[CentOS] Reduce existing CentOS 7 installation to "Minimal install" - services?
Hi,

When I install a CentOS server/desktop/workstation, I usually start from scratch with a barebone minimal installation, then add packages as needed.

Some machines (like dedicated servers in a datacenter) come preconfigured by the hosting company, so I thought it wouldn't be a bad idea to start stripping that stuff first.

Here's a little script I wrote, which essentially strips down any CentOS-7 installation to a minimal core system:

https://github.com/kikinovak/centos/blob/master/7.x/scripts/00-elaguer-paquets.sh

The script parses the 'minimal' package list and then just removes everything that's not on the list.

Now I tried running that on an existing CentOS-7 "Web Server" installation. I ran it, rebooted... and I got dropped to a console that suggested to run journalctl. Uh oh.

I'm currently catching up with systemd and its specificities, working through a bunch of online tutorials. But here's what I figured out so far. Before stripping down my system, I have to reduce services to a minimum. (On a Slackware system, which is what I'm using most of the time, that's where I would disable pretty much all services besides rc.syslog and rc.sshd.)

Now what would be the simple systemd equivalent of doing that? E. g. on any CentOS installation (be it graphical, "Web Server", "File Server", whatever), strip down services to the status that they're at just after installing a "Minimal Install"?

Cheers from the sunny South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
[CentOS] After restart, user's gnome autostart seems broken
Hello there,

CentOS6.7 64-bit up-to-date running on my laptop.. This night I had to restart (did it properly). Since then, my ~/.config/autostart/ contains some new broken .desktop files and /var/log/messages complains:

  gnome-session[7280]: WARNING: Could not parse desktop file /home/wwp/.config/autostart/gnome-keyring-daemon.desktop: Key file does not have key 'Name'
  gnome-session[7280]: WARNING: could not read /home/wwp/.config/autostart/gnome-keyring-daemon.desktop
  [snip]

the log tells the same story about other desktop files:

  gnome-settings-daemon
  gnome-settings-daemon-helper
  gnome-power-manager
  gnome-screensaver
  gdu-notification-daemon
  at-spi-registryd
  user-dirs-update-gtk
  seahorse-daemon
  evolution-alarm-notify
  xfce4-settings-helper-autostart
  xfce4-notes-autostart

IOW, stuff that sounds a bit critical from a GNOME desktop user PoV, explaining my concern.

All the new broken .desktop files show the same date (Jul 3, 2014) and seem to be related to default services (/etc/xdg/autostart) that should normally NOT be there, at least from what I see on other similar systems running here. The services related to those files are NOT present anymore in my "Startup Applications Preferences", and I start wondering if the broken local desktop files are not shadowing system ones (that seem to run fine, according to `ps ax` and to my running GNOME desktop, showing no defect).

I show you the contents of one of them, representative:

  [Desktop Entry]
  X-XFCE-Autostart-Override=false
  Hidden=true

On another CentOS 6.7 box, I notice that those services (gnome keyring, at spi registry wrapper, etc.) are present in the "Startup Applications Preferences" but NOT in ~/.config/autostart/, so I assume that default system things are taken into account there.

BTW, my user desktop settings are NOT to "automatically remember running applications when logging out".

I have a complete backup of the system after last reboot (and a differential backup from one day ago), so I'm not risking anything apparently, but does anybody understand what happened? Is it safe to remove those broken desktop files and relogin my user?

Regards,

--
wwp
Re: [CentOS] CentOS 7 and 4K display
Perhaps you should report to the MATE forums.
Re: [CentOS] CentOS 7 and 4K display
On Thu, May 5, 2016 4:35 pm, Frank Cox wrote:
> On Thu, 5 May 2016 19:05:00 +0100 (BST)
> Nux! wrote:
>
>> I believe there is no support for 4K in MATE yet
>
> My monitor runs at 2560x1440 with Centos 7 and Mate. I have to use the
> displayport connection between the computer and the monitor to make it
> work, though.

On my Fujitsu Ultrabook U904 I have screen 3200x1800 and under mate it uses full resolution. The only catch here is: I run FreeBSD (10.3), but still I would agree: it will be a good idea to check how the screen is connected. E.G., if it is DVI, then it should be dual link DVI cable, not just regular one...

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Copying CentOS to new drive
On Wed, May 4, 2016 at 3:38 AM, Timothy Murphy wrote:
> I recently asked about copying a running system to a new drive.
>
> As a postscript, I'm wondering if it would have been preferable
> to run the machine under a Live OS, and simply copy the root partition
> to the new drive?
> Eg while running under the LiveOS,
> # mkdir /mnt/old /mnt/new
> # mount /dev/sda7 /mnt/old
> # mount /dev/sdb6 /mnt/new
> # cp -avx /mnt/old /mnt/new
> or
> # rsync -ax --progress /mnt/old /mnt/new

As has been discussed, doing file copies from a running system is not recommended.

If by "Live OS" you mean booting the system with a LiveCD, then clonezilla would do all of the above.

note: target (new) disk >= disk of the old system

--
Arun Khan
Re: [CentOS] CentOS 7 and 4K display
On Thu, 5 May 2016 19:05:00 +0100 (BST) Nux! wrote:
> I believe there is no support for 4K in MATE yet

My monitor runs at 2560x1440 with Centos 7 and Mate. I have to use the displayport connection between the computer and the monitor to make it work, though.

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
Re: [CentOS] FirewallD and FTP passive mode
On 5 May 2016 4:54 p.m., "Gordon Messmer" wrote:
>
> On 05/05/2016 06:15 AM, Marcin Trendota wrote:
>>
>> Also this IP looks weird - shouldn't it be public IP?
>
> Yes, it should. Are you using FTPS (FTP with TLS)?
>
> You probably need to set the pasv_address option.

Although of course FTPS (FTP over SSL) breaks the snooping required for the related conntracking which makes firewall configuration hell.

Do yourself a favour and drop FTP, switching over to SFTP instead as that's far easier to secure and you only have to care about the single TCP port for firewalls.
Re: [CentOS] CentOS 7 and 4K display
Hi Jerry,

I believe there is no support for 4K in MATE yet, a nice problem to have though. I'd check Gnome or KDE.

--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro

- Original Message -
> From: "Jerry Geis"
> To: "CentOS mailing list"
> Sent: Thursday, 5 May, 2016 18:39:47
> Subject: [CentOS] CentOS 7 and 4K display

> I installed C7 along with MATE desktop...
>
> My monitor is a 4K unit but when I goto the
> System -> preferences -> hardware -> Displays
> there is selection for the 4K display. It stops at 1920x1080.
>
> The var log x file shows the 4K resolutions in the file so that is good.
>
> How do I get the selections for 4K to show up?
>
> Thanks,
>
> Jerry
[CentOS] CentOS 7 and 4K display
I installed C7 along with MATE desktop...

My monitor is a 4K unit but when I goto the System -> preferences -> hardware -> Displays there is selection for the 4K display. It stops at 1920x1080.

The var log x file shows the 4K resolutions in the file so that is good.

How do I get the selections for 4K to show up?

Thanks,

Jerry
Re: [CentOS] [MASSMAIL] Re: yum update (first in a long time) - /var/log/dovecot no longer used
On Thu, May 5, 2016 9:58 am, Gary Stainburn wrote:
> On Thursday 05 May 2016 15:19:47 John Hodrien wrote:
>> I'd take a stab at:
>> journalctl -fu dovecot
>> The full RHEL7 System Administrators Guide is well worth a read, but here's
>> the bit you're probably after.
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-Using_the_Journal.html
>> Or maybe:
>> https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs
>> jh
>
> Thanks John. Another example of systemd project creep - AKA systemd's plan
> for world domination

There were several heated discussions on this list, and elsewhere. This is not intended to start the new one, but to help someone who missed them to define their statute. People split into two groups:

Opponents of systemd (firewalld, etc.) who argue that from formerly Unix-like system Linux becomes Unix-unlike (or more MS Windows-like), and this is bad.

Proponents of systemd etc. who argue that the life goes on, systems evolve and you better keep up with changes.

Therefore, for new person who is about to, let's say, upgrade Linux system to the version with systemd, there is a decision that will define that person's future maintenance of this new system. And the decision has to be made before upgrade.

Luckily for those who do decide to go with systemd, bugs (that always are present in new software) are being solved.

Luckily for those who do not accept fundamental changes systemd brings (like binary logs or config files infested with XML garbage - sorry if I'm missing or misinterpreting something) there are Unix system one can migrate machine to.

Either way one has to read and estimate what making that step (upgrading to systemd, firewalld based Linux or switching to some flavor of Unix) will entail in a long run for that server and the server admin. Either way, as in one of Unix handbooks they stress: read carefully the upgrade notes!

I hope, this helps someone.

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] FirewallD and FTP passive mode
On 05/05/2016 06:15 AM, Marcin Trendota wrote:
> Also this IP looks weird - shouldn't it be public IP?

Yes, it should. Are you using FTPS (FTP with TLS)?

You probably need to set the pasv_address option.
Re: [CentOS] [MASSMAIL] Re: yum update (first in a long time) - /var/log/dovecot no longer used
On Thursday 05 May 2016 15:19:47 John Hodrien wrote:
>
> I'd take a stab at:
>
> journalctl -fu dovecot
>
> The full RHEL7 System Administrators Guide is well worth a read, but here's
> the bit you're probably after.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-Using_the_Journal.html
>
> Or maybe:
>
> https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs
>
> jh

Thanks John. Another example of systemd project creep - AKA systemd's plan for world domination
Re: [CentOS] [MASSMAIL] Dovecot on C7.2 - secure internet access
On Thursday 05 May 2016 15:34:48 Alexander Dalloz wrote:
> Connect with:
>
> openssl s_client -connect :143 -starttls imap
>
> Then issue IMAP commands:
>
> 01 CAPABILITY
> 02 LOGIN user password
> 03 LOGOUT
>
> That should be successful and you should have seen the configured AUTH
> mechanisms. Now try without transport layer security:
>
> telnet 143
>
> 01 LOGIN user password
>
> That should be forbidden because of LOGINDISABLED.
>
> Regards
>
> Alexander

Thanks for this Alexander.

I tried this from inside my LAN and both the openssl and the telnet sessions worked.

I then tried it from outside my LAN and the openssl session worked while the telnet session failed. Exactly what I wanted.

That does beg the question as to why Thunderbird failed.
Re: [CentOS] [MASSMAIL] Dovecot on C7.2 - secure internet access
On 05.05.2016 at 16:18, Gary Stainburn wrote:
> I've tried the changes that I put below. Users are still able to log in from
> the LAN. However, despite putting the appropriate rule in my firewall
> allowing port 143 I cannot create a user on a PC outside my network.
>
> I'm using Thunderbird to do the testing. Is there a better way to test my
> setup? Thunderbird doesn't give any diagnostic data, it just says it's
> failed to test the account.

Connect with:

  openssl s_client -connect :143 -starttls imap

Then issue IMAP commands:

  01 CAPABILITY
  02 LOGIN user password
  03 LOGOUT

That should be successful and you should have seen the configured AUTH mechanisms. Now try without transport layer security:

  telnet 143

  01 LOGIN user password

That should be forbidden because of LOGINDISABLED.

Regards

Alexander
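The manual check described in the message above can be scripted. The following is an added example, not part of the original thread: it reads the capabilities an IMAP server announces before TLS and reports whether STARTTLS is offered and plaintext LOGIN is disabled, without ever sending credentials. The function names and both sample greetings are constructed for illustration.

```python
import socket

# Constructed sample greetings (not captured from the poster's server).
WAN_CAPTURE = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
               "STARTTLS LOGINDISABLED] Dovecot ready.\r\n"]
LAN_CAPTURE = ["* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
               "STARTTLS AUTH=PLAIN] Dovecot ready.\r\n"]


def parse_capabilities(lines):
    """Collect capability atoms from '* CAPABILITY ...' data lines and
    from '[CAPABILITY ...]' response codes (as found in the greeting)."""
    caps = set()
    for line in lines:
        upper = line.strip().upper()
        if upper.startswith("* CAPABILITY "):
            caps.update(upper.split()[2:])
        elif "[CAPABILITY " in upper:
            inside = upper.split("[CAPABILITY ", 1)[1].split("]", 1)[0]
            caps.update(inside.split())
    return caps


def plaintext_policy(caps):
    """Return the problems with the pre-TLS capability set; empty means
    the server insists on TLS before LOGIN."""
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        problems.append("LOGINDISABLED missing: LOGIN is accepted before TLS")
    return problems


def probe(host, port=143, timeout=5.0):
    """Live version of the telnet test: read the greeting, send CAPABILITY
    in the clear, log out. No LOGIN command is ever sent."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        lines.append(stream.readline().decode("ascii", "replace"))
        stream.write(b"01 CAPABILITY\r\n")
        stream.flush()
        while True:
            line = stream.readline().decode("ascii", "replace")
            if not line:
                break
            lines.append(line)
            if line.startswith("01 "):  # tagged completion of our command
                break
        stream.write(b"02 LOGOUT\r\n")
        stream.flush()
    return plaintext_policy(parse_capabilities(lines))


if __name__ == "__main__":
    for name, capture in (("WAN", WAN_CAPTURE), ("LAN", LAN_CAPTURE)):
        print(name, plaintext_policy(parse_capabilities(capture)) or "ok")
```

Running `probe()` once from inside the LAN and once from outside shows whether the per-network override behaves as intended.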
[CentOS] CentOS 7, hostname, and rsyslogd
A current system, but this has been happening since I built this box last fall: the system gets its name via DHCP, not from a hostname file. On reboot, such as after a yum update, it *appears* as though rsyslogd is started before the network is up, and so it doesn't have its hostname yet... so /var/log/messages shows the hostname as localhost. If I restart rsyslogd, everything's fine.

Has anyone else seen this behaviour?

mark
Re: [CentOS] yum update (first in a long time) - /var/log/dovecot no longer used
On Thu, 5 May 2016, Gary Stainburn wrote:
> Another change to my Centos 7.2 system since my 'yum update' yesterday is
> that /var/log/dovecot is no longer written to.
>
> If I do 'systemctl status dovecot' I can see log entries. How can I now do
> the equiv of 'tail -f '
>
> Also, why has this changed, and where is it documented?

I'd take a stab at:

  journalctl -fu dovecot

The full RHEL7 System Administrators Guide is well worth a read, but here's the bit you're probably after.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-Using_the_Journal.html

Or maybe:

https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs

jh
Re: [CentOS] [MASSMAIL] Dovecot on C7.2 - secure internet access
I've tried the changes that I put below. Users are still able to log in from the LAN. However, despite putting the appropriate rule in my firewall allowing port 143 I cannot create a user on a PC outside my network.

I'm using Thunderbird to do the testing. Is there a better way to test my setup? Thunderbird doesn't give any diagnostic data, it just says it's failed to test the account.

On Thursday 05 May 2016 11:03:34 Gary Stainburn wrote:
> I have a mail server running on Centos 7.2 which has been working for my
> LAN for a long time.
>
> I'm at the point where I have to make it accessible to the internet. At
> the moment, access can be insecure but as it's on my LAN it isn't an issue.
>
> However, for internet access I wish to force SSL/TLS. Having read the
> documents I think it's as simple as changing 10-ssl.conf from
>
> ssl = yes
>
> to
>
> ssl = required
> remote 10.0.0.0/8 {
>   ssl = yes
> }
>
> Am I right in thinking that this would make the global value now force
> SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the
> old value of 'yes'
>
> Is there a better way to do this?
> Have I missed anything?
> I believe that this means implies
>
> disable_plaintext_auth = no
>
> for all except my LAN. Is that right?

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
[CentOS] yum update (first in a long time) - /var/log/dovecot no longer used
Me again,

Another change to my Centos 7.2 system since my 'yum update' yesterday is that /var/log/dovecot is no longer written to.

If I do 'systemctl status dovecot' I can see log entries. How can I now do the equiv of 'tail -f '

Also, why has this changed, and where is it documented?
[CentOS] FirewallD and FTP passive mode
Howdy

I'm trying to run FTP server behind firewall. And I can't enable passive mode from the Internet. There are plenty howtos but there aren't many with my combination.

For now I have configured port forwarding and ftp server itself.

On the router:

  # firewall-cmd --list-all --zone=external
  external (active)
    interfaces: enp3s1
    sources:
    services: openvpn ssh
    ports: 1194/tcp 2666/tcp 88/tcp
    masquerade: yes
    forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
          port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
          port=88:proto=tcp:toport=80:toaddr=10.0.32.23
    icmp-blocks:
    rich rules:

I also did:

  # modprobe ip_conntrack_ftp ports=10090,10100

excerpt from vsftpd.conf on the FTP server:

  pasv_enable=Yes
  pasv_min_port=10090
  pasv_max_port=10100
  pasv_addr_resolve=Yes

From LAN or through VPN it works. But on the public address I can only log in, cannot turn into passive mode:

  Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
  220 (vsFTPd 2.2.2)
  Name (ftp1.domain.com:root): user
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls
  227 Entering Passive Mode (10,0,32,7,39,111).
  ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be public IP?

What am I doing wrong? TIA.

--
Over And Out
MoonWolf
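The 227 reply in the transcript above carries both the address and the data port the server is telling the client to use. As an added example (not part of the original post), this Python code decodes such a reply and flags the two conditions relevant to this setup: a private address advertised to a client that reached the server on a public one, and a data port outside the forwarded range. The function names are hypothetical, and 203.0.113.10 is a constructed documentation address standing in for the masked public IP.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so the check does not depend on how a
# given Python version classifies documentation or other special ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 227 reply payload is h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

PAGE_REPLY = "227 Entering Passive Mode (10,0,32,7,39,111)."      # from the post
FIXED_REPLY = "227 Entering Passive Mode (203,0,113,10,39,111)."  # constructed


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def decode_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply."""
    match = PASV_RE.match(reply.strip())
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(group) for group in match.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % reply)
    addr = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def audit_pasv(reply, control_addr, pasv_min, pasv_max):
    """Compare the advertised endpoint with the address the client used for
    the control connection and with the forwarded port range."""
    addr, port = decode_pasv(reply)
    control = ipaddress.IPv4Address(control_addr)
    findings = []
    if is_rfc1918(addr) and not is_rfc1918(control):
        findings.append("private address %s advertised to a client that "
                        "connected to %s (NAT in between)" % (addr, control))
    elif addr != control:
        findings.append("advertised address %s differs from control "
                        "address %s" % (addr, control))
    if not pasv_min <= port <= pasv_max:
        findings.append("data port %d outside forwarded range %d-%d"
                        % (port, pasv_min, pasv_max))
    return findings


if __name__ == "__main__":
    print(decode_pasv(PAGE_REPLY))
    for finding in audit_pasv(PAGE_REPLY, "203.0.113.10", 10090, 10100):
        print("FINDING:", finding)
```

For the reply in the post, the port decodes to 39*256+111 = 10095, inside the forwarded 10090-10100 range, so the only finding is the advertised LAN address.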
Re: [CentOS] Regarding upgrade from CentOS .5.5 to CentOS 7
On 05/05/2016 12:13 AM, Venkateswara Rao Dokku wrote:
> Hi,
>
> I wanted to upgrade from centOS 5.5 to CentOS 7 without losing the data.
>
> Is there any upgrade path available?
>
> or what is the proper way to do it without affecting the existing config?
>
> Thanks for the help
>

Others have touched on this, but you do need to consider how many versions the programs have jumped from 5.5 to 7. Configurations for many things are going to need to be completely redone.

For example:

Apache moves from version 2.2.3 to version 2.4.6 .. so you will need to google and read how to upgrade from apache 2.2 to apache 2.4

samba (if you use it) moves from version 3.0.33 to version 4.2.3, major config changes needed.

mysql from 5.0.77 to mariadb 5.5.44 - data is required to be upgraded and new config.

Basically, if this is a server, every service you run is going to make major version jumps and most of them will require new configurations. Some of them will require some kind of data conversion and configuration changes.

So, this is a complete process and not an upgrade.
[CentOS] Dovecot on C7.2 - secure internet access
I have a mail server running on Centos 7.2 which has been working for my LAN for a long time.

I'm at the point where I have to make it accessible to the internet. At the moment, access can be insecure but as it's on my LAN it isn't an issue.

However, for internet access I wish to force SSL/TLS. Having read the documents I think it's as simple as changing 10-ssl.conf from

  ssl = yes

to

  ssl = required
  remote 10.0.0.0/8 {
    ssl = yes
  }

Am I right in thinking that this would make the global value now force SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the old value of 'yes'

Is there a better way to do this?
Have I missed anything?
I believe that this means implies

  disable_plaintext_auth = no

for all except my LAN. Is that right?
Re: [CentOS] SOLVED - yum update (first in a long time) has broken clamd.exim
I restarted clamd and the run file was created. I un-commented the code in exim.conf and everything started working again.

The only thing I can think of is that the update of clamd-data may have installed stale data which was then replaced with the freshclam CRON job.

Either way, we're all working again.

On Wednesday 04 May 2016 16:40:48 Gary Stainburn wrote:
> I have just run a 'yum update' on a Centos 7.2 server which updated several
> hundred RPMs.
>
> The update worked fine with no errors or warnings
>
> I then rebooted the server and now my EXIM is rejecting emails because the
> clamd service isn't running.
>
> So I tried:
>
> [root@ollie2 ~]# systemctl restart clamd.exim
> Failed to restart clamd.exim.service: Unit clamd.exim.service failed to load: No such file or directory.
> [root@ollie2 ~]# systemctl list-unit-files --type=service|grep -i exim
> exim.service                enabled
> [root@ollie2 ~]# systemctl list-unit-files --type=service|grep -i clam
> clamd.service               enabled
> clamd@.service              static
> [root@ollie2 ~]# systemctl restart clamd
> [root@ollie2 ~]# systemctl status clamd
> ● clamd.service - Home brewed module for the Clam Antivirus scanner
>    Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
>    Active: failed (Result: start-limit) since Wed 2016-05-04 16:34:16 BST; 5s ago
>   Process: 14405 ExecStart=/root/bin/clamd.start (code=exited, status=1/FAILURE)
>  Main PID: 14405 (code=exited, status=1/FAILURE)
>
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: Unit clamd.service entered failed state.
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: clamd.service failed.
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: clamd.service holdoff time over, scheduling restart.
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: start request repeated too quickly for clamd.service
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: Failed to start Home brewed module for the Clam Antivirus scanner.
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: Unit clamd.service entered failed state.
> May 04 16:34:16 ollie2.ringways.co.uk systemd[1]: clamd.service failed.
> [root@ollie2 ~]#
>
> Can anyone tell me what happened to clamd.exim, and what I need to do to
> get it working again. For now I've had to comment out:
>
> # Deny if the message contains a virus. Before enabling this check, you
> # must install a virus scanner and set the av_scanner option above.
> #
> deny    set acl_m0 = clamd:/var/run/clamd.exim/clamd.sock
>         malware    = *
>         set acl_c_SPAM = 1
>         message    = A virus has been detected ($malware_name).

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk