9928
Comment:
|
10206
|
Deletions are marked like this. | Additions are marked like this. |
Line 22: | Line 22: |
* aaru.yum.create works, basic software volumes exist (still empty) | * aaru.yum.create works, basic software volumes exist (System onl;y partially populated) |
Line 26: | Line 26: |
* gssapi authentication works, including token generation (llogin, gdm, sshd); k5login works | * gssapi authentication works, including token generation (login, gdm, sshd); k5login works * ticket/token refresh upon screen unlock works (KDE) * autoinstallation complete to the point where we can run sue.update * some (non-trivial and important) features are ready |
Line 30: | Line 33: |
automount |
|
Line 36: | Line 37: |
Line 39: | Line 39: |
gdm kvm linux | automount gdm kvm linux |
Line 74: | Line 74: |
* we may have to use autofs | * => use autofs; v5 seems very usable |
Line 193: | Line 193: |
* ssh login to other hosts works, but ticket/token is not delegated |
Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.
Status
working with FC6T2 (50 is a link to that, script to create SL-like layout)
- profiles generation works
- adding to tftpboot works
- kickstart installation with DHCP works
- post, selection, firstboot are preliminary but working
- openafs-1.4.2beta3 works (with some ugly ugly hacks in the SPEC)
- without PAGs (syscall table is r/o)
- need to rebuild kernel or use openafs-1.5 with keyring pag support
- 1.5.6 still too hard to build
- need to rebuild kernel or use openafs-1.5 with keyring pag support
- installation in %post (yum does not work in %post, and NFS still needs portmap start)
- without PAGs (syscall table is r/o)
initial yum configuration ok (development->errata not yet mirrored)
- aaru.yum.create works, basic software volumes exist (System onl;y partially populated)
- AI client works
- kvm.pl works (X autoconfiguration)
- script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
- gssapi authentication works, including token generation (login, gdm, sshd); k5login works
- ticket/token refresh upon screen unlock works (KDE)
- autoinstallation complete to the point where we can run sue.update
- some (non-trivial and important) features are ready
Features with major known problems:
Features to do:
aaru afs_client cfengine conmgr group hosts inetd kerberos kernel klogin kvm ldap linux localdisks motd nagios netgroup nsswitch pam passwd passwd_prog printing products scout security ssh sue syslog tcp_wrapper tidy_up trusted vamos xntp ypclient zzz
Features finished/checked:
automount gdm kvm linux
Differences w.r.t SL4 (FC6T2; to be verified for RHEL5)
- kernels:
no more UP, all are SMP; package name -s kernel, not kernel-smp
- kernel-PAE for systems w/ more than 4 GB RAM
- kernel-xen for VM guest systems
no more /proc/pci (-> use lspci)
/usr/X11R6 still exists, but most usual content is somehwere else
- app-defaults is in /usr/share/X11/
- so is fonts
there now is a restorecond watching over some files and directories
- restores security context if file changes
- may come in handy, an maybe is a good candidate for a backport to SL4
- configuration is in /etc/selinux/restorecond.conf; needs adjustment!
- GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is cerated in /tmp by default
- it turns out this is the same on SL4
- gdm default configuration is in /usr/share/gdm/default.conf now
- customization is supposed to go into /etc/gdm/custom.conf
- themes are in the same place as on SL4 and work unmodified
- GNOME
- the Trash bug is still there
- now also the desktop fails to display new files
- sessions fail to start gnome-settings-daemon if ~ is in AFS
- probably also responsible for the desktop problem
- xscreensaver was replaced by gnome-screensaver (not working in FC6T2)
=> GNOME considerd unusable in our environment
- KDE works well; set DESKTOP= in /etc/sysconfig/dekstop
slocate -> mlocate
amd has real problems although normal NFS mounts work (FC6T2, 2.6.17-1.2517.fc6) {{{kernel BUG at fs/nfs/client.c:351!
invalid opcode: 0000 [#1] }}}
=> use autofs; v5 seems very usable
New Possibilities of Installer (FC6T2; to be verified for RHEL5)
- using additional repositories (how to configure kickstart for this?)
- updates and additional packages
could alleviate need for SL's sites
- from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda): {{{ repo (optional) - EXPERIMENTAL
- Configures additional yum repositories that may be used as sources for package installation. Multiple repo lines may be specified.
repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>] --name=
- The repo id. This option is required.
- The URL for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --mirrorlist, not both.
- The URL pointing at a list of mirrors for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --baseurl, not both.
- Configures additional yum repositories that may be used as sources for package installation. Multiple repo lines may be specified.
}}}
- working example:
#Additional yum repositories to be used during installation: repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/ #Package install information: %packages --resolvedeps ... openafs-client
pam/krb5/AFS/ssh
This now orks out of the box with minor configuration tweaks:
in krb5.conf add the external and tokens options fom pam_krb5:
tokens = sshd login external = sshd
- no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)
turn off UsePrivilegeSeparation in sshd_config
pam_krb5's use_shmem = sshd does not work
kdesktop_lock now uses the kscreensaver pam service - finally!
and it does the right thing just make sure there's no tokens option in pam.d/system-auth
Complete working /etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass debug auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5afs.so use_first_pass debug auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5afs.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_a uthtok password sufficient pam_krb5afs.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session required pam_unix.so session optional pam_krb5afs.so
Complete working example of appdefaults section in /etc/krb5.conf:
[appdefaults] pam = { external = sshd tokens = sshd login debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
TODO
YUM
yum.conf and yum.repos.d are part of the yum package => overwritten by updates
=> trigger? run aaru.yum.create from it?
restorecond configuration
- adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
X
- if not configured during install, cannot start xfs (avc:denied message for the socket)
reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !
- NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better
/tmp
- looking at the xfs issue, it's probably a bad idea to have /tmp being a symlink
=> make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead
Problems to Solve
- rsh access from trusted hosts does not work
- ssh login to other hosts works, but ticket/token is not delegated
Perl and SELinux ...
FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:
[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell boot/grub/menu.lst exists loader : grub site : HH Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230. at /project/VAMOS/prod//client/Auth/RSA.pm line 9 Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.
This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but here goes part of our improved security
NB setsebool is buggy in FC6T2: -P doesn't work.
Next problem:
[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230. at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34 Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
Remedy: setsebool -P allow_execmod on It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.
Temporary fix: DL_sebool package installed in %post.
Notes from manual FC6T2 installation
- network install using DHCP - no media
- first attempt with a rather large set of packages including Xen failed
- system got stuck when starting firstboot
- second attempt with smaller package set and without Xen worked
- X came up with some 1900x1400 resolution, just about usable
- minimal xorg.conf prefers highest mode possible
- could not be changed with system-config-display (monitor could not be chosen)