Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now 2), and will later to SL5 beta as soon as it becomes available.

TableOfContents

Status

• working with EL5 beta2 (50 is a link to that, scripts/notes to create SL-like layout)
• profile generation works
• adding to tftpboot works
• kickstart installation with DHCP works
• SLU.pl works
• post, selection, firstboot are preliminary but working
• openafs-1.4.2 (-31.SL5) works - with PAGs through the kernel keyring
  • installation by adding a yum repository for anaconda to use, and simply adding openafs to selection (see below)
• initial yum configuration ok (no errata for EL5beta, but mechanism in place)
• software installation (through both aaru/yum/yumsel and ppm) works
  • basic software volumes exist, not fully populated yet
• AI client works
• kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
• script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo

• gssapi authentication works, including token generation (login, gdm, sshd w/o PrivSep); k5login works

• ticket/token refresh upon screen unlock works (KDE)
• autoinstallation complete
• some (non-trivial and important) features are ready
• vamos_cmd and arcx work with perl-5.8.8 from SL4
• cups for the client is ready

Features with major known problems:

• kernel - needs adaptation to xen

Features to do:

cfengine conmgr inetd kerberos kernel localdisks pam scout syslog trusted vamos

Features finished/checked:

aaru afs_client automount gdm group hosts klogin kvm ldap linux motd nagios netgroup nsswitch passwd passwd_prog products security ssh sue tcp_wrapper tidy_up xntp ypclient zzz

Differences w.r.t SL4 (EL5beta2; to be verified for RHEL5)

• kernels:

  • no more UP, all are SMP; package name -s kernel, not kernel-smp

  • kernel-PAE for systems w/ more than 4 GB RAM (i686 only)

  • kernel-xen for VM host & guest systems

• no more /proc/pci (-> use lspci)

• ionice(1)

• /usr/X11R6 still exists, but most usual content is somehwere else

  • app-defaults is in /usr/share/X11/
  • so is fonts

• there now is a restorecond watching over some files and directories

  • restores security context if file changes
  • may come in handy, an maybe is a good candidate for a backport to SL4
  • configuration is in /etc/selinux/restorecond.conf; needs adjustment!

• gdm default configuration is in /usr/share/gdm/default.conf now

  • customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
  • themes are in the same place as on SL4 and work unmodified

• GNOME

  • GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is cerated in /tmp by default
    • it turns out this is the same on SL4
  • before EL5beta2, the desktop failed to display new files, seems fixed in beta2
  • sessions fail to start gnome-settings-daemon for our AFS default user
    • the problem: ~/.Xdefaults with mode 000 makes gnome-settings-daemon crash

    • BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216601

  • xscreensaver was replaced by gnome-screensaver

• slocate -> mlocate

• amd has real problems although normal NFS mounts work (FC6T2, 2.6.17-1.2517.fc6) {{{kernel BUG at fs/nfs/client.c:351!

invalid opcode: 0000 [#1] }}}

• => use autofs; v5 seems very usable (done in automount feature, seems to work well)

• yum: and yum.repos.d are part of the yum package => overwritten by updates

  • now dealt with by a trigger in DL_FC6.rpm UPDATE THIS

• SELinux

  • much more restrictive (and useful!) in general

  • /tmp being a symlink seems to be a bad idea:

    • for example, could not start xfs (avc:denied message for the socket)

      • reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !

    • => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

      • the latter is now implemented (in %post) and seems to work well
      • CKS.pl will ignore such mounts, hence no problem here. Just make sure it's dealt with in %post.
    • some information on the "write xor execute" restrictions, and how to deal with them:

      • http://people.redhat.com/~drepper/selinux-mem.html

      • http://people.redhat.com/~drepper/textrelocs.html

      • http://people.redhat.com/~drepper/dsohowto.pdf

• X

  • NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better (dealt with in kvm.pl now)

  • a DefaultDepth entry in the screen section is necessary now, to use only the modes for this depth

    • or the NEC above will run at 1600x1200 with a different depth
  • in EL5beta2, X will not pick the highest possible refresh rate
    • again the NEC: specified sync ranges allow 75 or 85 HZ - it will come up with 75 Hz!

• hotplug

  • now handled by hal/dbus
  • no more modifications to /etc/fstab

  • users now have to use gnome-mount, hal decides what user is allowed to do

    • NB that's the same mechanism deciding that it's a clever idea to start a new X server on the console whenever an X-Session ends - even if that's a session in Xvnc or Xnest over ssh

New Possibilities of Installer (verified in EL5 beta2)

• using additional repositories
  • updates and additional packages

  • could alleviate need for SL's sites

  • from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda): {{{ repo (optional) - EXPERIMENTAL
    • Configures additional yum repositories that may be used as sources for package installation. Multiple repo lines may be specified.

      repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>] --name=

      • The repo id. This option is required.
      --baseurl=
      • The URL for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --mirrorlist, not both.
      --mirrorlist=
      • The URL pointing at a list of mirrors for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --baseurl, not both.

}}}

• working example:

  #Additional yum repositories to be used during installation:
  repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
  #Package install information:
  %packages --resolvedeps
  ...
  openafs-client

pam/krb5/AFS/ssh

This now works out of the box with minor configuration tweaks:

• in krb5.conf add the external and tokens options fom pam_krb5:

   tokens = sshd login
   external = sshd

• no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)

• turn off UsePrivilegeSeparation in sshd_config

  • otherwise, no token is generated from the forwarded ticket

    • pam_krb5's use_shmem = sshd does not work

  • since you don't get a PAG either, when testing this functionality:
    • make sure you destroy your existing tokens before logging in again...
    • also check you got a PAG (groups)

  • well, I think the openssh server has been patched to death by RedHat. I have put an unpatched version to /opt/products/openssh/4.3p2 which will work correctly with privsep switched on - you don't even need the "use_shmem = sshd" hack in krb5.conf. But providing an own openssh is no alternative, I know.

