The updated X.509 kernel module signing key for UEFI Secure Boot systems is available. Kernel module packages built in our Fedora Linux RPM Repository on or after 2018-11-11 will be signed with the new key.
Fedora 29 Upgrades Complete
Messinet Secure Services has upgraded from Fedora 28 to Fedora 29 with the notable
exception of our FreeIPA hosts which will remain on Fedora 28 until updated
Fedora 29 FreeIPA packages including the fix for 7654 are released, so a
replica can be installed successfully.
With this upgrade complete, we’re no longer building Fedora 28 RPMs in our Fedora Linux RPM Repository. Please check out our builds in the Copr Fedora community build service.
Fedora 28 Upgrades Complete
Messinet Secure Services has migrated to brand new hardware and also upgraded from
Fedora 27 to Fedora 28 with a few notable exceptions. Based on the
upstream recommendation, our FreeIPA hosts will remain on Fedora 27
until FreeIPA in Fedora 28 is ready. We’ve also elected to keep our MythTV
server on Fedora 27 until 13263 is properly resolved.
We’re quite happy to see that SELinux & systemd integration issues
1471545 & 1486567 that plagued us throughout earlier Fedora releases
seem to be resolved in Fedora 28.
Fedora 28 includes systemd support for Dynamic Users, which is a little
rough around the edges, but progress is being made in 1559281 and
1572200.
SELinux still lacks functional policy support for machinectl, systemd-nspawn and full OS containers. Unfortunately, SELinux and systemd integration issues have occurred regularly at release since Fedora 25, and it remains clear that upstream Fedora isn’t prioritizing SELinux testing prior to release, even with respect to systemd, the init daemon of choice.
With the applicable Messinet Secure Services upgrades complete, we’re no longer building RPMs for Fedora 27 in the Fedora Linux RPM Repository, though we encourage you to check out our builds in the Copr Fedora community build service.
Retiring Mailman Mailing Lists
The Messinet Secure Services mailing lists have been in operation since May 6, 2006 and it’s time to retire the Mailman software that runs our lists. While a new version of Mailman does exist, it’s far more complex than the needs of the low volume lists served here. So after many years of service, the lists will be shut down this week.
Thank you for being a part of the community!
Migration to Git over HTTPS
Messinet Secure Services has migrated to git-http-backend for remote Smart HTTPS access to our Git repositories. To update the connection information, you will need to reset the Git remote URL in each of your repositories.
For development projects, use:
$ git remote set-url origin https://messinet.com/git/<project>.git
For RPM package development, use:
$ git remote set-url origin https://messinet.com/git/rpms/<package>.git
Authentication, authorization, and access are Kerberos/GSSAPI aware. You may
want to set a few Git configuration options to make things easier. emptyAuth
lets libcurl attempt the Negotiate authentication mechanism without a username,
and cookieFile, together with saveCookies, stores the authentication cookie to
speed up sequential requests. See the git-config documentation for more
information.
[http "https://messinet.com"]
cookieFile = /tmp/my-git.cookieFile
emptyAuth = true
saveCookies = true
sslVerify = true
sslVersion = tlsv1.2
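The configuration above keeps the cookie in a fixed path under the shared /tmp directory; this added example (not from the original post) writes the same settings to an include file with the cookie jar in a private, mode-0700 directory instead. The function name, the include-file path and the cookie file name git.cookies are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names and paths are assumptions.
#
# Usage:
#   write_git_http_include ~/.config/git/messinet.inc \
#       "${XDG_RUNTIME_DIR:-$HOME/.cache}/git-messinet"
#   git config --global include.path ~/.config/git/messinet.inc

# write_git_http_include <include-file> <cookie-dir>
write_git_http_include() {
    inc=$1
    dir=$2
    (
        # Everything created here is readable by the owner only.
        umask 077
        [ -e "$dir" ] || mkdir -p "$dir" || exit 1
        # A symlink could point the cookie jar at a location someone else controls.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            echo "refusing $dir: not a real directory" >&2
            exit 1
        fi
        # The directory must belong to the calling user.
        if [ ! -O "$dir" ]; then
            echo "refusing $dir: not owned by $(id -un)" >&2
            exit 1
        fi
        chmod 700 "$dir" || exit 1
        # Same keys as the configuration above; only cookieFile differs.
        cat > "$inc" <<EOF
[http "https://messinet.com"]
    cookieFile = $dir/git.cookies
    emptyAuth = true
    saveCookies = true
    sslVerify = true
    sslVersion = tlsv1.2
EOF
    )
}

# Run directly with two arguments to write the include file.
if [ "$#" -eq 2 ]; then
    write_git_http_include "$1" "$2"
fi
```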
We have also released a new version of msspkg (msspkg-1.30-3.git433ba8f) for packagers in the Fedora Linux RPM Repository.
Fedora 27 Upgrades Complete
We’ve upgraded Messinet Secure Services from Fedora 26 to Fedora 27. Again there
are a number of SELinux, systemd, gssproxy, and nfs-utils bugs 1494852,
1497267, 1507817, 1514241 affecting our systems that probably should
have received more attention before release.
One of the most challenging SELinux & systemd integration bugs is 1471545,
whereby the wrong SELinux file context label is placed on
/run/systemd/resolve/resolv.conf, causing SELinux AVCs and daemon failures
throughout. Unfortunately, the bug’s assignee continues to close the bug as
fixed with each new selinux-policy release, with no information as to how the
fix is to work.
After using MariaDB’s GSSAPI Authentication Plugin with great success in
Fedora 26, I was looking to expand GSSAPI/SSO usage in F27, but I was unable to
get things to work, and filed 1514820 for more information.
SELinux still doesn’t really have functional policy support for machinectl, systemd-nspawn and full OS containers. The same SELinux and systemd integration issues occurred with the Fedora 25 to Fedora 26 upgrade, and it is clear that upstream Fedora doesn’t prioritize SELinux testing enough, especially with respect to systemd, its init daemon of choice.
All this, too, shall pass, and with the Messinet Secure Services upgrades complete, I’m no longer building for Fedora 26, which has been removed from the Fedora Linux RPM Repository.
Fedora 26 Upgrades Complete
With even more SELinux & systemd challenges, we’ve upgraded Messinet Secure Services from Fedora 25 to Fedora 26. This same lack of attention to SELinux and systemd integration occurred with the Fedora 24 to Fedora 25 upgrade and it is abundantly clear that upstream Fedora doesn’t value SELinux support for systemd daemons.
Another continuing disappointment is that SELinux still doesn’t really have functional policy support for machinectl, systemd-nspawn and full OS containers.
Even so, the Messinet Secure Services upgrades are complete and I’m no longer building for Fedora 25, which will soon be removed from the Fedora Linux RPM Repository. Of special note, I’ll only be building RPMs for x86_64, as i686 has been downgraded to a secondary arch in Fedora upstream.
Updated X.509 Kernel Module Signing Key
The updated X.509 kernel module signing key for UEFI Secure Boot systems is available. Kernel module packages built in our Fedora Linux RPM Repository on or after 2016-12-18 will be signed with the new key.
Goodbye Fedora 24 & Hello Fedora 25
With some SELinux & systemd challenges, we’ve upgraded Messinet Secure Services from
Fedora 24 to Fedora 25. It is clear that upstream Fedora is not getting
enough testing for systemd daemons and SELinux 1398854, 1398856.
In addition, it’s a bit disappointing that SELinux doesn’t really have policy
support for systemd-nspawn and full OS containers.
Fedora 25’s systemd contains a regression 1398886 where CPUQuota= values
greater than 100% are invalid. This was fixed upstream in August 2016,
but didn’t get backported.
Kerberized NFS support via rpc.gssd is broken due to 1264556, now fixed
as described in 1398370. This can be temporarily resolved by running
rpc.gssd in the foreground by updating /usr/lib/systemd/system/rpc-gssd.service
as shown below, though you’ll run into 1398857.
[Unit]
Description=RPC security service for NFS client and server
DefaultDependencies=no
Conflicts=umount.target
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount
ConditionPathExists=/etc/krb5.keytab
PartOf=nfs-utils.service
Wants=nfs-config.service
After=nfs-config.service
[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils
#Type=forking
#ExecStart=/usr/sbin/rpc.gssd $RPCSVCGSSDARGS
Type=simple
ExecStart=/usr/sbin/rpc.gssd -f $RPCSVCGSSDARGS
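The same foreground workaround can be applied as a systemd drop-in under /etc, which leaves the packaged unit in /usr/lib untouched and is easy to remove once fixed packages arrive. This is an added example, not from the original post; the function name, the drop-in file name foreground.conf and the optional root prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Names are assumptions.

# gssd_foreground_dropin install|remove [root-prefix]
gssd_foreground_dropin() {
    action=$1
    root=${2:-}
    d="$root/etc/systemd/system/rpc-gssd.service.d"
    f="$d/foreground.conf"
    case $action in
    install)
        mkdir -p "$d" || return 1
        # Quoted delimiter: $RPCSVCGSSDARGS must reach systemd unexpanded.
        cat > "$f" <<'EOF' || return 1
[Service]
Type=simple
# An empty ExecStart= clears the packaged command before the new one is set.
ExecStart=
ExecStart=/usr/sbin/rpc.gssd -f $RPCSVCGSSDARGS
EOF
        ;;
    remove)
        # Revert to the packaged unit once the fix is installed.
        rm -f "$f" || return 1
        rmdir "$d" 2>/dev/null || true
        ;;
    *)
        echo "usage: gssd_foreground_dropin install|remove [root-prefix]" >&2
        return 2
        ;;
    esac
    # Only touch the running system when working on the real root.
    if [ -z "$root" ]; then
        systemctl daemon-reload && systemctl try-restart rpc-gssd.service
    fi
}
```

Run `gssd_foreground_dropin install` as root to apply it and `gssd_foreground_dropin remove` to go back to the packaged unit; `systemctl cat rpc-gssd.service` shows the merged result.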
All that aside, the upgrades are complete and I’m no longer building for Fedora 24, which is removed from the Fedora Linux RPM Repository.
Chicago Cubs Win the World Series!
Cubs Win! Cubs Win! Cubs Win! #FlyTheW!
Congratulations to our Chicago Cubs who overtook the Cleveland Indians 8 to 7 in 10 innings to win the World Series for their first time since 1908!
Thank you Cubs for bringing this win to our city!