Instrument computer setup guide

The setup process for the instrument computers (ICC, RTC, AOC) is automated (to the extent possible) by scripts in the ``setup/`` folder of magao-x/MagAOX.

Unfortunately, not everything can be automated when real hardware is involved. To set up a new instrument computer, follow the steps below. Once the BIOS and OS are set up, you can run the provisioning scripts.

The instrument computers use CentOS 7 for two reasons:

  • It has a long window of support, and will receive security and bug-fix updates until June 30, 2024.

  • It (or, equivalently, RHEL 7) is a supported platform for our more niche hardware like DMs and framegrabbers.

Once the hardware has been connected up, setup proceeds as follows.


BIOS setup

For a new main board, the BIOS should be updated to the latest version. This is necessary to ensure that the USB ports behave properly, as well as to ensure that the iKVM module works.

For all of AOC/ICC/RTC

 -- Network Device BBS Priorities -- set all to "disabled"
 -- Hard Drive BBS Priorities -- set "disabled" for all non-boot SSDs

 -- ACPI Settings
    -- Enable Hibernation [Disabled]
    -- ACPI Suspend State [Suspend Disabled]
 -- APM
    -- Restore AC Power Loss [Power OFF]

(Note that the BIOS likes to reshuffle boot order when drives appear and disappear in testing or RAID swapping. Disabling non-boot drives ensures it doesn’t accidentally try to boot from them.)


AI Tweaker
 -- Spread Spectrum [Disabled] {This is critical for allowing PCIe expansion to work}

 -- PCI Subsystem Settings
     -- Above 4G Decoding [Enabled] {This is critical for allowing PCIe expansion to work}

 -- Processor Configuration
    -- DCU Mode [16KB 4Way With ECC] {This is critical for allowing PCIe expansion to work}
 -- Miscellaneous Configuration
    -- Active Video [Onboard Device] {Prevents sending video to a GPU}

OS Installation

Boot into CentOS 7 x86_64 install media (ISOs here) and proceed with interactive installation following these choices.


Language: English (United States)

Network & Hostname

In the box at lower left, fill in the machine name (i.e. exao1 for AOC, exao2 for RTC, exao3 for ICC).

For each Ethernet controller listed on the left, click to select and click “Configure” to bring up the settings, and select the “IPv4 Settings” panel.

If the IP address in the table from the Networking Doc is not “n/a (DHCP)”, select Method: “Manual” from the dropdown under “IPv4 Settings”.

In the “Addresses” panel, click “Add” and enter the appropriate address from the Networking Doc table under “Network Connections”.

To confirm the link works, Ctrl-Alt-F2 gets you to a command prompt.

Try pinging Google:

$ ping
# Hit Ctrl-C after a few seconds

Verify “0% packet loss”.

And the MagAO-X internal router:

$ ping
# Hit Ctrl-C after a few seconds

Verify “0% packet loss”.

To return to the main installer, hit Ctrl-Alt-F6.
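The loss check can be scripted once you are at a shell. The sketch below is a hypothetical helper (not one of the MagAOX setup scripts); 8.8.8.8 (Google public DNS) is an assumed stand-in target, and the internal router address should come from the Networking Doc:

```shell
# ping_ok: hypothetical helper -- succeed only on 0% packet loss.
# The target is an argument; 8.8.8.8 is just an example.
ping_ok() {
    out=$(ping -c 4 -W 2 "$1" 2>&1)
    # extract the loss percentage from the ping summary line
    loss=$(printf '%s\n' "$out" | sed -n 's/.*[ ,] *\([0-9][0-9]*\)% packet loss.*/\1/p')
    [ "$loss" = "0" ]
}
# usage: ping_ok 8.8.8.8 && echo "link OK"
```

The sed expression just pulls the number out of ping's "X% packet loss" summary line.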

Date & Time

  • Timezone: America/Phoenix


Installation Destination

  • Select all disks

  • Select “I will configure partitioning”

  • On the 2x 512 GB O/S drives:

    • 500 MiB /boot - RAID 1

    • 16 GiB swap - RAID 1

    • The rest as / - RAID 1

  • On the data drives (should be 3 or more identical drives):

    • All space as /data - RAID 5

Detailed steps

  • If this is a reinstall:

    • Click on the arrow next to “CentOS Linux…” to expand the list of existing partitions.

    • Click one to select and click the - button at the bottom of the list

    • Check the box saying Delete all filesystems which are only used by CentOS Linux ... and confirm

  • Choose partitioning scheme = Standard Partition in drop down menu

  • Then press + button:

    • Mount Point: /boot

    • Desired Capacity: 500 MiB

    • Now press Modify

      • Select the 2x 500 GB O/S drives (Ctrl-click)

      • Press select

    • Device Type: RAID - RAID 1

    • File System: XFS

  • Press Update Settings

  • Then press + button:

    • Mount Point: swap

    • Desired Capacity: 16 GiB

    • Now press Modify

      • Select the 2x 500 GB O/S drives (Ctrl-click)

      • Press select

    • Device Type: RAID - RAID 1

    • File System: XFS

    • Press Update Settings

  • Then press + button:

    • Mount Point: /

    • Desired Capacity: blank

    • Now press Modify

      • Select the 2x 500 GB O/S drives (Ctrl-click)

      • Press select

    • Device Type: RAID - RAID 1

    • File System: XFS

    • Change Desired Capacity to blank (again)

    • Press Update Settings

      • should be using all available space for /

  • Then press + button:

    • Mount Point: /data

    • Desired Capacity: blank

    • Now press Modify

      • Ctrl-click to select all the data drives (>500GB)

      • Press select

    • Device Type: RAID - RAID 5

    • File System: XFS

    • Change Desired Capacity to blank (again)

    • Press Update Settings

      • Should now have the full capacity for RAID 5 (N-1)
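As a sanity check on the resulting /data size: RAID 5 across N identical drives yields (N-1) drives' worth of usable space. A quick sketch (the drive counts and sizes here are examples, not the actual hardware):

```shell
# raid5_usable: usable capacity of a RAID 5 array = (N - 1) * per-drive size
raid5_usable() {
    n_drives=$1
    size_each=$2
    echo $(( (n_drives - 1) * size_each ))
}
raid5_usable 4 2000   # e.g. 4x 2000 GB drives -> 6000 GB usable
```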

If you are prompted for a location to install the UEFI boot loader, you have somehow booted in UEFI mode instead of Legacy Boot / BIOS mode. (This has been observed booting from a liveUSB, despite UEFI boot being disabled in BIOS, but it goes away after reordering boot options in the BIOS interface and attempting to boot again.)



Software Selection (ICC/RTC)

From the list on the left:

  • Select “Minimal install”

From the list on the right:

  • Select “Development Tools”

  • Select “Debugging Tools”

  • Select “System Administration Tools”


Software Selection (AOC)

From the list on the left:

  • Select “KDE Plasma Workspaces”

From the list on the right:

  • Select “Development Tools”

Begin the installation


  • Set root password

  • Create normal (admin) user account for use after reboot

After OS installation

Note: For AOC, multiple monitors seem to confuse the default NVIDIA drivers. Stick to the VGA output until the NVIDIA drivers are set up (see below).


  • Log in as root

  • Run yum update -y

Check RAID status

Check RAID mirroring status: cat /proc/mdstat. On new installs, it takes some time for the initial synchronization of the drives. (Like, “leave it overnight” time.)
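A degraded array shows an underscore in the member-status field of /proc/mdstat (e.g. ``[U_]`` instead of ``[UU]``). A grep sketch for spotting that at a glance (a hypothetical helper, not one of the setup scripts):

```shell
# count_degraded: number of md arrays with a missing member in an
# mdstat-format file; healthy mirrors show [UU], degraded show e.g. [U_]
count_degraded() {
    grep -c '\[U*_[U_]*\]' "${1:-/proc/mdstat}"
}
# usage: [ "$(count_degraded)" = "0" ] || echo "degraded array(s) present"
```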

Configure network interface naming

SystemD, udev, and Dell have conspired to implement something called “predictable network interface names” that could more accurately be called “unpredictable network interface names”.

To prevent the network interface names from changing every time we move a PCIe card in our instrument, we use the almost-undocumented Scheme 4 naming scheme, where the entire hardware MAC address is placed in the interface name to guarantee it never changes.

To enable this scheme, follow the procedure from this ServerFault answer.

  1. sudo cp /usr/lib/udev/rules.d/80-net-name-slot.rules /etc/udev/rules.d

  2. Edit /etc/udev/rules.d/80-net-name-slot.rules to replace



  3. Reboot
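With Scheme 4 enabled, an interface name is simply ``enx`` followed by the lowercase MAC address with the colons removed, which is where names like ``enx2cfda1c6db1b`` come from. A sketch of the mapping:

```shell
# mac_to_ifname: derive the Scheme-4 interface name from a MAC address
mac_to_ifname() {
    printf 'enx%s\n' "$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')"
}
mac_to_ifname 2C:FD:A1:C6:DB:1B   # -> enx2cfda1c6db1b
```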

Configure network connections

Names for network interfaces are now tied to their hardware MAC address, not their location on the PCI bus. The flip side is that replacing a NIC with a new card will require repeating the below process, probably from a seat at the computer. (However, this happens much less often than rearranging GPUs and confusing NetworkManager with renumbered enXpY devices.)

  • Use ip a or nmcli to verify the new network names. For example, this nmcli output is from RTC:

    $ nmcli
    enx2cfda1c6db1b: connected to www-lco
        "Intel I210"
        ethernet (igb), 2C:FD:A1:C6:DB:1B, hw, mtu 1500
        ip4 default
        inet6 fe80::e645:b705:d502:3b34/64
        route6 fe80::/64
        route6 ff00::/8
    enx2cfda1c6db1a: connected to instrument
            "Intel I210"
            ethernet (igb), 2C:FD:A1:C6:DB:1A, hw, mtu 1500
            inet6 fe80::58e3:d9ad:61be:f235/64
            route6 fe80::/64
            route6 ff00::/8
  • If the strings ``connected to www-lco`` (or ``connected to www-ua``) and ``connected to instrument`` appear in the ``nmcli`` output, you may be finished. If the connection profiles did not automatically find the renamed devices, read on.

  • Unplug the instrument and other interfaces and run nmcli again, noting which of the interfaces shows up as connected

  • Copy the full name (enxaabbccddeeff) of the interface that is showing up as connected

  • In sudo nmtui, rename or delete connections as necessary until only www-ua, www-lco, and instrument remain (Note: ICC has icc-to-rtc and RTC has rtc-to-icc to configure, which are a pair of NICs for low-latency transfer. ICC additionally has camsci1 and camsci2. Until we rewrite this document, consult the Networking doc for their config.)

  • Edit the www-* connections to ensure the “Device” field is set to the interface name you just copied

  • Copy the full name for the instrument interface, plug its cable back in, and repeat the last step for the instrument connection

  • Activate the appropriate connections in nmtui (or with nmcli con down www-lco; nmcli con up www-ua; nmcli con up instrument, swap www-ua and www-lco if necessary)

  • Choose Edit a connection in nmtui

  • Highlight instrument and hit Enter

    • Under IPv4 CONFIGURATION ensure Never use this network for default route is checked with an [X]

    • At the bottom of the list, ensure Automatically connect and Available to all users are checked

  • Highlight www-ua and hit Enter

    • Under IPv4 CONFIGURATION ensure Never use this network for default route is not checked

    • At the bottom of the list, ensure Automatically connect and Available to all users are checked

  • Repeat for www-lco

  • Trust connections internal to the instrument: sudo nmcli con modify instrument trusted

  • Verify they are both active with the appropriate connection profile in nmcli. Example from AOC:

    $ nmcli
    enx2cfda1c61ddf: connected to www-lco
            "Intel I210"
            ethernet (igb), 2C:FD:A1:C6:1D:DF, hw, mtu 1500
            ip4 default
            inet6 fe80::f8dd:82f0:237d:a4f1/64
            route6 fe80::/64
            route6 ff00::/8
    enx2cfda1c61dde: connected to instrument
            "Intel I210"
            ethernet (igb), 2C:FD:A1:C6:1D:DE, hw, mtu 1500
            inet6 fe80::e992:1899:f32c:95cf/64
            route6 ff00::/8
            route6 fe80::/64
  • Verify that the internet is reachable from the instrument (e.g. with ping) and that the new config lets you ping the machine from outside

Configure /data array options

We should be able to boot with zero of the drives in the /data array without systemd dropping to a recovery prompt.

Edit /etc/fstab, and on the line for /data replace defaults with the options noauto,x-systemd.automount.
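The resulting /etc/fstab line would look something like this (the device name here is a placeholder for illustration; keep whatever UUID or device your installer actually wrote):

```
/dev/md/data  /data  xfs  noauto,x-systemd.automount  0 0
```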

Set up ssh

  • Install a key for at least one user in their .ssh folder, and make sure they can log in with it without requiring a password.

  • Now configure sshd. Do this by editing /etc/ssh/sshd_config as follows:

    Allow only ecdsa and ed25519 host keys:

      #HostKey /etc/ssh/ssh_host_rsa_key
      #HostKey /etc/ssh/ssh_host_dsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
      HostKey /etc/ssh/ssh_host_ed25519_key

    Disable password authentication: PasswordAuthentication no

  • And finally, restart sshd: systemctl restart sshd
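Before restarting, it is worth confirming the config file says what you think. This check is a hypothetical helper (not one of the setup scripts); running ``sudo sshd -t`` additionally validates the file's syntax:

```shell
# check_sshd_config: warn unless PasswordAuthentication is explicitly "no"
check_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    if grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$cfg"; then
        echo "password authentication disabled in $cfg"
    else
        echo "WARNING: password authentication not explicitly disabled in $cfg" >&2
        return 1
    fi
}
```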

AOC only: GPU drivers setup

Since we actually use the AOC GPU for graphics (shockingly enough), you will need to install NVIDIA’s CUDA package with drivers before the monitors will work right. You’ll want ``ssh`` access in case anything goes wrong, so make sure it’s working!

  1. Before starting, make sure everything’s up to date: yum update -y

  2. Download CUDA 10.1 (or whatever version is current in setup/steps/) and take note of where it is saved

  3. Install prerequisites: sudo yum install -y kernel-devel kernel-headers

  4. As root, edit the line in /etc/default/grub that reads

    GRUB_CMDLINE_LINUX="[parts omitted] rhgb quiet"

    to read

    GRUB_CMDLINE_LINUX="[parts omitted] rhgb quiet rd.driver.blacklist=nouveau nouveau.modeset=0"
  5. Install the new grub config with sudo grub2-mkconfig -o /boot/grub2/grub.cfg

  6. Create /etc/modprobe.d/blacklist-nouveau.conf with the contents

    blacklist nouveau
    options nouveau modeset=0
  7. Execute sudo systemctl set-default multi-user.target to default to a text-mode boot

  8. Shut down

  9. Disconnect all monitors from the NVIDIA card

  10. Connect a monitor to the VGA port from the motherboard’s onboard graphics

  11. Reboot to a text-mode prompt

  12. Log in as root

  13. Run the CUDA installer (the .run file downloaded earlier, whatever version that is) with bash and the flags --silent --driver --toolkit --samples

  14. Default to graphical boot: systemctl set-default graphical.target

  15. Shut down

  16. Disconnect the VGA port, reconnect the battle station monitors

  17. Open up System Settings -> Display & Monitor and arrange the monitor geometry to reflect reality

  18. Edit /etc/default/grub to remove rd.driver.blacklist=nouveau nouveau.modeset=0 from GRUB_CMDLINE_LINUX and run grub2-mkconfig -o /boot/grub2/grub.cfg

  19. Once everything’s working satisfactorily, we want to lock the kernel version (so that we don’t end up accidentally removing graphical boot capabilities with a yum update -y):

    1. sudo yum install -y yum-versionlock

    2. sudo yum versionlock kernel kernel-headers kernel-devel

Perform (mostly) automated provisioning

Log in via ssh as a normal user with sudo access.

  1. Clone magao-x/MagAOX into your home directory (not into /opt/MagAOX, yet)

    $ cd
    $ git clone
  2. Switch to the setup subdirectory in the MagAOX directory you cloned (in this example: ~/MagAOX/setup) to perform pre-provisioning steps (i.e. steps requiring a reboot to take effect)

    $ cd ~/MagAOX/setup
    $ ./

    This sets up an xsup user and the magaox and magaox-dev groups. Because this step adds whoever ran it to magaox-dev, you will have to log out and back in.

    On ICC and RTC, this step also installs the CentOS realtime kernel and updates the kernel command line for ALPAO compatibility reasons. It also adds settings to disable the open-source nouveau drivers for the NVIDIA card. This is so that the CUDA install proceeds without errors. You must reboot before continuing.

  3. Reboot, verify groups

    $ sudo reboot
    [log in again]
    $ groups
    yourname magaox-dev ...
  4. (optional) Install tmux for convenience

    tmux allows you to preserve a running session across ssh disconnection and reconnection. (Ten-second tutorial: running tmux with no arguments starts a new self-contained session. Ctrl-b followed by d detaches from it, while any scripts you started continue to run. The tmux attach command reattaches.)

    $ sudo yum install -y tmux

    (It’s used by the system, so it’ll get installed anyway, but you might want it when you run the install.)

    To start a new session for the installation:

    $ tmux
  5. RTC/ICC only: Obtain proprietary / non-redistributable software from the team Box folder

    Go to MagAO-X/vendor_software/ (invite required), click the “…” on bundle and choose “Download”. Save in MagAOX/setup/ next to

    Screenshot of Box interface to download bundle

    This bundle includes software for the Andor, ALPAO, and Boston Micromachines hardware.

  6. Run the provisioning script as a normal user

    $ cd ~/MagAOX/setup
    $ bash ./

    If you installed and invoked tmux in the previous step, this would be a good time to Ctrl-b + d and go get a coffee.

Successful provisioning will end with the message “Finished!” and installed copies of MagAOX and its dependencies.

A lot of the things this script installs need environment variables set, so source /etc/profile.d/*.sh to keep working in the same terminal (or just log in again).
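Note that ``source`` takes a single file, so the glob above only truly sources every script when written as a loop; a sketch:

```shell
# source_all: source every *.sh file in a directory in turn
# ("source"/"." takes exactly one file, so a glob needs a loop)
source_all() {
    for f in "${1:-/etc/profile.d}"/*.sh; do
        [ -r "$f" ] || continue
        . "$f"
    done
}
# usage: source_all /etc/profile.d
```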

Perform xsup key management

A new installation will generate new SSH keys for xsup. If you have an existing .ssh folder for the machine role (ICC, RTC, AOC) you’re setting up, you can just copy its contents over the new /home/xsup/.ssh/ (taking care not to change permissions).

If not, you must ensure passwordless SSH works bidirectionally by installing other servers’ xsup keys and installing your own in their /home/xsup/.ssh/authorized_keys.

In the guide below, $NEW_ROLE is the role we just set up and $OTHER_ROLE is each of the other roles in turn. (For example, if we just set up the RTC, $NEW_ROLE == RTC and $OTHER_ROLE would be ICC and AOC.)


For each of the $OTHER_ROLEs:

  1. On $NEW_ROLE, copy /home/xsup/.ssh/ to the clipboard

  2. Connect to $OTHER_ROLE with your normal user account over SSH

  3. Become xsup on $OTHER_ROLE and edit /home/xsup/.ssh/authorized_keys to insert the one you copied

  4. On $OTHER_ROLE, copy /home/xsup/.ssh/ to the clipboard

  5. Back on $NEW_ROLE, append the key you just copied to /home/xsup/.ssh/authorized_keys

  6. On $NEW_ROLE, test you can ssh $OTHER_ROLE as xsup (potentially amending ~/.ssh/known_hosts)

  7. On $OTHER_ROLE, test you can ssh $NEW_ROLE as xsup (potentially amending ~/.ssh/known_hosts)
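The appends in steps 3 and 5 are worth making idempotent so that repeating the procedure never duplicates key lines. A hypothetical helper (the key filename and paths in the usage comment are examples, not confirmed names):

```shell
# append_key: add a public-key line to an authorized_keys file only if
# it is not already present (exact full-line match)
append_key() {
    key_line="$1"
    auth="$2"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
}
# e.g.: append_key "$(cat /home/xsup/.ssh/id_ed25519.pub)" /home/xsup/.ssh/authorized_keys
```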

Verify bootloader installation / RAID correctness

  • Ensure RAID arrays are fully built with cat /proc/mdstat

  • shutdown

  • Pop one of the two boot drives from the SSD cage

  • Boot, verify that 1) grub appears and 2) the OS comes up (after a longer boot delay)

  • Replace that boot drive, reboot

  • Ensure RAID arrays are fully rebuilt with cat /proc/mdstat

  • Pop the other drive

  • Repeat verification steps

  • Replace boot drive

  • Boot with both in place

  • Shutdown, pop all data drives

  • Ensure boot proceeds without dropping to recovery prompt

  • Replace all data drives, boot with everything in place