Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.
Status
working with FC6T2 (50 is a link to that; script to create SL-like layout)
- profiles generation works
- adding to tftpboot works
- kickstart installation with DHCP works
- post, selection, firstboot are preliminary but working
- openafs-1.4.2beta3 works (with some ugly ugly hacks in the SPEC)
  - without PAGs (syscall table is r/o)
    - need to rebuild kernel or use openafs-1.5 with keyring pag support
      - 1.5.6 still too hard to build
  - installation in %post (yum does not work in %post, and NFS still needs portmap start)
initial yum configuration ok (development->errata not yet mirrored)
- aaru.yum.daily works
Differences w.r.t SL4 (FC6T2; to be verified for RHEL5)
no more /proc/pci (-> use lspci)
/usr/X11R6 still exists, but most of the usual content is somewhere else
- app-defaults is in /usr/share/X11/
- so is fonts
there now is a restorecond watching over some files and directories
- restores security context if file changes
- may come in handy, and maybe is a good candidate for a backport to SL4
- configuration is in /etc/selinux/restorecond.conf; needs adjustment!
New Possibilities of Installer (FC6T2; to be verified for RHEL5)
- using additional repositories (how to configure kickstart for this?)
- updates and additional packages
could alleviate the need for SL's sites
TODO
YUM
yum.conf and yum.repos.d are part of the yum package => overwritten by updates
=> trigger? run aaru.yum.create from it?
restorecond configuration
- adjust /etc/selinux/restorecond.conf so that ~ isn't touched...
X
- if not configured during install, cannot start xfs (avc: denied message for the socket)
  - reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t!
- NEC FE750+ will get a 100 Hz, 91.6 kHz mode with autoconfig; it displays, but 85 Hz would probably be much better
/tmp
- looking at the xfs issue, it's probably a bad idea to have /tmp being a symlink
=> make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead
Problems to Solve
- rsh access from trusted hosts does not work
- no token upon ssh login
Perl and SELinux ...
FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:
  [root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl
  yes please -shell
  boot/grub/menu.lst exists
  loader : grub
  site : HH
  Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
   at /project/VAMOS/prod//client/Auth/RSA.pm line 9
  Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.
This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but there goes part of our improved security.
NB setsebool is buggy in FC6T2: -P doesn't work.
Next problem:
  [root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
  Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
   at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
  Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.
Remedy: setsebool -P allow_execmod on. It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.
Temporary fix: DL_sebool package installed in %post.
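Before flipping allow_execstack or allow_execmod for the whole box, it is worth knowing which of the perl .so files actually carry the two ELF markers behind the loader messages above: an executable PT_GNU_STACK (or none at all, which glibc treats the same way) and text relocations (DT_TEXTREL / DF_TEXTREL). The checker below is an added example, not code from this page or from DESY; build_sample_elf constructs a minimal fake ELF image only so the checker can be exercised offline.

```python
import struct

# ELF constants (from elf.h)
PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4

def elf_selinux_needs(data):
    """Report whether a shared object needs allow_execstack (PT_GNU_STACK marked
    executable, or missing, which glibc treats as executable) and/or allow_execmod
    (text relocations: DT_TEXTREL, or DF_TEXTREL set in DT_FLAGS)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                            # EI_CLASS: 2 = ELF64
    end = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"   # type, offset, vaddr, paddr, filesz, memsz, flags, align
    stack_flags, execmod = None, False
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_off, p_filesz = (f[0], f[1], f[2], f[5]) if is64 else (f[0], f[6], f[1], f[4])
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_DYNAMIC:                 # walk the dynamic table for TEXTREL markers
            step = struct.calcsize(dyn_fmt)
            for off in range(p_off, p_off + p_filesz, step):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    execmod = True
    execstack = stack_flags is None or bool(stack_flags & PF_X)
    return {"execstack": execstack, "execmod": execmod}

def build_sample_elf(exec_stack, textrel):
    """Constructed test input (not a loadable library): minimal ELF64 with one
    PT_GNU_STACK and one PT_DYNAMIC header followed by a two-entry dynamic table."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56                          # ehdr + two 56-byte phdrs
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)              # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + ph_stack + ph_dyn + dyn
```

Run elf_selinux_needs(open(path, "rb").read()) over the auto/*/*.so tree of the perl installation; objects that only need execstack can usually be cleared with execstack -c or a rebuild, and the booleans then cover only what is left.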
Notes from manual FC6T2 installation
- network install using DHCP - no media
- first attempt with a rather large set of packages including Xen failed
- system got stuck when starting firstboot
- second attempt with smaller package set and without Xen worked
- X came up with some 1900x1400 resolution, just about usable
- minimal xorg.conf prefers highest mode possible
- could not be changed with system-config-display (monitor could not be chosen)