Private Athena Workstation Owner's Guide -- Draft(AC-103)

Table of Contents || Revision history || Copyright information

Introduction

Information Systems provides Athena workstations in "public" clusters around the MIT campus. Any MIT student, faculty member, or staff member can obtain an Athena account and log into any of these workstations. (In this context, "public" specifies the MIT community, not the general public.) Upon logging into one of these workstations, the user gains access to his or her files and also to certain Athena-provided services.

Some members of the community also have "private" Athena workstations in their offices or other private areas. These are, by default, configured like workstations in public clusters. They have the same access to Athena services, and logging into these workstations is identical to logging into a workstation in a public cluster. This private workstation may be shared by a few users in the department (for example, a few graduate students working with the same faculty member).

A workstation designated for private use can be configured to provide additional services to those users who log into it, either directly (at the keyboard) or from a remote site. With these software configuration changes, the workstation becomes a customized private workstation. You can configure the software on your workstation to allow remote logins, to personalize the workstation, add software, and to restrict access to the workstation's services.

NOTE: It is against the Athena Public Facilities Rules of Use to customize any public Athena workstation. If you are not sure about the status of a particular workstation, check with your manager, department head, or other appropriate authority.

This document is intended for workstation owners who want to customize and provide ongoing care for their private Athena workstations. This document is not intended to be an introduction to the Athena system. There are several free introductory documents available at the CopyTech Center in 11-004 or see our web site: http://web.mit.edu/olh/.

Athena Support

Hardware Problems: Athena Hardware Hotline

When you buy an Athena workstation through Information Systems, it comes with a one year carry-in warranty which is upgraded to an on-site warranty through Information Systems. If you have hardware problems, the action you take depends on the coverage you chose at the time of purchase.

Unless you are a Minimal Standard Athena (zero-cost) customer, you should still use the Hardware Hotline to make service calls. They also handle problems relating to Athena facilities such as the workstations and printers in the public clusters. They can be contacted as follows:

phone 253-1410
email hotline@mit.edu
hours M-F 8am-10:30pm (at other times, leave a message)

During their business hours, the hotline often uses a pager dispatch system. If you're asked to leave a voice-mail message, provide the information requested, including a phone number where you can be reached. A hotline staffer will be paged, and will contact you as soon as they can.

You should contact the Athena Hardware Hotline if you want to report:

If you suspect a hardware malfunction, but are not sure (i.e., if the problem might actually be software-related), you should first seek out an Athena User Consultant to analyze the situation. Most problems are not hardware problems. If no consultant is available, call the Hardware Hotline. To expedite the process, please provide the following information when reporting a problem:

A customer service representative will contact you and verify the problem on site within two business days. If you call outside of live service hours, leave a message. Staff members monitor the messages fairly frequently in the evenings and on the weekends. (Of course, response is not as rapid as during weekdays.)

Software Problems: Athena User Consultants

If you can't figure something out, if you're stuck, or just curious, you can reach an Athena User Consultant from your Athena workstation. They can be reached as follows:

office W20-021B The basement of the Student Center
phone 253-4435 ("Consulting Hotline")
online type olc at the athena% prompt to connect to On-Line Consulting
URL http://web.mit.edu/consult/

Whether contacted on-line or in person, Athena Consultants can help with questions or problems with supported Athena software. They can also answer more general questions about Athena, such as locations of facilities or whom to contact with administrative questions. NOTE: The Athena Consultants support the public Athena Computing Environment only. They can try to help with private workstation issues, but you should check with your cluster manager or system administrator (if it's someone besides yourself) before customizing or rebooting the machine.

For Faculty and Teaching Assistants: Athena Faculty Liaisons

Informations Systems maintains a Faculty Liaison office to provide the faculty with better assistance in their use of Athena resources for courses, and to help improve the communications between Athena and the MIT faculty.

office N42-040
phone 253-0115
email f_l@mit.edu
URL http://web.mit.edu/acs/www/

Maintaining Your Private Workstation

Becoming Superuser

To perform most customizations on your workstation, you first need to login as superuser"become root." As superuser, you have the necessary privileges to change the software on your workstation's hard disk. Be very careful as the superuser. If you delete enough files (you have the potential as root to do this), you may have to reinstall the workstation's software.

There are two methods of becoming root:

To find out the default root password on Athena workstations, type tellme root at the athena% prompt.

Note: If the workstation is already customized you will get the default password for public workstations and a warning, as shown in the example below, that the workstation has already been customized. Contact the owner or other users of the machine to find out the root password and what changes they have already made to the defaults. 

 athena%  tellme root 
 Warning: This is a private workstation. It may not
 have the Athena root password.

 The Athena root password is default-root-password.
Once you know the root password, use the su (superuser) command:

  athena% cd /
  athena% su - root
  Password:
  melonie.mit.edu#
(When you type the password, it does not show up on the screen.) On some platforms the prompt changes to the name of the workstation followed by a # sign when you become root.

Who Else is Logged In?

When administering a private workstation, it is often important to make sure that no one else is logged in to it. For instance, if you need to shutdown or reboot the machine, you should find out who's logged on (and give them ample warning) before proceeding.

The who command will list all users currently on the machine, and can be run either as a user or superuser. You can zwrite any users and ask them to logout. Also, the shutdown command has provisions for notifying all logged-in users that the machine they are using is about to be shutdown. (See Zephyr on Athena for more on zwrite. Type man shutdown at the athena% prompt for more information about the shutdown command.)

From Public to Private

The first steps in making your workstation private are:

  1. Edit /etc/athena/rc.conf to set the PUBLIC variable to false.
  2. Change the root password.

Step 1: Set PUBLIC=false

To check if PUBLIC is set to false in /etc/athena/rc.conf, type:

  melonie.mit.edu# grep PUBLIC /etc/athena/rc.conf
  PUBLIC=true;    export PUBLIC    # Public workstation?

If PUBLIC is set to true, become root with the su - root command and edit /etc/athena/rc.conf with your favorite text editor (such as emacs. If you get an error like emacs: Command not found, give the full pathnames:

  melonie.mit.edu# /usr/athena/bin/emacs  /etc/athena/rc.conf
Change true to false in the PUBLIC line, and save the file.

If you check the setting as before, PUBLIC should be set to false:

  melonie.mit.edu# grep PUBLIC /etc/athena/rc.conf
  PUBLIC=false;    export PUBLIC    # Public workstation?

Step 2: Changing the Root Password

It is very important to change your root password from the default. The password on public workstations is public knowledge, and should be changed on private workstations to prevent security breaches.

Before changing the root password on your workstation, think of a good, unguessable password. You can read about the guidelines for choosing a good password at http://web.mit.edu/olh/Working/Working.html#passwd_choose.

Next, while you are logged in as root, run the passwd program. Since you are already the superuser, it will not ask you for the old password.

  melonie.mit.edu# /usr/athena/bin/passwd
  Running local password-changing program for root.  
  New password: new-password
  Re-enter new password: new-password
  passwd (SYSTEM): passwd successfully changed for root
  Updating /etc/shadow.local with new passwd entry.
  melonie.mit.edu# exit
Note that passwd updates /etc/shadow.local or /etc/passwd.local for you as appropriate.

Shutting Down and Rebooting Your Workstation

Shutting Down Your Workstation

Athena workstations are typically left running all the time, even when no one is logged in. There are very few reasons you would ever have to turn off the power to your workstation. The most likely are an impending weather disaster or other emergency, a planned power outage, or when moving your workstation from one physical location to another.

A proper shutdown of a workstation has two steps:

CAUTION: Do not turn off the workstation until you have halted it. Turning off workstation power before the machine is halted can have several bad effects, including ruining the disk drive with a permanent loss of much or all of its data.

Use the halt command to halt a workstation (see man halt for details). Login as root and type:

  melonie.mit.edu# cd  /
  melonie.mit.edu# halt
Once the display says system halted you can use the power switch to shut off the power. The power switch is on the front of the machine on SGI's and at the back of the machine on Sun workstations. It is also safe to hit the power button on the front of an SGI once. Hitting the button once will halt the machine and do a clean shutdown. Hitting the button multiple times skips halting the machine and may cause damage.

Rebooting Your Workstation

You often have to reboot after a new Athena software release or an update to a release is installed, or as a quick fix to some workstation problems (e.g., the X Window System isn't running, the mouse doesn't work, the printing daemon isn't working, or everything's frozen). There are two common ways to reboot a workstation: soft and hard. Soft reboot is preferred because it avoids causing damage to the software on the disk. Hard reboot should only be used when soft reboot is not possible, because the hard reboot can cause damage to the filesystem on the local disk.

"Soft" Reboots

Make sure no one else is logged in. Then become root with the su command, and type:

  melonie.mit.edu# cd  /
  melonie.mit.edu# reboot
A message appears and the screen turns different colors. The workstation then runs some self tests, printing lots of system text to the screen. Everything should soon return to normal and the login screen should appear on the display. If you are using an Indy or other older/slower machine, it may take up to 10 minutes for the login screen to appear.

"Hard" reboots

To perform a hard reboot on a Sun workstation, perhaps because the system does not respond to the keyboard, hold the Stop key (on the left side of the keyboard) and press the a key. (This may very well work, even if the keyboard is not doing anything else!) When the ok prompt appears, type boot.

(If you change your mind about booting after you type Stop a, you can type go at the ok prompt to return to your session. You may need to refresh your windows:

  athena% xrefresh

On an SGI workstation there is a small recessed button underneath the power button on the front of the workstation. To do a hard reboot, use an unfolded paperclip to press the small recessed button.

If you encounter any trouble, please contact an Athena Consultant (253-4435) or report the problem to the Athena Hardware Hotline (253-1410).

Booting your workstation single user mode

It's uncommon to render a Sun workstation unbootable, but on Linux Athena workstations it is sometimes the case that you'll need to boot into a single user mode (also known as recovery mode). Single user mode does not bring the machine up on the network, so it is also appropriate for when you need to boot the workstation off network without waiting for the network services to time-out and allow the booting process to continue (or when the processes are failing to time-out for whatever reason).

On a Sun, type boot -s at the ok prompt to boot in single user mode. On a Linux box there are two methods. If you see a lilo: prompt as you are booting up, typing linux single at the prompt and hitting enter will instruct the workstation to boot in single user mode. On newer workstations you should get a menu at boot time which will allow you to make this choice.

When you do this you'll be given a root shell without having to type your password. Since the system is not on the network, files in afs will be unavailable and many services will be turned off.

Backing Up and Restoring Your Files

Although Athena regularly clones your personal locker and backs up all user files to tape, it may not be possible or feasible to restore some files that you permanently delete. Also, Athena does not backup the files that you store on your local hard disk (e.g., under /var). For this reason, we recommend that you make regular backups of any files you store on your local disk. You can backup files onto your own tape, diskette, or other removable media, or use the TSM utility to backup your files over MITnet to a server.

The Athena document Working on Athena (AC-11), http://web.mit.edu/olh/Working/, covers the details of backing up files to removeable media. Please read those notes and establish a backup routine for your files.

TSM

Tivoli Storage Manager (TSM) is an IBM software product that lets you back up and restore, as well as archive and retrieve, the data files on your computer, via a network to an IBM mainframe computer.

At MIT, TSM runs as a client program on Athena workstations (as well as PCs and Macs) over MITnet to the mainframe-managed "tape farm" in W91. It is available to individual users (including students) and network administrators. TSM is intended for backup of files on your local disk, rather than for files stored on the network by AFS.

TSM offers storage under two different retention policies: backup and archive.

Backup

Backup is intended for short-term recovery of the current state of your directories and files after a data disaster (user mistake, machine crash, natural disaster, et cetera). When a new backup copy is made, it is considered active, and the previous copy is classed as inactive. In addition to the active version, the system will keep up to nine previous, inactive versions. This active (most recent) copy is kept indefinitely, while the inactive ones expire after 30 days and are deleted from server storage.

The first time you run a backup, you may specify which directories are to be maintained, and a full copy of those directories will be made. Subsequent backups are incremental, storing only the changes made since the previous backup. You may also register for the server's predefined schedules, to have full or incremental backups run each week.

TSM backup gives limited protection for deleted files, so you need to be careful. Suppose you delete some files (or subdirectories) from a directory for which you are maintaining backups. When you next make a backup of that directory, the system will notice the change and remove all of the inactive copies of those deleted files. The active copy of each deleted file is kept as a safety measure, but for only 60 more days. But after an accidental deletion of a needed file, you'd better recover the file within 2 months or it will be gone for good.

Archive

Archive is intended as long-term storage of particular files of historical interest. In contrast to backups: archives do not depend on the previous copy date; there is no limit on the number of previous versions stored; and instead of a fixed 60 days, you can specify an archive copy's expiration date (up to 1220 days, a little more than three years). Also, archive copies are not subject to the same comparison and removal of currently deleted files.

The document Backup for a Private Athena Workstation: Quick Guide for an Individual User, found at http://web.mit.edu/is/help/adsm/athena.html describes the ADSM utility in detail. Here are some points that may help you decide if ADSM is an appropriate tool for you.

The Computing Help Desk manages ADSM, registers users, and provides telephone and walk-in support for Macintosh (x3-1101) and Windows (x3-1102). For any other operating system, call x3-1104.

Software Updates

Athena staff are continually updating the Athena software and fixing bugs. These changes are collected, tested, and then released to Athena workstations all over campus. Major changes are usually released during the summer; smaller releases, including bug fixes and non-user-visible changes may happen at any time.

Major Athena Releases are announced via the release-announce mailing listand Release Notes are made available before each release. The System Release Notes cover all the technical changes to the system, and the User Release Notes cover the user-visible changes, including any new software, or new versions of existing software.

To subscribe to the release-announce list visit the MIT mailman web interface at:

http://mailman.mit.edu/mailman/listinfo/release-announce

Document Where to get
System Release Notes http://web.mit.edu/olh/Release/
User Release Notes http://web.mit.edu/olh/Release/

To see what version you currently have, look at the last line of the /etc/athena/version file:

  athena% tail -1 /etc/athena/version

It should be in the format:

  Athena Server (SUN4m) Version #.#.# update-time

where #.#.# is the version you are running. If, instead, the last line gives an update time but no version number, your workstation failed to take an update properly. See Problems with Updating.

Getting Athena Software Updates

By default, your workstation updates automatically when an Athena release is ready. To prevent this from happening (in case you install your own versions of system software), you need to change the AUTOUPDATE variable from true to false in /etc/athena/rc.conf.

Once you have done this, whenever a new release is available, a message will be displayed (the message is displayed in the console, if the workstation has had a chance to reactivate between logins, and at boot time):

  The workstation software version (8.2.13) does not match the version
  on the
  system packs (8.2.15).  A new version of software may be available.
  Please contact Athena Operations (x3-1410) to have your workstation
  updated.
We encourage you to take the update as soon as possible (see Updating Your Workstation Manually). If you need help upgrading course software that doesn't work under the new release, the Faculty Liaisons can help.

Updating Your Workstation Manually

Each new Athena release (system update) will either be a major or minor release, and will have its own identifying number, two or three integer fields, separated by periods, eg. 8.1.3, 8.1.4, or 8.2. If a release identifier has only two fields, the third, rightmost field is understood as "0" (8.2 is taken as 8.2.0 and could be followed by 8.2.1). To indicate:

To update your machine manually to the latest Athena software (if you have set AUTOUPDATE to false):

  1. Login as root on the console.

    Make sure no one else is logged in (use who). Shutdown the X Window System by hitting Ctrl-p at the login screen. Then login as root.

    Note: If your workstation is running Linux or this is a minor release, skip to step 4. You do not need to switch from old to new system packs.

  2. Detach the old packs. To detach whatever packs are currently attached, 
      melonie.mit.edu# detach -a

  3. Attach the new packs. To get the name of the correct packs, type: 
      hesinfo hostname cluster
    then select the syslib in the line with the desired version number. For instance, an example from a Sun:
      melonie.mit.edu# hesinfo melonie cluster
  lpr cretaceous
  syslib athena-sun4sys-80 8.0
  syslib public-sunsys
  syslib athena-sun4sys-81 8.1
  syslib athena-sun4sys-82 8.2
    If you want to update to Athena version 8.2, choose the syslib in the last line and attach those packs: 
      melonie.mit.edu# attach -O athena-sun4sys-82
    Note that "-O" above uses a capital letter "O" (i.e., not the number "0").

  4. Start the update process: 
      melonie.mit.edu# /etc/athena/update_ws
    This may ask you to press Return or prompt you for other information. The prompts should be self-explanatory.

  5. Reboot the machine. After the update says it has updated the version number and another # prompt has appeared, type: 
      melonie.mit.edu# reboot -q

When Updates Affect Customizations

When your machine takes a new release, one of the first things it does is search the root disk for non-standard files and replaces standard files with newer versions. Because of this, the process of taking a release destroys any changes you have made to certain system files. In addition, it destroys any non-standard files on the root disk. As a general rule, you should not put critical files on the root disk. If you put non-standard software on your workstation, the recommended place to put it is in /var/local, which is preserved across updates.

To preserve customizations across an update, you can also create a file called /var/server/.private. The .private script (a /bin/sh shell script) runs after the mkserv scripts and further customizes the workstation. For example:

  #!/bin/sh
  echo "Running .private script..."
  echo
  cp -p /var/local/motd /etc/motd
  echo "*loginName: milano" >
  /etc/athena/login/Xlogin.local
This script would copy the file motd from /var/local to /etc, and create the file /etc/athena/login/Xlogin.local with the line *loginName: milano in it. (Use a real username.)

These methods should ensure that your customizations are preserved; however, they may not cover all cases. Making regular backups of your whole workstation cannot be overemphasized.

