Answering myself: "rpm -q --scripts xCAT" did the trick.

Looking through the output, there’s a call to xcatconfig -i. This guy is responsible for everything. So it boils down to disabling this xcatconfig command after installation and doing almost everything manually. With this information I think I can undo what xcatconfig does automatically, just after the installation. It’s a stop-gap solution that I can use. If you guys are willing to change this behaviour it would be welcome, at least for me.

Thanks,
Vinicius.

PS: I reran the xcatconfig command on my test machine with -V, so here’s the output:

[root@headnode ~]# xcatconfig -i -V
Running /opt/xcat/sbin/xcatconfig -i -V
Running command on headnode.cluster.iq.ufrj.br: /bin/rm /etc/xcat/hostkeys/ssh_host* 2>&1
Generating new node hostkeys...
Generating SSH2 RSA Key...
Running command on headnode.cluster.iq.ufrj.br: /usr/bin/ssh-keygen -t rsa -f /etc/xcat/hostkeys/ssh_host_rsa_key -C '' -N '' 2>&1
Generating SSH2 DSA Key...
Running command on headnode.cluster.iq.ufrj.br: /usr/bin/ssh-keygen -t dsa -f /etc/xcat/hostkeys/ssh_host_dsa_key -C '' -N '' 2>&1
Running command on headnode.cluster.iq.ufrj.br: rm -rf /tmp/ecdsa_key >/dev/null 2>&1 ; /usr/bin/ssh-keygen -t ecdsa -f /tmp/ecdsa_key -P "" &>/dev/null 2>&1
Generating SSH2 ECDSA Key...
Running command on headnode.cluster.iq.ufrj.br: /usr/bin/ssh-keygen -t ecdsa -f /etc/xcat/hostkeys/ssh_host_ecdsa_key -C '' -N '' 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/cp /etc/xcat/hostkeys/*.pub /install/postscripts/hostkeys/. 2>&1
/bin/cp /etc/xcat/hostkeys/*.pub /install/postscripts/hostkeys/. is successful
Running command on headnode.cluster.iq.ufrj.br: /bin/echo '1024' >/proc/sys/net/ipv4/neigh/default/gc_thresh1 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/echo '4096' >/proc/sys/net/ipv4/neigh/default/gc_thresh2 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/echo '8192' >/proc/sys/net/ipv4/neigh/default/gc_thresh3 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/cat /root/.ssh/config | grep 'StrictHostKeyChecking no' 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/cp -p /root/.ssh/id_rsa.pub /install/postscripts/_ssh/authorized_keys 2>&1
Copied /root/.ssh/id_rsa.pub to /install/postscripts/_ssh/authorized_keys.
Running command on headnode.cluster.iq.ufrj.br: /bin/cat /etc/exports | grep '/tftpboot' 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/cat /etc/exports | grep '/install' 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/rm -rf /install/postscripts/ca >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/mkdir -m 755 -p /install/postscripts/ca 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/cp -p /etc/xcat/ca/ca-cert.pem /install/postscripts/ca/ca-cert.pem 2>&1
/bin/cp -p /etc/xcat/ca/ca-cert.pem /install/postscripts/ca/ca-cert.pem succeeded.
Running command on headnode.cluster.iq.ufrj.br: /bin/rm -rf /install/postscripts/cert >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/rm -rf /install/postscripts/_xcat >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/mkdir -m 755 -p /install/postscripts/_xcat 2>&1
Created /install/postscripts/_xcat directory.
Running command on headnode.cluster.iq.ufrj.br: /bin/cp -p /root/.xcat/ca.pem /install/postscripts/_xcat/ca.pem 2>&1
Copied /root/.xcat/ca.pem to /install/postscripts/_xcat directory.
Running command on headnode.cluster.iq.ufrj.br: ip -4 --oneline addr show |awk -F ' ' '{print $4}'|awk -F '/' '{print $1}' 2>&1
Running command on headnode.cluster.iq.ufrj.br: /bin/grep ^[^#]*nameserver /etc/resolv.conf | awk '{print $2}' 2>&1
Running command on headnode.cluster.iq.ufrj.br: grep Subject /etc/xcat/cert/server-cert.pem 2>&1
Running command on headnode.cluster.iq.ufrj.br: find /usr/share/zoneinfo -xtype f -exec cmp -s /etc/localtime {} \; -print | grep -v posix | grep -v SystemV | grep -v right | grep -v localtime 2>&1
Running command on headnode.cluster.iq.ufrj.br: /install/postscripts/syslog 2>&1
syslog has been set up.
Running command on headnode.cluster.iq.ufrj.br: systemctl set-environment TERM=xterm-256color 2>&1
Imported TERM=xterm-256color into systemd.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable named 2>&1
Could not enable dns server.
Running command on headnode.cluster.iq.ufrj.br: XCATBYPASS=Y /opt/xcat/sbin/makenetworks 2>&1
The makenetworks command was run with no error.
httpd has been restarted.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable httpd 2>&1
httpd has been enabled.
Running command on headnode.cluster.iq.ufrj.br: systemctl enable dhcpd 2>&1
SELINUX is not disabled, disabling it now...
Running command on headnode.cluster.iq.ufrj.br: echo 0 > /sys/fs/selinux/enforce 2>&1
Running command on headnode.cluster.iq.ufrj.br: sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>&1
Running command on headnode.cluster.iq.ufrj.br: type -P SuSEfirewall2 >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: type -P SuSEfirewall2 >/dev/null 2>&1
Running command on headnode.cluster.iq.ufrj.br: systemctl disable firewalld 2>&1
xCAT is now running, it is recommended to tabedit networks and set a dynamic ip address range on any networks where nodes are to be discovered. Then, run makedhcp -n to create a new dhcpd configuration file, and /etc/init.d/dhcpd restart. Either examine sample configuration templates, or write your own, or specify a value per node with nodeadd or tabedit.

On 26 Sep 2019, at 13:11, Vinícius Ferrão via xCAT-user <[email protected]> wrote:

Hello Jarrod, so you’re the guy who can help out :)

The message was originally about firewalld and SELinux but can be extended to a lot of other things. Like the automatic names that xCAT creates for networks and things like this.

So I think a package without automatic installation would be really welcome. But for this, is there a place where everything that the xCAT package install does is documented?
If not, is there a way to get this from the package? I think the commands are sufficient.

In a complex or custom environment, manual installation, with other tools automating things, is a good idea.

Thanks.

Sent from my iPhone

On 26 Sep 2019, at 03:54, Jarrod Johnson <[email protected]> wrote:

I've been considering removing all of that from executing on rpm install (also enabling services to start on boot just by installing rpm). It was added for convenience of not asking to run a setup after install but it is inconsistent with general rpm behavior and limits ability to use flags to customize behavior.

On the flip side, this would be a change that people would have to learn and would surprise new installs. I might make a variant of the xCAT meta package with no auto setup so that people won't be surprised unless they opt into the other package. Looking for thoughts.

For wider information, it doesn't yet have os deployment, but confluent has been developing and designing specifically with firewall and selinux in mind, as well as trying to mitigate the initial setup complexity that drove us to create xcatconfig in the first place. For example no more tls certs required for local access and os import will no longer loop mount isos (one of the biggest selinux problems) and avoid rewriting other service etc files in daemon context. More straightforward network usage and a documented set of firewalld commands.

________________________________
From: Vinícius Ferrão via xCAT-user <[email protected]>
Sent: Thursday, September 26, 2019 2:27:10 AM
To: xCAT Users Mailing list
Cc: Vinícius Ferrão
Subject: [External] [xcat-user] xCAT forcibly disabling SELinux and firewalld

Hello,

When installing xCAT in EL7 with yum install xCAT it just puts SELinux in permissive mode and disables firewalld. It does not even ask about it. It just does.
[root@headnode ~]# getenforce
Permissive
[root@headnode ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Sep 26 02:55:55 headnode.cluster.iq.ufrj.br systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 26 02:55:56 headnode.cluster.iq.ufrj.br systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 26 03:09:18 headnode.cluster.iq.ufrj.br systemd[1]: Stopping firewalld - dynamic firewall daemon...
Sep 26 03:09:21 headnode.cluster.iq.ufrj.br systemd[1]: Stopped firewalld - dynamic firewall daemon.

Is there a way to avoid this behaviour?

Thanks,

PS: I’m aware of the consequences of firewalld and SELinux in xCAT environments.

_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
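Added example (not part of the thread and not xCAT code): a small POSIX shell filter that reads installer output such as the `xcatconfig -i -V` log quoted above and flags the lines that change SELinux, the firewall, or service enablement, so they can be reviewed and reverted after a package install. The sample lines are copied from the output in this thread with the host name shortened; the function names and tag names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag host-hardening changes in installer/scriptlet output.

# Constructed sample: commands copied from the `xcatconfig -i -V` output
# quoted in this thread, with the host name in the prefix shortened.
sample_log() {
cat <<'EOF'
Running command on headnode: /usr/bin/ssh-keygen -t rsa -f /etc/xcat/hostkeys/ssh_host_rsa_key -C '' -N '' 2>&1
Running command on headnode: /bin/cat /root/.ssh/config | grep 'StrictHostKeyChecking no' 2>&1
Running command on headnode: systemctl enable httpd 2>&1
Running command on headnode: echo 0 > /sys/fs/selinux/enforce 2>&1
Running command on headnode: sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>&1
Running command on headnode: systemctl disable firewalld 2>&1
EOF
}

# Read log or scriptlet text on stdin and print "tag<TAB>line" for each line
# that touches SELinux state, firewalld, or service enablement.
# The tag names are hypothetical labels chosen for this example.
flag_security_changes() {
    while IFS= read -r line; do
        case $line in
            *'/sys/fs/selinux/enforce'*|*setenforce*)
                tag=selinux-runtime ;;
            *'SELINUX='*'/etc/selinux/config'*)
                tag=selinux-config ;;
            *'systemctl disable firewalld'*|*'systemctl stop firewalld'*)
                tag=firewall-off ;;
            *'systemctl enable '*)
                tag=service-enabled ;;
            *)
                continue ;;
        esac
        printf '%s\t%s\n' "$tag" "$line"
    done
}

# Count the findings on stdin that carry the tag given as $1.
count_tag() {
    flag_security_changes | awk -F'\t' -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
sample_log | flag_security_changes
```

To use it on a real host, pipe a saved copy of the verbose installer output into `flag_security_changes` instead of `sample_log`.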
