TarHeel Linux
ITS Research Computing
University of North Carolina at Chapel Hill
Anne Blanchard, C. D. Poon

Agenda
• Introduction
• Building TarHeel Linux on Test Machine
• Details in TarHeel Linux Build
• Break
• UNCCH-ITS-RC Software Repository
• Variation in TarHeel Linux Build
• Future Work
• Exercise After Build

Test Machine
• Test Machine – CCI Desktop Running Windows XP
• Current ITS Lab Machines
• Lenovo ThinkCentre M58 7479-UN3
  - Intel Core 2 E8400 @ 3 GHz Processor
  - 250 GB SATA II Hard Drive
  - 2 GB DDR3 Memory
  - Integrated 10/1000 Ethernet
• Distributed as CCI Desktop between 2/2009 and 5/2010

Building THL
Let’s Build TarHeel Linux
1. Power Up the Machine
2. Put the NetInstall Disc into the CDROM Drive
3. Hit F12 to select booting from CDROM
4. Wait to see the “boot:” prompt
5. Hit Return to take standard desktop installation
6. Wait 30 minutes for the build

What and Why?
Faculty Requests:
• Capability to build a desktop Linux distribution on CCI equipment without needing advanced computer expertise
• Integration with existing ITS Research Computing systems
• Access to a software repository containing a core set of research applications
• Easily managed and modified – but SECURE

Which Penguin?
• Fedora Core is bleeding-edge Linux
• RedHat Enterprise Linux (RHEL) is mostly stable, but has corporate overhead
• CentOS is a more stable Open Source version of RHEL
• Ubuntu is Debian-based and different

Why CentOS?
TarHeel Linux based on CentOS
• Same kernel and libraries as our Research Computing Linux clusters
• Shared applications with our Research Computing Linux clusters
• 100% RHEL Clone with no licensing overhead
• Easy integration into UNC computing environment

Welcome TarHeel Linux
The New Penguin in Town

Building THL
Before you begin …….
• Register the MAC address for DHCP at onyen.unc.edu
• Download 19 MB TarHeel Linux NetInstall 5.5 ISO image from linux.unc.edu and burn to a dvd/cdrom
• Think of a very strong root password:
  - 8-12 characters
  - mixed case alpha, numeric, and special characters
  - no dictionary words 4 characters or greater
  - leading capital and trailing digit don’t count
• Obtain ONYEN of root user and primary user if any

NetInstall
One NetInstall ISO – Two Architectures
Is that box 32-bit or 64-bit? You might be (pleasantly) surprised!
• TarHeel Linux NetInstall can determine the difference
• The Kickstart file for either i386 or x86_64 will load automatically

boot:
Options at the boot: prompt
• Standard Install – either carriage return or wait 60 sec
  IMPORTANT NOTE: This will REFORMAT your hard drive!
• Server Install – boot: server
• Rescue Mode – boot: rescue

Installation
First 30 minutes:
• Format the hard drive
  - Fixed system space
  - Remainder of drive for home directories
• Load the OS onto the hard drive from linux.unc.edu
• PostInstall
  - IPtables
  - Kerberos
  - Other security enhancements

After First Boot
• Change of Ownership
• Enter ONYEN of root user
• Establish a strong root password
• Enter ONYEN of primary user if different from root user
• All recent Updates and Patches are applied
• Final boot to TarHeel Linux!

Root Password
• May not contain any dictionary word of 4 characters or greater
• Has 8-12 Characters
• Includes upper and lower case letters
• Contains at least 1 number
• Contains at least 1 special character
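
The root password rules from this slide and from the earlier "Before you begin" slide, written as a checker. This is an added example, not the TarHeel Linux installer's own code. The word list is a small constructed sample, and reading "leading capital and trailing digit don't count" as excluding those characters from the case and number requirements is an assumption.

```shell
#!/bin/sh
# Added example: root password rules from the slides as a POSIX sh check.
LC_ALL=C; export LC_ALL

# Constructed sample word list; a real check would use a full dictionary.
SAMPLE_WORDS="pass word root linux heel carolina penguin"

# check_root_password PASSWORD
# Prints "ok" (status 0) or the first rule violated (status 1).
check_root_password() {
    pw=$1
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 12 ]; then
        echo "length must be 8-12 characters"; return 1
    fi
    # Assumption: "leading capital and trailing digit don't count" means
    # they are ignored when testing the character-class rules below.
    core=$pw
    case $core in [[:upper:]]*) core=${core#?} ;; esac
    case $core in *[[:digit:]]) core=${core%?} ;; esac
    case $core in *[[:upper:]]*) ;; *)
        echo "needs an upper-case letter beyond a leading capital"; return 1 ;;
    esac
    case $core in *[[:lower:]]*) ;; *)
        echo "needs a lower-case letter"; return 1 ;;
    esac
    case $core in *[[:digit:]]*) ;; *)
        echo "needs a number beyond a trailing digit"; return 1 ;;
    esac
    case $core in *[![:alnum:]]*) ;; *)
        echo "needs a special character"; return 1 ;;
    esac
    # No dictionary word of 4 characters or more, compared case-insensitively.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $SAMPLE_WORDS; do
        [ "${#w}" -ge 4 ] || continue
        case $lower in *"$w"*)
            echo "contains dictionary word: $w"; return 1 ;;
        esac
    done
    echo "ok"
}

# Constructed sample passwords.
for sample in 'Password1!' 'x9#Linuxq!' 'qT#mwxzK9' 'k7#Vq2!mZx'; do
    printf '%s -> %s\n' "$sample" "$(check_root_password "$sample")"
done
```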

Root Password Cont’d
No Luggage Combinations Allowed!
• Machine builds with a strong default password
• Person holding root is the first (and only) member of /etc/sudoers
• A new (strong) password is chosen at build time
• If initial password selection fails (too many tries!), default can be changed by “sudo passwd root” once the machine comes up

Login
• Root Login with Local Password, only local password in the system
• Onyen Login with Onyen Password for root user and primary user if any
• Granted sudo access for root user

Build and Break
• Continue Building TarHeel Linux
• Take a Break for 10 minutes
• Questions?

Applications
What can TarHeel Linux do for me?
Latest stable versions of:
• Firefox browser
• Thunderbird email client
• OpenOffice productivity tools
• Large selection of multi-media applications
AND THERE’S MORE: UNC’s own local repository containing research applications – about 1000 RPMs and growing!

TarHeel Linux Repository
What’s in the Box?
• Open Source Scientific Applications:
  - Mathematics & Applied Mathematics
  - Statistics & Operations Research
  - Chemistry & Biochemistry
  - Physics
• Open Source Libraries
• Open Source Visualization Tools
• Open Source RDBMS Tools
• Open Source Programming Language Support
Packages named on the slide: NetCDF, TeX Live, ccp4, TINKER, grace, Coot, PHONON, R, FreeMat, gtkmathview, PyVTK, Qt4, MayaVi, buster, malaga, fftw, VTK, gv, hdf5, imlib2, wv, CERNLIB, ffmpeg, inkscape, libVorbis, lua, Pixman, firebird, Octave, Amber, maxima, OpenMPI, gambas, NumPy, PyMol, Gromacs, cairo

yum!
Yellowdog Updater Modified
  prompt# yum search ccp4
  prompt# yum install openafs-client
  prompt# yum provides "*/libkudzu*"
  prompt# yum info coot
All RPM Packages are protected with GPG key.

Other Options
Not all software is Open or Free! There are several options:
• Purchase the software from the vendor and install it locally ($$$$)
• Get a copy of the software from ITS Software Acquisitions and install it locally ($)
• Install the environment locally to run it out of AFS (only a few packages are licensed for us to do this)
Example:
  # yum install matlab-env
This provides a path to the version in AFS and a local environment is set up to run it properly

X86_64 vs i386
• Architecture x86_64 (64 bit) and i386 (32 bit) available
• In x86_64 repository, some i386 binaries are available.
• Yum figures out what to install to satisfy dependencies.
• In x86_64, /usr/lib64 and /usr/lib coexist.

RPM
• Install into /usr as prefix if possible
• Put into /opt if the package is too complex
• Create startup scripts in /etc/profile.d to set up environment for packages in /opt
• Use “module” to set up environment

Security!
• In Research, a computer is just another tool
• A good tool is a reliable tool
• Reliability = Security!
• Make TarHeel Linux secure “out of the box”
• Provide tools and nightly system checks and updates to keep it that way

ONYENs
The Only Name You’ll Ever Need!
• All user accounts are added by ONYEN
• Information directly from UNC ITS LDAP Server
• Authentication via UNC ITS Kerberos Server
• Only one local encrypted password on a TarHeel Linux host!
• Command “adduser_unc” adds accounts for new UNC users

Ports & Services
“off by default”
• Firewall up from first boot
• ssh (port 22) is the only port open, and is limited to access from the UNC campus
• All unnecessary services are turned off
• Email from the root account is outbound and does not require an open port
• Sendmail uses privilege separation
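
A check for this policy, as an added example that is not part of the original slides or the TarHeel Linux build: it reads iptables-save output and reports any inbound ACCEPT rule other than loopback, established traffic, or ssh from the campus range. It assumes the campus restriction is enforced in iptables; the ruleset is constructed, and 192.0.2.0/24 is a placeholder for the campus network, which the slides do not give.

```shell
#!/bin/sh
# Added example: audit iptables-save output against the slide's policy.

# Constructed sample ruleset; 192.0.2.0/24 is a placeholder for the campus
# range, which the slides do not give.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
COMMIT
EOF
}

# audit_input_rules CAMPUS_CIDR  (reads iptables-save output on stdin)
# Prints one finding per line; no output means the INPUT chain matches
# "ssh only, from campus only".
audit_input_rules() {
    awk -v campus="$1" '
    # The default policy must drop anything not explicitly accepted.
    /^:INPUT / && $2 != "DROP" { print "policy: INPUT default is " $2 }
    /^-A INPUT / && / -j ACCEPT( |$)/ {
        # Loopback traffic never leaves the host.
        if ($0 ~ / -i lo /) next
        # Replies to connections the host opened itself (outbound mail, yum).
        if ($0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED|ESTABLISHED) /) next
        src = ""
        for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
        # ssh is allowed only when the source is the campus range.
        if ($0 ~ /--dport 22 / && src == campus) next
        print "open: " $0
    }'
}

# The constructed sample has one rule outside the policy (port 631).
sample_rules | audit_input_rules 192.0.2.0/24
```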

Patches & Updates
Nightly Updates
• Latest CentOS patches and updates installed automatically
• New versions of software installed from TarHeel Linux repository
• New versions of software from Adobe, GraphViz, Mozilla, etc., downloaded and placed in our repository
• New Linux kernel put in place and notice sent to the root user (reboot needed)

Logs & Reports
Things that go bump in the night:
• logwatch report – Reader’s Digest Condensed Version
• rpm -V - do you have what you asked for?
• New kernel announcement – stay up-to-date!
• All the usual logs in all the usual places

Logwatch
Sample Logwatch message to root user:

  ########## Logwatch 7.3 (03/24/06) ##########
  Processing Initiated: Thu Oct 7 04:02 2010
  Date Range Processed: yesterday
  ( 2010-Oct-06 )
  Period is day.
  Detail Level of Output: 0
  Type of Output: unformatted
  Logfiles for Host: zircon.its.unc.edu
  #################################
  ----------- pam_unix Begin -------------
  gnome-screensaver:
    Unknown Entries:
      authentication failure; logname= uid=29049 euid=29049 tty=:0.0 ruser= rhost= …..
  sshd:
    Authentication Failures:
      cdpoon (dhcp27052.vpn.unc.edu): 1 Time(s)
  ----------- pam_unix End -------------

rpm -V
Sample rpm -V message to root user:

  Changes Reported:
  48c48
  < /var/tmp/rpm-tmp.44275: line 851: IntegrateWithGNOME: command not found
  ---
  > /var/tmp/rpm-tmp.36971: line 851: IntegrateWithGNOME: command not found
  Errors Reported:
  prelink: /usr/libORBit-2.so.0.1.0: at least one of file's dependencies has changed since prelinking
  prelink: /usr/libgconf-2.so.4.1.0: at least one of file's dependencies has changed since prelinking

New Kernel
Sample New Kernel message to root user:

  Subject: A new kernel is waiting on zircon.its.unc.edu
  Date: Fri, 24 Sep 2010 04:02:03 -0400
  From: root@zircon.its.unc.edu
  To: root@zircon.its.unc.edu <root@zircon.its.unc.edu>

  To: Chi-Duen Poon

  zircon.its.unc.edu is currently running the following kernel:
    vmlinuz-2.6.18-194.11.3.el5
  which dates to Mon Aug 30 16:19:16 EDT 2010.
  A new kernel is now available:
    vmlinuz-2.6.18-194.11.4.el5
  All current patches and updates have already been installed; the exception being the new kernel.
  zircon.its.unc.edu has been set up to find and run the most recent kernel on the next reboot.
  Please find a time in the very near future when the host is quiescent, and schedule a
    shutdown -r
  Thank you - and Secure Computing for All!
  The TarHeel Linux Team

THL Hardware
• Based on CCI desktop originally
• Extended to other kinds of machines, server, laptop, Mac, etc.
• Should be able to run on machines with Intel and AMD chips
• Limited by driver availability, such as Wifi driver

THL Server
• At boot prompt, type “server”
• Same as desktop excluding thl-theme package
• For low end video card with low resolution
• Without THL login screen
• Without THL screen saver

THL Virtualization
• Tested extensively with VirtualBox on CCI machines
• THL as host OS and Windows 7 as guest OS
• Windows 7 as host OS and THL as guest OS

THL Laptop
• Virtualization vs. Dual Boot
• Tested extensively with VirtualBox
• Windows 7 as host OS and THL as guest OS
• Borrowed video/sound/Wifi capability from Windows 7
• Dual Boot – Issues with Wifi

THL in USB Key
• At boot prompt, type “usb”
• THL build in 16 GB USB key drive
• Slower but with write capabilities (LiveCD without write capabilities)
• Extremely portable
• Required machine to boot from USB drive

VPN in THL
• Installed vpnc in THL, used Onyen and Onyen password to access VPN
• With VirtualBox Windows 7 as host OS, used VPN client in Windows 7, allowed VPN access in THL as guest OS

THL in iMac
• Applied Math lab in Phillips Hall basement as pilot project
• Dual Boot MacOS X and THL using rEFIt as boot agent
• Used VirtualBox with MacOS X as host OS and THL as guest OS

Message Passing
• OpenMPI in UNCCH-ITS-RC repository
• Used “module load openmpi-x86_64” to set up environment for x86_64 machine
• Gromacs compiled over OpenMPI
• Tested in CCI ThinkCentre E20 running 4 way parallel Gromacs jobs

THL in VCL
• Virtual Computer Lab (VCL) from ITS Research Computing, http://vcl.unc.edu
• THL build in VCL
• Customized for different needs and purposes

THL in GPU Computing
• Tested GPU Computing on a Lenovo S20 with Nvidia Tesla C1060 GPU
• Started compiling applications for running jobs in GPU

Future Works
• Root User/Primary User/Root Password confirmation during installation
• RPM Packages update
• Extensive documentation in THL Wiki
• Encrypted filesystem for sensitive data
• VMware Player for virtualization

Future Works Cont’d
• TarHeel Linux 6 with better user interface
• Static IP address build
• Review drive partition
• Gparted to re-partition drive partition
• Any other recommendation?

TarHeel Born!
What makes TarHeel Linux Specific to UNC?
• Accounts are created using information from the UNC LDAP Server
• Authentication uses ITS Kerberos Server
• ISO for OS is only available from the UNC Campus Network
• Software repositories are only available from the UNC Campus Network or via VPN

A Bigger Hammer?
What happens if my research outgrows my desktop’s capabilities?
• CCI Desktops are mostly dual-core 64-bit machines (although we support 32-bit)
• New CCI quad-core machines have arrived!
• Applications developed on a TarHeel Linux machine will run on our Research Clusters
• Applications can be run on remote hosts from the TarHeel Linux desktop

Documentation & Support
TarHeel Linux wiki
• Public section for general information
• ~root for TarHeel Linux root users
• thl_admin for developers
tarheellinux@listserv.unc.edu maillist
• General announcements from THL developers
• Can be used for community discussions
help.unc.edu - Online Help Request (Remedy)
• Research Computing – TarHeel Linux Support

Contact Information
TarHeel Linux Wiki: http://tarheellinux.unc.edu
TarHeel Linux NetInstall ISO Download: http://linux.unc.edu/centos/5.5/iso/noarch/TarHeelLinux-5.5-netinstall.iso (find it in the wiki!)
TarHeel Linux: research@unc.edu
Anne C. Blanchard – blanchar@unc.edu
Chi-Duen Poon – cdpoon@unc.edu

Yum Exercise
• Use yum to look for AFS client
• Install AFS client
• Get AFS token and access AFS Isis space
• Use yum to look for Matlab environment
• Install Matlab environment
• Run Matlab
• Use yum to look for KompoZer
• Install KompoZer
• Run KompoZer