Linux-Specific Update Problems

It's fairly common for owners of Linux workstations to add extra RPMs to their systems. Sometimes this causes problems taking Athena updates, so it seems worth a note here.

If an RPM that you installed has a dependancy, which would no longer be satisfied after an update, the update will fail. The easiest way to deal with this is to remove the offending RPM, if you notice an update fail, and then proceed with the Athena update. Finally, when you've successfully updated the machine, download and install an up to date version of the package you removed.

To find out which RPMs are installed that aren't part of the release, you can run:

 athena% /etc/athena/rpmupdate -np /dev/null /var/athena/release-rpms
 Erase package ImageMagick-devel
 Erase package ImageMagick-perl

Be careful! The -n is crucial to making sure you don't accidentally remove the extra packages.

To remove a package that you installed with RPM, you'll need to use the --erase option to rpm. For example:

  bash-2.05a# rpm --erase ImageMagick-devel ImageMagick-perl

Even if none of your extra packages cause errors, it's important to keep them up to date, and to check with the distributor periodically for more recent versions. The only packages that will ever update automatically are those which are part of the RedHat distribution. Even for these, you can't count on them updating; if RedHat renames the package, or replaces the functionality in other packages, you will be left with the old one.

Problems with Updating

If a workstation does not update successfully, you might need to rerun the update in order to catch errors. To do this, you must edit the /etc/athena/version file. The update procedure adds lines to the /etc/athena/version file that look like this, customized for Suns or SGIs:

  Athena Workstation (sun4) Version Update update-time
  Athena Workstation (sun4) Version #.#.# update-time
  Athena Server (sun4) Version Update update-time
  Athena Server (sun4) Version #.#.# update-time
  Athena Server (sun4) Version Update update-time
  Athena Server (sun4) Version #.#.# update-time
The "Athena Workstation" lines are appended by the update, the "Athena Server" lines by mkserv. The first "Athena Workstation" line is added when a machine starts updating to a new version; the "Version #.#" line is added when the update finishes successfully. If an update fails, an "Athena Workstation...Version Update" line will be the last line in the version file, and this message appears next time you try to update:

  This system is in the middle of an update.  Please contact Athena
  Operations at x3-1410. Thank you. -Athena Operations
To recover from this problem, use any text editor (e.g. Emacs) to delete the last line of the file /etc/athena/version. Then re-run the update, and watch carefully for errors. (You can look at the file /var/athena/update.log for a record of all the messages generated during the update.) If the update fails again, note the reason and call 253-1410 for assistance.

Customizing Your Workstation via Software

Acquiring Personal Third Party Software

To license and install third party software for educational use on Athena, please contact the Faculty Liaisons (253-0115, e-mail f_l@mit.edu). They will direct you to the appropriate resources for assistance. The rest of this section on acquiring third party software focuses on software intended to be used locally, i.e., on a single machine or local network, and is not available to everyone on Athena. Third party software should never be installed on a public workstation.

You can write to 3partysw@mit.edu with questions about third party software. You can see a list of the software already available on Athena at http://web.mit.edu/acs/www/whereruns.html.

Licensing Software

MIT has volume licensing agreements in place for several software packages. Look at http://web.mit.edu/is/products/vsls/ to see what is currently available. If you require software not currently available, the following guidelines may be of assistance.

To initiate licensing, users should determine which product they want and should negotiate directly with vendor representatives over business terms and prices. You should always ask about academic discounts; many vendors offer these, but not all volunteer the information. Some vendors may be willing to pool individual MIT licenses into a discounted volume license or a site license. It is a good idea to ask about this as well.

It is strongly advised that users get a free evaluation copy of any software intended for use on Athena machines before committing to purchase. There are a number of known cases where third party software cannot be made to run on an Athena machine.

If the vendor does NOT require a signed license, users can license the software directly from the vendor. The users are responsible for honoring the license terms that come with the software ("shrink-wrap license").

If the vendor DOES require a signed license, users should make initial contact with the vendor representative and negotiate business terms as above. They should also get a copy of the proposed license from the vendor. This license should then be sent (along with the requisition and other accompanying paperwork) to be reviewed by an MIT intellectual property attorney. (Call 253-1348 for details.) Under no circumstances should MIT end-users sign licenses on their own.

Installing Third Party Software

Before ordering the software package:

Before installing the software:

Choosing directories in which to install the software:

When you have determined that you can write to all directories required by the installation, follow the vendor's installation instructions.

Installing software as superuser:

Installing RedHat packages on Linux workstations:

It's possible to install RPM packages on Linux workstations using rpm as you would on a non-Athena RedHat Linux system.

To do this, you will need to obtain the appropriate rpm file, become root, and then run: 

  bash-2.05a# rpm -ivh some-package.i386.rpm
  Preparing...                ########################################### [100%]
     1:some-package           ########################################### [100%]
Tips:

Setting Appropriate File Ownership and Permissions

Software installed on the local disk almost always follows the standard UNIX file permission scheme (UFS). Make sure that unauthorized outsiders cannot access the software through network connections or copy it.

Some Pre-login Defaults: Username and MOTD

Setting Default Login Username

You can configure xlogin to automatically fill in a specific username as a default in the login screen of your private workstation. Then that specific user only has to press Return and type his or her password. This can be convenient, for instance, if you have a workstation in your private office and are the sole user of the machine you can set your own username as the default. (Someone else logging in can backspace over the name, or type Ctrl-u, then enter their own username.)

As root, set the default login-screen username by putting a line of the form 

*loginName: username
in the file /etc/athena/login/Xlogin.local (you may need to create this file).

Suppressing the Pre-login MOTD

The pre-login idle screen of any Athena workstation can display a short text as "Message Of The Day" (MOTD) beneath the standard Welcome to Athena banner. You can disable this behavior (i.e., have no extra text message displayed) by putting a line of the following form in the file /etc/athena/login/Xlogin.local (you may need to create this file):

  *showMotd: off

Adding Your Own MOTD

The pre-login message is read from a standard system file maintained in AFS; this allows the system to broadcast important operational messages. You can also specify a second file (to append a local message to the standard text) by putting a line of the following form in the file /etc/athena/login/Xlogin.local:

  *motd2File: motd-filename

Getting Long Kerberos Tickets to Run Batch Jobs

If you need to run a program longer than 10 hours but less than 21 hours (the maximum possible Kerberos ticket lifetime) then you need to get extra-long tickets before you start your job. (See Working on Athena for more information about Kerberos tickets.) Use the kinit command to get these special tickets on your workstation, and use the fsid command to get new AFS tokens:

  athena% kinit -l 1275m $user
  MIT Athena (melonie.mit.edu)
  Kerberos Initialization for "doughboy"
  Kerberos ticket lifetime (minutes): 1275
  Password: <enter your password here>
  athena% fsid -a
  fsid: doughboy mapped
  fsid: matlab mapped
  fsid: library mapped
You need the -l option to kinit to be prompted for a ticket lifetime other than the default; 1275 is the maximum Kerberos ticket lifetime in minutes (about 21 hours). The fsid command gets new AFS tokens that are valid for the lifetime of the Kerberos tickets. Now start your job.

If your job will take longer to run than the maximum Kerberos ticket lifetime, then, in general, you must make a copy of everything the program needs to use during the execution. That is, the software should not try to use anything out of any lockers, or by going through the AFS hierarchy; once your tickets have expired, the program can no longer read or write anything on a remote file system, and your program could die in some unexpected way. This depends on the filesystems your software attempts to contact during the run, since it is possible for owners of lockers to set up the protections such that users without tickets can access the files. Most third party software on Athena (such as MATLAB and Maple) does require that the user have tickets to start it, and many lockers require the user have valid tickets to read or write there.

Giving Users Access to Your Workstation

User Authorization

User authorization has improved significantly from the old method that used the questions from running mkserv remote and editing your password files to control local and remote user authorization for your private workstation. Now the file /etc/athena/access gives you control over who has access to your machine locally and remotely in one simple text file.

In order to limit local access to your machine, all you need to do is create the /etc/athena/access file as outlined below. In that file you can limit local login access to just yourself or or expand it to include other users.

In order allow remote access to your machine, you must run mkserv remote as outlined in the remote access section of this document. Then you can control that access with your /etc/athena/access file as outlined below.

