Fermilab RPMs for Alma Linux 9, (RHEL9, CentOS Stream 9, and similar)

This repository contains RPMs to assist with using the Fermilab General Computing Environment on EL9 systems.

Packages in this repository are signed by GPG Key:

pub   4096R/ABEC1471 2020-01-30
uid                  Fermilab RPM Key (Used for signing RPMs built at Fermilab) <LINUX-USERS@LISTSERV.FNAL.GOV>
sub   4096R/804610A8 2020-01-30

Source Repos

The source for packages in these repos can be found at https://github.com/fermilab-context-rpms. You can review it for recomendations on how to configure your system if use of these packages is not right for your environment.

Installation Instructions

RPMs can be loaded interactively with dnf/yum and/or at install time with Kickstart.

These RPMs will own their configuration files. Any local changes will be reverted upon upgrade. Your modified files will be saved off as .rpmsave files.

You are expected to have working access to the OS repos. If you require use of the local Fermilab mirrors you should install the yum-conf-fermilab-mirror package first.

1. Interactive Steps

This method should work for any admin who wishes to install some or all of the Fermilab packages.

You will need to install the fermilab yum repo

sudo yum install https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/9/yum-conf-fermilab.rpm

To get specific packages, you can install them as normal now:
```
sudo yum install ${SOMEPACKAGE}
```

To get the minimum requirements for on-site computing:

sudo yum install --setopt=install_weak_deps=False fermilab-base_on-site

To get all the recommended packages run:

sudo yum install --setopt=install_weak_deps=True fermilab-base_on-site

sudo yum group install fermilab

To get all the recommended and optional packages run:
```
sudo yum group install --with-optional fermilab
```

These yum commands should not cause errors if run multiple times.

2. From Kickstart

Add the yum repo to your known repos:

repo --name=fermilab --baseurl=https://linux-mirrors.fnal.gov/linux/fermilab/almalinux/$releasever/$basearch/
%packages
@fermilab

Or you may specify any specific packages you wish to select from this repo

Additional Information on Fermilab Packages

fermilab-base_on-site: This package requires the config RPMs that will alter your system settings for use at Fermilab. A sudo yum install on this package will install those dependencies automatically. It uses RPM’s rich dependencies to suggest additional, optional, packages that may be useful.
fermilab-conf_ca-certs: Place the Fermilab CA Certificates (for our local CA) in /usr/share/fermilab-conf_ca-certs. You can fetch them directly from https://authentication.fnal.gov/certs/
fermilab-conf_ca-certs-trust: Adds the Fermilab CA Certificates (for our local CA) to your CA Trust Store. You can fetch them directly from https://authentication.fnal.gov/certs/
fermilab-conf_doe-banner: Contains the standardized banner messages for use at Fermilab.
fermilab-conf_doe-banner-cockpit: Add a notification banner to the cockpit login screen regarding your rights and restrictions on the Fermilab Network.
fermilab-conf_doe-banner-console: Add a notification banner to the text console regarding your rights and restrictions on the Fermilab Network.
fermilab-conf_doe-banner-gdm: Add a notification banner to the GDM login window regarding your rights and restrictions on the Fermilab Network.
fermilab-conf_doe-banner-login-screen: Add a notification banner to the recognized login windows regarding your rights and restrictions on the Fermilab Network.
fermilab-conf_email-gateway: Setup postfix to route outbound email through an approved mail gateway.
fermilab-conf_firewall: Add a firewall zone with the FNAL IP ranges.
fermilab-conf_firewall-firewalld: Add a firewalld zone with the FNAL IP ranges.

This rpm will reload the firewalld config.

fermilab-conf_http-use-syslog: Setup webservers to log into syslog.
fermilab-conf_http-use-syslog-apache-httpd: Setup apache-httpd to log to syslog.

This rpm may result in double logging on your system.

The apache-httpd ErrorLog may only be defined once. The definition closest to access is the one used.

fermilab-conf_http-use-syslog-nginx: Setup nginx to log to syslog

This rpm may result in double logging on your system.

fermilab-conf_install-updates: Ensure all system updates are applied nightly.
fermilab-conf_kerberos: Load the Fermilab Kerberos configuration settings.

fermilab-conf_kerberos no longer uses /etc/kdc.list to customize the default kdc list. You should instead create a custom entry in /etc/krb5.conf.d/00-my-kdcs.conf with your expected settings.

fermilab-conf_login-screen-no-user-list: Do not show a list of valid users on the recognized login windows.
fermilab-conf_login-screen-no-user-list-gdm: Do not show a list of valid users on the GDM login window.
fermilab-conf_ocsinventory: Configuration for the Fermilab OCS Inventory Server.
fermilab-conf_screenlock: Setup screensaver to lock automatically after inactivity on recognized desktops.
fermilab-conf_screenlock-gnome: Setup GNOME desktop to lock automatically after inactivity.
fermilab-conf_screenlock-weston: Setup Weston desktop to lock automatically after inactivity.
fermilab-conf_ssh: Pull in SSH config settings useful for Fermilab SSH Servers.
fermilab-conf_ssh-client: Add SSH client settings useful for connecting to Fermilab SSH Servers.
fermilab-conf_ssh-server: Configure your SSH Server for use on the Fermilab Network.
fermilab-conf_sssd: Configure SSSD to permit Kerberos or local password authentication. This package also provides behavior similar to fermilab-conf_kerberos-local-passwords from the SL7 Fermilab Context.

fermilab-conf_sssd will attempt to reconfigure authentication on your system. If this fails, you will need to manually run authselect for your system.

fermilab-conf_system-logger: Forward your system logs to the Central Log Server.
fermilab-conf_system-logger-rsyslog: Forward your system logs via rsyslog to the Central Log Server.
fermilab-conf_timesync: Setup a supported NTP client to use the Fermilab approved timeservers.
fermilab-conf_timesync-chrony: Setup the chrony NTP client to use the Fermilab approved timeservers.
fermilab-util_kcron: Setup Kerberos rights for scheduled jobs and daemons.
fermilab-util_kx509: A simple utility to fetch CI Logon certificates for Fermilab.
fermilab-util_makehostkeys: A simple utility to fetch Kerberos keytabs.
yum-conf-fermilab: The yum repo definitions for the Fermilab repos.
yum-conf-fermilab-gpgkey: The GPG key used in the yum repo definitions for the Fermilab repos.
yum-conf-fermilab-mirror: DNF/Yum repo definitions for Fermilab’s local mirrors.
yum-conf-fermilab-mirror-almalinux: DNF/Yum repo definitions for Fermilab’s local mirror of AlmaLinux.
yum-conf-fermilab-mirror-centos-stream: DNF/Yum repo definitions for Fermilab’s local mirror of CentOS Stream.
yum-conf-fermilab-mirror-epel: DNF/Yum repo definitions for Fermilab’s local mirror of EPEL.
yum-conf-fermilab-mirror-epel-next: DNF/Yum repo definitions for Fermilab’s local mirror of EPEL-Next.