NC State University

Realm Linux Frequently Asked Questions. If you have questions and answers that should be included here please add them.

Introduction to Realm Linux

What is Realm Linux and How Does it Relate to Red Hat Enterprise Linux?

Realm Linux (RL) is Red Hat Enterprise Linux (RHEL). The terminology of "Realm Linux" refers to the name given to the project to build and maintain a managed RHEL deployment at NC State University. Realm Linux comes out of the box with additional configuration such as NCSU's authentication, authorization and network file space as well as additional management tools not present in RHEL. Therefore, any application or vendor that supports RHEL will also support our Realm Linux platform.

What is Realm Linux Designed to Do?

Realm Linux is designed to be a single Linux platform for NC State University. It supports x86 hardware in both 32 bit and 64 bit mode. Realm Linux is suited for lab deployments, workstations for students/faculty/staff, server environments, and cloud based solutions.

The goal of Realm Linux is to create a computing environment where your NCSU authentication grants you access to your files, settings, and applications no matter what physical computer is used. Realm Linux strives to build a unified platform where all machines have the same security model, authentication sources, security errata, and configuration while the local system administrators still have full control over his/her machines. Realm Linux can be rapidly provisioned onto existing hardware or virtual machines with a hands-off and fully automated installation tool. Full configuration management abilities are present in Realm Linux 6 and above.

In cloud based settings Realm Linux fits in at the PaaS (Platform as a Service) level. It facilitates deployment of services and applications without the cost and complexity of managing the underlying software layers.

The long standing goal of Realm Linux is to encourage low cost solutions on campus, allow IT staff to scale out their deployments by automating as many system administration tasks as possible, and allow IT staff to share resources and work together to make a better computing environment.

Does Red Hat Officially Support Realm Linux?

Yes. NC State University has a support contract with Red Hat that provides support for every RHEL machine on campus. As Realm Linux machines are RHEL they are fully covered by vendor support. To inquire about creating a vendor support ticket please open an NCSU SupportTicket.

Where is Realm Linux Being Used?

Realm Linux is used throughout many of OIT's services. Such as MySQL databases, LDAP, Kerberos, NTP, Web Services including www.ncsu.edu, service load balancing, the AFS file system, QIP, Configuration Management, Printing, Nagios Monitoring, MJ2 mailing lists, Cyrus IMAP, License servers, file/data backup systems, PXE, OS Installation services, SSH, SFTP, and other services. OIT's Linux infrastructure serves over 35,000 active users and scales to over 100,000 accounts. The Realm Linux powered web services serve 6 million hits per day.

Colleges and Departments in the university also make use of Realm Linux for various server/service needs as well as faculty/staff workstations and student labs. The College of Engineering has more than 250 Realm Linux lab seats available to students. The College of Physical and Mathematical Sciences has over 100.

Staff, faculty, and students also have the ability to use Realm Linux or parts thereof on their personally owned machines to bring the NCSU computing environment closer to where they are most comfortable working.

The numbers for this FAQ entry were researched on December 21st, 2011.

Who Maintains the Realm Linux Project?

The Realm Linux Project is led by a pair of positions within NCSU's Office of Information Technology. These positions have a primary/secondary relationship. Students and IT staff throughout the university can and do offer contributions, suggestions, and new methodologies in a similar way to any Open Source project. There are multiple people throughout the university with knowledge of how Realm Linux fits together. In a strategic sense, Realm Linux is led by a committee of IT staff and directors from many of the colleges, departments, and other units that make use of Realm Linux.

What Versions of RHEL Are Used with Realm Linux?

A major goal of the Realm Linux Project is to use current versions of RHEL with the most recent security updates and bug fixes. This includes supporting a specific version of Realm Linux throughout Red Hat's timeline of support for the matching RHEL version.

The version numbers for Realm Linux reflect RHEL's versioning scheme. So Realm Linux 6 is RHEL 6. Realm Linux 5 uses RHEL 5.

Why Should I Use Realm Linux Rather than RHEL or Another Distribution?

See The Realm Linux Advantage pages.

Where Is the Realm Linux Documentation?

The documentation to introduce system administrators to running and managing Realm Linux installs can be found in the Realm Linux Administrators' Guide.

What Are the Realm Linux Management Tools?

The Realm Linux Management Tools is a collection of command line tools and a web application that allow departmental system administrators view their installed Realm Linux base, gather statistics, see error reports, and set attributes (such as your printer) that the Configuration Management tool pushes to the machine.

The Realm Linux Management Tools are also known as "RLMTools" and "Project Liquid Dragon."

