Scientific Linux Fermi LTS 304 for x86_64 February 22, 2005 Please send bug reports to dawson@fnal.gov,csieh@fnal.gov ---------------------------------------------------------------------------- Please read the Release Notes for Scientific Linux. They are located at SL.releasenote All of the info in the SL.releasenote is valid unless this document states otherwise. This document only contains info that is specific to the Fermi site. I may specifically say to read the SL.releasenote file, this is only done to emphasize this item. ---------------------------------------------------------------------------- This is based on Scientific Linux 3.0.4, which is a rebuild of AS 3 including Update 4, with the following changes. There has not been any FUE certification done yet. Please read this entire document before installing. Table of contents HARDWARE REQUIREMENTS INSTALLATION INFO ADDED compared to Scientific Linux 3.0.4 UPDATED compared to Scientific Linux 3.0.4 Installer modifications /contrib /docs MISC Notes HARDWARE SPECIFIC ISSUES SOFTWARE ISSUES/BUGS SUPPORT INFO vendor ERRATA Each has a "---" line above and below it. _____________________________________________________________________________ HARDWARE REQUIREMENTS _____________________________________________________________________________ The following information represents the minimum hardware requirements necessary to successfully install Scientific Linux Fermi LTS 3.0.4 : - Minimum: Athlon 64, Opteron , Intel EM64T enabled Pentium 4/Xeon - Recommended for text-mode: - Minimum of 256MB Memory - Recommended for graphical: - Recommended: 256MB Hard Disk Space (NOTE: Additional space will be required for user data): - Common "Fermi Generic Desktop" Installation : 4.5GB _____________________________________________________________________________ INSTALLATION INFO _____________________________________________________________________________ Installation Locations Via NFS linux.fnal.gov:/export/linux/lts304/x86_64/ with cdrom There is also a boot.iso which is small iso image which includes all the drivers on the driver floppies and the generic boot info. This can be used instead of the above floppies. After download you can use cdrecord to create a cdr with this image on it. ftp://linux.fnal.gov/linux/lts304/x86_64/images/Fermi/boot.iso Via CDROM Download and then burn cdrom iso images from ftp://linux.fnal.gov/linux/lts304/x86_64/sites/Fermi/iso/ ----------------------------------------------------------------------------- ADDED compared to SL 3.0.4 ----------------------------------------------------------------------------- Acrobat acroread-5.010-1.i386.rpm acroread-plugin-5.010-1.i386.rpm flpr I am installing the flpr rpm by default. I got the latest version from Randy. This does NOT require ups/upd. The flpr binary will reside in /usr/local/bin/ . This should just make using flpr easier for all. flpr-2.4-4f.9x.i386.rpm Java Sun currently allows us to distribute their java rpms. j2re is just the runtime enviroment j2sdk is the runtime enviroment, plus compilors. So you do not need both of these. Version 1.4.2_07 fixes a security hole with the plugins. Version 1.4.2_07 works with the CD helpdesk web pages. We are putting in Sun's j2sdk rpm straight from Sun so that the new java from jpackage can make all the correct links to setup the java correctly. j2sdk-1.4.2_07-fcs.i586.rpm The j2re-blackdown was discontinued because it wasn't keep up with security plugins as fast as we had liked. Kerberos -- Fermi version krb5-fermi-config-1.9-4.LTS.noarch.rpm krb5-fermi-krb5.conf-1.9-3.LTS.noarch.rpm krb5-libs-fermi-1.8a-LTS30x.1.i386.rpm krb5-workstation-fermi-1.8a-LTS30x.1.i386.rpm release 1.8a-LTS30x.1 fixes a security problem. Correct permissions were put on all files your old krb5.conf is now checked to see if it needs to be completely fresh or not. If it does not need a fesh krb5.conf then only the top half is changed. kx509 and kxlist were added. krb5-fermi-krb5.conf will ONLY put on a /etc/krb5.conf that points to the fermi domain. If you have krb5-fermi-config you DO NOT need this. This is intended for use with the Redhat provided kerberos. Many offsite users will find this of use. krb5-fermi-config-1.9-4 and later has a seperate script that only adds