Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now 2), and will later to SL5 beta as soon as it becomes available.

Status

• working with SL5 alpha2, plus selected recompiled packages
  • kernel, glibc, gcc, xen selinux and a few errata (firefox, thunderbird)
• profile generation works
• adding to tftpboot works
• kickstart installation with DHCP works
• SLU.pl works
• post, selection, firstboot are preliminary but working
• openafs-1.4.4 works - with PAGs through the kernel keyring
• initial yum configuration ok (no errata yet, but mechanism in place)
• software installation (through both aaru/yum/yumsel and ppm) works
  • basic software volumes exist, not fully populated yet
• AI client works
• kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
• script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo

• gssapi authentication works, including token generation (login, gdm, sshd w/o PrivSep); k5login works

• ticket/token refresh upon screen unlock works (KDE)
• autoinstallation complete
• most cfengine features are ready
• vamos_cmd and arcx work with perl-5.8.8 from SL4
• afs_admin, quota, afscp and Atrans working
• cups for the client is ready

Features with major known problems:

Features to do:

scout vamos

Features not rpefect yet:

• syslog
  • should steer audit (is this useful? on which systems?)

  • tried to port netconsole from SL4 (the module is there, init script is missing due to netdump->kdump), but it does not work

  • should the syslog feature deal with kdump as well?

Features to keep an eye on:

• kernel - needed lots of hacks to support kmod (gfs) and xen

Features we may not use:

• trusted
• inetd

Features finished/checked:

aaru afs_client automount conmgr cfengine gdm group hosts inetd kerberos kernel klogin kvm ldap linux localdisks motd nagios netgroup nsswitch pam passwd passwd_prog products security ssh sue syslog tcp_wrapper tidy_up trusted xntp ypclient zzz

Differences w.r.t SL4

• kernels:

  • no more UP, all are SMP; package name -s kernel, not kernel-smp

  • kernel-PAE for systems w/ more than 4 GB RAM (i686 only)

  • kernel-xen for VM host & guest systems (different use in grub.conf!)

• no more /proc/pci (-> use lspci)

• ionice(1)

• /usr/X11R6 still exists, but most usual content is somehwere else

  • app-defaults is in /usr/share/X11/
  • so is fonts

• there now is a restorecond watching over some files and directories

  • restores security context if file changes
  • may come in handy, an maybe is a good candidate for a backport to SL4
  • configuration is in /etc/selinux/restorecond.conf; needs adjustment!

• gdm default configuration is in /usr/share/gdm/default.conf now

  • customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
  • themes are in the same place as on SL4 and work unmodified

• GNOME

  • GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is cerated in /tmp by default
    • it turns out this is the same on SL4
  • sessions fail to start gnome-settings-daemon for our AFS default user
    • the problem: ~/.Xdefaults with mode 000 makes gnome-settings-daemon crash

    • BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216601

  • xscreensaver was replaced by gnome-screensaver

• slocate -> mlocate

• amd had real problems in FC6T2 although normal NFS mounts worked (2.6.17-1.2517.fc6)

  kernel BUG at fs/nfs/client.c:351!
  invalid opcode: 0000 [#1]

  • => use autofs; v5 seems very usable (done in automount feature, seems to work well)

• yum: and yum.repos.d in RHEL5 are part of the yum package => overwritten by updates

  • different on SL, easier to work around

• SELinux

  • much more restrictive (and useful!) in general

  • /tmp being a symlink seems to be a bad idea:

    • for example, could not start xfs (avc:denied message for the socket)

      • reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !

    • => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

      • the latter is now implemented (in %post) and seems to work well
      • CKS.pl will ignore such mounts, hence no problem here. Just make sure it's dealt with in %post.
    • some information on the "write xor execute" restrictions, and how to deal with them:

      • http://people.redhat.com/~drepper/selinux-mem.html

      • http://people.redhat.com/~drepper/textrelocs.html

      • http://people.redhat.com/~drepper/dsohowto.pdf

    • with GA, booleans have been relaxed a bit:
      • beta2:

        allow_execheap --> off
        allow_execmem --> off
        allow_execmod --> off
        allow_execstack --> on

    • GA:

      allow_execheap --> off
      allow_execmem --> on
      allow_execmod --> off
      allow_execstack --> on

      We should try to turn allow_execmem off on servers, though.

