Thanks Jarrod, Kevin
I was able to deploy diskless clients through xCAT having selinux enforcing and firewall enabled, by allowing the ports that are required by xCAT and making the following changes in selinux:

    chgrp named -R /var/named
    chown -v root:named /etc/named.conf
    restorecon -rv /var/named
    restorecon /etc/named.conf
    restorecon /etc/rndc.key
    restorecon /var/lib/rsyslog/imjournal.state
    restorecon -v /var/lib/dhcpd/dhcpd.leases
    chcon -R -t public_content_t /tftpboot/
    chcon -R -t public_content_t /install/

Regards,
Pharthiphan

________________________________
From: Jarrod Johnson <jjohns...@lenovo.com>
Sent: 06 September 2018 22:44:18
To: xCAT Users Mailing list
Subject: Re: [xcat-user] [External] is it possible to use xCAT having firewall and selinux on

For the cases of firewall oddities, I’ll see about doing ipset based rules for temporary allowances to reply to multicast. Of course, a firewall that’s tough on an ‘external’ network but permissive on cluster facing is generally easy enough.

To share various thoughts moving forward:

- Moving from loop mount to libarchive to manipulate isos for importing (step toward more functionality without root privilege)
- No longer having to update dhcpd.conf (integrated PXE for static-minded environments)
- For DNS, have one utility to bootstrap the config that runs locally, daemon only ever updating DNS through DDNS packets
- More consistent use of distribution default locations for serving tftp and web content
- Testing with SElinux on
- No longer make boot config files available over tftp (only first stage boot loader)

Basically, the hope is that down the road we can have a short list of required security configuration and procedures, contrasted with the likely long list of things to change today.
From: Kevin Keane <kke...@sandiego.edu>
Sent: Thursday, September 6, 2018 12:41 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] is it possible to use xCAT having firewall and selinux on

Turning on the firewall shouldn't be a problem; all the ports required are documented. I hadn't found any problems with it. But Jarrod's note may indeed explain some oddities I have observed.

There have been quite a few discussions about SELinux going back ten years; you may want to go to the mailing list archive and search for that term. But the bottom line is that while the issues can be addressed, you are likely going to go down a rabbit hole discovering one issue after the other. That is the one major complaint I have about xCAT. Having to turn off selinux is a very big deal.

Things that I'm aware of (this is about a year old, so some things may have changed):

- makedns will produce a warning, and won't produce all the DNS configuration files.
- xCAT uses HTTP heavily during booting, but the HTTP server cannot serve files from /tftpboot.
- selinux can interfere with mounting home directories via NFS.
- outside of xCAT, we noticed yet more issues with our resource managers and schedulers (Torque and Moab).

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!
On Thu, Sep 6, 2018 at 5:59 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:

It is possible, but we don’t have crafted policies ready to go for the services and the linux firewall may have some limitations with respect to some multicast related commands that you probably don’t use anyway. Depending on the functionality you use, you could spend a short while or a long while creating some selinux policies and also using chcon to manually fix up contexts in some cases.

In short, it should be possible, but we don’t have it documented. It has been a focus to be more firewall and selinux friendly as confluent comes along, more carefully documenting rules and limitations, but it can’t deploy operating systems yet (also the web forwarding feature is currently incompatible with firewall, and discovery bumps into an unfortunate reality that RELATED,ESTABLISHED does not seem to do a good job of matching unicast replies to multicast queries (or we’ve missed something)).

From: Pharthiphan Asokan <paso...@ddn.com>
Sent: Thursday, September 6, 2018 4:06 AM
To: xcat-user@lists.sourceforge.net
Subject: [External] [xcat-user] is it possible to use xCAT having firewall and selinux on

Hi All,

Is it possible to use xCAT having firewall and selinux on? By opening up the ports which are required by xCAT by default, it disables the firewall while installation. Any thoughts!

Regards,
Pharthiphan

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
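The relabel steps Pharthiphan lists at the top of the thread (chcon -R -t public_content_t on /tftpboot and /install) work, but chcon only changes the on-disk label; the next restorecon or a full filesystem relabel resets the directories to the policy default and the HTTP/tftp serving problem Kevin describes comes back. The script below is an added example, not code from any poster or from the xCAT project: it records the same type in the local SELinux file-context policy with semanage so restorecon keeps it, and adds a check that parses ls -Zd output to confirm each directory actually carries the expected type. It assumes a RHEL/CentOS-style host with semanage (policycoreutils-python), restorecon and ls -Z available; the directory list and the public_content_t type are taken from the thread, everything else (function names, the verify step) is my own.

```shell
#!/bin/sh
# Added example (not from the thread or from xCAT): make the SELinux relabel of
# xCAT-served directories persistent, and verify it stuck.

# Directories xCAT serves over tftp/http, as named in the thread; the type is
# the one Pharthiphan's chcon lines used.
XCAT_PUBLIC_DIRS="/tftpboot /install"
WANT_TYPE="public_content_t"

# Print the SELinux type (third field) of a context such as
# "system_u:object_r:public_content_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Check one line of `ls -Zd` output against the expected type.
# Handles both the RHEL 7 layout ("drwxr-xr-x. root root CTX PATH") and the
# newer coreutils layout ("CTX PATH"): the context is the first field that
# contains a colon, the path is the last field.
# Prints "OK <path>" (status 0) or "MISMATCH <path> <actual-type>" (status 1).
check_ls_line() {
    line=$1
    want=$2
    ctx=$(printf '%s\n' "$line" | awk '{for (i = 1; i <= NF; i++) if ($i ~ /:/) {print $i; exit}}')
    path=$(printf '%s\n' "$line" | awk '{print $NF}')
    type=$(context_type "$ctx")
    if [ "$type" = "$want" ]; then
        printf 'OK %s\n' "$path"
        return 0
    fi
    printf 'MISMATCH %s %s\n' "$path" "$type"
    return 1
}

# Record the label in local policy, then apply it. Needs root on an SELinux
# host. `semanage fcontext -a` fails if a rule for the pattern already exists,
# so fall back to `-m` (modify) in that case; restorecon then enforces it.
relabel_xcat_dirs() {
    for d in $XCAT_PUBLIC_DIRS; do
        semanage fcontext -a -t "$WANT_TYPE" "$d(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t "$WANT_TYPE" "$d(/.*)?"
        restorecon -Rv "$d"
    done
}

# Verify every directory carries the expected type; non-zero if any does not.
# Run this after relabel_xcat_dirs, and again after any `restorecon -R /`.
verify_xcat_dirs() {
    rc=0
    for d in $XCAT_PUBLIC_DIRS; do
        check_ls_line "$(ls -Zd "$d")" "$WANT_TYPE" || rc=1
    done
    return $rc
}

# Usage on the management node (as root):
#   . ./xcat-selinux-labels.sh && relabel_xcat_dirs && verify_xcat_dirs
```

The check only looks at the directory itself, so if a file under /install was copied in with a different label (cp without -a preserves nothing, but a tarball unpacked as root can carry its own context), run restorecon -R on the tree again rather than trusting the top-level result alone.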