Difference between revisions of "Client Configuration"

From Nuclear Physics Group Documentation Pages
(12 intermediate revisions by 2 users not shown)
Latest revision as of 16:03, 19 January 2012

Follow these step-by-step instructions to configure a new client system on the NPG network. NPG servers generally run Red Hat Enterprise Linux 5 (or CentOS 5), and workstations run CentOS 6. These setup instructions are written for the CentOS installer, but the RHEL install process isn't much different, so these directions should work for setting up RHEL systems as well.

Pre-Install Preparation

Here are some things you should know before you start installing Linux on a system.

Choose a Partition Layout

For most general purpose workstations it's safe to accept the default partition layout from the installer (in most cases this makes a 500 MB /boot partition and a second partition that contains an LVM with separate volumes for / and swap). For special cases (especially servers) you'll probably have to spend some time thinking about how the system will be used to determine the best partitioning layout. Look here for a fairly comprehensive introduction to the Linux filesystem. Generally it's a good idea to put /boot on a separate partition, which only needs to be about 500 MB.

Networking

Before you set up a machine it's a good idea to collect the IP addresses and other configuration information you'll need to have on hand before you start the OS install. As a general rule NPG machines should have a static IP address and hostname reserved for them by UNH. If this is a brand new machine and there aren't any spare hostnames lying around you'll have to register a new one before you start. Make sure to add any new hostnames to the DNS (for farm addresses) and LDAP netgroup configurations in order for them to be able to access necessary network services (the firewall is configured to block connections to things like LDAP and NFS from machines it doesn't know about).

If you're using an existing NPG hostname, run this command on an NPG system to find its IP address:

nslookup <hostname> 

Network Configuration Details You Should Know

UNH

  • Netmask: 255.255.252.0
  • Default Gateway: 132.177.88.1
  • Primary DNS: 132.177.88.37
  • Secondary DNS: 132.177.88.76

Farm

  • Netmask: 255.0.0.0
  • Primary DNS: 10.0.0.253
  • Secondary DNS: 10.0.0.251

Note: Farm Connections do not use a default gateway.

When you are first setting up the network, a good starting point is to run system-config-network and enter the details listed above. After that it is still likely that you will need to edit the scripts in /etc/sysconfig/network-scripts/ by hand, in particular to set NM_CONTROLLED=no and ONBOOT=yes on each interface. Also remember to run service NetworkManager stop, so that NetworkManager does not overwrite the static configuration.

Below are two example configuration files showing what the network scripts on a new system with connections to both the farm and UNH might look like. Use eth0 for the farm and eth1 for UNH. The HWADDR values are the MAC addresses of the machine these files were taken from; replace them with this system's own (as reported by ifconfig -a), or the scripts will be tied to devices this host does not have, and replace the IPADDR values with the addresses reserved for this host.

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
HWADDR=00:0c:29:b3:a2:68
TYPE=Ethernet
BOOTPROTO=none
IPADDR=10.0.0.235
NETMASK=255.0.0.0
DNS1=10.0.0.253
DNS2=10.0.0.251
ONBOOT=yes
NM_CONTROLLED=no
USERCTL=no
IPV6INIT=no

/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
HWADDR=00:0c:29:b3:a2:72
TYPE=Ethernet
BOOTPROTO=none
IPADDR=132.177.88.174
NETMASK=255.255.252.0
GATEWAY=132.177.88.1
DNS1=132.177.88.37
DNS2=132.177.88.76
ONBOOT=yes
NM_CONTROLLED=no
USERCTL=no
IPV6INIT=no

Vlans

If the machine you're configuring is located in the server room and only has a connection to the Farm switch you can configure a vlan interface to connect to the outside world. You won't be able to set it up during the install process, which means that you shouldn't try to use a netinstall disk to install the system. Once you've installed the OS here's how you configure the VLAN:

  • Make sure the interface connected to the switch is configured and running.
  • Run this command:
vconfig add <interface-name> <vlan-id> 

where <interface-name> is the name of the network device (e.g. eth0) and the vlan-id is the ID number you want to use. For example the following command:

vconfig add eth0 2

would create a VLAN interface called eth0.2, which can then be configured as if it were a normal interface connected to the UNH network.

  • Make sure /etc/sysconfig/network-scripts/ifcfg-eth0.2 contains VLAN=yes, or the interface will not come up at boot.
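As an added example (not part of this wiki page), the following POSIX shell script checks an ifcfg-* file against the conventions described in this Networking section: static addressing, NM_CONTROLLED=no, ONBOOT=yes, IPV6INIT=no, USERCTL=no, the netmask, DNS servers and gateway of the farm or UNH side (the farm side must have no GATEWAY), an IPADDR inside the right subnet, VLAN=yes on dotted sub-interfaces such as eth0.2, and an HWADDR that matches what the kernel reports for the device. The check_ifcfg function and its "farm"/"unh" role names are this example's own; the sample files it writes are constructed from the two ifcfg files listed above.

```shell
#!/bin/sh
# Added example, not from the NPG wiki: lint an ifcfg-* file against the
# conventions above before bringing the interface up.

# ifcfg_get KEY FILE: value of KEY in an ifcfg file, quotes stripped ("" if absent).
ifcfg_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# ip_to_int A.B.C.D: dotted quad as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# ip_in_net IP NETWORK NETMASK: succeeds when IP lies inside NETWORK/NETMASK.
ip_in_net() {
    _ip=$(ip_to_int "$1"); _net=$(ip_to_int "$2"); _mask=$(ip_to_int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_ifcfg FILE ROLE [SYSNET]: ROLE is "farm" or "unh". Prints each problem
# found and returns 1 if there were any. SYSNET is where the kernel exposes
# interface MACs (default /sys/class/net); a test can point it at its own files.
check_ifcfg() {
    f=$1; role=$2; sysnet=${3:-/sys/class/net}; rc=0
    case $role in
        farm) net=10.0.0.0; mask=255.0.0.0; gw=""
              dns1=10.0.0.253; dns2=10.0.0.251 ;;
        unh)  net=132.177.88.0; mask=255.255.252.0; gw=132.177.88.1
              dns1=132.177.88.37; dns2=132.177.88.76 ;;
        *)    echo "check_ifcfg: unknown role '$role'"; return 2 ;;
    esac
    # Fixed settings: static addressing, NetworkManager hands off, IPv6 off,
    # and this network's netmask/DNS/gateway (the farm has no gateway at all).
    for kv in BOOTPROTO=none NM_CONTROLLED=no ONBOOT=yes IPV6INIT=no USERCTL=no \
              "NETMASK=$mask" "DNS1=$dns1" "DNS2=$dns2" "GATEWAY=$gw"; do
        key=${kv%%=*}; want=${kv#*=}; got=$(ifcfg_get "$key" "$f")
        [ "$got" = "$want" ] || { echo "$f: $key is '$got', expected '$want'"; rc=1; }
    done
    ip=$(ifcfg_get IPADDR "$f")
    if [ -z "$ip" ]; then echo "$f: IPADDR missing"; rc=1
    elif ! ip_in_net "$ip" "$net" "$mask"; then echo "$f: IPADDR $ip is outside $net/$mask"; rc=1
    fi
    dev=$(ifcfg_get DEVICE "$f")
    [ -n "$dev" ] || { echo "$f: DEVICE missing"; rc=1; }
    # A VLAN sub-interface such as eth0.2 needs VLAN=yes or it will not come up at boot.
    case $dev in
        *.*) [ "$(ifcfg_get VLAN "$f")" = yes ] || { echo "$f: $dev needs VLAN=yes"; rc=1; } ;;
    esac
    # An HWADDR copied from another machine pins the file to a NIC this host does
    # not have, so compare it with the kernel's view when that is available.
    hw=$(ifcfg_get HWADDR "$f" | tr 'A-Z' 'a-z')
    if [ -n "$dev" ] && [ -r "$sysnet/$dev/address" ]; then
        real=$(cat "$sysnet/$dev/address")
        [ "$hw" = "$real" ] || { echo "$f: HWADDR '$hw' does not match $dev ($real)"; rc=1; }
    fi
    return $rc
}

# write_samples DIR: the two example files from this page, as constructed input.
write_samples() {
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:0c:29:b3:a2:68
BOOTPROTO=none
IPADDR=10.0.0.235
NETMASK=255.0.0.0
DNS1=10.0.0.253
DNS2=10.0.0.251
ONBOOT=yes
NM_CONTROLLED=no
USERCTL=no
IPV6INIT=no
EOF
    cat > "$1/ifcfg-eth1" <<'EOF'
DEVICE=eth1
HWADDR=00:0c:29:b3:a2:72
BOOTPROTO=none
IPADDR=132.177.88.174
NETMASK=255.255.252.0
GATEWAY=132.177.88.1
DNS1=132.177.88.37
DNS2=132.177.88.76
ONBOOT=yes
NM_CONTROLLED=no
USERCTL=no
IPV6INIT=no
EOF
}

# Demonstration against the samples, with a stand-in for /sys/class/net.
d=$(mktemp -d); mkdir -p "$d/sys/eth0"; echo 00:0c:29:b3:a2:68 > "$d/sys/eth0/address"
write_samples "$d"
check_ifcfg "$d/ifcfg-eth0" farm "$d/sys" && echo "ifcfg-eth0: ok"
check_ifcfg "$d/ifcfg-eth1" unh "$d/sys" && echo "ifcfg-eth1: ok"
rm -rf "$d"
```

On a real host run it as check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 farm (and ... ifcfg-eth1 unh) before ifup; any line it prints is something the installer or a copied file got wrong. The HWADDR comparison is the one that catches files cloned from another NPG machine.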

Downloading Install Disks

The Research Computing Center in Morse Hall hosts repository mirrors for CentOS and Fedora, so if you're looking to download a DVD or CD ISO to install one of these operating systems it's probably fastest to download from there. Each ISO directory on the mirror also carries checksum files (md5sum.txt and sha1sum.txt, plus sha256sum.txt where provided); compare the downloaded image against them before you burn it, and since the mirror is reached over plain HTTP, check the sums against those published on centos.org as well. The URL is

http://mirror.sr.unh.edu/

Here are some quick links for various ISO images you might want to use:

CentOS 5 (for servers)

64 Bit

32 Bit

CentOS 6 (for workstations)

64 Bit

32 Bit

Installing CentOS

This guide assumes you're using the CentOS 5 DVD install image. See here for notes on using the netinstall disk.

  1. Download a CentOS CD or DVD image and burn it to a disk.
  2. Boot from the disk. You may need to change the system's boot device settings in the BIOS to get this to work. Often pressing F12 during startup will bring up a menu of devices you can choose from.
  3. Select the language and keyboard layout. Unless you have a really good reason not to, just pick U.S. English.
  4. Partition the hard drive. If you followed my advice and planned your partition layout ahead of time you already know what you need to do. In any case make sure you're at least 99.98% certain that you've got everything configured the way it should be before you apply your partitioning layout (both because in certain cases you could accidentally erase data you shouldn't, and because it's not possible to reconfigure the partitioning after the fact).
  5. At this point if you opted to review your layout you may be asked to configure your bootloader preferences. It's generally safe to accept defaults here.
  6. Configure the Network (see above for details).
    • Set a static IPv4 address/netmask and disable IPv6 for each interface.
    • Set the hostname for the system manually
    • Set the Gateway and DNS configuration
  7. Set the region / Time Zone to America/New_York (though this is probably the default).
  8. Set the root password using the standard admin password scheme
  9. At the package configuration screen select whichever package set you think you will need and then choose Customize later and move to the next step.
  10. At this point the system is going to format the disk(s) and copy the OS onto the system. It will probably take a little while. This is a good time to go grab a snack and a cup of coffee. Once this finishes you'll be prompted to reboot the system. Make sure to take the install CD out to ensure the system boots from the new CentOS install. Once the system reboots you need to make some configuration changes.
  11. If this system will be a server just choose the default firewall configuration (you'll reconfigure it later anyway). If it will be a workstation just make sure the firewall is enabled and access is restricted for all but the SSH service.
  12. Set SELinux to Disabled
  13. Enable Network Time Protocol
  14. Create User
    • First, create a local user for the system to use in case LDAP is unavailable. I usually just set the username to "admin", and the password to the standard administrator password.
    • Click Use Network Login to configure LDAP authentication
    • Under the User Information tab check Enable LDAP Support and then click Configure LDAP
    • Set the LDAP Server to ldap://einstein.unh.edu (if you're setting up a machine with a connection to the farm network use ldap://einstein.farm.physics.unh.edu)
    • Check Use TLS to encrypt connections and then click Download CA Certificate
    • Under the Authentication tab check Enable LDAP Support
    • Set the Base DN to dc=physics,dc=unh,dc=edu
    • Under the advanced settings tab set the password hashing algorithm to MD5
  15. At this point your install should be finished. Reboot and continue on to Post-Install Configuration


Post-Install Configuration

These are the configuration steps you need to take after a successful OS install. They cover the automount service, denyhosts, the NPG iptables firewall, and making sure LDAP logins work. Most if not all of the commands below must be run as root.

  1. Make sure SSH starts on boot:
    chkconfig sshd on
  2. Run visudo, uncomment the %wheel line and change %wheel to %domain_admins, so that members of the LDAP domain_admins group (and nobody else) can use sudo.
  3. If for some reason you did not configure LDAP login settings during the OS install you can use the "system-config-authentication" utility to complete those steps. This tool is also in the GUI menus at System->Administration->Authentication.
  4. Configure the automounter
    • Copy the automount configuration from another NPG system using the following command:
      scp <user>@<npg-hostname>:/etc/auto.* /etc/
    • Restart the autofs service:
      service autofs restart
      If the restart does not pick up the new maps, stop and start it explicitly:
      service autofs stop
      service autofs start
    • Make sure autofs runs at boot time:
      chkconfig autofs on
    • Lastly, check that automount is working by changing into /net/home/. That directory will not be listed until you cd into it; autofs mounts it on demand.
  5. Configure the firewall. If this system is a workstation and not a server you can skip this step and make sure that the default firewall is configured only to allow access to SSH and no other services.
    • Install the package perl-LDAP via yum. This is needed for the firewall to function.
    • Copy the following files from another NPG system (put them in the same locations, of course):
      /etc/sysconfig/iptables-npg
      /etc/sysconfig/iptables-config
      /etc/init.d/iptables-netgroups
      /usr/local/bin/netgroup2iptables.pl
    • Edit iptables-npg to make sure that the farm and UNH interface rules refer to the correct network devices for this system, and that the input rules for this system allow only the services it is actually running.
    • Restart iptables:
      service iptables restart
    • Start iptables-netgroups:
      service iptables-netgroups start
    • Make sure iptables and iptables-netgroups start at boot time:
      chkconfig iptables on
      chkconfig iptables-netgroups on
  6. Install Denyhosts.
    • The denyhosts RPM is available from the EPEL package repository. Use the following instructions to make this package available to yum.
      1. Download the EPEL repository install RPM:
        RHEL 5
        RHEL 6
      2. Install the rpm:
        rpm -ivh epel-release-<version>.noarch.rpm
    • Install Denyhosts via yum:
      yum install denyhosts
    • Edit /etc/denyhosts.conf and change the option BLOCK_SERVICE=sshd to BLOCK_SERVICE=ALL
    • Start denyhosts:
      service denyhosts start
    • Make sure denyhosts starts at boot:
      chkconfig denyhosts on
  7. Set the following in the LDAP client configuration file (/etc/ldap.conf on CentOS 5, /etc/nslcd.conf on CentOS 6):
      timelimit 120
      bind_timelimit 120
      bind_policy soft
      idle_timelimit 3600
      uri ldap://einstein.farm.physics.unh.edu/
      ssl start_tls
      tls_cacertdir /etc/openldap/cacerts
      pam_password md5
     Use uri ldap://einstein.unh.edu/ instead if the machine has no farm connection. Note that ssl start_tls only encrypts the session; whether the server certificate is actually validated against /etc/openldap/cacerts is governed by tls_checkpeer (ldap.conf) or tls_reqcert (nslcd.conf), so check that setting too, otherwise a host on the path could answer LDAP queries, and receive users' bind passwords, as if it were einstein.
  8. Install emacs.
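As an added example (not part of this wiki page), the following POSIX shell script reproduces, with awk over a constructed /var/log/secure, the per-source tally that the denyhosts installed in step 6 performs, using the three thresholds denyhosts.conf calls DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT, and then shows what the BLOCK_SERVICE=ALL setting from that step changes in the lines written to /etc/hosts.deny. The function names, the host name "newbox" and all addresses in the sample log are this example's own.

```shell
#!/bin/sh
# Added example, not from the NPG wiki: the per-source tally denyhosts performs
# on /var/log/secure, done with awk so the effect of the thresholds and of
# BLOCK_SERVICE can be seen before the daemon is trusted with hosts.deny.

# write_sample_secure FILE: constructed sshd log lines (host and addresses invented).
write_sample_secure() {
    cat > "$1" <<'EOF'
Jan 19 15:58:01 newbox sshd[1201]: Failed password for invalid user admin from 10.0.0.77 port 50122 ssh2
Jan 19 15:58:03 newbox sshd[1201]: Failed password for invalid user admin from 10.0.0.77 port 50122 ssh2
Jan 19 15:58:05 newbox sshd[1203]: Failed password for root from 10.0.0.77 port 50130 ssh2
Jan 19 15:59:10 newbox sshd[1210]: Accepted publickey for jsmith from 132.177.88.20 port 41022 ssh2
Jan 19 16:00:42 newbox sshd[1215]: Failed password for jsmith from 132.177.88.20 port 41030 ssh2
Jan 19 16:01:00 newbox sshd[1220]: Failed password for invalid user oracle from 203.0.113.9 port 3390 ssh2
Jan 19 16:01:01 newbox sshd[1220]: Failed password for invalid user oracle from 203.0.113.9 port 3390 ssh2
Jan 19 16:01:02 newbox sshd[1220]: Failed password for invalid user oracle from 203.0.113.9 port 3390 ssh2
Jan 19 16:01:03 newbox sshd[1220]: Failed password for invalid user oracle from 203.0.113.9 port 3390 ssh2
EOF
}

# ssh_offenders LOG T_INVALID T_VALID T_ROOT: one "IP reason count" line per
# source that reached a threshold, mirroring DENY_THRESHOLD_INVALID / _VALID /
# _ROOT in denyhosts.conf (failures against root are counted separately and
# checked first, since that threshold is normally the lowest).
ssh_offenders() {
    awk -v t_inv="$2" -v t_val="$3" -v t_root="$4" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            seen[ip] = 1
            if ($0 ~ / for invalid user /)   inv[ip]++
            else if ($0 ~ / for root from /) rt[ip]++
            else                             val[ip]++
        }
        END {
            for (ip in seen) {
                if (rt[ip] >= t_root)       print ip, "root", rt[ip]
                else if (inv[ip] >= t_inv)  print ip, "invalid", inv[ip]
                else if (val[ip] >= t_val)  print ip, "valid", val[ip]
            }
        }' "$1" | sort
}

# hosts_deny_lines SERVICE IP...: the tcp_wrappers lines denyhosts appends to
# /etc/hosts.deny. BLOCK_SERVICE=sshd stops only ssh from that source; ALL
# stops every service that consults hosts.deny (the setting this page asks for).
hosts_deny_lines() {
    svc=$1; shift
    for ip in "$@"; do echo "$svc: $ip"; done
}

# Demonstration on the constructed log.
d=$(mktemp -d)
write_sample_secure "$d/secure"
echo "sources over threshold (invalid-user 3, valid-user 10, root 1):"
ssh_offenders "$d/secure" 3 10 1
echo "lines denyhosts would add to /etc/hosts.deny with BLOCK_SERVICE=ALL:"
hosts_deny_lines ALL $(ssh_offenders "$d/secure" 3 10 1 | cut -d' ' -f1)
rm -rf "$d"
```

Point ssh_offenders at the real /var/log/secure to see which sources denyhosts would already have blocked with the thresholds you configured; the valid-user counter is the one to watch on a shared workstation, since a colleague mistyping a password from an NPG address gets the same ALL: line as an attacker.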