Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.
Status
working with FC6T2 (50 is a link to that, script to create SL-like layout)
- profiles generation works
- adding to tftpboot works
- kickstart installation with DHCP works
- post, selection, firstboot are preliminary but working
- openafs-1.4.2rc1 works - with PAGs through the kernel keyring
- installation in %post (yum does not work in %post, and NFS still needs portmap start)
- also tested successfully: add a yum repository for anaconda to use, and simply add to selection (see below)
initial yum configuration ok (development->errata not yet mirrored)
- aaru.yum.create works, basic software volumes exist (System only partially populated)
- AI client works
- kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
- script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
- gssapi authentication works, including token generation (login, gdm, sshd); k5login works
- ticket/token refresh upon screen unlock works (KDE)
- autoinstallation complete to the point where we can run sue.update
- some (non-trivial and important) features are ready
- vamos_cmd works with perl-5.8.8 (if some security booleans are off, see below) from SL4; arcx does not
Features with major known problems:
Features to do:
aaru afs_client cfengine conmgr group hosts inetd kerberos kernel kloginldap localdisks motd nagios netgroup nsswitch pam passwd passwd_prog printing products scout security ssh sue syslog tcp_wrapper tidy_up trusted vamos xntp ypclient zzz
Features finished/checked:
automount gdm kvm linux products(i386 only, minimal configuration)
Differences w.r.t SL4 (FC6T2; to be verified for RHEL5)
- kernels:
no more UP, all are SMP; package name is kernel, not kernel-smp
- kernel-PAE for systems w/ more than 4 GB RAM
- kernel-xen for VM guest systems
no more /proc/pci (-> use lspci)
/usr/X11R6 still exists, but most usual content is somewhere else
- app-defaults is in /usr/share/X11/
- so is fonts
there now is a restorecond watching over some files and directories
- restores security context if file changes
- may come in handy, and maybe is a good candidate for a backport to SL4
- configuration is in /etc/selinux/restorecond.conf; needs adjustment!
gdm default configuration is in /usr/share/gdm/default.conf now
- customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
- themes are in the same place as on SL4 and work unmodified
GNOME
- GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is created in /tmp by default
- it turns out this is the same on SL4
- the Trash bug is still there
- now also the desktop fails to display new files
- sessions fail to start gnome-settings-daemon if ~ is in AFS
- probably also responsible for the desktop problem
- xscreensaver was replaced by gnome-screensaver (not working in FC6T2)
=> GNOME considered unusable in our environment
- KDE works well; set DESKTOP= in /etc/sysconfig/desktop
slocate -> mlocate
amd has real problems although normal NFS mounts work (FC6T2, 2.6.17-1.2517.fc6):
{{{
kernel BUG at fs/nfs/client.c:351!
invalid opcode: 0000 [#1]
}}}
=> use autofs; v5 seems very usable (done in automount feature, seems to work well)
yum: and yum.repos.d are part of the yum package => overwritten by updates
- now dealt with by a trigger in DL_FC6.rpm
SELinux
much more restrictive (and useful!) in general
/tmp being a symlink seems to be a bad idea:
- for example, could not start xfs (avc:denied message for the socket)
reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !
=> make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead
- the latter is now implemented (in %post) and seems to work well
- CKS.pl will ignore such mounts, hence no problem here. Just make sure it's dealt with in %post.
X
- NEC FE750+ will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better (dealt with in kvm.pl now)
New Possibilities of Installer (FC6T2; to be verified for RHEL5)
- using additional repositories
- updates and additional packages
could alleviate need for SL's sites
- from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda):
{{{
repo (optional) - EXPERIMENTAL

    Configures additional yum repositories that may be used as sources for
    package installation. Multiple repo lines may be specified.

    repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>]

    --name=        The repo id. This option is required.
    --baseurl=     The URL for the repository. The variables that may be used
                   in yum repo config files are not supported here. You may
                   use one of either this option or --mirrorlist, not both.
    --mirrorlist=  The URL pointing at a list of mirrors for the repository.
                   The variables that may be used in yum repo config files
                   are not supported here. You may use one of either this
                   option or --baseurl, not both.
}}}
- working example:
{{{
#Additional yum repositories to be used during installation:
repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/

#Package install information:
%packages --resolvedeps
...
openafs-client
}}}
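The kickstart-docs excerpt above carries three constraints that are easy to get wrong when the repo lines are generated by a profile script: --name is mandatory, --baseurl and --mirrorlist are mutually exclusive, and yum.conf variables such as $basearch are not expanded by anaconda. The following Python checker is an added illustration, not part of the profile generation tooling described on this page; the function names and the second (mirrorlist) repo in the constructed sample are my own, the first repo line is the working example from the page.

```python
import re
import shlex

# yum.conf variables the installer's 'repo' line does not expand (see the quoted kickstart-docs)
YUM_VARIABLE = re.compile(r"\$(basearch|releasever|arch|YUM[0-9])")
KNOWN_OPTIONS = {"name", "baseurl", "mirrorlist"}

# Constructed sample kickstart fragment; the 50post line is the page's working example,
# the 'errata' mirrorlist URL is invented for the demonstration.
KICKSTART = """\
# additional repositories for the installer
repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
repo --name=errata --mirrorlist=http://141.34.32.17/SL/50/i386_errata/mirrors
%packages --resolvedeps
openafs-client
"""


def parse_ks_repo(line: str) -> dict:
    """Parse and validate one kickstart 'repo' line (anaconda 11.1 syntax as quoted above)."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "repo":
        raise ValueError("not a 'repo' line")
    opts = {}
    for tok in tokens[1:]:
        if not tok.startswith("--") or "=" not in tok:
            raise ValueError(f"unexpected token {tok!r}; options are --name=, --baseurl=, --mirrorlist=")
        key, value = tok[2:].split("=", 1)
        if key not in KNOWN_OPTIONS:
            raise ValueError(f"unknown option --{key}")
        if key in opts:
            raise ValueError(f"option --{key} given twice")
        opts[key] = value
    if not opts.get("name"):
        raise ValueError("--name=<repoid> is required")
    # exactly one source: both present or both absent is an error
    if ("baseurl" in opts) == ("mirrorlist" in opts):
        raise ValueError("give exactly one of --baseurl or --mirrorlist")
    url = opts.get("baseurl", opts.get("mirrorlist"))
    if YUM_VARIABLE.search(url):
        raise ValueError(f"yum variable in {url!r} is not expanded by the installer; spell out arch and version")
    return opts


def repos_from_kickstart(text: str) -> list:
    """Collect validated repo definitions from the command section (stops at the first %section)."""
    repos = []
    for raw in text.splitlines():
        if raw.startswith("%"):
            break
        if raw.strip().startswith("repo "):
            repos.append(parse_ks_repo(raw))
    return repos


if __name__ == "__main__":
    for repo in repos_from_kickstart(KICKSTART):
        print(repo)
```

Running the checker over generated profiles before they are copied to tftpboot catches the "not both" and "$basearch" mistakes at generation time instead of as a failed network install.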
pam/krb5/AFS/ssh
This now works out of the box with minor configuration tweaks:
in krb5.conf add the external and tokens options from pam_krb5:
{{{
tokens = sshd login
external = sshd
}}}
- no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)
turn off UsePrivilegeSeparation in sshd_config
pam_krb5's use_shmem = sshd does not work
kdesktop_lock now uses the kscreensaver pam service - finally!
and it does the right thing; just make sure there's no tokens option in pam.d/system-auth
Complete working /etc/pam.d/system-auth:
{{{
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so
}}}
Complete working example of appdefaults section in /etc/krb5.conf:
{{{
[appdefaults]
pam = {
    external = sshd
    tokens = sshd login
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
}}}
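Since authconfig regenerates system-auth and the kscreensaver service only does the right thing when no tokens option has crept into it, a small check over the stack is worth running after every authconfig run. The Python below is an added example, not part of the pam/gdm features on this page: it parses pam.d syntax (including the bracketed [default=bad ...] control), flags a tokens option on any pam_krb5 line, and additionally checks that the auth and password stacks end in pam_deny.so (a general fail-closed check that goes beyond the page's note). The embedded stack is the working system-auth from the page; the function names are my own.

```python
import re

# type, control (plain word or [bracketed list]), module, remaining arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The working /etc/pam.d/system-auth from this page (comments shortened).
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so
"""


def parse_pam(text: str) -> list:
    """Turn pam.d file contents into (type, control, module, [args]) tuples; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse pam line: {raw!r}")
        mtype, control, module, args = m.groups()
        rules.append((mtype, control, module, args.split()))
    return rules


def check_system_auth(rules: list) -> list:
    """Return a list of findings; an empty list means the stack passes both checks."""
    findings = []
    for mtype, _control, module, args in rules:
        # the page's rule: token acquisition is configured in krb5.conf [appdefaults], not here
        if module.startswith("pam_krb5") and "tokens" in args:
            findings.append(f"{mtype}: {module} carries a 'tokens' option; move it to krb5.conf [appdefaults]")
    # fail-closed hygiene: the auth and password stacks must terminate in pam_deny.so
    for stack in ("auth", "password"):
        modules = [module for mtype, _c, module, _a in rules if mtype == stack]
        if not modules or modules[-1] != "pam_deny.so":
            findings.append(f"{stack} stack does not end with pam_deny.so")
    return findings


if __name__ == "__main__":
    for finding in check_system_auth(parse_pam(SYSTEM_AUTH)) or ["system-auth OK"]:
        print(finding)
```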
TODO
restorecond configuration
- adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
- cater for prpm ?
Problems to Solve
rsh access from trusted hosts does not work
No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.
ssh login to other hosts works, but ticket/token is not delegated
Is this possibly due to the limited set of key salts supported? Could that be the reason for the arcx problem below as well?
arcx doesn't work
Wolfgang has new modules alleviating this, but they're not yet in any repository.
{{{
[wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50
Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?)
}}}
This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.
Perl and SELinux ...
FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:
{{{
[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl
yes please -shell
boot/grub/menu.lst exists
loader : grub
site : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.
}}}
This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but there goes part of our improved security.
NB setsebool is buggy in FC6T2: -P doesn't work.
Next problem:
{{{
[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
}}}
Remedy: setsebool -P allow_execmod on. It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.
Temporary fix: DL_sebool package installed in %post.
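Both failures above come down to one question per shared object: does it request an executable stack (the RSA.so case), or does it carry text relocations (the Krb5.so case)? Setting allow_execstack or allow_execmod answers that for every process on the host at once; reading the object's headers answers it for that object only, which is what you need to decide whether to rebuild it as PIC or relabel it textrel_shlib_t where the filesystem permits. The Python below is an added example, not part of the DL_sebool package or any SL script: it reads the PT_GNU_STACK program header and the DT_TEXTREL/DF_TEXTREL dynamic tags of an ELF64 little-endian file, the same information readelf -lW and readelf -d show. make_sample_elf constructs a header-only sample so the script runs without a real library; all function names are my own.

```python
import struct

# ELF constants (ELF64 specification / Linux elf.h)
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
DT_NULL = 0
DT_TEXTREL = 22
DT_FLAGS = 30
DF_TEXTREL = 0x4


def elf_needs(data: bytes) -> dict:
    """Report what an ELF64 little-endian object asks of the loader.

    execstack: PT_GNU_STACK requests an executable stack (what allow_execstack permits)
    execmod:   the dynamic section carries DT_TEXTREL / DF_TEXTREL, i.e. the object
               needs text relocations (what allow_execmod / textrel_shlib_t permit)
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    execstack = True   # conservative: without a PT_GNU_STACK header, treat the object as wanting one
    execmod = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            execstack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for j in range(0, p_filesz, 16):          # Elf64_Dyn entries are 16 bytes
                d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    execmod = True
    return {"execstack": execstack, "execmod": execmod}


def selinux_advice(data: bytes) -> list:
    """Per-object alternatives to flipping the global booleans."""
    needs = elf_needs(data)
    advice = []
    if needs["execmod"]:
        advice.append("text relocations: rebuild as PIC, or chcon -t textrel_shlib_t where the filesystem allows it")
    if needs["execstack"]:
        advice.append("executable stack requested: rebuild, or clear the flag with execstack -c, rather than allow_execstack")
    return advice


def make_sample_elf(exec_stack: bool, textrel: bool) -> bytes:
    """Construct a minimal header-only ELF64 image for the demonstration (not loadable)."""
    phnum, phoff, phentsize = 2, 64, 56
    dyn_off = phoff + phnum * phentsize
    dynamic = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0) + struct.pack("<qQ", DT_NULL, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    # ET_DYN, EM_X86_64, version 1, entry 0, phoff, shoff 0, flags 0, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, phentsize, phnum, 64, 0, 0)
    stack_flags = 0x6 | (PF_X if exec_stack else 0)          # RW, plus X when requested
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dynamic), len(dynamic), 8)
    return ehdr + ph_stack + ph_dyn + dynamic


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf(True, True)
    print(elf_needs(blob))
    for line in selinux_advice(blob):
        print(" -", line)
```

Run it with the path of a .so under /opt/products to see which of the two booleans that particular object actually depends on; objects that need neither should keep working with both booleans off.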
(P)RPM and SELinux
Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:
Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.
Execute prpm in the rpm_t domain:
{{{
runcon -t rpm_t -- /opt/products/bin/prpm -ivh ...
}}}
We'll probably have to teach ppm&co how to do this. Relabelling the executables is probably still a good idea. How to do this correctly? In prpm's %post?
After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.
Notes from manual FC6T2 installation
- network install using DHCP - no media
- first attempt with a rather large set of packages including Xen failed
- system got stuck when starting firstboot
- second attempt with smaller package set and without Xen worked
- X came up with some 1900x1400 resolution, just about usable
- minimal xorg.conf prefers highest mode possible
- could not be changed with system-config-display (monitor could not be chosen)