/etc/athena/access

The file /etc/athena/access is used to control remote and local user access to the machine. This access file contains the list of authorized users, with the allowed login permissions for each user: whether local or remote or both. The file can also reference the pre-existing list of users in the /etc/passwd file. A sample /etc/athena/access file might look like this:

  ##########################################################################
  # /etc/athena/access for Joe User's workstation MELONIE.MIT.EDU
  joeuser     lr
  janeuser    lr
  # Don't let Badminton T. Guyerson  log in anymore!
  badguy      -- Sorry Badguy, you are not allowed to login here.
  *inpasswd   l  Access allowed from Joe User's office, not remotely.
  *           -- This is a private workstation. Questions to
  <joeuser@mit.edu>
In this example, joeuser and janeuser both have local and remote access. The user badguy is explicitly given no access, and he gets the special message shown whenever he tries to login. The field "*inpasswd" controls permissions for users listed in /etc/passwd, who in this case are given local login permission only. Finally, "*" matches any other username; those users are given no access to this workstation, and will see an e-mail address in case they need to contact Joe User about their status. In general then, whitespace-delimited fields in each line are:

  1. the first field in each line specifies a user,
  2. the second field lists access bits, where
    • "r" = remote
    • "l" = local
    • "L" = the account is local (Athena-specific login activities are supressed)
    • "-" is a placeholder for "no access bits," (i.e. login not allowed)
  3. any additional whitespace followed by text will be displayed to users who are not allowed to login
In addition, any lines beginning with "#" are ignored as comments. See man access for more about this file.

Creating Local Accounts for Athena Users

Many private workstation owners use the local hard disk to set up local accounts for certain users. This can give users extra storage space beyond their Athena locker quota. Note that once users begin using their local workstation storage, they are responsible for backing up their own files. (See Backing Up and Restoring Your Files.) Athena will not and cannot automatically back up this filespace. Make sure each user is aware of the backup situation.

Also note that Information Systems will not support local accounts for users who do not have Athena accounts. An experienced UNIX administrator who wishes to create, and be responsible for, such local accounts can refer to the man pages for useradd and access for some of the information they will need. The rest of this section concerns creating accounts for users who already have Athena accounts.

The procedure for creating a permanent local account involves two main tasks:

There's also a more simple proceedure, if you wish to create a local account for a user who won't need a local home directory, nor will need to leave jobs running after he logs out. This is described in Section 5.5.1, User authorization.

Otherwise, here are the steps:

  1. Become root.

  2. Check to see if the file /etc/passwd.local exists.

      ls /etc

    If it does not alredy exist, create it by making a copy of /etc/passwd.

       cp /etc/passwd /etc/passwd.local

  3. Get the user's password entry from the Hesiod nameservice; add it to the local database.
      hesinfo username passwd >>
  /etc/passwd.local

  melonie.mit.edu# hesinfo cmonster passwd >>
  /etc/passwd.local

  4. Create a local directory for the user in the /var directory. (Reboots and system updates do not affect directories in /var)
      mkdir /var/username

  melonie.mit.edu# mkdir /var/cmonster

  5. Give the user ownership of the new directory. 
      chown username /var/username

  melonie.mit.edu# chown cmonster /var/cmonster

  6. If you want to keep the user's Athena AFS locker as his or her home directory, skip to step 7. To have the user's home directory default to the new local directory instead, change the home directory field in the /etc/password.local file. A password entry contains these fields:
      username:*:uid:gid:User
  name,Nickname,Office,WorkPhone#,HomePhone#:HomeDir:LoginShell
    In this case: 
      cmonster:*:29999:101:Cookie Monster,Cookie,W20-105,5550733,
  :/mit/cmonster:/bin/csh
    replace /mit/cmonster with the directory created on the local disk in step 3:
      cmonster:*:29999:101:Cookie Monster,Cookie,W20-105,5550733,
  :/var/cmonster:/bin/csh
    When the user logs into this private workstation, the home directory is set according to the HomeDir field in the user's password entry, in this case, to /var/cmonster instead of /mit/cmonster. Note: even if the local directory is set here as the default home directory, the user's AFS locker will also be mounted at login.

  7. When you have completed installing the account, the new local directory is empty. The user can now copy "dotfiles" from his or her Athena locker to this local account, or obtain default "dotfiles" from /usr/prototype_user:
      melonie.mit.edu# cp -r /usr/prototype_user
  /var/cmonster

  8. If you have more local accounts to create, repeat this procedure until you have installed them all.

  9. Next copy the .local backup passwd file to the active version:
      melonie.mit.edu# cp /etc/passwd.local /etc/passwd
    This step is needed because whenever your machine reactivates, /etc/passwd.local replaces /etc/passwd, the active version. If you had changed only /etc/passwd.local, your changes would not take effect until the next time your machine reactivated. Note that anyone who was currently logged in would have an entry in /etc/passwd, which would be eliminated when you do this cp command, which could have odd effects for them. That's one reason it's important to make sure that no one else is logged in during this process. (See Who Else is Logged In?)

Note that local hard disks are under UFS instead of AFS, so file permissions work differently. See Working on Athena for details about both kinds of file permissions.

Guidelines for Editing the passwd File

When you change the /etc/passwd or /etc/passwd.local file, be sure to follow these guidelines:

Giving Users Remote Access

This is covered under Using mkserv remote to Allow Remote Logins.

Using mkserv to Add Services

About mkserv

There are a number of useful services that you can add to your private Athena workstation or cluster, for example, the ability to login remotely. It can be difficult to install and maintain these services, as the procedures can vary across platforms. The best way to deal with most of these is the mkserv ("make server") program. Mkserv automates the installation process, and allows workstations to maintain local customizations across release updates.

Of the more than 20 services that mkserv can create, most are used only by Athena operations staff. This document covers the remote access services (including telnet, ssh, and ftp) and the file server knfs.

Note: It is against Athena Rules of Use to perform these mkserv modifications on any public Athena workstation; it is intended for use only by private Athena workstation owners or private Athena cluster managers.

Note: It may take as long as 15 minutes or more for mkserv to run on the SGI. Do not stop mkserv in the middle of adding a service, be patient, adding some services just takes time on an SGI. Stopping the process could cause damage to your machine and should not be attempted.

Preparations for mkserv

To see what services (mkserv options) are already installed on your machine, look at /var/server/.services:

  melonie.mit.edu# cat /var/server/.services
  remote 1.14

If the file /var/server/.services does not exist, there are no mkserv-installed services running on your workstation.

Before using mkserv for the first time, be sure that:

Each time you use mkserv:

Using mkserv

The syntax of the mkserv command is:

  mkserv [-v] [ -service... ] [ service...]
Prefixing a service with a - indicates that the specified service should be removed from the workstation. A service not preceded by the - operator indicates that the service should be added to the workstation. You may mix and match as well as specify multiple services on the same command line.

For convenience, there are three special purpose services. They are:

Obtaining a srvtab or keytab

Some of the server applications enabled by mkserv, including telnetd and knfs, use Kerberos to authenticate the user who connects to your workstation. In order for the Kerberos server to verify that user, your workstation needs a small file that acts as a key. For Kerberos version 4, this file is called a srvtab (pronounced "serve tab"); in version 5, a keytab. Since some of the applications you use may rely on the Kerberos v4 server and others on the v5, you can have both a srvtab and a keytab. These instructions for obtaining and storing a srvtab also apply to a keytab.

You can run the mkserv command before you have installed the srvtab, but you cannot use the service until it is installed.

To get a srvtab, fill out the servtab request form, and request a srvtab for your workstation. They will need to know your username, the machine name, and the type of service:

The Athena Accounts Consultants create the srvtab and notify you by electronic mail when it's ready. This will usually take 3-5 business days. With the srvtab, you will also receive directions for installing it.

As root, copy the srvtab from the specified location into /etc/athena/srvtab. (Some srvtab might belong in a different directory; the specific directory will be in the directions from the Accounts Consultants.)

Change the owner of the srvtab file to "root."

  melonie.mit.edu# cd /etc/athena
  melonie.mit.edu# chown root /etc/athena/srvtab

Change the access mode of the file to 400 (read-only by user "root"):

  melonie.mit.edu# chmod 400 /etc/athena/srvtab
Once you move a srvtab into place, you should change its version. The AFS copy is not completely secure, so changing the version makes certain that an unauthorized eavesdropper doesn't end up with a valid key. To change the version of the srvtab, type:

  melonie.mit.edu# /usr/athena/bin/ksrvutil change -f
  /etc/athena/srvtab
  Principal: rcmd.melonie@ATHENA.MIT.EDU; version 1 
  Changing to version 2.
  Key changed.
  Old keyfile in /etc/athena/srvtab.old.
As long as you didn't get any error messages when you ran this, you don't need to keep the old version /etc/athena/srvtab.old .

You can also create a Kerberos 5 keytab so your machine can accept Kerberos 5 connections. To create the keytab from the srvtab, type: 

  melonie.mit.edu# /usr/athena/etc/ktutil
  ktutil: rst /etc/athena/srvtab
  ktutil: wkt /etc/krb5.keytab
  ktutil: exit

Using mkserv remote to Allow Remote Logins

The mkserv remote option configures your workstation so that users can access it from another machine, via programs like telnet, ssh and ftp. The remote option also lets you specify that access (both local and remote) is restricted to a list of authorized users.

When you run mkserv remote,

  melonie.mit.edu# mkserv remote
  Running /mit/mkserv/services/8.2/remote.add (1.14)
you are asked a series of questions:

  Do you wish to restrict remote access to only those in /etc/passwd
  [no] ==>
  Do you wish to restrict all login access, remote and local, to only
  those in /etc/passwd [no] ==>
  Do you wish to allow users to use access_off to turn off remote
  access? [no] ==>
  Do you wish to require encrypted passwords on remote connections?
  [yes] ==>
The first two questions relate to user authorization and are irrelevant once you create the /etc/athena/access file. That file specifies which users are allowed to access your machine remotely and locally. Follow the instructions in User Authorization to set the personal authorization preferences for your workstation.

The third question controls a privilege users are sometimes given. The fourth affects a network security option.

Finishing mkserv remote

The third question:

  Do you wish to allow users to use access_off to turn off remote
  access? [no] ==>
concerns a command users are sometimes allowed to run. A `yes' answer will let a user who is already logged in prevent other users from sharing the machine by remote login.

The option works by setting the variable ACCESSON=true in /etc/athena/rc.conf. Once this is set, any user can give the command access_off, which prevents other users from logging in. (It won't affect users who are already logged in.) Any logged-in user can turn remote access back on with access_on, otherwise the exclusion remains in effect until everyone logs out and the machine does a full reactivation.

When accesson=false, access_off and access_on have no effect.

The pros and cons of this option should be weighed by each workstation owner, or discussed by the appropriate department or group.

The fourth question:

  Do you wish to require encrypted passwords on remote connections?
  [yes] ==>
is a matter of network security. If the answer is yes, and you probably want it to be yes, the workstation will not allow remote users to log in with cleartext passwords. The use of this option is strongly encouraged to protect users and workstations from any "packet sniffers" and other network evildoers. Current versions of telnet and ssh can comply with this restriction, and users logging in from other Athena workstations will be using these newer, more secure versions. The kerberized versions are also available to the PC/Mac community. (See http://web.mit.edu/is/help/ktelnet/ .)

At this point, mkserv remote finishes running...

  ssh host key already exists.
  Re-pointing root symlinks before synctree...
  Updating /var/server
  Updating root symlinks...
  ===> Remember to change the root password, if you have not
  already done so.
  Update finished.
  The service change requests will take effect upon the next reboot
  of the machine.
  /var/server has been used for the server specific files.
  Do not modify these files as they can be replaced during an update.
  melonie.mit.edu#
...and reminds you to reboot the workstation in order to have the requested changes take effect. In releases before 8.2, these last two questions were not asked. If you had run mkserv remote under previous versions of the Athena release, you should run it again in order to set these last two options. You can also take the opportunity to create an /etc/athena/access file, which will eventually be required in some future Athena release.

Keeping Unwanted Users Out

For various reasons, you may find it desirable to allow a large and unknown number of people to log in, but deny access to specific users. Private workstation owners whose machines are used by a group of people, as in a lab or departmental setting, may find this approach useful.

There are a significant number of users on Athena and non-Athena systems who probe around for remotely-accessible workstations to use when the dialup machines are overloaded. These people may think they are just using "spare" cycles, but in fact, their memory and other resource usage can cause demanding programs to freeze up and ruin the work of the legitimate users on the machine. Keeping such people off of your workstation is simply a matter of finding out who they are and excluding them.

Use the last program to find the list of recent users. For example, to see today's last three logins:

  athena% last -3
  cmonster   pts/4  melonie.mit.edu  Fri Jun  2    13:29
  still logged in
  elves      ttyp0  :0.0             Fri Jun  2    10:07 - 17:52
  (07:45)
  doughboy   pts/0  MACE.LCS.MIT.EDU Fri Jun  2    09:30 - 12:16
  (02:46)
The third column lists the host from which the user connected. Local logins are indicated by :0.0. You can often tell who is not really a privileged user from an unfamiliar host, or by fingering them to see what department they are in.

The logfiles last uses are /var/adm/wtmpx on Sun workstations and /var/log/wtmp on Linux. As of Athena release 8.2, the logfiles are rolled by date: wtmpx is the current one, wtmpx.0 the one previous, et cetera, with wtmpx.10 the oldest. You can list the logfiles to see which one contains information for a particular day, and then point last to that file:

  athena% ls -ltr /var/adm/wtmpx*
  -rw-r--r--   1 root     other	     1488 Dec  5 16:50
  /var/adm/wtmpx.10
  -rw-r--r--   1 root     other	     2604 Dec  6 22:42
  /var/adm/wtmpx.9
  -rw-r--r--   1 root     other	    13764 Dec  7 22:16
  /var/adm/wtmpx.8
  -rw-r--r--   1 root     other	     1488 Dec  8 00:54
  /var/adm/wtmpx.7
  -rw-r--r--   1 root     other	     2976 Dec  9 20:55
  /var/adm/wtmpx.6
  -rw-r--r--   1 root     other	     2232 Dec 10 18:29
  /var/adm/wtmpx.5
  -rw-r--r--   1 root     other	     4836 Dec 11 10:47
  /var/adm/wtmpx.4
  -rw-r--r--   1 root     other	        0 Dec 12 03:32
  /var/adm/wtmpx.3
  -rw-r--r--   1 root     other	        0 Dec 13 03:32
  /var/adm/wtmpx.2
  -rw-r--r--   1 root     other	     2604 Dec 14 18:13
  /var/adm/wtmpx.1
  -rw-r--r--   1 root     other	     2232 Dec 15 18:19
  /var/adm/wtmpx.0
  -rw-r--r--   1 root     other	     1116 Dec 16 11:32 /var/adm/wtmpx

  athena% last -f /var/adm/wtmpx.8
  joeuser   ttyp0       :0.0              Mon Dec  7 16:50 - 22:16
  (05:25)
  reboot    system boot                   Mon Dec  7 16:40
  joeuser   ttyp0       :0.0              Mon Dec  7 16:28 - down
  (00:12)
  reboot    system boot                   Mon Dec  7 16:26
  joeuser   ttyp0       :0.0              Mon Dec  7 16:04 - 16:25
  (00:21)
  joeuser   ttyp0       :0.0              Mon Dec  7 15:56 - 16:03
  (00:07)
  reboot    system boot                   Mon Dec  7 15:53
  joeuser   ttyp0       :0.0              Mon Dec  7 12:07 - down
  (03:45)
If you want to see the information from all of your logfiles, use the following:

  athena% foreach log (/var/adm/wtmpx*)
  foreach? last -f $log
  foreach? end
Once you have identified your unwanted "guests," add them to your /etc/athena/access file with no access bits. (See User Authorization.)

Setting up Applications Enabled by mkserv remote

telnet

Your workstation can receive secure telnet connections using Athena's Kerberized telnetd. This allows users to connect from another machine without sending their password over the net in the clear. To enable this secure feature, contact accounts@mit.edu and request a rcmd.host srvtab (substituting your machine name for host).

Once you obtain and install the srvtab file (see Obtaining a srvtab or keytab), you can reboot and test telnet; try to connect as permitted and non-permitted users.

ssh

After you run mkserv remote, sshd will be in place; you won't need to do anything else to serve ssh connections.

ftp

The file /etc/shells contains a list of the shell programs that your workstation will accept for ftp connections. (A shell is the program that provides your athena% prompt, interprets your commands and passes them along to the operating system.) An ftp user who uses a non-standard shell will be refused connection.

You can find out which shell a user is running from their hesiod information:

  hesinfo username passwd

  athena% hesinfo gscout passwd
  gscout:*:29998:101:Girl Scouts of America,,W20-105,5550733,
  :/mit/gscout:/afs/sipb/project/tcsh/tcsh
Ordinarily, the last field in that entry (i.e., the field after the last colon) specifies their shell. However, if the user has an entry in your workstation's /etc/passwd file, the shell field in that entry will override the one in their hesiod information.

If a user's chosen shell is not listed in /etc/shells, you can:

Some shells may be insecure or otherwise inappropriate (you can ask olc about this). If you don't want to add some particular shell to /etc/shells, for whatever reason, edit /etc/passwd.local instead, and have the user run a more conventional shell.

Anonymous ftp

Anonymous ftp allows any internet user to access certain directories on your workstation. When this is enabled, the ftp server will accept the username anonymous with any password (by convention, users should give their own hostname or username@hostname as a password.)

This can be a useful way of providing public access to some of your files, but it entails greater security risks to your machine, the files on it, and possibly even to the other machines in your cluster and to other Athena users. It is your responsibility to understand the risks involved, and to take the appropriate steps to maintain a high level of security. Allowing anonymous ftp also may also greatly increase net traffic and the load on your workstation.

The file /etc/ftpusers contains a list of usernames, one per line, that ftp will reject (for instance, root -- no one should ever be allowed to ftp into your workstation as root!). To enable anonymous ftp, edit that file to remove the entry for anonymous. Then you will need to do the following as root:

melonie.mit.edu# mknod /var/local/ftp/dev/zero c 13 12
melonie.mit.edu# chmod 666 /var/local/ftp/dev/zero
Now that you know how to enable anonymous ftp, DON'T! Not yet. To maintain the security of your workstation, there are a few directories and files to create and configure. We strongly suggest you take care of all of that first, and make editing /etc/ftpusers the final step in the process.

