Yes, work on implementing SL5 at DESY Zeuthen has started. Fedora Core 6 is used to get a first glimpse. From there we'll move to the RHEL5 beta and later to the SL5 beta as soon as they become available.

TableOfContents

Status

• working with FC6T2 (50 is a link to that, script to create SL-like layout)

• profiles generation works
• adding to tftpboot works
• kickstart installation with DHCP works
• post, selection, firstboot are preliminary but working
• openafs-1.4.2rc1 works - with PAGs through the kernel keyring
  • installation in %post (yum does not work in %post, and NFS still needs portmap start)
  • also tested succcessfully: add a yum repository for anaconda to use, and simply add to selection (see below)

• initial yum configuration ok (development->errata not yet mirrored)

• aaru.yum.create works, basic software volumes exist (System onl;y partially populated)
• AI client works
• kvm.pl works (X autoconfiguration), gdm/kvm features provide desktop, xdmcp server, guest account
• script for installing free MS TT fonts works, cabextract.rpm from FC5 extras in repo
• gssapi authentication works, including token generation (login, gdm, sshd); k5login works
• ticket/token refresh upon screen unlock works (KDE)
• autoinstallation complete to the point where we can run sue.update
• some (non-trivial and important) features are ready
• vamos_cmd works with perl-5.8.8 from SL4; arcx does not

Features with major known problems:

Features to do:

aaru afs_client cfengine conmgr group hosts inetd kerberos kernel kloginldap localdisks motd nagios netgroup nsswitch pam passwd passwd_prog printing products scout security ssh sue syslog tcp_wrapper tidy_up trusted vamos xntp ypclient zzz

Features finished/checked:

automount gdm kvm linux products(i386 only, minimal configuration)

Differences w.r.t SL4 (FC6T2; to be verified for RHEL5)

• kernels:

  • no more UP, all are SMP; package name -s kernel, not kernel-smp

  • kernel-PAE for systems w/ more than 4 GB RAM
  • kernel-xen for VM guest systems

• no more /proc/pci (-> use lspci)

• /usr/X11R6 still exists, but most usual content is somehwere else

  • app-defaults is in /usr/share/X11/
  • so is fonts

• there now is a restorecond watching over some files and directories

  • restores security context if file changes
  • may come in handy, an maybe is a good candidate for a backport to SL4
  • configuration is in /etc/selinux/restorecond.conf; needs adjustment!

• gdm default configuration is in /usr/share/gdm/default.conf now

  • customization is supposed to go into /etc/gdm/custom.conf (done in gdm feature)
  • themes are in the same place as on SL4 and work unmodified

• GNOME

  • GCONFD_LOCAL_LOCKS=1 seems not to be necessary, the lock is cerated in /tmp by default
    • it turns out this is the same on SL4
  • the Trash bug is still there
  • now also the desktop fails to display new files
  • sessions fail to start gnome-settings-daemon if ~ is in AFS
    • probably also responsible for the desktop problem
  • xscreensaver was replaced by gnome-screensaver (not working in FC6T2)

  • => GNOME considerd unusable in our environment

  • KDE works well; set DESKTOP= in /etc/sysconfig/dekstop

• slocate -> mlocate

• amd has real problems although normal NFS mounts work (FC6T2, 2.6.17-1.2517.fc6) {{{kernel BUG at fs/nfs/client.c:351!

invalid opcode: 0000 [#1] }}}

• => use autofs; v5 seems very usable (done in automount feature, seems to work well)

• yum: and yum.repos.d are part of the yum package => overwritten by updates

  • now dealt with by a trigger in DL_FC6.rpm

• SELinux

  • much more restrictive (and useful!) in general

  • /tmp being a symlink seems to be a bad idea:

    • for example, could start xfs (avc:denied message for the socket)

      • reason: the /tmp -> /usr1/tmp link must be of type root_t, not tmp_t !

    • => make it a separate filesystem (backward compatibility nightmare!) or mount --bind instead

      • the latter is now implemented (in %post) and seems to work well

• X

  • NEC FE750 + will get a 100Hz, 91.6 kHz mode with autoconfig - it displays, but 85Hz would probably be much better (dealt with in kvm.pl now)

New Possibilities of Installer (FC6T2; to be verified for RHEL5)

• using additional repositories (how to configure kickstart for this?)
  • updates and additional packages

  • could alleviate need for SL's sites

  • from /usr/share/doc/anaconda-11.1.0.77/kickstart-docs.txt (package anaconda): {{{ repo (optional) - EXPERIMENTAL
    • Configures additional yum repositories that may be used as sources for package installation. Multiple repo lines may be specified.

      repo --name=<repoid> [--baseurl=<url>|--mirrorlist=<url>] --name=

      • The repo id. This option is required.
      --baseurl=
      • The URL for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --mirrorlist, not both.
      --mirrorlist=
      • The URL pointing at a list of mirrors for the repository. The variables that may be used in yum repo config files are not supported here. You may use one of either this option or --baseurl, not both.

