Scientific Linux Fermi 5.11 i386/x86_64 December 8, 2014 --------------------------------------------------------------------------- Items marked with a "*" have changed since SLF 5.10 Please read the Release Notes for Scientific Linux. It is located at SL.releasenote Also read the Upstream Vendor release notes . They are located in Upstream.vendor.releasenote All of the info in the SL.releasenote is valid unless this document states otherwise. This document only contains info that is specific to the Fermi site. Any reference to SL.releasenote is done to emphasis that it contains important information. ---------------------------------------------------------------------------- This is based on the rebuilding of RPMS out of SRPMS's that form Scientific Linux. Please read this entire document before installing. Table of contents INSTALLATION INFO ADDED compared to Scientific Linux 5.11 UPDATED compared to Scientific Linux 5.11 Installer modifications /contrib /docs /notsupported MISC Notes HARDWARE SPECIFIC ISSUES SOFTWARE ISSUES/BUGS SUPPORT INFO vendor ERRATA Each has a "---" line above and below it. _____________________________________________________________________________ INSTALLATION INFO _____________________________________________________________________________ Installation Locations Paths for both arches are provided. Please select the correct arch for your system. Via NETWORK: nfs: ftp: http: And our easy to remember location Network install with CDROM There is a boot.iso which is small iso image which includes all the drivers. After download you can use cdrecord to create a cdr with this image on it. Install via DVD image Download and then burn the dvd iso image from Installing a Xen Paravirtualized Guest When installing a Xen Paravirtualized Guest, the location is ----------------------------------------------------------------------------- ADDED compared to Scientific Linux 511 ----------------------------------------------------------------------------- *Fermi-release *Fermi-release-notes * Fermi-release-5.11-2.slf.x86_64.rpm * Fermi-release-5.11-2.slf.i386.rpm * Fermi-release-notes-5.11-2.noarch.rpm Made change so that /etc/redhat-release, /etc/issue and /etc/ show Scientific Linux Fermi instead of just Scientific Linux. augeas augeas-1.0.0-1.el5 augeas-devel-1.0.0-1.el5 augeas-libs-1.0.0-1.el5 Added as a dependency for zz_apache_no_browsable_directory Updated to the latest EPEL version, this fixes many parsing bugs This rpm was built from an EPEL source package Clam Anti Virus Clam Anti-Virus. Obtained from the DAG and EPEL repositories and rebuilt from src.rpm. perl packages were added so that clamtk would work clamav-0.97.3-3.el5 clamav-db-0.97.3-3.el5 clamav-devel-0.97.3-3.el5 clamav-milter-0.97.3-3.el5 clamd-0.97.3-3.el5 clamtk-3.09-1.rf clamav-unofficial-sigs-3.7.1-6.el5 perl-Config-Tiny-2.12-1.rf perl-ExtUtils-Depends-0.301-1.rf perl-ExtUtils-PkgConfig-1.11-1.rf perl-File-Find-Rule-0.30-1.rf perl-gettext-1.05-1.rf perl-Glib-1.200-1.rf perl-Gtk2-1.183-1.rf perl-Number-Compare-0.01-1.2.rf perl-Text-Glob-0.08-1.rf drbd DRBD mirrors a block device over the network to another machine. Think of it as networked raid 1. It is a building block for setting up high availability (HA) clusters. kernel-module-drbd x86_64 * kernel-module-drbd-2.6.18-398.el5-8.3.7-1.sl5.x86_64.rpm * kernel-module-drbd-2.6.18-398.el5xen-8.3.7-1.sl5.x86_64.rpm i386 * kernel-module-drbd-2.6.18-398.el5-8.3.7-1.sl5.i686.rpm * kernel-module-drbd-2.6.18-398.el5PAE-8.3.7-1.sl5.i686.rpm * kernel-module-drbd-2.6.18-398.el5xen-8.3.7-1.sl5.i686.rpm Added for dependency resolution bash-completion-1.3-5 libpacemaker3-1.0.1-6.2.sl5 libpacemaker-devel-1.0.1-6.2.sl5 pacemaker-1.0.1-6.2.sl5 epel-release Installes the epel repo disabled by default epel-release-5-5.SLF.noarch.rpm elrepo-release Installes the elrepo repo disabled by default It also excludes any OpenAFS packages to avoid compatibility issues elrepo-release-5-5.el5.SLF.noarch.rpm flpr Installed by default. This does NOT require ups/upd. The flpr binary will reside in /usr/local/bin/ flpr-2.4-4f.9x.i386.rpm heartbeat heartbeat is a basic high-availability subsystem for Linux-HA. It will run scripts at initialization, and when machines go up or down. This version will also perform IP address takeover using gratuitous ARPs. It supports "n-node" clusters with significant capabilities for managing resources and dependencies. Updated to a more current version heartbeat-2.99.2-6.1.sl5.1 heartbeat-common-2.99.2-6.1.sl5.1 heartbeat-devel-2.99.2-6.1.sl5.1 