The directories and files to set up (as described in the man page for ftpd) are as follows:

Directory File Owned by Mode
/var/local/ftp/
ftp 555
/var/local/ftp/bin/
root 555

/var/local/ftp/bin/ls root 111
/var/local/ftp/etc/
root 555

/var/local/ftp/etc/passwd root 444

/var/local/ftp/etc/group root 444
/var/local/ftp/pub/
ftp 777 *

publicly accessible directories and files workstation mgr or users 777 or 755
/var/local/ftp/usr/
root 555
/var/local/ftp/usr/lib/
root 555

ld.so.1 root 555

libc.so.1 root 555

libdl.so.1 root 555

libintl.so.1 root 555

libw.so.1 root 555

* If you want to let others create directories and insert files into /var/local/ftp/pub set it to mode 777. Use mode 755 if you want to restrict other users to read-only access.

To set or change the ownership of a file or directory, use chown:

  chown owner file-or-directory
To set or change the permissions mode of a file or directory, use chmod:

  chmod mode file-or-directory
Suggestion: If you don't understand how those 3-digit octal numbers in chmod commands relate to the files' read/write/execute permissions, you should read the chmod man page (man chmod) before proceeding.

As an example, the following will create the directory /var/local/ftp/etc, set its owner to root, and its permission mode to 555:

  melonie.mit.edu# cd /var/local/ftp
  melonie.mit.edu# mkdir etc
  melonie.mit.edu# chown root etc
  melonie.mit.edu# chmod 555
To get the file ls, copy it from its usual location:

  melonie.mit.edu# where ls
  /usr/bin/ls

  melonie.mit.edu# cp /usr/bin/ls
  /var/local/ftp/bin/ls
The files in /var/local/ftp/usr/lib/ are copied from /usr/lib/.

In contrast, the files /var/local/ftp/etc/passwd and /var/local/ftp/etc/group should NOT be copies of the system's /etc/passwd or /etc/group files. Create dummy versions of these files, unwriteable and owned by root as shown above.

There is a CERT advisory Anonymous FTP Configuration Guidelines with more information about making anonymous ftp as secure as possible.

Running mkserv remote doesn't install the software you need to make your workstation an http server. Various on-line sites will let you download the necessary files and installation info. We recommend an MIT site, http://web.mit.edu/apache-ssl/www/. The apache-ssl locker contains software supported and recommended by the MIT Web Services group of MIT Information Systems for providing secure web servers, as well as contact information for advice and questions.

Creating an NFS Server: mkserv knfs

This is only applicable to Suns; currently mkserv knfs and mkserv nfs are not available for Linux.

You may find it desirable to designate directories on your workstation as exportable filesystems. When you have done this:

However, remember that backup takes time and technical competence. (See Backing Up and Restoring Your Files) You are also responsible for the cost of additional supplies (i.e., tapes), and for limiting access to third party software as specified in license terms.

What Kind of Fileserver is Best For You?

There are a few kinds of filesystems on Athena, most notably AFS (Andrew File System) and NFS (Network File System). The document Working on Athena explains many of the differences between AFS and NFS. Athena's version of NFS uses the Kerberos authentication system and so is known as "kerberized NFS" or knfs.

Most Athena lockers are stored on AFS fileservers, but running your own AFS server involves a great deal of managerial overhead. If you want to set your workstation up as a fileserver, it should be an NFS fileserver.

With NFS, you will have to maintain your own credentials file. For a small number of users, this is something you'll be able to handle on your own. However, if your proposed filesystem will be accessed by a large number of users, managing the necessary credentials files will create extra ongoing responsibility for you or your group. In this case, instead of setting up an NFS locker on your own workstation, you might find it preferable to ask the Faculty Liaisons (f_l@mit.edu) or Accounts (accounts@mit.edu) about getting an AFS locker on an Athena-administered server.

Running mkserv knfs

To create an NFS server, become root and use the mkserv command:

  thelonious.mit.edu# mkserv knfs

  Running /mit/mkserv/services/8.2/knfs.add (1.13)
  patching file `/usr/sbin/shutdown'

  Re-pointing root symlinks before synctree...
  Updating /var/server
  Updating root symlinks...
  Not linking /etc/athena/zshutdown_notify because the target was not
  a symlink.  Use -f to override.

  ===> Remember to get a srvtab with a 'rvdsrv.thelonious.mit.edu'
  key
  ===> Remember to set up a credentials file in /usr/etc
  ===> Remember to arrange the appropriate Moira entries for NFS
  service.

  Update finished.

  The service change requests will take effect upon the next reboot
  of the machine.

  /var/server has been used for the server specific files.
  Do not modify these files as they can be replaced during an update.
As the output of mkserv reminds you, there are still a few more steps in the process:

  1. Contact accounts@mit.edu to request a srvtab for rvdsrv.host (substituting your machine name for host). When you receive it by e-mail, install it into /etc/athena/srvtab. (See Obtaining a srvtab or keytab for more details.)

  2. If you want users to be able to use attach to get to lockers on your workstation, write to hesreq@mit.edu. You'll need to provide: hostname, partition (mount point), your chosen locker name, and whether the locker should be mounted read-only or read-write by default.

  3. Set up a credentials file in /usr/etc. Or, if you will have a large number of users accessing the server, contact ops@mit.edu and ask them about registering your server to get the Athena credentials file on a regular basis. (See What Kind of Fileserver is Best For You? for alternatives.)

  4. Add an entry to /etc/dfs/dfstab for each of the exported directories, e.g.: 
      share -F nfs -o rw /var/proj
  share -F nfs -o ro /var/proj-ref
    For more about /etc/dfs/dfstab, see the discussion of Specifying nfs Access with dfstab.

  5. Reboot the workstation.
Once this is done, and after the nightly moira propagation, you'll be all set. To find out what filesystems you can export, type: 
  athena% /usr/sbin/showmount -e $host
  export list for melonie.mit.edu:
  /var (everyone)
In this example, /var is the exportable filesystem. This means that you can create directories under /var (e.g. /var/proj) that other users can attach to their client workstations.

Maintaining and Adding Hardware

Physical Security

We strongly suggest that you secure each workstation to a desk or table in order to protect it from theft. Our recommended vendor for the security hardware is Anchor Pad (617 628-1863). If you have any questions, call the Athena Hardware Hotline (253-1410).

Please note that if the equipment is not secured in an appropriate manner and if the equipment is stolen, your department is responsible for paying the $1000 insurance deductible.

Moving Your Athena Workstation

Moving an Athena workstation is a much more complex operation than moving a personal computer:

When your machine needs to be moved a short distance, or shut off and kept elsewhere temporarily (during construction, for example), follow the shutdown procedures under Shutting Down Your Workstation. If you need help shutting down or moving a machine, contact the Athena Hardware Hotline at 253-1410 or hotline@mit.edu.

If the move involves changing network drops (from one office to another or across a large room), see http://web.mit.edu/is/help/network/. You will need to provide the following information:

A consultant will schedule a visit with you to determine what needs to be done to accommodate your workstation at its new location, and to answer any questions you may have.

Environment Requirements

Your Athena workstation should be set up in an environment which meets the requirements detailed in the documentation that comes with the workstation. Please check these manuals for specific requirements for temperature, humidity, and power, for your workstation as well as any peripherals. This section covers some general considerations:

Climate

Cleanliness

Interference

Ergonomics

There are several guidelines for setting up your environment to reduce strain and prevent injury. Please refer to the document Repetitive Strain Injuries (IS-13 -- To request a copy, send e-mail to sendpubs@mit.edu or call 253-5150; to read it online, open URL http://web.mit.edu/is/pubs/is-13 from a Web browser).

Configuring External Devices

If you want to add external devices to your workstation, such as tape drives or external disks, use the SCSI ("Small Computer System Interface") connector on the back of the workstation. (See below for Ultras.) Counting the internal drives, a SCSI connector can accommodate up to seven devices, which are linked together in a chain.

Each SCSI device should have two connector jacks: one to connect to your workstation (or previous device in the chain) and another to allow a further device to link to it. The last device in the chain should have a SCSI terminator in its second connector. If you need to get a terminator, we recommend the slightly more expensive "force perfect terminator" version ("FPT").

The maximum length of a SCSI chain is 6 meters (18 feet). This is the standard length specified by the protocol, but vendors may have restrictions which limit the SCSI chain to less than 6 meters. To calculate the maximum length of external devices, be sure to include the length of the internal SCSI bus. If the length of the SCSI chain exceeds the maximum, you could lose data or have intermittent device problems.

An online copy of the Indy Workstation Owner's Guide can be found here, as can the O2 Hardware Reference Guide

Special note for Sun Ultras

In their default configuration, our recommended workstations have no SCSI connector. If you want to expand them, you'll have to start by putting a SCSI card into the workstation. You can ask the Hardware Hotline (see above) about approved cards and help with installation. For more information, see http://web.mit.edu/is/desktop/saws_configs.html.

