devel September 2015

devel@lists.centos.org

41 participants
37 discussions

Intent to participate to a ppc64le beta test
by Takashi Ohsawa 15 Sep '15

15 Sep '15

Hi, We are using CentOS on x86 server to our system. I appreciate your contribution in CentOS community. Your cooperation is really helping our system infrastructure. We are evaluating the new server of OpenPOWER community. We can find the technology innovation in this community, such as fast I/O accelerator, fast GPGPU. We would like to use CentOS on OpenPOWER because our skill and some operation tools are optimized on CentOS. I would like to contribute of evaluation CentOS ppc64le beta build when we can use it. -- -- Takashi Ohsawa --

3 2

Intent to Participate in CentOS for ppc64le Beta Validation
by Sameer Kumar 15 Sep '15

15 Sep '15

Hi, We, at Ashnik, are enterprise open source experts providing Operating system, virtualization, Infrastructure, database, Web server and Business Intelligence services and solutions across India and South East Asia. Ashnik is partner with EnterpriseDB, MongoDB, Pentaho, NGINX, Red Hat. We are excited about goods of open source coming to the hardware world with OpenPOWER. We wish to help in best way we can in bringing choice to enterprise segment and a cost effective Linux on Power Platform. The customer segment we work with and kind of solution which we have seen picking up works on Little Endian platform. Ashnik team from India is keen to be involved in CentOS initiative and build for ppc64le. We are keen to be part of Open Power consortium and contribute towards Beta Validations as CentOS ppc64le build progresses -- -- Best Regards Sameer Kumar | DB Solution Architect *ASHNIK PTE. LTD.* 101 Cecil Street, #11-11 Tong Eng Building, Singapore 069 533 T: +65 6438 3504 | M: +65 8110 0350 | www.ashnik.com

2 3

The Right Way to mount tmpfs using systemd with the right selinux security context
by George Dunlap 14 Sep '15

14 Sep '15

In the context of packaging Xen, I'm looking for the Right Way(tm) to mount a tmpfs with a suitable security context. = Background = xenstored is a daemon run in a Xen domain 0 (control domain). It acts as a sort of registry that domains and the toolstack can use to communicate and store important information. xenstored uses a simple database stored in /var/lib/xenstored/tdb . This file is not persistent across reboots, it is fairly small, and the access speed has a major impact on the speed of the system. For this reason, mounting /var/lib/xenstored as a tmpfs results is highly recommended. The Xen project ships a number of recommended systemd initscripts with its distribution. One of these is var-lib-xenstored.mount, which simply mounts tmpfs on /var/lib/xenstored. xenstored.service requires var-lib-xenstored.mount. The default CentOS selinux policies in /etc/selinux/targeted/modules/active/file_contexts contain labels for xenstored: /var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0 /usr/sbin/xenstored -- system_u:object_r:xenstored_exec_t:s0 (Presumably somewhere there's a connection defined between the two labels; I haven't found it yet.) The security context for /var/lib/xenstored is set automatically (I presume due to the above rule): # ls -aZ /var/lib/xenstored/ drwxr-xr-x. root root system_u:object_r:xenstored_var_lib_t:s0 . = The Problem = When var-lib-xenstored.mount mounts tmpfs at /var/lib/xenstored, the security context reverts to the default for tmpfs: # systemctl start var-lib-xenstored.mount # ls -aZ /var/lib/xenstored/ drwxr-xr-x. root root system_u:object_r:tmpfs_t:s0 . SELinux subsequently denies permission to xenstored to access the location, and xenstore fails. = Discussion = The version of var-lib-xenstored.mount in Xen 4.5 contains a security context in the mount options, which can be set at configure time; the result looks something like this: Options=mode=755,context=system_u:object_r:xenstored_var_lib_t:s0 Unfortunately, the way this was set up meant that if your system did *not* have selinux, then the mount would fail. So this was removed, leaving us the way things are above. I *could* patch var-lib-xenstored.mount in my xen package; but I would like to avoid patches as much as possible. Furthermore, as someone whose main job is to be an upstream Xen developer, I would prefer to make var-lib-xenstored.mount as useful as possible *by default*, without needing to be patched / modified by people downstream using selinux. One solution which has been proposed is to use a config file (say, /etc/sysconfig/xenstored) which contains a custom set of options for var-lib-xenstored.mount. However, when poking around, I couldn't find any other places where a context is manually added to a mounted place like that, which made me wonder if there was a better, more generic way to automatically get things to work properly. I did some poking around, and found that /usr/lib/systemd/rhel-readonly mounts things with tmpfs, and sorts out the selinux stuff by running restorecon after mounting it. I tried that, and it seems to work: # restorecon -R /var/lib/xenstored # ls -aZ /var/lib/xenstored/ drwxr-xr-x. root root system_u:object_r:xenstored_var_lib_t:s0 . Running "systemctl start xenstored.sevrice" afterwards gets a working xenstore. So I guess I was wondering if there was a better way to get /var/lib/xenstored labelled with the right contexts than trying to shove the contexts in at mount time. Is there a way to have systemd automatically call restorecon after mounting the filesystem? Or is there a better way to get systemd to mount a suitable tmpfs at /var/lib/xenstored? Thanks, -George

