Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
for the superfluous complexity. Anyway, that’s my personal thoughts, feedback is of course always welcome. From: Vinícius Ferrão Sent: Monday, October 14, 2019 1:14 PM To: Jarrod Johnson Cc: xCAT Users Mailing list Subject: Re: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Thanks Jarrod. Opened the issue: https://github.com/xcat2/xcat-core/issues/6445 Just for the sake of completude: what’s the difference between the upstream and the Lenovo build? Theres nothing explaining on hpc.lenovo.com<http://hpc.lenovo.com>. It appears to be tight with Confluent. I heard that Confluent would eventually replace xcatd and become the xCAT 3.0 release. Is this still true? Thanks. On 14 Oct 2019, at 09:38, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I think it is fine, but on the other hand, I can only personally provide such a meta package in the lenovo branches. I could open a pull request but I can't guarantee that it would be accepted. From: Vinícius Ferrão mailto:fer...@versatushpc.com.br>> Sent: Saturday, October 12, 2019 11:13 PM To: Jarrod Johnson Cc: xCAT Users Mailing list Subject: Re: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Jarrod, do you think it’s okay to raise an issue on https://github.com/xcat2/xcat-core/issues to request this new meta package? [Image removed by sender.]<https://github.com/xcat2/xcat-core/issues> Issues · xcat2/xcat-core · GitHub<https://github.com/xcat2/xcat-core/issues> github.com<http://github.com/> Code repo for xCAT core packages. Contribute to xcat2/xcat-core development by creating an account on GitHub. 
Thanks, On 26 Sep 2019, at 03:54, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. 
[root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopped firewalld - dynamic firewall daemon. There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments. ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net<mailto:xCAT-user@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/xcat-user ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Thanks Jarrod. Opened the issue: https://github.com/xcat2/xcat-core/issues/6445 Just for the sake of completude: what’s the difference between the upstream and the Lenovo build? Theres nothing explaining on hpc.lenovo.com<http://hpc.lenovo.com>. It appears to be tight with Confluent. I heard that Confluent would eventually replace xcatd and become the xCAT 3.0 release. Is this still true? Thanks. On 14 Oct 2019, at 09:38, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I think it is fine, but on the other hand, I can only personally provide such a meta package in the lenovo branches. I could open a pull request but I can't guarantee that it would be accepted. From: Vinícius Ferrão mailto:fer...@versatushpc.com.br>> Sent: Saturday, October 12, 2019 11:13 PM To: Jarrod Johnson Cc: xCAT Users Mailing list Subject: Re: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Jarrod, do you think it’s okay to raise an issue on https://github.com/xcat2/xcat-core/issues to request this new meta package? [https://avatars3.githubusercontent.com/u/10124414?s=400=4]<https://github.com/xcat2/xcat-core/issues> Issues · xcat2/xcat-core · GitHub<https://github.com/xcat2/xcat-core/issues> github.com<http://github.com/> Code repo for xCAT core packages. Contribute to xcat2/xcat-core development by creating an account on GitHub. Thanks, On 26 Sep 2019, at 03:54, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. 
Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. [root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopped firewalld - dynamic firewall daemon. There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments. 
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
I think it is fine, but on the other hand, I can only personally provide such a meta package in the lenovo branches. I could open a pull request but I can't guarantee that it would be accepted. From: Vinícius Ferrão Sent: Saturday, October 12, 2019 11:13 PM To: Jarrod Johnson Cc: xCAT Users Mailing list Subject: Re: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Jarrod, do you think it’s okay to raise an issue on https://github.com/xcat2/xcat-core/issues to request this new meta package? [https://avatars3.githubusercontent.com/u/10124414?s=400=4]<https://github.com/xcat2/xcat-core/issues> Issues · xcat2/xcat-core · GitHub<https://github.com/xcat2/xcat-core/issues> github.com Code repo for xCAT core packages. Contribute to xcat2/xcat-core development by creating an account on GitHub. Thanks, On 26 Sep 2019, at 03:54, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. 
More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. [root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Stopped firewalld - dynamic firewall daemon. There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments. ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net<mailto:xCAT-user@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/xcat-user ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Jarrod, do you think it’s okay to raise an issue on https://github.com/xcat2/xcat-core/issues to request this new meta package? Thanks, On 26 Sep 2019, at 03:54, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. 
[root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br> systemd[1]: Stopped firewalld - dynamic firewall daemon. There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments. ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net<mailto:xCAT-user@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/xcat-user ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Hi,

I'm trying to automate some details that we use during the deploy and one of them is the default network names, having this feature would work like a charm for automated setups.

Jarrod, I agreed with a new meta package, this way it would not break old behavior, this way users would not be taken by surprise and documentation won't change. The new behavior may be triggered by a flag on go-xcat, maybe?

Regards!

From: Vinícius Ferrão via xCAT-user
Sent: Thursday, September 26, 2019 13:46
To: xCAT Users Mailing list
Cc: Vinícius Ferrão
Subject: Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld

Hello Kevin, I’ve answered at the same time. Take a look at the answer, there’s a command that does everything. It really nails down to avoid running the command. In the xCAT package only runs on the first time:

    . /etc/profile.d/xcat.sh
    if [ "$1" = "1" ]; then #Only if installing for the first time..
        $RPM_INSTALL_PREFIX0/sbin/xcatconfig -i
    else
        if [ -r "/tmp/xcat/installservice.pid" ]; then
            mv /tmp/xcat/installservice.pid /var/run/xcat/installservice.pid
        fi
        if [ -r "/tmp/xcat/udpservice.pid" ]; then
            mv /tmp/xcat/udpservice.pid /var/run/xcat/udpservice.pid
        fi
        if [ -r "/tmp/xcat/mainservice.pid" ]; then
            mv /tmp/xcat/mainservice.pid /var/run/xcat/mainservice.pid
        fi
    fi # closes the outer if (missing from the excerpt as posted)

On 26 Sep 2019, at 13:38, Kevin Keane <kke...@sandiego.edu> wrote:

Just a thought - you could get the best of both worlds by removing this behavior from the RPMs, and creating a separate "setup" RPM that does all these things. This behavior should really be removed from the main RPMs because otherwise, these actions are repeated on updates.

___
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them! On Wed, Sep 25, 2019 at 11:54 PM Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. 
[root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopped firewalld - dynamic firewall daemon. There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the cons
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Hello Kevin, I’ve answered at the same time. Take a look at the answer, there’s a command that does everything. It really nails down to avoid running the command. In the xCAT package only runs on the first time:

    . /etc/profile.d/xcat.sh
    if [ "$1" = "1" ]; then #Only if installing for the first time..
        $RPM_INSTALL_PREFIX0/sbin/xcatconfig -i
    else
        if [ -r "/tmp/xcat/installservice.pid" ]; then
            mv /tmp/xcat/installservice.pid /var/run/xcat/installservice.pid
        fi
        if [ -r "/tmp/xcat/udpservice.pid" ]; then
            mv /tmp/xcat/udpservice.pid /var/run/xcat/udpservice.pid
        fi
        if [ -r "/tmp/xcat/mainservice.pid" ]; then
            mv /tmp/xcat/mainservice.pid /var/run/xcat/mainservice.pid
        fi
    fi # closes the outer if (missing from the excerpt as posted)

On 26 Sep 2019, at 13:38, Kevin Keane <kke...@sandiego.edu> wrote:

Just a thought - you could get the best of both worlds by removing this behavior from the RPMs, and creating a separate "setup" RPM that does all these things. This behavior should really be removed from the main RPMs because otherwise, these actions are repeated on updates.

___
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

On Wed, Sep 25, 2019 at 11:54 PM Jarrod Johnson <jjohns...@lenovo.com> wrote:

I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm)

It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior.

On the flip side, this would be a change that people would have to learn and would surprise new installs.
I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. [root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1) Sep 26 02:55:55 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Starting firewalld - dynamic firewall daemon... Sep 26 02:55:56 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Started firewalld - dynamic firewall daemon. Sep 26 03:09:18 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopping firewalld - dynamic firewall daemon... Sep 26 03:09:21 headnode.cluster.iq.ufrj.br<http://headnode.cluster.iq.ufrj.br/> systemd[1]: Stopped firewalld - dynamic firewall daemon. 
There’s a way to avoid this behaviour? Thanks, PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments.
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
>: grep Subject /etc/xcat/cert/server-cert.pem 2>&1
Running command on headnode.cluster.iq.ufrj.br: find /usr/share/zoneinfo -xtype f -exec cmp -s /etc/localtime {} \; -print | grep -v posix | grep -v SystemV | grep -v right | grep -v localtime 2>&1
Running command on headnode.cluster.iq.ufrj.br: /install/postscripts/syslog 2>&1
syslog has been set up.
Running command on headnode.cluster.iq.ufrj.br: systemctl set-environment TERM=xterm-256color 2>&1
Imported TERM=xterm-256color into systemd.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable named 2>&1
Could not enable dns server.
Running command on headnode.cluster.iq.ufrj.br: XCATBYPASS=Y /opt/xcat/sbin/makenetworks 2>&1
The makenetworks command was run with no error.
httpd has been restarted.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable httpd 2>&1
httpd has been enabled.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable dhcpd 2>&1
SELINUX is not disabled, disabling it now...
Running command on headnode.cluster.iq.ufrj.br: echo 0 > /sys/fs/selinux/enforce 2>&1
Running command on headnode.cluster.iq.ufrj.br: sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>&1
Running command on headnode.cluster.iq.ufrj.br: type -P SuSEfirewall2 >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: type -P SuSEfirewall2 >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: systemctl disable firewalld 2>&1
xCAT is now running, it is recommended to tabedit networks and set a dynamic ip address range on any networks where nodes are to be discovered. Then, run makedhcp -n to create a new dhcpd configuration file, and /etc/init.d/dhcpd restart. Either examine sample configuration templates, or write your own, or specify a value per node with nodeadd or tabedit.

On 26 Sep 2019, at 13:11, Vinícius Ferrão via xCAT-user <xcat-user@lists.sourceforge.net> wrote:

Hello Jarrod, so you’re the guy who can help it out :)

The message was originally about firewalld and SELinux but can be extended to a lot of other things. Like the automatic names that xCAT creates for networks and things like this. So I think a package without automatic installation is really welcoming.

But to this there’s a place where it’s documented everything that the xCAT package install does? If not there’s a way to get this from the package? I think the commands are sufficient.

In a complex or custom environment manual installation, with other tools automating, things is a good idea.

Thanks.
Sent from my iPhone On 26 Sep 2019, at 03:54, Jarrod Johnson mailto:jjohns...@lenovo.com>> wrote: I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm) It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior. On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts. For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands. From: Vinícius Ferrão via xCAT-user mailto:xcat-user@lists.sourceforge.net>> Sent: Thursday, September 26, 2019 2:27:10 AM To: xCAT Users Mailing list Cc: Vinícius Ferrão Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld Hello, When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does. [root@headnode ~]# getenforce Permissive [root@headnode ~]# systemctl status firewalld ●
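The setup log quoted in the message above is where the thread shows what the first-install step actually does to the host, so here is one way to pull the posture-weakening commands out of such a log. This is an added example, not part of the original messages and not xCAT code; the function names, category labels and sample log (host `headnode.example`) are constructed for illustration, and the `setenforce` pattern goes beyond the commands shown in the thread.

```shell
#!/bin/sh
# Added example (not xCAT code): list the commands in an xcatconfig-style setup
# log that weaken SELinux or the host firewall.
# Assumed record format, taken from the log quoted in this thread:
#   Running command on <host>: <command> 2>&1 [status text]

# Constructed sample log, modelled on the quoted output. The third line holds
# two records, as happens when a mail archive flattens the log.
sample_log() {
    cat <<'EOF'
Running command on headnode.example: systemctl enable httpd 2>&1 httpd has been enabled.
Running command on headnode.example: systemctl enable dhcpd 2>&1 SELINUX is not disabled, disabling it now...
Running command on headnode.example: echo 0 > /sys/fs/selinux/enforce 2>&1 Running command on headnode.example: sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>&1
Running command on headnode.example: type -P SuSEfirewall2 >/dev/null 2>&1
Running command on headnode.example: systemctl disable firewalld 2>&1
EOF
}

# Read a log on stdin; print "CATEGORY: command" for every flagged command.
flag_posture_changes() {
    awk '
    {
        # Several records may share one physical line, so split on the prefix.
        n = split($0, rec, "Running command on ")
        for (i = 2; i <= n; i++) {
            # The command starts after the first ": ". A host decorated with
            # mail-client link residue (host<http://host>) has no ": " inside.
            sep = index(rec[i], ": ")
            if (sep == 0) continue
            cmd = substr(rec[i], sep + 2)
            # Drop the redirect and the status text that follows it, so that
            # messages such as "SELINUX is not disabled" are never matched.
            sub(/ 2>&1.*$/, "", cmd)
            if (cmd ~ /echo[ \t]+0[ \t]*>[ \t]*\/sys\/fs\/selinux\/enforce/ ||
                cmd ~ /setenforce[ \t]+(0|[Pp]ermissive)/)
                print "SELINUX_RUNTIME: " cmd
            else if (cmd ~ /SELINUX=(disabled|permissive)/)
                print "SELINUX_CONFIG: " cmd
            else if (cmd ~ /systemctl[ \t]+(stop|disable|mask)[ \t]+(--now[ \t]+)?firewalld/)
                print "FIREWALL: " cmd
        }
    }'
}

# Exit status 0 when the log on stdin contains at least one flagged command.
posture_weakened() {
    [ -n "$(flag_posture_changes)" ]
}

sample_log | flag_posture_changes
```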
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Just a thought - you could get the best of both worlds by removing this behavior from the RPMs, and creating a separate "setup" RPM that does all these things. This behavior should really be removed from the main RPMs because otherwise, these actions are repeated on updates. ___ Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339 *REMEMBER! **No one from IT at USD will ever ask to confirm or supply your password*. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them! On Wed, Sep 25, 2019 at 11:54 PM Jarrod Johnson wrote: > I've been considering removing all of that from executing on rpm install > (also enabling services to start on boot just by installing rpm) > > It was added for convenience of not asking to run a setup after install > but it is inconsistent with general rpm behavior and limits ability to use > flags to customize behavior. > > On the flip side, this would be a change that people would have to learn > and would surprise new installs. > > I might make variant of the xCAT meta package with no auto setup so that > people won't be surprised unless they opt into the other package. > > Looking for thoughts. > > For wider information, it doesn't yet have os deployment, but confluent > has been developing and designing specifically with firewall and selinux in > mind, as well as trying to mitigate the initial setup complexity that drove > us to create xcatconfig in the first place. For example no more tls certs > required for local access and os import will no longer loop mount isos (one > of the biggest selinux problems) and avoid rewriting other service etc > files in daemon context. More straightforward network usage and a > documented set of firewalld commands. 
> -- > *From:* Vinícius Ferrão via xCAT-user > *Sent:* Thursday, September 26, 2019 2:27:10 AM > *To:* xCAT Users Mailing list > *Cc:* Vinícius Ferrão > *Subject:* [External] [xcat-user] xCAT forcibly disabling SELinux and > firewalld > > Hello, > > When installing xCAT in EL7 with yum install xCAT it’s just put SELinux in > permissive mode and disables firewalld. > > It does not even ask about it. It just does. > > [root@headnode ~]# getenforce > Permissive > [root@headnode ~]# systemctl status firewalld > ● firewalld.service - firewalld - dynamic firewall daemon >Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; > vendor preset: enabled) >Active: inactive (dead) > Docs: man:firewalld(1) > > Sep 26 02:55:55 headnode.cluster.iq.ufrj.br systemd[1]: Starting > firewalld - dynamic firewall daemon... > Sep 26 02:55:56 headnode.cluster.iq.ufrj.br systemd[1]: Started firewalld > - dynamic firewall daemon. > Sep 26 03:09:18 headnode.cluster.iq.ufrj.br systemd[1]: Stopping > firewalld - dynamic firewall daemon... > Sep 26 03:09:21 headnode.cluster.iq.ufrj.br systemd[1]: Stopped firewalld > - dynamic firewall daemon. > > There’s a way to avoid this behaviour? > > Thanks, > > PS: I’m aware of the consequences of firewalld and SELinux in xCAT > environments. > ___ > xCAT-user mailing list > xCAT-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/xcat-user > ___ > xCAT-user mailing list > xCAT-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/xcat-user > ___ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
Hello Jarrod, so you’re the guy who can help out :)

The message was originally about firewalld and SELinux, but it can be extended to a lot of other things, like the automatic names that xCAT creates for networks and things like this.

So I think a package without automatic installation is really welcome. But for this, is there a place where everything that the xCAT package install does is documented? If not, is there a way to get this from the package? I think the commands are sufficient.

In a complex or custom environment, manual installation, with other tools automating things, is a good idea.

Thanks.
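On the question above of how to get from the package what its install does: `rpm -q --scripts <package>` prints a package's scriptlets, and the shell function below flags the lines in that output that touch SELinux, the firewall, or boot-time service state. This is an added example, not part of the thread and not xCAT project code; the function names are hypothetical, and the text in `sample_scripts` is constructed for illustration and is not the real xCAT scriptlet.

```shell
#!/bin/sh
# Added example: report RPM scriptlet lines that change SELinux, firewall,
# or boot-time service state. Reads `rpm -q --scripts <package>` output on
# stdin and prints "section<TAB>input-line-number<TAB>command" for each hit.
flag_security_changes() {
    awk '
        # rpm introduces each scriptlet with a header such as
        # "postinstall scriptlet (using /bin/sh):"; remember which one we are in.
        /^[a-z]+ scriptlet \(using / { section = $1; next }
        # Ignore shell comments so commented-out commands are not reported.
        /^[ \t]*#/ { next }
        /setenforce|\/etc\/selinux\/config|\/etc\/sysconfig\/selinux/ ||
        /(systemctl|service|chkconfig).*(firewalld|iptables|ip6tables)/ ||
        /systemctl[ \t]+(enable|disable|mask)[ \t]/ {
            sub(/^[ \t]+/, "")
            printf "%s\t%d\t%s\n", (section == "" ? "unknown" : section), NR, $0
        }
    '
}

# Constructed sample input (NOT the real xCAT scriptlets), shaped like rpm output.
sample_scripts() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
echo "preparing"
postinstall scriptlet (using /bin/sh):
# setenforce 0   (commented out: must not be reported)
setenforce 0
systemctl disable firewalld
systemctl enable exampled
EOF
}

# Demo on the sample; on a real host use: rpm -q --scripts xCAT | flag_security_changes
sample_scripts | flag_security_changes
```

RPM runs the postinstall scriptlet again on upgrade (with `$1` set to 2 instead of 1), so flagged postinstall lines that are not guarded on `$1` are re-applied at every update.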
Re: [xcat-user] [External] xCAT forcibly disabling SELinux and firewalld
I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm)

It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior.

On the flip side, this would be a change that people would have to learn and would surprise new installs.

I might make variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package.

Looking for thoughts.

For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands.