Selecting Package Repositories
Package Repository Lists
Package repositories, too, are configured in our configuration management through lists containing the names of the repositories to be installed.
The default list (except for nodes with the bootpc and appliances::lenovo::* Puppet roles) is rpm_repos::default.
If repositories are managed in Hiera, feel free to add them to rpm_repos::default like this:
rpm_repos::default:
- 'gfa'
Note that repositories for different versions of RHEL can be added and only the fitting ones will be configured on the node.
If the package repositories are managed by a Puppet module, then it is good practice to define a specific package repository list in common.yaml and to install it only when needed. An example is profile::telegraf, which only installs the repositories listed in rpm_repos::influx when needed.
Package Repository Definition
An individual package repository is configured in Hiera within the namespace rpm_repos::repo::*, as in the following example:
rpm_repos::repo::epel_rhel8:
  name: 'epel'
  descr: "Extra Packages for Enterprise Linux 8"
  baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/'
  gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg'
  disable: false
  gpgcheck: true
  osversion: 8
  exclude:
    - "slurm*"
Package Repository Name
The reference name used in Hiera (the part after rpm_repos::repo::) should be globally unique. An unfortunate practice is to use the same name for different package repositories. A current example is the gfa repository, which has different URLs on different sysdb environments.
Note that the name attribute only has to be unique on the machine where the repositories are installed. So if two repositories are defined to provide the same software for two different OS versions, it is fine for them to have the same name.
Package Repository URL
Overriding the URL of a package repository definition on a stricter scope is considered bad practice. The URL defines the actual "identity" of the package repository definition. It is confusing if it gets different meanings at different places. It is like one passport that identifies different persons in different countries.
If different sources are needed, define and name them appropriately. They point to one given repository and the package repository lists are the place to select what should be applied on a given node.
Also feel free to define all your package repositories in common.yaml.
Select Package Repository by OS Version
Usually a package repository only serves packages for one major OS version. This can be stated by the osversion attribute. When a package repository list is installed, only the repositories fitting the version of the OS installed on the node are selected and configured.
If the osversion attribute is not set, then the repository is always installed.
Package Repository GPG Verification
GPG verification is optional, so gpgkey may be left undefined and gpgcheck is false by default. But ideally the packages are signed and checked for tampering and corruption.
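An added example, not part of the original page or of the Puppet module: a Ruby check that applies the osversion selection and the gpgcheck default described above to a constructed Hiera snippet and reports repositories that would be installed without signature checking. It assumes list entries are the reference names after rpm_repos::repo::; the example.org URLs and the tools_unsigned entry are invented.

```ruby
require 'yaml'

# Constructed sample data: only epel_rhel8 mirrors the page; the rest is invented.
HIERA = YAML.safe_load(<<~'YAML')
  rpm_repos::default: ['epel_rhel8', 'epel_rhel9', 'tools_unsigned']
  rpm_repos::repo::epel_rhel8:
    name: 'epel'
    baseurl: 'https://repos.psi.ch/rhel8/tags/$pli_repo_tag/epel/'
    gpgkey: 'https://repos.psi.ch/rhel8/keys/epel.gpg'
    gpgcheck: true
    osversion: 8
  rpm_repos::repo::epel_rhel9:
    name: 'epel'
    baseurl: 'https://repos.example.org/rhel9/epel/'
    gpgkey: 'https://repos.example.org/rhel9/keys/epel.gpg'
    gpgcheck: true
    osversion: 9
  rpm_repos::repo::tools_unsigned:
    name: 'tools'
    baseurl: 'http://repos.example.org/tools/'
YAML

# Assumption: list entries are the reference names after rpm_repos::repo::.
# A repository without osversion is selected on every OS version.
def selected_repos(hiera, list_key, os_major)
  hiera.fetch(list_key, []).each_with_object({}) do |ref, out|
    repo = hiera["rpm_repos::repo::#{ref}"]
    next unless repo
    out[ref] = repo if repo['osversion'].nil? || repo['osversion'].to_i == os_major
  end
end

# Report unsigned or unverifiable repositories, plain-HTTP URLs and name clashes.
def audit(repos)
  findings = []
  repos.each do |ref, repo|
    findings << "#{ref}: gpgcheck is not enabled" unless repo['gpgcheck'] == true
    findings << "#{ref}: gpgcheck set but no gpgkey" if repo['gpgcheck'] == true && !repo['gpgkey']
    %w[baseurl gpgkey].each do |key|
      findings << "#{ref}: #{key} is not https" if repo[key] && !repo[key].start_with?('https://')
    end
  end
  clashes = repos.values.group_by { |r| r['name'] }.select { |_, rs| rs.size > 1 }
  clashes.each_key { |n| findings << "name '#{n}' used by several selected repositories" }
  findings
end

[8, 9].each do |os|
  repos = selected_repos(HIERA, 'rpm_repos::default', os)
  puts "RHEL #{os}: #{repos.keys.join(', ')}"
  audit(repos).each { |f| puts "  #{f}" }
end
```

Because gpgcheck is false unless set, a definition that simply omits it is reported the same way as one that disables it.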
Exclude Packages
If certain packages provided by a given repository should be ignored on the nodes, then add them to the exclude list.
Using Specific Package Repository Snapshot
Most of the externally sourced package repositories on https://repos.psi.ch/rhel7 (RHEL7), https://repos.psi.ch/rhel8 (RHEL 8) and https://repos.psi.ch/rhel9 (RHEL 9) have snapshots which can be used to freeze the available package versions to a given date.
The tags are different per major OS version and are defined in the Hiera hash rpm_repos::tag. Below you see the default:
yum_client::repo_tag: 'prod'
rpm_repos::tag:
  redhat7: "%{lookup('yum_client::repo_tag')}"
  redhat8: 'rhel-8'
  redhat9: 'rhel-9'
So for RHEL 7 the default is prod and can be overridden via yum_client::repo_tag (backwards compatibility) or via the redhat7 attribute of rpm_repos::tag.
To pin a specific snapshot on RHEL 8, the redhat8 attribute has to be set on rpm_repos::tag. The default is rhel-8, which points to the latest snapshot.
The available tags can be found at
- https://repos.psi.ch/rhel9/tags/ for RHEL 9
- https://repos.psi.ch/rhel8/tags/ for RHEL 8 (note the prod tag will phase out)
- https://repos.psi.ch/rhel7/tags/ for RHEL 7
Package Repositories made Available by the Linux Group
Available on all systems are:
- RedHat BaseOS, AppStream and CodeReady repositories
- Extra Packages for Enterprise Linux (EPEL) repositories
- Puppet 7 repository
- Auristor repository for YFS and AFS related packages (RHEL 7 and 8 only)
- Google Chrome repository
- pli-misc (not tagged for RHEL7, but on RHEL 8/9)
- Code (Visual Studio Code from Microsoft)
- Microsoft Teams
- PowerScript et al. (Microsoft)
- HashiCorp (vault, terraform, vagrant, ...)
- Oracle Instant Client 19 and 21
- Opera
Predefined and used when needed are:
- Influx (influxdb, telegraf, ...)
- CUDA
- Nomachine
To be added/defined in common.yaml?
- GPFS
- Epics (available for RHEL7)
pli-misc Repository
A small list of packages managed by the Linux Team.
- RHEL8: make v4.3 from CentOS, as v4.2.1 has been reported to cause trouble
- latest Zoom client
- latest Webex client
- latest Slack client
- latest NoMachine Enterprise Client
- latest Real VNC Viewer, recommended for VNC remote access to Windows machines
- pli-assets containing the PSI and the Customer Self Service logo, any hints about the source rpm are welcome
- RHEL8: mod_gearman v4.0.1
- RHEL8: lightdm-gtk v2.0.8-3.pli, a patched lightdm-gtk-greeter (SRPM, PR) which allows limiting the presented keyboard layouts
- Code Beamer Office plugin v9.5.0 managed by Gilles Martin
- storecli 007.2007.0000.0000 managed by Marc Caubet Serrabou
- pam_single_kcm_cache PAM Module managed by Konrad Bucheli
- nvidia-detect copied over from ElRepo to make it generally available
- bob
Package Repositories made Available by other PSI Groups
- tivoli, IBM backup software for Arema, managed by Datacenter and DB Services, AIT
- nxserver for NoMachine NX