This repository contains RPMs to assist with using the Fermilab General Computing Environment on EL9 systems.

Packages in this repository are signed by GPG Key:

pub   4096R/ABEC1471 2020-01-30
uid                  Fermilab RPM Key (Used for signing RPMs built at Fermilab) <LINUX-USERS@LISTSERV.FNAL.GOV>
sub   4096R/804610A8 2020-01-30

Source Repos

The source for packages in these repos can be found at https://github.com/fermilab-context-rpms. You can review it for recomendations on how to configure your system if use of these packages is not right for your environment.

Installation Instructions

RPMs can be loaded interactively with dnf/yum and/or at install time with Kickstart.

Note These RPMs will own their configuration files. Any local changes will be reverted upon upgrade. Your modified files will be saved off as .rpmsave files.
Note You are expected to have working access to the OS repos. If you require use of the local Fermilab mirrors you should install the yum-conf-fermilab-mirror package first.

1. Interactive Steps

Tip This method should work for any admin who wishes to install some or all of the Fermilab packages.
  • You will need to install the fermilab yum repo

    sudo yum install https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/9/yum-conf-fermilab.rpm
  • To get specific packages, you can install them as normal now:

    sudo yum install ${SOMEPACKAGE}
  • To get the minimum requirements for on-site computing:

    sudo yum install --setopt=install_weak_deps=False fermilab-base_on-site
  • To get all the recommended packages run:

    sudo yum install --setopt=install_weak_deps=True fermilab-base_on-site

    or

    sudo yum group install fermilab
  • To get all the recommended and optional packages run:

    sudo yum group install --with-optional fermilab
Note These yum commands should not cause errors if run multiple times.

2. From Kickstart

Add the yum repo to your known repos:

repo --name=fermilab --baseurl=https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/$releasever/$basearch/
%packages
@fermilab

Or you may specify any specific packages you wish to select from this repo

Additional Information on Fermilab Packages

fermilab-base_on-site

This package requires the config RPMs that will alter your system settings for use at Fermilab. A sudo yum install on this package will install those dependencies automatically. It uses RPM’s rich dependencies to suggest additional, optional, packages that may be useful.

fermilab-conf_ca-certs

Place the Fermilab CA Certificates (for our local CA) in /usr/share/fermilab-conf_ca-certs. You can fetch them directly from https://authentication.fnal.gov/certs/

fermilab-conf_ca-certs-trust

Adds the Fermilab CA Certificates (for our local CA) to your CA Trust Store. You can fetch them directly from https://authentication.fnal.gov/certs/

fermilab-conf_doe-banner

Contains the standardized banner messages for use at Fermilab.

fermilab-conf_doe-banner-cockpit

Add a notification banner to the cockpit login screen regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_doe-banner-console

Add a notification banner to the text console regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_doe-banner-gdm

Add a notification banner to the GDM login window regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_doe-banner-login-screen

Add a notification banner to the recognized login windows regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_email-gateway

Setup postfix to route outbound email through an approved mail gateway.

fermilab-conf_firewall

Add a firewall zone with the FNAL IP ranges.

fermilab-conf_firewall-firewalld

Add a firewalld zone with the FNAL IP ranges.

Note This rpm will reload the firewalld config.
fermilab-conf_http-use-syslog

Setup webservers to log into syslog.

fermilab-conf_http-use-syslog-apache-httpd

Setup apache-httpd to log to syslog.

Note This rpm may result in double logging on your system.
Note The apache-httpd ErrorLog may only be defined once. The definition closest to access is the one used.
fermilab-conf_http-use-syslog-nginx

Setup nginx to log to syslog

Note This rpm may result in double logging on your system.
fermilab-conf_install-updates

Ensure all system updates are applied nightly.

fermilab-conf_kerberos

Load the Fermilab Kerberos configuration settings.

Note fermilab-conf_kerberos no longer uses /etc/kdc.list to customize the default kdc list. You should instead create a custom entry in /etc/krb5.conf.d/00-my-kdcs.conf with your expected settings.
fermilab-conf_login-screen-no-user-list

Do not show a list of valid users on the recognized login windows.

fermilab-conf_login-screen-no-user-list-gdm

Do not show a list of valid users on the GDM login window.

fermilab-conf_ocsinventory

Configuration for the Fermilab OCS Inventory Server.

fermilab-conf_screenlock

Setup screensaver to lock automatically after inactivity on recognized desktops.

fermilab-conf_screenlock-gnome

Setup GNOME desktop to lock automatically after inactivity.

fermilab-conf_screenlock-weston

Setup Weston desktop to lock automatically after inactivity.

fermilab-conf_ssh

Pull in SSH config settings useful for Fermilab SSH Servers.

fermilab-conf_ssh-client

Add SSH client settings useful for connecting to Fermilab SSH Servers.

fermilab-conf_ssh-server

Configure your SSH Server for use on the Fermilab Network.

fermilab-conf_sssd

Configure SSSD to permit Kerberos or local password authentication. This package also provides behavior similar to fermilab-conf_kerberos-local-passwords from the SL7 Fermilab Context.

Note fermilab-conf_sssd will attempt to reconfigure authentication on your system. If this fails, you will need to manually run authselect for your system.
fermilab-conf_system-logger

Forward your system logs to the Central Log Server.

fermilab-conf_system-logger-rsyslog

Forward your system logs via rsyslog to the Central Log Server.

fermilab-conf_timesync

Setup a supported NTP client to use the Fermilab approved timeservers.

fermilab-conf_timesync-chrony

Setup the chrony NTP client to use the Fermilab approved timeservers.

fermilab-util_kcron

Setup Kerberos rights for scheduled jobs and daemons.

fermilab-util_kx509

A simple utility to fetch CI Logon certificates for Fermilab.

fermilab-util_makehostkeys

A simple utility to fetch Kerberos keytabs.

yum-conf-fermilab

The yum repo definitions for the Fermilab repos.

yum-conf-fermilab-gpgkey

The GPG key used in the yum repo definitions for the Fermilab repos.

yum-conf-fermilab-mirror

DNF/Yum repo definitions for Fermilab’s local mirrors.

yum-conf-fermilab-mirror-almalinux

DNF/Yum repo definitions for Fermilab’s local mirror of AlmaLinux.

yum-conf-fermilab-mirror-centos-stream

DNF/Yum repo definitions for Fermilab’s local mirror of CentOS Stream.

yum-conf-fermilab-mirror-epel

DNF/Yum repo definitions for Fermilab’s local mirror of EPEL.

yum-conf-fermilab-mirror-epel-next

DNF/Yum repo definitions for Fermilab’s local mirror of EPEL-Next.