mokutil --import /etc/pki/secure-boot/SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26
Send comments/issues/test reports to scientific-linux-users@fnal.gov
Upstream provides a very comprehensive set of release notes. We have not duplicated them here, and are unlikely to do so.
Please review the Upstream Notes
Note
|
This section documents changes made to SL specific packages since
the last SL release. This section does not list changes inherited from Upstream unless absolutely necessary. |
SL 7.1 now includes easy access to the ZFS on Linux yum repos.
With SL 7.1 OpenAFS has been updated to version 1.6.11 the latest upstream stable.
A small set of packages are directly added to Scientific Linux. Each of these is noted here to clarify their purpose and targeted use.
This package contains the ELRepo driver yum repo and GPG key.
This is primarily targeted at users who require drivers not packaged within SL.
It is packaged in this manner to easily allow ELRepo to issue updates to their repos.
SL 7.0 is the first release to feature this package.
This package contains the EPEL driver yum repo and GPG key.
This is primarily targeted at users who require software not packaged within SL.
It is packaged in this manner to easily allow EPEL to issue updates to their repos.
SL 7.0 is the first release to feature this package.
This package contains the OpenAFS driver and client utilities.
This is primarily targeted at AFS users.
After installation OpenAFS client services can be modified via the afs.service systemd unit
SL 7.0 is the first release to feature this package.
This package will disable the GDM user list in the chooser.
This is primarily targeted at users whose security policy requires the user
lists to be disabled. With this RPM compliance can be set from kickstart or
via yum install SL_gdm_no_user_list.
SL 7.0 is the first release to feature this package.
SL_enable_serialconsole will setup a serial console for login.
This is primarily targeted at users who could not set this up at kickstart.
SL 7.0 is the first release to feature this package.
SL_no_colorls will disable the automatic colorized ls output.
This is primarily targeted at crash cart users who find the dark colors hard to read.
SL 7.0 is the first release to feature this package.
This package is for for reverting the SL change to yum-cron where
security updates are applied automatically.
This same change can be performed by editing /etc/yum/yum-cron.conf,
this RPM allows for you to set this change via kickstart.
See Also:
- Packages Changed in SL from the Upstream Release
- SL Provides Automatic Updates
SL 7.0 is the first release to feature this package.
This package is for for reverting the SL change to yum-cron where
kernel related rpms are excluded from consideration by yum-cron.
This same change can be performed by editing /etc/yum/yum-cron.conf,
this RPM allows for you to set this change via kickstart.
See Also:
- Packages Changed in SL from the Upstream Release
- SL Provides Automatic Updates
SL 7.0 is the first release to feature this package.
sl-bookmarks replaces redhat-bookmarks and removes upstream branding.
SL 7.0 is the first release to feature this package.
sl-indexhtml replaces redhat-indexhtml and removes upstream branding from the index and xulrunner.
SL 7.0 is the first release to feature this package.
sl-logos replaces redhat-logos and removes upstream branding.
The spec file attempts to run some image optimization programs from EPEL.
The source RPMs are included within the SL source repo to ensure their continued avalibility.
The optimizations can be disabled with no negative effects on the package.
SL 7.0 is the first release to feature this package.
sl-release replaces redhat-release and removes upstream branding.
It also provides our Scientific Linux operating system and updates repos.
You may wish to review the section on Using SL Yum Variables
You should also review SL Specific Behavior Changes for comments on our Automatic Updates settings.
SL 7.0 is the first release to feature this package.
sl-release-notes replaces redhat-release-notes and removes upstream branding.
SL 7.0 is the first release to feature this package.
This package will modify the default repo definitions to use the latest SL release
You may wish to review the section on Using SL Yum Variables
SL 7.0 is the first release to feature this package.
This package will pull in the elrepo-release package and fastestmirror yum plugin.
Scientific Linux systems are encouraged to utilize this package for gaining access to ELRepo.
SL 7.0 is the first release to feature this package.
This package will pull in the epel-release package and fastestmirror yum plugin.
Scientific Linux systems are encouraged to utilize this package for gaining access to EPEL.
SL 7.0 is the first release to feature this package.
This package provdies the SL Extras repo.
SL 7.0 is the first release to feature this package.
