TarHeel LinuxTarHeel LinuxITS Research Computing

University of North Carolina at Chapel Hill

Anne Blanchard, C.D. Poon

Agenda

• Introduction• Building TarHeel Linux on Test

Machine• Details in TarHeel Linux Build• Break• UNCCH-ITS-RC Software Repository• Variation in TarHeel Linux Build• Future Work• Exercise After Build

2

3

Test Machine

• Test Machine – CCI Desktop Running Windows XP

• Current ITS Lab Machines • Lenovo ThinkCentre M58 7479-UN3

• Intel Core 2 E8400 @ 3GHz Processor 250 GB SATA II Hard Drive 2GB DDR3 Memory Integrated 10/100/1000 Ethernet

• Distributed as CCI Desktop between 2/2009 and 5/2010

4

Building THL

Let’s Build TarHeel Linux1. Power Up the Machine

2. Put the NetInstall Disc into the CDROM Drive

3. Hit F12 to select booting from CDROM

4. Wait to see the “boot:” prompt

5. Hit Return to take standard desktop installation

6. Wait 30 minutes for the build

What and Why?

• Capability to build a desktop Linux distribution on CCI equipment without needing advanced computer expertise

• Integration with existing ITS Research Computing systems

• Access to a software repository containing a core set of research applications

• Easily managed and modified – but SECURE

5

Faculty Requests :

Which Penguin?

• Fedora Core is bleeding-edge Linux

• RedHat Enterprise Linux (RHEL) is mostly stable, but has corporate overhead

• CentOS is a more stable Open Source version of RHEL

• Ubuntu is Debian-based and different

6

Why CentOS?

• Same kernel and libraries as our Research Computing Linux clusters

• Shared applications with our Research Computing Linux clusters

• 100% RHEL Clone with no licensing overhead

• Easy integration into UNC computing environment

7

TarHeel Linux TarHeel Linux based on CentOS

Welcome TarHeel TarHeel LinuxLinux

The New Penguin in Town

8

9

Building THL

Before you begin …….

• Register the MAC address for DHCP at onyen.unc.edu

• Download 19MB TarHeel Linux TarHeel Linux NetInstall 5.5 ISO image from linux.unc.edu and burn to a dvd/cdrom

• Think of a very strong root password:- 8-12 characters

- mixed case alpha, numeric, and special characters

- no dictionary words 4 characters or greater

- leading capital and trailing digit don’t count

• Obtain ONYEN of root user and primary user if any

10

NetInstall

One NetInstall ISO – Two ArchitecturesIs that box 32-bit or 64-bit?

You might be (pleasantly) surprised!

• TarHeel Linux TarHeel Linux NetInstall can determine the difference

• The Kickstart file for either i386 or x86_64 will load automatically

11

boot:

Options at the boot: prompt• Standard Install – either carriage return or wait 60 sec IMPORTANT NOTE: This will REFORMAT your hard drive!

• Server Install – boot: server

• Rescue Mode – boot: rescue

12

Installation

First 30 minutes:• Format the hard drive

Fixed system spaceRemainder of drive for home directories

• Load the OS onto the hard drive from linux.unc.edu

• PostInstallIPtablesKerberosOther security enhancements

13

After First Boot

• Change of Ownership

• Enter ONYEN of root user• Establish a strong root password• Enter ONYEN of primary user if different from root user

• All recent Updates and Patches are applied

• Final boot to TarHeel Linux TarHeel Linux !

14

Root Password

• May not contain any dictionary word of 4 characters or greater

• Has 8 -12 Characters

• Includes upper and lower case letters

• Contains at least 1 number

• Contains at least 1 special character

15

Root Password Cont’d

No Luggage Combinations Allowed!

• Machine builds with a strong default password

• Person holding root is the first (and only) member of /etc/sudoers

• A new (strong) password is chosen at build time

• If initial password selection fails (too many tries!), default can be changed by “sudo passwd root” once the machine comes up

16

Login

• Root Login with Local Password, only local password in the system

• Onyen Login with Onyen Password for root user and primary user if any

• Granted sudo access for root user

17

Build and Break

• Continue Building TarHeel Linux

• Take a Break for 10 minutes

• Questions?

18

Applications

What can TarHeel Linux TarHeel Linux do for me?Latest stable versions of:

• Firefox browser

• Thunderbird email client

• OpenOffice productivity tools

• Large selection of multi-media

applications

AND THERE’S MORE: UNC’s own local repository containing research applications – about 1000 RPMs and growing!

