openafs on F12

March 10, 2010

Moving straight on from getting kerberized logins working, it’s time to get openafs running. The packages for F12 are all pre-compiled and the official repository supports yum, so that’s the easiest approach. Here is the yum repository config file (openafs.repo) for 1.4.11:

[openafs]
name=Openafs 1.4.11 for F12
baseurl=http://dl.openafs.org/dl/openafs/1.4.11/fedora-12/$basearch/
enabled=1
metadata_expire=1d
gpgcheck=0

Once that is in /etc/yum.repos.d, it is possible to do:

yum install openafs-authlibs openafs-client openafs-server openafs-krb5 openafs-docs
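
The repository file above sets gpgcheck=0 and uses an http:// baseurl, so yum installs these packages without verifying signatures and fetches them over an unauthenticated transport. The following check is an added example, not part of the original post: it flags enabled repositories with either setting. The example-signed section, its URL and key path are constructed placeholders, and treating a missing gpgcheck line as inheriting the [main] value is an assumption.

```python
import configparser
from pathlib import Path

# Constructed sample: the openafs.repo from this post plus a hypothetical
# signed repo (its URL and key path are placeholders, not real locations).
SAMPLE_REPO = """\
[openafs]
name=Openafs 1.4.11 for F12
baseurl=http://dl.openafs.org/dl/openafs/1.4.11/fedora-12/$basearch/
enabled=1
metadata_expire=1d
gpgcheck=0

[example-signed]
baseurl=https://repo.example.org/f12/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
"""

TRUE_VALUES = {"1", "yes", "true"}
PLAINTEXT_SCHEMES = ("http://", "ftp://")


def audit_repo_text(text, main_gpgcheck=False):
    """Return sorted (repo_id, finding) pairs for enabled repos in a .repo file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = set()
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue  # skipped: yum does not use disabled repos by default
        # Assumption: a repo with no gpgcheck line inherits the [main] value.
        gpgcheck = repo.get("gpgcheck", "1" if main_gpgcheck else "0")
        if gpgcheck.strip().lower() not in TRUE_VALUES:
            findings.add((repo_id, "unsigned-packages"))
        urls = f'{repo.get("baseurl", "")} {repo.get("mirrorlist", "")}'.split()
        if any(url.lower().startswith(PLAINTEXT_SCHEMES) for url in urls):
            findings.add((repo_id, "plaintext-transport"))
    return sorted(findings)


def audit_repo_dir(directory="/etc/yum.repos.d"):
    """Audit every *.repo file in a directory; returns {path: findings}."""
    return {str(path): audit_repo_text(path.read_text())
            for path in sorted(Path(directory).glob("*.repo"))}


if __name__ == "__main__":
    print(audit_repo_text(SAMPLE_REPO))
```

Calling audit_repo_dir() on the installed machine reports the same findings for every file in /etc/yum.repos.d.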

It is also necessary to grab a kmod-openafs package. For some reason I have experienced problems with the automatic support for this on F12, so it’s best to grab the correct version of the RPM for the running kernel from the openafs website and install it manually.

Once that is done:

echo inf.ed.ac.uk > /usr/vice/etc/ThisCell
/etc/init.d/openafs-client start

It might be necessary to also edit /etc/sysconfig/openafs. I made it contain:

AFSD_ARGS="-dynroot -afsdb -fakestat -daemons 5 -volumes 200 -chunksize 20  -nosettime"

Network, Kerberos and openssh on F12

March 10, 2010

Firstly we need to deactivate the nastiness that is NetworkManager and switch to configuring the network interface so that it comes up at boot time and uses DHCP to get an address and DNS configuration. This is done by using the system-config-network tool as root and doing an “Edit” on the eth0 device. After finishing the alterations the networking needs restarting with /etc/init.d/network restart

To make sure this continues to work after a reboot, as root, do:

chkconfig --levels 2345 NetworkManager off
chkconfig --levels 2345 network on

As well as this, to get the machine to have the correct hostname and domain name, I had to edit /etc/hosts to look like:

127.0.0.1   localhost
::1         localhost
129.215.24.207 bowmore.inf.ed.ac.uk bowmore

and set the domainname like:

domainname inf.ed.ac.uk

The next step is to start using kerberos for authentication and LDAP for user info. That is done using the system-config-authentication tool, again as root. The LDAP base DN is dc=inf,dc=ed,dc=ac,dc=uk and I used ldap://infdir.inf.ed.ac.uk for the server.

For kerberos authentication the realm is INF.ED.AC.UK; I didn’t list any KDCs but rather ticked both options to use DNS. The admin server is kdc.inf.ed.ac.uk:749.

If you don’t have AFS available then on the “Options” tab you probably want to select “Create home directories on first login”.

I can never be bothered with typing in my password all the time, so the next step is to get kerberos up and running and then configure openssh appropriately. Nicely, Fedora finally includes all the patches provided by Simon, which we have been applying locally for years, so no rebuilding is necessary.

The next step is to grab the hostclient and host principals for the specific machine. If it is a new machine you will need to create it first; if it already exists then (as root) you can do something like:

kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab host/foo.inf.ed.ac.uk'
kadmin -p squinney/admin \
            -q 'ktadd -k /etc/krb5.keytab hostclient/foo.inf.ed.ac.uk'

You can now configure openssh to work like a normal DICE machine. You will need to copy over /etc/ssh/ssh_config and /etc/ssh/sshd_config to your F12 machine. Note that the daemon config file is only visible to root. After reconfiguration, restart sshd.

It should now be possible to ssh in without a password!


Starting on F12/x86_64

March 10, 2010

I’ve made a start on the F12/x86_64 port. The first thing I did was to install from the F12 CD and make a base packages list:

rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}/%{ARCH}\n' \
  | perl -pe 's{/x86_64$}{}' > lcfg_f12_64_base.rpms

On this platform, at this stage, there are no packages with architectures other than x86_64 and noarch so I did not have to worry any more about getting the formatting correct.

The next stage was to get yum working with our local repositories:

su -
perl -pi -e 's/enabled=1/enabled=0/' /etc/yum.repos.d/* /etc/yum/pluginconf.d/presto.conf
cd /etc/yum.repos.d/
wget http://homepages.inf.ed.ac.uk/squinney/inf-f12.repo
yum check-update

This deactivates any existing repositories in use and turns off the presto plugin, which does the delta-rpm stuff that we do not need.

I have put together a yum configuration file for our Informatics F12 repository. Note that, by default, only the base directory is enabled. This makes it possible to easily install extra base packages with yum and know that the changes are directly applicable to the LCFG F12 base package lists. At a later point, when updaterpms is installed and being run, the updates can be applied.