Issues and features that need to be resolved/included in SLC4.
Firstboot
- should ideally (finally) include user creation from LanDB, root mail setup. (low priority, can drop)
- should configure NTP servers [JP: DONE for SLC4.3]
Kerberos5
SLC4 should get Kerberos5 credentials by default (and still have Kerberos4 and AFS creds). Investigate implications on all services including Web auth, proxy credentials for Web/Grid, ORACLE.
- can we use only MIT on the client? This avoids having to lug around a full Heimdal (which can still be used on the servers)
- MIT kinit works with proper config file (strip down, only 10h lifetime)
- MIT krb524init works
- MIT/system afslog (from the =krbafs-utils= RPM) works with MIT credentials but requires Kerberos4? May need to use aklog, e.g. from /afs/cern.ch/project/afs/dev/afs-krb5/
- requires a "wrapper" kinit script that gets AFS credentials and does the KRB4 conversion in one go, e.g. /usr/sue/bin/kinit (DONE). Do we need a pagsh in there as well? (yes, DONE) Do we need Rainer's trick of computing KRBTKFILE and KRB5CCNAME from the AFS PAG "additional" group ids? (no)
- pam_krb5 from RH/Fedora is required.
- to be seen: SSH server, cvs client (apparently unhappy with Heimdal KRB4 ticket format, at least on 64bit?) (solved?)
- If Heimdal is required:
- need "compatible" config file or new config file location
- pam-krb5 needs to be recompiled against Heimdal (see Bernard's /afs/cern.ch/project/afs/dev/krb/pam_krb5-1.3-rc7) (with different name?)
- if different name: need to update =authconfig= (and integrate into firstboot/install procedure)
- clarify maintainership - who is responsible (looks for sec issues, deploys new versions)
- KerberosMigrationTests - things that should get checked
- new service principals (cdb/host@CERN.CH, HTTP/host@CERN.CH) can be created by a selected few via =arc -h afsdb1 kas ext cdb/somehost.cern.ch > /tmp/tttt=. Contact B.Antoine for details.
OpenSSH
should have working Kerberos5-auth including TGT forwarding and AFS-token-getting, via SSH-2. Hopefully without requiring Heimdal on the client; the current =openssh-4.1p1-3.hpn_cern_test7= links against both MIT (through openssl) and Heimdal = pain.
Douglas E. Engert has pam_afs2 at ftp://achilles.ctd.anl.gov/DEE, instructions in private mail.
XFS
- 2.6.9-22.0.1.EL has problems properly determining extents for fragmentation info
- can our XFS live with 4k stacks, or do we need to disable them? (decision: ignore for now; not sure whether there will be issues without SW RAID/LVM/nfsd, and most production systems are expected on x86_64 anyway)
Toy ideas for CASTOR/RFIO
- hugetlb
- posix_fadvise()
- O_DIRECT, please see TsiTpSrvRfioDirect
- XFS preallocation (=ioctl(..XFS_IOC_RESVSP64)=) or posix_fallocate() or (too large) ftruncate(), possibly a (benchmarked) combination of these.
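As an added illustration of the preallocation ideas in this list (not code from the page or from CASTOR/RFIO), the following C program compares two of the options above on a scratch file: posix_fallocate(), which reserves the blocks up front so the extent layout is fixed and later writes cannot fail with ENOSPC, and a bare ftruncate(), which only extends the size and leaves the file sparse, deferring both allocation and the ENOSPC risk to write time. The XFS-specific =XFS_IOC_RESVSP64= ioctl is left out because it needs the XFS headers and an XFS file system; the scratch directory /tmp and the 8 MiB size are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one preallocation experiment: status, reported size, and the
   number of 512-byte blocks the file system actually allocated. */
struct prealloc_result {
    int rc;           /* 0 on success, otherwise an errno value */
    off_t size;       /* st_size after the call */
    blkcnt_t blocks;  /* st_blocks after the call */
};

/* Create an unlinked scratch file under dir (assumption: dir is writable).
   The name is dropped immediately so nothing is left behind on exit. */
static int open_scratch(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/prealloc-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    return fd;
}

/* Fill in size/blocks from fstat() and close the descriptor. */
static void finish(int fd, struct prealloc_result *r) {
    struct stat st;
    if (r->rc == 0 && fstat(fd, &st) == 0) {
        r->size = st.st_size;
        r->blocks = st.st_blocks;
    }
    close(fd);
}

/* Reserve len bytes with posix_fallocate(): blocks are allocated now. */
struct prealloc_result prealloc_fallocate(const char *dir, off_t len) {
    struct prealloc_result r = {0, 0, 0};
    int fd = open_scratch(dir);
    if (fd < 0) { r.rc = errno; return r; }
    r.rc = posix_fallocate(fd, 0, len);  /* returns an errno value, not -1 */
    finish(fd, &r);
    return r;
}

/* Only extend the size with ftruncate(): the file stays sparse, so no
   blocks are reserved and allocation happens (or fails) at write time. */
struct prealloc_result prealloc_ftruncate(const char *dir, off_t len) {
    struct prealloc_result r = {0, 0, 0};
    int fd = open_scratch(dir);
    if (fd < 0) { r.rc = errno; return r; }
    if (ftruncate(fd, len) != 0) r.rc = errno;
    finish(fd, &r);
    return r;
}

int main(void) {
    const off_t len = 8 * 1024 * 1024;  /* constructed test size: 8 MiB */
    struct prealloc_result a = prealloc_fallocate("/tmp", len);
    struct prealloc_result b = prealloc_ftruncate("/tmp", len);
    printf("posix_fallocate: rc=%d size=%lld blocks=%lld\n",
           a.rc, (long long)a.size, (long long)a.blocks);
    printf("ftruncate:       rc=%d size=%lld blocks=%lld\n",
           b.rc, (long long)b.size, (long long)b.blocks);
    return (a.rc != 0 || b.rc != 0) ? 1 : 0;
}
```

Both variants report the same st_size, but only the posix_fallocate() file shows the blocks as already allocated; that difference is what a benchmark of the combinations above would need to account for, since the sparse file pays its allocation cost later, during the actual data writes.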
CERN utilities
- Printer Wizard: patches need forward-porting, drop 'no number as first char' workaround? (low prio, unassigned) [JP: DONE for SLC4.3]
- ncm/lcm: accept local overrides, look for "default" profile on CDB (JI → German)
- ncm-krb5clt: rewrite, deploy with new config (JI)
Misc changes proposed
- ORACLE "wrapper" RPM (JI → IT-DES), then go for instantclient including dependencies.
- do we want to split security and bugfix updates (new repo)? No, sec updates (may) rely on all previous updates (Fermi experience)
- which updating system to use on SLC4: yum [JP: DONE for SLC4.3 - yum !]
- do we want XFS in the installer/anaconda: no, not used on root/boot, FIO-DS has own setup procedure for /data
- need ARECA driver and (perhaps) newer 3w-9xxx driver in install image (also on SLC3?). [JP: DONE for both SLC3/4]
- RPM deployment monitoring: talk to DTF first, lots of solutions
--
JanIven - 10 Jan 2006
Topic revision: r16 - 2007-09-24 - JanIven