You can access the web tool at https://secure.linux.ncsu.edu/rlmtools

Realm Linux Technical Overview

What Services Does Realm Linux Setup For Me?

Realm Linux configures the following services out of the box to NCSU specific settings. Please note that this list is not intended to be exhaustive.

Do the Local System Administrators Have Full Control Over Realm Linux Machines?

Yes. The system administrators that setup and configure specific Realm Linux machine have the root password. Your system administrators can make decisions about who can login to these machines, who can become root, and what your policy is for access to the root password.

How Can I Install a Realm Linux Machine?

You can install Realm Linux via the WebKickstart system. See the Realm Linux Administrators' Guide for more information. Permissions to the Realm Linux provisioning systems are normally reserved for full time IT staffers at NCSU. If an exception needs to be made please create a SupportTicket.

Is OpenAFS a Required Part of Realm Linux?

Yes. The AFS filesystem provides home directories for realm users including the system administrators of the machine. Also, certain administrative functions run via the common file system that AFS provides. These include the cron system for the Emergency Mass Maintenance System, root password updates, as well as updates to the list of system administrators that may log into the machine and become root.

What is OpenAFS?

From the http://openafs.org website:

The AFS filesystem provides consistant home directories, applications, project and server space to all Realm Linux machines. Anything stored within AFS is backed up nightly and its possible for users to initiate their own restores from last night's backup.

What Happens If AFS Goes Down?

While any major service outage is more than an annoyance, and the AFS infrastructure is not unique in that context, Realm Linux is designed to handle service outages. One way Realm Linux deals with AFS outages occurs when a user home directory is not available. In this situation, Realm Linux will prompt the user and ask if you wish to continue using a temporary home directory, allowing the user to make as much use of the machine as possible even during large service outages. Automated system administration tasks, such as updating the root password, first check that AFS is operating properly before running tasks that could cause long network timeouts.

Is A Dedicated Network Connection Required?

At this time, a dedicated network connection is required as some Realm Linux services require network connectivity on boot. For this reason Realm Linux is not recommended for lap tops. However, there is work being done to improve how Realm Linux handles temporary and non-dedicated network connections.

What Happens If the Network Goes Down?

If the network goes down Realm Linux will not be able to function properly because Realm Linux requires the verification and authentication of NCSU users through access to LDAP and Kerberos. If this occurs, use the root account at the console to log in and begin repairs. Services running on the host that are not dependent on other network services should be running properly.

Can We Deploy Realm Linux with Hard Drive or Virtual Machine Images?

At present, installation via images is not supported with Realm Linux. During the installation process Realm Linux registers with several services on campus including the Red Hat Network that provide security updates. These services cannot distinguish from multiple image clones. In the Red Hat Network case this is in violation of our Red Hat contract.

A feature request has been logged to create an image that could be used to deploy Realm Linux. Work on this project is not yet completed.

What size VM or Hard Drive Image Does Realm Linux Need to Install?

When installing Realm Linux into a hard drive image you will need an image size of 30GiB for the default partitioning layout. That usually makes for a good starting point. However, you can adjust the partitioning layout in your Web-Kickstart configuration file for larger or smaller disk images. (See WebKickstart/KeyWords for more information about partitioning a logical volumes in your Web-Kickstart configuration file.) It is not recommended that you attempt to install Realm Linux in a 20GiB image or smaller.

Miscellaneous Technical Questions

Why Are Dual Boots with Realm Linux Not Supported?

Inevitably, the user with the dual boot machine will have a primary OS and a secondary OS. The secondary OS spends most of its time as if it is turned off. If that's the Realm Linux boot, it can't communicate with RHN, receive updates, or communicate with the Realm Linux Management Tools. It may need a large set of packages updated and be potentially unsafe on the network. If the machine is off long enough, RHN and the Realm Linux Management Tools may assume that the machine has been deprovisioned and no longer recognize the machine to provide package and configuration updates. This results in a machine that is too different from other Realm Linux machines to have reliable operation and OIT support.

Instead of dual boots, you may want to look into running a VM guest where the host and guests can run simultaneously.

What is the Longest Kerberos Ticket or AFS Token Lifetime?

The default AFS token lifetime is 14 hours and is set by the ticket_lifetime option in /etc/krb5.conf.

As a security feature, the maximum AFS token lifetime is 21 hours and 15 minutes. (Although your kerberos ticket's maximum lifetime is 24 hours.) By default the kreset utility will renew your kerberos tickets and AFS tokens for a full 21 hours and 15 minutes or 1275 minutes. You can specify a time in minutes to kreset like the following.

unity% kreset -l 1275

However, values more than 1275 will not grant longer lifetimes than the maximum.

