#acl DvGroup:read,write,revert All:read
Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 was used to get a first glimpse. From there we moved to RHEL5 beta (now beta 2), and will later move to SL5 beta as soon as it becomes available.

[[TableOfContents]]

== Status ==
 * working with SL5 alpha2, plus selected recompiled packages
  * kernel, glibc, gcc, xen, selinux and a few errata (firefox, thunderbird)
 * profile generation works
 * adding to tftpboot works
 * kickstart installation with DHCP works
 * SLU.pl works
 * post, selection, firstboot are preliminary but working
 * openafs-1.4.4 works - with PAGs through the kernel keyring
 * initial yum configuration ok (no errata yet, but mechanism in place)
 * software installation (through both aaru/yum/yumsel and ppm) works
 * basic software volumes exist, not fully populated yet
 * AI client works
 * kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
 * script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
 * gssapi authentication works, including token generation (login, gdm, sshd w/o PrivSep); k5login works
 * ticket/token refresh upon screen unlock works (KDE)
 * autoinstallation complete
 * most cfengine features are ready
 * vamos_cmd and arcx work with perl-5.8.8 from SL4
 * cups for the client is ready

'''Features with major known problems:'''

'''Features to do:''' scout syslog vamos
 * syslog:
  * should steer audit (is this useful? on which systems?)
  * port netconsole from SL4 (the module is there, the init script is missing due to netdump->kdump)
  * should the syslog feature deal with kdump as well?
'''Features to keep an eye on:'''
 * kernel - needed lots of hacks to support kmod (gfs) and xen

'''Features we may not do:'''
 * trusted
 * inetd

'''Features finished/checked:''' aaru afs_client automount conmgr cfengine gdm group hosts kerberos kernel klogin kvm ldap linux localdisks motd nagios netgroup nsswitch pam passwd passwd_prog products security ssh sue tcp_wrapper tidy_up xntp ypclient zzz

== Differences w.r.t. SL4 ==
 * kernels:
  * no more UP, all are SMP; the package name is ''kernel'', '''not''' ''kernel-smp''
  * kernel-PAE for systems w/ more than 4 GB RAM (i686 only)
  * kernel-xen for VM host & guest systems (different use in grub.conf!)
 * no more '''/proc/pci''' (-> use lspci)
 * ionice(1)
 * '''/usr/X11``R6''' still exists, but most of the usual content is somewhere else
  * app-defaults is in /usr/share/X11/
  * so is fonts
 * there now is a '''restorecond''' watching over some files and directories
  * restores the security context if a file changes
  * may come in handy, and maybe is a good candidate for a backport to SL4
  * configuration is in /etc/selinux/restorecond.conf; needs adjustment!
 * '''gdm''' default configuration is in /usr/share/gdm/default.conf now
  * customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
  * themes are in the same place as on SL4 and work unmodified
 * '''GNOME'''
  * GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is created in /tmp by default
   * it turns out this is the same on SL4
  * sessions fail to start gnome-settings-daemon for our AFS default user
   * the problem: ~/.Xdefaults with mode 000 makes gnome-settings-daemon crash
   * BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216601
  * xscreensaver was replaced by gnome-screensaver
 * slocate -> '''mlocate'''
 * '''amd''' had ''real'' problems in FC6T2 although normal NFS mounts worked (2.6.17-1.2517.fc6)
 {{{
kernel BUG at fs/nfs/client.c:351!
invalid opcode: 0000 [#1]
}}}
  * => use autofs; v5 seems very usable (done in automount feature, seems to work well)
 * '''yum''': and yum.repos.d in RHEL5 are part of the yum package => overwritten by updates
  * different on SL, easier to work around
 * '''SELinux'''
  * ''much'' more restrictive (and useful!) in general
  * '''/tmp''' being a symlink seems to be a bad idea:
   * for example, could not start xfs (avc: denied message for the socket)
   * reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t!
   * => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead
    * the latter is now implemented (in %post) and seems to work well
    * CKS.pl will ignore such mounts, hence no problem here. Just make sure it's dealt with in %post.
  * some information on the "write xor execute" restrictions, and how to deal with them:
   * http://people.redhat.com/~drepper/selinux-mem.html
   * http://people.redhat.com/~drepper/textrelocs.html
   * http://people.redhat.com/~drepper/dsohowto.pdf
  * with GA, the booleans have been relaxed a bit:
   * beta2:
   {{{
allow_execheap --> off
allow_execmem --> off
allow_execmod --> off
allow_execstack --> on
}}}
   * GA:
   {{{
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
}}}
   We should try to turn allow_execmem off on servers, though.
 * '''X'''
  * NEC FE750+ will get a 100 Hz, 91.6 kHz mode with autoconfig - it displays, but 85 Hz would probably be much better (dealt with in kvm.pl now)
  * a DefaultDepth entry in the screen section is necessary now, to use only the modes for this depth
   * or the NEC above will run at 1600x1200 with a different depth
  * in EL5beta2, X will not pick the highest possible refresh rate
   * again the NEC: the specified sync ranges allow 75 or 85 Hz - it will come up with 75 Hz!
   * not yet checked on GA
 * '''hotplug'''
  * now handled by hal/dbus
  * no more modifications to /etc/fstab
  * users now have to use `gnome-mount`, hal decides what a user is allowed to do
  * NB that's the same mechanism deciding that it's a clever idea to start a new X server on the console whenever an X session ends - even if that's a session in Xvnc or Xnest over ssh X-(
   * that bug is present in GA; filed a BZ (#232777) with no response yet
 * '''FORTRAN''': g77 -> gfortran (the g77 command is from gcc34)

== New Possibilities of Installer (verified in EL5 GA) ==
 * using additional repositories
  * updates and additional packages
  * could alleviate the need for SL's ''sites''
  * from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda):
  {{{
repo (optional) - EXPERIMENTAL

    Configures additional yum repositories that may be used as sources
    for package installation. Multiple repo lines may be specified.

    repo --name= [--baseurl=|--mirrorlist=]

    --name=        The repo id. This option is required.

    --baseurl=     The URL for the repository. The variables that may be
                   used in yum repo config files are not supported here.
                   You may use one of either this option or --mirrorlist,
                   not both.

    --mirrorlist=  The URL pointing at a list of mirrors for the
                   repository. The variables that may be used in yum repo
                   config files are not supported here. You may use one of
                   either this option or --baseurl, not both.
}}}
  * working example:
  {{{
#Additional yum repositories to be used during installation:
repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/

#Package install information:
%packages --resolvedeps
...
openafs-client
}}}

== pam/krb5/AFS/ssh ==
This now works out of the box with minor configuration tweaks:
 * in krb5.conf add the ''external'' and ''tokens'' options from pam_krb5:
 {{{
tokens = sshd login
external = sshd
}}}
 * no need to change any pam.d files (pam_krb5.so is ok, need not use pam_krb5afs.so)
 * turn off ''Use``Privilege``Separation'' in sshd_config
  * otherwise, no token is generated from the forwarded ticket
  * pam_krb5's use_shmem = sshd does not work :-(
  * since you don't get a PAG either, when testing this functionality:
   * make sure you destroy your existing tokens before logging in again...
   * also check that you got a PAG (groups)
  * well, I think the openssh server has been patched to death by RedHat. I have put an unpatched version in /opt/products/openssh/4.3p2 which will work correctly with privsep switched on - you don't even need the "use_shmem = sshd" hack in krb5.conf. But providing our own openssh is no alternative, I know.
 * ssh client fully working (including kerberos ticket forwarding) with those two lines in /etc/ssh/ssh_config:
 {{{
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
}}}
 * kdesktop_lock now uses the ''kscreensaver'' pam service - finally!
  * and it does the right thing :) just make sure there's no ''tokens'' option in pam.d/system-auth

Complete working /etc/pam.d/system-auth:
{{{
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so
}}}

Complete working example of the appdefaults section in /etc/krb5.conf:
{{{
[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
}}}

== TODO ==
=== minor items ===
 * pkinit-nss was removed (default.ys) to work around the gnome-screensaver problem - still needed?
 * afs_admin does not work
 {{{
% PATH=/opt/products/perl/5.8.8/bin:$PATH /opt/products/perl/5.8.8/bin/afs_admin create -q 500k $PWD/root sa5.p.root
[info]: (client) SASL: Negotiation complete. User is authenticated.
[err]: (client) Connection closed by foreign host.
Connection closed by foreign host.
[err]: (client) SendLine only available when connection and select is set.
[err]: (client) Sending command CMD failed.
Sending command CMD failed.
maybe caused by: SendLine only available when connection and select is set.
[err]: (client) SendLine only available when connection and select is set.
[err]: (client) Sending command CMD failed.
Sending command CMD failed.
maybe caused by: SendLine only available when connection and select is set.
[err]: (client) SendLine only available when connection and select is set.
[err]: (client) Sending command CMD failed.
Sending command CMD failed.
maybe caused by: SendLine only available when connection and select is set.
[err]: (client) SendLine only available when connection and select is set.
[err]: (client) Sending command CMD failed.
Sending command CMD failed.
maybe caused by: SendLine only available when connection and select is set.
afs_admin: WARNING: directory /usr/src/redhat/SPECS not existing or unreadable
[err]: (client) SendLine only available when connection and select is set.
[err]: (client) Sending command CMD failed.
Sending command CMD failed.
maybe caused by: SendLine only available when connection and select is set.
afs_admin: ERROR: volume name and mount point not in same project
volume sa5.p.root in  mount point /usr/src/redhat/SPECS/root in
}}}

=== Software ===
 * ROOT
  * new default version (5.14.00, built and tested incl. dcache, pending rollout)
  * 32bit on amd64 needs 32bit python libs - simply install python.i386?
  * will need SL3 compatibility
   * provide versions older than the default as SL3 binaries only?
 * compilers
  * SL4 compatibility (3.4.3) - comes with release
  * SL3 compatibility (3.2.3) - possible to take from SL4?
  * DL5 compatibility (3.3.3) - required?
  * DL4 compatibility (2.95.3) - required? possible to take from SL3?
 * OpenOffice
  * as coming w/ EL, or use packages from openoffice.org as on SL4? switch later?
   * using the packages from the distro for the time being
  * '''missing:''' "soffice" etc. links, DL_openoffice
 * matlab, labview, ...
  * working?

== Finished ==
=== Software ===
 * Adobe Reader + asian fonts + tweak package to fix the acroread script
 * cernlib: version 2005, 32/64-bit, gfortran build?
 * dcache client
 * flash player: beta 2 in current DL_firefox works fine
 * java:
  * 1.4.2/32 in /opt/products
  * 1.5.0/32 in System
   * jpp packages from SL4 work, including javaws and the plugin
   * the '''fonts look terrible''' problem seems to have vanished
  * 1.5.0/64 in /opt/products on amd64
  * 1.6.0/native in /opt/products
 * most additional System packages
  * auctex, plan, qps, rdesktop update, sunbird, xmgrace, xv
 * mathematica, maple
 * oracle client

=== restorecond configuration ===
 * adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
  * now done in %post.
 * cater for prpm?
  * not necessary unless they reintroduce this idea of running the scripts in a special domain

== Problems to Solve ==
=== GNOME Trash in AFS ===
Longstanding issue, see ["GNOME Trash in AFS problem"]

=== X won't pick highest possible refresh rate ===
See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216409

=== Perl and SELinux ... ===
FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not always playing along. This can be remedied by allowing executable stacks: `setsebool -P allow_execstack on`. (This is the default since RHEL5 beta 1 and hasn't changed with beta 2.) Vamos_cmd now works, but there goes part of our improved security :-(

Some of these problems have been solved with new builds of modules. Some are solved because RH allows executable stacks again since RHEL5beta1. Remedy in some other cases: `setsebool -P allow_execmod on` X-( It should also help to relabel the shared object: `chcon -t textrel_shlib_t .../Krb5.so`. But that's impossible in AFS.

NB setsebool is buggy in FC6``T2: -P doesn't work.

The AFS modules from SL4 (needed by tklife, for example) are having problems as well.
Cure: `chcon -t textrel_shlib_t /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/AFS/AFS.so`

The solution for all this is to install perl-5.8.8 locally, which also means it must be kept to a minimum, and to have a trigger package that sets the contexts where required.

=== Atrans ===
Just segfaults, and it's not an SELinux problem, rather looks like glibc/pthread/NPTL. Clueless...

== Problems Solved ==
=== gnome-screensaver fails to unlock screen ===
 * not working with kerberos up to and including EL5beta2, obvious bugs on x86_64
 * BZ: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216615
 * workaround: rpm -e pkinit-nss
 * now being tracked under https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216718
  * severity high, priority urgent, blocks what is probably the EL5 release blocker

=== apache and SELinux ===
Basically the procedure described for SL4 applies, with some modifications. First check the settings of the booleans ''httpd_enable_homedirs'' and ''use_nfs_home_dirs'' and set them to on if they are off.
{{{
getsebool -a | egrep 'httpd_enable_homedirs|use_nfs_home_dirs'
# without -P the change is lost at the next reboot; add -P once setsebool -P works for you
setsebool use_nfs_home_dirs=1
setsebool httpd_enable_homedirs=1
}}}
Then add new policy modules to allow key searches (new feature for keyrings in the kernel) by creating a policy source file ''mysearch.te''
{{{
module mysearch 1.0;

require {
	class key search;
	type httpd_t;
	type unconfined_t;
	role system_r;
};

allow httpd_t unconfined_t:key search;
}}}
and executing
{{{
checkmodule -M -m -o mysearch.mod mysearch.te
semodule_package -o mysearch.pp -m mysearch.mod
semodule -i mysearch.pp
}}}
and another policy source file ''myafs.te'' to allow httpd to write udp packets to the AFS client
{{{
module myafs 1.0;

require {
	class udp_socket write;
	type httpd_t;
	type initrc_t;
	type unconfined_t;
	role system_r;
};

allow httpd_t initrc_t:udp_socket write;
# needed if afs is ever restarted (the client then runs as unconfined_t instead of initrc_t):
allow httpd_t unconfined_t:udp_socket write;
}}}
and executing
{{{
checkmodule -M -m -o myafs.mod myafs.te
semodule_package -o myafs.pp -m myafs.mod
semodule -i myafs.pp
}}}

=== rsh access from trusted hosts does not work ===
No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

'''Update:''' adding the following line to /etc/xinetd.d/rsh and /etc/xinetd.d/rlogin (as written in the man page...) does the trick:
{{{
server_args = -h
}}}
However only rsh works correctly, rlogin doesn't. This seems to be an SELinux problem:
{{{
[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ #
}}}
If SELinux is put into permissive mode ("setenforce 0") it works:
{{{
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]#
}}}
Alas, according to the daemons' syslog output, this shouldn't work anymore and the pam config would be the right place for this option. Anyway, we should get rid of this...

{i} This one solved itself: it works like on SL3/4 since SL5beta1.

=== Perl and SELinux ... ===
Wolfgang sorted this out with new builds of modules:
{{{
[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader : grub
site : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.
}}}
{{{
[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
}}}

=== arcx doesn't work ===
Wolfgang has new modules alleviating this, but they're not yet in any repository.
{{{
[wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50
Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed ().
maybe caused by: SASL: Negotiation failed. User is not authenticated.
SASL error: ( -4 ) no mechanism available
SASL(-4): no mechanism available: No worthy mechs found
client_start error. (Callbacks?)
}}}
This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc: denied messages.

'''Update''': installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...
{{{
[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~%
}}}
With cyrus-sasl-gssapi added to default.ys and the current modules, arcx works.

=== vamos_cmd w/ krb5 works - but on amd64 only ===
 * solved by removing perl_5.8.8-manymodules
  * amd64 was already using a minimal set of single module packages

=== afslive doesn't work because their perl module doesn't ===
 * fixed by local installation of perl-5.8.8 and perl_5.8.8-selinux-triggers

=== (P)RPM and SELinux ===
Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: only processes running in the rpm_t domain are allowed to do this. Possible remedies:
 1. Relabel the `rpm` executable ''rpm_exec_t''. Pity: this is impossible in AFS.
 2. Execute prpm in the ''rpm_t'' domain:
 {{{
runcon -t rpm_t -- /opt/products/bin/prpm -ivh ...
}}}
We'll probably have to teach ppm & co how to do this. Relabelling the executables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6``T2. In addition, this behaviour was obviously reverted in RHEL5beta2.

== Notes from manual FC6T2 installation ==
 * network install using DHCP - no media
 * first attempt with a rather large set of packages including Xen failed
  * system got stuck when starting firstboot
 * second attempt with a smaller package set and without Xen worked
 * X came up with some 1900x1400 resolution, just about usable
  * minimal xorg.conf prefers the highest mode possible
  * could not be changed with system-config-display (monitor could not be chosen)
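== Added examples ==
=== From avc: denied records to a policy module ===
The ''mysearch.te'' and ''myafs.te'' modules in the apache and SELinux section above were written by hand from the denials in the audit log. The script below is an added example (not part of this page's scripts, not audit2allow) that does the same mechanically: it reads `avc: denied` records, pulls out source type, target type, object class and permissions, collapses duplicates and prints a `.te` that checkmodule accepts, ready for the semodule_package / semodule -i steps shown above. The audit records it ships with are constructed (PIDs, socket numbers, timestamps and the contexts are made up to mirror the httpd/AFS case); the module name `mydemo` is likewise an assumption.

```shell
#!/bin/sh
# avc2te: build a minimal SELinux policy module source (.te) from audit records.
# Added example; not the DESY scripts and not audit2allow, just the core idea of it.

# Constructed sample records in RHEL5 audit.log syntax (all values made up).
# Note the last two lines are the same denial twice; it must yield one rule.
SAMPLE_AVC='type=AVC msg=audit(1173100000.123:456): avc:  denied  { search } for  pid=2345 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=key
type=AVC msg=audit(1173100001.456:457): avc:  denied  { write } for  pid=2345 comm="httpd" path="socket:[12345]" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
type=AVC msg=audit(1173100002.789:458): avc:  denied  { write } for  pid=2345 comm="httpd" path="socket:[12346]" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=udp_socket
type=AVC msg=audit(1173100002.790:459): avc:  denied  { write } for  pid=2345 comm="httpd" path="socket:[12346]" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=udp_socket'

# avc_to_te MODULE_NAME < audit.log   -> .te source on stdout
# The require block lists every type and every class/permission that the
# allow rules reference, which is what checkmodule insists on.
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied/ {
        p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)       # permissions between { }
        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s)       # source security context
        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t)       # target security context
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)         # object class
        split(s, sa, ":"); split(t, ta, ":")
        st = sa[3]; tt = ta[3]                                       # user:role:type[:mls] -> type
        if (!(st in seen_t)) { seen_t[st] = 1; types[++nt] = st }
        if (!(tt in seen_t)) { seen_t[tt] = 1; types[++nt] = tt }
        if (!(c in seen_c))   { seen_c[c] = 1;  classes[++nc] = c }
        key = st SUBSEP tt SUBSEP c
        if (!(key in seen_r)) { seen_r[key] = 1; rules[++nr] = key }
        n = split(p, perms, " ")
        for (i = 1; i <= n; i++) {                                   # merge perms, no duplicates
            if (index(" " rperm[key] " ", " " perms[i] " ") == 0)
                rperm[key] = (rperm[key] == "" ? perms[i] : rperm[key] " " perms[i])
            if (index(" " cperm[c] " ", " " perms[i] " ") == 0)
                cperm[c] = (cperm[c] == "" ? perms[i] : cperm[c] " " perms[i])
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cperm[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rules[i], r, SUBSEP)
            printf "allow %s %s:%s { %s };\n", r[1], r[2], r[3], rperm[rules[i]]
        }
    }'
}

# Runs the constructed sample through avc_to_te (module name "mydemo" is an assumption).
demo_te() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_te mydemo
}

# Real use, as root, followed by the build steps from the apache and SELinux section:
#   avc_to_te myafs < /var/log/audit/audit.log > myafs.te
#   checkmodule -M -m -o myafs.mod myafs.te
#   semodule_package -o myafs.pp -m myafs.mod
#   semodule -i myafs.pp
```

Read the generated rules before loading them: the script allows exactly what was denied, so a denial that was the policy doing its job (say, httpd writing to a socket it has no business touching) becomes a permanent hole if it is loaded blindly. For the sample above it produces the three allow rules of ''mysearch.te'' and ''myafs.te'' combined.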
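=== Checking for a PAG and a token after login ===
The pam/krb5/AFS/ssh section above says to destroy existing tokens, log in again and then "check you got a PAG (groups)". The script below is an added example (not part of this page's scripts) that turns that into a repeatable check. It knows both ways OpenAFS marks a PAG on Linux: the classic supplementary GID in the range 0x41000000-0x41ffffff ('A' << 24 plus a counter) and, with openafs-1.4.4 as used here, an `afs_pag` key in /proc/keys. The `id -G`, /proc/keys and `tokens` output it ships with is constructed; the cell name ifh.de is taken from the page, the AFS ID and key IDs are made up.

```shell
#!/bin/sh
# Added example (not DESY code): did this login end up in a PAG and with a token?
# Every check takes its input as text so it can be run against the constructed
# samples below; check_afs_login_live feeds it the real system.

# Constructed samples (not captured from a real host):
SAMPLE_GROUPS='500 100 1090519323'                     # `id -G` inside a classic PAG (0x4100011b)
SAMPLE_KEYS='0a6b1c2d I--Q---     1 perm 3f010000     0     0 afs_pag   _pag: 41000143
11223344 I--Q---     1 perm 1f3f0000   500   500 keyring   _uid.500: 1'
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@ifh.de [Expires Mar  7 23:45]
   --End of list--"

# pag_gid_from_groups "GID GID ..." -> prints the PAG gid in hex, rc 1 if there is none
pag_gid_from_groups() {
    for g in $1; do
        case "$g" in *[!0-9]*) continue ;; esac         # ignore names or other junk
        # 1090519040 = 0x41000000, 1107296255 = 0x41ffffff
        if [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; then
            printf '0x%x\n' "$g"
            return 0
        fi
    done
    return 1
}

# pag_in_keys "<contents of /proc/keys>" -> rc 0 if a keyring-style PAG is present
pag_in_keys() {
    printf '%s\n' "$1" | grep -q 'afs_pag'
}

# token_expiry_for_cell CELL "<output of tokens>" -> prints the expiry, rc 1 if no valid token
# An expired token prints "expired" and also returns 1.
token_expiry_for_cell() {
    printf '%s\n' "$2" | awk -v cell="$1" '
        index($0, "tokens for afs@" cell " ") > 0 {
            if (index($0, ">> Expired <<") > 0) { print "expired"; next }
            e = $0; sub(/.*\[Expires /, "", e); sub(/\].*/, "", e)
            print e; found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_afs_login CELL GROUPS KEYS TOKENS -> rc 0 only with a PAG of either kind and a valid token
check_afs_login() {
    cell=$1; rc=0
    if gid=$(pag_gid_from_groups "$2"); then
        echo "PAG (group style): $gid"
    elif pag_in_keys "$3"; then
        echo "PAG (keyring style) present"
    else
        # Without a PAG the token is tied to the uid, i.e. shared with every process of that user.
        echo "NO PAG"; rc=1
    fi
    if exp=$(token_expiry_for_cell "$cell" "$4"); then
        echo "token for $cell expires $exp"
    else
        echo "NO valid token for $cell"; rc=1
    fi
    return $rc
}

# Run against the live system, e.g. right after `ssh host` with the krb5.conf options above:
check_afs_login_live() {
    check_afs_login "${1:-ifh.de}" "$(id -G)" "$(cat /proc/keys 2>/dev/null)" "$(tokens 2>/dev/null)"
}
```

Run `check_afs_login_live` in the fresh ssh session; a token without a PAG is exactly the "no PAG either" situation described above for sshd with privilege separation, and it is what makes the "destroy your tokens first" advice necessary, since an old uid-bound token would otherwise mask the failure.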