#acl DvGroup:read,write,revert Known:read,write All:read
Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.

[[TableOfContents]]

== Status ==
 * working with FC6``T2 (50 is a link to that, script to create SL-like layout)
 * profiles generation works
 * adding to tftpboot works
 * kickstart installation with DHCP works
 * post, selection, firstboot are preliminary but working
 * openafs-1.4.2beta3 works (with some ugly ugly hacks in the SPEC)
  * without PAGs (syscall table is r/o)
  * need to rebuild kernel or use openafs-1.5 with keyring pag support
   * 1.5.6 still too hard to build
  * installation in %post (yum does not work in %post, and NFS still needs portmap start)
 * initial yum configuration ok (development->errata not yet mirrored)
 * aaru.yum.create works, basic software volumes exist (still empty)
 * AI client works
 * kvm.pl works (X autoconfiguration)
 * script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
 * gssapi authentication works, including token generation (llogin, gdm, sshd); k5login works

== Differences w.r.t SL4 (FC6T2; to be verified for RHEL5) ==
 * kernels:
  * no more UP, all are SMP; package name is ''kernel'', '''not''' ''kernel-smp''
  * kernel-PAE for systems w/ more than 4 GB RAM
  * kernel-xen for VM guest systems
 * no more /proc/pci (-> use lspci)
 * /usr/X11``R6 still exists, but most usual content is somewhere else
  * app-defaults is in /usr/share/X11/
  * so is fonts
 * there now is a ''restorecond'' watching over some files and directories
  * restores security context if file changes
  * may come in handy, and maybe is a good candidate for a backport to SL4
  * configuration is in /etc/selinux/restorecond.conf; needs adjustment!
 * GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is created in /tmp by default
  * it turns out this is the same on SL4

== New Possibilities of Installer (FC6T2; to be verified for RHEL5) ==
 * using additional repositories (how to configure kickstart for this?)
  * updates and additional packages
  * could alleviate need for SL's ''sites''
  * from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda):
{{{
repo (optional) - EXPERIMENTAL

    Configures additional yum repositories that may be used as sources for
    package installation.  Multiple repo lines may be specified.

    repo --name= [--baseurl=|--mirrorlist=]

    --name=       The repo id.  This option is required.

    --baseurl=    The URL for the repository.  The variables that may be used
                  in yum repo config files are not supported here.  You may
                  use one of either this option or --mirrorlist, not both.

    --mirrorlist= The URL pointing at a list of mirrors for the repository.
                  The variables that may be used in yum repo config files are
                  not supported here.  You may use one of either this option
                  or --baseurl, not both.
}}}
  * working example:
{{{
#Additional yum repositories to be used during installation:
repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/

#Package install information:
%packages --resolvedeps
...
openafs-client
}}}

== pam/krb5/AFS/ssh ==
 * this now works out of the box with minor configuration tweaks:
  * in krb5.conf add the ''external'' and ''tokens'' options from pam_krb5:
{{{
tokens = sshd login
external = sshd
}}}
  * no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)
  * turn off ''Use``Privilege``Separation'' in sshd_config
  * pam_krb5's use_shm = sshd does not work :-(

== TODO ==
=== YUM ===
 * yum.conf and yum.repos.d are part of the yum package => overwritten by updates => trigger? run aaru.yum.create from it?

=== restorecond configuration ===
 * adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
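Back to the kickstart ''repo'' directive documented above: the Python snippet below is an added example (not from this page, from anaconda or from the DESY tooling) that pulls the repo lines and the %packages list out of a kickstart file and applies the two rules from kickstart-docs.txt, --name required and exactly one of --baseurl/--mirrorlist, so a broken profile is caught before it goes into tftpboot. SAMPLE_KS is a constructed fragment modelled on the working example above; the .invalid hostnames are placeholders and the last two repo lines are deliberately wrong.

```python
import re

# Constructed kickstart fragment modelled on the working example on this page; the .invalid
# hostnames are placeholders and the last two repo lines are deliberately wrong.
SAMPLE_KS = """\
#Additional yum repositories to be used during installation:
repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
repo --name=mirrored --mirrorlist=http://mirrors.example.invalid/list
repo --name=broken --baseurl=http://a.invalid/ --mirrorlist=http://b.invalid/
repo --baseurl=http://noname.invalid/

#Package install information:
%packages --resolvedeps
@base
openafs-client
"""

REPO_OPT = re.compile(r"--(name|baseurl|mirrorlist)=(\S*)")

def parse_repo_line(line):
    """Apply the kickstart-docs.txt rules: --name is required, exactly one of --baseurl/--mirrorlist."""
    opts = dict(m.groups() for m in REPO_OPT.finditer(line))
    if not opts.get("name"):
        raise ValueError("repo: --name is required: " + line)
    sources = [k for k in ("baseurl", "mirrorlist") if opts.get(k)]
    if len(sources) != 1:
        raise ValueError("repo: give exactly one of --baseurl or --mirrorlist: " + line)
    return {"name": opts["name"], sources[0]: opts[sources[0]]}

def parse_kickstart(text):
    """Return (valid repos, error messages, %packages entries) for a kickstart file."""
    repos, errors, packages, in_packages = [], [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):            # %packages, %pre, %post start a new section
            in_packages = line.split()[0] == "%packages"
        elif in_packages:
            packages.append(line)
        elif line.split()[0] == "repo":
            try:
                repos.append(parse_repo_line(line))
            except ValueError as exc:
                errors.append(str(exc))
    return repos, errors, packages
```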
=== X ===
 * if not configured during install, cannot start xfs (avc:denied message for the socket)
  * reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !
 * NEC FE750+ will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better

=== /tmp ===
 * looking at the xfs issue, it's probably a bad idea to have /tmp being a symlink
  * => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

== Problems to Solve ==
 * rsh access from trusted hosts does not work

== Perl and SELinux ... ==
FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:
{{{
[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader : grub
site : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.
}}}
This can be remedied by allowing executable stacks: `setsebool -P allow_execstack on`. Vamos_cmd now works, but there goes part of our improved security :-(

NB setsebool is buggy in FC6``T2: -P doesn't work.
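The global setsebool switches get the tools running but relax the policy for every process on the box; the better fix is to find out which shared objects actually need an executable stack or carry text relocations and deal with those individually (relabel, or rebuild without them). The Python checker below is an added example, not part of this page or of the DESY/VAMOS tooling: it reads the ELF program headers and dynamic section for the two loader conditions behind the perl denials in this section (PT_GNU_STACK with PF_X, or no PT_GNU_STACK at all, is what ''allow_execstack'' covers; DT_TEXTREL or DF_TEXTREL is what ''allow_execmod'' covers). build_sample() constructs a minimal ELF64 image only to demonstrate the checker; on a real system call check_elf() on the bytes of the RSA.so, Krb5.so or libcrypto.so named in the error messages.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4
PF_X = 1

def _headers(data):
    """Return (is64, byte order, [(p_type, p_flags, p_offset, p_filesz), ...]) for an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (phoff,), (entsz, num) = struct.unpack_from(end + "Q", data, 0x20), struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,), (entsz, num) = struct.unpack_from(end + "I", data, 0x1C), struct.unpack_from(end + "HH", data, 0x2A)
    phdrs = []
    for i in range(num):
        f = struct.unpack_from(end + ("IIQQQQ" if is64 else "IIIIIII"), data, phoff + i * entsz)
        # ELF64 stores p_flags second; ELF32 stores it after p_memsz
        phdrs.append((f[0], f[1], f[2], f[5]) if is64 else (f[0], f[6], f[1], f[4]))
    return is64, end, phdrs

def check_elf(data):
    """Report what ld.so would need mprotect() for: executable stack (allow_execstack) and
    text relocations (allow_execmod). No PT_GNU_STACK at all counts as executable (loader default)."""
    is64, end, phdrs = _headers(data)
    stack = [flags for ptype, flags, _, _ in phdrs if ptype == PT_GNU_STACK]
    execstack = not stack or bool(stack[0] & PF_X)
    textrel = False
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for ptype, _, off, size in phdrs:
        if ptype != PT_DYNAMIC:
            continue
        for pos in range(off, off + size, step):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
    return {"execstack": execstack, "textrel": textrel}

def build_sample(exec_stack, text_rel):
    """Constructed minimal ELF64 image with only the headers check_elf reads; it is not loadable code."""
    phoff, phnum = 64, 2
    dyn = (struct.pack("<qQ", DT_TEXTREL, 0) if text_rel else b"") + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    p_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)
    p_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, phoff + phnum * 56, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + p_stack + p_dyn + dyn
```

The same two properties are what `execstack -q` (prelink package) and `readelf -d ... | grep TEXTREL` report; a library that shows neither does not need either boolean.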
Next problem:
{{{
[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
}}}
Remedy: `setsebool -P allow_execmod on` X-(

It should also help to relabel the shared object: `chcon -t textrel_shlib_t .../Krb5.so`. But that's impossible in AFS. Temporary fix: DL_sebool package installed in %post.

== Notes from manual FC6T2 installation ==
 * network install using DHCP - no media
 * first attempt with a rather large set of packages including Xen failed
  * system got stuck when starting firstboot
 * second attempt with smaller package set and without Xen worked
 * X came up with some 1900x1400 resolution, just about usable
  * minimal xorg.conf prefers highest mode possible
  * could not be changed with system-config-display (monitor could not be chosen)