[CentOS] SecureBoot : rolling out new shim pkgs for CentOS 7.5.1804 in CR repository - asking for testers/feedback
When we consolidated all CentOS Distro builders in a new centralized setup, covering all arches (so basically x86_64, i386, ppc64le, ppc64, aarch64 and armhfp those days), we wanted also to add redundancy where it was possible to.

The interesting "SecureBoot" corner case came on the table and we had to find a different way to build the following packages:
- shim (both signed and unsigned)
- grub2
- fwupdate
- kernel

The other reason why we considered rebuilding it is that the cert we were using has expired:

curl --location --silent https://github.com/CentOS/sig-core-SecureBoot/raw/master/CentOS_7/kernel/SOURCES/centos.cer | openssl x509 -inform der -text -noout|grep -A2 Validity

While technically it doesn't really matter for Secureboot itself, it was better to get a new key/cert rolled-in and use the new one for new builds.

That's where it's interesting as because shim embeds the certs in the Machine Owner Key (MOK), and that each other component used in the boot chain is validated against that (so grub2 first, then kernel and kernel modules) that means that once deployed, the new shim would not be able to boot previous grub2/kernel.

But there is a solution for that: instead of "embedding" only the new cert, we can have both the old one and new one, permitting us to still boot older kernels but also the new ones we'll build/push soon (built on the new build system), and that's what we used for that new shim package.

That's where we'd like you (SecureBoot users) to give us feedback about that new shim pkg. It was already validated on some hardware nodes, passed some QA tests, but we'd prefer to have more feedback.

Worth noting that such rebuild has also a patch that should fix an issue we had with shim not allowing to import key in MOK through mokutil (see https://bugs.centos.org/view.php?id=14050)

How can you test?

If you're using UEFI with SecureBoot enabled, we have signed/pushed those pkgs to the CR repository (see https://wiki.centos.org/AdditionalResources/Repositories/CR)

That repo is by default disabled, but following command would let you update shim:

yum update shim --enablerepo=cr

Then reboot and it should work like before, so validating the boot chain (while still using grub2/kernel packages signed with previous key)

We'd appreciate feedback on this list, or #centos-devel on irc.freenode.net

I'd like to thank Patrick Uiterwijk and Peter Jones for their help for the patch and validation for that shim

--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
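The certificate validity check from the announcement above, scripted so it can run unattended over one or more certificate files (for instance the old and the new signing cert). This is an added example, not part of the original message or of CentOS tooling: the function names are made up for illustration, the sample certificate is a throwaway self-signed one generated on the spot, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: classify a certificate's validity window with openssl.

# Detect the encoding. The certificate linked in the message is DER, while
# openssl x509 assumes PEM unless told otherwise.
cert_form() {
    for form in der pem; do
        if openssl x509 -inform "$form" -in "$1" -noout >/dev/null 2>&1; then
            echo "$form"
            return 0
        fi
    done
    return 1
}

# cert_status FILE [WARN_DAYS] -> EXPIRED | EXPIRING | VALID | UNREADABLE
cert_status() {
    cs_file=$1
    cs_warn_days=${2:-30}
    cs_form=$(cert_form "$cs_file") || { echo UNREADABLE; return 2; }
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -inform "$cs_form" -in "$cs_file" -noout \
            -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -inform "$cs_form" -in "$cs_file" -noout \
            -checkend "$(( $cs_warn_days * 86400 ))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo VALID
    fi
}

# cert_report FILE [WARN_DAYS] -> one tab-separated line per certificate:
# status, notAfter date, SHA-256 fingerprint (to tell certs apart), path.
cert_report() {
    cr_status=$(cert_status "$1" "${2:-30}") || { echo "$cr_status	$1"; return 2; }
    cr_form=$(cert_form "$1")
    cr_end=$(openssl x509 -inform "$cr_form" -in "$1" -noout -enddate \
        | sed 's/^[^=]*=//')
    cr_fp=$(openssl x509 -inform "$cr_form" -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//')
    printf '%s\tnotAfter=%s\tsha256=%s\t%s\n' "$cr_status" "$cr_end" "$cr_fp" "$1"
}

# Constructed sample input: a throwaway self-signed cert valid for DAYS days,
# written in DER like the certificate the message inspects.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed example cert" \
        -keyout "$1.key" -out "$1" -outform der >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_constructed_cert "$demo_dir/constructed.der" 10
cert_report "$demo_dir/constructed.der" 5     # 10 days left, 5-day warning window
cert_report "$demo_dir/constructed.der" 30    # 10 days left, 30-day warning window
```

To check the real certificate, save the URL from the message to a file with curl --location --silent --output centos.cer and run cert_report centos.cer.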
Re: [CentOS] Panic / EL6 / KVM / kernel-2.6.32-754.2.1.el6.x86_64
> Since the update from kernel-2.6.32-754.2.1.el6.x86_64
> to kernel-2.6.32-754.3.5.el6.x86_64 I can not boot my
> KVM guests anymore!? The workstation panics immediately!
>
> I would not have expected this behavior now (last phase of OS).
> It was very robust until now (Optiplex Workstation). I see some KVM
> related lines in the changelog.diff. Before swimming upstream:
>
> Does some one have problems related to KVM with
> kernel-2.6.32-754.3.5.el6.x86_64 ??

Is there any chance that this is related? Could you try downgrading qemu-img/qemu-kvm and see if it helps?

https://bugs.centos.org/view.php?id=15067

Regards,
Simon
[CentOS] TUTORIAL: How to Install Apache Web Server in CentOS 7.5 (1805) Linux in Amazon AWS Cloud with URL/HTTP/HTTPS Redirection
TUTORIAL: How to Install Apache Web Server in CentOS 7.5 (1805) Linux in Amazon AWS Cloud with URL/HTTP/HTTPS Redirection

AUTHOR OF THIS TUTORIAL: MR. TURRITOPSIS DOHRNII TEO EN MING (ZHANG ENMING) @ TIME TRAVELLER
AGE: 40 YEARS OLD
COUNTRY OF RESIDENCE: SINGAPORE
DATE: 30TH AUGUST 2018 THURSDAY
TIME: 10:49 AM SINGAPORE TIME Greenwich Mean Time+8

1. Sign up for Amazon AWS Cloud or Google Cloud Platform or Microsoft Azure Cloud or Ali Baba Cloud account (your preference).
2. Login to Amazon AWS Management Console.
3. Click EC2 under Compute.
4. Click Elastic IPs under Network and Security.
5. Click Allocate New Address.
6. Click the Allocate button.
7. You will receive a permanent public IPv4 address from Amazon AWS Cloud, eg. 18.223.148.223. Alternative IPv4 address: 18.220.9.93. IPv6 address is not applicable.
8. Click Instances under INSTANCES.
9. Click Launch Instance.
10. Click AWS Marketplace.
11. Search for CentOS in the Search box. Press ENTER.
12. Select CentOS 7 (x86_64) - with Updates HVM 1805_1 Amazon Machine Image (AMI).
13. Click Continue.
14. Select General purpose, t2.micro, 1 vCPU, 1 GB RAM (FREE TIER ELIGIBLE).
15. Click Next: Configure Instance Details.
16. Select Network: .
17. Select Subnet: | Public subnet | us-east-2a.
18. Click Protect against accidental termination.
19. Click Next: Add Storage.
20. Click Next: Add Tags.
21. Click Next: Configure Security Group.
22. Click Select an existing security group.
23. Select VS_SG (Virtual Server Security Group).
24. Click Review and Launch.
25. Click Launch.
26. Select a Secure Shell (SSH) key pair.
27. Click Launch Instances.
28. Click Elastic IPs under Network and Security.
29. Select the Elastic IP 18.223.148.223.
30. Click Actions.
31. Click Associate address.
32. Select the Instance you have created previously.
33. Click Allow Elastic IP to be reassociated if already attached.
34. Click Associate.
35. Open Putty/SSH client and login to CentOS 7.5 (1805).
36. Login as username centos.
37. Sign Out from Amazon AWS Management Console.
38. Install Apache web server with the Secure Sockets Layer (SSL) module:

    sudo yum install httpd mod_ssl

39. Start the Apache web server process:

    sudo /usr/sbin/apachectl start

40. Visit and test your web server at 18.223.148.223 Using Google Chrome.
41. You should see an Apache Web Server test page.
42. Install the nano text editor in Linux:

    sudo yum install nano

43. Go to the main Apache web server configuration directory:

    cd /etc/httpd/conf

44. Edit the main Apache web server configuration file:

    sudo nano httpd.conf

45. Append the following code to the end of httpd.conf:

    ServerName blogger.teo-en-ming.com
    Redirect / https://tdtemcerts.blogspot.sg

    Alternative Code:

    ServerName wordpress.teo-en-ming.com
    Redirect / https://tdtemcerts.wordpress.com

46. Restart the Apache web server process:

    sudo /usr/sbin/apachectl restart

47. Open an Internet Protocol Security (IPsec) Virtual Private Networking (VPN) connection to your corporate network using Shrew Soft VPN client.
48. Open a Remote Desktop Connection to your Windows Server 2019 Active Directory Domain Controller.
49. Under Server Manager, click Tools. Then Click DNS (Domain Name Service).
50. Click Forward Lookup Zones.
51. Click TEO-EN-MING.COM
52. Right Click, select New Host (A or ).
53. Fill in Hostname: blogger
54. Fill in IP address: 18.223.148.223
55. Click Add Host.
56. Alternative DNS Host Record: Fully Qualified Domain Name (FQDN): WORDPRESS.TEO-EN-MING.COM IP address: 18.220.9.93
57. Test http://blogger.teo-en-ming.com. It should redirect to https://tdtemcerts.blogspot.sg
58. Alternative test: http://wordpress.teo-en-ming.com. It should redirect to https://tdtemcerts.wordpress.com
59. Go to Apache web server alternative configuration directory:

    cd /etc/httpd/conf.d

60. Edit the Apache web server Secure Socket Layer (SSL) configuration file:

    sudo nano ssl.conf

61. Find the section that says
62. Insert the following code:

    ServerName blogger.teo-en-ming.com
    Redirect / https://tdtemcerts.blogspot.sg

    Alternative Code:

    ServerName wordpress.teo-en-ming.com
    Redirect / https://tdtemcerts.wordpress.com

63. Restart the Apache web server process:

    sudo /usr/sbin/apachectl restart

64. Test https://blogger.teo-en-ming.com. It should redirect to https://tdtemcerts.blogspot.sg
65. Alternative test: https://wordpress.teo-en-ming.com. It should redirect to https://tdtemcerts.wordpress.com
66. USEFUL REFERENCES:
    (A) Article: Install Apache and PHP on CentOS 6
        Link/URL: https://support.rackspace.com/how-to/centos-6-apache-and-php-install/
    (B) Article: How To Create Temporary and Permanent Redirects with Apache and Nginx
        Link/URL: https://www.digitalocean.com/community/tutorials/how-to-create-temporary-and-permanent-redirects-with-apache-and-nginx
67. Exit Putty/SSH client.
68. END OF TUTORIAL.
Re: [CentOS] Mail has quit working
Added back the IPV6 to /etc/hosts a couple days ago for grins and giggles. No longer getting IPV6 errors in logwatch for bind. Everything working. I think removing my ISP's nameservers from /etc/resolv.conf was the fix. They have been in there forever so still have my fingers crossed. Again, many thanks!!
Re: [CentOS] missing CESA-2018:2571 Important CentOS 6 bind Security Update
On 08/29/2018 05:17 PM, Ian Mortimer wrote:
> On Wed, 2018-08-29 at 19:20 +0200, Ulf Volmer wrote:
>
>> i'm running bind on an up to date CentOS 6.10 and missing the bind
>> update from the announcement above.
>
> I looked for them yesterday on AU mirrors and a few in the US and
> Europe but didn't find them. Still not there this morning.
>

Let me take a look guys .. looks like it passed the QA tests but didn't push out

I'll get them pushed live now.
Re: [CentOS] bash completion in C7
On 08/29/2018 09:22 AM, wwp wrote:
> On Wed, 29 Aug 2018 08:27:06 -0700 Gordon Messmer wrote:
>> On 08/28/2018 11:33 PM, wwp wrote:
>>> - it doesn't expand *foo whereas there are *foo-named files in current
>>> dir, for instance:
>>> # rm *foo
>>> will show nothing whereas there's a file barfoo in curdir.
>> Tab completion finishes a single word, given a string that appears at the
>> beginning of a list of candidates.
> Wrong, tab completion proposes the list of candidates if there are
> several, and it only finishes a single word automatically if there's
> only one match for the pattern. At least I never experienced tab
> completion how you're describing it.

Perhaps a miscommunication. What I mean is that tab completion's final outcome would be a single word, though it can suggest multiple candidates if there are several with matching prefix strings.

>> Wildcard expansion (Ctrl+x, e) will expand a word containing a wildcard to
>> multiple words on the command line, usually so that you can remove some
>> matches.
>>
>> Neither will do specifically what you're trying to do, as far as I know. I
>> think it's simply too ambiguous.
> This works fine in CentOS 6

$ docker run -i -t --rm centos:6 /bin/bash --login
[root@9880736fa3ce ~]# touch 1.foo-named
[root@9880736fa3ce ~]# touch 2.foo-named
[root@9880736fa3ce ~]# ls *.fo

Tab completion doesn't work the way you're suggesting, on CentOS 6. It's possible that such a feature exists in some shell, but not one that I'm aware of.
Re: [CentOS] Stuck on loading of CentOS
On Aug 29, 2018, at 02:57, Dhanasekaran Balakrishnan wrote:
>
> Yes nvidia driver is installed in the computer. I am not sure how my
> colleague did this and presently he is not in my lab.

You will need to fix the nvidia driver. I suggest using the packages from elrepo.org if you aren’t already. Most likely you rebooted into a new kernel that didn’t have the nvidia kernel module available.

--
Jonathan Billings
Re: [CentOS] Panic / EL6 / KVM / kernel-2.6.32-754.2.1.el6.x86_64
On Wed, 29 Aug 2018 at 18:16, Leon Fauster via CentOS wrote:
> On 29.08.2018 at 23:46, Stephen John Smoogen wrote:
> >
> > On Wed, 29 Aug 2018 at 17:41, Leon Fauster via CentOS wrote:
> >> Since the update from kernel-2.6.32-754.2.1.el6.x86_64
> >> to kernel-2.6.32-754.3.5.el6.x86_64 I can not boot my
> >> KVM guests anymore!? The workstation panics immediately!
> >>
> >> I would not have expected this behavior now (last phase of OS).
> >> It was very robust until now (Optiplex Workstation). I see some KVM
> >> related lines in the changelog.diff. Before swimming upstream:
> >>
> >> Does some one have problems related to KVM with kernel-2.6.32-754.3.5.el6.x86_64 ??
> >>
> >
> > Not that I know of.
> > * Does the problem go away if you back off to 2.1 ?
>
> Yes
>
> > * And what type of panic does it say?
>
> I will try to grep some lines at the console tomorrow.
>
> > * What kind of Optiplex Workstation with memory/cpu type/cores?
>
> # virsh sysinfo
>
> >Dell Inc. >A19 >05/31/2011 >18.0
>

So looking at the kernel changelog, there are a lot of KVM changes which look related to the Spectre and related CVE items. All of them seem to have landed in a non-released kernel.. I am going to guess you are tickling one of them so hopefully the oops will help figure it out. The only other item I would wonder is if there is a BIOS update need again due to Spectre but that would be a last thing to try.

* Tue Jul 31 2018 Phillip Lougher [2.6.32-754.3.2.el6]
- [kvm] VMX: Fix host GDT.LIMIT corruption (CVE-2018-10301) (Paolo Bonzini) [1601851] {CVE-2018-10901}
..
- [x86] KVM/VMX: Initialize the vmx_l1d_flush_pages' content (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] kvm: Don't flush L1D cache if VMENTER_L1D_FLUSH_NEVER (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] kvm: Take out the unused nosmt module parameter (Waiman Long) [1593376] {CVE-2018-3620}
...
- [x86] bugs, kvm: Introduce boot-time control of L1TF mitigations (Waiman Long) [1593376] {CVE-2018-3620}
...
- [x86] kvm: Allow runtime control of L1D flush (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] kvm: Serialize L1D flush parameter setter (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] kvm: Move l1tf setup function (Waiman Long) [1593376] {CVE-2018-3620}
...
- [x86] kvm: Drop L1TF MSR list approach (Waiman Long) [1593376] {CVE-2018-3620}
...
- [x86] KVM/VMX: Use MSR save list for IA32_FLUSH_CMD if required (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Extend add_atomic_switch_msr() to allow VMENTER only MSRs (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Separate the VMX AUTOLOAD guest/host number accounting (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Add find_msr() helper function (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Split the VMX MSR LOAD structures to have an host/guest numbers (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Add L1D flush logic (Waiman Long) [1593376] {CVE-2018-3620}
- [kvm] VMX: Make indirect call speculation safe (Waiman Long) [1593376] {CVE-2018-3620}
- [kvm] VMX: Enable acknowledge interupt on vmexit (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Add L1D MSR based flush (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Add L1D flush algorithm (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM/VMX: Add module argument for L1TF mitigation (Waiman Long) [1593376] {CVE-2018-3620}
- [x86] KVM: Warn user if KVM is loaded SMT and L1TF CPU bug being present (Waiman Long) [1593376] {CVE-2018-3620}
- [kvm] x86: Introducing kvm_x86_ops VM init/destroy hooks (Waiman Long) [1593376] {CVE-2018-3620}
...

it keeps going and going.

rpm -q kernel-2.6.32-754.3.5 --changelog

will give you the gory details.

--
Stephen J Smoogen.
Re: [CentOS] grub.cfg
Just as I saw your email as grep found it.

[root@hxx grub2]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=1024M,max:1024M cpuinfo com1=115200,8n1 console=com1,tty loglvl=all guest_loglvl=all"
GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT="console=hvc0 earlyprintk=xen nomodeset”

Looks like if I update it here, I’m safe or is there somewhere else I should be looking?

Steffan A. Cline
stef...@hldns.com
602-793-0014

> On Aug 29, 2018, at 2:15 PM, mark wrote:
>
> Steffan A. Cline wrote:
>> I’ve looked and looked and can’t seem to find anything which would
>> explain why grub.cfg would have been rewritten with a whole new volume
>> group name.
>>
>> Suggestions?
>>
> C6 or C7? In either case, have you looked in /etc/default/grub?
>
> mark
Re: [CentOS] bash completion in C7
On Wed, 29 Aug 2018, wwp wrote:

>while bash completion was working great to me in CentOS6, since I'm
>using C7 I spend my day stuck on completion not working the way it
>should.

Since you don't want what it provides you can either remove the bash-completions* packages or append "complete -r" to your ~/.bashrc which turns off all custom completions leaving just pathname completion -- I also use "complete -o dirnames cd" so that the completions for the cd command are limited to directory names.

The bash-completions project didn't stand still nor did the tools it uses so you might consider submitting an upstream bug report.

/mark
Re: [CentOS] missing CESA-2018:2571 Important CentOS 6 bind Security Update
On Wed, 2018-08-29 at 19:20 +0200, Ulf Volmer wrote:

> i'm running bind on an up to date CentOS 6.10 and missing the bind
> update from the announcement above.

I looked for them yesterday on AU mirrors and a few in the US and Europe but didn't find them. Still not there this morning.

--
Ian
Re: [CentOS] Panic / EL6 / KVM / kernel-2.6.32-754.2.1.el6.x86_64
On 29.08.2018 at 23:46, Stephen John Smoogen wrote:
>
> On Wed, 29 Aug 2018 at 17:41, Leon Fauster via CentOS wrote:
>> Since the update from kernel-2.6.32-754.2.1.el6.x86_64
>> to kernel-2.6.32-754.3.5.el6.x86_64 I can not boot my
>> KVM guests anymore!? The workstation panics immediately!
>>
>> I would not have expected this behavior now (last phase of OS).
>> It was very robust until now (Optiplex Workstation). I see some KVM
>> related lines in the changelog.diff. Before swimming upstream:
>>
>> Does some one have problems related to KVM with
>> kernel-2.6.32-754.3.5.el6.x86_64 ??
>>
>
> Not that I know of.
> * Does the problem go away if you back off to 2.1 ?

Yes

> * And what type of panic does it say?

I will try to grep some lines at the console tomorrow.

> * What kind of Optiplex Workstation with memory/cpu type/cores?

# virsh sysinfo
Dell Inc. A19 05/31/2011 18.0 Dell Inc. OptiPlex 755 Not Specified Not Specified -3700-1058-8047- Not Specified Not Specified CPU Central Processor Core 2 Duo Intel Type 0, Family 6, Model 15, Stepping 11 Not Specified 1333 MHz 5200 MHz Populated, Enabled Not Specified Not Specified 2048 MB DIMM DIMM_1 Not Specified DDR2 Synchronous 800 MHz CE00 DELETED M3 78T5663DZ3-CF7 2048 MB DIMM DIMM_3 Not Specified DDR2 Synchronous 800 MHz 7F98 DELETED 2048 MB DIMM DIMM_2 Not Specified DDR2 Synchronous 800 MHz CE00 DELETED M3 78T5663DZ3-CF7 2048 MB DIMM DIMM_4 Not Specified DDR2 Synchronous 800 MHz 7F98 DELETED

--
LF
Re: [CentOS] Panic / EL6 / KVM / kernel-2.6.32-754.2.1.el6.x86_64
On Wed, 29 Aug 2018 at 17:41, Leon Fauster via CentOS wrote:
> Since the update from kernel-2.6.32-754.2.1.el6.x86_64
> to kernel-2.6.32-754.3.5.el6.x86_64 I can not boot my
> KVM guests anymore!? The workstation panics immediately!
>
> I would not have expected this behavior now (last phase of OS).
> It was very robust until now (Optiplex Workstation). I see some KVM
> related lines in the changelog.diff. Before swimming upstream:
>
> Does some one have problems related to KVM with
> kernel-2.6.32-754.3.5.el6.x86_64 ??
>

Not that I know of.
* Does the problem go away if you back off to 2.1 ?
* And what type of panic does it say?
* What kind of Optiplex Workstation with memory/cpu type/cores?

> --
> LF

--
Stephen J Smoogen.
[CentOS] Panic / EL6 / KVM / kernel-2.6.32-754.2.1.el6.x86_64
Since the update from kernel-2.6.32-754.2.1.el6.x86_64 to kernel-2.6.32-754.3.5.el6.x86_64 I can not boot my KVM guests anymore!? The workstation panics immediately!

I would not have expected this behavior now (last phase of OS). It was very robust until now (Optiplex Workstation). I see some KVM related lines in the changelog.diff. Before swimming upstream:

Does some one have problems related to KVM with kernel-2.6.32-754.3.5.el6.x86_64 ??

--
LF
Re: [CentOS] grub.cfg
Steffan A. Cline wrote:
> I’ve looked and looked and can’t seem to find anything which would
> explain why grub.cfg would have been rewritten with a whole new volume
> group name.
>
> Suggestions?
>

C6 or C7? In either case, have you looked in /etc/default/grub?

mark
Re: [CentOS] grub.cfg
I’ve looked and looked and can’t seem to find anything which would explain why grub.cfg would have been rewritten with a whole new volume group name.

Suggestions?

Steffan A. Cline
stef...@hldns.com
602-793-0014

> On Aug 21, 2018, at 11:27 PM, Steffan A. Cline wrote:
>
> I ran into something with a recent batch of updates on CentOS 7. It seems
> that possibly one of the kernel updates running dracut changed all of the
> volume groups in the grub.cfg file making the system unable to boot until I
> manually edited each line putting it back to the way it was originally. My
> volume group is called vg_h1 but it changed them all to the default “centos”.
>
> Is there a config somewhere I need to edit so this never happens again?
>
>
> Steffan A. Cline
> stef...@hldns.com
> 602-793-0014
[CentOS] C7, system-auth-ac, and authconfig
I read the clear-as-mud docs, and it appears that if we want to modify system-auth-ac, we can create a local, and point system-auth to it.

However.. in the default, I see

auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

Now, we'd like to add sudo to that list. Does anyone know *where* authconfig gets that list in the first place? I haven't been able to find anything yet, and I've been looking.

mark
Re: [CentOS] Kickstart file for software raid
Hi Stephen,

Thanks! So I think this is what I need then.

part raid.0011 --usepart/dev/sda1
part raid.0021 --usepart/dev/sdb2
part raid.0013 --usepart/dev/sda3
part raid.0022 --usepart/dev/sdb3
raid / --device=md0 --fstype="xfs" --level=1 --useexisting raid.0011 raid.0021
raid /home --noformat --device=md1 --level=1 --useexisting raid.0013 raid.0023

for /dev/sda and /dev/sdb with the 1 partition being / and 3 partition being /home to reformat /root and noformat of /home

Thanks,
Jerry
Re: [CentOS] Kickstart file for software raid
On Wed, 29 Aug 2018 at 15:50, Jerry Geis wrote:
> I am using a kickstart file for CentOS 7
>
> raid / --device=md0 --fstype="xfs"
> --level=1 --useexisting
> raid /home --noformat --device=md1
> --level=1 --useexisting
>
> It is erroring out on the --useexisting.
>

It still needs to know what partitions are being used for that device. So it is parsing --useexisting as the drives which make up md0

I am guessing the syntax is supposed to be:

part raid.0011 --usepart=/dev/sda1
part raid.0012 --usepart=/dev/sdb1
raid / --device=md0 --fstype="xfs" --level=1 --useexisting raid.0011 raid.0012

This will still reformat the raid device from the man page:

--useexisting - Use an existing RAID device and reformat it.

> The exact text is:
> RAID volume "0" specified with "--useexisting" does not exist.
>
> What did I do wrong?
>
> Jerry

--
Stephen J Smoogen.
Re: [CentOS] Kickstart file for software raid
Sorry - I did not include that I am actually "updating" a system from C6 to C7 and it has an existing RAID /dev/md0 and /dev/md1.

Hit send too quick.

Jerry

On Wed, Aug 29, 2018 at 3:52 PM Jerry Geis wrote:
> I am using a kickstart file for CentOS 7
>
> raid / --device=md0 --fstype="xfs"
> --level=1 --useexisting
> raid /home --noformat --device=md1
> --level=1 --useexisting
>
> It is erroring out on the --useexisting.
>
> The exact text is:
> RAID volume "0" specified with "--useexisting" does not exist.
>
> What did I do wrong?
>
> Jerry
[CentOS] Kickstart file for software raid
I am using a kickstart file for CentOS 7

raid / --device=md0 --fstype="xfs" --level=1 --useexisting
raid /home --noformat --device=md1 --level=1 --useexisting

It is erroring out on the --useexisting.

The exact text is:
RAID volume "0" specified with "--useexisting" does not exist.

What did I do wrong?

Jerry
[CentOS] missing CESA-2018:2571 Important CentOS 6 bind Security Update
Hello,

I'm running bind on an up to date CentOS 6.10 and missing the bind update from the announcement above.

[root@fw ~]# yum list bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: ftp.nluug.nl
Installed Packages
bind.x86_64    32:9.8.2-0.68.rc1.el6    @base

Is there something wrong on my side? Or with the CentOS- repo?

(My repo config is on https://cloud.u-v.de/index.php/s/ksNcosfmBrN57SQ )

best regards
Ulf
Re: [CentOS] bash completion in C7
Hello Gordon,

On Wed, 29 Aug 2018 08:27:06 -0700 Gordon Messmer wrote:

> On 08/28/2018 11:33 PM, wwp wrote:
> > - it doesn't expand *foo whereas there are *foo-named files in current
> > dir, for instance:
> > # rm *foo
> > will show nothing whereas there's a file barfoo in curdir.
>
> Tab completion finishes a single word, given a string that appears at the
> beginning of a list of candidates.

Wrong, tab completion proposes the list of candidates if there are several, and it only finishes a single word automatically if there's only one match for the pattern. At least I never experienced tab completion how you're describing it.

> Wildcard expansion (Ctrl+x, e) will expand a word containing a wildcard to
> multiple words on the command line, usually so that you can remove some
> matches.
>
> Neither will do specifically what you're trying to do, as far as I know. I
> think it's simply too ambiguous.

This works fine in CentOS 6, and anywhere with bash 2 and 3, I used such completion pattern (ls *foo) for years on various systems. I hardly see how this is ambiguous unless completion doesn't prioritize *foo matching on files.

> > - completion takes 10 sec to propose me something, I don't have an
> > example right here but I'd prefer no completion instead of a
> > completion that hangs for more than 3 sec.
>
> Some completions can take a while. For example, tab completing a
> path on a remote system in an scp command, or completing a local path
> if it's matched against command output rather than the filesystem.
> IIRC, if you run "git diff path/...", the shell will use the output
> of "git status" to determine which paths have changed.

Irrelevant example here, I'm not talking about remote shells. On a remote shell I would expect extra delays, anyway, but this is not what I'm dealing with here.

> I don't know any way to set an upper limit on completions, and while
> "complete -r " is expected to disable programmable completion
> for a single command, I can't actually clear completion for the
> ssh/scp commands on my laptop. "complete -r" turns off programmable
> completion entirely, in which case you simply have simple local path
> completion, if you'd honestly rather not have potentially slow
> options.

I tried disabling programmable completion entirely (`complete -r`), since I don't need it and find it unreliable and it now works as always for file matching patterns. That was a tip, thanks!

Regards,

--
wwp
Re: [CentOS] bash completion in C7
On 08/28/2018 11:33 PM, wwp wrote:
> - it doesn't expand *foo whereas there are *foo-named files in current
> dir, for instance:
> # rm *foo
> will show nothing whereas there's a file barfoo in curdir.

Tab completion finishes a single word, given a string that appears at the beginning of a list of candidates.

Wildcard expansion (Ctrl+x, e) will expand a word containing a wildcard to multiple words on the command line, usually so that you can remove some matches.

Neither will do specifically what you're trying to do, as far as I know. I think it's simply too ambiguous.

> - completion takes 10 sec to propose me something, I don't have an
> example right here but I'd prefer no completion instead of a
> completion that hangs for more than 3 sec.

Some completions can take a while. For example, tab completing a path on a remote system in an scp command, or completing a local path if it's matched against command output rather than the filesystem. IIRC, if you run "git diff path/...", the shell will use the output of "git status" to determine which paths have changed.

I don't know any way to set an upper limit on completions, and while "complete -r " is expected to disable programmable completion for a single command, I can't actually clear completion for the ssh/scp commands on my laptop. "complete -r" turns off programmable completion entirely, in which case you simply have simple local path completion, if you'd honestly rather not have potentially slow options.
Re: [CentOS] Remote update OS from 6 to 7
Hi, Jerry,

Jerry Geis wrote:
> I have a remote machine running C6. I desire to update it to C7. Not
> possible to be on-site. Can I copy the Everything ISO for C7 to the
> machine, mount -o loop C7.Everything.iso /media/cdrom
>
> then do a "yum upgrade" ?
>
> Will that work? The server is using software raid.

Not a good idea. Here's a better one, that we've used here: ideally from another system running C7 that's the same hardware (otherwise, you need to rebuild the initrd).

mkdir /new /boot/new
rsync -HPavzx --exclude=/old --exclude=/var/log/wtmp $machine:/. /new/.
rsync -HPavzx $machine:/boot/. /boot/new/.

After the copy, check these files:
/boot/new/grub/device.map - should list the correct device name for hd0
/new/etc/fstab - should have the correct labels for file systems

Do this, too:

rsync -HPavzx /etc/sysconfig/network-scripts/ifcfg-eth* /new/etc/sysconfig/network-scripts
rsync -HPavzx /etc/sysconfig/hwconf /new/etc/sysconfig
rsync -HPavzx /boot/grub/device.map /boot/new/grub/
rsync -HPavzx /etc/udev/rules.d/70-persistent-net.rules /new/etc/udev/rules.d/

on the new machine, run

find /new/var/log/ -type f -exec cp /dev/null {} \;

If this system is using Linux RAID,

rsync -HPavx /old/etc/md.conf /etc/

Copy the original SSH keys:

rsync -HPavzx /etc/ssh/ssh_host* /new/etc/ssh

Finally, rotate:

zsh
zmodload zsh/files
cd /boot
mkdir old
mv * old
mv old/lost+found .
mv old/new/* .
# Root partition.
cd /
mkdir old
mv * old
mv old/lost+found .
#mv old/root . -- WHY?
mv old/scratch .
mv old/new/* .
sync
sync

Make selinux reset all the security file labels

touch /.autorelabel

Reboot, and when it comes back up, rerun grub2-install

mark
Re: [CentOS] Remote update OS from 6 to 7
On 29/08/2018 13:24, Jerry Geis wrote:
> Hello all...
>
> I have a remote machine running C6. I desire to update it to C7. Not
> possible to be on-site. Can I copy the Everything ISO for C7 to the
> machine, mount -o loop C7.Everything.iso /media/cdrom
>
> then do a "yum upgrade" ?
>
> Will that work? The server is using software raid.
>
> Thanks
>
> Jerry

I've seen many comments discouraging trying to do this, let alone trying to do it remotely (and I assume you don't have IPMI, iLO or other 'bare metal' remote access).

However, the process does not involve yum upgrade, you can check the following link which seems to go through the process in detail: https://shaunfreeman.name/blog/upgrading-centos-6-5-to-centos-7-2

Be sure to complete the backup, and be ready to travel to site, or have remote-hands to restore the backup should the process go wrong.

Best Practice would be to configure a new CentOS 7 system, and ship it pre-configured ready for a data transfer and migration of service to the new system, then decommission the old system and have it sent back to you.
[CentOS] Remote update OS from 6 to 7
Hello all...

I have a remote machine running C6. I desire to update it to C7. Not possible to be on-site. Can I copy the Everything ISO for C7 to the machine,

mount -o loop C7.Everything.iso /media/cdrom

then do a "yum upgrade" ?

Will that work? The server is using software raid.

Thanks

Jerry
[CentOS] CentOS-announce Digest, Vol 162, Issue 5
Today's Topics:

1. CESA-2018:2571 Important CentOS 6 bind Security Update (Johnny Hughes)
2. CESA-2018:2557 Important CentOS 7 postgresql Security Update (Johnny Hughes)
3. CESA-2018:2570 Important CentOS 7 bind Security Update (Johnny Hughes)

--

Message: 1
Date: Tue, 28 Aug 2018 15:39:55 +
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:2571 Important CentOS 6 bind Security Update
Message-ID: <20180828153955.ga34...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2018:2571 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2018:2571

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS

--

Message: 2
Date: Tue, 28 Aug 2018 15:47:41 +
From: Johnny Hughes
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2018:2557 Important CentOS 7 postgresql Security Update
Message-ID: <20180828154741.ga34...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2018:2557 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2018:2557

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )