Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.

TableOfContents

Status

• working with FC6T2 (50 is a link to that, script to create SL-like layout)

• profiles generation works
• adding to tftpboot works
• kickstart installation with DHCP works
• post, selection, firstboot are preliminary but working
• openafs-1.4.2rc1 works - with PAGs through the kernel keyring
  • installation in %post (yum does not work in %post, and NFS still needs portmap start)
  • also tested succcessfully: add a yum repository for anaconda to use, and simply add to selection (see below)

• initial yum configuration ok (development->errata not yet mirrored)

• aaru.yum.create works, basic software volumes exist (System onl;y partially populated)
• AI client works
• kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
• script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
• gssapi authentication works, including token generation (login, gdm, sshd); k5login works
• ticket/token refresh upon screen unlock works (KDE)
• autoinstallation complete to the point where we can run sue.update
• some (non-trivial and important) features are ready
• vamos_cmd works with perl-5.8.8 (if some security booleans are off, see below) from SL4; arcx does not

Features with major known problems:

Features to do:

aaru afs_client cfengine conmgr group hosts inetd kerberos kernel kloginldap localdisks motd nagios netgroup nsswitch pam passwd passwd_prog printing products scout security ssh sue syslog tcp_wrapper tidy_up trusted vamos xntp ypclient zzz

Features finished/checked:

automount gdm kvm linux products(i386 only, minimal configuration)

Differences w.r.t SL4 (FC6T2; to be verified for RHEL5)

• kernels:

  • no more UP, all are SMP; package name -s kernel, not kernel-smp

  • kernel-PAE for systems w/ more than 4 GB RAM
  • kernel-xen for VM guest systems

• no more /proc/pci (-> use lspci)

• /usr/X11R6 still exists, but most usual content is somehwere else

  • app-defaults is in /usr/share/X11/
  • so is fonts

• there now is a restorecond watching over some files and directories

  • restores security context if file changes
  • may come in handy, an maybe is a good candidate for a backport to SL4
  • configuration is in /etc/selinux/restorecond.conf; needs adjustment!

• gdm default configuration is in /usr/share/gdm/default.conf now

  • customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
  • themes are in the same place as on SL4 and work unmodified

• GNOME

  • GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is cerated in /tmp by default
    • it turns out this is the same on SL4
  • the Trash bug is still there
  • now also the desktop fails to display new files
  • sessions fail to start gnome-settings-daemon if ~ is in AFS
    • probably also responsible for the desktop problem
  • xscreensaver was replaced by gnome-screensaver (not working in FC6T2)

  • => GNOME considerd unusable in our environment

  • KDE works well; set DESKTOP= in /etc/sysconfig/dekstop

• slocate -> mlocate

• amd has real problems although normal NFS mounts work (FC6T2, 2.6.17-1.2517.fc6) {{{kernel BUG at fs/nfs/client.c:351!

invalid opcode: 0000 [#1] }}}

• => use autofs; v5 seems very usable (done in automount feature, seems to work well)

• yum: and yum.repos.d are part of the yum package => overwritten by updates

  • now dealt with by a trigger in DL_FC6.rpm

• SELinux

  • much more restrictive (and useful!) in general

  • /tmp being a symlink seems to be a bad idea:

    • for example, could start xfs (avc:denied message for the socket)

      • reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !

    • => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

      • the latter is now implemented (in %post) and seems to work well
      • CKS.pl will ignore such mounts, hence no problem here. Just make sure it's dealt with in %post.

• X

  • NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better (dealt with in kvm.pl now)

New Possibilities of Installer (FC6T2; to be verified for RHEL5)

• using additional repositories
  • updates and additional packages

  • could alleviate need for SL's sites

  • from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda): {{{ repo (optional) - EXPERIMENTAL
    • Configures additional yum repositories that may be used as sources for package installation. Multiple repo lines may be specified.

      repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>] --name=

      • The repo id. This option is required.
      --baseurl=
      • The URL for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --mirrorlist, not both.
      --mirrorlist=
      • The URL pointing at a list of mirrors for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --baseurl, not both.

}}}

• working example:

  #Additional yum repositories to be used during installation:
  repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
  #Package install information:
  %packages --resolvedeps
  ...
  openafs-client

pam/krb5/AFS/ssh

This now works out of the box with minor configuration tweaks:

• in krb5.conf add the external and tokens options fom pam_krb5:

   tokens = sshd login
   external = sshd

• no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)

• turn off UsePrivilegeSeparation in sshd_config

  • pam_krb5's use_shmem = sshd does not work

  • Update: have a look at the current situation on em64t: sshd enable with PrivSep, token generation out of forwarded ticket works!

• ssh client fully working (including kerberos ticket forwarding) with those two lines in /etc/ssh/ssh_config:

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

• kdesktop_lock now uses the kscreensaver pam service - finally!

  • and it does the right thing just make sure there's no tokens option in pam.d/system-auth

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_a
uthtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

TODO

restorecond configuration

• adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
• cater for prpm ?

Problems to Solve

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

Update: adding the following line to /etc/xinet.d/rsh and /etc/xinet.d/rlogin (as written in the man page...) does the trick:

   server_args             = -h

However only the rsh works correctly, rlogin doesn't. This seems to be a SELinux problem:

[a] ~ # rsh em64t whoami
root
[a] ~ # rsh em64t
Last login: Wed Sep  6 10:13:08 from a
login: no shell: Permission denied.
rlogin: connection closed.
[a] ~ # 

If SELinux is disabled ("setenforce 0") it will work:

[a] ~ # rsh em64t
Last login: Wed Sep  6 10:17:41 from a
[root@em64t ~]# 

arcx doesn't work

Wolfgang has new modules alleviating this, but they're not yet in any repository.

• {{{[wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50

Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?) }}} This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Update: installing the needed sasl plugins (e.g. cyrus-sasl-gssapi) helps...

[ahaupt@em64t]~% /opt/products/perl/5.8.8/bin/arcx whoami       
ahaupt coming from em64t.ifh.de [141.34.2.11] Port 54328
[ahaupt@em64t]~% 

Perl and SELinux ...

Wolfgang has new modules alleviating this, but they're not yet in any repository.

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but here goes part of our improved security

NB setsebool is buggy in FC6T2: -P doesn't work.

Next problem:

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

Remedy: setsebool -P allow_execmod on It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

Temporary fix: DL_sebool package installed in %post.

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

2. Execute prpm in the rpm_t domain: {{{runcon -t rpm_t -- /opt/products/bin/prpm -ivh ... }}} We'll probably have to teach ppm&co how to do this. Relabelling the exectables is probably still a good idea. How to do this correctly? In prpm's %post?

After sorting this out, you run into problems with beecrypt very similar to those described for Crypt::OpenSSL::RSA above. Remedy: Bernd built a new prpm package from the sources coming with FC6T2.

Notes from manual FC6T2 installation

• network install using DHCP - no media
• first attempt with a rather large set of packages including Xen failed
  • system got stuck when starting firstboot
• second attempt with smaller package set and without Xen worked
• X came up with some 1900x1400 resolution, just about usable
  • minimal xorg.conf prefers highest mode possible
  • could not be changed with system-config-display (monitor could not be chosen)