or removes aklog from your krb5.conf. This script now get's run (via triggers) whenever openafs get's added or removed. OpenAFS See SL.releasenote openafs-thiscell-FNAL-4.noarch.rpm This sets up the "thiscell" to point to Fermi. Performance Co-Pilot (PCP) config Config file specific for Fermi site. pcp-config-2.3.0-LTS3x.2.i386.rpm SL_rpm_show_arch-1.0-1.noarch.rpm Changes the default output of "rpm -q " from "name-version" to "name-version.arch" upsupdbootstrap upsupdbootstrap-3.0-7.i386.rpm upsupdbootstrap-generic-3.0-5.i386.rpm upsupdbootstrap-local-3.0-5.i386.rpm Workgroup tag files These are used to specify which workgroup you belong to. Astro-tag-3.0-4.noarch.rpm BooNE-tag-3.0-4.noarch.rpm BooNEDataServer-tag-3.0-5.noarch.rpm BTeV-tag-3.0-5.noarch.rpm BTeVTrigger-tag-3.0-5.noarch.rpm BTeVSimulation-tag-3.0-7.noarch.rpm BTeVWorker-tag-3.0-7.noarch.rpm CDFCAFworker-tag-3.0-4.noarch.rpm CDFlevel3-tag-3.0-4.noarch.rpm CDFoffsite-tag-3.0-4.noarch.rpm CDFonline-tag-3.0-4.noarch.rpm CDF-tag-3.0-4.noarch.rpm ClueD0Workstation-tag-3.0-4.noarch.rpm CMSdesktop-tag-3.0-4.noarch.rpm CMSfarm-tag-3.0-4.noarch.rpm CMSserver-tag-3.0-4.noarch.rpm ConsoleServer-tag-3.0-4.noarch.rpm CPD-tag-3.0-4.noarch.rpm CPDserver-tag-3.0-5.noarch.rpm CSS-tag-3.0-4.noarch.rpm FarmsConsole-tag-3.0-4.noarch.rpm Farms-tag-3.0-4.noarch.rpm FermiStandAlone-tag-3.0-4.noarch.rpm FermiVeryGeneric-tag-3.0-4.noarch.rpm FnaluBatch-tag-3.0-4.noarch.rpm FnaluInteractive-tag-3.0-4.noarch.rpm FOCUS-tag-3.0-4.noarch.rpm GenericFarm-tag-3.0-4.noarch.rpm Minos-tag-3.0-4.noarch.rpm OAA-tag-3.0-4.noarch.rpm RIP-tag-3.0-4.noarch.rpm SDSS-tag-3.0-4.noarch.rpm Sidet-tag-3.0-4.noarch.rpm Theory-tag-3.0-4.noarch.rpm FermiGenericDesktopOffsite-tag-3.0-6.noarch.rpm zz_a2ps_stdout-1.0-2.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Change the output of a2ps to go to stdout vs the printer. zz_cups_nobrowse-1.0-4.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. By default the cups deamon constantly searches the network to find and check on other cups printers. This rpm turns that feature off. It also turns off the cupd server as it is not really needed. zz_dhcp_resolv-2.2-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. This rpm fixes that so that when your network starts, as it checks your resolv.conf, if you have dhcp.fnal.gov, but not fnal.gov it will put it in, so that you will have "search fnal.gov dhcp.fnal.gov" in your /etc/resolv.conf file. zz_emacs_link-1.1-3.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Make a symbolic link from "emacs" to "xemacs" when xemacs is installed and emacs is not installed. This version uses triggers to make or remove the link when emacs, or xemacs is added or removed. zz_fermi-logos Changed from i386 to noarch as that is what they should have been in the first place. zz_fermi-logos-3.0.2-1.noarch.rpm redhat-artwork-0.73.2-1.LTS.x86_64.rpm redhat-logos-1.1.14.3-5.LTS.noarch.rpm Because we were required to change redhat-logos, we didn't have to do all the little tweeks that we were doing in zz_fermi-logos This version has most of those tweeks taken out. Since it is related, and the license permits us, we have also taken out the most glaring redhat logo's from redhat-artwork. Fixed a bug with the gdm greeeter theme. Put in gnome-foot for menu icon so you can tell it is gnome. zz_firstboot_fix-1.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Make changes to firstboot. 1.0 - removes the question about adding users zz_lang_collate-1.0-2.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Changes LANG so that sorting is done the same as 6.1 and earlier. (ABCabc instead of AaBbCc). This is not installed by default except for a few workgroups. Can be added later with a "yum install zz_lang_collate" . zz_logwatch_df-1.0-2.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. By default logwatch does a df -h when looking at disk usage. This can be unwanted if you have alot of NFS mounted disks. This rpm change the command to be df -h -l, which looks at local disks only. zz_ntp_configure-4.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Configure ntp for Fermi site network. zz_pine_user_domain-1.