• X

  • NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better (dealt with in kvm.pl now)

  • a DefaultDepth entry in the screen section is necessary now, to use only the modes for this depth

    • or the NEC above will run at 1600x1200 with a different depth
  • in EL5beta2, X will not pick the highest possible refresh rate
    • again the NEC: specified sync ranges allow 75 or 85 HZ - it will come up with 75 Hz!
    • not yet checked on GA

• hotplug

  • now handled by hal/dbus
  • no more modifications to /etc/fstab

  • users now have to use gnome-mount, hal decides what user is allowed to do

    • NB that's the same mechanism deciding that it's a clever idea to start a new X server on the console whenever an X-Session ends - even if that's a session in Xvnc or Xnest over ssh

      • that bug is present in GA; filed a BZ (#232777) with no response yet

• FORTRAN: g77 -> gfortran (the g77 command is from gcc34)

New Possibilities of Installer (verified in EL5 GA)

• using additional repositories
  • updates and additional packages

  • could alleviate need for SL's sites

  • from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda):

           repo (optional) - EXPERIMENTAL
    
           Configures additional yum repositories that may be used as sources
           for package installation.  Multiple repo lines may be specified.
    
           repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>]
    
           --name=
    
               The repo id.  This option is required.
    
           --baseurl=
    
               The URL for the repository.  The variables that may be used in
               yum repo config files are not supported here.  You may use one
               of either this option or --mirrorlist, not both.
    
           --mirrorlist=
    
               The URL pointing at a list of mirrors for the repository.  The
               variables that may be used in yum repo config files are not
               supported here.  You may use one of either this option or
               --baseurl, not both.

  • working example:

    #Additional yum repositories to be used during installation:
    repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
    #Package install information:
    %packages --resolvedeps
    ...
    openafs-client

pam/krb5/AFS/ssh

This now works out of the box with minor configuration tweaks:

• in krb5.conf add the external and tokens options fom pam_krb5:

   tokens = sshd login
   external = sshd

• no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)

• turn off UsePrivilegeSeparation in sshd_config

  • otherwise, no token is generated from the forwarded ticket

    • pam_krb5's use_shmem = sshd does not work

  • since you don't get a PAG either, when testing this functionality:
    • make sure you destroy your existing tokens before logging in again...
    • also check you got a PAG (groups)

  • well, I think the openssh server has been patched to death by RedHat. I have put an unpatched version to /opt/products/openssh/4.3p2 which will work correctly with privsep switched on - you don't even need the "use_shmem = sshd" hack in krb5.conf. But providing an own openssh is no alternative, I know.

• ssh client fully working (including kerberos ticket forwarding) with those two lines in /etc/ssh/ssh_config:

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

• kdesktop_lock now uses the kscreensaver pam service - finally!

  • and it does the right thing just make sure there's no tokens option in pam.d/system-auth

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_a
uthtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

TODO

minor items

• pkinit-nss was removed (default.ys) to work around gnome-screensaver problem - needed?
  • looks like it is now (release 5rolling) save to let this package installed

Software

• ROOT
  • new default version (5.14.00, built and tested incl. dcache, pending rollout)
    • 32bit on amd64 needs 32bit python libs - simply install pyton.i386?
  • will need SL3 compatibility
    • provide older versions than default as SL3 binaries only?
• compilers
  • SL4 compatibility (3.4.3) - comes with release
  • SL3 compatibility (3.2.3) - possible to take from SL4 ?
  • DL5 compatibility (3.3.3) - required?
  • DL4 compatibility (2.95.3) - required? possible to take from SL3?

• OpenOffice

  • as coming w/ EL, or use packages from openoffice.org as on SL4? switch later?
  • using packages from distro for the time being

  • missing: "soffice" etc. links, DL_openoffice

• matlab, labview, ...
  • working?

Finished

Software

• Adobe Reader + asian fonts + tweak package to fix the acroread script
• cernlib: version 2005, 32/64-bit, gfortran build?
• dcache client
• flash player: beta 2 in current DL_firefox works fine
• java:
  • 1.4.2/32 in /opt/products
  • 1.5.0/32 in System
    • jpp packages from SL4 work,including javaws and the plugin

    • the fonts look terrible problem seems to have vanished

  • 1.5.0/64 in /opt/products on amd64
  • 1.6.0/native in /opt/products
• most additional System packages
  • auctex, plan, qps, rdesktop update, sunbird, xmgrace, xv
• mathematica, maple
• oracle client
• afs_admin, quota, afscp and Atrans

restorecond configuration

• adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
  • now done in %post.
• cater for prpm ?
  • not necessary unless they reintroduce this idea of running the scripts in a special domain

Problems to Solve

utmp

There's no /var/log/utmp. The who and w commands are completely broken.

• the file is actually named /var/run/utmp
• xterm does not modify it - gnome and kde console do
• we should find out why the window manager itself (icewm, kde, gnome) does not insert data for the logged in user

GNOME Trash in AFS

Longstanding issue, see GNOME_Trash_in_AFS_problem

X won't pick highest possible refresh rate

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216409

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. (this is the default since RHEL5 beta 1, hasn't changed with beta 2). Vamos_cmd now works, but here goes part of our improved security

Some of these problems have been solved with new build of modules. Some are solved because RH allows executable stacks again since RHEL5beta1.

Remedy in some other cases: setsebool -P allow_execmod on It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

NB setsebool is buggy in FC6T2: -P doesn't work.

Perl modules that need to be linked against prebuilt static libraries will not work out of the box. Cure: chcon -t textrel_shlib_t /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/AFS/AFS.so

Currently the only modules where this needs to be done are the AFS related modules AFS.so and Quota.so and most probably Oracle.so (untested)

The solution for all this to install perl-5.8.8 locally, which also means it must be kept to a minmum, and have a trigger package to set the contexts where required.

Remote X with local fonts

Remote X connections get the local font server appended to the font path. For this to work, the host must have the remote-x-host modifier set. Unfortunately the xset fp command fails if called from /etc/X11/xinit/xinitrc.d/desy-zn.sh with this error: xset: bad font path element (#59)

Problems Solved

gnome-screensaver fails to unlock screen

• not working with kerberos up to and including EL5beta2, obvious bugs on x86_64

• BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216615

• workaround: rpm -e pkinit-nss

• now being tracked under https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216718

  • severity high, priority urgent blocks what is probably the EL5 release blocker

apache and SELinux

basically the procedure described for SL4 applies with some modifications. First do check the settings of the booleans httpd_enable_homedirs and use_nfs_home_dirs and set them to on if they are off.

getsebool -a |egrep 'httpd_enable_homedirs|use_nfs_home_dirs'
setsebool use_nfs_home_dirs=1
setsebool httpd_enable_homedirs=1

Then add new policy modules to allow key searches (new feature for keyrings in the kernel) by creating a script mysearch.te

module mysearch 1.0;

require {
        class key search;
        type httpd_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t unconfined_t:key search;

and executing

checkmodule -M -m -o mysearch.mod mysearch.te
semodule_package -o mysearch.pp -m mysearch.mod
semodule -i mysearch.pp

and another script to allow for udp packets in AFS

module myafs 1.0;

require {
        class udp_socket write;
        type httpd_t;
        type initrc_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t initrc_t:udp_socket write;
# needed if afs is ever restarted:
allow httpd_t unconfined_t:udp_socket write;

and executing

checkmodule -M -m -o myafs.mod myafs.te
semodule_package -o myafs.pp -m myafs.mod
semodule -i myafs.pp

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinet.d/rsh and /etc/xinet.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However only the rsh works correctly, rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

Alas, according to the daemons' syslog output, this shouldn't work anymore and the pam config would be the right place for tis option.

Anyway, we should get rid of this...

This one solved itself: It works like on SL3/4 since SL5beta1.

Perl and SELinux ...

Wolfgang sorted this out with new builds of modules:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

arcx doesn't work

Wolfgang has new modules alleviating this. They are rolled out meanwhile.

• [wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50
  Could not connect to 'arcdsrv:4242':  Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 )  no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?)

This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~% 

With cyrus-sasl-gssapi added to defaut.ys and the current modules, arcx works.

vamos_cmd w/ krb5 works - but on amd64 only

• solved by removing perl_5.8.8-manymodules
  • amd64 was already using a minimal set of single module packages

afslive doesn't work because their perl module doesn't

• fixed by local installation of perl-5.8.8 and perl_5.8.8-selinux-triggers

Atrans dumping core fixed

• in a few places the API was changed from AFS 1.2 to 1.4. Adjusting the calls fixed the problem

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

2. Execute prpm in the rpm_t domain:

   runcon -t rpm_t -- /opt/products/bin/prpm -ivh ...

   We'll probably have to teach ppm&co how to do this. Relabelling the exectables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

In addition, this behaviour was obviously reverted in RHEL5beta2.

Cups server and SELinux

• problem: https admin port not available, permission denied, AVC messages are missing

• information from http://fedoraproject.org/wiki/SELinux/Troubleshooting

    yum install audit, start audit
    semodule -b /usr/share/selinux/targeted/enableaudit.pp
    mkdir /usr/share/policy-module-cups; cd /usr/share/policy-module-cups
    /etc/init.d/cups restart 
    tail -50 /var/log/audit/audit.log | audit2allow -m cups >|cups.te
    checkmodule -M -m -o cups.mod cups.te
    semodule_package -o cups.pp -m cups.mod
    semodule -i cups.pp
    semodule -l
    /etc/init.d/cups restart
    netstat -ltn | grep 443  # I'm soo happy! 
    semodule -b /usr/share/selinux/targeted/base.pp
    stop audit

init scripts and SELinux

• problem: init script needs to do something not allowed in initrc_t domain
  • example: panfs needs to mount/umount

• solution 1: use runcon inside the script

• solution 2: relabel the script: chcon -t unconfined_exec_t /etc/init.d/panfs

Notes from manual FC6T2 installation

• network install using DHCP - no media
• first attempt with a rather large set of packages including Xen failed
  • system got stuck when starting firstboot
• second attempt with smaller package set and without Xen worked
• X came up with some 1900x1400 resolution, just about usable
  • minimal xorg.conf prefers highest mode possible
  • could not be changed with system-config-display (monitor could not be chosen)