Difference between revisions of "Upgrading to Centos 7"

From Nuclear Physics Group Documentation Pages
Revision as of 17:28, 9 May 2016

Turn Off SELinux

It's a pain, we don't need it, turn it off: set SELINUX=disabled in /etc/sysconfig/selinux (the change takes effect at the next boot). If you cannot reboot, you can put SELinux into "permissive" mode immediately with "setenforce 0"; check the current state with "sestatus".

Ethernet Device Naming

The consistent network device naming feature gives the Ethernet devices a stable name. See the Red Hat networking guide:

The trick is to add one line per interface, matched on its MAC address, to /etc/udev/rules.d/70-persistent-ipoib.rules, like:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:38", NAME="farm"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:39", NAME="unh"

I found this whole scheme very confusing and finicky. MUCH BETTER: set HWADDR in the ifcfg file under /etc/sysconfig/network-scripts; the interface then picks up its name from that script. Example from Pepper:

# Pin the interface name to the hardware (MAC) address instead of a udev rule
TYPE=Ethernet
NAME=farm
HWADDR=52:54:00:85:bf:0e
DEVICE=farm
ONBOOT=yes
# Static IPv4 configuration; primary and secondary resolvers
IPADDR=10.0.0.245
PREFIX=24
GATEWAY=100.0.0.100
DNS1=10.0.0.245
DNS2=10.0.0.253
DOMAIN=farm.physics.unh.edu
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
# Keep NetworkManager away from this interface; the network service owns it
NM_CONTROLLED=no
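Because the ifcfg file is sourced like a shell script, a repeated key silently overrides the earlier one and a typo in HWADDR quietly leaves the name unpinned. The following lint, an added example that is not part of the wiki page or of the Pepper host's configuration, parses an ifcfg file and reports those defects plus a GATEWAY that lies outside the IPADDR/PREFIX subnet; the sample input is constructed.

```python
"""Lint a CentOS 7 ifcfg-* file before trusting its HWADDR pinning.
Added example, not from the wiki or the Pepper host; the sample is constructed.
Checks: duplicate keys (shell-sourced, so the last value silently wins),
HWADDR syntax, NAME/DEVICE agreement, GATEWAY inside the IPADDR/PREFIX net."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def parse_ifcfg(text):
    """Return (last value per key, keys seen more than once)."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in values:
            duplicates.append(key)
        values[key] = value.strip('"')
    return values, duplicates

def lint_ifcfg(text):
    """Return a list of findings; an empty list means the file looks sane."""
    cfg, dups = parse_ifcfg(text)
    findings = [f"duplicate key {k} (last value wins)" for k in dups]
    mac = cfg.get("HWADDR", "")
    if not MAC_RE.match(mac):
        findings.append(f"missing or malformed HWADDR {mac!r}")
    if cfg.get("NAME") != cfg.get("DEVICE"):
        findings.append("NAME and DEVICE differ")
    if all(k in cfg for k in ("IPADDR", "PREFIX", "GATEWAY")):
        net = ipaddress.ip_network(f"{cfg['IPADDR']}/{cfg['PREFIX']}", strict=False)
        if ipaddress.ip_address(cfg["GATEWAY"]) not in net:
            findings.append(f"GATEWAY {cfg['GATEWAY']} not in {net}")
    return findings

# Constructed sample modelled on the Pepper entry above (not the real file).
SAMPLE = """\
NAME=farm
HWADDR=52:54:00:85:bf:0e
DEVICE=farm
IPADDR=10.0.0.245
PREFIX=24
GATEWAY=100.0.0.100
DNS2=10.0.0.245
DNS2=10.0.0.253
"""
```

On a real host, pass the contents of /etc/sysconfig/network-scripts/ifcfg-<name> to lint_ifcfg() and fix every finding before restarting the network service.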

Get LDAP login to work

  • Install openldap, openldap-clients and sssd-ldap: yum install openldap openldap-clients sssd-ldap
  • Create and populate /etc/openldap/cacerts (copy the CA certificates from gourd).
  • Enable and start the sssd service: systemctl enable sssd && systemctl start sssd
  • Allow sss in /etc/pam.d/password-auth and in /etc/nsswitch.conf.

Get Automount working

  • Install /etc/auto.master and /etc/auto.net.
  • Create the mount points: mkdir -p /net/home /net/data /net/www
  • Enable and start autofs: systemctl enable autofs && systemctl start autofs


LOGS

Gourd

Initial

  • Gourd would not boot from a USB stick. It seems the HW doesn't support this, though it is also possible the fault is with the front USB port. Boot from installer DVD.
  • Standard server install
  • No ethernet driver: nForce ethernet "forcedeth" not available, use the kmod-forcedeth driver from elrepo.org: http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/kmod-forcedeth-0.64-1.el7.elrepo.x86_64.rpm
  • Note that CentOS 7 (i.e. RHEL 7) comes standard with "firewalld". Not wanting to bother with "yet another config system for firewalls (tm)", this was disabled in favor of good old iptables, which is the underlying system anyway. This policy may change in the future. (To disable firewalld: "systemctl stop firewalld ; systemctl mask firewalld". To set up iptables: "yum install iptables-services; systemctl enable iptables", and then of course configure the tables.)
  • Network interfaces are now renamed to a "consistent scheme", see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html
  • FARM network = enp0s8 = farm
  • UNH network = enp0s9 = unh
  • Setting up bridge networking took a bit. The complication was that I just used "ifup" and "ifdown", and did not use "systemctl restart network".
  • Setting up sssd: the LDAP authentication did not work when using TLS, because the MD5 encrypted certificate is no longer accepted. We need new certificates! For now, connect with ldap: instead of ldaps:
    • That does not appear to work for automount. Darn it!
  • Copied more sane iptables rules from endeavour, including the blacklist.

Continued

  • Copy the old ssh keys from backup to Gourd. Unfortunately, the keys in /root are not backed up. I grabbed the ones from endeavour.
  • Set up proper (not MD5 encrypted) TLS certificates on Einstein, then get ldaps to work properly.
  • Fix the NFS mounting issues. When mounting with nfsvers=4, the username and group do not get passed properly and everything is "nobody". Fix this by forcing automount to mount everything with nfsvers=3 in the auto.net file.