TarHeel Linux ITS Research Computing University of North Carolina at Chapel Hill Anne Blanchard,...

Post on 11-Jan-2016

TarHeel Linux

ITS Research Computing

University of North Carolina at Chapel Hill

Anne Blanchard, C.D. Poon

Agenda

• Introduction

• Building TarHeel Linux on Test Machine

• Details in TarHeel Linux Build

• Break

• UNCCH-ITS-RC Software Repository

• Variation in TarHeel Linux Build

• Future Work

• Exercise After Build

Test Machine

• Test Machine – CCI Desktop Running Windows XP

• Current ITS Lab Machines

• Lenovo ThinkCentre M58 7479-UN3

- Intel Core 2 E8400 @ 3GHz Processor

- 250 GB SATA II Hard Drive

- 2GB DDR3 Memory

- Integrated 10/100/1000 Ethernet

• Distributed as CCI Desktop between 2/2009 and 5/2010

Building THL

Let’s Build TarHeel Linux

1. Power Up the Machine

2. Put the NetInstall Disc into the CDROM Drive

3. Hit F12 to select booting from CDROM

4. Wait to see the “boot:” prompt

5. Hit Return to take standard desktop installation

6. Wait 30 minutes for the build

What and Why?

• Capability to build a desktop Linux distribution on CCI equipment without needing advanced computer expertise

• Integration with existing ITS Research Computing systems

• Access to a software repository containing a core set of research applications

• Easily managed and modified – but SECURE

Faculty Requests:

Which Penguin?

• Fedora Core is bleeding-edge Linux

• RedHat Enterprise Linux (RHEL) is mostly stable, but has corporate overhead

• CentOS is a more stable Open Source version of RHEL

• Ubuntu is Debian-based and different

Why CentOS?

• Same kernel and libraries as our Research Computing Linux clusters

• Shared applications with our Research Computing Linux clusters

• 100% RHEL Clone with no licensing overhead

• Easy integration into UNC computing environment

TarHeel Linux based on CentOS

Welcome TarHeel Linux

The New Penguin in Town

Building THL

Before you begin …

• Register the MAC address for DHCP at onyen.unc.edu

• Download 19MB TarHeel Linux NetInstall 5.5 ISO image from linux.unc.edu and burn to a DVD/CD-ROM

• Think of a very strong root password:

- 8-12 characters

- mixed case alpha, numeric, and special characters

- no dictionary words 4 characters or greater

- leading capital and trailing digit don’t count

• Obtain ONYEN of root user and primary user if any

NetInstall

One NetInstall ISO – Two Architectures

Is that box 32-bit or 64-bit?

You might be (pleasantly) surprised!

• TarHeel Linux NetInstall can determine the difference

• The Kickstart file for either i386 or x86_64 will load automatically

boot:

Options at the boot: prompt

• Standard Install – either carriage return or wait 60 sec

IMPORTANT NOTE: This will REFORMAT your hard drive!

• Server Install – boot: server

• Rescue Mode – boot: rescue

Installation

First 30 minutes:

• Format the hard drive

- Fixed system space

- Remainder of drive for home directories

• Load the OS onto the hard drive from linux.unc.edu

• PostInstall

- IPtables

- Kerberos

- Other security enhancements

After First Boot

• Change of Ownership

- Enter ONYEN of root user

- Establish a strong root password

- Enter ONYEN of primary user if different from root user

• All recent Updates and Patches are applied

• Final boot to TarHeel Linux!

Root Password

• May not contain any dictionary word of 4 characters or greater

• Has 8-12 characters

• Includes upper and lower case letters

• Contains at least 1 number

• Contains at least 1 special character
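
The root password rules from this slide and the earlier "Before you begin" slide, written as a POSIX shell check. This is an added example, not part of the original presentation or the TarHeel Linux installer; the function name, the sample word list and the reading of "leading capital and trailing digit don’t count" (strip both before checking character classes) are assumptions.

```shell
#!/bin/sh
# Added example: check a candidate root password against the slide's rules.
# WORDS is a constructed sample list; a real check would use a full dictionary.
WORDS="password linux tarheel root admin carolina welcome"

check_root_password() {
    pw=$1
    fail=0

    # Rule: 8-12 characters.
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 12 ]; then
        echo "length must be 8-12 characters"; fail=1
    fi

    # Rule: a leading capital and a trailing digit don't count, so drop
    # them before looking for the required character classes (assumed reading).
    core=$pw
    case $core in [[:upper:]]*) core=${core#?} ;; esac
    case $core in *[[:digit:]]) core=${core%?} ;; esac

    case $core in *[[:upper:]]*) ;; *) echo "needs an upper case letter"; fail=1 ;; esac
    case $core in *[[:lower:]]*) ;; *) echo "needs a lower case letter"; fail=1 ;; esac
    case $core in *[[:digit:]]*) ;; *) echo "needs a number"; fail=1 ;; esac
    case $core in *[[:punct:]]*) ;; *) echo "needs a special character"; fail=1 ;; esac

    # Rule: no dictionary word of 4 characters or greater, matched
    # case-insensitively anywhere in the password.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $WORDS; do
        [ "${#w}" -ge 4 ] || continue
        case $lower in *"$w"*) echo "contains dictionary word: $w"; fail=1 ;; esac
    done

    return "$fail"
}

# Constructed sample candidates (not real credentials).
for candidate in 'Password1' 'Qz!mvk#t9' 'xR00t!Linux9' 'gX7!qz#Rk2m'; do
    if check_root_password "$candidate" >/dev/null; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```

In real use, read the candidate from the terminal with echo disabled rather than passing it as a command-line argument, where it would be visible in the process list.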

Root Password Cont’d

No Luggage Combinations Allowed!

• Machine builds with a strong default password

• Person holding root is the first (and only) member of /etc/sudoers

• A new (strong) password is chosen at build time

• If initial password selection fails (too many tries!), default can be changed by “sudo passwd root” once the machine comes up

Login

• Root Login with Local Password, only local password in the system

• Onyen Login with Onyen Password for root user and primary user if any

• Granted sudo access for root user

Build and Break

• Continue Building TarHeel Linux

• Take a Break for 10 minutes

• Questions?

Applications

What can TarHeel Linux do for me?

Latest stable versions of:

• Firefox browser

• Thunderbird email client

• OpenOffice productivity tools

• Large selection of multi-media applications

AND THERE’S MORE: UNC’s own local repository containing research applications – about 1000 RPMs and growing!

TarHeel Linux Repository

What’s in the Box?

• Open Source Scientific Applications:

- Mathematics & Applied Mathematics

- Statistics & Operations Research

- Chemistry & Biochemistry

- Physics

• Open Source Libraries

• Open Source Visualization Tools

• Open Source RDBMS Tools

• Open Source Programming Language Support

R, buster, Amber, cairo, CERNLIB, fftw, ffmpeg, firebird, FreeMat, gambas, grace, Gromacs, gtkmathview, gvhdf5, imlib2, inkscape, libVorbis, lua, malaga, maxima, MayaVi, PyMol, NetCDF, Octave, OpenMPI, PHONON, Pixman, PyVTK, Qt4, TeX Live, VTK, TINKER, wv, NumPy, ccp4, Coot

yum!

Yellowdog Updater Modified

prompt# yum search ccp4

prompt# yum install openafs-client

prompt# yum provides "*/libkudzu*"

prompt# yum info coot

All RPM Packages are protected with GPG key.

Other Options

Not all software is Open or Free!

There are several options:

• Purchase the software from the vendor and install it locally ($$$$)

• Get a copy of the software from ITS Software Acquisitions and install it locally ($)

• Install the environment locally to run it out of AFS (only a few packages are licensed for us to do this)

Example: # yum install matlab-env

This provides a path to the version in AFS and a local environment is set up to run it properly

X86_64 vs i386

• Architecture x86_64 (64 bit) and i386 (32 bit) available

• In x86_64 repository, some i386 binaries are available.

• Yum figures out what to install to satisfy dependencies.

• In x86_64, /usr/lib64 and /usr/lib coexist.

RPM

• Install into /usr as prefix if possible

• Put into /opt if the package is too complex

• Create startup scripts in /etc/profile.d to set up environment for packages in /opt

• Use “module” to set up environment

Security!

• In Research, a computer is just another tool

• A good tool is a reliable tool

• Reliability = Security!

• Make TarHeel Linux secure “out of the box”

• Provide tools and nightly system checks and updates to keep it that way

ONYENs

The Only Name You’ll Ever Need!

• All user accounts are added by ONYEN

• Information directly from UNC ITS LDAP Server

• Authentication via UNC ITS Kerberos Server

• Only one local encrypted password on a TarHeel Linux host!

• Command “adduser_unc” adds accounts for new UNC users

Ports & Services

“off by default”

• Firewall up from first boot

• ssh (port 22) is the only port open, and is limited to access from the UNC campus

• All unnecessary services are turned off

• Email from the root account is outbound and does not require an open port

• Sendmail uses privilege separation

Patches & Updates

Nightly Updates

• Latest CentOS patches and updates installed automatically

• New versions of software installed from TarHeel Linux repository

• New versions of software from Adobe, GraphViz, Mozilla, etc., downloaded and placed in our repository

• New Linux kernel put in place and notice sent to the root user (reboot needed)

Logs & Reports

Things that go bump in the night:

• logwatch report – Reader’s Digest Condensed Version

• rpm -V – do you have what you asked for?

• New kernel announcement – stay up-to-date!

• All the usual logs in all the usual places

Logwatch

Sample Logwatch message to root user:

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Thu Oct 7 04:02:02 2010
Date Range Processed: yesterday ( 2010-Oct-06 ) Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: zircon.its.unc.edu
##################################################################

--------------------- pam_unix Begin ------------------------
gnome-screensaver:
   Unknown Entries:
      authentication failure; logname= uid=29049 euid=29049 tty=:0.0 ruser= rhost= …..
sshd:
   Authentication Failures:
      cdpoon (dhcp27052.vpn.unc.edu): 1 Time(s)
---------------------- pam_unix End -------------------------

rpm -V

Sample rpm -V message to root user:

Changes Reported:

48c48
< /var/tmp/rpm-tmp.44275: line 851: IntegrateWithGNOME: command not found
---
> /var/tmp/rpm-tmp.36971: line 851: IntegrateWithGNOME: command not found

Errors Reported:

prelink: /usr/lib/libORBit-2.so.0.1.0: at least one of file's dependencies has changed since prelinking
prelink: /usr/lib/libgconf-2.so.4.1.0: at least one of file's dependencies has changed since prelinking

New Kernel

Sample New Kernel message to root user:

Subject: A new kernel is waiting on zircon.its.unc.edu
Date: Fri, 24 Sep 2010 04:02:03 -0400
From: root root@zircon.its.unc.edu
To: root@zircon.its.unc.edu <root@zircon.its.unc.edu>

To: Chi-Duen Poon

zircon.its.unc.edu is currently running the following
kernel: vmlinuz-2.6.18-194.11.3.el5
which dates to Mon Aug 30 16:19:16 EDT 2010.

A new kernel is now available: vmlinuz-2.6.18-194.11.4.el5
All current patches and updates have already been installed;
the exception being the new kernel.

zircon.its.unc.edu has been set up to find and run
the most recent kernel on the next reboot.

Please find a time in the very near future when the host
is quiescent, and schedule a shutdown -r

Thank you - and Secure Computing for All!

The TarHeel Linux Team

THL Hardware

• Based on CCI desktop originally

• Extended to other kinds of machines, server, laptop, Mac, etc.

• Should be able to run on machines with Intel and AMD chips

• Limited by driver availability, such as Wifi driver

THL Server

• At boot prompt, type “server”

• Same as desktop excluding thl-theme package

• For low end video card with low resolution

• Without THL login screen

• Without THL screen saver

THL Virtualization

• Tested extensively with VirtualBox on CCI machines

• THL as host OS and Windows 7 as guest OS

• Windows 7 as host OS and THL as guest OS

THL Laptop

• Virtualization vs. Dual Boot

• Tested extensively with VirtualBox

• Windows 7 as host OS and THL as guest OS

• Borrowed video/sound/Wifi capability from Windows 7

• Dual Boot – Issues with Wifi

THL in USB Key

• At boot prompt, type “usb”

• THL build in 16GB USB key drive

• Slower but with write capabilities (LiveCD without write capabilities)

• Extremely portable

• Required machine to boot from USB drive

VPN in THL

• Installed vpnc in THL, used Onyen and Onyen password to access VPN

• With VirtualBox Windows 7 as host OS, used VPN client in Windows 7, allowed VPN access in THL as guest OS

THL in iMac

• Applied Math lab in Phillips Hall basement as pilot project

• Dual Boot MacOS X and THL using rEFIT as boot agent

• Used VirtualBox with MacOS X as host OS and THL as guest OS

Message Passing

• OpenMPI in UNCCH-ITS-RC repository

• Used “module load openmpi-x86_64” to set up environment for x86_64 machine

• Gromacs compiled over OpenMPI

• Tested in CCI ThinkCentre E20 running 4 way parallel Gromacs jobs

THL in VCL

• Virtual Computer Lab (VCL) from ITS Research Computing, http://vcl.unc.edu

• THL build in VCL

• Customized for different needs and purposes

THL in GPU Computing

• Tested GPU Computing on a Lenovo S20 with Nvidia Tesla C1060 GPU

• Started compiling applications for running jobs in GPU

Future Works

• Root User/Primary User/Root Password confirmation during installation

• RPM Packages update

• Extensive documentation in THL Wiki

• Encrypted filesystem for sensitive data

• VMware Player for virtualization

Future Works Cont’d

• TarHeel Linux 6 with better user interface

• Static IP address build

• Review drive partition

• Gparted to re-partition drive partition

• Any other recommendation?

TarHeel Born!

What makes TarHeel Linux Specific to UNC?

• Accounts are created using information from the UNC LDAP Server

• Authentication uses ITS Kerberos Server

• ISO for OS is only available from the UNC Campus Network

• Software repositories are only available from the UNC Campus Network or via VPN

A Bigger Hammer?

What happens if my research outgrows my desktop’s capabilities?

• CCI Desktops are mostly dual-core 64-bit machines (although we support 32-bit)

• New CCI quad-core machines have arrived!

• Applications developed on a TarHeel Linux machine will run on our Research Clusters

• Applications can be run on remote hosts from the TarHeel Linux desktop

Documentation & Support

TarHeel Linux wiki

• Public section for general information

• ~root for TarHeel Linux root users

• thl_admin for developers

tarheellinux@listserv.unc.edu maillist

• General announcements from THL developers

• Can be used for community discussions

help.unc.edu - Online Help Request (Remedy)

• Research Computing – TarHeel Linux Support

Contact Information

TarHeel Linux Wiki:

http://tarheellinux.unc.edu

TarHeel Linux NetInstall ISO Download:

http://linux.unc.edu/centos/5.5/iso/noarch/TarHeelLinux-5.5-netinstall.iso

(find it in the wiki!)

TarHeel Linux: research@unc.edu

Anne C. Blanchard – blanchar@unc.edu

Chi-Duen Poon – cdpoon@unc.edu

Yum Exercise

• Use yum to look for AFS client

• Install AFS client

• Get AFS token and access AFS Isis space

• Use yum to look for Matlab environment

• Install Matlab environment

• Run Matlab

• Use yum to look for KompoZer

• Install KompoZer

• Run KompoZer