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. By default when a user sends mail from pine their email address is myname@mycomputer.fnal.gov. This rpm changes it so that the default is myname@fnal.gov by modifying the /etc/pine.conf config file. zz_rhnsd_off-1.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. This rpm turns off rhnsd, which is on by default. zz_sshd_aklog-1.1-6.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. This rpm contains a script that will ensure that you have the correct path to aklog in your sshd_config script. It you do not have AFS installed it comments out the aklog line. This script is 'trigger'able, so that when you update your openssh-server or your afs client, it will re-run to keep the sshd_config file up to date. zz_sshd_nonkerberized-1.0-0.7.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Fermi's openssh is normally kerberized out of the box. This rpm will make it non-kerberized. Should only be used offsite. version 1.0-0.7 fixes the privilege seperation user - server start problem. zz_tcp_wrappers_change-3.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Disable all offsite access to common network services. Also puts in the "DOE required login banners". If it determines that you have already modified /etc/hosts.allow or host.deny it leaves them alone. zz_tex_tweaks-1.0-1.noarch.rpm Changed from i386 to noarch as that is what they should have been in the first place. Changes the default paper size to 8.5 x 11 vs A3 --------------------------------------------------------------------------- UPDATED compared to SL 3.0.4 ---------------------------------------------------------------------------- apt-get Scientific Linux Fermi x86_64 is NOT aptable as apt does NOT understand a multiarch release and this release is multiarch. It has both i386 and x86_64 versions of some rpms. Only YUM is installed by default and ONLY YUM is SUPPORTED at Fermi. authconfig Authconfig needed to be tweeked because it was putting a line into the /etc/pam.d/system-auth that would not allow you to log into root or a group account if there was a .k5login file in the accounts home area. This is the same change that was done in Fermi Linux 9.0.x We also changed it so that it quit putting the kerberos realm, as a line by itself in the top of krb.conf. This was causing some authentications to never return. authconfig-4.3.7-1f2.x86_64.rpm authconfig-gtk-4.3.7-1f2.x86_64.rpm Fermi-release Made change so that /etc/issue and /etc/issue.net showed Fermi LTS. This is a modified SL-release. Changed release number from 304 to 3.0.4 Mozilla With the latest security release of mozilla it was decided to upgrade to the latest mozilla rather than try to backport the patch. Note that you can only install one arch of Mozilla. We have selected the i386 version by default as this allows for all the i386 version plugins to work. If you want the x86_64 version you will have to remove the i386 version before installing the x86_64 version. yum remove mozilla* yum install mozilla.i386 mozilla-1.7.5-LTS3x.1.i386.rpm mozilla-chat-1.7.5-LTS3x.1.i386.rpm mozilla-devel-1.7.5-LTS3x.1.i386.rpm mozilla-dom-inspector-1.7.5-LTS3x.1.i386.rpm mozilla-js-debugger-1.7.5-LTS3x.1.i386.rpm mozilla-mail-1.7.5-LTS3x.1.i386.rpm mozilla-nspr-1.7.5-LTS3x.1.i386.rpm mozilla-nspr-devel-1.7.5-LTS3x.1.i386.rpm mozilla-nss-1.7.5-LTS3x.1.i386.rpm mozilla-nss-devel-1.7.5-LTS3x.1.i386.rpm mozilla-1.7.5-LTS3x.1.x86_64.rpm mozilla-chat-1.7.5-LTS3x.1.x86_64.rpm mozilla-devel-1.7.5-LTS3x.1.x86_64.rpm mozilla-dom-inspector-1.7.5-LTS3x.1.x86_64.rpm mozilla-js-debugger-1.7.5-LTS3x.1.x86_64.rpm mozilla-mail-1.7.5-LTS3x.1.x86_64.rpm mozilla-nspr-1.7.5-LTS3x.1.x86_64.rpm mozilla-nspr-devel-1.7.5-LTS3x.1.x86_64.rpm mozilla-nss-1.7.5-LTS3x.1.x86_64.rpm mozilla-nss-devel-1.7.5-LTS3x.1.x86_64.rpm openSSH Fermi version of openssh with kerberos cryptocard changes. If a workgroup wants to install openssh-server then they just need to add the entry from their "comps" file as it is NOT installed by default. openssh-3.5p1f11-1rh7x.i386.rpm openssh-askpass-3.5p1f11-1rh7x.i386.rpm openssh-askpass-gnome-3.5p1f11-1rh7x.i386.rpm openssh-clients-3.5p1f11-1rh7x.i386.rpm openssh-server-3.5p1f11-1rh7x.i386.rpm Yum -- From Duke University yum-2.0.7-8.SL.noarch.rpm Added a patch to enable a ia32e(EM64T) kernel to be upgraded. yum-conf-304-2.LTS.noarch.rpm vnc