====== Cluster network ======
\\
===== DHCP Server =====
External resources :
* http://www.unixmen.com/setup-dhcp-server-centos-6-5/
* http://www.unixmen.com/setup-dhcp-server-ubuntu-14-04-lts-server/
The first part is to configure the DHCP server for the Ethernet network. The DHCP server will provide the nodes with their IP address, the DNS server address, the location of the PXE boot files, etc.
Set the server's own IP to static. Note that IPADDR pairs with NETMASK; the indexed IPADDR0 form found in some examples must be paired with PREFIX0 or NETMASK0, the unindexed NETMASK does not apply to it :
localhost:~# cat /etc/sysconfig/network-scripts/ifcfg-enp0s8
TYPE="Ethernet"
DEVICE="enp0s8"
NAME="enp0s8"
BOOTPROTO="static"
ONBOOT="yes"
NM_CONTROLLED=no
HWADDR=08:00:27:50:76:ac
IPADDR="172.16.0.1"
NETMASK=255.255.255.0
yum install dhcp -y
On CentOS 7 there is no need to list the interface in /etc/sysconfig/dhcpd : dhcpd serves on every interface whose address belongs to a declared subnet. Let's edit the configuration file directly.
localhost:~# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
option domain-name "sphen.fr";
option domain-name-servers server.sphen.fr;
authoritative;
# A slightly different configuration for an internal subnet.
subnet 172.16.0.0 netmask 255.255.255.0 {
range 172.16.0.2 172.16.0.30;
option domain-name-servers server.sphen.fr;
option domain-name "sphen.fr";
option routers 172.16.0.1;
option broadcast-address 172.16.0.255;
default-lease-time 600;
max-lease-time 7200;
host client1 {
hardware ethernet 08:00:27:96:79:db;
fixed-address 172.16.0.2;
}
}
Now start the DHCP server, enable it at boot, then watch the logs :
systemctl start dhcpd.service
systemctl enable dhcpd.service
tail -f /var/log/messages
Boot a client whose MAC address is 08:00:27:96:79:db :
May 20 16:19:13 localhost dhcpd: DHCPDISCOVER from 08:00:27:96:79:db via enp0s8
May 20 16:19:23 localhost dhcpd: server.sphen.fr: host unknown.
May 20 16:19:23 localhost dhcpd: DHCPOFFER on 172.16.0.2 to 08:00:27:96:79:db via enp0s8
May 20 16:19:23 localhost dhcpd: DHCPDISCOVER from 08:00:27:96:79:db via enp0s8
May 20 16:19:23 localhost dhcpd: DHCPOFFER on 172.16.0.2 to 08:00:27:96:79:db via enp0s8
May 20 16:19:23 localhost dhcpd: Dynamic and static leases present for 172.16.0.2.
May 20 16:19:23 localhost dhcpd: Remove host declaration client1 or remove 172.16.0.2
May 20 16:19:23 localhost dhcpd: from the dynamic address pool for 172.16.0.0/24
May 20 16:19:23 localhost dhcpd: DHCPREQUEST for 172.16.0.2 (172.16.0.1) from 08:00:27:96:79:db via enp0s8
May 20 16:19:23 localhost dhcpd: DHCPACK on 172.16.0.2 to 08:00:27:96:79:db via enp0s8
Two warnings in this log deserve attention. "server.sphen.fr: host unknown" means the hostname given to option domain-name-servers did not resolve when dhcpd started; give the DNS server by IP address, or make sure the name resolves on the DHCP server itself. "Dynamic and static leases present for 172.16.0.2" means the fixed-address of client1 lies inside the dynamic range; keep fixed addresses out of the dynamic pool (for example range 172.16.0.10 172.16.0.30;), otherwise the same address can be leased to another client. On the client side no specific configuration is needed; just remove any ifcfg file for the interface in network-scripts so that it falls back to DHCP.
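As an added example (not part of the original page), here is a small shell check that catches both warnings above in any dhcpd.conf before the daemon is started : a fixed-address that falls inside a dynamic range, and a domain-name-servers value given as a hostname. The two configurations it is run on are constructed copies of this page's first configuration and of a corrected variant; only the dhcpd.conf statements used on this page are parsed.

```shell
#!/bin/sh
# Added example: static checks on an ISC dhcpd.conf (not code from the original page).
# Reports fixed-address values inside a dynamic range ("Dynamic and static leases present")
# and domain-name-servers given as names ("host unknown" when they do not resolve at start).

# dhcp_check <dhcpd.conf> : one finding per line, exit status 1 if anything was found
dhcp_check() {
    awk '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function isip(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
    {
        sub(/#.*/, "")                      # strip comments
        gsub(/;/, " ")                      # statement terminators are noise here
        if ($1 == "host") host = $2         # remember which host block we are in
        else if ($1 == "range") {
            a = $2; b = $3
            if (a == "dynamic-bootp") { a = $3; b = $4 }
            if (!isip(a)) next
            nr++; lo[nr] = ip2int(a); hi[nr] = isip(b) ? ip2int(b) : lo[nr]
            txt[nr] = isip(b) ? a "-" b : a
        } else if ($1 == "fixed-address") {
            v = $2; gsub(/,/, "", v)
            if (isip(v)) { nf++; fip[nf] = v; fhost[nf] = host }
        } else if ($1 == "option" && $2 == "domain-name-servers") {
            for (i = 3; i <= NF; i++) {
                v = $i; gsub(/,/, "", v)
                if (v != "" && !isip(v)) { print "DNS_NOT_IP " v; bad++ }
            }
        }
    }
    END {
        for (f = 1; f <= nf; f++) {
            n = ip2int(fip[f])
            for (r = 1; r <= nr; r++)
                if (n >= lo[r] && n <= hi[r]) { print "OVERLAP " fhost[f] " " fip[f] " in range " txt[r]; bad++ }
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the configuration from the first part of this page, as dhcpd saw it
sample_overlapping_conf() {
    cat <<'EOF'
option domain-name "sphen.fr";
option domain-name-servers server.sphen.fr;
authoritative;
subnet 172.16.0.0 netmask 255.255.255.0 {
  range 172.16.0.2 172.16.0.30;
  option routers 172.16.0.1;
  host client1 {
    hardware ethernet 08:00:27:96:79:db;
    fixed-address 172.16.0.2;
  }
}
EOF
}

# Constructed sample: same subnet, fixed host kept out of the pool, DNS given by address
sample_clean_conf() {
    cat <<'EOF'
option domain-name "sphen.fr";
option domain-name-servers 172.16.0.1;
authoritative;
subnet 172.16.0.0 netmask 255.255.255.0 {
  range 172.16.0.10 172.16.0.30;
  host client1 {
    hardware ethernet 08:00:27:96:79:db;
    fixed-address 172.16.0.2;
  }
}
EOF
}

tmp=$(mktemp)
sample_overlapping_conf > "$tmp"
echo "== overlapping sample =="; dhcp_check "$tmp" || echo "(findings above)"
sample_clean_conf > "$tmp"
echo "== clean sample =="; dhcp_check "$tmp" && echo "(no findings)"
rm -f "$tmp"
```

Run it as dhcp_check /etc/dhcp/dhcpd.conf before systemctl start dhcpd; a non-zero exit status means at least one finding was printed.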
====== PXE server ======
External resources :
* http://www.unixmen.com/install-pxe-server-centos-7/
* http://www.petenetlive.com/KB/Article/0000998.htm
I used the CentOS-7-x86_64-Minimal-1503-01.iso image.
Add next-server and filename to the DHCP configuration, so that PXE clients know where to fetch the boot loader :
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
option domain-name "sphen.fr";
option domain-name-servers server.sphen.fr; # must resolve when dhcpd starts, or give the IP
authoritative;
subnet 172.16.0.0 netmask 255.255.255.0 {
  # dynamic pool: the PXE server (.2) and the fixed hosts (.3) stay outside of it
  range 172.16.0.10 172.16.0.30;
  option domain-name-servers server.sphen.fr;
  option domain-name "sphen.fr";
  option routers 172.16.0.1;
  option broadcast-address 172.16.0.255;
  default-lease-time 600;
  max-lease-time 7200;
  next-server 172.16.0.2; # pxe server ip
  filename "pxelinux.0";
  host client1 {
    hardware ethernet 08:00:27:A5:CD:D7;
    fixed-address 172.16.0.3;
  }
}
yum install tftp tftp-server xinetd -y
vi /etc/xinetd.d/tftp
The only change is on the server_args line : -s serves /var/lib/tftpboot as the TFTP root. Do not add -c (it lets any anonymous client create files in the TFTP root); PXE clients only read.
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
The TFTP root only has to be readable (the linked tutorials run chmod 777 and setsebool -P tftp_anon_write 1; both only matter for clients uploading files and are not needed here) :
chmod 755 /var/lib/tftpboot
Firewall : TFTP (UDP port 69) and FTP (TCP port 21 plus the passive data ports) must be allowed through iptables/firewalld on this host.
systemctl start xinetd
systemctl enable xinetd
yum install syslinux wget vsftpd
cp -v /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot
cp -v /usr/share/syslinux/menu.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/memdisk /var/lib/tftpboot
cp -v /usr/share/syslinux/mboot.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/chain.c32 /var/lib/tftpboot
mkdir /var/lib/tftpboot/pxelinux.cfg
mkdir -p /var/lib/tftpboot/netboot/
mkdir /var/ftp/pub/iso
mount CentOS-7-x86_64-Minimal-1503-01.iso /var/ftp/pub/iso/
cp /var/ftp/pub/iso/images/pxeboot/vmlinuz /var/lib/tftpboot/netboot/
cp /var/ftp/pub/iso/images/pxeboot/initrd.img /var/lib/tftpboot/netboot/
vim /var/ftp/pub/ks.cfg
#version=RHEL7
# System authorization information
auth --enableshadow --passalgo=sha512
# Installation source : the ISO exported by the local FTP server, the same as inst.repo in the PXE menu below (a public mirror would require Internet access from the nodes)
url --url="ftp://172.16.0.2/pub/iso"
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=fr --xlayouts='fr'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=enp0s3 --ipv6=auto --activate
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$RpI6GoKThfq1sVgx$j1p7R7q9YEltgrHAlKwjYz3HNtPtTrlRJOZi2ZGaEVaIjQAXbxVhfbi0Puyebd7Ke5vzROh33wwc08yesm08e1
# System services
services --enabled="chronyd"
# System timezone
timezone Europe/Paris --isUtc
user --name=sphen --password=$6$3/q7MhkzKtgrWHLq$3Kf7w0bG7yVIh6QI8UCLxK/q/L7CPYVCzmlQJPSgAEB4rAPgQlqFSKltqCxgYsyxyQrcapJaxHlljn5I1STFU1 --iscrypted --gecos="sphen"
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
autopart --type=lvm
# Partition clearing information
clearpart --all --initlabel --drives=sda
# Reboot after installation?
reboot
%packages
@core
chrony
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
vi /var/lib/tftpboot/pxelinux.cfg/default
default menu.c32
prompt 0
# timeout is in tenths of a second: the menu waits 3 s before booting the default entry
timeout 30
MENU TITLE unixme.com PXE Menu
LABEL centos7_x64
  MENU LABEL CentOS 7 X64
  KERNEL /netboot/vmlinuz
  APPEND initrd=/netboot/initrd.img inst.repo=ftp://172.16.0.2/pub/iso ks=ftp://172.16.0.2/pub/ks.cfg
systemctl start xinetd
systemctl start vsftpd
systemctl enable xinetd vsftpd
systemctl status xinetd vsftpd
Notes (to be written up) :
* Global : domain sphen.local
* Master : generate the root password hash, generate the ssh key
====== Vital Pets ======
First of all, we will install the vital pets, i.e. the minimal services needed to deploy and run the cluster. In this first part, we assume that you have already done minimal OS installations with static IPs, so that the following hosts (without any further configuration) are listening on ssh :
* 10.0.0.20 (will be repository)
* 10.0.0.30 (will be dhcp)
* 10.0.0.40 (will be pxe/kickstart)
* 10.0.0.50 (will be dns)
* 10.0.0.60 (will be slurmctld)
Other servers will be deployed next, but these are the absolute minimum needed to run parallel jobs.
===== Repository server =====
The repository server offers to all other systems the packages needed for software installation. This local repository will host a copy of the CentOS 7 Everything DVD, but also other home-made packages (slurm, munge), and/or any other repository you need (CentOS updates, EPEL, etc).
First, let's push root master key :
cat .ssh/id_rsa.pub | ssh 10.0.0.20 " mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/* ; restorecon -R -v ~/.ssh "
Now, ssh to the node, set the local hostname and configure a red prompt for the root shell, then reboot :
ssh 10.0.0.20
hostnamectl set-hostname repo0
echo 'PS1="\[\e[01;31m\]\h:\w#\[\e[00;m\] "' >> /root/.bashrc
reboot
When the node is up again (ping it if impatient), push the CentOS 7 Everything DVD using scp (adapt to your CentOS version) :
scp /root/iso/CentOS-7-x86_64-Everything-1503-01.iso root@10.0.0.20:/root
When done, ssh to the node. We will mount the DVD and install a few packages by hand (no repository is available yet), then start vsftpd (the FTP server that will share the packages with the other hosts) :
mount -o loop,ro /root/CentOS-7-x86_64-Everything-1503-01.iso /mnt
cd /mnt/Packages/
rpm -ivh vsftpd-3.0.2-9.el7.x86_64.rpm
systemctl enable vsftpd
systemctl start vsftpd
rpm -ivh libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
rpm -ivh deltarpm-3.6-3.el7.x86_64.rpm
rpm -ivh python-deltarpm-3.6-3.el7.x86_64.rpm
rpm -ivh createrepo-0.9.9-23.el7.noarch.rpm
Let's copy the CentOS packages from the ISO and build the repository metadata. It may take some time depending on your machine. Later, when you add packages to the repository, refresh the metadata with the same command plus --update (createrepo --update /var/ftp/pub/localrepo/) :
mkdir /var/ftp/pub/localrepo
chmod -R 0755 /var/ftp/pub/localrepo
cp -a /mnt/Packages/*.rpm /var/ftp/pub/localrepo/
createrepo -v /var/ftp/pub/localrepo/
restorecon -R /var/ftp
Packages are available and the repository is ready. We now need to add a repository file so that the local system knows where the packages are. Note that gpgcheck=0 in the file below turns off RPM signature verification for this repository : the CentOS packages are signed and their key is already installed at /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7, so you can set gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 as long as the home-made packages (slurm, munge) are signed with a key you import too; otherwise keep them in a separate repository.
vi /etc/yum.repos.d/localrepo.repo
And add the following in the file :
[localrepo]
name=Sphen Local Repo
baseurl=file:///var/ftp/pub/localrepo
gpgcheck=0
enabled=1
Save, and set file rights :
chown root:root /etc/yum.repos.d/localrepo.repo
chmod 0640 /etc/yum.repos.d/localrepo.repo
We will remove the original CentOS repository files, but for safety, let's back them up first, then refresh yum :
mkdir /etc/yum.repos.d.old/
mv /etc/yum.repos.d/CentOS-* /etc/yum.repos.d.old
yum clean all
yum update
To finish, we will do something not recommended, but the security part will be covered later, and for this tutorial it makes things easier : we will disable the firewall and set SELinux to permissive mode (do not disable it : in permissive mode denials are still logged in /var/log/audit/audit.log, which is what lets you build a working policy later).
First, edit the /etc/selinux/config file and replace enforcing with permissive, like this :
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
And disable the firewalld service (we will replace it with iptables in the security part of this tutorial) :
systemctl disable firewalld
systemctl stop firewalld
Remember these last actions, we will do the same on the other servers.
Unmount the CentOS 7 Everything ISO, and remove it if you want to save disk space :
umount /mnt
rm /root/CentOS-7-x86_64-Everything-1503-01.iso
Now reboot the host, it is ready for production.
===== Dhcp server =====
The DHCP server assigns IP addresses to compute nodes and login nodes. It is the first server seen by a new node booting in PXE for installation : it tells the node where the PXE server and the DNS server are.
In this configuration, we assume you know the MAC addresses of your nodes (they should be provided by the manufacturer). Now that the repository server is set up, things should be easier.
As for the repository, push the root key, set the hostname and the red root prompt, and reboot :
cat .ssh/id_rsa.pub | ssh 10.0.0.30 " mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/* ; restorecon -R -v ~/.ssh "
ssh 10.0.0.30
hostnamectl set-hostname dhcp0
echo 'PS1="\[\e[01;31m\]\h:\w#\[\e[00;m\] "' >> /root/.bashrc
reboot
Now, as for the repository, set SELinux to permissive and disable firewalld (see the repository server section above).\\
Then, add the repository file so that this server can fetch packages from the repository server :
vi /etc/yum.repos.d/localrepo.repo
The file is slightly different from before, because the packages are no longer local but on the FTP server :
[localrepo]
name=Sphen Local Repo
baseurl=ftp://10.0.0.20/pub/localrepo
gpgcheck=0
enabled=1
Then set the file rights, and move the default CentOS repository files out of the way :
chown root:root /etc/yum.repos.d/localrepo.repo
chmod 0640 /etc/yum.repos.d/localrepo.repo
mkdir /etc/yum.repos.d.old/
mv /etc/yum.repos.d/CentOS-* /etc/yum.repos.d.old
yum clean all
yum update
Time to install the DHCP server (the package is named dhcp, the daemon dhcpd) :
yum install dhcp
Do not start it yet, let's configure it first. The configuration file is /etc/dhcp/dhcpd.conf. Paste the following :
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
authoritative;
subnet 10.0.0.0 netmask 255.255.0.0 {
  # Dynamic pools. Every fixed-address below must stay outside of them, otherwise dhcpd
  # logs "Dynamic and static leases present" and the address can be leased to another client.
  # range 10.0.1.0 10.0.1.254; # storage, should be static
  range 10.0.2.100 10.0.2.254; # login
  range 10.0.3.100 10.0.4.254; # compute
  option domain-name "sphen.local";
  option domain-name-servers 10.0.0.50; # dns ip
  option routers 10.0.0.30; # dhcp ip (only useful if this host really routes for the nodes)
  option broadcast-address 10.0.255.255;
  default-lease-time 600;
  max-lease-time 7200;
  next-server 10.0.0.40; # pxe server ip
  filename "pxelinux.0";
  # List of login nodes (names and addresses match the DNS zone)
  host login1 {
    hardware ethernet 08:00:27:18:68:BC;
    fixed-address 10.0.2.1;
  }
  # List of compute nodes
  host node1 {
    hardware ethernet 08:00:27:05:7F:C5;
    fixed-address 10.0.3.1;
  }
}
You can refer to the online documentation (dhcpd.conf(5)) for further explanations. The important parts here are the server addresses, the dynamic ranges, and the list of host MAC addresses with their assigned addresses; fixed addresses must stay out of the dynamic ranges.
To refuse leases to MAC addresses that are not declared in a host block, add deny unknown-clients; inside the subnet declaration. With use-host-decl-names on; dhcpd also sends each declared host its host-block name as its hostname.
When booting in PXE mode, the node will receive all the server addresses.
Now, you can start and enable the dhcp service :
systemctl enable dhcpd.service
systemctl start dhcpd.service
Reboot the node, it is ready for production.
===== Pxe server =====
The PXE server hosts the minimal kernel and initrd for PXE booting, the kickstart file telling remote hosts how they should be installed, and the CentOS 7 minimal ISO for package distribution during installation.
As for all servers, push the root ssh key, set the hostname (pxe0) and the red prompt, and reboot. Then, as for the DHCP server, set SELinux to permissive, disable firewalld, and add the local repository.
Now, from master host, push the centos 7 minimal iso on this server :
scp /root/iso/CentOS-7-x86_64-Minimal-1503-01.iso root@10.0.0.40:/root
Ssh to the host, and mount the ISO :
mount -o loop,ro /root/CentOS-7-x86_64-Minimal-1503-01.iso /mnt
Install the needed services :
yum install tftp tftp-server xinetd
Let's configure the TFTP server, the file is /etc/xinetd.d/tftp. The only change is on the server_args line : -s serves /var/lib/tftpboot as the TFTP root. Do not add -c (it lets any anonymous client create files in the TFTP root); PXE clients only read :
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
Now run restorecon just in case, and start the service :
restorecon /etc/xinetd.d/tftp
systemctl start xinetd
systemctl enable xinetd
Now, let's install the PXE files :
yum install syslinux wget vsftpd
Copy needed files into desired locations :
cp -v /usr/share/syslinux/pxelinux.0 /var/lib/tftpboot
cp -v /usr/share/syslinux/menu.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/memdisk /var/lib/tftpboot
cp -v /usr/share/syslinux/mboot.c32 /var/lib/tftpboot
cp -v /usr/share/syslinux/chain.c32 /var/lib/tftpboot
mkdir /var/lib/tftpboot/pxelinux.cfg
mkdir /var/lib/tftpboot/netboot/
mkdir /var/ftp/pub/iso
cp /mnt/images/pxeboot/vmlinuz /var/lib/tftpboot/netboot/
cp /mnt/images/pxeboot/initrd.img /var/lib/tftpboot/netboot/
restorecon -R /var/lib/tftpboot
cp -Rv /mnt/* /var/ftp/pub/iso/
restorecon -R /var/ftp/pub/
Now add kickstart and pxelinux files as following :
vi /var/ftp/pub/ks.cfg
And add :
#version=RHEL7
# System authorization information
auth --enableshadow --passalgo=sha512
# Do not use graphical install
text
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=fr --xlayouts='fr'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=enp0s3 --ipv6=auto --activate
# Placeholder name: the real hostname comes from the DHCP server (use-host-decl-names on; in dhcpd.conf) or is set in %post
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$rJ2xMRxbzIk6pBjL$fSClcUjfftsd7WLdilG6FVgjtcN1y5g3Dpl0Z2NQVHcNgWNgQmI1xU5L8ullHv59sLsmbRQAGj8KMP1H1Sg3Q.
# System timezone
timezone Europe/Paris --isUtc
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
autopart --type=lvm
# Partition clearing information
clearpart --all --initlabel --drives=sda
# Reboot after installation?
reboot
%packages
@core
%end
%post
mkdir /root/.ssh
cat << xxEOFxx >> /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/D8djP1pi56KQokGb3V2KWU7sEFP4oHNh7MlKPp4ZdkQUa7wfR3xbsDYiEN+UrF9AEHGqUF3DHhJMhj+soXuBysIIimZyDLPn5GoHanQ/FtjKPVpiRpTcxprDVtuhcDOKbl58aSXCsfDM3cahUm0Y0Jk+Dp84NDWc7Ve0SOtCgWchYmgJUExYNBDWFPcZSRs20nQZ2aShFZemqzkKY2cgIR5PYvdwr+A9ZCrjNkmW02K2gk+qRdIYW2sVmMictmY6KrrbtYIiucsSpC805wGk+V4+DkDOJek9a9EH0/6n0CShXVjpXjsbJ9/Y4xA/qIBl7oizEImsZ8rYCT4pkz/ root@ansiblemaster.sphen
xxEOFxx
restorecon -R -v /root/.ssh
echo 'PS1="\[\e[01;31m\]\h:\w#\[\e[00;m\] "' >> /root/.bashrc
%end
A few important comments :
* This file matters and should be set up according to your needs.
* Replace "rootpw --iscrypted $6$rJ2xMRxbzIk6p..." by the hash of the root password you wish to set on nodes (a SHA-512 crypt hash, as produced by Python's crypt module with a $6$ salt, or by openssl passwd -6 on recent OpenSSL). Never reuse a hash published in a tutorial, including this one. Refer to the master installation part of this tutorial.
* Replace "ssh-rsa AAAAB3NzaC..." by the public ssh root key we already pushed on each server, and keep /root/.ssh at mode 700 and authorized_keys at 600.
* Replace the keyboard keymap with yours. Here it's fr/azerty; with a qwerty keyboard, choose "us" for both.
* Replace the time zone with yours.
* Adjust partitioning to your needs, here it's automatic LVM.
Now set rights :
chmod 0644 /var/ftp/pub/ks.cfg
restorecon /var/ftp/pub/ks.cfg
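The key push commands used for each server and the %post section of the kickstart above both append the master's public key with >> and leave the permissions to the umask. As an added example (not the page's own code), here is an idempotent version that can be pasted into %post or run over ssh : it refuses anything that is not an OpenSSH public key line, appends the key only if it is absent, and sets the modes sshd requires. The sample key line is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent authorized_keys installation,
# usable from a kickstart %post or over ssh from the master.

# install_authorized_key <home dir> <public key line>
#   returns 0 when the key is present, 2 when the line is not an OpenSSH public key
install_authorized_key() {
    home=$1; key=$2
    case $key in
        'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    dir="$home/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir"
    : >> "$file"
    # append only when the exact line is absent: a second push, or a reinstall through
    # kickstart, must not duplicate it
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
    chmod 700 "$dir"; chmod 600 "$file"           # sshd (StrictModes) rejects looser modes
    # restore SELinux labels when the tool exists; harmless where it does not
    command -v restorecon >/dev/null 2>&1 && restorecon -R "$dir" >/dev/null 2>&1 || true
    return 0
}

# count_key <home dir> <public key line> : how many times the exact line occurs (expected: 1)
count_key() { grep -cxF -- "$2" "$1/.ssh/authorized_keys"; }

# Constructed sample key line (not a valid key); use the output of ssh-keygen on the master
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0000000000000000000 root@ansiblemaster.sphen'

demo=$(mktemp -d)
install_authorized_key "$demo" "$SAMPLE_KEY"
install_authorized_key "$demo" "$SAMPLE_KEY"      # second run is a no-op
echo "occurrences after two installs: $(count_key "$demo" "$SAMPLE_KEY")"
rm -rf "$demo"
```

In %post, call install_authorized_key /root "ssh-rsa AAAA... root@ansiblemaster.sphen" in place of the mkdir/cat/restorecon sequence; over ssh, pipe the function and the call to the remote shell.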
Now the pxelinux file, edit :
vi /var/lib/tftpboot/pxelinux.cfg/default
And add :
default menu.c32
prompt 0
timeout 30
MENU TITLE sphen PXE Menu
LABEL centos7_x64
MENU LABEL CentOS 7 X64
KERNEL /netboot/vmlinuz
  APPEND initrd=/netboot/initrd.img inst.repo=ftp://10.0.0.40/pub/iso ks=ftp://10.0.0.40/pub/ks.cfg
The PXE server is referenced by IP address (10.0.0.40) so that installation works before DNS is up; once DNS is running you can use pxe0.sphen.local here instead, since the installer receives the DNS server from DHCP.
Set rights :
chmod 0644 /var/lib/tftpboot/pxelinux.cfg/default
restorecon /var/lib/tftpboot/pxelinux.cfg/default
Now start servers :
systemctl start vsftpd
systemctl enable vsftpd
systemctl restart xinetd
Adjust rights on tftpboot. in.tftpd drops privileges to an unprivileged user, so directories must remain searchable (execute bit) for others, while nothing needs to be writable by them; a recursive chmod 766 would remove the execute bit from the directories and break every PXE boot :
chmod -R u=rwX,go=rX /var/lib/tftpboot
Reboot the server, it is ready for production.\\
Note : you can now test this part by booting node1 or login1 on PXE. It works without DNS because every server is referenced by IP address.
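Added example, not from the original page : a preflight check to run on the PXE server (for the first-part setup as well as this one) before rebooting a node. It verifies that the files referenced by pxelinux.cfg/default exist, that nothing under the TFTP root is world-writable, that every directory stays searchable by the unprivileged user in.tftpd runs as, and that the xinetd service does not enable uploads with -c. The sample tree and xinetd file it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check of a PXE/TFTP tree.

# pxe_preflight <tftp root> <xinetd tftp service file> : print findings, return 1 if any
pxe_preflight() {
    root=$1; conf=$2; bad=0
    for f in pxelinux.0 menu.c32 pxelinux.cfg/default netboot/vmlinuz netboot/initrd.img; do
        [ -f "$root/$f" ] || { echo "MISSING $root/$f"; bad=1; }
    done
    ww=$(find "$root" -perm -002)               # writable by others: never needed for booting
    [ -z "$ww" ] || { printf 'WORLD_WRITABLE %s\n' $ww; bad=1; }
    nx=$(find "$root" -type d ! -perm -001)     # a recursive chmod 766 ends up here
    [ -z "$nx" ] || { printf 'NOT_SEARCHABLE %s\n' $nx; bad=1; }
    if grep -Eq '^[[:space:]]*server_args[[:space:]]*=.*[[:space:]](-c|--create)([[:space:]]|$)' "$conf"; then
        echo "UPLOAD_ENABLED $conf: drop -c from server_args, PXE clients only read"; bad=1
    fi
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$conf" || { echo "SERVICE_DISABLED $conf"; bad=1; }
    return $bad
}

# build_sample_tree <dir> <server_args> : constructed TFTP tree plus an xinetd file using <server_args>
build_sample_tree() {
    mkdir -p "$1/pxelinux.cfg" "$1/netboot"
    for f in pxelinux.0 menu.c32 pxelinux.cfg/default netboot/vmlinuz netboot/initrd.img; do : > "$1/$f"; done
    cat > "$1.xinetd" <<EOF
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = $2
    disable     = no
}
EOF
}

d=$(mktemp -d)
build_sample_tree "$d/tftpboot" "-c -s $d/tftpboot"     # -c plus chmod 766, as in the tutorials
chmod -R 766 "$d/tftpboot"
echo "== uploads enabled, chmod -R 766 =="; pxe_preflight "$d/tftpboot" "$d/tftpboot.xinetd" || echo "(findings above)"
build_sample_tree "$d/tftpboot" "-s $d/tftpboot"        # read-only service, sane modes
chmod -R u=rwX,go=rX "$d/tftpboot"
echo "== corrected =="; pxe_preflight "$d/tftpboot" "$d/tftpboot.xinetd" && echo "(ok)"
rm -rf "$d"
```

On the real server the call is pxe_preflight /var/lib/tftpboot /etc/xinetd.d/tftp.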
===== Dns server =====
The DNS server provides on the network :
* the IP address for a given hostname
* the hostname for a given IP address
DNS is important as it clearly simplifies system configuration and provides flexibility : using hostnames instead of static IPs, you can change the IP of a server (for maintenance purposes for example) and just adjust the DNS records; the other nodes will not see any difference and production can continue.
First, as for the other servers, push the ssh root key, set the hostname (dns0) and the red root prompt, set SELinux to permissive, disable firewalld, and add the local repository, then reboot.
Install the DNS server package :
yum install bind bind-utils
Now the configuration. It includes 3 files : the main configuration file, the forward zone file and the reverse zone file (you can split them into more files if you wish, not needed in this tutorial).
Main configuration file : /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 10.0.0.50;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 10.0.0.0/16;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "sphen.local" IN {
type master;
file "forward";
allow-update { none; };
};
zone "0.10.in-addr.arpa" IN {
type master;
file "reverse";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Recursion is disabled because no Internet access is available : named only answers for the zones it is authoritative for. The server listens on 10.0.0.50 and allows queries from 10.0.0.0/16.
Our names and addresses are held by the two last zone statements, which refer to two files, forward and reverse, located in /var/named/. The first one is /var/named/forward :
$TTL 86400
@ IN SOA dns0.sphen.local. root.sphen.local. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS dns0.sphen.local.
@ IN A 10.0.0.50
ansiblemaster IN A 10.0.0.10
repo0 IN A 10.0.0.20
dhcp0 IN A 10.0.0.30
pxe0 IN A 10.0.0.40
dns0 IN A 10.0.0.50
slurmctld0 IN A 10.0.0.60
nfs1 IN A 10.0.1.1
login1 IN A 10.0.2.1
node1 IN A 10.0.3.1
The second one is /var/named/reverse. In an in-addr.arpa zone each label is the host part of the address with its octets reversed : the zone origin 0.10.in-addr.arpa already stands for 10.0, so 10.0.0.20 is written 20.0 (not 0.20) and 10.0.2.1 is written 1.2. Only NS and PTR records belong here :
$TTL 86400
@ IN SOA dns0.sphen.local. root.sphen.local. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS dns0.sphen.local.
10.0 IN PTR ansiblemaster.sphen.local.
20.0 IN PTR repo0.sphen.local.
30.0 IN PTR dhcp0.sphen.local.
40.0 IN PTR pxe0.sphen.local.
50.0 IN PTR dns0.sphen.local.
60.0 IN PTR slurmctld0.sphen.local.
1.1 IN PTR nfs1.sphen.local.
1.2 IN PTR login1.sphen.local.
1.3 IN PTR node1.sphen.local.
You can observe the presence of the local domain name, sphen.local, and that all hosts are declared both in forward and reverse order. Bump the serial each time you edit a zone, so that any secondary server picks up the change.
Important : when using tools like dig or nslookup, you need to use the fully qualified name of hosts, for example dig repo0.sphen.local . When using ping, ssh or other tools, repo0 alone is enough thanks to the search line in /etc/resolv.conf.
Set rights on files :
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
Time now to start the service :
systemctl enable named
systemctl start named
Reboot the node, it is ready for production. To make the other hosts use the DNS, ssh to them, disable NetworkManager (if active, it would overwrite the file), and edit the resolver file :
systemctl disable NetworkManager
systemctl stop NetworkManager
Then edit /etc/resolv.conf as follows :
search sphen.local
nameserver 10.0.0.50
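Added example, not from the original page : a cross-check of the forward zone against the reverse zone, to run on dns0 before reloading named. For each A record it expects a PTR that maps the address back to the same name, reports PTRs with no matching A record, and flags records other than PTR in the reverse file. Run on a reverse file whose labels are written in address order (0.20 instead of 20.0 under 0.10.in-addr.arpa) it shows how every host loses its PTR. The zone data embedded below is a constructed subset of the zones above.

```shell
#!/bin/sh
# Added example (not from the original page): forward/reverse zone consistency check for BIND.

# zone_check <forward zone file> <reverse zone file> <domain> <reverse origin as address prefix>
#   e.g. zone_check /var/named/forward /var/named/reverse sphen.local 10.0
zone_check() {
    awk -v dom="$3" -v pfx="$4" '
    NR == FNR {                                  # first file: forward zone, collect A records
        if ($2 == "IN" && $3 == "A" && $1 != "@") { fwd[$1] = $4; byip[$4] = $1 }
        next
    }
    $2 == "IN" && $1 != "@" {                    # second file: reverse zone
        if ($3 == "PTR") {
            n = split($1, o, ".")                # relative label, e.g. "20.0" for 10.0.0.20
            ip = pfx
            for (i = n; i >= 1; i--) ip = ip "." o[i]
            name = $4; sub("\\." dom "\\.$", "", name)
            rev[ip] = name
        } else if ($3 != "NS" && $3 != "SOA") {
            print "NON_PTR_IN_REVERSE " $1 " IN " $3 " " $4; bad++
        }
    }
    END {
        for (h in fwd) {
            ip = fwd[h]
            if (!(ip in rev)) { print "NO_PTR " h " " ip; bad++ }
            else if (rev[ip] != h) { print "PTR_MISMATCH " ip " -> " rev[ip] ", A says " h; bad++ }
        }
        for (ip in rev) if (!(ip in byip)) { print "PTR_WITHOUT_A " ip " -> " rev[ip]; bad++ }
        exit (bad > 0)
    }' "$1" "$2"
}

# Constructed subset of /var/named/forward
sample_forward() {
    cat <<'EOF'
$TTL 86400
@ IN SOA dns0.sphen.local. root.sphen.local. ( 2011071001 3600 1800 604800 86400 )
@ IN NS dns0.sphen.local.
ansiblemaster IN A 10.0.0.10
repo0 IN A 10.0.0.20
dns0 IN A 10.0.0.50
login1 IN A 10.0.2.1
EOF
}
# Constructed reverse zone with labels in address order and a stray A record
sample_reverse_as_on_page() {
    cat <<'EOF'
$TTL 86400
@ IN SOA dns0.sphen.local. root.sphen.local. ( 2011071001 3600 1800 604800 86400 )
@ IN NS dns0.sphen.local.
dns0 IN A 10.0.0.50
0.10 IN PTR ansiblemaster.sphen.local.
0.20 IN PTR repo0.sphen.local.
0.50 IN PTR dns0.sphen.local.
2.1 IN PTR login1.sphen.local.
EOF
}
# Same hosts, labels reversed as in-addr.arpa requires
sample_reverse_fixed() {
    cat <<'EOF'
$TTL 86400
@ IN SOA dns0.sphen.local. root.sphen.local. ( 2011071001 3600 1800 604800 86400 )
@ IN NS dns0.sphen.local.
10.0 IN PTR ansiblemaster.sphen.local.
20.0 IN PTR repo0.sphen.local.
50.0 IN PTR dns0.sphen.local.
1.2 IN PTR login1.sphen.local.
EOF
}

f=$(mktemp); r=$(mktemp)
sample_forward > "$f"
sample_reverse_as_on_page > "$r"
echo "== labels in address order =="; zone_check "$f" "$r" sphen.local 10.0 || echo "(findings above)"
sample_reverse_fixed > "$r"
echo "== labels reversed =="; zone_check "$f" "$r" sphen.local 10.0 && echo "(consistent)"
rm -f "$f" "$r"
```

named-checkzone validates syntax but not this kind of consistency, which is why a forward/reverse mismatch usually only shows up later as a failing reverse lookup in sshd or munge logs.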
===== Ldap server =====
The LDIF fragments below use the placeholder suffix dc=server,dc=world and organisation "Server World"; replace them with your own suffix (for example dc=sphen,dc=local), consistently in every file and in the client configuration. The {SSHA} hashes shown are examples : generate your own with slappasswd and never reuse a hash published in a tutorial.
Install and start slapd with the default database configuration, then generate the manager password hash :
yum install -y openldap-servers openldap-clients
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl start slapd
systemctl status slapd
slappasswd
chrootpw.ldif, the password of the configuration database (use the hash printed by slappasswd) :
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}9I3Jrx9puLpX+8IuG9b13+G/oERcVdbC
chdomain.ldif, the suffix, the manager DN and the access rules of the main database (userPassword is readable by nobody, writable by the manager and by the user, usable by anonymous binds only for authentication; everything else is world readable) :
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=server,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}9I3Jrx9puLpX+8IuG9b13+G/oERcVdbC

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read
basedomain.ldif, the base entry, the manager and the People/Group containers :
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=Manager,dc=server,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=server,dc=world
objectClass: organizationalUnit
ou: Group
ldapuser.ldif, a first POSIX user and its group (userPassword from slappasswd) :
dn: uid=hohoho,ou=People,dc=server,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: hohoho
sn: Linux
userPassword: {SSHA}nrOWUqd64lbklA2HH73QJ3EE8yoQabId
loginShell: /bin/bash
uidNumber: 1011
gidNumber: 1011
homeDirectory: /home/hohoho

dn: cn=hohoho,ou=Group,dc=server,dc=world
objectClass: posixGroup
cn: hohoho
gidNumber: 1011
memberUid: hohoho
mod_ssl.ldif, the certificate settings for slapd :
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
Load the configuration, the schemas and the entries :
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
ldapadd -x -D cn=Manager,dc=server,dc=world -W -f basedomain.ldif
slappasswd
vi ldapuser.ldif
ldapadd -x -D cn=Manager,dc=server,dc=world -W -f ldapuser.ldif
Then the certificate. This one is self-signed and valid 10 years; the passphrase is stripped from the key so that slapd can start unattended, which is why the copied key must be readable by the ldap user only (cp does not preserve the restrictive mode the Makefile gave it) :
cd /etc/pki/tls/certs
make server.key
openssl rsa -in server.key -out server.key
make server.csr
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
cd
mkdir -p /etc/openldap/certs/
cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/
chown ldap. /etc/openldap/certs/server.key /etc/openldap/certs/server.crt /etc/openldap/certs/ca-bundle.crt
chmod 600 /etc/openldap/certs/server.key
vi mod_ssl.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
vi /etc/sysconfig/slapd   # add ldaps:/// to SLAPD_URLS
systemctl restart slapd
Client side (a login node for example) :
yum -y install openldap-clients nss-pam-ldapd
setenforce 0
authconfig --enableldap --enableldapauth --ldapserver=10.0.0.70 --ldapbasedn="dc=server,dc=world" --enablemkhomedir --update
echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf
echo "tls_reqcert allow" >> /etc/nslcd.conf
authconfig --enableldaptls --update
Two caveats. 10.0.0.70 is not declared in the DNS zones above; add A and PTR records for the LDAP server. More importantly, TLS_REQCERT allow (and tls_reqcert allow for nslcd) makes the clients accept any certificate, so anyone able to answer on the network for 10.0.0.70 can pose as the LDAP server and collect the users' password binds. With a self-signed certificate the right way is to copy server.crt to the clients and point TLS_CACERT (ldap.conf) and tls_cacertfile (nslcd.conf) at it, keeping TLS_REQCERT demand.
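Added example, not from the original page : a small audit of the client-side LDAP TLS settings written by the two echo commands above, to run on login and compute nodes. It reports any TLS_REQCERT / tls_reqcert weaker than demand, and a configuration with no CA file to validate the server against (TLS_CACERT, TLS_CACERTDIR or tls_cacertfile). The sample configuration files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit client LDAP TLS settings.

# ldap_tls_audit <file>... : print findings for each ldap.conf / nslcd.conf given, return 1 if any
ldap_tls_audit() {
    bad=0
    for f in "$@"; do
        awk -v f="$f" '
        { sub(/#.*/, "") }                                  # strip comments; keywords are matched case-insensitively
        tolower($1) == "tls_reqcert" { req = tolower($2) }
        tolower($1) ~ /^tls_cacert(dir|file)?$/ { ca = $2 }
        END {
            if (req != "" && req != "demand" && req != "hard") {
                print "WEAK_REQCERT " f ": " req " (any certificate is accepted, use demand)"; bad = 1
            } else if (ca == "") {
                print "NO_CA " f ": no TLS_CACERT/tls_cacertfile, the server certificate cannot be validated"; bad = 1
            }
            exit bad
        }' "$f" || bad=1
    done
    return $bad
}

# Constructed samples: what the echo commands above produce, and a corrected client file
sample_client_conf() {
    case $1 in
        weak)  printf 'URI ldap://10.0.0.70/\nBASE dc=server,dc=world\nTLS_REQCERT allow\n' ;;
        fixed) printf 'URI ldap://10.0.0.70/\nBASE dc=server,dc=world\nTLS_CACERT /etc/openldap/certs/server.crt\nTLS_REQCERT demand\n' ;;
    esac
}

w=$(mktemp); g=$(mktemp)
sample_client_conf weak > "$w"; sample_client_conf fixed > "$g"
echo "== as written above =="; ldap_tls_audit "$w" || echo "(findings above)"
echo "== corrected =="; ldap_tls_audit "$g" && echo "(ok)"
rm -f "$w" "$g"
```

On a node the call is ldap_tls_audit /etc/openldap/ldap.conf /etc/nslcd.conf; run it after every authconfig --update, which rewrites both files.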
===== Slurm server =====
Covered on a separate page :
===== nfs storage =====
In this tutorial, a simple NFSv4 storage will be used, to store /home for users, /soft for software and libraries, and /scratch for computations.
Of course, using a single NFS server for /scratch is absurd, but enough for this tutorial. Distributed file systems will be discussed later.