heartbeat-ldirectord-2.99.2-6.1.sl5.1 heartbeat-resources-2.99.2-6.1.sl5.1 libheartbeat2-2.99.2-6.1.sl5.1 libheartbeat-devel-2.99.2-6.1.sl5.1 libnet-1.1.5-1.el5 libnet-devel-1.1.5-1.el5 Kerberos We have updated the kx509 and get-cert to be able to use the newer certificate servers Update krb5.conf to v4.7 changing KDC search order to put the FCC3 Slave KDC first by default krb5-fermi-getcert-2.0-2 * krb5-fermi-addons-1.2-2.slf5 * Replace Fermilab-provided aklog executable by a scriptlet to * /usr/bin/aklog if it exists * krb5-fermi-base-2.2-2.noarch.rpm * Modify the aklog.csh/sh and z_krb5.csh/sh scripts for * /etc/profile.d/ replace "aklog" by "/usr/bin/aklog -noprdb" * Modified kinit and kinit-debug scripts to (1) invoke aklog * provided with OpenAFS (as /usr/bin/aklog) and (2) added the * -noprdb option to aklog call so it will work for both normal * user principals and compound principals * krb5-fermi-config-5.0a-1.noarch.rpm * krb5-fermi-krb5.conf-5.0a-1.noarch.rpm * Update krb5.conf to remove i-keb-3 from KDC list * Added aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 * to default tgs,tkt and permitted enctypes * krb5-devel-1.6.1-80.el5.slf5 * krb5-libs-1.6.1-80.el5.slf5 * krb5-server-1.6.1-80.el5.slf5. * krb5-server-ldap-1.6.1-80.el5.slf5 * krb5-workstation-1.6.1-80.el5.slf5 krb5-auth-dialog-0.7-1.slf5 Patched to fix kshd hang problem. OpenAFS See SL.releasenote Here is the procedure for installing openafs, using yum yum install openafs-client kernel-module-openafs-`uname -r` yum install openafs-krb5 openafs-thiscell openafs-thiscell-FNAL now changes CellAlias so that /afs/fnal is really /afs/ openafs-thiscell-FNAL-6.noarch.rpm pidgin-sipe purple-sipe A pidgin plugin for Microsoft Chat protocols pssh A high performance parallel ssh client with many options redhat-logos-4.9.16-1.SLF.4.noarch.rpm This version of redhat-logo's has all of the generic changes that were made with Scientific Linux as well as changes to make it look like SLF. rrdtool Round Robin Database Tool to store and display time-series data rrdtool-1.3.9-2.sl5 rrdtool-devel-1.3.9-2.sl5 rrdtool-perl-1.3.9-2.sl5 rrdtool-python-1.3.9-2.sl5 rrdtool-ruby-1.3.9-2.sl5 rrdtool-tcl-1.3.9-2.sl5 SLIP Scientific Linux Inventory Project client Name changed to be compatible with SLF6, installs asking for the previous name (ocsinventory-client) will still work as before on SLF5 Now has an /etc/sysconfig/ocsinventory-fermi for behavior control Can enable "DEBUG mode" * Fixed issue where ethernet can be named eth or en . * ocsinventory-fermi-0.9.9-17.noarch.rpm *rgang * rgang-3.4-2.noarch.rpm * RGANG is a tool which allows one to execute commands on or distribute * files to many nodes (computers). revtex tetex-natbib-8.31a-1.sl5.1.noarch.rpm tetex-revtex-4.1-1.sl5.1.noarch.rpm Added to simplify creating articles for publication upsupdbootstrap Not installed by default. Links from /usr/local/bin are NOT made anymore. upsupdbootstrap-5.0-0.i386.rpm upsupdbootstrap-fnal-5.0-0.i386.rpm conflicts with upsupdbootstrap-local Installs ups/upd to /fnal/ups upsupdbootstrap-local-5.0-0.i386.rpm conflicts with upsupdbootstrap-fnal Installs ups/upd to /local/ups yum-conf Modified to give Fermi's rpm's a priority, as well as point to Fermi's linux distribution servers instead of scientific linux's. * yum-conf-511-2.slf.noarch.rpm * Point to release yum-conf-5x Will keep you at 5x which is the current stable 5x release. So when we release the next 5 release yum will automatically yum install it except for the kernel. Starting with SL 5.9, yum-conf-5x is automatically installed. Users wishing for the historical behavior can remove the package with 'yum remove yum-conf-5x' This rpm will also pull in the yum-conf-adobe package to create the adobe repos. The adobe repos were previously created by the yum-conf and yum-conf-5x repos. yum-conf-5x-2-0.slf5.noarch.rpm yum-conf-fermi-internal Adds the fermi-internal yum repository yum-conf-fermi-internal-5-1.noarch.rpm yum-autoupdate-1.2-3.SLF.noarch.rpm yum-autoupdate has the nightly yum cron job in it. The nightly cron job has been modified to check the add-ons directory. Added /etc/yum.d/yum.cron.updateexec for configuring PRERUN and POSTRUN You can now trigger events before or after yum-autoupdate like in SLF6 zz_apache_no_browsable_directory-1.0-4.noarch.rpm This modifies the /etc/httpd/conf/httpd.conf file using augeas so that mod_autoindex does not list your directories out by default. This will remove 'Indexes' from your 'Options' list for '/var/www/html' and '/var/www/icons'. It