This package provdies the SL HC repo.
SL 7.0 is the first release to feature this package.
This package provdies the SL Software Collections repo.
SL 7.0 is the first release to feature this package.
This package provides the ZFS on Linux repo and its requirement on EPEL.
SL 7.1 is the first release to feature this package.
zfs-release is the package provided by the ZFS on Linux team for their repos.
SL 7.1 is the first release to feature this package.
Scientific Linux attempts to deviate only when absolutely necessary.
Each of these changes is noted here with some notes as to why these
changes were made.
Tip
|
The source for these packages contains the exact configuration
our automated patching tool used to modify the upstream source. It should be clear exactly what was changed and for what reason. |
Removed the recommendation to open an upstream support case.
This change went into effect with SL 7.0 and continues in this release.
Modified the installclass library so that it correctly identifies SL.
This change went into effect with SL 7.0 and continues in this release.
Changed to remove upstream’s bugreport url.
This change went into effect with SL 7.0 and continues in this release.
This package has been modified to recognize the SL Secure Boot key.
This change went into effect with SL 7.0 and continues in this release.
Changed the default index.html to remove upstream’s branding.
This change went into effect with SL 7.0 and continues in this release.
Changed package requirements to remove upstream’s branding.
This change went into effect with SL 7.1 and continues in this release.
This package has been modified to recognize the SL Secure Boot key.
This change went into effect with SL 7.0 and continues in this release.
Changed the defaults to remove upstream’s branding.
This change went into effect with SL 7.0 and continues in this release.
Removed the Upstream Vendor ID to avoid confusion.
This change went into effect with SL 7.0 and continues in this release.
Made the signing key names into an rpm macro for ease of customization.
This change went into effect with SL 7.0 and continues in this release.
Removed the Upstream color scheme to avoid confusion.
This change went into effect with SL 7.0 and continues in this release.
Changed to recognize Scientific Linux as an Enterprise Linux.
This change went into effect with SL 7.0 and continues in this release.
Added recognition of the SL UEFI key.
This change went into effect with SL 7.0 and continues in this release.
Removed RHN branded warnings and disabled default RHN service.
This change went into effect with SL 7.0 and continues in this release.
Changed the defaults for yum-cron to automatically apply updates
for non-kernel packages nightly. These are the same settings from
yum-autoupdate from SL5 and SL6.
See Also:
- Packages Added to SL not in Upstream
- SL Provides Automatic Updates
This change went into effect with SL 7.0 and continues in this release.
Note
|
For long term tracking, packages we no longer modify are listed here. |
Modified the package Requires per BZ#1116921
This change went into effect with SL 7.0 and ended with SL 7.1 since the upstream bug is now fixed.
Some packages provided by upstream are not part of Scientific Linux. The exact reasons we’ve removed them are listed below.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
redhat-bookmarks is replaced by sl-bookmarks.
SL 7.0 is the first release without this package.
redhat-indexhtml is replaced by sl-indexhtml.
SL 7.0 is the first release without this package.
redhat-logos is replaced by sl-logos.
SL 7.0 is the first release without this package.
redhat-release is replaced by sl-release.
SL 7.0 is the first release without this package.
redhat-release-notes is replaced by sl-release-notes.
SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
We cannot provide RHN connections, so we have removed the RHN tools. People requiring RHN must use Enterprise Linux from upstream. SL 7.0 is the first release without this package.
The yum application is highly extensible via its plugin and variable APIs.
The Scientific Linux repos utilize the following yum variables:
Name |
Purpose |
Source |
Example Values |
$basearch |
Describe the architecture of the system |
yum determines automatically from sl-release |
x86_64 |
$releasever |
What is the vendor neutral version |
yum determines automatically from sl-release |
7.0 7 |
$slreleasever |
What is the version of SL |
Provided by sl-release or yum-conf-7x |
7x 7rolling 7.0 |
Tip
|
You can define any variable you want in yum by setting it in /etc/yum/vars/ Simply echo value > /etc/yum/vars/name an you’ve got $name defined. |
For Scientific Linux 7 we’ve adopted a stronger use of yum variables to help simplify the customization for individual administrators.