Issue with vnc allowing more than just localhost to connect by default. The starting point was the latest Fedora Core SRPM of vnc, back-ported to use the XFree86-4.3.0-78.EL sources instead of x.org and javac instead of the (too-old) gcc-java, and patched to set the "localhostOnly" parameter to true by default. Note that it is still possible to return to RISKY behavior by invoking: vncserver -localhost="no" (or 0, or "off") Note that vncviewer has the new option "-via", meaning that the command line: vncviewer -via .fnal.gov localhost:1 will set up an SSH tunnel and use it to access the local vncserver running on .fnal.gov, all in one step. NOTE that vnc is ONLY allowed if used with a SSH tunnel onsite at Fermi. See the above info. Thanks to Chris Green for this patched vnc. ---------------------------------------------------------------------------- Installer modifications --------------------------------------------------------------------------- Kerberos is enabled by default on the normal authentication screen. The installer does NOT know if what you put in here is accurate so if you change something make sure it is right because that is what you are going to get. Changes to "defaults" from vendor installer. Firewall is off by default. vendor default was Medium. US/Central is default timezone. vendor default was New York. Kerberos is on by default with a realm of FNAL.GOV . vendor default was off. flpr Now installed by default. No need for ups/upd as this is a rpm. Updated post.sh to do a full chroot to /mnt/sysimage for increased install RPM reliability. (thanks to Chris Green) --------------------------------------------------------------------------- /contrib/ --------------------------------------------------------------------------- The packges in this section have been contributed by various people. They are presented AS IS and there is no guarantee of them working. These packages are NOT supported by us. They will only get security updates if the contributor provides them. If you have questions about them then ask the contributor. There are really 2 contrib trees. One for the base Scientific Linux and one for the Fermi site. To use with yum you will need to uncomment out either/both of the "contrib" lines in /etc/yum.conf See README's in the RPMS/ directorys for specific info. /sites/Fermi/contrib/RPMS/ /contrib/RPMS/ --------------------------------------------------------------------------- MISC NOTES --------------------------------------------------------------------------- --------------------------------------------------------------------------- SUPPORT INFO --------------------------------------------------------------------------- Fermi site users should start with the "Fermi" specific support areas and use the Scientific Linux next. Fermi Linux web pages http://www.fnal.gov/cd/unix/linux Fermi Linux Community support mailing list linux-users@fnal.gov Which is archived at http://listserv.fnal.gov/archives/linux-users.html Scientific Linux web page http://www.scientificlinux.org -------------------------------------------------------------------------- ERRATA rebuilt from SRPMS --------------------------------------------------------------------------- First See SL.releasenote There were errata released after the release of Scientific Linux 3.0.4 . These errata are included here. cpio-2.5-3e.3.x86_64.rpm cups-1.1.17-13.3.27.x86_64.rpm cups-devel-1.1.17-13.3.27.x86_64.rpm cups-libs-1.1.17-13.3.27.i386.rpm cups-libs-1.1.17-13.3.27.x86_64.rpm python-2.2.3-6.1.x86_64.rpm python-devel-2.2.3-6.1.x86_64.rpm python-docs-2.2.3-6.1.x86_64.rpm python-tools-2.2.3-6.1.x86_64.rpm tkinter-2.2.3-6.1.x86_64.rpm rh-postgresql-7.3.9-2.x86_64.rpm rh-postgresql-contrib-7.3.9-2.x86_64.rpm rh-postgresql-devel-7.3.9-2.x86_64.rpm rh-postgresql-docs-7.3.9-2.x86_64.rpm rh-postgresql-jdbc-7.3.9-2.x86_64.rpm rh-postgresql-libs-7.3.9-2.i386.rpm rh-postgresql-libs-7.3.9-2.x86_64.rpm rh-postgresql-pl-7.3.9-2.x86_64.rpm rh-postgresql-python-7.3.9-2.x86_64.rpm rh-postgresql-server-7.3.9-2.x86_64.rpm rh-postgresql-tcl-7.3.9-2.x86_64.rpm rh-postgresql-test-7.3.9-2.x86_64.rpm vim-common-6.3.046-0.30E.3.x86_64.rpm vim-enhanced-6.3.046-0.30E.3.x86_64.rpm vim-minimal-6.3.046-0.30E.3.x86_64.rpm vim-X11-6.3.046-0.30E.3.x86_64.rpm