For the cases of firewall oddities, I'll see about doing ipset-based rules for
temporary allowances to reply to multicast.
Of course, a firewall that’s tough on an ‘external’ network but permissive on
cluster facing is generally easy enough.
To share various thoughts moving forward:
- Moving from loop mount to libarchive to manipulate ISOs for importing (step
toward more functionality without root privilege)
- No longer having to update dhcpd.conf (integrated PXE for static-minded
environments)
- For DNS, have one utility to bootstrap the config that runs locally, with the
daemon only ever updating DNS through DDNS packets
- More consistent use of distribution default locations for serving tftp and web
content
- Testing with SELinux on
- No longer make boot config files available over tftp (only the first-stage boot
loader)
Basically, the hope is that down the road we can have a short list of required
security configuration and procedures, contrasted with the likely long list of
things to change today.
From: Kevin Keane <kke...@sandiego.edu>
Sent: Thursday, September 6, 2018 12:41 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] is it possible to use xCAT having firewall
and selinux on
Turning on the firewall shouldn't be a problem; all the ports required are
documented. I hadn't found any problems with it. But Jarrod's note may indeed
explain some oddities I have observed.
There have been quite a few discussions about SELinux going back ten years; you
may want to go to the mailing list archive and search for that term.
But the bottom line is that while the issues can be addressed, you are likely
going to go down a rabbit hole discovering one issue after the other. That is
the one major complaint I have about xCAT. Having to turn off selinux is a very
big deal.
Things that I'm aware of (this is about a year old, so some things may have
changed):
- makedns will produce a warning, and won't produce all the DNS configuration
files.
- xCAT uses HTTP heavily during booting, but the HTTP server cannot serve files
from /tftpboot.
- selinux can interfere with mounting home directories via NFS.
- outside of xCAT, we noticed yet more issues with our resource managers and
schedulers (Torque and Moab).
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS |
kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
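The two SELinux symptoms Kevin lists above (httpd unable to serve /tftpboot, NFS-mounted home directories) can be handled with the stock policy tools rather than by turning SELinux off. What follows is an added example, not code from the thread or from xCAT. It assumes a RHEL-family management node with policycoreutils installed (semanage, restorecon, setsebool, semodule, ausearch, audit2allow), /tftpboot as the tftp root that httpd also serves, and that labelling that tree public_content_t (the reference-policy type for read-only content shared among httpd, tftpd, ftpd, samba and rsync) is acceptable at your site. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread and not xCAT code: persistent,
# standard-policy fixes for the SELinux symptoms above instead of
# "setenforce 0". Assumptions: RHEL-family host with policycoreutils
# (semanage, restorecon, setsebool, semodule, ausearch, audit2allow),
# /tftpboot as the tftp root that httpd also serves, and nodes that mount
# home directories over NFS. DRY_RUN=1 prints the commands instead of
# running them, so the script can be reviewed on a box without SELinux.

TFTPROOT="${TFTPROOT:-/tftpboot}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Symptom: httpd cannot serve files from /tftpboot. The tree carries the tftp
# label, which httpd_t may not read. public_content_t is the reference-policy
# type for read-only content shared among httpd, tftpd, ftpd, samba and rsync,
# so record that label for the whole tree (survives relabels) and apply it.
share_tftproot_with_httpd() {
    run semanage fcontext -a -t public_content_t "${TFTPROOT}(/.*)?"
    run restorecon -Rv "${TFTPROOT}"
}

# Symptom: SELinux interferes with NFS-mounted home directories. The policy
# gates that on a boolean; -P makes the change persistent across reboots.
allow_nfs_home_dirs() {
    run setsebool -P use_nfs_home_dirs on
}

# For the "rabbit hole" of remaining denials: collect recent AVCs into a local
# module instead of disabling SELinux. Read ${module}.te before loading it;
# audit2allow permits exactly what was denied, including things that should
# stay denied. Module name is an assumption (default xcat_local).
build_local_policy() {
    module="${1:-xcat_local}"
    run sh -c "ausearch -m AVC -ts recent | audit2allow -M ${module}"
    run semodule -i "${module}.pp"
}

case "${1:-}" in
    tftp)   share_tftproot_with_httpd ;;
    nfs)    allow_nfs_home_dirs ;;
    policy) build_local_policy "${2:-xcat_local}" ;;
    all)    share_tftproot_with_httpd; allow_nfs_home_dirs ;;
esac
```

Run it once with DRY_RUN=1 to review the commands, then `sh selinux-xcat.sh all` as root, exercise the xCAT workflow (makedns, a node boot) with SELinux in permissive mode, and only then use `policy` to turn what `ausearch -m AVC -ts recent` still reports into a local module.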
On Thu, Sep 6, 2018 at 5:59 AM, Jarrod Johnson
<jjohns...@lenovo.com> wrote:
It is possible, but we don't have crafted policies ready to go for the services,
and the Linux firewall may have some limitations with respect to some
multicast-related commands that you probably don't use anyway. Depending on the
functionality you use, you could spend a short while or a long while creating
some SELinux policies and also using chcon to manually fix up contexts in some
cases. In short, it should be possible, but we don't have it documented.
It has been a focus to be more firewall- and SELinux-friendly as confluent comes
along, more carefully documenting rules and limitations, but it can't deploy
operating systems yet (also, the web forwarding feature is currently
incompatible with the firewall, and discovery bumps into an unfortunate reality
that RELATED,ESTABLISHED does not seem to do a good job of matching unicast
replies to multicast queries, or we've missed something).
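The conntrack limitation Jarrod describes here, and the ipset-based temporary allowance he proposes in his later reply at the top of the thread, as an added example that is not part of the thread and not xCAT's or confluent's own code. A reply to a multicast query comes back from a unicast address, so no conntrack entry pairs it with the query and `ct state established,related` never matches it; the ruleset below instead records the UDP source port of each outbound multicast query in a set with a timeout and accepts inbound UDP to that port until the entry expires. Everything site-specific is an assumption: the cluster-facing interface name, the multicast group and port (SLP-style discovery on 239.255.255.253/427), the reply window, and the port list, which is an illustrative subset of xCAT's documented port requirements, not the full list.

```shell
#!/bin/sh
# Added example, not from the thread and not xCAT/confluent code.
# Generates a firewall ruleset for an xCAT management node that stays ON and
# still lets unicast replies to outbound multicast queries back in.
#
# Why conntrack does not help: the query goes to a multicast group, the reply
# comes from a unicast address, so no conntrack entry pairs them and
# "ct state established,related" never matches the reply. The fix is the one
# proposed in the thread: when a multicast query leaves, remember its UDP
# source port in a set with a timeout, and accept inbound UDP to that port
# until the entry expires.
#
# Assumptions (adjust to your site): interface name, multicast group/port
# (SLP-style discovery), reply window, and the port list, which is an
# illustrative subset of xCAT's documented ports, not the full list.

CLUSTER_IF="${CLUSTER_IF:-eth1}"
MCAST_GROUP="${MCAST_GROUP:-239.255.255.253}"
MCAST_PORT="${MCAST_PORT:-427}"
REPLY_WINDOW_SEC="${REPLY_WINDOW_SEC:-30}"

# nftables form: a dynamic set updated from the packet path.
gen_xcat_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet xcat {
    set mcast_reply {
        type inet_service
        flags dynamic,timeout
        timeout ${REPLY_WINDOW_SEC}s
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # every multicast query we send (re)arms its source port for one window
        ip daddr ${MCAST_GROUP} udp dport ${MCAST_PORT} update @mcast_reply { udp sport }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        # unicast reply to a multicast query sent within the last ${REPLY_WINDOW_SEC}s
        udp dport @mcast_reply accept
        # tough on the external side, permissive on the cluster-facing side
        iifname "${CLUSTER_IF}" accept
        meta l4proto { icmp, icmpv6 } accept
        # illustrative subset of xCAT's documented ports
        tcp dport { 22, 53, 80, 443, 3001, 3002 } accept
        udp dport { 53, 67, 69 } accept
    }
}
EOF
}

# ipset/iptables form of the same idea, for hosts still on iptables.
gen_xcat_ipset_commands() {
    cat <<EOF
ipset create mcast_reply bitmap:port range 1024-65535 timeout ${REPLY_WINDOW_SEC} -exist
iptables -A OUTPUT -d ${MCAST_GROUP} -p udp --dport ${MCAST_PORT} -j SET --add-set mcast_reply src --exist
iptables -A INPUT -p udp -m set --match-set mcast_reply dst -j ACCEPT
EOF
}

# True if the generated nft ruleset contains the given literal rule text.
nft_ruleset_has() {
    gen_xcat_nft_ruleset | grep -Fq -- "$1"
}

# Syntax-check with nft if it is installed (nft -c needs root on most systems).
check_xcat_nft_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_xcat_nft_ruleset | nft -c -f -
    else
        echo "nft not installed; ruleset printed but not checked" >&2
        return 0
    fi
}

case "${1:-print}" in
    print) gen_xcat_nft_ruleset ;;
    ipset) gen_xcat_ipset_commands ;;
    check) check_xcat_nft_ruleset ;;
    apply) gen_xcat_nft_ruleset | nft -f - ;;  # needs root; nft -f loads atomically
esac
```

The window only opens the one ephemeral port the query was sent from, and only for REPLY_WINDOW_SEC seconds after the last query, so it is far narrower than leaving the whole discovery port range open; the `iifname` accept is the "permissive on the cluster-facing side" shortcut from the thread and should be tightened if that network is shared.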
From: Pharthiphan Asokan <paso...@ddn.com>
Sent: Thursday, September 6, 2018 4:06 AM
To: xcat-user@lists.sourceforge.net
Subject: [External] [xcat-user] is it possible to use xCAT having firewall and
selinux on
Hi All,
Is it possible to use xCAT with the firewall and SELinux on, by opening up the
ports which are required by xCAT?
By default, it disables the firewall during installation.
Any thoughts!
Regards,
Pharthiphan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user