Operator onboarding checklist

Current priority: verify the mini, keep Shavak low-risk, and push the iMac Intune wave only after the mini services are healthy. Use only the section that matches the job you are doing.

1. Mini and network

Verify mini access and fixed-IP services

First confirm SSH, fixed IP, and service ports on the mini. Do not change SSH configuration unless validation fails.

On the mini Terminal

hostname
ipconfig getifaddr en0 || true
sudo /usr/sbin/sshd -t
sudo launchctl print system/com.openssh.sshd | head -40
sudo launchctl kickstart -k system/com.openssh.sshd

Network settings to confirm

  • Campus fixed IP is 10.3.0.237.
  • Port 22 works from the operator/admin path after the SSH fix.
  • Port 8088 serves installer artifacts on the campus LAN.
  • Register and onboarding public domains resolve through Cloudflare.

After SSH works

ssh vgrid-hq 'hostname; date; uptime'
curl -fsS https://register.vishwanathgrid.org/healthz
curl -fsS https://register.vishwanathgrid.org/pool-status
Only after this section is green should the iMac Intune wave be pushed.
2. PARAM Shavak

Access-only path for today

Use the public /onboard.sh only when the Grid operator asks for an access bootstrap. It does not install HTCondor, Slurm, OpenHPC, or GPU drivers; those are mini-side follow-up steps after access is verified.

What the operator should collect

hostname -f
hostname -I
cat /etc/os-release
nproc
free -h
nvidia-smi -L 2>/dev/null || true
ss -tlnp | grep ':22' || true

If SSH access is being tested

  • Use the account and password provided by the local Shavak/JupyterHub administrator.
  • Confirm whether shell access lands on the physical host or inside a Jupyter/container session.
  • Do not re-image, install Slurm/OpenHPC, or run HTCondor until the Grid operator confirms the lane.
For now, send the Shavak hostname, IP, OS, CPU, RAM, GPU, and access mode to the Grid operator. Full onboarding waits.
3. iMac Intune

Push one script to the iMac device group

The network operator should use Intune, not one-by-one Terminal work, for lab iMac groups.

Get the script template

curl -fsSL https://onboarding.vishwanathgrid.org/imac-intune.sh

In Intune

  1. Create a macOS Shell Script policy.
  2. Paste the script template from the URL above.
  3. Replace REPLACE_WITH_CURRENT_WAVE_SERVICE_PASSWORD.
  4. Replace REPLACE_WITH_CURRENT_REGISTER_TOKEN.
  5. Set Run script as signed-in user to No.
  6. Assign only to the target lab iMac device group.

What the script checks before changing iMacs

  • Mini installer server is reachable at http://10.3.0.237:8088/install-htcondor.sh.
  • Public register health is reachable.
  • The public iMac bootstrap downloads and passes Bash syntax check.
If the preflight fails, stop the Intune wave and fix the mini services first.

Revision 2026-06-07. This page intentionally contains no live passwords, registration tokens, private keys, or operator-only secrets.