Project 312 - inf-unit initial SL7 work

Original description

"There's some inf-unit work required in order to get the DICE SL7 port up and running, specifically making bare minimum desktop/client versions of the LDAP, DNS and Kerberos LCFG components."

Project home page:

https://wiki.inf.ed.ac.uk/DICE/Project312InfSL7

Work done

The work undertaken is described in the project page above. Areas of note were:

  • Changes to both kdcregister itself and the way in which we now run it. The changes are descibed in the blog post mentioned below. As part of a machine install, we now run kdcregister from a wrapper script, which loops to ensure the required host principals are created.
  • A move to using a standard client/server LDAP model using sssd for caching. This is described in the relevant blog posts and bug entries below. Although it's not relevant for the client-side, we should be aware that rfed (server-side) currently uses the dice-authorize package, which depends on an ldap server being present on localhost. It should be (fairly) trivial to change rfed to use lcfg-authorize, which queries netgroups via nss and so has no such dependency.
  • The interaction of the dns component with systemd was complicated by the need on the one hand to have systemd manage named itself, but on the other hand have the component start before systemd starts named in order that configurations can be correctly generated and zones pre-fetched. Eventually, after some experimentation and false starts, and with Stephen's help, the component can now be started as a systemd "pre" script, allowing it to perform any necessary tasks before the daemon is started.
  • iptables was not originally expected to be part of this project, but had to be added to cover the exam-lockdown setup. Work on the component was done in parallel with IPv6 changes. On SL6 and earlier the component is started very early to load the existing rules, and then configured very late in the boot process by a separate init-script to generate and load new rules. On SL7 the initial load of the rules is done automatically from the "save" versions, and the component is only started later to generate new rules as required. The main complicating factor here was the need for stability for the exams, which meant that the final stage in bringing this into service did not actually happen until the first stable release of 2017.

Blog posts

Time taken

  • Toby: 153 hours
  • Ian: 15 hours
  • George: 90 hours

-- TobyBlake - 26 May 2015

Topic revision: r5 - 24 Jan 2017 - 14:36:15 - GeorgeRoss
 
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies