guide:Os/2
Contents
requirements
- Versions
- Scientific Linux version 4.7 64 bit (NFS, Torque, cfengine, Login server, interactive node, WN)
- Scientific Linux version 4.7 32 bit (gLite 3.1 CE + sBDII + MON)
- Scientific Linux version 5.1 64 bit (OGSA-DAI, dCache, Unicore 5, Unicore 6, Globus ToolKit 4)
- Information
- Links
- Documents
- FG3-5 Recommendations Static Firewall.pdf
- Scientific Linux 4.x installation
- Scientific Linux 5.x installation
- Update SL5x
- Images
notes
Optimizing the configuration:
Use a minimal operating system installation without a firewall. To verify that a package is installed, use the command
    rpm -qa | grep package_name
Install the following additional packages:
    yum -y install wget yum rpm make gcc gcc-c++ tar sed zlib openssl
After the installation is complete, turn off any unnecessary services (like gpm, sendmail, cups, haldaemon, messagebus, pcmcia, anacron, atd) with the following command:
    chkconfig <SERVICE> off
Configure the following settings for the server:
deactivate automatic updates for yum
    # completely stop any updates
    chkconfig yum off
    /etc/init.d/yum stop
    # but this also prevents security updates, hence instead use
    vi /etc/yum.conf
    # and add to the repository options:
    exclude=java*
In the first phase of the D-Grid project, connections should be allowed from any external host; restrictions based on IP address or IP subnet will be considered in a later step.
Re- and deinstallation, updates
Package managers such as yum or yast handle updates, new installations and removals of packages well. See their manuals for the options appropriate to the task at hand.
Vulnerabilities issues
- Kernel RedHat Vulnerabilities
According to http://kbase.redhat.com/faq/docs/DOC-18065: "The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket."
Solution (Red Hat Enterprise Linux 4 and 5): add the following entries to the end of the /etc/modprobe.conf file:
    install pppox /bin/true
    install bluetooth /bin/true
    install sctp /bin/true
The sctp module cannot be unloaded from a running kernel once it is loaded; therefore, the above changes to /etc/modprobe.conf on Red Hat Enterprise Linux 4 and 5 require a reboot to take effect.
You can use a cfengine task to apply this change on all hosts. See example
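As an added example (not part of the original page and not the D-Grid cfengine task), a small POSIX shell check that verifies the three blackhole entries are present in /etc/modprobe.conf and reports whether any of the blocked modules is still loaded; the file paths are parameters so the functions can also be run against copies.

```shell
#!/bin/sh
# Added example, not from the original page: verify the modprobe.conf
# workaround for the sock_sendpage issue and report whether the blocked
# modules are still loaded (sctp needs a reboot, as noted above).

# Modules the page disables with "install <module> /bin/true".
BLOCKED_MODULES="pppox bluetooth sctp"

# check_modprobe_conf FILE
# Returns 0 when every blocked module has an "install <module> /bin/true"
# line in FILE; otherwise names the missing ones on stderr and returns 1.
check_modprobe_conf() {
    conf="$1"
    missing=""
    for m in $BLOCKED_MODULES; do
        if ! grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/true([[:space:]]|$)" "$conf" 2>/dev/null; then
            missing="$missing $m"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing install-blackhole lines for:$missing" >&2
        return 1
    fi
    return 0
}

# loaded_blocked_modules [MODULES_FILE]
# Prints the blocked modules that are currently loaded according to
# /proc/modules (or MODULES_FILE, for testing against a copy).
# Returns 0 when none of them is loaded, 1 otherwise.
loaded_blocked_modules() {
    modfile="${1:-/proc/modules}"
    found=""
    for m in $BLOCKED_MODULES; do
        # /proc/modules lines start with "<name> <size> <refcount> ..."
        if grep -Eq "^$m " "$modfile" 2>/dev/null; then
            found="$found $m"
        fi
    done
    if [ -n "$found" ]; then
        echo "still loaded (reboot required):$found"
        return 1
    fi
    return 0
}

# Stand-alone use on the host itself: sh check_modprobe.sh --check-host
if [ "${1:-}" = "--check-host" ]; then
    check_modprobe_conf /etc/modprobe.conf
    loaded_blocked_modules
fi
```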
firewall
Incoming connections
Configurations for the following middleware components are separately described:
Outgoing connections
All hosts in the D-Grid reference installation must be able to communicate with external services, i.e. the firewall must allow outgoing connections to any remote host for the following ports:
| Service | Ports |
| NJS | 1128 |
| GRAM | 2119 |
| GRIS | 2135-2136 |
| BDII | 2170 |
| GridFTP | 2811 |
| WS-GRAM + WS-MDS + RFT + R-GMA + SRM + WSRF-DAI | 8443 |
| GRAM + WS-GRAM + GridFTP | 20000-25000 |
Further information can be found in the document FG3-5 Recommendations Static Firewall.pdf.