Installing and Configuring Chrony with Ansible on Rocky 8

If you are using Ansible to configure chrony, a versatile implementation of the Network Time Protocol (NTP), you may want to take a look at the simple playbook below.

- hosts: all
  tasks:

  - name: Install Chrony package
    dnf:
        name: chrony
        state: present
    when: ansible_distribution == "Rocky"

  - name: Configure Chrony servers
    lineinfile:
        path: /etc/chrony.conf
        line: "server sg.pool.ntp.org iburst"
        insertafter: '^#.*server 3.centos.pool.ntp.org iburst'
        state: present
    when: ansible_distribution == "Rocky"

  - name: Enable Chrony service
    service:
        name: chronyd
        state: started
        enabled: yes
    when: ansible_distribution == "Rocky"

You may want to consider Ansible's block feature to improve the code, for example by grouping the three tasks so that the when condition is written once.

Further Read Up:

  1. Grouping Tasks with Block in Ansible

Unable to Install hdf5, hdf5-devel and hdf5-static on Rocky Linux 8.7

If you are doing a dnf install on hdf5 packages, you will notice errors like the one below

nothing provides libsz.so.2()(64bit) needed by hdf5-1.10.5-4.el8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

To resolve the issue, you will need to install and enable PowerTools

Step 1: Install DNF plugins package

dnf install dnf-plugins-core

Step 2: Install EPEL

This is needed because some software built from source requires dependencies that are available in EPEL

dnf install epel-release

Step 3: Enable PowerTools repository on Rocky Linux 8

dnf config-manager --set-enabled powertools

Step 4: Now try installing HDF5

dnf install hdf5 hdf5-devel hdf5-static

Could not load the Qt platform plugin “xcb” in “” even though it was found for Rocky Linux 8

If you encounter this issue

qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: xcb.

You can resolve the issue by installing the xcb package

# dnf install 'xcb*'
Last metadata expiration check: 1:39:51 ago on Tue 09 May 2023 11:47:04 AM +08.
Package xcb-util-0.4.0-10.el8.x86_64 is already installed.
Dependencies resolved.
====================================================================================================================================================================================================================
 Package                                                   Architecture                                 Version                                               Repository                                       Size
====================================================================================================================================================================================================================
Installing:
 xcb-util-image                                            x86_64                                       0.4.0-9.el8                                           appstream                                        20 k
 xcb-util-keysyms                                          x86_64                                       0.4.0-7.el8                                           appstream                                        15 k
 xcb-util-renderutil                                       x86_64                                       0.3.9-10.el8                                          appstream                                        18 k
 xcb-util-wm                                               x86_64                                       0.4.1-12.el8                                          appstream                                        31 k

Transaction Summary
====================================================================================================================================================================================================================
Install  4 Packages

Total download size: 83 k
Installed size: 134 k
Is this ok [y/N]: y

Setting up 2 Gateways with a Default Gateway for most Traffic and the 2nd Gateway for selected Subnet Traffic on Rocky Linux 8

Issues:

Suppose you have 2 network cards, each with its own gateway. The challenge is that you can only have 1 default gateway. How do we work this out?

Solution:

Type the following command

$ ip route show
default via 192.168.1.254 dev eno0 proto static metric 104
192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103
10.10.1.0/24 via 192.168.2.254 dev eno1 proto static metric 103

That means the default route for traffic is via eno0. All traffic passes through the default gateway (192.168.1.254), except traffic for 192.168.2.0/24 and 10.10.1.0/24, which passes through the second gateway (192.168.2.254 on eno1). How do we do it?

Set Default Route for all traffic

To set all traffic through the default gateway, do the following

$ ip route add default via 192.168.1.254 dev eno0 proto static metric 104

Set Selected IP Subnet for 2nd Gateway

$ ip route add 192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103
$ ip route add 10.10.1.0/24 via 192.168.2.254 dev eno1 proto static metric 103

Setting the DNS Correctly for each Network Card

If each of the network cards requires a different DNS, make sure you set the DNS entries in each card's file under /etc/sysconfig/network-scripts

$ vim /etc/sysconfig/network-scripts/ifcfg-eno0
....
....
DEVICE=eno0
ONBOOT=yes
IPADDR=192.168.1.1
GATEWAY=192.168.1.254
DNS1=192.168.1.252
DNS2=192.168.1.253
NETMASK=255.255.255.0

$ vim /etc/sysconfig/network-scripts/ifcfg-eno1
....
....
DEVICE=eno1
ONBOOT=yes
IPADDR=192.168.2.1
GATEWAY=192.168.2.254
DNS1=192.168.2.252
DNS2=192.168.2.253
NETMASK=255.255.255.0

Deleting Route from Table

ip route delete 192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103

Different DNS Servers and Different Domains (For RHEL 8)

You can configure the dnsmasq service and NetworkManager to send DNS queries for a specific domain to a selected DNS server. The information can be found in Chapter 38. Using different DNS servers for different domains.

By default, Red Hat Enterprise Linux (RHEL) sends all DNS requests to the first DNS server specified in the /etc/resolv.conf file. If this server does not reply, RHEL uses the next server in this file.

In environments where one DNS server cannot resolve all domains, administrators can configure RHEL to send DNS requests for a specific domain to a selected DNS server. For example, you can configure one DNS server to resolve queries for example.com and another DNS server to resolve queries for example.net. For all other DNS requests, RHEL uses the DNS server configured in the connection with the default gateway.

Procedure 1: Install dnsmasq package

# dnf install dnsmasq

Procedure 2: Edit the /etc/NetworkManager/NetworkManager.conf file, and set the following entry in the [main] section:

dns=dnsmasq

Procedure 3: Reload the NetworkManager service:

# systemctl reload NetworkManager

Procedure 4: Verify that the nameserver entry in the /etc/resolv.conf file refers to 127.0.0.53:

# cat /etc/resolv.conf
nameserver 127.0.0.1

Procedure 5a: Verify using TCPDump Packet Sniffer

# dnf install tcpdump

Procedure 5b: On one terminal, start tcpdump to capture DNS traffic on all interfaces:

# tcpdump -i any port 53

Procedure 5c: On a different terminal, resolve host names for a domain for which an exception exists and another domain, for example:

# host -t A www.redhat.com
# host -t A www.MyInternalDomain.com

Verify in the tcpdump output that Rocky Linux sends only DNS queries for the www.redhat.com domain to the designated DNS server and through the corresponding interface, and vice versa for the internal domain.
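
The check in Procedure 5c can be scripted. The following is an added example, not part of the original post or of the Red Hat procedure: it reads tcpdump -nn text and lists which upstream servers received queries for a domain. The capture lines are constructed, and 192.168.1.252 and 192.168.2.252 are assumed to be the designated servers for the two domains.

```shell
#!/bin/sh
# Added example: list the upstream DNS servers that received queries for a domain.
# Input is text from: tcpdump -nn -i any port 53   (IPv4 only; -nn keeps IPs and ports numeric)

# dns_servers_for DOMAIN   (capture text on stdin, unique server IPs on stdout)
dns_servers_for() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom) }
        {
            ip = 0                               # locate the "IP" token; newer tcpdump
            for (i = 1; i <= NF; i++)            # prints an interface column before it
                if ($i == "IP") { ip = i; break }
            if (!ip || $(ip + 2) != ">") next
            dst = $(ip + 3)
            if (dst !~ /\.53:$/) next            # keep packets sent to port 53 (queries)
            sub(/\.53:$/, "", dst)
            if (dst ~ /^127\./) next             # local hop to dnsmasq, not an upstream
            for (j = ip + 4; j < NF; j++) {
                if ($j !~ /^[A-Z]+\?$/) continue # query type token such as "A?"
                q = tolower($(j + 1)); sub(/\.$/, "", q)
                n = length(q) - length(dom)
                if (q == dom || (n > 0 && substr(q, n) == ("." dom))) print dst
                break
            }
        }' | sort -u
}

# check_split DOMAIN SERVER   (exit status 0 only if SERVER alone saw the queries)
check_split() {
    [ "$(dns_servers_for "$1")" = "$2" ]
}

# Constructed capture; the 192.168.x.252 servers are assumed designated servers.
sample_capture() { cat <<'EOF'
10:15:01.000101 IP 127.0.0.1.40112 > 127.0.0.1.53: 4242+ A? www.redhat.com. (32)
10:15:01.000352 IP 192.168.1.1.51234 > 192.168.1.252.53: 9001+ A? www.redhat.com. (32)
10:15:01.020871 IP 192.168.1.252.53 > 192.168.1.1.51234: 9001 1/0/0 A 203.0.113.10 (48)
10:15:07.000090 IP 127.0.0.1.40977 > 127.0.0.1.53: 4243+ A? www.MyInternalDomain.com. (42)
10:15:07.000311 IP 192.168.2.1.38022 > 192.168.2.252.53: 9002+ A? www.MyInternalDomain.com. (42)
EOF
}

sample_capture | dns_servers_for redhat.com    # prints 192.168.1.252
```

More than one address in the output for a domain means queries for it also reached a server other than the designated one.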

References:

  1. Chapter 38. Using different DNS servers for different domains
  2. Two Default Gateways on One System
  3. Linux Set up Routing with IP Command

‘abrt-cli status’ timed out is always shown when logging on or changing users

When you log in or switch to a specific user, ‘abrt-cli status’ timed out is always shown

Last login: Mon Dec 19 23:32:58 +08 2022 on pts/21 
'abrt-cli status' timed out

To resolve the issue, check the status of the ‘abrtd’ service. The output will indicate a locked file

# systemctl status abrtd
● abrtd.service - ABRT Automated Bug Reporting Tool
   Loaded: loaded (/usr/lib/systemd/system/abrtd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-19 23:34:58 +08; 2s ago
 Main PID: 273413 (abrtd)
   CGroup: /system.slice/abrtd.service
           └─273413 /usr/sbin/abrtd -d -s

Dec 19 23:34:58 node1 systemd[1]: Started ABRT Automated Bug Reporting Tool.
Dec 19 23:34:58 node1 systemd[1]: Starting ABRT Automated Bug Reporting Tool...
Dec 19 23:34:58 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:34:59 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:34:59 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:35:00 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:35:00 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242

Stop the abrt Service first.

# systemctl stop abrtd

Kill the process holding the lock file (PID 191242 in the log output above)

# kill -9 191242

Start the Service again

# systemctl start abrtd

The Lock File should go away.

# systemctl status abrtd
● abrtd.service - ABRT Automated Bug Reporting Tool
   Loaded: loaded (/usr/lib/systemd/system/abrtd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-19 23:48:02 +08; 4s ago
 Main PID: 334010 (abrtd)
   CGroup: /system.slice/abrtd.service
           └─334010 /usr/sbin/abrtd -d -s

Dec 19 23:48:02 hpc-gekko1 systemd[1]: Started ABRT Automated Bug Reporting Tool.
Dec 19 23:48:02 hpc-gekko1 systemd[1]: Starting ABRT Automated Bug Reporting Tool...
Dec 19 23:48:02 hpc-gekko1 abrtd[334010]: Init complete, entering main loop

Using Ethtool to query Network and Driver Information

Ethtool is a utility for configuration of Network Interface Cards (NICs). This utility allows querying and changing settings such as speed, port, auto-negotiation, PCI locations and checksum offload on many network devices, especially Ethernet devices.

1. Query the specified network device for associated driver information

# ethtool -i ens3f1np1
driver: mlx5_core
version: 5.7-1.0.2
firmware-version: 16.34.1002 (MT_0000000416)
expansion-rom-version:
bus-info: 0000:0f:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes

2. Enable an operator to easily identify the adapter by sight.
This involves blinking one or more LEDs on the specified network port.

# ethtool -p ens3f1np1 5

where the integer 5 is the time in seconds to perform the action.

3. Turn off auto-negotiation and fix the speed at 25 Gb/s

# ethtool -s ens3f1np1 speed 25000 autoneg off duplex full

References:

Red Hat Documentation 11.8. Ethtool

Using firewall-cmd to configure gateways and isolated client network on CentOS-7 and Rocky Linux 8

Objectives:

Compute nodes in an HPC environment are usually physically isolated from the public network. To access the internet, or the company LAN to reach LDAP, they have to route through a gateway, which in small or small-to-medium clusters is often the Head Node or another delegated node. You can use firewall-cmd to route the traffic through the interface facing the internet.

Scenario:

Traffic will be routed through the Head Node’s eno1 (internet facing) from the Head Node’s eno2 (private network). The interconnect eno1 is attached to a switch where the compute nodes are similarly attached. Some

  1. 192.168.1.0/24 is the private network subnet.
  2. 192.168.1.1 is the IP Address of the Head Node
  3. 155.1.1.2 is the IP Address of the external-facing ethernet ie eno1

Check the zones.

# firewall-cmd --list-all-zones

Check the Active Zones

# firewall-cmd --get-active-zones
external
  interfaces: eno2
internal
  interfaces: eno1

Enable masquerade at the Head Node’s External Zone

IP masquerading is a process where one computer acts as an IP gateway for a network. For masquerading, the gateway dynamically looks up the IP of the outgoing interface all the time and replaces the source address in the packets with this address.

You use masquerading if the IP of the outgoing interface can change. A typical use case for masquerading is if a router replaces the private IP addresses, which are not routed on the internet, with the public dynamic IP address of the outgoing interface on the router.

For more information, take a look at 5.10. Configuring IP Address Masquerading

# firewall-cmd --zone=external --query-masquerade 
no
# firewall-cmd --zone=external --add-masquerade --permanent
# firewall-cmd --reload

Compute Nodes at the Private Network 

Assuming that eno1 is connected to the private switch, it is very important that you set the gateway in the compute node’s /etc/sysconfig/network-scripts/ifcfg-eno1

.....
.....
DEVICE=enp47s0f1
ONBOOT=yes
IPADDR=192.168.1.2 #Internal IP Address of the Compute Node
NETMASK=255.255.255.0
GATEWAY=192.168.1.1 #Internal IP Address of the Head Node

Next, you have to put the network interface of the client in the internal zone of firewalld, assuming that eno1 is also used by the client network

# firewall-cmd --zone=internal --change-interface=eno1 --permanent

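You may want to set SELinux to permissive mode. Note that setenforce 0 does not disable SELinux: it switches it to permissive mode, and only until the next reboot.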

# setenforce 0

Configure the Head Node’s External Zone.

For Zoning, do take a look at 5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic

For this setting, we have chosen target “default”

# firewall-cmd --permanent --zone=external --set-target=default

You can configure other settings for the external zone. For example, add the SSH and mDNS services

# firewall-cmd --permanent --zone=external --add-service=ssh
# firewall-cmd --permanent --zone=external --add-service=mdns
# firewall-cmd --runtime-to-permanent
# firewall-cmd --reload

Make sure the right Ethernet card is placed in the right zone. For the external-facing Ethernet card (eno2), you may want to place it in the external zone

# firewall-cmd --zone=external --change-interface=eno2 --permanent

For the internal-facing Ethernet card (eno1), you may want to place it in the internal zone

# firewall-cmd --zone=internal --change-interface=eno1 --permanent

Configure the firewall-Source of Internal Network (eno1)

# firewall-cmd --zone=internal --add-source=192.168.1.0/24

Checking the Settings in the “firewall-cmd --get-active-zones”

# firewall-cmd --get-active-zones
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources: 192.168.1.0/32
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno2
  sources:
  services: dhcpv6-client ssh
  ports: 
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Check the Firewall Status

systemctl status firewalld.service
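
To confirm the zone layout after the steps above, the listing can be checked mechanically. This is an added example, not part of the original post: it parses firewall-cmd --list-all-zones text and reports whether masquerading is on for the zone bound to the external interface and off in the other active zones. The sample listings are constructed, modelled on the output shown above, and eno2 is assumed to be the external interface.

```shell
#!/bin/sh
# Added example: audit "firewall-cmd --list-all-zones" text for the gateway layout.
# Masquerade must be on in the zone bound to the external NIC and off elsewhere.

# audit_zones EXT_IF   (zone listing on stdin, one finding per line on stdout)
audit_zones() {
    awk -v ext="$1" '
        /^[^ \t]/ { zone = $1; active[zone] = ($2 == "(active)"); next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) zone_of[$i] = zone }
        $1 == "masquerade:" { masq[zone] = $2 }
        $1 == "services:"   { $1 = ""; sub(/^ +/, ""); svc[zone] = $0 }
        END {
            if (!(ext in zone_of)) { print "FAIL: " ext " is not bound to any zone"; exit }
            ez = zone_of[ext]
            if (masq[ez] != "yes")
                print "FAIL: masquerade is off in zone " ez " (" ext ")"
            for (z in masq)
                if (z != ez && active[z] && masq[z] == "yes")
                    print "WARN: masquerade is on in zone " z
            # Services reachable from the outside are listed for review.
            print "INFO: zone " ez " (" ext ") exposes: " svc[ez]
        }'
}

# Constructed listing modelled on the output in this post (expected layout).
sample_good() { cat <<'EOF'
internal (active)
  target: default
  interfaces: eno1
  sources: 192.168.1.0/24
  services: dhcpv6-client mdns ssh
  masquerade: no

public (active)
  target: default
  interfaces: eno2
  sources:
  services: dhcpv6-client ssh
  masquerade: yes
EOF
}

# Constructed misconfiguration: the same listing with the masquerade values swapped.
sample_bad() {
    sample_good | sed -e 's/masquerade: no/masquerade: X/' \
                      -e 's/masquerade: yes/masquerade: no/' \
                      -e 's/masquerade: X/masquerade: yes/'
}

sample_bad | audit_zones eno2
```

On the Head Node itself the same function can be fed live data with firewall-cmd --list-all-zones | audit_zones eno2.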

Compiling cmake-3.21.3 on Rocky Linux 8.5

If you are compiling cmake-3.21.3 on Rocky Linux 8.5 and encounter the following issue

-- Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the system variable OPENSSL_ROOT_DIR (missing: OPENSSL_CRYPTO_LIBRARY OPENSSL_INCLUDE_DIR)

The problem is easy to resolve. You just need to install the openssl and openssl-devel packages

# dnf install openssl openssl-devel

You should be able to bootstrap easily.

Alternatively, instead of using ./bootstrap, you can use the traditional configure command

# ./configure --prefix=/usr/local/cmake-3.21.3
# make
# make install

“This system is not registered to Red Hat Insights” after log in to Rocky Linux 8.5

If you see warning messages such as the following after you log in to your Rocky Linux 8.5 system

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

To remove the warning permanently, you can remove the insights-client package

# dnf remove insights-client

Installing MLNX_OFED 5.5-1 on Rocky Linux 8.5

If you are installing MLNX-OFED-5.5-1 on Rocky Linux 8.5, you may want to download the drivers from Nvidia Linux Drivers

Step 1: Installing Prerequisites

# dnf install tk tcsh tcl gcc-gfortran kernel-modules-extra

Step 2a: Installing MLNX on Rocky 8.5

If you just run ./mlnxofedinstall, the installer reports that the operating system is not supported

# ./mlnxofedinstall
Current operation system is not supported!

Step 2b: Force Install with the right distro.

# ./mlnxofedinstall --distro rhel8.5 --force
.....
.....
.....
Device #1:
----------

  Device Type:      ConnectX5
  Part Number:      MCX512F-ACH_Ax_Bx
  Description:      ConnectX-5 EN network interface card; with host management 25GbE Dual-port SFP28; PCIe3.0 x16; ROHS
  PSID:             MT_0000000416
  PCI Device Name:  10:00.0
  Base GUID:        xxxxxxxxxxxx
  Base MAC:         yyyyyyyyyyyy
  Versions:         Current        Available
     FW             16.31.1014     16.32.1010
     PXE            3.6.0403       3.6.0502
     UEFI           14.24.0013     14.25.0017

  Status:           Update required

After installing…….

Restart needed for updates to take effect.
Log File: /tmp/PAl8Z5mkHc
Real log file: /tmp/MLNX_OFED_LINUX.150443.logs/fw_update.log
To load the new driver, run:
/etc/init.d/openibd restart

Step 3: You have to remove and reload the drivers before you can do the /etc/init.d/openibd restart

[root@h00 media]# modprobe -rv ib_isert rpcrdma ib_srpt
rmmod ib_isert
rmmod iscsi_target_mod
rmmod rpcrdma
rmmod ib_srpt
[root@h00 media]# /etc/init.d/openibd restart
Unloading HCA driver:                                      [  OK  ]
Loading HCA driver and Access Layer:                       [  OK  ]

References:

  1. Driver Installation of Mellanox InfiniBand
  2. Mellanox NIC driver: Current Operation System is not supported