Now any customizations to your repo files, such as use of local mirrors, are easily kept between releases as the SL provided repository files are not expected to change.
This does, however, provide unexpected behavior during our Release Candidate process. If the 7x config is enabled, you will point to the 7x repo rather than the Release Candidate repo. At that time the 7x repo will contain some older software than the Release Candidate.
System State |
SL7 Alpha/Beta |
SL7 Alpha/Beta +7x |
SL7 RC |
SL7 RC +7x |
SL7 GA |
SL7 GA +7x |
SL7 GA removed yum-conf-sl7x |
Fresh Install |
7rolling |
7rolling |
7.0 |
7x |
7.0 |
7x |
7.0 |
Upgrade From 7.0 |
7rolling |
7rolling |
7.1 |
7x |
7.1 |
7x |
7.1 |
Important
|
Users wishing to test packages from the Release Candidate during
the Release Candidate process may need to remove yum-conf-sl7x. As per the chart above, if yum-conf-sl7x is installed, your system will point towards the 7x repos rather than the as yet unreleased Release Candidate. |
Caution
|
If you remove yum-conf-sl7x during the Release Candidate process, you should consider reinstalling it after the offical release. |
Caution
|
There is no supported upgrade path from Scientific Linux 6 to Scientific Linux 7. |
While it may be possible to move from SL 6 to SL7, Scientific Linux does not
recommend or support such action. We have deliberately not provided any tools
for such a migration.
Warning
|
We believe any attempt to upgrade SL 6 to SL 7 will leave your system in an unknown and probably unsupportable state. |
Tip
|
Upstream provides an upgrade toolkit for migrating their product from EL6 to EL7. Users who need this functionality should consider deploying TUV’s supported product line instead of Scientific Linux. |
Note
|
This section documents changes made to SL specific packages since
the SL 6 release. This section does not list changes inherited from Upstream unless absolutely necessary. |
The alpine package is present in EPEL6. This is available in EPEL7.
The default configuration provided by upstream already fulfills this function.
The default configuration provided by upstream already fulfills this function.
With SL7 yum-cron has nearly all the functionality of yum-autoupdate and
features upstream support. The yum-autoupdate code should still function on
SL7; however, we do not include it within the release.
See also:
- SL Provides Automatic Updates
The Scientific Linux bundled PDF tools provide a wide range of functionality. The Adobe flash player is migrating to the "Pepper" API and away from the native plugin. - For more information see the Adobe Flash Roadmap
These legacy kerberos services are no longer packaged with the upstream product. A request for EPEL7 has been filed in the upstream bugzilla (BZ#1130608)
The Everything Dual Layer DVD image requires a Dual-Layer (DL) compatible drive for both burning and booting off of. This image can be converted to USB.
The official SL repos are now packaged as one repo per config file. In this way customizations that you make to a specific repo will not prevent others from being updated.
A further change in SL7 is the sl7-fastbugs repo, featuring bugfixes and enhancements, is enabled by default. In SL6 it was installed, but disabled by default. Your changes to this repo will persist through system upgrades if you wish to alter it.
Also, the SL repos now utilize the yum variable $slreleasever in their config entries.
Since those changes are in place, SL 7 installs yum-conf-sl7x by default.
You may wish to review the section on Using SL Yum Variables.
Following upstream SL7 uses systemd as its init system. The System’s Administrators Guide published by upstream provides a helpful introduction to systemd commands.
The default Scientific Linux 7 installation provides automatic updates via the yum-cron package.
Note
|
Updates from all enabled repos are provided automatically each night and a
summary email is set to the root account. You are strongly encouraged to set a delivery address for root on your system. This can be easily done as an email alias via /etc/aliases |
When setting defaults for updates, there are a few choices: do not apply, notify the user, apply and notify the admin, and apply but do not notify.
For Scientific Linux we’ve chosen apply and notify the admin.
The Scientific Linux user base spans from professional systems admins to graduate students with little training in systems administration. So, we’ve elected to reduce the security risks for a novice by applying security updates automatically. Expirenced Systems Administrators are fully capable of disabling automatic updates and applying the changes during a scheduled downtime. By applying updates by default we believe that the systems are left in a 'default less hackable' state. This helps protect less experienced users as well as the wider internet from the possible side effects of unpatched systems.