will also remove 'Indexes' from the sample options list for mod_userdir (~username directories). You can still enable this option with a .htaccess file or by editing the config file yourself. To return indexes to working state you will need to add: Options +Indexes to either your apache config or your .htaccess file zz_apache_use_clogger-1.0-1.el5.noarch.rpm This rpm modifies the /etc/httpd/conf/httpd.conf file using augeas so that log events are sent to the traditional files and to clogger. It does this via use of /usr/bin/logger and should have a negligible performance impact. It only changes the default logs and is expected to run against the default /etc/httpd/conf/httpd.conf It requires rsyslog5 introduced in SLF 5.9 and will replace the standard SLF5 syslog service. zz_auto_update_kernel-1.0-1.noarch.rpm Remove the exclude of the kernel from the nightly autoyum thus allowing the kernel to be upgraded via the nightly yum. Note that this does not check if you have custom kernel modules or a custom kernel installed. You have to ensure that this will work in your environment. You will have to reboot after the kernel is upgraded. The rpm does NOT reboot the system. Watch root email for notification of all nightly auto yum updates. zz_dhcp_resolv-3.0.5-1.noarch.rpm This rpm fixes that so that when your network starts, as it checks your resolv.conf, if you have, but not it will put it in, so that you will have "search" in your /etc/resolv.conf file. Does not work with NetworkManager zz_disable_avahi-1.0-0.5.noarch.rpm This will turn off and disable the avahi daemons zz_lang_collate-1.0-4.noarch.rpm Changes LANG so that sorting is done the same as 6.1 and earlier. (ABCabc instead of AaBbCc). Can speed up programs that sort. zz_local_dns_cache-3-1.3.2.noarch.rpm This rpm will change your machine to use a local dns cache before looking for the standard dns servers There have been a large number of bug fixes for determing when and what triggers to run zz_logwatch_df-1.1-2.noarch.rpm By default logwatch does a df -h when looking at disk usage. This can be unwanted if you have alot of NFS mounted disks. This rpm changes that command to be df -lP -h, which looks at local disks only, and the output is in the POSIX output format. *zz_ntp_configure-4.2.6-7.slf5.noarch.rpm Configure ntp for Fermi site network. Startup script now pokes hole in the firewall for itself One can manually change the script by editing the file /etc/sysconfig/ntpd.fermi zz_pine_user_domain-1.0-3.noarch.rpm By default when a user sends mail from pine their email address is This rpm changes it so that the default is by modifying the /etc/alpine/pine.conf config file. zz_screenlock_kde Enables screen lock with "blanking" screen saver so power saving monitors will go into sleep mode. Ensures that the Timeout value is 15 minutes or less. Preserves existing values if they are less than required minimum value. Installed by default if KDE is installed. zz_sendmail_fermi_gateway-2.1-2.noarch.rpm zz_postfix_fermi_gateway-1.1-2.noarch.rpm This rpm is designed to configure sending outbound e-mail through the fermilab e-mail gateway( zz_tcp_wrappers_change-3.0-3.noarch.rpm Disable all offsite access to common network services. Also puts in the "DOE required login banners". If it determines that you have already modified /etc/hosts.allow or host.deny it leaves them alone. Change to add perl to requires as %post uses perl zz_tex_tweaks-1.0-1.noarch.rpm Changes the default paper size to 8.5 x 11 vs A3 zz_use_clogger-1.1-4.noarch.rpm Change /etc/syslog.conf to log to Supports rsyslog5, you can utilize rsyslog5 --------------------------------------------------------------------------- UPDATED compared to Scientific Linux 5 ---------------------------------------------------------------------------- OpenSSH This is the openssh from S.L. 5.x with some patches and modifications. The client does kerberos with both fermi's old openssh(old gssapi), as well as generic new openssh's(new gssapi) The server only does the kerberos with the newer versions of openssh It does 'kerberos only' by default It does not do cryptocard; cryptocard is enabled by pam_krb5. * Since the Fermi KDC do not support cryptocard we are removing pam_krb5. openssh-server is not installed by default. added Mark Mengel's GSS_HOSTNAME patch openssh-4.3p2-82.el5.slf openssh-askpass-4.3p2-82.el5.slf openssh-clients-4.3p2-82.el5.slf openssh-server-4.3p2-82.el5.slf *pam_krb5 * Since the Fermi KDC do not support cryptocard we are removing pam_krb5. This is a modified version of