19

TarHeel Linux TarHeel Linux Repository

What’s in the Box?• Open Source Scientific Applications:

Mathematics & Applied Mathematics

Statistics & Operations ResearchChemistry & BiochemistryPhysics

• Open Source Libraries

• Open Source Visualization Tools

• Open Source RDBMS Tools

• Open Source Programming Language Support

R

buster

Ambercairo

CERNLIB

fftw

ffmpeg

firebird

FreeMat

gambas

grace

Gromacs

gtkmathview

gvhdf5

imlib2

inkscape libVorbis

lua

malaga

maxima

MayaVi

PyMol

NetCDF

Octave

OpenMPI

PHONON

Pixman

PyVTK

Qt4

TeX Live

VTK

TINKER

wv

NumPy

ccp4

Coot

20

yum!

Yellowdog Updater Modified

prompt# yum search ccp4

prompt# yum install openafs-client

prompt# yum provides “*/libkudzu*”

prompt# yum info cootAll RPM Packages are protected with GPG key.

21

Other Options

Not all software is Open or Free!There are several options:

• Purchase the software from the vendor and install it locally ($$$$)

• Get a copy of the software from ITS Software Acquisitions and install it locally ($)

• Install the environment locally to run it out of AFS (only a few packages are licensed for us to do this)

Example: # yum install matlab-env This provides a path to the version in AFS and a local environment is set up to run it properly

22

X86_64 vs i386

• Architecture x86_64 (64 bit) and i386 (32 bit) available

• In x86_64 repository, some i386 binaries are available.

• Yum figures out what to install to satisfy dependence.

• In x86_64, /usr/lib64 and /usr/lib coexist.

23

RPM

• Install into /usr as prefix if possible

• Put into /opt if the package is too complex

• Create startup scripts in /etc/profile.d to set up environment for packages in /opt

• Use “module” to set up environment

Security!

• In Research, a computer is just another tool

• A good tool is a reliable tool

• Reliability = Security!

• Make TarHeel Linux TarHeel Linux secure “out of the box”

• Provide tools and nightly system checks and updates to keep it that way24

25

ONYENs

The Only Name You’ll Ever Need!• All user accounts are added by ONYEN

• Information directly from UNC ITS LDAP Server

• Authentication via UNC ITS Kerberos Server

• Only one local encrypted password on a TarHeel TarHeel Linux Linux host!

• Command “adduser_unc” adds accounts for new UNC users

26

Ports & Services“off by

default”• Firewall up from first boot

• ssh (port 22) is the only port open, and is limited to access from the UNC campus

• All unnecessary services are turned off

• Email from the root account is outbound and does not require an open port

• Sendmail uses privilege separation

27

Patches & Updates

Nightly Updates• Latest CentOS patches and updates installed

automatically

• New versions of software installed from TarHeel TarHeel LinuxLinux repository

• New versions of software from Adobe, GraphViz, Mozilla, etc., downloaded and placed in our repository

• New Linux kernel put in place and notice sent to the root user (reboot needed)

28

Logs & Reports

Things that go bump in the night:

• logwatch report – Reader’s Digest Condensed Version

• rpm –V - do you have what you asked for?

• New kernel announcement – stay up-to-date!

• All the usual logs in all the usual places

29

Logwatch

Sample Logwatch message to root user:

################### Logwatch 7.3 (03/24/06) #################### Processing Initiated: Thu Oct 7 04:02:02 2010 Date Range Processed: yesterday ( 2010-Oct-06 ) Period is day. Detail Level of Output: 0 Type of Output: unformatted Logfiles for Host: zircon.its.unc.edu ##################################################################

--------------------- pam_unix Begin ------------------------ gnome-screensaver: Unknown Entries: authentication failure; logname= uid=29049 euid=29049 tty=:0.0 ruser= rhost= ….. sshd: Authentication Failures: cdpoon (dhcp27052.vpn.unc.edu): 1 Time(s) ---------------------- pam_unix End -------------------------

30

rpm -V

Sample rpm -V message to root user:

Changes Reported:

48c48 < /var/tmp/rpm-tmp.44275: line 851: IntegrateWithGNOME: command not found --- /var/tmp/rpm-tmp.36971: line 851: IntegrateWithGNOME: command not found

Errors Reported:

prelink: /usr/lib/libORBit-2.so.0.1.0: at least one of file's dependencies has changed since prelinking prelink: /usr/lib/libgconf-2.so.4.1.0: at least one of file's dependencies has changed since prelinking

31

New Kernel

Sample New Kernel message to root user:Subject: A new kernel is waiting on zircon.its.unc.eduDate: Fri, 24 Sep 2010 04:02:03 -0400From: root root@zircon.its.unc.eduTo: root@zircon.its.unc.edu <root@zircon.its.unc.edu>

To: Chi-Duen Poon

zircon.its.unc.edu is currently running the followingkernel: vmlinuz-2.6.18-194.11.3.el5which dates to Mon Aug 30 16:19:16 EDT 2010.