}}}

• working example:

  #Additional yum repositories to be used during installation:
  repo --name=50post --baseurl=http://141.34.32.17/SL/50/i386_post/
  #Package install information:
  %packages --resolvedeps
  ...
  openafs-client

pam/krb5/AFS/ssh

This now orks out of the box with minor configuration tweaks:

• in krb5.conf add the external and tokens options fom pam_krb5:

   tokens = sshd login
   external = sshd

• no need to change any pam.d files (pam_krb5.so ok, need not use pam_krb5afs.so)

• turn off UsePrivilegeSeparation in sshd_config

  • pam_krb5's use_shmem = sshd does not work

• kdesktop_lock now uses the kscreensaver pam service - finally!

  • and it does the right thing just make sure there's no tokens option in pam.d/system-auth

Complete working /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_a
uthtok
password    sufficient    pam_krb5afs.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5afs.so

Complete working example of appdefaults section in /etc/krb5.conf:

[appdefaults]
 pam = {
   external = sshd
   tokens = sshd login
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

TODO

restorecond configuration

• adjust /etc/selinux/restorecond.conf so that ~ isn't touched...

Problems to Solve

rsh access from trusted hosts does not work

No matter what I tried, I couldn't get this going - with or without .rhosts. Maybe this is good and we should finally accept that rsh's time has passed.

ssh login to other hosts works, but ticket/token is not delegated

Is this possibly due to the limited set of key salts supported? Could that be the reason for the arcx problem below as well?

arcx doesn't work

• {{{[wiesand@em64t]~% /opt/products/perl/5.8.8/bin/arcx vos release p.rpm.i586_rhel50

Could not connect to 'arcdsrv:4242': Evaluation of command _RAUTHTYPE failed (). maybe caused by: SASL: Negotiation failed. User is not authenticated. SASL error: ( -4 ) no mechanism available SASL(-4): no mechanism available: No worthy mechs found client_start error. (Callbacks?) }}} This is not SELinux related. Setting the mode to permissive doesn't help, and there are no avc:denied messages.

Perl and SELinux ...

FC6 comes with a new SELinux policy. Some things, like execution of code from the stack, are disallowed even for processes running in the unconfined_t domain. Obviously this is a huge improvement for security. Unfortunately, our perl is not playing along:

[root@em64t ~]# /afs/ifh.de/project/linux/SL/scripts/SLU.pl yes please -shell
boot/grub/menu.lst exists
loader    : grub
site      : HH
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Crypt/OpenSSL/RSA/RSA.so' for module Crypt::OpenSSL::RSA: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /project/VAMOS/prod//client/Auth/RSA.pm line 9
Compilation failed in require at /project/VAMOS/prod//client/Auth/RSA.pm line 9.

This can be remedied by allowing executable stacks: setsebool -P allow_execstack on. Vamos_cmd now works, but here goes part of our improved security

NB setsebool is buggy in FC6T2: -P doesn't work.

Next problem:

[root@em64t ~]# /opt/products/perl/5.8.8/bin/perl /project/VAMOS/prod/scripts/Vamos_GUI.pl
Can't load '/opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so' for module Authen::Krb5: /opt/products/perl/5.8.8/lib/site_perl/i386-linux-thread-multi/auto/Authen/Krb5/Krb5.so: cannot restore segment prot after reloc: Permission denied at /opt/products/perl/5.8.8/lib/i386-linux-thread-multi/DynaLoader.pm line 230.
 at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34
Compilation failed in require at /opt/products/perl/5.8.8/lib/site_perl/Net/Daemon/Krb5/Client.pm line 34.

Remedy: setsebool -P allow_execmod on It should also help to relabel the shared object: chcon -t textrel_shlib_t .../Krb5.so. But that's impossible in AFS.

Temporary fix: DL_sebool package installed in %post.

(P)RPM and SELinux

Default installation of prpm (4.x.y from SL4) will fail to execute pre/post scripts. Reason: Only processes running in the rpm_t domain are allowed to do this. Possible remedies:

1. Relabel the rpm executable rpm_exec_t. Pity: this is impossible in AFS.

2. Execute prpm in the rpm_t domain: {{{runcon -t rpm_t -- /opt/products/bin/prpm -ivh ... }}} We'll probably have to teach ppm&co how to do this. Relabelling the exectables is probably still a good idea. How to do this correctly? In prpm's %post?

Notes from manual FC6T2 installation

• network install using DHCP - no media
• first attempt with a rather large set of packages including Xen failed
  • system got stuck when starting firstboot
• second attempt with smaller package set and without Xen worked
• X came up with some 1900x1400 resolution, just about usable
  • minimal xorg.conf prefers highest mode possible
  • could not be changed with system-config-display (monitor could not be chosen)