Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Domino on Astra Linux Feedback

Daniel Nashed – 27 July 2019 21:02:15


For the
Russian Notes UserGroup #RNUG  in Moscow 10 and 11 October I am preparing myself to see what is special in the Russian market.
I am really looking forward to be at the conference!


Vlad explained to me that Astra Linux is widely used on the Russian market. It is a Debian derived distribution and is used by the Russian government!
There is a strategic move away from Microsoft in government organisations. So Astra Linux will probably more important in future.


According to Wikipedia (
https://en.wikipedia.org/wiki/Astra_Linux) it is very secure and can be used to store top secret information. This alone makes it quite impressive!

So I had a look into it this morning and installed Domino including my start script on it.


It is not a supported distribution! But I would be interested to get your feedback.

Who is using it? Would you like to use it? Would this help to provide better services on the Russian market?

What are the issues/special cases you ran into?


I can only support my start script on Astra Linux. Support for Domino would be something for HCL.

So I am really interested to understand who is using it and getting feedback from the field.


For CentOS support it was quite easy to get support from HCL. CentOS is source code compatible to RHEL and HCL changed their build environment to CentOS 7.4.

For Astra Linux it would be a lot more difficult to get official support.

So I am really interested in your feedback (either as a comment or via email).


Below you find my first impressions an findings installing it on my own.


-- Daniel


Image:Domino on Astra Linux Feedback


Download/Install


After downloading the current AstraLinux Common Edition ISO from
https://astralinux.ru/ it was very straight forward to install it.
The GUI can be changed to English and supports different locates including German.


I installed the graphical version which was kind of easier for the first tests.

The installation is pretty straight forward and it comes with a couple of extra security questions.

I did not enable extra security like the hardened kernel and the more strict security settings.
But most of it was still enabled by default. So I had to re-enable ptrace to allow NSD and memcheck to access processes.

The extra hardened kernel seemed not to make any difference. The grub boad-loader selected the kernel by default.


Some minor differences


When adding a new user with adduser I noticed that the -U option to create a matching group wasn't available but generating a group before with addgroup and using that group-id when creating the user via --gid worked as expected.


The installation of Domino went well even the installer said the environment isn't supported.

Also the configuration via remote setup just worked.


There are no packages that you have to install to get it up and running (bc, perl have been already installed in the selections I made).

I installed sysstat and the gdb (GNU Debugger needed by NSD) using the graphical package manager.


Start Script


My start script could not completely installed automatically because there wasn't a /etc/sysconfig directory.

So I just created an empty directory, because the start script does always look for configuration data in it's config file located in this directory.


With this minor tweak also the start script works out of the box.


NSD Debugging requires ptrace, which is disabled by default.

This isn't new for me. We had the same limitations on our first Docker installations. For Docker you have to allow the container to use ptrace on it's running processes.


Even I haven't enabled it, ptrace wasn't allowed and NSD and memcheck could not attach to processes.

It turned out that ptrace was disabled, even the graphical installation and configuration said it was disabled.


So I used the following settings:


Check if ptrace lock is enabled


systemctl is-enabled astra-ptrace-lock

enabled


Disable ptrace lock


astra-ptrace-lock disable


Check again that it is disabled:


systemctl is-enabled astra-ptrace-lock

disabled


You have to boot your server to have this change effective

But afterwards NSD and memcheck run as expected.


Performance Tuning


Most other distributions have changed the I/O scheduler already from "cfg" at least to "deadline".

But Astra Linux still uses "cfg" as the default. So you have to add "elevator=noop" to your grub kernel boot line.

It was surprisingly easy to change the grub configuration. I just went into the graphical grub configuration and made the change.

The tool automatically wrote the right grub configuration. After a reboot the disk used "noop" as the I/O scheduler.


You can check the settings via:


cat /sys/block/sda/queue/scheduler

[noop]
deadline cfq



Summary


With a couple of smaller changes to my standard install procedure, I was able to install Domino 10.0.1 FP2 on Astra Linux.

Astra Linux looks like an interesting and secure distribution. So I look forward to your feedback and requirements.
I have no idea how many customers and partners from Russia are reading my blog.
But I would really like to hear from you and I am looking forward to see many of you In Moscow in October.

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]