Important
|
This is a change from the upstream defaults. |
People who are willing to apply security updates automatically can leave it.
People who disagree with this can change it a number of ways.
For example, there are packages to perform this listed under
Packages Added to SL not in Upstream
And people who don’t know what to do are left protected.
There is a Fedora page on automatic updates that is worth reviewing: http://fedoraproject.org/wiki/AutoUpdates
A detailed document discussing secure boot is published at:
http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf
Note
|
If UEFI Secure Boot is NOT enabled then the signing of operating system boot loaders is NOT required to boot. |
If UEFI Secure Boot is enabled then the following are required to be true in order to boot.
Signed EFI operating system boot loaders
shim — Signed with SL signing certificate
The signature of shim needs to be validated by either
UEFI CA certificate in the UEFI firmware (installed by hardware vendor)
MOK (Machine Owner Key) enrolled manually by Owner
grub2 — Signed with SL signing certificate
shim starts grub2 which validates its trust with shim
Signed Linux Kernel — Signed with SL signing certificate
Signed Kernel modules — Signed
Booting with Secure Boot enabled works but requires a manual step. This is because the "shim" has not been signed by the UEFI CA . As seen in the above Secure Boot requirements the UEFI CA is not the only certificate that can be used to validate the "shim". The SL signing certificate can also be used. The SL signing certificate has to be enrolled in the MOK (Machine Owner Key) database. This can be accomplished by using the "mokutil" command specifying the SL signing certificate.
Caution
|
The "mokutil" command may ask for a "password". This "Mokmanager password" will be asked by mokmanager during the MOK key enrollment step. |
Note
|
All mokutil commands must be run by the root user. |
mokutil --import /etc/pki/secure-boot/SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26
Important
|
The system needs to be rebooted for the MOK database to be updated. On reboot the Mokmanager program will automatically start. |
Select "Enroll MOK" Select "View Key" if you wish to see the key. Then select "Continue". Select "Yes" to enroll the key (If you really want to enroll it). The "Mokmanager password" will be asked to verify the user has permission to update the MOK database.
Screenshots are available, thanks to the Systemtap team.
After installation of the MOK key, you may wish to verify it loaded successfully.
mokutil --list-enrolled
The above command will list which MOK keys are enrolled.
Note
|
We are currently in negotiations with the UEFI Certificate Authority on agreeable requirements for submitting "shim" for signing. We hope to be able to support this functionality in the future. |
The upstream documentation on this can be found at:
The Scientific Linux installation iso files can be converted to bootable USB devices.
Note
|
The Everything DVD image requires USB device of sufficient size. |
Caution
|
You will be expected to provide the full device name of your USB disk. If you provide the path to your existing operating system, it will be erased. |
sudo dd if=SL-7-x86_64-DVD.iso of=/dev/sd<x>
Where <x> is the name of your USB device node. For example, /dev/sdv
Note
|
livecd-tools may not be available for all versions of Scientific
Linux. It may be packaged in external repos such as EPEL. |
sudo yum install livecd-tools man livecd-iso-to-disk
Caution
|
You will be expected to provide the full device name of your USB disk. If you provide the path to your existing operating system, it will be erased. |
livecd-iso-to-disk --format --reset-mbr --efi SL-7-x86_64-DVD.iso /dev/sd<x>
Where <x> is the name of your USB device node. For example, /dev/sdv
Tip
|
The Scientific Linux Website contains helpful information about our releases and updates. |
Tip
|
A mirror closer to you might result in faster downloads. Feel free to consult our mirror list. |
Note
|
The everything dvd image requires a Dual-Layer DVD (DVD-DL) compatible drive for both burning and booting. |
scientific-linux-users@fnal.gov - Users of Scientific Linux supporting each other
scientific-linux-devel@fnal.gov - Development of Scientific Linux
scientific-linux-announce@fnal.gov - Announcements concerning Scientific Linux
scientific-linux-errata@fnal.gov - Announcements about Security Errata
scientific-linux-mirrors@fnal.gov - Announcements about Scientific Linux related to mirroring
Note
|
How To Subscribe Follow the instructions at our website for the SL lists |