This repository contains RPMs to assist with using the Fermilab General Computing Environment on EL8 systems.

Packages in this repository are signed by GPG Key:

pub   4096R/ABEC1471 2020-01-30
uid                  Fermilab RPM Key (Used for signing RPMs built at Fermilab) <LINUX-USERS@LISTSERV.FNAL.GOV>
sub   4096R/804610A8 2020-01-30

Source Repos

The source for packages in these repos can be found at https://github.com/fermilab-context-rpms. You can review it for recomendations on how to configure your system if use of these packages is not right for your environment.

Installation Instructions

There are three clear ways to load the relevant RPMs onto your system. You may use more than one if you desire.

Note These RPMs will own their configuration files. Any local changes will be reverted upon upgrade. Your modified files will be saved off as .rpmsave files.

1. Full Automation

Tip The "Full Automation" RPM is targeted at systems on-site at Fermilab. It may not be suitable for all off-site environments.
Warning The following command will make a number of changes on your behalf! These changes are not totally visable to you during installation!
yum install https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/8/fermilab-apply-site-config.rpm
Note This RPM will remove itself from the system automatically. This permits you to re-run this as often as you wish with one command.

2. Interactive Steps

Tip This method should work for any admin who wishes to install some or all of the Fermilab packages.

You will need to install the fermilab yum repo

yum install https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/8/yum-conf-fermilab.rpm
  • To get specific packages, you can install them as normal now:

    yum install ${SOMEPACKAGE}
  • To get the minimum requirements for on-site computing:

    yum install fermilab-base_on-site
  • To get all the recommended packages run:

    yum group install fermilab
  • To get all the recommended and optional packages run:

    yum group install --with-optional fermilab
Note You can run these yum commands multiple times if you wish.

3. From Kickstart

Add the yum repo to your known repos:

repo --name=fermilab --baseurl=https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/$releasever/$basearch/
%packages
@fermilab

Or you may specify any specific packages you wish to select from this repo

Additional Information on Packages

fermilab-apply-site-config

This package will install the Fermilab RPMs repo and fork off a second task to install any expected RPMs.

fermilab-base_on-site

This package depends on the config RPMs that will alter your system settings for use at Fermilab.

fermilab-conf_ca-certs

Adds the Fermilab CA Certificates (for our local CA) to your CA Trust Store. You can fetch them directly from https://authentication.fnal.gov/certs/

fermilab-conf_doe-banner-cockpit

Add a notification banner to the cockpit login screen regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_doe-banner-console

Add a notification banner to the text console regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_doe-banner-login-screen

Add a notification banner to the GDM login window regarding your rights and restrictions on the Fermilab Network.

fermilab-conf_email-gateway

Setup postfix to route outbound email through an approved mail gateway.

fermilab-conf_install-updates

Ensure all system updates are applied nightly.

fermilab-conf_kerberos

Load the Fermilab Kerberos configuration settings.

Note fermilab-conf_kerberos no longer uses /etc/kdc.list to customize the default kdc list. You should instead create a custom entry in /etc/krb5.conf.d/00-my-kdcs.conf with your expected settings.
fermilab-conf_login-screen-no-user-list

Do not show a list of valid users on the GDM login window.

fermilab-conf_screenlock

Setup Gnome, KDE, and Mate screensaver to lock automatically after inactivity.

fermilab-conf_ssh-client

Add SSH client settings useful for connecting to Fermilab SSH Servers.

fermilab-conf_ssh-server

Configure your SSH Server for use on the Fermilab Network.

fermilab-conf_sssd

Configure SSSD to permit Kerberos or local password authentication. This package also provides behavior similar to fermilab-conf_kerberos-local-passwords from the SL7 Fermilab Context.

Note fermilab-conf_sssd will attempt to reconfigure authentication on your system.
fermilab-conf_system-logger

Forward your system logs from rsyslogd to the Central Log Server.

fermilab-conf_timesync

Setup chronyd to use the Fermilab approved timeservers.

fermilab-util_kcron

Setup Kerberos rights for scheduled jobs and daemons.

fermilab-util_makehostkeys

A simple utility to fetch Kerberos keytabs.

fermilab-util_ocsinventory

Configuration for the Fermilab OCS Inventory Server.

yum-conf-fermilab

The yum repo definitions for the Fermilab repos.