Send comments/issues/test reports to scientific-linux-users@fnal.gov

The Upstream Vendor’s Release Notes

Upstream provides a very comprehensive set of release notes. We have not duplicated them here, and are unlikely to do so.

Please review the Upstream Notes

Noteworthy SL Changes Since Last Release of SL 7

Note
This section documents changes made to SL specific packages since the last SL release.
This section does not list changes inherited from Upstream unless absolutely necessary.

SL 7.1 now includes easy access to the ZFS on Linux yum repos.

With SL 7.1 OpenAFS has been updated to version 1.6.11 the latest upstream stable.

Packages Added to SL not in Upstream

A small set of packages are directly added to Scientific Linux. Each of these is noted here to clarify their purpose and targeted use.

elrepo-release

This package contains the ELRepo driver yum repo and GPG key.
This is primarily targeted at users who require drivers not packaged within SL.
It is packaged in this manner to easily allow ELRepo to issue updates to their repos.
SL 7.0 is the first release to feature this package.

epel-release

This package contains the EPEL driver yum repo and GPG key.
This is primarily targeted at users who require software not packaged within SL.
It is packaged in this manner to easily allow EPEL to issue updates to their repos.
SL 7.0 is the first release to feature this package.

OpenAFS

This package contains the OpenAFS driver and client utilities.
This is primarily targeted at AFS users.
After installation OpenAFS client services can be modified via the afs.service systemd unit
SL 7.0 is the first release to feature this package.

SL_gdm_no_user_list

This package will disable the GDM user list in the chooser.
This is primarily targeted at users whose security policy requires the user lists to be disabled. With this RPM compliance can be set from kickstart or via yum install SL_gdm_no_user_list.
SL 7.0 is the first release to feature this package.

SL_enable_serialconsole

SL_enable_serialconsole will setup a serial console for login.
This is primarily targeted at users who could not set this up at kickstart.
SL 7.0 is the first release to feature this package.

SL_no_colorls

SL_no_colorls will disable the automatic colorized ls output.
This is primarily targeted at crash cart users who find the dark colors hard to read.
SL 7.0 is the first release to feature this package.

SL_yum-cron_no_automated_apply_updates

This package is for for reverting the SL change to yum-cron where security updates are applied automatically.
This same change can be performed by editing /etc/yum/yum-cron.conf, this RPM allows for you to set this change via kickstart.
See Also:
- Packages Changed in SL from the Upstream Release
- SL Provides Automatic Updates
SL 7.0 is the first release to feature this package.

SL_yum-cron_no_default_excludes

This package is for for reverting the SL change to yum-cron where kernel related rpms are excluded from consideration by yum-cron.
This same change can be performed by editing /etc/yum/yum-cron.conf, this RPM allows for you to set this change via kickstart.
See Also:
- Packages Changed in SL from the Upstream Release
- SL Provides Automatic Updates
SL 7.0 is the first release to feature this package.

sl-bookmarks

sl-bookmarks replaces redhat-bookmarks and removes upstream branding.
SL 7.0 is the first release to feature this package.

sl-indexhtml

sl-indexhtml replaces redhat-indexhtml and removes upstream branding from the index and xulrunner.
SL 7.0 is the first release to feature this package.

sl-logos

sl-logos replaces redhat-logos and removes upstream branding.
The spec file attempts to run some image optimization programs from EPEL. The source RPMs are included within the SL source repo to ensure their continued avalibility.
The optimizations can be disabled with no negative effects on the package.
SL 7.0 is the first release to feature this package.

sl-release

sl-release replaces redhat-release and removes upstream branding.
It also provides our Scientific Linux operating system and updates repos.
You may wish to review the section on Using SL Yum Variables
You should also review SL Specific Behavior Changes for comments on our Automatic Updates settings.
SL 7.0 is the first release to feature this package.

sl-release-notes

sl-release-notes replaces redhat-release-notes and removes upstream branding.
SL 7.0 is the first release to feature this package.

yum-conf-sl7x

This package will modify the default repo definitions to use the latest SL release
You may wish to review the section on Using SL Yum Variables
SL 7.0 is the first release to feature this package.

yum-conf-elrepo

This package will pull in the elrepo-release package and fastestmirror yum plugin.
Scientific Linux systems are encouraged to utilize this package for gaining access to ELRepo.
SL 7.0 is the first release to feature this package.

yum-conf-epel

This package will pull in the epel-release package and fastestmirror yum plugin.
Scientific Linux systems are encouraged to utilize this package for gaining access to EPEL.
SL 7.0 is the first release to feature this package.

yum-conf-extras

This package provdies the SL Extras repo.
SL 7.0 is the first release to feature this package.

yum-conf-hc

This package provdies the SL HC repo.
SL 7.0 is the first release to feature this package.

yum-conf-softwarecollections

This package provdies the SL Software Collections repo.
SL 7.0 is the first release to feature this package.

yum-conf-zfsonlinux

This package provides the ZFS on Linux repo and its requirement on EPEL.
SL 7.1 is the first release to feature this package.

zfs-release

zfs-release is the package provided by the ZFS on Linux team for their repos.
SL 7.1 is the first release to feature this package.

Packages Changed in SL from the Upstream Release

Scientific Linux attempts to deviate only when absolutely necessary.
Each of these changes is noted here with some notes as to why these changes were made.

Tip
The source for these packages contains the exact configuration our automated patching tool used to modify the upstream source.
It should be clear exactly what was changed and for what reason.

Changed in This Release

abrt

Removed the recommendation to open an upstream support case.
This change went into effect with SL 7.0 and continues in this release.

anaconda

Modified the installclass library so that it correctly identifies SL.
This change went into effect with SL 7.0 and continues in this release.

dhcp

Changed to remove upstream’s bugreport url.
This change went into effect with SL 7.0 and continues in this release.

grub2

This package has been modified to recognize the SL Secure Boot key.
This change went into effect with SL 7.0 and continues in this release.

httpd

Changed the default index.html to remove upstream’s branding.
This change went into effect with SL 7.0 and continues in this release.

ipa

Changed package requirements to remove upstream’s branding.
This change went into effect with SL 7.1 and continues in this release.

kernel

This package has been modified to recognize the SL Secure Boot key.
This change went into effect with SL 7.0 and continues in this release.

libreport

Changed the defaults to remove upstream’s branding.
This change went into effect with SL 7.0 and continues in this release.

PackageKit

Removed the Upstream Vendor ID to avoid confusion.
This change went into effect with SL 7.0 and continues in this release.

pesign

Made the signing key names into an rpm macro for ease of customization.
This change went into effect with SL 7.0 and continues in this release.

plymouth

Removed the Upstream color scheme to avoid confusion.
This change went into effect with SL 7.0 and continues in this release.

redhat-rpm-config

Changed to recognize Scientific Linux as an Enterprise Linux.
This change went into effect with SL 7.0 and continues in this release.

shim

Added recognition of the SL UEFI key.
This change went into effect with SL 7.0 and continues in this release.

subscription-manager

Removed RHN branded warnings and disabled default RHN service.
This change went into effect with SL 7.0 and continues in this release.

yum

Changed the defaults for yum-cron to automatically apply updates for non-kernel packages nightly. These are the same settings from yum-autoupdate from SL5 and SL6.
See Also:
- Packages Added to SL not in Upstream
- SL Provides Automatic Updates
This change went into effect with SL 7.0 and continues in this release.

No Longer Changing

Note
For long term tracking, packages we no longer modify are listed here.
firstboot

Modified the package Requires per BZ#1116921
This change went into effect with SL 7.0 and ended with SL 7.1 since the upstream bug is now fixed.

Packages Removed from Upstream

Some packages provided by upstream are not part of Scientific Linux. The exact reasons we’ve removed them are listed below.

redhat-access-gui

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

redhat-bookmarks

redhat-bookmarks is replaced by sl-bookmarks.
SL 7.0 is the first release without this package.

redhat-indexhtml

redhat-indexhtml is replaced by sl-indexhtml.
SL 7.0 is the first release without this package.

redhat-logos

redhat-logos is replaced by sl-logos.
SL 7.0 is the first release without this package.

redhat-release

redhat-release is replaced by sl-release.
SL 7.0 is the first release without this package.

redhat-release-notes

redhat-release-notes is replaced by sl-release-notes.
SL 7.0 is the first release without this package.

redhat-support-lib-python

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

redhat-support-tool

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

rhn-client-tools

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

rhnlib

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

rhnsd

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

subscription-manager-migration

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

yum-rhn-plugin

We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.

Using SL Yum Variables

The yum application is highly extensible via its plugin and variable APIs.

The Scientific Linux repos utilize the following yum variables:

Name

Purpose

Source

Example Values

$basearch

Describe the architecture of the system

yum determines automatically from sl-release

x86_64

$releasever

What is the vendor neutral version

yum determines automatically from sl-release

7.0 7

$slreleasever

What is the version of SL

Provided by sl-release or yum-conf-7x

7x 7rolling 7.0

Tip
You can define any variable you want in yum by setting it in /etc/yum/vars/ Simply echo value > /etc/yum/vars/name an you’ve got $name defined.