Finding the SCSI ID codes (Sun)

Each SCSI device must have a unique SCSI ID between 0-6. If two or more devices have the same ID, your system won't operate correctly.

Before you add a new device, you need to know which SCSI IDs are already in use. To determine the IDs of the SCSI devices, follow these steps:

Shut down the machine (Shutting Down Your Workstation), then type probe-scsi at the ok prompt:

  ok probe-scsi
  Target 3
    Unit 0  Disk  CONNER  CP30548  SUN0535B0CD9404PGPJ
  Target 6
    Unit 0  Removable  Read Only device  TOSHIBA
  XM-4101TASUNSLCD108404/18/94
(For Sun Ultras with more than one SCSI card, use the command probe-scsi-all.)

This command gives a list of devices connected on the SCSI bus. Each separate SCSI ID number is listed after the word Target, followed by a description on the next line. In this case, the hard disk drive has SCSI ID 3 (Target 3), and the CD-ROM has ID 6 (Target 6).

Check the owner's manual for a device to set the SCSI ID for that device.

Creating the Device Files

To make the files you need for the devices, follow these steps:

Preparing a New Hard Disk Drive (for Suns)

If the device you have installed is a hard disk drive, you will need to take special steps to prepare it:

  1. partition the blank disk
  2. create a file system on it
  3. make a file directory ("mount point") for it
  4. edit some files that help manage attached devices
The following example shows the preparation of a newly-attached hard drive, in this case, a 2GB Seagate.

Partition the Disk

The useful capacity of a disk can be divided up among several partitions, which can be accessed as separate file directories. The disk has, as part of its basic formatting, a partition table which defines that partitioning. The first step in preparing the new disk is to define a partition table. The command format performs a variety of disk maintenance functions, including modification of partition tables. It displays menus and submenus for these functions as you proceed. First, format displays a list of devices:

  melonie.mit.edu# format
  Searching for disks...done
  AVAILABLE DISK SELECTIONS:
         0. c0t0d0 <SEAGATE-ST42400N-0119 cyl 2604 alt 2 hd 19 sec 84>
            /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@0,0
         1. c0t3d0 <SUN2.1G cyl 2733 alt 2 hd 19 sec 80>
            /iommu@0,10000000/sbus@0,10001000/espdma@5,8400000/esp@5,8800000/sd@3,0
In the disk listing format above, c?t?d? (?=digit 0-7) indicates:

c? = SCSI controller -- which SCSI chain
? = SCSI ID or "target" -- which device in the chain
d? = local unit number (For a disk drive this will be 0. In the case of a stacking CD-ROM device, each disk would have its own number.)

In this example, we want to partition the new Seagate drive at c0t0d0, listed as choice "0".

  Specify disk (enter its number): 0
  selecting c0t0d0
The main format menu then shows the functions available:

  FORMAT MENU:
          disk       - select a disk
          type       - select (define) a disk type
          partition  - select (define) a partition table
          current    - describe the current disk
          format     - format and analyze the disk
          repair     - repair a defective sector
          label      - write label to the disk
          analyze    - surface analysis
          defect     - defect list management
          backup     - search for backup labels
          verify     - read and display labels
          save       - save new disk/partition definitions
          inquiry    - show vendor, product and revision
          volname    - set 8-character volume name
          !<cmd>     - execute <cmd>, then return
          quit
DO NOT select format. The disk should already have an existing formatting on it. (If it doesn't, return it and get one that does. Finding and setting up the appropriate low-level format is well beyond the scope of this document.) All you need to do is modify its partition table. Select partition (part is sufficient) and then, in the partition sub-menu, choose modify.

  format> part
  PARTITION MENU:
          0      - change `0' partition
          1      - change `1' partition
          2      - change `2' partition
          3      - change `3' partition
          4      - change `4' partition
          5      - change `5' partition
          6      - change `6' partition
          7      - change `7' partition
          select - select a predefined table
          modify - modify a predefined partition table
          name   - name the current table
          print  - display the current table
          label  - write partition map and label to the disk
          !<cmd> - execute <cmd>, then return
          quit
  partition> modify
Instead of dividing the disk's capacity up among the partitions, you can have all of its free space regarded as one large partition, available in a single file directory. The next inputs (including [ret] to accept the suggested defaults) will set up the new disk with a single partition, number 6.

  Select partitioning base:
          0. Current partition table (original)
          1. All Free Hog
  Choose base (enter number) [0]? 1

  Part       Tag    Flag     Cylinders        Size            Blocks  
    0        root    wm       0               0         (0/0/0)
    0  
    1        swap    wu       0               0         (0/0/0)
    0  
    2      backup    wu       0 - 2603        1.98GB    (2604/0/0)
    4155984  
    3  unassigned    wm       0               0         (0/0/0)
    0  
    4  unassigned    wm       0               0         (0/0/0)
    0  
    5  unassigned    wm       0               0         (0/0/0)
    0  
    6         usr    wm       0               0         (0/0/0)
    0  
    7  unassigned    wm       0               0         (0/0/0)
    0

  Do you wish to continue creating a new partition
  table based on above table[yes]? [ret]
  Free Hog partition[6]? [ret]
  Enter size of partition `0' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
  Enter size of partition `1' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
  Enter size of partition `3' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
  Enter size of partition `4' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
  Enter size of partition `5' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
  Enter size of partition `7' [0b, 0c, 0.00mb, 0.00gb]:
  [ret]
At this point, the program displays the proposed version of the partition table before rewriting it.

  Part       Tag    Flag     Cylinders        Size            Blocks  
    0        root    wm       0               0         (0/0/0)
  0  
    1        swap    wu       0               0         (0/0/0)
  0  
    2      backup    wu       0 - 2603        1.98GB    (2604/0/0)
  4155984  
    3  unassigned    wm       0               0         (0/0/0)
  0  
    4  unassigned    wm       0               0         (0/0/0)
  0  
    5  unassigned    wm       0               0         (0/0/0)
  0  
    6         usr    wm       0 - 2603        1.98GB    (2604/0/0)
  4155984  
    7  unassigned    wm       0               0         (0/0/0)
  0
  Okay to make this the current partition table[yes]?
  [ret]
The display shows that the disk will, as intended, have just the one big partition number 6, so let it rewrite the partition table. (Partition 2, "backup", is not ordinarily used. It is a default arrangement to facilitate disk-recovery, if needed.)

Next, the partition table needs a name; "original" is often used. After that, you are finished with the partition sub-menu.

  Enter table name (remember quotes):
  "original"
  Ready to label disk, continue? yes
  partition> q

    [the FORMAT MENU is redisplayed]
At this point, select verify, after which you can quit the format command.

  format> verify
  Primary label contents:
  Volume name = <        >
  ascii name  = <SEAGATE-ST42400N-0119 cyl 2604 alt 2 hd 19 sec
  84>
  pcyl        = 2606
  ncyl        = 2604
  acyl        = 2
  nhead       = 19
  nsect       = 84
  Part      Tag  Flag     Cylinders        Size          Blocks
    0       root  wm       0               0       (0/0/0)          0
    1       swap  wu       0               0       (0/0/0)          0
    2     backup  wu       0 - 2603        1.98GB  (2604/0/0) 4155984
    3 unassigned  wm       0               0       (0/0/0)          0
    4 unassigned  wm       0               0       (0/0/0)          0
    5 unassigned  wm       0               0       (0/0/0)          0
    6        usr  wm       0 - 2603        1.98GB  (2604/0/0) 4155984
    7 unassigned  wm       0               0       (0/0/0)          0
  format> q
  melonie.mit.edu#

Create a File System

The next step is to create a new UFS file system on the raw disk device you have just set up, using the command newfs. The device is specified using the same c?t?d? format as previously, but with an additional s? to indicate the partition number:

  melonie.mit.edu# newfs /dev/dsk/c0t0d0s6
  newfs: construct a new file system /dev/rdsk/c0t0d0s6: (y/n)?
  y
  /dev/rdsk/c0t0d0s6:     4155984 sectors in 2604 cylinders of 19
  tracks, 84 sectors
          2029.3MB in 82 cyl groups (32 c/g, 24.94MB/g, 6208 i/g)
  super-block backups (for fsck -F ufs -o b=#) at:
   32, 51200, 102368, 153536, 204704, 255872, 307040, 358208, 409376,
  460544,
   511712, 562880, 614048, 665216, 716384, 767552, 818720, 869888,
  921056,
   972224, 1023392, 1074560, 1125728, 1176896, 1228064, 1279232,
  1330400,
   1381568, 1432736, 1483904, 1535072, 1586240, 1634336, 1685504,
  1736672,
   1787840, 1839008, 1890176, 1941344, 1992512, 2043680, 2094848,
  2146016,
   2197184, 2248352, 2299520, 2350688, 2401856, 2453024, 2504192,
  2555360,
   2606528, 2657696, 2708864, 2760032, 2811200, 2862368, 2913536,
  2964704,
   3015872, 3067040, 3118208, 3169376, 3220544, 3268640, 3319808,
  3370976,
   3422144, 3473312, 3524480, 3575648, 3626816, 3677984, 3729152,
  3780320,
   3831488, 3882656, 3933824, 3984992, 4036160, 4087328, 4138496,
After your reply, you'll need to wait a few minutes for all the super-block backups to be created and all the sector numbers to be printed. (For a 9GB drive, for instance, you may have to wait more than 30 minutes to get your prompt back.)