A new kernel is now available: vmlinuz-2.6.18-194.11.4.el5All current patches and updates have already been installed;the exception being the new kernel.

zircon.its.unc.edu has been set up to find and runthe most recent kernel on the next reboot.

Please find a time in the very near future when the hostis quiescent, and schedule a shutdown -r

Thank you - and Secure Computing for All!

The TarHeel Linux Team

32

THL Hardware

• Based on CCI desktop originally

• Extended to other kinds of machines, server, laptop, Mac, etc.

• Should be able to run on machines with Intel and AMD chips

• Limited by driver availability, such as Wifi driver

33

THL Server

• At boot prompt, type “server”

• Same as desktop excluding thl-theme package

• For low end video card with low resolution

• Without THL login screen

• Without THL screen saver

34

THL Virtualization

• Tested extensively with Virtualbox on CCI machines

• THL as host OS and Windows 7 as guest OS

• Windows 7 as host OS and THL as guest OS

35

THL Laptop

• Virtualization vs. Dual Boot

• Tested extensively with VirtualBox

• Windows 7 as host OS and THL as guest OS

• Borrowed video/sound/Wifi capability from Windows 7

• Dual Boot – Issues with Wifi

36

THL in USB Key

• At boot prompt, type “usb”

• THL build in 16GB USB key drive

• Slower but with write capabilities(LiveCD without write capabilities)

• Extremely portable

• Required machine to boot from USB drive

37

VPN in THL

• Installed vpnc in THL, used Onyen and Onyen password to access VPN

• With VirtualBox Windows 7 as host OS, used VPN client in Windows 7, allowed VPN access in THL as guest OS

38

THL in iMac

• Applied Math lab in Phillips Hall basement as pilot project

• Dual Boot MacOS X and THL using rEFIT as boot agent

• Used VirtualBox with MacOS X as host OS and THL as guest OS

39

Message Passing

• OpenMPI in UNCCH-ITS-RC repository

• Used “module load openmpi-x86_64” to set up environment for x86_64 machine

• Gromacs compiled over OpenMPI

• Tested in CCI ThinkCentre E20 running 4 way parallel Gromacs jobs

40

THL in VCL

• Virtual Computer Lab (VCL) from ITS Research Computing, http://vcl.unc.edu

• THL build in VCL

• Customized for different needs and purposes

41

• Tested GPU Computing on a Lenovo S20 with Nvidia Tesla C1060 GPU

• Started compiling applications for running jobs in GPU

THL in GPU Computing

42

Future Works

• Root User/Primary User/Root Password confirmation during installation

• RPM Packages update

• Extensive documentation in THL Wiki

• Encrypted filesystem for sensitive data

• Vmware Player for virtualization

43

Future Works Cont’d

• TarHeel Linux 6 with better user interface

• Static IP address build

• Review drive partition

• Gparted to re-partition drive partition

• Any other recommendation?

44

TarHeel TarHeel Born!

What makes TarHeel Linux TarHeel Linux Specific to UNC?

•Accounts are created using information from the UNC LDAP Server

• Authentication uses ITS Kerberos Server

• ISO for OS is only available from the UNC Campus Network

• Software repositories are only available from the UNC Campus Network or via VPN

45

A Bigger Hammer?

What happens if my research outgrows my desktop’s capabilities?• CCI Desktops are mostly dual-core 64-bit

machines (although we support 32-bit)

• New CCI quad-core machines have arrived!

• Applications developed on a TarHeel Linux TarHeel Linux machine will run on our Research Clusters

• Applications can be run on remote hosts from the TarHeel Linux TarHeel Linux desktop

46

Documentation & Support

TarHeel Linux TarHeel Linux wiki• Public section for general information• ~root for TarHeel Linux TarHeel Linux root users• thl_admin for developerstarheellinux@listserv.unc.edu

maillist• General announcements from THL developers• Can be used for community discussionshelp.unc.edu - Online Help Request

(Remedy)• Research Computing – TarHeel Linux Support

47

Contact Information

TarHeel Linux TarHeel Linux Wiki:

http://tarheellinux.unc.edu

TarHeel Linux TarHeel Linux NetInstall ISO Download:

http://linux.unc.edu/centos/5.5/iso/noarch/TarHeelLinux-5.5-

netinstall.iso

(find it in the wiki!)

TarHeel Linux TarHeel Linux : research@unc.edu

Anne C. Blanchard – blanchar@unc.edu

Chi-Duen Poon – cdpoon@unc.edu

48

Yum Exercise

• Use yum to look for AFS client• Install AFS client• Get AFS token and access AFS Isis space

• Use yum to look for Matlab environment• Install Matlab environment• Run Matlab

• Use yum to look for KompoZer• Install KompoZer• Run KompoZer