For Scientific Linux 7 we’ve adopted a stronger use of yum variables to help simplify the customization for individual administrators.

Now any customizations to your repo files, such as use of local mirrors, are easily kept between releases as the SL provided repository files are not expected to change.

This does, however, provide unexpected behavior during our Release Candidate process. If the 7x config is enabled, you will point to the 7x repo rather than the Release Candidate repo. At that time the 7x repo will contain some older software than the Release Candidate.

Chart of $slreleasever

System State

SL7 Alpha/Beta

SL7 Alpha/Beta +7x

SL7 RC

SL7 RC +7x

SL7 GA

SL7 GA +7x

SL7 GA removed yum-conf-sl7x

Fresh Install

7rolling

7rolling

7.0

7x

7.0

7x

7.0

Upgrade From 7.0

7rolling

7rolling

7.1

7x

7.1

7x

7.1

Important
Users wishing to test packages from the Release Candidate during the Release Candidate process may need to remove yum-conf-sl7x.
As per the chart above, if yum-conf-sl7x is installed, your system will point towards the 7x repos rather than the as yet unreleased Release Candidate.
Caution
If you remove yum-conf-sl7x during the Release Candidate process, you should consider reinstalling it after the offical release.

Upgrading from SL 6

Caution
There is no supported upgrade path from Scientific Linux 6 to Scientific Linux 7.

While it may be possible to move from SL 6 to SL7, Scientific Linux does not recommend or support such action. We have deliberately not provided any tools for such a migration.

Warning
We believe any attempt to upgrade SL 6 to SL 7 will leave your system in an unknown and probably unsupportable state.
Tip
Upstream provides an upgrade toolkit for migrating their product from EL6 to EL7. Users who need this functionality should consider deploying TUV’s supported product line instead of Scientific Linux.

Noteworthy SL Changes Since SL 6

Note
This section documents changes made to SL specific packages since the SL 6 release.
This section does not list changes inherited from Upstream unless absolutely necessary.

No Longer Packaged By SL

alpine

The alpine package is present in EPEL6. This is available in EPEL7.

SL_desktop_tweaks

The default configuration provided by upstream already fulfills this function.

SL_password_for_singleuser

The default configuration provided by upstream already fulfills this function.

yum-autoupdate

With SL7 yum-cron has nearly all the functionality of yum-autoupdate and
features upstream support. The yum-autoupdate code should still function on
SL7; however, we do not include it within the release.
See also:
- SL Provides Automatic Updates

yum-conf-adobe

The Scientific Linux bundled PDF tools provide a wide range of functionality. The Adobe flash player is migrating to the "Pepper" API and away from the native plugin. - For more information see the Adobe Flash Roadmap

No Longer Packaged By Upstream

krb5-appl

These legacy kerberos services are no longer packaged with the upstream product. A request for EPEL7 has been filed in the upstream bugzilla (BZ#1130608)

SL Specific Behavior Changes

SL-7-x86_64-Everything-Dual-Layer-DVD.iso

The Everything Dual Layer DVD image requires a Dual-Layer (DL) compatible drive for both burning and booting off of. This image can be converted to USB.

sl-release and yum-conf-sl7x

The official SL repos are now packaged as one repo per config file. In this way customizations that you make to a specific repo will not prevent others from being updated.

A further change in SL7 is the sl7-fastbugs repo, featuring bugfixes and enhancements, is enabled by default. In SL6 it was installed, but disabled by default. Your changes to this repo will persist through system upgrades if you wish to alter it.

Also, the SL repos now utilize the yum variable $slreleasever in their config entries.

Since those changes are in place, SL 7 installs yum-conf-sl7x by default.

You may wish to review the section on Using SL Yum Variables.

Upstream Specific Behavior Changes

systemd

Following upstream SL7 uses systemd as its init system. The System’s Administrators Guide published by upstream provides a helpful introduction to systemd commands.

SL Provides Automatic Updates

The default Scientific Linux 7 installation provides automatic updates via the yum-cron package.

Note
Updates from all enabled repos are provided automatically each night and a summary email is set to the root account.
You are strongly encouraged to set a delivery address for root on your system.
This can be easily done as an email alias via /etc/aliases

When setting defaults for updates, there are a few choices: do not apply, notify the user, apply and notify the admin, and apply but do not notify.