Name Your Mount Point

Your disk needs an appropriate file directory name, a mount point, in the root directory. You might want to list / to see what directory names are already in use:

  melonie.mit.edu# ls /
A common convention for naming mount points is simply to choose the next unused number in the sequence /u1, /u2, /u3, etc. Or, since the disk is being used as a single partition, you could create a unique name based on the first two ??s in the device specifier, c0t0d0s6, (which would indicate its SCSI chain and position within that chain):

  melonie.mit.edu# mkdir /u00
Now use fsck to make sure the partition is okay:

  melonie.mit.edu# /etc/fsck /dev/rdsk/c0t0d0s6
  ** /dev/rdsk/c0t0d0s6
  ** Last Mounted on
  ** Phase 1 - Check Blocks and Sizes
  ** Phase 2 - Check Pathnames
  ** Phase 3 - Check Connectivity
  ** Phase 4 - Check Reference Counts
  ** Phase 5 - Check Cyl groups
  2 files, 9 used, 2013021 free (13 frags, 251626 blocks,  0.0%
  fragmentation)

Table Entries

Finally, you need to make an entry for the new disk in the appropriate files.

Mapping the mount point with vfstab

The file /etc/vfstab maps the device to the mount point. Use your favorite text editor to add a line with that information. In this case, the added last line identifies the device /dev/dsk/c0t0d0s6 with the directory /u00.

  #device            device              mount          FS    fsck
  mount    mount
  #to mount          to fsck             point          type  pass  at
  boot  options
  #
  /proc              -                   /proc          proc  -     no
  -
  fd                 -                   /dev/fd        fd    -     no
  -
  /dev/dsk/c0t3d0s0  /dev/rdsk/c0t3d0s0  /              ufs   1     no
  -
  /dev/dsk/c0t3d0s6  /dev/rdsk/c0t3d0s6  /var           ufs   2     no
  -
  /dev/dsk/c0t3d0s5  /dev/rdsk/c0t3d0s5  /usr           ufs   3     no
  -
  /dev/dsk/c0t3d0s3  /dev/rdsk/c0t3d0s3  /var/usr/vice  ufs   5
  yes      -
  /dev/dsk/c0t3d0s1  -                   -              swap  -     no
  -
  /dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /u00           ufs   2
  yes      -
The items don't have to line up with the column headings. Use spaces or tabs between each element of the line. The first two columns consist of the device identifier c?t?d?s? in the /dev/dsk/ and /dev/rdsk directories respectively. The third field is the mount point name. The remaining columns can be copied from the example above.

The file also sets things up so that fsck will run each time you reboot, to make sure the filesystem on the disk is okay. The vfstab man page contains more information about this file and its fields.

Specifying nfs Access With dfstab

If your new disk directory is going to be accessible through NFS (see Creating an NFS Server: mkserv knfs), then you need to add a line to the end of the file /etc/dfs/dfstab as well. Here is a version of the file with the appropriate last line for our example.

  #       place share(1M) commands here for automatic execution
  #       on entering init state 3.
  #
  #       share [-F fstype] [ -o options] [-d
  "<text>"] <pathname> [resource]
  #       .e.g,
  #       share  -F nfs  -o rw=engineering  -d "home dirs"
  /export/home2
  share -F nfs -o rw /u00
Each line is a share command for a particular resource. For the line added here:

The man pages for dfstab and share have more information about using this file.

Monitor Configuration on Linux Workstations

The Linux-Athena installer does its best to appropriately configure Xwindows to use your video hardware. Since there are a huge variety of possible graphics cards and monitors, all it can offer is its best guess, so you are running Linux-Athena on unsupported hardware, you might need to fine tune the configuration.

If at some point you want to use a different monitor, you'll also have to re-run this configuration step.

To run the configurator, you'll need to get a console login as root. At the xlogin screen (with the password box, and Athena logo), hit Ctrl-p until you get a text-mode login prompt, and login as root here.

Note that if Xwindows was never running on this machine, you may need to start the X Font Server before you can run the Xwindows configuration program. First, check if the server is already running like this:

bash# /sbin/service xfs status
It should respond with either "xfs is stopped" or "xfs is running..." If it tells you that xfs is stopped, you can type the following:

bash# /sinb/service xfs start
Which should respond with:

Starting xfs:                           [OK]
Then as root, you need to run an X configuration program. The program is Xconfigurator for Athena 9.1 and earlier and redhat-config-xfree86 for Athena 9.2. It should walk you through creating a new X configuration. If you have the documentation that came with your monitor, it might prove useful in answering some of the questions. As a guideline, most Athena cluster workstations have a resolution of 1280x1024. If you find that resolution produces fonts that are two small, you may wish to switch to 1152x864 or 1024x768, but we aware that you will sacrifice desktop space. The Color Depth should be one of "Millions of Colors" (24 bit), "Thousands of Colors" (16 bit), or "256 colors" (8 bit). Once you are satisfied with the configuration that the program shows you, logging out should allow xlogin to restart, using the new configuration.

Enabling Multi-Processor Support on Linux Workstations

Linux supports SMP, or Symmetric MultiProcessor kernels on hardware that has two or more processors. If you have such a system, when you install Athena on it, it will initially boot up with a kernel that only supports using one processor.

To enable SMP, you will need to install an appropriate kernel. It must match the kernel you have already, in version, and you'll need to figure out the RedHat version to find the new one.

  bash-2.05a# rpm -q kernel
  kernel-2.4.18-10
  bash-2.05a# uname -a
  Linux red-herring.mit.edu 2.4.18-10 #1 Wed Aug 7 11:39:21 EDT 2002 i686 unknown
  bash-2.05a# cat /etc/redhat-release
  Red Hat Linux release 7.3 (Valhalla)
In this case, kernel-smp-2.4.18-10 is the appropriate package to install and to find a copy, you'd look first for: 
  /afs/athena/system/rhlinux/redhat-7.3-updates/RPMS/kernel-smp-2.4.18-10.i686.rpm
Or if you didn't find it there, then: 
  /afs/athena/system/rhlinux/redhat-7.3/RedHat/RPMS/kernel-smp-2.4.18-10.i686.rpm
Note that you will need to adjust the version number and RedHat version in these paths as is appropriate for your system, with the information you looked up.

Once you have found the appropriate file, you will need to become root, with su, then install it by running: 

  bash-2.05a# rpm -ivh /afs/athena/system/rhlinux/redhat-7.3-updates/RPMS/kernel-smp-2.4.18-10.i686.rpm
  Preparing...                ########################################### [100%]
     1:kernel-smp             ########################################### [100%]
Rebooting will make this change take effect. Since SMP kernels are supported, you won't need to do anything special to update your kernel, when your workstation takes new Athena releases.

Using a UPS to Prevent Hardware Problems

Plugging your equipment into an Uninterruptible Power Supply (UPS) can save you a lot of time and aggravation, and help protect your data integrity. However, UPSs can also pose safety problems that you should be aware of.

About UPSs

There are two main categories of UPSs:

Overall, on-line UPSs perform better than off-line UPSs, because the transfer time from line power to battery power is much faster. Of course, on-line UPSs are more expensive than off-line.

Characteristics of the UPS

It is also important to know how your UPS provides AC power. Since batteries are generally geared for DC output, the power must be inverted to feed an AC device. The electricity you get from line power is a sinusoidal AC signal; some UPS manufacturers cut corners and make the output of their UPS a trapezoidal approximation of a sine wave. Some machines are more sensitive to the approximation than others.

WARNING: To test a UPS, DO NOT JUST UNPLUG IT FROM THE WALL. Unplugging the UPS from the wall breaks the connection to ground, and can cause a situation called a floating ground which can create a high voltage discharge when you plug the system back in (depending on how far the UPS ground is from the wall outlet ground). You could get a very nasty shock when you plug it back in. The easiest and safest way to test a UPS is plug it into a power strip and then plug that into the wall. You can then use the power switch on the power strip to simulate a power failure without loss of continuity to the ground.

Additional UPS Suggestions

Another safety issue is that someone might assume a piece of equipment is off because the power is off. Keep the UPS near its equipment and make it obvious that the equipment has its own power supply. You should label the equipment; contact the MIT Safety Office for information about power lockout procedures.

e-mail safety@mit.edu
phone 253-4736
online http://web.mit.edu/safety/

Here are some other suggestions for using your UPS:

MIT Information Systems Comments and feedback to olh-suggest@mit.edu