AlmaLinux 9 - Locmap
Locmap is a tool for locally applying a curated subset of puppet modules on a Linux machine without the need for a puppet master.
Locmap is typically installed by default when installing a new AlmaLinux system and selecting 'Software Development Workstation (CERN Recommended Setup)' during the installation.
In the event that locmap is not available, you may follow these instructions to install it.
$ sudo dnf -y install locmap-release
$ sudo dnf -y install locmap
$ sudo locmap --enable all
$ sudo locmap --configure all
At certain times during the life-cycle of Alma or RHEL the above commands may fail due to incompatibilities between the running kernel and the latest available AFS modules. This problem can be avoided by running locmap post reboot. See next section.
locmap on reboot
The reliable way to run locmap on a node and avoid kernel AFS mismatches is:
$ sudo dnf -y update
$ sudo dnf -y install locmap
$ sudo locmap --enable all
$ sudo systemctl enable locmap-once.service
$ sudo reboot
This will run locmap --configure all on reboot with the latest kernel running.
While locmap is running, non-root logins will be blocked.
The above commands can be called from a kickstart %post script.
Usage
You can access the documentation by typing (as root):
# man locmap
You can list enabled modules:
# locmap --list
[Available Modules]
afs [disabled]
cernbox [disabled]
cernphone [disabled]
chrony [disabled]
cvmfs [disabled]
eosclient [disabled]
kerberos [disabled]
lpadmin [disabled]
postfix [disabled]
resolved [disabled]
ssh [disabled]
sudo [disabled]
zoom [disabled]
You can configure all enabled modules with the following command:
# locmap --configure all
You can configure a new module:
# locmap --enable modulename
# locmap --configure modulename
You can disable a module:
# locmap --disable modulename
You can remove root access from the Main Users of LanDB using the --disallow_root option. This means that only Responsibles defined in LanDB will have root access.
# locmap --disallow_root --configure modulename
# locmap --disallow_root --configure all
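After an unattended run (kickstart or user data), it is useful to confirm that the modules a node is expected to have were in fact enabled. The following is an added example, not part of the locmap documentation: it parses output in the `locmap --list` format shown in this section and reports required modules that are not enabled. The `[enabled]` marker, the function names and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit `locmap --list` output against a required-module baseline.
# Assumption: enabled modules are printed as "name [enabled]"; the page itself
# only shows the "[disabled]" form.

# Constructed sample output (not captured from a real host).
SAMPLE_LIST='[Available Modules]
afs [disabled]
chrony [enabled]
kerberos [enabled]
ssh [enabled]
sudo [disabled]
zoom [disabled]'

# module_state LISTING MODULE -> prints enabled, disabled or missing
module_state() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == m && $2 ~ /^\[.*\]$/ { s = substr($2, 2, length($2) - 2) }
        END { print (s == "" ? "missing" : s) }'
}

# audit_modules LISTING REQUIRED... -> prints "module state" for every required
# module that is not enabled; returns 1 if any were found, 0 otherwise.
audit_modules() {
    listing=$1; shift
    rc=0
    for mod in "$@"; do
        state=$(module_state "$listing" "$mod")
        if [ "$state" != "enabled" ]; then
            printf '%s %s\n' "$mod" "$state"
            rc=1
        fi
    done
    return $rc
}

# On a real host (as root), feed it the live listing instead of the sample:
#   audit_modules "$(locmap --list)" kerberos ssh sudo
```

A non-zero exit status makes the check usable as a gate at the end of a provisioning script.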
Locmap and Home Directory
When locmap calls useraddcern, it will use the default home directory of /home/<username>.
As always, to switch to an AFS home directory:
cernadduser --directory --update <username>
Locmap and OpenStack
It is easy to run locmap during an OpenStack installation:
- Create a script with the above commands, say install.sh.
- Pass this as user data to openstack create.
openstack server create --image 'ALMA9 - x86_64' --key-name <mykey> --user-data ~/tmp/install.sh --flavor m2.small mynode
Alternatively, the script can be uploaded via the configuration tab of the "Launch Instance" panel of OpenStack.