1 0

Request to join CentOS Atomic SIG
by Dusty Mabe 14 Sep '15

14 Sep '15

Hey Everyone, As a member of the Fedora Cloud Working Group (the group within Fedora that is most focused on atomic) I am interested in joining the CentOS Atomic SIG. My hopes are to find differences in the Fedora and CentOS versions of Atomic and try to minimize those where it makes sense so that we can provide a more consistent approach for people using Atomic Host. Additionally it would be nice to find places where Fedora and CentOS can re-use the same or similar processes to generate these deliverables. What are the steps I need to take to become a SIG member? Thanks, Dusty

6 6

CentOS-7 / powerpc BE bring up
by Karanbir Singh 14 Sep '15

14 Sep '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi Ashish, Fabian is putting together a VM ( or 2 if you need more ), for the BE bringup. This would be a fedora19 VM. Fabian: Ashish has confirmed that he has all the mock configs required to bringup the CentOS 7.1406 os/ release content, then build the updates upto May 2015 content. So here is what I see happening, 1) Fabian to setup a VM for ppc64 BE 2) Fabian to setup a VM for ppc ( multilib, 32 bit ) 3) Ashish to file a bug report at bugs.centos.org to req direct access, include ssh key 4) Fabian to get Ashish setup, and get Ashish an account on the ipv4 jumphost. 5) One that is in place, Ashish to build mock itself on the machines for either 64bit or 32bit 6) Fabian to let Ashish know the mirror url for fedora19, which would be the base of the builds 7) Ashish should then be able to kick off the first bringup cycle, with mock configs he already has in place. 8) build to CentOS-7 1406 content being complete. 9) Checkpoint at this stage, to evaluate payload, build process, build delivery and workout path to automating builds from there on. We are going to use the centos-devel mailing list for communications, and irc channel #centos-ppc I am going to once again request everyone to keep AWAY from private conversations, and stick to the community visible avenues, so we can all track ( and help! ) as things evolve. We can repeat the same process for LE, s/Ashish/James/ for that. I would defer to letting Ashish and James to include other people in the process as needed, however - all user accounts MUST be created via the bugs.centos.org process, and its important that Fabian is able to execute the creation + access ( so its logged and auditable ). Once we have step-5 in place, we can engage with Jim Perrin, and workout the modalities and process of including the effort into the CentOS AltArch SIG - which would give us a distro, test, delivery proces s. does this work for everyone involved here ? regards, - -- Karanbir Singh, Project Lead, The CentOS Project +44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS GnuPG Key : http://www.karan.org/publickey.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJV8ro0AAoJEI3Oi2Mx7xbtdV8IAIJTE2kiEXZNUpWo5K+q0OMh ArYZCdquv/ZHD6/HqO0Q3IkeuBEacm/yxtoAyDF3fE3j6TvO4WT1zmpAxGq3RtAS 0PwTqTjeqoFChXxmHu17IwSDgCCCtZr8KKQgbT42RYWdMtU01jFC/LxM1PPOfABR 4adO74Gp1Pl+Zprxd8x384nH3bppUq0Br7sz0jyIWG3AKgBchRoRwvIBnj6//zqo wkX9KtajxtpmJPrZh1n0ZKndyDiXAMWDkUTk6YQX4aVOqOI5ELgjjKiiR7GY1NFy NPSI/7lNLjyDtehl+NpcwJ+6UWd8oLTltA885f0ieSGfiuMOTb7+vBq9tA/R+cI= =Vrbc -----END PGP SIGNATURE-----

