Skip to content

Virtual Machine CentOS Stream 8

This guide is very similar to Creating a CentOS CC7 Virtual Machine, yet focuses on the CentOS Stream 8 image, which comes with less pre-configuration, than CC7.

After this guide you will have a virtual CentOS Stream 8 machine, with afs, eos and htcondor enabled.

Create SSH Key pair

Create an ssh-public-private-key pair for authentication.

ssh-keygen -t rsa -f your-key-name

where your-key-name is the name you want to give your key, e.g. centos8key. The keys will be saved in ~/.ssh/.

Create virtual machine

Go to CERN Openstack: Project -> Compute -> Instaces -> Launch Instance

  • On Details choose a cern-unique name for your instance. It will be available under

  • On Source select the CS8_x86_64 image

  • On Flavour select the Volume and RAM size that you think you will need.

  • On Key Pair select Import Key Pair and choose as ssh-key the in Step 1 created Public Key, e.g.

Now you have to wait until your instance is created, you can see the progress in the Project -> Compute -> Instances view. When the Power State reads Running your machine is ready.

Create new User

Unlike in CC7 only the root user will be created.

  • Login to your virtual machine as this user via ssh:

    ssh -i your-key-name
    where your-key-name from the examples above would be centos8key and your-machine-name would be mycentoscs8.

  • Create user with the same name as your cern name with sudo rights:

    export USERNAME=your-cern-username
    adduser $USERNAME
    passwd $USERNAME
    usermod -aG wheel $USERNAME
    The password does not need to match your CERN password.

  • Allow ssh-authorization for this user for the same ssh-keys

    mkdir /home/$USERNAME/.ssh
    cp .ssh/authorized_keys /home/$USERNAME/.ssh/
    chown -R $USERNAME:$USERNAME /home/$USERNAME/.ssh/

And you're done.
You will probably never use this root user again. So log out now.

And you should now be able to login as:

ssh -i your-key-name

Disable SSH-Root-Login

For security reasons it might make sense now to deactivate ssh-login via root-user account. Before you do this, make sure you can login as your-user-name and you have root-rights (e.g. sudo su works). You can now disallow login as root by modifying (with sudo) the line in /etc/ssh/sshd_config

PermitRootLogin yes
PermitRootLogin no
and restart the ssh daemon
systemctl restart sshd

SSH Config

To make your life easier you can add the following lines to your ssh-config ~/.ssh/config:

# connect to virtual machine from inside GPN
Host *your-machine-name
  User your-user-name
  IdentityFile path/to/your-ssh-key-name

# connect through proxy from outside GPN
Host ext*

with the your-xxxx-names replaced accordingly. This allows you to ssh into your machine simply with

ssh your-machine-name
ssh extyour-machine-name

Install afs/eos/etc.

This follows the installation hints found on the CERN centos step-by-step installation guide.

First install locmap which manages CERN installations and then let it install and reconfigure the CERN-default packages:

sudo dnf install locmap-release
sudo  dnf install locmap
for module in afs eosclient chrony cvmfs kerberos lpadmin postfix ssh sudo; do sudo locmap --enable $module; done
sudo locmap --configure all

Now you should have access to afs, eos and kerberos (kinit and aklog).

Install HTCondor

This is adapted from the HTCondor installation guide on this webpage, but with some modifications. First of all we don't need to install the kerberos packages, as this is done by locmap in the step above.

Configure KERBEROS

We only need to configure kerberos for HTCondor:

export USERNAME=your-user-name

scp $ .
chmod +x batch_krb5_credential
sudo mv batch_krb5_credential /usr/bin/

scp $ .
sudo mv ngauth_batch_crypt_pub.pem /etc/

scp $ .
sudo mv krb5.conf.no_rdns /etc/krb5.conf.no_rdns 

scp $ .
sudo mv ngbauth-submit /etc/sysconfig/

verify the installation via:


There should be an output like:


and nothing else (i.e. no missing files or errors). Make sure you have valid credentials already (run kinit). Also see the debugging help.

Install HTCondor

This follows the guide in the develop branch on the HTCondor website. The development brach is needed for now as CERN requires HTCondor v8.9.7+ as of June 2021.

sudo yum install wget

sudo wget
sudo rpm --import RPM-GPG-KEY-HTCondor 

cd /etc/yum.repos.d
sudo wget

sudo yum install condor-all

Configure HTCondor

The configuration is then as in the default HTCondor guide.

  • Create the config file /etc/condor/config.d/10-local.config. Please set as scheduler (SCHEDD_HOST) the default one you get on lxplus, e.g. in your condor_q output. You can also find it out by running (on lxplus):

    condor_config_val SCHEDD_HOST
    An example content is provided here:
    SEC_CREDENTIAL_PRODUCER = /usr/bin/batch_krb5_credential

  • Start the service:

    sudo systemctl start condor
    sudo systemctl enable condor

  • Check:

    See the debugging help.

Congratulations! You have now a very lxplus-like machine at your own disposal.