With some SELinux & systemd challenges, we’ve upgraded Messinet Secure Services from Fedora 24 to Fedora 25. It is clear that upstream Fedora is not getting enough testing for systemd daemons and SELinux (1398854, 1398856). In addition, it’s a bit disappointing that SELinux doesn’t really have policy support for systemd-nspawn and full OS containers.

Fedora 25’s systemd contains a regression (1398886) where CPUQuota= values greater than 100% are invalid. This was fixed upstream in August 2016, but didn’t get backported.

Kerberized NFS support via rpc.gssd is broken due to 1264556, now fixed as described in 1398370. This can be temporarily resolved by updating /usr/lib/systemd/system/rpc-gssd.service to run rpc.gssd in the foreground, as shown below, though you’ll run into 1398857.

[Unit]
Description=RPC security service for NFS client and server
DefaultDependencies=no
Conflicts=umount.target
Requires=var-lib-nfs-rpc_pipefs.mount
After=var-lib-nfs-rpc_pipefs.mount

ConditionPathExists=/etc/krb5.keytab

PartOf=nfs-utils.service

Wants=nfs-config.service
After=nfs-config.service

[Service]
EnvironmentFile=-/run/sysconfig/nfs-utils

#Type=forking
#ExecStart=/usr/sbin/rpc.gssd $RPCSVCGSSDARGS
Type=simple
ExecStart=/usr/sbin/rpc.gssd -f $RPCSVCGSSDARGS
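
The same foreground change can also be carried in a drop-in under /etc/systemd/system/rpc-gssd.service.d/, so that a later package update does not overwrite it. This is an added example, not part of the original post; the drop-in file name foreground.conf and the optional staging-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the rpc.gssd foreground workaround as a systemd
# drop-in instead of editing the packaged unit file.
# Assumptions: the drop-in name "foreground.conf" and the ROOT staging
# prefix are constructed for this example.

# write_gssd_dropin [ROOT]
#   ROOT is an optional staging prefix for dry runs; empty means the live
#   system. Prints the path of the file it wrote.
write_gssd_dropin() {
    root="${1:-}"
    dir="$root/etc/systemd/system/rpc-gssd.service.d"
    conf="$dir/foreground.conf"

    mkdir -p "$dir" || return 1
    # Quoted heredoc: $RPCSVCGSSDARGS must reach systemd unexpanded, since
    # systemd substitutes it from the unit's EnvironmentFile=.
    cat > "$conf" <<'EOF' || return 1
[Service]
Type=simple
# An empty ExecStart= clears the packaged command. Without it systemd
# refuses the unit for having two ExecStart= lines on a non-oneshot service.
ExecStart=
ExecStart=/usr/sbin/rpc.gssd -f $RPCSVCGSSDARGS
EOF
    chmod 0644 "$conf" || return 1
    printf '%s\n' "$conf"
}

# apply_gssd_dropin: write to the live system, reload units and restart
# the service (needs root).
apply_gssd_dropin() {
    write_gssd_dropin "" >/dev/null || return 1
    systemctl daemon-reload || return 1
    systemctl restart rpc-gssd.service
}
```

Once the fixed package is installed, deleting the drop-in and running systemctl daemon-reload returns the service to the packaged definition.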

All that aside, the upgrades are complete and I’m no longer building for Fedora 24, which is removed from the Fedora Linux RPM Repository.