Turning on the firewall shouldn't be a problem; all the ports required are
documented. I hadn't found any problems with it. But Jarrod's note may
indeed explain some oddities I have observed.

There have been quite a few discussions about SELinux going back ten years;
you may want to go to the mailing list archive and search for that term.

But the bottom line is that while the issues can be addressed, you are
likely going to go down a rabbit hole discovering one issue after the
other. That is the one major complaint I have about xCAT. Having to turn
off SELinux is a very big deal.

Things that I'm aware of (this is about a year old, so some things may have
changed):

- makedns will produce a warning, and won't produce all the DNS
configuration files.

- xCAT uses HTTP heavily during booting, but the HTTP server cannot serve
files from /tftpboot.

- SELinux can interfere with mounting home directories via NFS.

- outside of xCAT, we noticed yet more issues with our resource managers
and schedulers (Torque and Moab).


_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS |
kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859


On Thu, Sep 6, 2018 at 5:59 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:

> It is possible, but we don’t have crafted policies ready to go for the
> services and the Linux firewall may have some limitations with respect to
> some multicast related commands that you probably don’t use anyway.
> Depending on the functionality you use, you could spend a short while or a
> long while creating some SELinux policies and also using chcon to manually
> fix up contexts in some cases. In short, it should be possible, but we
> don’t have it documented.
>
>
>
> It has been a focus to be more firewall and SELinux friendly as confluent
> comes along, more carefully documenting rules and limitations, but it can’t
> deploy operating systems yet (also the web forwarding feature is currently
> incompatible with firewall, and discovery bumps into an unfortunate reality
> that RELATED,ESTABLISHED does not seem to do a good job of matching unicast
> replies to multicast queries (or we’ve missed something)).
>
>
>
> *From:* Pharthiphan Asokan <paso...@ddn.com>
> *Sent:* Thursday, September 6, 2018 4:06 AM
> *To:* xcat-user@lists.sourceforge.net
> *Subject:* [External] [xcat-user] is it possible to use xCAT having
> firewall and selinux on
>
>
>
>
>
> Hi All,
>
> Is it possible to use xCAT with the firewall and SELinux on, by opening up
> the ports which are required by xCAT?
>
> By default, it disables the firewall during installation.
>
> Any thoughts?
>
>
>
> Regards,
>
> Pharthiphan
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> xCAT-user mailing list
> xCAT-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/xcat-user
>
>
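Added example, not part of the original thread and not xCAT's own tooling: one way to size up the "one issue after the other" problem described above is to run the services with SELinux in permissive mode and group the logged AVC denials by source domain and target type, which shows where a policy rule or a relabel is needed. The audit lines, process names and SELinux types below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); process names,
# paths and SELinux types are assumptions chosen to mirror the issues listed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1536238801.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="initrd.img" dev="dm-0" ino=5501 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1536238801.102:411): avc:  denied  { open } for  pid=2101 comm="httpd" path="/tftpboot/xcat/initrd.img" dev="dm-0" ino=5501 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1
type=AVC msg=audit(1536238805.300:420): avc:  denied  { write } for  pid=2200 comm="named" name="db.cluster" dev="dm-0" ino=7710 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1536238805.300:420): arch=c000003e syscall=2 success=yes exit=3 comm="named"
type=AVC msg=audit(1536238809.000:431): avc:  denied  { read open } for  pid=2101 comm="httpd" path="/tftpboot/xcat/vmlinuz" dev="dm-0" ino=5502 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tftpdir_t:s0 tclass=file permissive=1
"""

# Matches the fields of an AVC denial that decide which rule is missing.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> set of perms."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other companion records
        m = AVC_RE.search(line)
        if m is None:
            continue  # malformed or unexpected AVC layout
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        needed[key].update(m["perms"].split())
    return dict(needed)


def report(needed):
    """One line per distinct denial, in stable sorted order."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(needed.items())]


if __name__ == "__main__":
    for entry in report(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(entry)
```

Each output line is one decision to make: relabel the target (the chcon approach mentioned in the thread) or write a policy rule for that source domain.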