AMD "Athlon(tm) 5350 APU" graphics supports 2 monitors maximum (mobo has 3 video outputs, only 2 can be used together)

Intel SE7230NH1

  • front panel header connector pinout is like this:
PWR LED | 1  2|
        | 3  4|
PWR LED | 5  6|
HDD LED | 7  8|
HDD LED | 9 10|
PWR SW  |11 12| NIC1 LED
PWR SW  |13 14| NIC1 LED
RST SW  |15 16|
RST SW  |17 18|
        |19 20|
NMI SW  |21 22| NIC2 LED
NMI SW  |23 24| NIC2 LED
...     |...  |
        |33 34|

ASUS H110M-A/M.2

  • use BIOS 2003 or later
  • dmidecode | grep -i nct reports: Nuvoton NCT5539D
  • sensors chip is "NCT6793D or compatible chip", for el7, use this driver:
cd ~root
wget http://ladd00.triumf.ca/~olchansk/linux/nct6775.ko
echo modprobe hwmon-vid >> /etc/rc.local
echo insmod /root/nct6775.ko >> /etc/rc.local
/etc/rc.local
sensors
  • sensors output:
[root@daq03 ~]# sensors
acpitz-virtual-0
Adapter: Virtual device
temp1:        +27.8°C  (crit = +119.0°C)
temp2:        +29.8°C  (crit = +119.0°C)

nct6793-isa-0290
Adapter: ISA adapter
in0:                       +0.34 V  (min =  +0.00 V, max =  +1.74 V)
in1:                       +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in2:                       +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in3:                       +3.39 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in4:                       +1.02 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in5:                       +0.15 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in6:                       +0.97 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in7:                       +3.38 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in8:                       +3.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in9:                       +1.00 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in10:                      +0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in11:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in12:                      +0.14 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in13:                      +0.12 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
in14:                      +0.13 V  (min =  +0.00 V, max =  +0.00 V)  ALARM
fan1:                     1041 RPM  (min =    0 RPM)
fan2:                     1020 RPM  (min =    0 RPM)
fan5:                        0 RPM  (min =    0 RPM)
fan6:                        0 RPM
SYSTIN:                   +119.0°C  (high = +98.0°C, hyst = +95.0°C)  sensor = thermistor
CPUTIN:                    +26.5°C  (high = +80.0°C, hyst = +75.0°C)  sensor = thermistor
AUXTIN0:                   +27.5°C    sensor = thermistor
AUXTIN1:                  +112.0°C    sensor = thermistor
AUXTIN2:                  +111.0°C    sensor = thermistor
AUXTIN3:                  +111.0°C    sensor = thermistor
PECI Agent 0:              +28.0°C  (high = +98.0°C, hyst = +95.0°C)
                                    (crit = +100.0°C)
PECI Agent 0 Calibration:  +25.5°C  
PCH_CHIP_CPU_MAX_TEMP:      +0.0°C  
PCH_CHIP_TEMP:              +0.0°C  
intrusion0:               ALARM
intrusion1:               ALARM
beep_enable:              disabled

coretemp-isa-0000
Adapter: ISA adapter
Physical id 0:  +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:         +31.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:         +28.0°C  (high = +80.0°C, crit = +100.0°C)

[root@daq03 ~]# 

Supermicro X11SSH-F

[root@alpha00 ~]# more /etc/modprobe.d/blacklist.conf
blacklist mei
blacklist mei_me
[root@alpha00 ~]# 
  • mobo requires an M.2 PCIe (NVMe) SSD: an M.2 SATA SSD in the M.2 slot would not work; a regular 2.5" SATA SSD on a SATA port is ok
  • boot from M.2 PCIe SSD requires UEFI boot (from a FAT-formatted EFI System Partition on the SSD; see "Configure UEFI boot" below)

ASUS TUF Z390M-PRO GAMING (WI-FI)

  • BIOS 2417 is okay, upgrade to it if the installed BIOS is older
  • do not set XMP memory mode
  • in the BIOS, enable the boot compatibility support module mode: BIOS (press DEL) -> Advanced mode -> BOOT -> CSM Module -> Enable CSM "yes".
  • for SL6, install e1000e driver from ELREPO:
yum install --enablerepo=elrepo kmod-e1000e
  • sensors chip appears to be "Nuvoton NCT6798D" not clear what driver to use
  • dmidecode | grep -i nct reports: Nuvoton NCT6798D
  • kmod-nct6775-0.0-5.el7_7.elrepo.x86_64.rpm from ELrepo finds the chip but bombs because of conflict with ACPI

ASUS PRIME X399-A

Configure X11 graphics

Special settings for DAQ

  • add the following at the end of /etc/X11/xorg.conf. This enables Ctrl-Alt-KP-/ and Ctrl-Alt-KP-* to unlock the keyboard after an Altera Quartus crash:
Section "ServerFlags"
        Option "AllowDeactivateGrabs" "true"
        Option "AllowClosedownGrabs" "true"
EndSection

Install NVIDIA drivers

  • yum --enablerepo=elrepo install nvidia-detect
  • run: nvidia-detect
  • as instructed by nvidia-detect, install correct driver:
    • yum --enablerepo=elrepo install kmod-nvidia
    • yum --enablerepo=elrepo install kmod-nvidia-304xx
    • yum --enablerepo=elrepo install kmod-nvidia-173xx
  • (before SL6.x: if it fails due to conflict with module-init-tools, run "yum --disablerepo \* --enablerepo elrepo update module-init-tools")
  • yum erase xorg-x11-glamor ### see http://elrepo.org/tiki/kmod-nvidia (search for glamor)
  • mv /etc/X11/xorg.conf /etc/X11/xorg.conf-xxx
  • nvidia-xconfig
  • (SL6) reboot
  • (SL5) /dev/MAKEDEV nvidia
  • (SL5) restart the X11 server (Ctrl-Alt-Backspace or "killall Xorg gdm-binary")
  • observe that X11 server restarts using the NVIDIA driver (big NVIDIA logo on startup)
  • if needed, login as root and run "nvidia-settings" to setup dual-screen configuration, etc

Install legacy NVIDIA drivers

For old NVIDIA cards:

  • GeForce FX 5500
wget http://us.download.nvidia.com/XFree86/Linux-x86/173.14.31/NVIDIA-Linux-x86-173.14.31-pkg1.run
sh ./NVIDIA-Linux-x86-173.14.31-pkg1.run
  • GeForce 6200 - NVIDIA Corporation NV44A [GeForce 6200]
yum install nvidia-x11-drv-304xx-304.121 --enablerepo=elrepo
nvidia-xconfig
rmmod nvidia
killall gdm-binary
login as root
nvidia-settings to setup multiple displays

Install ATI/AMD drivers

  • yum --enablerepo elrepo install kmod-fglrx fglrx-x11-drv
  • check that /etc/X11/xorg.conf section "Device" entry "Driver" says "fglrx"
  • run "aticonfig --initial" to create xorg.conf if existing one is not good
  • run "amdcccle" as root to configure dual-screens, etc
 Note: 'amdcccle' is a GUI, so you must run this command from within a running X session
  • killall Xorg

Install ATI/AMD drivers (CentOS7)

NOTE: if both drivers, radeon and fglrx, are loaded, boot will hang. The radeon driver is supposed to be blacklisted through the grub kernel argument "rdblacklist=radeon", which is installed by running grub2-mkconfig.

Install Intel drivers for HD4600/Z87

SL6.5 has the required drivers for the socket 1150 machines with Intel HD4600 graphics and Z87 chipset.

ASUS Z87 WS motherboard has these video connections with corresponding Intel video port assignments, as reported by "xrandr":

  • DisplayPort - DP1/HDMI1
  • MiniDisplayPort - DP2/HDMI2
  • HDMI - HDMI3

Due to hardware limitations, 3 HDMI monitors using 2 passive DP-HDMI adapters (and 1 straight HDMI) cannot be used.

To use 3 monitors do this:

  • 1st monitor: DisplayPort - DP-to-HDMI-passive-adapter - HDMI monitor (not tried: DP-to-DP-cable - DisplayPort monitor).
  • 2nd monitor: MiniDisplayPort - MiniDP-to-DP-cable - DisplayPort monitor
  • 3rd monitor: HDMI - HDMI-cable - HDMI monitor

With the monitors I have (Dell 1920x1200 VGA-HDMI-DP), the software thinks that there are 4 monitors: somehow both DP2 and HDMI2 see 1 monitor each, but the hardware cannot drive 4 monitors, so everything goes blank. To fix, disable HDMI2 (xrandr -display :0 --output HDMI2 --off) and enable DP2 (xrandr -display :0 --output DP2 --auto).

How to make this configuration permanent and how to assign monitor locations (left-right, etc), you figure it out.

Manual selection of monitor, video mode and resolution

Automatic selection of monitor and video mode usually works. When it does not, configure it manually:

  • physically go to the computer
  • login as root
  • run "nvidia-settings" on machines using the NVIDIA driver
  • run "aticonfig" on machines with the ATI/AMD driver (use "aticonfig --initial" for initial setup, and good luck with anything more complicated)
  • run "system-config-display".
    • In the "hardware" tab, select monitor type: "generic LCD 1280x1024" or "generic LCD 1600x1200".
    • In the "settings" tab, select "1280x1024" or "1600x1200" and "Thousands of colors".
    • Press "ok", the display settings application should close.
  • Logout, the new login window should use the new settings.

Disable screen saver

If the machine is booted without any monitor connected, current video cards do not enable any video output. If a monitor is connected later, there is no video image and there is no easy way to get one.

This can be solved by configuring X11 to always enable some video output. Because the monitor type is not known when X11 starts, one has to select some standard video mode (i.e. VESA 1280x1024) on some video output (VGA, DVI or HDMI).

Only NVIDIA cards with the NVIDIA driver (kmod-nvidia from ELRepo, installed as above) are supported by these instructions.

  • create default xorg.conf: nvidia-xconfig
  • edit /etc/X11/xorg.conf
  • add monitor section for the fake monitor:
Section "Monitor"
    Identifier     "Monitor0"
    VendorName     "Unknown"
    ModelName      "Unknown"
    HorizSync       31.0 - 83.0
    VertRefresh     59.0 - 61.0
    Option         "DPMS" "off"
    ModeLine "1280x1024"   108.00   1280 1328 1440 1688   1024 1025 1028 1066 +hsync +vsync
EndSection
  • add output selection in the "Device" section:
Section "Device"
    Identifier     "Device0"
    Driver         "nvidia"
    VendorName     "NVIDIA Corporation"
    BoardName      "GeForce 210"
    #Option "ConnectedMonitor" "DFP"
    #Option "ConnectedMonitor" "CRT"
    Option "ConnectedMonitor" "CRT-1"
    Option "UseEDID" "no"
EndSection
  • add fake video mode to the "Screen" section:
Section "Screen"
    Identifier     "Screen0"
    Device         "Device0"
    Monitor        "Monitor0"
    DefaultDepth    24
    SubSection     "Display"
        Depth       24
        Modes       "1280x1024"
    EndSubSection
EndSection
  • disable screen saver and DPMS power off in the "ServerLayout" or "ServerFlags" section:
Section "ServerLayout"
    Identifier     "Layout0"
    Screen      0  "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
    InputDevice    "Mouse0" "CorePointer"
    Option         "Xinerama" "0"
    Option         "BlankTime" "0"
    Option         "StandbyTime" "0"
    Option         "SuspendTime" "0"
    Option         "OffTime" "0"
EndSection

Section "ServerFlags" 
    Option         "BlankTime" "0" 
    Option         "StandbyTime" "0" 
    Option         "SuspendTime" "0" 
    Option         "OffTime" "0" 
EndSection 

Finish installation

  • logout and reboot the computer to have all the changes to take effect

Configure HTTPS server (CentOS7)

This will configure the HTTPS/SSL certificate using "certbot" and "letsencrypt" and configure an HTTPS web server using apache httpd.

First, configure apache httpd:

  • execute these commands:
yum install -y mod_ssl certwatch crypto-utils
cd /etc/httpd/conf.d/
mv ssl.conf ssl.conf-not-used ### remove the stock ssl.conf which refers to the localhost certificate that will expire in 1 year
touch ssl.conf ### create a blank file to prevent automatic updates from installing a stock ssl.conf file
# this is done later: rm /etc/pki/tls/certs/localhost.crt
  • create new file ssl-daq12.conf # use actual hostname instead of daq12
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:443>
ServerName daq12.triumf.ca
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/daq12.log
SSLEngine on
# note SSLProtocol, SSLCipherSuite and some other settings are overwritten by /etc/letsencrypt/options-ssl-apache.conf
# new SSL settings: K.O. Jan 2020, SSLlabs rating "A+"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!RSA
SSLHonorCipherOrder on
# previous SSL settings:
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#ProxyPass /elog/ http://localhost:8082/ retry=1
#ProxyPass /      http://localhost:8080/ retry=1
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Location />
SSLRequireSSL
AuthType Basic
AuthName "DAQ password protected site"
Require valid-user
# create password file: touch /etc/httpd/htpasswd
# to add new user or change password: htpasswd -B /etc/httpd/htpasswd username (-B stores a bcrypt hash instead of htpasswd's default MD5-based hash)
AuthUserFile /etc/httpd/htpasswd
</Location>
</VirtualHost>
  • stop httpd from listening on port 80: edit /etc/httpd/conf/httpd.conf, comment-out the line "Listen 80"
  • enable and start httpd:
systemctl enable httpd
systemctl restart httpd
systemctl status httpd
  • try to access https://daq12.triumf.ca
    • you should see a complaint about self-signed certificate
    • you should see a request for password (do not login yet)
    • if you get "connection refused", HTTPS port 443 may need to be enabled in the local firewall, then try again:
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all

Second, configure certbot:

(Note: as of 2018-01-18 certbot requires use of http port 80 to get the initial https certificate, renewal can continue to use the https port 443)

(Note: as of 2019-01-?? certbot requires use of port 80 for renewals)

  • check that port 80 is not used by anything:
  • netstat -lnt | grep ':80[[:space:]]' ### match the port, not any "80" in the line (8080, 8082, ...)
  • lsof -P -iTCP:80 -sTCP:LISTEN
  • if lsof reports that httpd is listening on port 80, follow the httpd instructions above (remove "Listen 80" from httpd.conf)
  • install certbot and open tcp port 80 in the firewall:
yum install -y certbot python2-certbot-apache # (from EPEL)
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
  • certbot certonly --standalone --installer apache # then answer questions:
  • "activate HTTPS for daq12.triumf.ca" - say ok
  • "enter email address" - enter your own email address
  • "please read terms..." - read the terms and say "agree"
  • it will take a few moments...
  • "please choose..." - say "easy" (http access is disabled (a) by the firewall and (b) by the local httpd configuration)
  • "congratulations..." - say ok.
  • certbot install --apache --cert-name daq12.triumf.ca # then answer questions:
  • "choose redirect..." - say "1" (no redirect)
  • look inside ssl-daq12.conf to see that SSLCertificateFile & co point to certbot certificates in /etc/letsencrypt/live/daq12.triumf.ca/
  • remove self-signed localhost certificate, it will expire in 1 year and cause warnings and complaints: rm /etc/pki/tls/certs/localhost.crt
  • enable automatic renewal
systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer
systemctl list-timers --all
  • to check correct renewal and to update the certbot config file in /etc/letsencrypt/renewal, run this:
certbot renew --standalone --installer apache --force-renewal

NOTE: this certificate will expire in 3 months, automatic renewal should work starting with certbot-0.12.0-4.el7.noarch. Certificate expiration should be automatically detected by "certwatch" and email will be sent to local root user, to be forwarded to an actual person by ~root/.forward.

Third, activate password protection:

  • as shown in the config file above, create the password file and the initial user (replace "midas" with the actual username). Use "htpasswd -B" so the password is stored as a bcrypt hash rather than htpasswd's default MD5-based (apr1) hash, and make the file readable by root and the apache group only (chown root:apache, chmod 640): anyone who can read it can crack the hashes offline.
touch /etc/httpd/htpasswd
htpasswd -B /etc/httpd/htpasswd midas

Final test:

From here:

  • Configure selinux to allow proxying
 setsebool -P httpd_can_network_connect 1
 systemctl restart httpd
  • enable proxy for MIDAS mhttpd - uncomment redirect in the config file above
  • enable proxy for ELOG - ditto

NOTE: if certbot fails with errors about 'module' object has no attribute 'pyopenssl', try this: pip install requests==2.6.0
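
As an added check (example code written for this page; it is not part of the DaqWiki page, of mod_ssl or of certbot), the following script audits an httpd SSL vhost file for the settings the HTTPS section above relies on: an SSLProtocol line that really removes SSLv3, TLSv1.0 and TLSv1.1, an SSLCipherSuite that excludes anonymous and RC4 ciphers, SSLHonorCipherOrder on, the HSTS header, and SSLRequireSSL wherever AuthType Basic is used (otherwise the htpasswd password travels base64-encoded, i.e. in the clear). The function names are mine, and the two config files it writes are constructed for the demo: "weak" combines the page's previous SSLProtocol line with the omissions the audit looks for, "hardened" mirrors the Jan 2020 settings. Since /etc/letsencrypt/options-ssl-apache.conf overrides SSLProtocol and SSLCipherSuite, run it on that file as well as on ssl-<host>.conf.

```sh
#!/bin/sh
# Added example, not from the DaqWiki page: audit an Apache mod_ssl vhost file for the
# settings the HTTPS section relies on. Sample configs below are constructed for the demo.

# Print the last live (uncommented) occurrence of a directive, or nothing.
# Comment stripping is crude (a '#' inside a quoted value would be cut too).
directive() {            # $1=conf file  $2=directive name
    sed 's/#.*//' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | tail -n 1
}

# Succeed only if the SSLProtocol line leaves no SSLv3, TLSv1.0 or TLSv1.1 enabled.
protocol_ok() {          # $1=SSLProtocol line ("" when the directive is missing)
    case "$1" in
    "") return 1 ;;      # missing: httpd's default "all" still allows TLSv1.0 on CentOS 7
    *all*)               # subtractive form: every legacy version must be removed explicitly
        printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-SSLv3([[:space:]]|$)' &&
        printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-TLSv1([[:space:]]|$)' &&
        printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-TLSv1\.1([[:space:]]|$)' ;;
    *)                   # allow-list form: fail if a legacy version is listed without a '-'
        ! printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])\+?(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|$)' ;;
    esac
}

# Print one line per finding plus a total; return the number of findings (0 = clean).
audit_ssl_conf() {       # $1=conf file
    f="$1"; n=0
    p=$(directive "$f" SSLProtocol)
    protocol_ok "$p" || { echo "SSLProtocol leaves SSLv3/TLSv1.0/TLSv1.1 enabled: ${p:-<unset>}"; n=$((n+1)); }
    c=$(directive "$f" SSLCipherSuite)
    if [ -z "$c" ]; then
        echo "SSLCipherSuite unset (relies on the compiled-in mod_ssl default)"; n=$((n+1))
    else
        case "$c" in *'!aNULL'*) ;; *) echo "SSLCipherSuite allows anonymous (aNULL) ciphers"; n=$((n+1)) ;; esac
        case "$c" in *'!RC4'*)   ;; *) echo "SSLCipherSuite allows RC4"; n=$((n+1)) ;; esac
    fi
    directive "$f" SSLHonorCipherOrder | grep -Eiq '[[:space:]]on[[:space:]]*$' \
        || { echo "SSLHonorCipherOrder is not on"; n=$((n+1)); }
    sed 's/#.*//' "$f" | grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
        || { echo "no HSTS header (Header always set Strict-Transport-Security ...)"; n=$((n+1)); }
    # Basic auth sends the password base64-encoded, i.e. in the clear, unless the Location is TLS-only.
    if sed 's/#.*//' "$f" | grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic'; then
        sed 's/#.*//' "$f" | grep -Eiq '^[[:space:]]*SSLRequireSSL' \
            || { echo "AuthType Basic without SSLRequireSSL"; n=$((n+1)); }
    fi
    echo "$f: $n finding(s)"
    return $n
}

# Constructed samples: "weak" = the page's previous SSLProtocol line plus the omissions
# the audit looks for; "hardened" = the Jan 2020 settings from the section above.
write_samples() {        # $1=directory
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
<Location />
AuthType Basic
Require valid-user
</Location>
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!RSA
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Location />
SSLRequireSSL
AuthType Basic
Require valid-user
</Location>
</VirtualHost>
EOF
}

# Demo on the constructed samples (expected: 4 findings for weak.conf, 0 for hardened.conf).
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/weak.conf "$tmp"/hardened.conf; do audit_ssl_conf "$f" || :; done
rm -rf "$tmp"
```

The audit only reads the file it is given, so it does not see directives inherited from httpd.conf or from an Include; run it on every file that can set these directives, and treat a non-zero exit status as "fix before exposing the site".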

Configure large RAID6 arrays

  • connect the disks
  • check the disks health
    • run smart-status.perl
  • partition the disks
    • yum install gdisk
    • gdisk /dev/sdX
    • delete all partitions: o
    • create new partition: n, enter, enter, enter, fd00 (default sizes, partition type fd00)
    • write and exit: w
  • check presence of all partitions:
    • /bin/ls -l /dev/sd*1
  • prepare to use an external bitmap file: the write-intent bitmap must live on a filesystem outside the array and must be writable when the array is assembled at boot. That is why root is mounted read-write from the kernel command line below and its boot-time fsck pass is switched off (the "0 0" in fstab). An internal bitmap (--bitmap=internal, kept in the member superblocks) needs none of this; the external file is used here to keep bitmap updates off the array's own disks.
    • touch /md6bitmap
    • edit /etc/fstab, change entry for root filesystem from: "defaults 1 1" to "defaults 0 0"
    • edit /boot/grub/grub.conf, change entry "kernel ... ro ..." to "kernel ... rw ..."
  • create raid array:
    • mdadm --create /dev/md6 --level=6 --bitmap=/md6bitmap --raid-devices=10 /dev/sd[b-k]1
    • mdadm -Ds >> /etc/mdadm.conf
    • cleanup /etc/mdadm.conf
    • echo "echo 16384 > /sys/block/md6/md/stripe_cache_size" >> /etc/rc.local
    • echo "echo 1 > /sys/block/md6/md/sync_speed_min" >> /etc/rc.local
    • source /etc/rc.local
  • observe raid array rebuild:
    • watch -d -n1 "cat /proc/mdstat"
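
Once the array exists, the things to watch for are a member dropping out (a "_" in the [UUUU...] map) and a rebuild that crawls because sync_speed_min was set to 1 above. The script below is an added example written for this page, not part of the page or of mdadm: it summarises /proc/mdstat, prints a progress line for any running recovery/resync/reshape/check, and returns the number of degraded arrays, so it can be run from cron or a monitoring check. The function names are mine, and the mdstat content it writes is constructed for the demo (a 10-disk raid6 that lost a member and is rebuilding, plus a healthy raid1); on a real host call mdstat_summary /proc/mdstat.

```sh
#!/bin/sh
# Added example, not from the DaqWiki page: summarise /proc/mdstat (one line per array,
# plus a progress line for any running recovery/resync/reshape/check) and return the
# number of degraded arrays, so the script can drive a health check.

mdstat_summary() {       # $1=path to a file in /proc/mdstat format
    awk '
    /^md[0-9]+ :/ {                      # header: "md6 : active raid6 sdk1[9] ..."
        dev = $1; level = "?"
        for (i = 3; i <= NF; i++) if ($i ~ /^raid[0-9]+$/) level = $i
        next
    }
    dev != "" && match($0, /\[[U_]+\]/) {   # member map: [UUUUUUUUU_], "_" = missing member
        slots = substr($0, RSTART + 1, RLENGTH - 2)
        state = index(slots, "_") ? "DEGRADED" : "ok"
        if (state == "DEGRADED") bad++
        print dev, level, state, slots
        next
    }
    dev != "" && /(recovery|resync|reshape|check) = / {   # progress: "recovery =  7.3% (...)"
        for (i = 1; i < NF; i++) if ($i == "=") print dev, "progress:", $(i - 1), $(i + 1)
        next
    }
    /^$/ { dev = "" }                    # blank line ends the current array block
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample (not captured from a real host): a 10-disk raid6 that lost one
# member and is rebuilding with the external bitmap file, plus a healthy raid1.
write_sample_mdstat() {  # $1=output file
    cat > "$1" <<'EOF'
Personalities : [raid1] [raid6] [raid5] [raid4]
md6 : active raid6 sdk1[9] sdj1[8] sdi1[7] sdh1[6] sdg1[5] sdf1[4] sde1[3] sdd1[2] sdc1[1]
      46883962880 blocks super 1.2 level 6, 512k chunk, algorithm 2 [10/9] [UUUUUUUUU_]
      [=>...................]  recovery =  7.3% (428000000/5860495360) finish=812.4min speed=111443K/sec
      bitmap: 0/44 pages [0KB], 65536KB chunk, file: /md6bitmap

md0 : active raid1 sda2[0] sdb2[1]
      31440896 blocks super 1.2 [2/2] [UU]
      bitmap: 1/1 pages [4KB], 65536KB chunk

unused devices: <none>
EOF
}

# Demo (expected: md6 DEGRADED with recovery at 7.3%, md0 ok, exit status 1).
tmp=$(mktemp)
write_sample_mdstat "$tmp"
mdstat_summary "$tmp" || echo "degraded arrays: $?"
rm -f "$tmp"
```

A degraded raid6 still has one disk of redundancy left, so the useful alert is "degraded for longer than a rebuild should take", which is what the finish= figure on the progress line gives you.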

Configure ZFS

Install ZFS

(from here: https://github.com/zfsonlinux/zfs/wiki/RHEL-%26-CentOS)

Follow the instructions for "kABI-tracking kmod" - dkms modules seem to always mess up the system when upgrading to next release of zfs.

#rpm -vh --install http://archive.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_3.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_4.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_6.noarch.rpm
#yum install http://download.zfsonlinux.org/epel/zfs-release.el7_7.noarch.rpm
yum install http://download.zfsonlinux.org/epel/zfs-release.el7_9.noarch.rpm
yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod
yum --enablerepo=zfs-kmod clean all
yum --enablerepo=zfs-kmod install zfs
#sed 's/^SELINUX=.*/SELINUX=disabled/' -i /etc/selinux/config
echo USE_DISK_BY_ID=\'yes\' >> /etc/default/zfs
#systemctl enable zfs-import-cache
#systemctl enable zfs-mount
#systemctl enable zfs-share
#systemctl enable zfs-zed
#shutdown -r now # required to load the zfs kernel modules and to disable selinux
modprobe zfs # should work
zpool status # should report no pools available
  • Note: zfs and selinux are not compatible: with selinux enabled, files on zfs cannot be deleted (files are gone, but "df" does not go down, zfs-0.6.5.7-1.el7.centos.x86_64), see https://github.com/zfsonlinux/zfs/issues/4845

If ZFS kernel module does not load automatically at boot time, add this to load it manually:

ls -l /etc/sysconfig/modules/
cat > /etc/sysconfig/modules/zfs.modules <<EOF
if [ ! -e /sys/module/zfs ] ; then
  modprobe zfs;
fi
EOF
chmod +x /etc/sysconfig/modules/zfs.modules

Update ZFS (CentOS-7.9)

  • update CentOS-7.x to latest point release
  • reboot to latest kernel
  • check that currently installed ZFS is 0.8.x (not 0.7 or older)
  • then update ZFS:
[root@daq16 ~]# zfs version
zfs-0.8.4-1
zfs-kmod-0.8.4-1
[root@daq16 ~]# yum --enablerepo=zfs-kmod update
...
[root@daq16 ~]# zfs version ### observe mismatched version numbers: 0.8.5 userspace vs 0.8.4 kernel module
zfs-0.8.5-1
zfs-kmod-0.8.4-1
  • reboot to activate the updated kernel module
  • zfs version again
[root@daq16 ~]# zpool version
zfs-0.8.5-1
zfs-kmod-0.8.5-1
  • zpool status in case some ZFS volume needs to be updated
[root@daq16 ~]# zpool status
  pool: z12tb
 state: ONLINE
...

Update ZFS 0.7 to 0.8

How to identify zfs 0.7: the "zfs version" subcommand does not exist in 0.7 (the command fails); use "rpm -q zfs" instead.

zfs 0.7 is obsolete.

To update to zfs 0.8 or newer, remove 0.7, then install the new version per the instructions above.

  • remove zfs 0.7
yum versionlock delete zfs ### versionlock not needed anymore
yum versionlock delete kernel ### versionlock not needed anymore
rm /etc/yum.repos.d/zfs.repo* ### delete old repo files
yum erase zfs spl
  • reboot
  • install new zfs per instructions above
  • zpool import -as
  • zpool status ### check if any pool needs to be upgraded
  • zpool upgrade zssd ### upgrade zfs pool features
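
Two checks worth scripting after a ZFS update, as an added example written for this page (not part of the page or of ZFS on Linux): the userspace/kernel-module version mismatch that the transcript above shows before the reboot, and a pass over "zpool status" that reports each pool's state, whether it has known data errors, and whether the action text asks for "zpool upgrade". The function names are mine, and both sample outputs are constructed for the demo (a healthy pool whose features want upgrading and a mirror running with one member UNAVAIL); on a real host pipe the real "zfs version" and "zpool status" output in.

```sh
#!/bin/sh
# Added example, not from the DaqWiki page: two post-update checks for ZFS on CentOS 7.
# Sample outputs below are constructed for the demo, not captured from a real host.

# Read "zfs version" output on stdin. Prints both versions; returns 0 when the userspace
# package and the kernel module match, 1 on a mismatch (reboot still pending), 2 if unparsable.
zfs_version_check() {
    awk -F- '
    /^zfs-kmod-/   { kmod = $3 "-" $4 }        # zfs-kmod-0.8.4-1 -> 0.8.4-1
    /^zfs-[0-9]/   { user = $2 "-" $3 }        # zfs-0.8.5-1      -> 0.8.5-1
    END {
        printf "userspace=%s kmod=%s\n", user, kmod
        if (user == "" || kmod == "") exit 2
        if (user == kmod) exit 0
        exit 1
    }'
}

# Read "zpool status" output on stdin. One line per pool with state, data-error summary
# and whether the action text asks for "zpool upgrade"; returns the number of pools that
# are not ONLINE or have known data errors.
zpool_status_check() {
    awk '
    function flush() {
        if (pool != "") {
            printf "%s state=%s errors=%s upgrade=%s\n", pool, state, errs, up
            if (state != "ONLINE" || errs != "none") bad++
        }
        pool = ""; state = "?"; errs = "?"; up = "no"
    }
    /^[ \t]*pool:/   { flush(); pool = $2 }
    /^[ \t]*state:/  { state = $2 }
    /^[ \t]*action:/ && /zpool upgrade/ { up = "yes" }
    /^errors:/       { errs = ($0 ~ /No known data errors/) ? "none" : "YES" }
    END { flush(); exit bad + 0 }'
}

sample_zpool_status() {  # constructed: a healthy pool whose features want upgrading, and a degraded mirror
    cat <<'EOF'
  pool: z12tb
 state: ONLINE
status: Some supported features are not enabled on the pool. The pool can
        still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool will no longer be accessible on software that does not support
        the features. See zpool-features(5) for details.
  scan: scrub repaired 0B in 0 days 05:12:33 with 0 errors on Sun Jan 10 05:36:34 2021
config:

        NAME            STATE     READ WRITE CKSUM
        z12tb           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ata-DISK_A  ONLINE       0     0     0
            ata-DISK_B  ONLINE       0     0     0

errors: No known data errors

  pool: zssd
 state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
  scan: none requested
config:

        NAME            STATE     READ WRITE CKSUM
        zssd            DEGRADED     0     0     0
          mirror-0      DEGRADED     0     0     0
            ata-SSD_A   ONLINE       0     0     0
            ata-SSD_B   UNAVAIL      0     0     0

errors: No known data errors
EOF
}

# Demo (expected: version mismatch reported; z12tb ONLINE but wants "zpool upgrade"; zssd DEGRADED).
printf 'zfs-0.8.5-1\nzfs-kmod-0.8.4-1\n' | zfs_version_check || echo "zfs version check: status $?"
sample_zpool_status | zpool_status_check || echo "unhealthy pools: $?"
```

Run the version check right after "yum update" and again after the reboot; until it returns 0 the new userspace tools are talking to the old module, and "zpool upgrade" should wait until then.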

Lock kernel and zfs packages

!!! THIS IS NOT NEEDED ANYMORE !!!

yum versionlock kernel
yum versionlock zfs
yum-config-manager --disable zfs
yum-config-manager --disable zfs-kmod

Follow generic ZFS instructions

Here: ZFS

performance notes

Go here: disk_benchmarks

Configure UEFI boot

Some mobo can boot from NVME (PCIe) SSDs only via UEFI boot. Do this:

  • partition the NVME SSD using gdisk (must be a GPT partition table; must have a 512 MiB EFI System Partition, type code EF00, which is formatted FAT/MSDOS below)
[root@alpha00 ~]# gdisk -l /dev/nvme0n1
GPT fdisk (gdisk) version 0.8.6 ...
Found valid GPT with protective MBR; using GPT.
Disk /dev/nvme0n1: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 1A82CC87-2757-44ED-980F-C78E3681D9D3
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   EF00  EFI System
   2         1050624       500118158   238.0 GiB   8300  Linux filesystem
[root@alpha00 ~]# 
  • create filesystems
mkfs.msdos /dev/nvme0n1p1
mkfs.xfs /dev/nvme0n1p2
  • prepare EFI partition
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir -p /mnt/efi/efi/boot
cd /mnt/efi/efi/boot
# with Ubuntu LTS 20.04
cp /boot/vmlinuz vmlinuz # copy the desired linux kernel
#cp /boot/initramfs initramfs.img # copy the matching initramfs file
cp /boot/initrd.img initrd.img # copy the matching initrd file
#from /home/olchansk/sysadm/syslinux/syslinux-6.03 copy
cp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/efi/syslinux.efi .
cp /home/olchansk/sysadm/syslinux/syslinux-6.03/efi64/com32/elflink/ldlinux/ldlinux.e64 .
cp syslinux.efi bootx64.efi
  • create syslinux config file: syslinux.cfg
default linux
label linux
kernel vmlinuz
append ro root=/dev/nvme0n1p2 nomodeset initrd=initrd.img
  • prepare system partition
mkdir /mnt/tmp
mount /dev/nvme0n1p2 /mnt/tmp
rsync -avx / /mnt/tmp
cd /mnt/tmp
#edit etc/fstab
#edit etc/sysconfig/selinux # set selinux to permissive mode because rsync did not copy the selinux labels
  • unmount and reboot
  • restore selinux labels after first boot
#login as root
cd /
restorecon -R / # can also add "-v" to see progress, but runs much slower
#edit /etc/sysconfig/selinux # enable selinux
#shutdown -r now # reboot with selinux enabled

Configure UEFI secure boot

The above instructions do not quite work if "secure boot" is enabled.

These modifications are needed:

  • ls -l /boot/efi/EFI/bootko/
total 140116
-rwxr-xr-x 1 root root      108 Feb 24 15:47 BOOTX64.CSV
-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 bootx64.efi
-rwxr-xr-x 1 root root   217495 Feb 24 16:16 config-4.15.0-74-generic
-rwxr-xr-x 1 root root      105 Feb 24 15:47 grub.cfg
-rwxr-xr-x 1 root root   199952 Feb 24 16:16 grubx64.efi
-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initramfs.img
-rwxr-xr-x 1 root root 58986147 Feb 24 16:16 initrd.img-4.15.0-74-generic
-rwxr-xr-x 1 root root   139968 Feb 24 16:16 ldlinux.e64
-rwxr-xr-x 1 root root  1269496 Feb 24 15:47 mmx64.efi
-rwxr-xr-x 1 root root  1334816 Feb 24 16:16 shimx64.efi
-rwxr-xr-x 1 root root      171 Feb 24 16:16 syslinux.cfg
-rwxr-xr-x 1 root root      102 Feb 24 16:16 syslinux.cfg~
-rwxr-xr-x 1 root root   199952 Feb 24 16:16 syslinux.efi
-rwxr-xr-x 1 root root  4068355 Feb 24 16:16 System.map-4.15.0-74-generic
-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz
-rwxr-xr-x 1 root root  8367768 Feb 24 16:16 vmlinuz-4.15.0-74-generic
    • shimx64.efi is a copy from /boot/efi/EFI/ubuntu
    • bootx64.efi is a copy of shimx64.efi (maybe not needed?)
    • grubx64.efi is a copy of syslinux.efi
  • efibootmgr -c -d /dev/nvme0n1 -p 2 -w -L bootko -l '\EFI\bootko\shimx64.efi'
  • efibootmgr -v
root@daqubuntu:~# efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002
Boot0000* bootko        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\BOOTKO\SHIMX64.EFI)
Boot0001* Hard Drive    BBS(HD,,0x0)..GO..NO........y.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7....................A.......................................<..Gd-.;.A..MQ..L.I.N.T.E.L. .S.S.D.P.E.K.K.W.1.2.8.G.7........BO
Boot0002* ubuntu        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
root@daqubuntu:~# 
  • NOTE: if, after running "efibootmgr -c", the UUID is zero, then it probably did not take and the entry will vanish after reboot. In my case the mistake was to use "-p 1" instead of "-p 2".

Boot sequence is this:

  • shimx64.efi - the Microsoft-signed shim is accepted by secure boot, loads and runs
  • shimx64.efi loads and runs grubx64.efi, this file name is hardwired into the signed shim, cannot be changed
  • grubx64.efi is syslinux.efi here. It "could be anything" only in the sense that shim does not care what it is; with secure boot enforcing, shim still verifies it before running it: the binary must be signed by a key in the UEFI db, in the MOK list or built into shim, or its hash must have been enrolled through MokManager (mmx64.efi in the same directory). An unsigned, unenrolled syslinux.efi is refused.
  • syslinux.efi runs, loads syslinux.cfg, loads the linux kernel, loads the initrd, runs the linux kernel with the specified flags (ro root=...).
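
The NOTE above about a zero UUID is easy to miss in "efibootmgr -v" output, so here is an added check written for this page (not part of the page or of efibootmgr): it parses that output, prints partition number, GPT partition GUID and loader path for every GPT-backed entry, and returns the number of entries whose GUID is all zeros, i.e. entries that did not take and will vanish on reboot. Legacy BBS entries (the "Hard Drive" line) have no GPT part and are skipped. The function name is mine and the sample output is constructed: the page's three entries plus one bad entry registered with "-p 1".

```sh
#!/bin/sh
# Added example, not from the DaqWiki page: parse "efibootmgr -v" output and flag boot
# entries whose GPT partition GUID is all zeros (an entry created with the wrong "-p"
# that will vanish on reboot). Legacy BBS entries are skipped. Sample output below is
# constructed for the demo.

efi_entries_check() {    # stdin: output of "efibootmgr -v"; returns the number of zero-GUID entries
    awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ && match($0, /HD\([0-9]+,GPT,[0-9a-fA-F-]+,/) {
        hd = substr($0, RSTART + 3, RLENGTH - 4)      # "2,GPT,<guid>" without "HD(" and trailing ","
        split(hd, a, ",")
        part = a[1]; guid = a[3]
        file = match($0, /File\([^)]*\)/) ? substr($0, RSTART + 5, RLENGTH - 6) : "?"
        verdict = (guid ~ /^[0-]+$/) ? "ZERO-GUID" : "ok"
        if (verdict != "ok") bad++
        print substr($1, 1, 8), "part=" part, "guid=" guid, verdict, "file=" file
    }
    END { exit bad + 0 }'
}

# Constructed sample: the page's three entries plus one bad entry registered against
# partition 1 whose GUID came back as zeros.
sample_efibootmgr() {
    cat <<'EOF'
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002,0003
Boot0000* bootko        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\BOOTKO\SHIMX64.EFI)
Boot0001* Hard Drive    BBS(HD,,0x0)..GO..NO........y.I.N.T.E.L.
Boot0002* ubuntu        HD(2,GPT,5d1cac95-29dd-4d8a-a56e-a8f414dd4047,0x800,0x100000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
Boot0003* bootko-bad    HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\BOOTKO\SHIMX64.EFI)
EOF
}

# Demo (expected: Boot0003 flagged ZERO-GUID, exit status 1). On a real host:
#   efibootmgr -v | efi_entries_check
sample_efibootmgr | efi_entries_check || echo "entries with zero GUID: $?"
```

Compare the printed GUID with the PARTUUID of the EFI System Partition (blkid on the partition device) before rebooting; a mismatch means the entry points at the wrong partition even when the GUID is not zero.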

UEFI syslinux kernel update

To update the linux kernel booted by UEFI syslinux, use this script:

  • ~root/git/scripts/etc/update_efi.perl

Update SL6 ssh

WARNING!!!
WARNING!!! original instructions used openssh 9.1, vulnerable to CVE-2024-6387
WARNING!!!
WARNING!!! these updated instructions use OpenSSH_9.8. K.O. 3jul2024
WARNING!!!
WARNING!!! see https://www.openssh.com/releasenotes.html
WARNING!!!

Stock SL6 ssh (OpenSSH 5.3) is now very old and, by default, cannot connect to current Ubuntu and MacOS sshd; in reverse, their ssh cannot connect to SL6 sshd. The reason is that SL6 only offers the SHA-1 based ssh-rsa and ssh-dss host-key and signature algorithms, which OpenSSH 8.8 and later disable by default.

Workaround is to re-enable the SL6-compatible algorithms on the modern side, for that one host only, since SHA-1 signatures are disabled for a reason:

root@daq00:~# ssh -oHostKeyAlgorithms=+ssh-rsa -oPubKeyAcceptedAlgorithms=+ssh-rsa ladd00

Solution is to install newer ssh on affected SL6 machines:

Install OpenSSH_9.8p1 per CVE-2024-6387

ssh root@sl6-machine
cd /opt
git clone https://daq00.triumf.ca/~olchansk/git/openssh.git
ln -s /opt/openssh/lib64/libcrypto.so.1.1 /usr/lib64/
/bin/cp -pv /etc/ssh/*key* /opt/openssh/etc/ ### copy old ssh host keys
/opt/openssh/bin/ssh-keygen -A ### generate any missing ssh host keys
# test sshd /opt/openssh/sbin/sshd -p 2222 -d
/bin/mv /usr/sbin/sshd /usr/sbin/sshd-SL6
/bin/ln -s /opt/openssh/sbin/sshd /usr/sbin/
/bin/mv /usr/bin/ssh /usr/bin/ssh-SL6
/bin/ln -s /opt/openssh/bin/ssh /usr/bin/
service sshd restart

Update openssh from 9.1 to OpenSSH_9.8p1 per CVE-2024-6387

Check for old version:

[root@muon openssh]# telnet localhost 22
SSH-2.0-OpenSSH_9.1

Update:

cd /opt/openssh
git pull
ln -s /opt/openssh/lib64/libcrypto.so.1.1 /usr/lib64/
service sshd restart

Check for new version:

telnet localhost 22
SSH-2.0-OpenSSH_9.8
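
The "telnet localhost 22" banner check above is easy to automate across a fleet of DAQ hosts. The script below is an added example written for this page (not part of the page or of OpenSSH): it classifies a banner line against the CVE-2024-6387 affected range, which per the upstream and Qualys advisories is OpenSSH 8.5p1 up to but not including 9.8p1, plus releases before 4.4p1. The function name is mine; feed it the first line printed by "telnet host 22" (or "nc host 22 </dev/null"), or the "OpenSSH_x.y" string from "ssh -V" for the client side.

```sh
#!/bin/sh
# Added example, not from the DaqWiki page: classify an sshd banner against the
# CVE-2024-6387 (regreSSHion) affected range. Per the upstream/Qualys advisory the bug is
# present in OpenSSH 8.5p1 up to but not including 9.8p1, and in releases before 4.4p1.
# Stock SL6 is 5.3p1, outside that range, but far too old for other reasons.

ssh_banner_classify() {  # $1=banner, e.g. "SSH-2.0-OpenSSH_9.1"; prints vulnerable | not-affected | unknown
    # Accept "SSH-2.0-OpenSSH_9.8p1 ..." (server banner) as well as "OpenSSH_9.8p1, OpenSSL ..." (ssh -V).
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(SSH-2\.0-\)\{0,1\}OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p')
    if [ -z "$ver" ]; then echo unknown; return 2; fi
    set -- $ver                                   # $1=major $2=minor (function-local positionals)
    n=$(( $1 * 100 + $2 ))                        # 9.1 -> 901, 9.8 -> 908, 8.5 -> 805
    # exit status: 1 = vulnerable, 0 = not affected by this CVE, 2 = could not parse
    if [ "$n" -lt 404 ] || { [ "$n" -ge 805 ] && [ "$n" -lt 908 ]; }; then
        echo vulnerable; return 1
    fi
    echo not-affected; return 0
}

# Demo on the two banners quoted in the section above plus the stock SL6 one:
for b in 'SSH-2.0-OpenSSH_9.1' 'SSH-2.0-OpenSSH_9.8' 'SSH-2.0-OpenSSH_5.3'; do
    printf '%-24s %s\n' "$b" "$(ssh_banner_classify "$b")"
done
```

Distribution packages often backport the fix without bumping the version in the banner, so for vendor-packaged sshd confirm with the package changelog; for the self-built /opt/openssh on SL6 the banner is authoritative.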

Build openssh

ssh sl6-machine
cd git
git clone git://anongit.mindrot.org/openssh.git
cd openssh
autoreconf
xemacs -nw ./configure ### fix syntax error: line 28124 empty "if/then/else" block bombs out, fill it with "AAA=aaa"
./configure --prefix=/opt/openssh
make -j

Install openssh:

ssh root@sl6-machine
cd .../git/openssh
make install ### copies stuff to /opt/openssh
/opt/openssh/sbin/sshd -p 2222 -d ### test sshd
/opt/openssh/bin/ssh -v sl6-machine ### test ssh

Update for CVE-2024-6387:

  • cd .../git/openssh
  • git pull
  • git checkout V_9_8_P1
  • ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
  • make ### no go, wants openssl-1.1.1
  • cd .../git/
  • git clone https://github.com/openssl/openssl.git
  • cd openssl
  • git checkout OpenSSL_1_1_1w
  • configure with prefix --prefix=/opt/openssl
  • make, install to /opt/openssl
  • cd .../openssh
  • configure, build, does not find openssl libraries in /opt (openssh's configure does not set an RPATH for a user-specified openssl location)
  • LD_LIBRARY_PATH=/opt/openssl/lib, try again, now builds and installs
  • but sshd does not run, does not find libcrypto.so.1.1
  • needs ln -s .../lib/libcrypto.so.1.1 /usr/lib64, now sshd finds it, everything works. (The cleaner alternative is to bake the path into the binaries at configure time, LDFLAGS='-Wl,-rpath,/opt/openssl/lib' ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl, so that the privately built libcrypto does not have to be placed in the system library path.)