6 12

CentOS-7 / ppc64le System Architectures
by Aaron Sullivan 13 Sep '15

13 Sep '15

This message is intended as follow-up to this thread: https://lists.centos.org/pipermail/centos-devel/2015-September/013792.html Rackspace is building a POWER8 based OpenPOWER server, in an Open Compute form factor. Its codename is Barreleye. Specs and target use cases are as follows: Specs: * CPU / Memory o 2 sockets o 32 DIMM slots o 8 Centaurs * IO o 2 x8 OCP Mezzanine slots o 1 x16 FHFL PCI-E slot o 1 x8 HHFL PCI-E slot o 1 x8 HHHL PCI-E slot * Storage o Systems are currently using LSI / Avago 3108 ROCs (9361-8i), but could support other ROCs o LSI / Avago SAS Expander o 15 x2.5" hot swap drives o 1 internal M.2 SATA card slot * BMC o AST2400 Chip, with internal development targeting OpenBMC ? More here: http://www.datacenterknowledge.com/archives/2015/08/14/facebooks-openbmc-ca… -- there's similar, collaborative work going on for Barreleye. There's a picture of a Barreleye rack, at Rackspace, here: https://twitter.com/Calista_Redmond/status/636367178355245056/photo/1 Use cases: * OpenStack with KVM (for an IaaS platform) * Container Platform (LXC, Docker, etc) * Bare metal host for popular applications like LAMP, Nginx, Wordpress, Go environments, and so forth * Big data apps starting with Mongo, but also including Cassandra, Redis, Hadoop, and Spark * CAPI accelerator environments We believe demand for POWER-based CentOS will be similar to our x86 demand (which is to say, significant). We hope to see it get to launch-grade quality for at least virtual machines, if not bare metal, over the next few months. --Aaron [outlook-signature-distinguished]

3 4

cloud-init - [PATCH] Add power-state-change to cloud_final_modules list
by Sebastiaan Glazenborg 11 Sep '15

11 Sep '15

According to this page: https://wiki.centos.org/Sources, at the end of that page under "Contributing code to existing Git repos" I read that I am supposed to email the centos-devel mailing list with my git patch file as an attachment... I hope this works :) 1 attachment: Add-power-state-change-to-cloud_final_modules-list.patch

2 3

Problem creating CentOS cloud image, selinux bug with cloud-init?
by Sebastiaan Glazenborg 11 Sep '15

