Issues and features that need to be resolved/included in SLC4.

Firstboot

  • should ideally (finally) include user creation from LanDB, root mail setup. (low priority, can drop)
  • should configure NTP servers [JP: DONE for SLC4.3]

Kerberos5

SLC4 should get Kerberos5 credentials by default (and still have Kerberos4 and AFS creds). Investigate implications on all services including Web auth, proxy credentials for Web/Grid, ORACLE.

  • can we use only MIT on the client? avoids lugging around a full Heimdal (which still can be used on the servers)
    • MIT kinit works with proper config file (strip down, only 10h lifetime)
    • MIT krb524init works
    • MIT/system afslog (from krbafs-utils RPM) works with MIT credentials but requires Kerberos4? May need to use aklog, e.g. from /afs/cern.ch/project/afs/dev/afs-krb5/
    • requires a "wrapper" kinit script that gets AFS credentials and does the KRB4 conversion in one go, e.g. /usr/sue/bin/kinit (DONE). Do we need a pagsh in there as well? (yes, DONE) Do we need Rainer's trick of computing the KRBTKFILE and KRB5CCNAME from the AFS pag "additional" group ids? (no)
    • pam_krb5 from RH/Fedora is required.
    • to be seen: SSH server, cvs client (apparently unhappy with Heimdal KRB4 ticket format, at least on 64bit?) (solved?)
  • If Heimdal is required:
    • need "compatible" config file or new config file location
    • pam-krb5 needs to be recompiled against Heimdal (see Bernard's /afs/cern.ch/project/afs/dev/krb/pam_krb5-1.3-rc7) (with different name?)
    • if different name: need to update authconfig (and integrate into firstboot/install procedure)
    • clarify maintainership - who is responsible (looks for sec issues, deploys new versions)

  • KerberosMigrationTests - things that should get checked
  • new service principals (cdb/host@CERN.CH, HTTP/host@CERN.CH) can be created by a selected few via: arc -h afsdb1 kas ext cdb/somehost.cern.ch > /tmp/tttt (contact B.Antoine for details)

OpenSSH

should have working Kerberos5-auth including TGT forwarding and AFS-token-getting, via SSH-2. Hopefully without requiring Heimdal on the client: the current openssh-4.1p1-3.hpn_cern_test7 links against both MIT (through openssl) and Heimdal = pain. Douglas E. Engert has pam_afs2 at ftp://achilles.ctd.anl.gov/DEE, instructions in private mail.

XFS

  • 2.6.9-22.0.1.EL has problems properly determining extents for fragmentation info
  • can our XFS live with 4k stacks, or do we need to disable them? (decision: ignore for now, not sure whether there will be issues without SW RAID/LVM/nfsd, most production systems expected on x86_64 anyway)

Toy ideas for CASTOR/RFIO

  • hugetlb
  • posix_fadvise()
  • O_DIRECT, please see TsiTpSrvRfioDirect
  • XFS preallocation (ioctl(..XFS_IOC_RESVSP64)) or posix_fallocate() or (too large) ftruncate()

possibly a (benchmarked) combination of these.

CERN utilities

  • Printer Wizard: patches need forward-porting, drop 'no number as first char' workaround? (low prio, unassigned) [JP: DONE for SLC4.3]
  • ncm/lcm: accept local overrides, look for "default" profile on CDB (JI → German)
  • ncm-krb5clt: rewrite, deploy with new config (JI)

Misc changes proposed

  • ORACLE "wrapper" RPM (JI → IT-DES), then go for instantclient including dependencies.
  • do we want to split security and bugfix updates (new repo)? No, sec updates (may) rely on all previous updates (Fermi experience)
  • which updating system to use on SLC4: yum [JP: DONE for SLC4.3 - yum !]
  • do we want XFS in the installer/anaconda: no, not used on root/boot, FIO-DS has own setup procedure for /data
  • need ARECA driver and (perhaps) newer 3w-9xxx driver in install image (also on SLC3?). [JP: DONE for both SLC3/4]
  • RPM deployment monitoring: talk to DTF first, lots of solutions

-- JanIven - 10 Jan 2006

Topic revision: r16 - 2007-09-24 - JanIven
 