For Scientific Linux we’ve chosen apply and notify the admin.

The Scientific Linux user base spans from professional systems admins to graduate students with little training in systems administration. So, we’ve elected to reduce the security risks for a novice by applying security updates automatically. Expirenced Systems Administrators are fully capable of disabling automatic updates and applying the changes during a scheduled downtime. By applying updates by default we believe that the systems are left in a 'default less hackable' state. This helps protect less experienced users as well as the wider internet from the possible side effects of unpatched systems.

Important
This is a change from the upstream defaults.

There is a Fedora page on automatic updates that is worth reviewing: http://fedoraproject.org/wiki/AutoUpdates

About UEFI Secure Boot

UEFI Secure Boot Background

A detailed document discussing secure boot is published at:
http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

UEFI Secure Boot Validation Summary

Note
If UEFI Secure Boot is NOT enabled then the signing of operating system boot loaders is NOT required to boot.

If UEFI Secure Boot is enabled then the following are required to be true in order to boot.

  1. Signed EFI operating system boot loaders

    1. shim — Signed with SL signing certificate

      1. The signature of shim needs to be validated by either

        • UEFI CA certificate in the UEFI firmware (installed by hardware vendor)

        • MOK (Machine Owner Key) enrolled manually by Owner

    2. grub2 — Signed with SL signing certificate

      1. shim starts grub2 which validates its trust with shim

  2. Signed Linux Kernel — Signed with SL signing certificate

  3. Signed Kernel modules — Signed

Secure Boot Status in Scientific Linux 7

Booting with Secure Boot enabled works but requires a manual step. This is because the "shim" has not been signed by the UEFI CA . As seen in the above Secure Boot requirements the UEFI CA is not the only certificate that can be used to validate the "shim". The SL signing certificate can also be used. The SL signing certificate has to be enrolled in the MOK (Machine Owner Key) database. This can be accomplished by using the "mokutil" command specifying the SL signing certificate.

Caution
The "mokutil" command may ask for a "password". This "Mokmanager password" will be asked by mokmanager during the MOK key enrollment step.
Note
All mokutil commands must be run by the root user.
Example mokutil command
    mokutil --import /etc/pki/secure-boot/SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26
Important
The system needs to be rebooted for the MOK database to be updated.
On reboot the Mokmanager program will automatically start.
Steps To Enroll MOK keys in Mokmanager
    Select "Enroll MOK"

    Select "View Key" if you wish to see the key.

    Then select "Continue".

    Select "Yes" to enroll the key (If you really want to enroll it).

    The "Mokmanager password" will be asked to verify the user has permission to update the MOK database.

Screenshots are available, thanks to the Systemtap team.

After installation of the MOK key, you may wish to verify it loaded successfully.

How To Review MOK Keys
    mokutil --list-enrolled

The above command will list which MOK keys are enrolled.

Note
We are currently in negotiations with the UEFI Certificate Authority on agreeable requirements for submitting "shim" for signing. We hope to be able to support this functionality in the future.

More Information on Signing Kernel Modules

The upstream documentation on this can be found at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

How To Make A Bootable USB installer

The Scientific Linux installation iso files can be converted to bootable USB devices.

Note
The Everything DVD image requires USB device of sufficient size.

Using dd

Caution
You will be expected to provide the full device name of your USB disk. If you provide the path to your existing operating system, it will be erased.
Relevant Commands
sudo dd if=SL-7-x86_64-DVD.iso of=/dev/sd<x>

Where <x> is the name of your USB device node. For example, /dev/sdv

Using livecd-tools

Note
livecd-tools may not be available for all versions of Scientific Linux.
It may be packaged in external repos such as EPEL.
Relevant Commands
sudo yum install livecd-tools
man livecd-iso-to-disk
Caution
You will be expected to provide the full device name of your USB disk. If you provide the path to your existing operating system, it will be erased.
Typical Usage
livecd-iso-to-disk --format --reset-mbr --efi SL-7-x86_64-DVD.iso /dev/sd<x>

Where <x> is the name of your USB device node. For example, /dev/sdv

Our Details

Tip
The Scientific Linux Website contains helpful information about our releases and updates.
Download Areas
Tip
A mirror closer to you might result in faster downloads.
Feel free to consult our mirror list.
Note
The everything dvd image requires a Dual-Layer DVD (DVD-DL) compatible drive for both burning and booting.
Community Email Lists
Note
How To Subscribe
Follow the instructions at our website for the SL lists