How do I resize /?

If you've used the default partitioning layout from Web-Kickstart you may need to resize the logical volumes on your machine to full utilize the storage of the local hard drive(s). You can find the device path for each volume and where they are mounted by using the df or mount commands. Let's use / as an example. To resize the logical volume containing that file system to completely fill the unused space you would do the following as root.

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/Volume00-root
                      7.9G  6.1G  1.5G  81% /
...
# lvresize -l+100%FREE /dev/mapper/Volume00-root

Next we need to do an on-line resize of the file system itself.

# resize2fs /dev/mapper/Volume00-root

You can run the vgs command as root to display the list of volume groups on the machine and how much free space they contain.

How Can I Disable the PaperCut Client?

You can disable the PaperCut client on your Realm Linux machines by doing the following as root.

# touch /etc/rc.conf.d/no-papercut

This will prevent the Java client from starting during the login process. However, you will not be able to print to WolfPrint printers. Other printers should be unaffected.

I'm Running Linux Inside VMWare and My Mouse Doesn't Work. What's Wrong?

On RHEL 6 the X drivers provided by the VMWare Tools aren't compatible with the current version of the X server. (As of this writing on 2012/08/29.) These packages conflict with the Red Hat versions preventing the Red Hat versions from being installed. You can confirm this by looking in /var/log/Xorg.0.log and see if there messages like this:

# grep EE /var/log/Xorg.0.log
(EE) Failed to load module "vmware" (module requirement mismatch, 0)
(EE) Failed to load module "vmmouse" (module requirement mismatch, 0)
(EE) No input driver matching `vmmouse'

Other diagnostic messages may be present in the above output as well.

First, remove the VMWare X drivers.

# yum erase vmware-open-vm-tools-xorg-drv-mouse \
    vmware-open-vm-tools-xorg-drv-display

Next, install the Red Hat versions of these drivers.

# yum install xorg-x11-drv-vmware \
    xorg-x11-drv-vmmouse

Finally, restart X. This can be done by logging out and back in again, or by rebooting. Afterwards, your mouse should work normally through the vSphere interface.

A User is Locked Out of SSH, How do I Check and Reset This?

By default Realm Linux enforces two types of rate limiting for new connections on port 22 and port 24. These are the ports we run SSH on. The goal for doing this is to reduce the number of password guessing attempts that a hacker or SSH scanning tool can run against a machine. However, sometimes this can affect a real user.

Realm Linux use the pam_tally2 PAM module to deny attempted logins for a user when they have entered the wrong password multiple times. If a user enters the wrong password more than 10 times then that account will be locked out of that machine for 15 minutes after the last failed attempt. This also means that if the user continues to try the wrong password after the account is locked, it will remain locked until the user stops and waits 15 minutes.

A System Administrator with root privileges on the affected machine can inspect this by looking at the database for this PAM module. Also, the failed attempts counter can be reset like so:

# pam_tally2 -u jjneely
Login           Failures Latest failure     From
jjneely             3    10/26/12 13:52:22  localhost.localdomain
# pam_tally2 -u jjneely --reset
Login           Failures Latest failure     From
jjneely             3    10/26/12 13:52:22  localhost.localdomain
# pam_tally2 -u jjneely
Login           Failures Latest failure     From
jjneely             0    

Realm Linux also rate limits the number of SYN packets destined to ports 22 and 24 by IP address. This blocks specific IP addresses that are attacking the machine by clever use of IPTables rules.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j NCSU-rate-filter
...
-A NCSU-rate-filter -m state --state NEW -s 10.32.1.32/28 -j ACCEPT
-A NCSU-rate-filter -m state --state NEW -s 10.36.1.32/28 -j ACCEPT
-A NCSU-rate-filter -m state --state NEW -m recent --name SSH --set
-A NCSU-rate-filter -m state --state NEW -m recent --name SSH --update --seconds 840 --hitcount 4 -j DROP
-A NCSU-rate-filter -j ACCEPT

The argument for seconds is randomized slightly for each machine. This imposes a rate limit that no single IP address can send more than 3 SYN packets to port 22 in a 10 to 14 minute window. (Here the windows is indeed set to 14 minutes.) As each SSH connection will allow you 3 password tries, this method would lock out a legitimate user after 9 password failures.

There is no easy way to reset the counters used in the IPTables rules other than restarting the firewall service.

# service iptables restart

I recommend that folks do not do this and simply wait out the rate limit.

RealmLinux/FAQ (last edited 2013-06-04 18:39:49 by jjneely)