11 Sep '15

Hello, I am trying to build my own CentOS cloud image, one reason is to better understand this process and learn from it, but am having troubles completing a fully functional image. I have read various how-to and other documentation but I keep running in to the same issue, maybe a bug? Very interested in how the CentOS cloud images were created and if the people building these ran in to the same issue. I am following these few steps: 1. create new CentOS 7 installation using virt-install and a kickstart to create base_image. nothing special is done, just using the CentOS 7 iso contents to do a minimal install + cloud-init 2. run virt-sysprep on this created base_image 3. create new kvm vm using a copy of the sysprepped disk file Because I do this all locally on my laptop I am using a config-drive iso that cloud-init is using to read meta-data and user-data files. The newly created vm is booted up, console connected, and the arrives at the prompt without having completed the various cloud-init steps. <snip boot messages> [ 6.683676] ip_tables: (C) 2000-2006 Netfilter Core Team [ 6.823284] nf_conntrack version 0.5.0 (7947 buckets, 31788 max) [ 6.885987] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 7.076775] Ebtables v2.0 registered [ 7.099351] Bridge firewalling registered cloud-init[576]: Cloud-init v. 0.7.5 running 'init-local' at Fri, 11 Sep 2015 20:02:31 +0000. Up 7.13 seconds. CentOS Linux 7 (Core) Kernel 3.10.0-229.el7.x86_64 on an x86_64 localhost login: And then nothing.. investigating [root@localhost ~]# systemctl status cloud-init-local.service -l cloud-init-local.service - Initial cloud-init job (pre-networking) Loaded: loaded (/usr/lib/systemd/system/cloud-init-local.service; enabled) Active: activating (start) since Fri 2015-09-11 22:18:45 CEST; 41s ago Main PID: 583 (cloud-init) CGroup: /system.slice/cloud-init-local.service ├─ 583 /usr/bin/python /usr/bin/cloud-init init --local ├─ 879 tee -a /var/log/cloud-init-output.log ├─1114 /bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-eth0 └─4433 /usr/bin/python -Es /usr/bin/firewall-cmd --zone= --change-interface=eth0 Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network-scripts/ifcfg-eth0 - wb: [420] 253 bytes Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False) Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False) Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Reading from /etc/sysconfig/network (quiet=False) Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Read 37 bytes from /etc/sysconfig/network Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network - wb: [420] 52 bytes Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False) Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False) Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] __init__.py[DEBUG]: Attempting to run bring up interface eth0 using command ['ifup', 'eth0'] Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True) [root@localhost ~]# grep denied /var/log/audit/audit.log type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' [root@localhost ~]# audit2allow -a -M test module test 1.0; require { type cloud_init_t; type firewalld_t; class dbus send_msg; } #============= firewalld_t ============== allow firewalld_t cloud_init_t:dbus send_msg; Now with SElinux disabled everything works fine; but thats not really something I prefer to do outside of initial testing. Googling: 'Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True)' returned this: https://bugzilla.redhat.com/show_bug.cgi?id=1126096 But that bug report is now 1 year old... Either I am doing something wrong or other people have run in to this same issue no?

1 0

Re: [CentOS-devel] CentOS-7 / powerpc BE bring up
by Lance Albertson 11 Sep '15

11 Sep '15

[I just subscribed to the list, so bare with me and sorry for the top post] I have a lot of interest in getting CentOS ppc64le going for here at the lab. For now I'd prefer having LE over BE as that is where most of the arch seems to be going. If there's anything I can do to help with this process, please let me know. I've had a lot of experience in the past several years with this architecture on Fedora. Thanks! <snip> > does this work for everyone involved here ? What's the outlook for > getting LE VMs so that the this started as well. I'm getting lots of pressure > for LE CentOS from customers, partners, and clients. Perhaps we can get folks who have shown interest in having Power on CentOS to post their preferred architecture here? -- Lance Albertson Director Oregon State University | Open Source Lab

1 0

CentOS 7 on power64 status
by James O'Connor 11 Sep '15

11 Sep '15

Just an email to summarize where we stand with CentOS 7 ppc64le (Little Endian) and ppc64 (Big Endian). We don’t have an official CentOS power64 SIG yet but I am interested in enlisting further community participation and testing when the time is appropriate. I have working proof of concept builds of c7-ppc64le and c7-ppc64. Both ports were done using Fedora 22 based PowerKVM guests. The LE port was done cleanly and involved developing a c7 based Linux From Scratch toolchain to get around a thorny issue with glibc-2.20 in Fedora 21 LE but glibc-2.17 in CentOS 7. This issue further prevents the use of Fedora 21 LE rpms because they all require GLIBC_2.18 and c7 provides GLIBC_2.17. The BE port is much more straightforward as Fedora 19 ppc64/ppc rpms are used to bootstrap the initial CentOS 7 ppc64/ppc rpms. As of yesterday we have IBM POWER8 systems up and running PowerKVM in the CentOS datacenter. Similar development and test systems are available at http://osuosl.org/ Work is underway to get Fedora ppc64le and ppc64 builders up and running and replicate the proof of concept builds. Stay tuned to the centos-devel email list or drop by #centos-ppc on irc.freenode.net to say hello.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

devel September 2015