• ssh client fully working (including kerberos ticket forwarding) with those two lines in /etc/ssh/ssh_config:

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

• kdesktop_lock now uses the kscreensaver pam service - finally!

  • and it does the right thing just make sure there's no tokens option in pam.d/system-auth

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_a
uthtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

TODO

minor items

• vamos_cmd w/ krb5 works - but on amd64 only ?!
• pkinit-nss was removed (default.ys) to work around gnome-screensaver problem - needed?
• decide on default desktop: set DESKTOP= in /etc/sysconfig/dekstop
• afslive doesn't work because their perl module doesn't

Software

• ROOT
  • same versions as on SL4
  • will need SL3 compatibility
• dcache client
• compilers
  • SL4 compatibility (3.4.3)
  • SL3 compatibility (3.2.3)
  • DL5 compatibility (3.3.3)
  • DL4 compatibility (2.95.3)

• OpenOffice

  • as coming w/ EL, or use packages from openoffice.org as on SL4? switch later?
  • using packages from distro for the time being

  • missing: "soffice" etc. links, DL_openoffice

• mathematica, maple, matlab, labview, ...
  • working?
• oracle client

Finished

Software

• Adobe Reader + asian fonts + tweak package to fix the acroread script
• cernlib: version 2005, 32/64-bit, gfortran build?
• flash player: beta 2 in current DL_firefox works fine
• java:
  • 1.4.2/32 in /opt/products
  • 1.5.0/32 in System
    • jpp packages from SL4 work,including javaws and the plugin

    • the fonts look terrible problem seems to have vanished

  • 1.5.0/64 in /opt/products on amd64
  • 1.6.0/native in /opt/products
• most additional System packages
  • auctex, plan, qps, rdesktop update, sunbird, xmgrace, xv

restorecond configuration

• adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
  • now done in %post.
• cater for prpm ?
  • not necessary unless they reintroduce this idea of running the scripts in a special domain

Problems to Solve

GNOME Trash in AFS

Longstanding issue, see ["GNOME Trash in AFS problem"]

X won't pick highest possible refresh rate

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216409

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinet.d/rsh and /etc/xinet.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However only the rsh works correctly, rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

Alas, according to the daemons' syslog output, this shouldn't work anymore and the pam config would be the right place for tis option.

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. (this is the default since RHEL5 beta 1, hasn't changed with beta 2). Vamos_cmd now works, but here goes part of our improved security

Some of these problems have been solved with new build of modules. Some are solved because RH allows executable stacks again since RHEL5beta1.

Remedy in some other cases: setsebool -P allow_execmod on It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

NB setsebool is buggy in FC6T2: -P doesn't work.

The AFS modules from SL4 (needed by tklife, for example) are having problems as well.

Problems Solved

gnome-screensaver fails to unlock screen

• not working with kerberos up to and including EL5beta2, obvious bugs on x86_64

• BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216615

• workaround: rpm -e pkinit-nss

• now being tracked under https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216718

  • severity high, priority urgent blocks what is probably the EL5 release blocker

apache and SELinux

basically the procedure described for SL4 applies with some modifications. First do check the settings of the booleans httpd_enable_homedirs and use_nfs_home_dirs and set them to on if they are off.

getsebool -a |egrep 'httpd_enable_homedirs|use_nfs_home_dirs'
setsebool use_nfs_home_dirs=1
setsebool httpd_enable_homedirs=1

Then add new policy modules to allow key searches (new feature for keyrings in the kernel) by creating a script mysearch.te

module mysearch 1.0;

require {
        class key search;
        type httpd_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t unconfined_t:key search;

and executing

checkmodule -M -m -o mysearch.mod mysearch.te
semodule_package -o mysearch.pp -m mysearch.mod
semodule -i mysearch.pp

and another script to allow for udp packets in AFS

module myafs 1.0;

require {
        class udp_socket write;
        type httpd_t;
        type initrc_t;
        type unconfined_t;
        role system_r;
};

allow httpd_t initrc_t:udp_socket write;
# needed if afs is ever restarted:
allow httpd_t unconfined_t:udp_socket write;

and executing

checkmodule -M -m -o myafs.mod myafs.te
semodule_package -o myafs.pp -m myafs.mod
semodule -i myafs.pp

Perl and SELinux ...

Wolfgang sorted this out with new builds of modules:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

arcx doesn't work

Wolfgang has new modules alleviating this, but they're not yet in any repository.

• {{{[wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50

Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?) }}} This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~% 

With cyrus-sasl-gssapi added to defaut.ys and the current modules, arcx works.

=== (P)RPM and SELinux ==-

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

2. Execute prpm in the rpm_t domain: {{{runcon -t rpm_t -- /opt/products/bin/prpm -ivh ... }}} We'll probably have to teach ppm&co how to do this. Relabelling the exectables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

In addition, this behaviour was obviously reverted in RHEL5beta2.

Notes from manual FC6T2 installation

• network install using DHCP - no media
• first attempt with a rather large set of packages including Xen failed
  • system got stuck when starting firstboot
• second attempt with smaller package set and without Xen worked
• X came up with some 1900x1400 resolution, just about usable
  • minimal xorg.conf prefers highest mode possible
  • could not be changed with system-config-display (monitor could not be chosen)