the pam_krb5 that comes with SL5. This pam module has the ability to do cryptocard authentication. * pam_krb5-2.2.11-6.slf5 ---------------------------------------------------------------------------- Installer modifications --------------------------------------------------------------------------- Anaconda (installer) Changes to "defaults" from vendor installer. Firewall is on by default. The zz_ntp_configure-4.2.0-6 rpm pokes a hole for inbound ntp. US/Central is default timezone. vendor default was New York. Kerberos is on by default with a realm of FNAL.GOV . vendor default was off. Default install is via http. If one wishes to use nfs then type nfs at the isolinux prompt. If one wshes to use ftp then type ftp at the isolinux prompt. Support for "sites" was added. Support for workgroups was added Workgroup maintainers can now check their workgroups in an out of cvs Fixed the kernel-module bug that was in SLF 5.0 Kickstart additions: The following groups have been added to the comps.xml for SLF5 - fermi / misc-slf - clamav - drbd-group - heartbeat-group - local-printer - openafs-client - openssh-server - rrdtool-group - upsupdbootstrap --------------------------------------------------------------------------- /contrib/ --------------------------------------------------------------------------- The packages in this section have been contributed by various people. They are presented AS IS and there is no guarantee of them working. These packages are NOT supported by us. They will only get security updates if the contributor provides them. If you have questions about them then ask the contributor. To use with yum: For one time only (prefered method) yum --enablerepo=fermi-contrib install <package> To enable for all yum updates/install (including autoyum) edit the file /etc/yum.repos.d/fermi-contrib.repo and change the line enabled=0 to enabled=1 See README's in the RPMS/ directorys for specific package info. /sites/Fermi/contrib/RPMS/ --------------------------------------------------------------------------- KNOWN LIMITATIONS/BUGS --------------------------------------------------------------------------- The estimated time to install is not even close. After you have picked a workgroup on the workgroup selection page and moved to the next , you cannot go back to that page. The installer will die. --------------------------------------------------------------------------- MISC NOTES --------------------------------------------------------------------------- If you select "linux text" or you might want to type "linux text noipv6" because the install trys to do ipv6 and since there is no support at FNAL for ipv6 it takes a long time to timeout kickstart users might want to add the "noipv6" option to their ks.cfg file The SLF workgroups were frozen with SLF 5.9, this release has updated the workgroup rpm version numbers to 'slf5' rather than a specific minor release to signify this change. MySQL: Scientific Linux 5.10 provides updated versions, specifically versions 5.1 and 5.5, of the MySQL packages as software collections. In order to migrate from MySQL 5.0 to 5.5, you must first update to MySQL 5.1. Note that the MySQL 5.1 packages are not supported and are provided only for the purposes of migration to MySQL 5.5. You should not use MySQL 5.1 on any of your production systems. For more information on the migration from MySQL 5.0 to MySQL 5.5, refer to chapter Migrating from MySQL 5.0 to MySQL 5.5 provided by Upstream at: As a result of this update, we will not issue any more security advisories for the MySQL 5.0 packages (mysql-5.0.* and related packages). Security advisories will be provided only for MySQL 5.5. --------------------------------------------------------------------------- SUPPORT INFO --------------------------------------------------------------------------- Fermi site users should start with the "Fermi" specific support areas and use the Scientific Linux next. Scientific Linux Fermi web pages Fermi Linux Community support mailing list Which is archived at Scientific Linux web page ---------------------------------------------------------------------------- ERRATA included which was released after SL ---------------------------------------------------------------------------- Security errata will not be placed in the default install tree as has been done with prior releases of Scientific Linux Fermi 5. They will only reside in the updates/security/ directory. You will have to do a "yum -y update" after the installation via DVD to install all the security errata.