Re: [CentOS] After update to 8 (2004) ... system is unbootable - UEFI Secure boot

2020-06-16 Thread Fabian Arrotin
On 17/06/2020 04:03, Leon Fauster via CentOS wrote:
> On 16.06.20 at 22:04, Fabian Arrotin wrote:
>> On 16/06/2020 15:06, Leon Fauster via CentOS wrote:
>>> Hi all,
>>>
>>> I updated a Dell XPS laptop from CentOS 8.1 (1911) to 8.2 (2004).
>>>
>>> Installed kernels are
>>> kernel-4.18.0-147.5.1.el8_1.x86_64
>>> kernel-4.18.0-147.8.1.el8_1.x86_64
>>> kernel-4.18.0-193.6.3.el8_2.x86_64
>>>
>>> Unfortunately I can not boot into the latest
>>> kernel-4.18.0-193.6.3.el8_2.x86_64.
>>>
>>> After grub2 screen I only see following line:
>>>
>>> EFI stub: UEFI Secure Boot is enabled
>>>
>>> Booting into the older kernel is still possible. The
>>> above line appears and after that the normal kernel
>>> output scrolls over the screen (rhgb quiet disabled).
>>>
>>> Is the new kernel correctly signed?
>>>
>>> What can I do?
>>>
>>> -- 
>>> Thanks
>>> Leon
>>
>> Hi Leon,
>>
>> Don't think that it's due to secureboot, as on my work laptop (thinkpad
>> t490s), I have secureboot on, and kernel working fine.
>>
>> OTOH, on my family laptop (also in secureboot mode), when I updated from
>> 8.1.1011 to 8.2.2004, laptop became unresponsive during the
>> microcode_ctl update (in scriptlet) and after that it auto-reset itself
>> , so in the middle of the whole rpm transaction.
>> I tried to recover it but it was to a point where it was faster to just
>> reinstall from scratch with 8.2.2004, which I did ... and in gnome,
>> everything was fine, etc (adding repo, pkgs) but then on the *same*
>> kernel it was installed with, just tried a reboot, and nothing  : grub
>> shows menu, you select kernel and on upper left there is only cursor
>> (fixed) and nothing happens ..
>>
>> I'll try to diagnose what's the issue as actually that means troubles
>> with family using that laptop :)
> 
> 
> Hi Fabian,
> 
> an earlyprintk=efi kernel option shows a slowly executed kernel
> (at least the output). I disabled the early_microcode dracut option
> and rebuilt the initramfs image but no success in booting the kernel
> 4.18.0-193.6.3.el8_2.x86_64. Unfortunately no more time for more
> heuristics ...
> 
> -- 
> Leon
> 

I finally reinstalled the laptop over pxe at home *but* pointing to
kickstart repo (so GA content without updates, and so local mirror of
http://mirror.centos.org/centos/8/BaseOS/x86_64/kickstart/), to ensure
that microcode_ctl wouldn't be installed, and in some minutes laptop was
back in action.
I excluded it from updates, updated the rest, and all is ok.

I've seen some people mentioning strange problems like this due to
microcode, and it seems Ubuntu even had a second update in a row to fix
issues:
- https://usn.ubuntu.com/4385-1/ (introducing issue)
- https://usn.ubuntu.com/4385-2/ (fixing the introduced issue)

All that was reported for centos 7 as we had the same issue there too
(see https://bugs.centos.org//view.php?id=17452)

So for people impacted, I guess we have to wait for a new update to
land, and exclude it from updates for now.

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Simon Matter via CentOS
> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>>The rule is in the wrong chain. The INPUT chain affects packets that
>>terminate at the same machine. You want to block packets that will
>>be passed on to the Internet, so your rule needs to be in the
>>FORWARD chain. (The OUTPUT chain affects packets that originate at
>>your machine.)
>>
>>Here's a nice collection of diagrams showing how packets flow
>>through the system:
>>
>>
>
>
> Ah ... Caught it.  So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>
>   iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
>
> So, for example, if your internal interface is, for example,
> /dev/enp2s0, you'd write
>
>   iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
>
> If you want to log such attempts, precede it with a log
> request.  Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>
>   iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
>
>
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest to use Shorewall instead:

https://shorewall.org/

IMHO it's the better tool for where you need more than a "personal" firewall.

Regards,
Simon



Re: [CentOS] After update to 8 (2004) ... system is unbootable - UEFI Secure boot

2020-06-16 Thread Leon Fauster via CentOS

On 16.06.20 at 22:04, Fabian Arrotin wrote:

On 16/06/2020 15:06, Leon Fauster via CentOS wrote:

Hi all,

I updated a Dell XPS laptop from CentOS 8.1 (1911) to 8.2 (2004).

Installed kernels are
kernel-4.18.0-147.5.1.el8_1.x86_64
kernel-4.18.0-147.8.1.el8_1.x86_64
kernel-4.18.0-193.6.3.el8_2.x86_64

Unfortunately I can not boot into the latest
kernel-4.18.0-193.6.3.el8_2.x86_64.

After grub2 screen I only see following line:

EFI stub: UEFI Secure Boot is enabled

Booting into the older kernel is still possible. The
above line appears and after that the normal kernel
output scrolls over the screen (rhgb quiet disabled).

Is the new kernel correctly signed?

What can I do?

--
Thanks
Leon


Hi Leon,

Don't think that it's due to secureboot, as on my work laptop (thinkpad
t490s), I have secureboot on, and kernel working fine.

OTOH, on my family laptop (also in secureboot mode), when I updated from
8.1.1011 to 8.2.2004, laptop became unresponsive during the
microcode_ctl update (in scriptlet) and after that it auto-reset itself
, so in the middle of the whole rpm transaction.
I tried to recover it but it was to a point where it was faster to just
reinstall from scratch with 8.2.2004, which I did ... and in gnome,
everything was fine, etc (adding repo, pkgs) but then on the *same*
kernel it was installed with, just tried a reboot, and nothing  : grub
shows menu, you select kernel and on upper left there is only cursor
(fixed) and nothing happens ..

I'll try to diagnose what's the issue as actually that means troubles
with family using that laptop :)



Hi Fabian,

an earlyprintk=efi kernel option shows a slowly executed kernel
(at least the output). I disabled the early_microcode dracut option
and rebuilt the initramfs image but no success in booting the kernel
4.18.0-193.6.3.el8_2.x86_64. Unfortunately no more time for more 
heuristics ...


--
Leon



Re: [CentOS] Centos7 and Vlan

2020-06-16 Thread Gordon Messmer

On 6/16/20 1:56 AM, Alfredo De Luca wrote:

I have centos7 with 1 network interface and on that IF we have 2 vlan.
From both vlan we'd like to reach the internet independently so basically
with 2 different gateways.



Look for documentation on "multi-homing":

https://blogs.oracle.com/networking/advance-routing-for-multi-homed-hosts



Re: [CentOS] LUKS layer / best practice

2020-06-16 Thread Leon Fauster via CentOS

On 16.06.20 at 23:07, Erick Perez - Quadrian Enterprises wrote:


On Tue, Jun 16, 2020 at 3:00 PM Jason Edgecombe  wrote:


I recommend having LUKS be "under" LVM. the layers would be:
/dev/sda -> partition (/dev/sda1) -> LUKS (/dev/sda1_crypt) -> LVM physical
volume -> volume group -> logical volume -> filesystem

The layers described above are how the Ubuntu installer sets up an
encrypted LVM filesystem. As far as I know, TRIM is passed through LUKS and
the LVM layers if it's available in the hardware.

Sincerely,
Jason


> Also, if you want to use deduplication (via VDO) then you must
> remember to "dedupe then encrypt"
> Storage > LUKS > VDO > LVM
> old but good reference to: https://access.redhat.com/articles/2106521

That's a good point. Thank you!

--
Leon




Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Kenneth Porter

--On Tuesday, June 16, 2020 5:20 PM -0700 david  wrote:


If someone can suggest a firewall-cmd equivalent, it would be nice.


Alas, firewalld is targeted at end nodes and doesn't really provide much 
facility for routers. Its big advantage there is in setting up a reasonable 
default firewall for the gateway itself. The only real gateway support is 
to enable masquerade on the external interface.


I use firewalld direct rules for controlling the forwarded packets. They 
look like iptables rules and get injected into firewalld's own subchains. 
Use "iptables -L -v -n" to dump the whole mess into a file for examination.


In /etc/firewalld/direct.xml, you could add an XML passthrough node like 
this:


<passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>


This assumes your internal zone is named internal. Change the chain name to 
match your zone name. You don't need to specify the interface name here 
because the FWDI_internal chain is only invoked if the inbound interface 
matches an interface in that zone.


Also note that the -I option takes a chain name and a number indicating 
where to insert a rule. I use 1 to put the rule at the start of any rules 
that firewalld has already inserted. So if you need a LOG rule, you'll want 
to put the nodes in reverse order in the XML file so they get inserted 
backwards, last rule first. Ie. insert the DROP rule, then the LOG rule.




Re: [CentOS] firewall help request (solved)

2020-06-16 Thread david

At 03:47 PM 6/16/2020, Kenneth Porter wrote:
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will 
be passed on to the Internet, so your rule needs to be in the 
FORWARD chain. (The OUTPUT chain affects packets that originate at 
your machine.)


Here's a nice collection of diagrams showing how packets flow 
through the system:






Ah ... Caught it.  So here is the IPTABLES method to block output on 
port 22 from internal machines on a gateway:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP


So, for example, if your internal interface is, for example, 
/dev/enp2s0, you'd write


  iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log 
request.  Since I'm using the -I command (insert at top), it means 
the log request is entered second:


  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"



If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF
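
Added example (not part of the original post or the thread): a POSIX shell script that generates the FORWARD-chain rules discussed above for the original request, blocking forwarded TCP port 22 from the internal interface except for one allowed host. Because `-I` inserts at the top, it issues the rules in reverse so the chain ends up reading ACCEPT, LOG, DROP. The function names, the log prefix and the sample address 10.0.0.5 are assumptions.

```shell
#!/bin/sh
# Added example: builds the iptables commands for "block forwarded SSH from the
# internal interface, except for one allowed host". All names are assumptions.

LOG_PREFIX="FWD-SSH-BLOCKED: "   # assumed prefix; iptables allows up to 29 characters

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
# The body is a subshell "( ... )" so the IFS change does not leak to the caller.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || exit 1
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# gen_rules IFACE ALLOWED_IP: print the commands in the order they must be run.
# Each -I lands above the previous one, so DROP is issued first and the
# exception last; the exception then sits at the top of FORWARD.
gen_rules() {
    iface=$1
    allowed=$2
    case $iface in
        ''|-*|*[!A-Za-z0-9_.-]*)
            echo "bad interface name: $iface" >&2
            return 2 ;;
    esac
    valid_ipv4 "$allowed" || {
        echo "bad IPv4 address: $allowed" >&2
        return 2
    }
    printf 'iptables -I FORWARD -i %s -p tcp --dport 22 -j DROP\n' "$iface"
    printf 'iptables -I FORWARD -i %s -p tcp --dport 22 -j LOG --log-prefix "%s"\n' \
        "$iface" "$LOG_PREFIX"
    # ACCEPT ends FORWARD traversal for the allowed host's port-22 packets,
    # so they never reach the LOG and DROP rules below it.
    printf 'iptables -I FORWARD -i %s -s %s/32 -p tcp --dport 22 -j ACCEPT\n' \
        "$iface" "$allowed"
}

# chain_order IFACE ALLOWED_IP: the same rules as the kernel evaluates them,
# top to bottom (the reverse of the order in which they were inserted).
chain_order() {
    rules=$(gen_rules "$@") || return
    printf '%s\n' "$rules" | sed '1!G;h;$!d'
}

# Dry run: with two arguments, print the commands and change nothing.
# Example: sh fwd-ssh.sh enp2s0 10.0.0.5
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2"
fi
```

Review the printed commands, then run them as root on the gateway; `iptables -L FORWARD -v -n --line-numbers` shows whether the ACCEPT rule really ended up first.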



Re: [CentOS] firewall help request

2020-06-16 Thread Kenneth Porter
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will be 
passed on to the Internet, so your rule needs to be in the FORWARD chain. 
(The OUTPUT chain affects packets that originate at your machine.)


Here's a nice collection of diagrams showing how packets flow through the 
system:






Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread Alan McRae via CentOS

Thank you Gordon. That works for me. 8.2 needs the same fix.

Alan

On 16/06/2020 16:21, Gordon Messmer wrote:

On 6/15/20 7:06 PM, Jay Hart wrote:
If I do 'systemctl start httpd', apache will start right up.  But during boot, it doesn't and I get the resulting errors below.

Jun 15 21:17:28 dream httpd[1534]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 10.20.30.11:80



httpd is starting before an interface has been configured with 
10.20.30.11.


The default configuration starts httpd after "network.target" but you 
want to start it after "network-online.target".


IIRC: run "systemctl edit httpd.service" and insert:

[Unit]
After=network-online.target



Re: [CentOS] firewall help request

2020-06-16 Thread Paul Heinlein

On Tue, 16 Jun 2020, Leroy Tennison wrote:


I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP


I'm not sure it's your INPUT table that needs that rule. I don't have 
any NAT machines for experimentation, but my initial hunch is that 
you'd want OUTPUT rules, e.g.,


iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [CentOS] LUKS layer / best practice

2020-06-16 Thread Erick Perez - Quadrian Enterprises
Also, if you want to use deduplication (via VDO) then you must
remember to "dedupe then encrypt"
Storage > LUKS > VDO > LVM
old but good reference to: https://access.redhat.com/articles/2106521

On Tue, Jun 16, 2020 at 3:00 PM Jason Edgecombe  wrote:
>
> I recommend having LUKS be "under" LVM. the layers would be:
> /dev/sda -> partition (/dev/sda1) -> LUKS (/dev/sda1_crypt) -> LVM physical
> volume -> volume group -> logical volume -> filesystem
>
> The layers described above are how the Ubuntu installer sets up an
> encrypted LVM filesystem. As far as I know, TRIM is passed through LUKS and
> the LVM layers if it's available in the hardware.
>
> Sincerely,
> Jason
>
> ---
> Jason Edgecombe | Linux Administrator
> UNC Charlotte | The William States Lee College of Engineering
> 9201 University City Blvd. | Charlotte, NC 28223-0001
> Phone: 704-687-1943
> jwedg...@uncc.edu | http://engr.uncc.edu |  Facebook
> ---
>
>
> On Tue, Jun 16, 2020 at 1:42 PM Leon Fauster via CentOS 
> wrote:
>
> > Hi all,
> >
> > with regard to LUKS; should it placed before LVM or after? Any
> > recommendations? TRIM command fully supported through all layers etc?
> >
> > --
> > Leon



-- 

-
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
-


Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 1:26 PM david  wrote:

>
> ...  I'm assuming
> that your advice about LAN represents the internal network because on
> most routers, it is, and WAN is the internet connection.
>
>
>
yeah, LAN == Local Area Network,  WAN == Wide Area Network, generally
meaning the internet.


-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] firewall help request

2020-06-16 Thread david

At 12:30 PM 6/16/2020, John Pierce wrote:

On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


At your suggestion, the command became

iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

where enp3s0 is the internal NIC with address 10.0.0.1.  I'm assuming 
that your advice about LAN represents the internal network because on 
most routers, it is, and WAN is the internet connection.


And ssh worked :-(
unfortunately

I know that many ISPs block outgoing port 25, so I know this is do-able.

David 




Re: [CentOS] After update to 8 (2004) ... system is unbootable - UEFI Secure boot

2020-06-16 Thread Fabian Arrotin
On 16/06/2020 15:06, Leon Fauster via CentOS wrote:
> Hi all,
> 
> I updated a Dell XPS laptop from CentOS 8.1 (1911) to 8.2 (2004).
> 
> Installed kernels are
> kernel-4.18.0-147.5.1.el8_1.x86_64
> kernel-4.18.0-147.8.1.el8_1.x86_64
> kernel-4.18.0-193.6.3.el8_2.x86_64
> 
> Unfortunately I can not boot into the latest
> kernel-4.18.0-193.6.3.el8_2.x86_64.
> 
> After grub2 screen I only see following line:
> 
> EFI stub: UEFI Secure Boot is enabled
> 
> Booting into the older kernel is still possible. The
> above line appears and after that the normal kernel
> output scrolls over the screen (rhgb quiet disabled).
> 
> Is the new kernel correctly signed?
> 
> What can I do?
> 
> -- 
> Thanks
> Leon

Hi Leon,

Don't think that it's due to secureboot, as on my work laptop (thinkpad
t490s), I have secureboot on, and kernel working fine.

OTOH, on my family laptop (also in secureboot mode), when I updated from
8.1.1011 to 8.2.2004, laptop became unresponsive during the
microcode_ctl update (in scriptlet) and after that it auto-reset itself
, so in the middle of the whole rpm transaction.
I tried to recover it but it was to a point where it was faster to just
reinstall from scratch with 8.2.2004, which I did ... and in gnome,
everything was fine, etc (adding repo, pkgs) but then on the *same*
kernel it was installed with, just tried a reboot, and nothing  : grub
shows menu, you select kernel and on upper left there is only cursor
(fixed) and nothing happens ..

I'll try to diagnose what's the issue as actually that means troubles
with family using that laptop :)


-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab





Re: [CentOS] LUKS layer / best practice

2020-06-16 Thread Jason Edgecombe
I recommend having LUKS be "under" LVM. the layers would be:
/dev/sda -> partition (/dev/sda1) -> LUKS (/dev/sda1_crypt) -> LVM physical
volume -> volume group -> logical volume -> filesystem

The layers described above are how the Ubuntu installer sets up an
encrypted LVM filesystem. As far as I know, TRIM is passed through LUKS and
the LVM layers if it's available in the hardware.

Sincerely,
Jason

---
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedg...@uncc.edu | http://engr.uncc.edu |  Facebook
---


On Tue, Jun 16, 2020 at 1:42 PM Leon Fauster via CentOS 
wrote:

> Hi all,
>
> with regard to LUKS; should it placed before LVM or after? Any
> recommendations? TRIM command fully supported through all layers etc?
>
> --
> Leon


[CentOS] firewall help request

2020-06-16 Thread Leroy Tennison
Is your policy accept?  It is possible to trace the packet through the 
netfilter path by setting up raw table rules with TRACE as the target and 
logging turned on (search the web for details - probably too much to post here) 
but be aware that you need a very controlled test because the syslog entries 
will likely be an order of magnitude greater than the actual packet count.


From: CentOS  on behalf of david 
Sent: Tuesday, June 16, 2020 2:21 PM
To: CentOS mailing list 
Subject: [EXTERNAL] [CentOS] firewall help request



Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two
NICs.  One is connected to the internet, the other to an internal
network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
android phones, linux boxes) using NAT.  I wish to block all outgoing
connects to any external IP address on port 22 (ssh) originating from
any internal machine except one (which has a known internal IP address).

I've tried some commands using 'iptables' to accomplish this, but so
far have failed.  If anyone has a suggestion, I'd really appreciate
it.  In addition, a suitable version for 'firewalld' could be useful,
as an upgrade to Centos 8 is in plan.

Examples of what I've tried, and then tested.  None of them stopped
an outgoing SSH from an internal system.

   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David


Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com




2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com




Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


-- 
-john r pierce
  recycling used bits in santa cruz


[CentOS] firewall help request

2020-06-16 Thread david

Folks

I'm struggling with my firewall settings, and would appreciate some help.

I have a gateway machine (currently Centos 7 with IPV4 only) with two 
NICs.  One is connected to the internet, the other to an internal 
network (10.0.0.0/24) of mixed hardware (windows7, android tablets, 
android phones, linux boxes) using NAT.  I wish to block all outgoing 
connects to any external IP address on port 22 (ssh) originating from 
any internal machine except one (which has a known internal IP address).


I've tried some commands using 'iptables' to accomplish this, but so 
far have failed.  If anyone has a suggestion, I'd really appreciate 
it.  In addition, a suitable version for 'firewalld' could be useful, 
as an upgrade to Centos 8 is in plan.


Examples of what I've tried, and then tested.  None of them stopped 
an outgoing SSH from an internal system.


  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
  iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP

Much thanks

David



Re: [CentOS] Missing Quote from latest Update

2020-06-16 Thread Natassia S
Du-oh!  My bad, I was thinking that this was something that downloaded with
the updates.  I found my error.

Thanks,
Natassia S.

On Tue, Jun 16, 2020 at 12:10 PM John Pierce  wrote:

> On Tue, Jun 16, 2020 at 8:56 AM Natassia S  wrote:
>
> > Received these error message during update 16Jun2020.
> >
> > Running scriptlet: kmod-kvdo-6.2.1.138-58.el8_1.x86_64
> > 750/1181
> >
> > /etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
> > looking for matching `"'
> >
> > /etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
> > unexpected end of file...
> >
>
> um, what does your /etc/sysconfig/network-scripts/ifcfg-eno1 file look like
> ?
>
> --
> -john r pierce
>   recycling used bits in santa cruz
>


-- 
Software updates are like hand-washing for computers.  So simple that it
doesn't seem like it could make much of a difference, but it does.


Re: [CentOS] Missing Quote from latest Update

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 8:56 AM Natassia S  wrote:

> Received these error message during update 16Jun2020.
>
> Running scriptlet: kmod-kvdo-6.2.1.138-58.el8_1.x86_64
> 750/1181
>
> /etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
> looking for matching `"'
>
> /etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
> unexpected end of file...
>

um, what does your /etc/sysconfig/network-scripts/ifcfg-eno1 file look like
?

-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] Upgrade to 8.2 from 7.8

2020-06-16 Thread Natassia S
Yeah, I've decided to get a new virtual server.

Natassia

On Tue, Jun 16, 2020 at 11:29 AM Stephen John Smoogen 
wrote:

> On Tue, 16 Jun 2020 at 14:08, Jerry Geis  wrote:
> >
> > So now that 8 is out - is it still "frowned" upon to do that in place
> > update ?
> > Is that not a good / valid solution ?
>
> It really isn't a good solution without a lot of hand work. It can be
> done but the person doing the updates needs to figure out all the
> problems before hand and probably do it multiple times to work out
> various kinks. You are basically trying to upgrade from Fedora 18 to
> Fedora 29 without anything in between. Lots of little changes have
> built up over time from packages having things as different
> dependencies to RPM modules existing in RHEL8 but not RHEL7.
>
>
> > Thanks,
> >
> > Jerry
>
>
>
> --
> Stephen J Smoogen.
>


-- 
Software updates are like hand-washing for computers.  So simple that it
doesn't seem like it could make much of a difference, but it does.


Re: [CentOS] Upgrade to 8.2 from 7.8

2020-06-16 Thread Stephen John Smoogen
On Tue, 16 Jun 2020 at 14:08, Jerry Geis  wrote:
>
> So now that 8 is out - is it still "frowned" upon to do that in place
> update ?
> Is that not a good / valid solution ?

It really isn't a good solution without a lot of hand work. It can be
done but the person doing the updates needs to figure out all the
problems before hand and probably do it multiple times to work out
various kinks. You are basically trying to upgrade from Fedora 18 to
Fedora 29 without anything in between. Lots of little changes have
built up over time from packages having things as different
dependencies to RPM modules existing in RHEL8 but not RHEL7.


> Thanks,
>
> Jerry



-- 
Stephen J Smoogen.


[CentOS] Upgrade to 8.2 from 7.8

2020-06-16 Thread Jerry Geis
So now that 8 is out - is it still "frowned" upon to do that in place
update ?
Is that not a good / valid solution ?
Thanks,

Jerry


[CentOS] LUKS layer / best practice

2020-06-16 Thread Leon Fauster via CentOS

Hi all,

with regard to LUKS; should it placed before LVM or after? Any
recommendations? TRIM command fully supported through all layers etc?

--
Leon


Re: [CentOS] Simple scan in CentOS 7

2020-06-16 Thread H
On 06/16/2020 01:08 PM, H wrote:
> On 06/15/2020 08:58 PM, Fred Smith wrote:
>> On Mon, Jun 15, 2020 at 04:28:17PM -0400, H wrote:
>>> I just installed C7 on a new computer and despite Simple Scan being 
>>> installed as part of C7, I have not been able to get it to recognize my 
>>> Canon scanner connected to a USB port. I did have it running on another 
>>> computer with C7 so there should not be any inherent issues.
>>>
>>> On a lark I installed gscan2pdf and sane-backends-drivers-scanners and 
>>> sane-find-scanner found it:
>>>
>>> found USB scanner (vendor=0x04a9 [Canon], product=0x1908 [CanoScan]) at 
>>> libusb:001:010
>>>
>>> I perused my notes for the old computer but did not see I installed any 
>>> additional software to get it going but I might be wrong.
>>>
>>> What have I missed?
>>>
>> On my C7 box, simple-scan requires libsane. try: ldd simple-scan |grep -i sane.
>>
>> # ldd /usr/bin/simple-scan | grep -i sane
>>  libsane.so.1 => /lib64/libsane.so.1 (0x7f3668291000)
>>
>>
>> ldd doesn't show any other sane dependencies, but I'd sorta think
>> that simple-scan would also need sane-backends as well. Here's all
>> the sane things I have installed, FYI:
>>
>> # ldd /usr/bin/simple-scan | grep -i sane
>>  libsane.so.1 => /lib64/libsane.so.1 (0x7f3668291000)
>> [root@fcshome log]# yum list installed | grep -i sane
>> libsane-hpaio.x86_64                   3.15.9-5.el7   @base
>> sane-backends.x86_64                   1.0.24-12.el7  @base
>> sane-backends-devel.i686               1.0.24-12.el7  @base
>> sane-backends-devel.x86_64             1.0.24-12.el7  @base
>> sane-backends-doc.noarch               1.0.24-12.el7  @base
>> sane-backends-drivers-cameras.i686     1.0.24-12.el7  @base
>> sane-backends-drivers-cameras.x86_64   1.0.24-12.el7  @base
>> sane-backends-drivers-scanners.i686    1.0.24-12.el7  @base
>> sane-backends-drivers-scanners.x86_64  1.0.24-12.el7  @base
>> sane-backends-libs.i686                1.0.24-12.el7  @base
>> sane-backends-libs.x86_64              1.0.24-12.el7  @base
>> sane-frontends.x86_64                  1.0.14-19.el7  @base
>> xsane.x86_64                           0.999-9.el7    @base
>> xsane-common.x86_64                    0.999-9.el7    @base
>> xsane-gimp.x86_64                      0.999-9.el7    @base
>>
>> also FYI, I'm using a Canon LiDE 210, which works fine for me.
>>
>> Good luck!
>>
>> Fred
>>
> I get:
>
> #ldd /usr/bin/simple-scan | grep -i sane
>     libsane.so.1 => /lib64/libsane.so.1 (0x7f0d4ab47000)
>
> and
>
> #yum list installed | grep -i sane
> perl-Sane.x86_64                       0.05-8.el7.nux  @nux-dextop
> sane-backends.x86_64                   1.0.24-12.el7   @base
> sane-backends-drivers-scanners.x86_64  1.0.24-12.el7   @base
> sane-backends-libs.x86_64              1.0.24-12.el7   @base
> sane-frontends.x86_64                  1.0.14-19.el7   @base
>
>
Problem solved, I had forgotten to launch the saned daemon... Scanning now 
works.



Re: [CentOS] Simple scan in CentOS 7

2020-06-16 Thread H
On 06/16/2020 07:54 AM, Louis Lagendijk wrote:
> On Mon, 2020-06-15 at 16:28 -0400, H wrote:
>> I just installed C7 on a new computer and despite Simple Scan being
>> installed as part of C7, I have not been able to get it to recognize
>> my Canon scanner connected to a USB port. I did have it running on
>> another computer with C7 so there should not be any inherent issues.
>>
>> On a lark I installed gscan2pdf and sane-backends-drivers-scanners
>> and sane-find-scanner found it:
>>
>> found USB scanner (vendor=0x04a9 [Canon], product=0x1908 [CanoScan])
>> at libusb:001:010
> So this is a CanoScan 9000. According to 
> http://sane-project.org/sane-mfgs.html#Z-CANON it is supported since
> sane-1.0.27. Centos 78 apparently has Sane 1.0.24. So you must have
> downloaded a later version of Sane somewhere or compiled it yourself
> (not too difficult)
>
> BR, Louis
>

Hmm, I have no recollection of compiling sane. Btw, it is not clear to me where 
you saw that version 1.0.27 is needed? This scanner seems to be fully supported 
in the sane-pixma library.



Re: [CentOS] Simple scan in CentOS 7

2020-06-16 Thread H
On 06/15/2020 08:58 PM, Fred Smith wrote:
> On Mon, Jun 15, 2020 at 04:28:17PM -0400, H wrote:
>> I just installed C7 on a new computer and despite Simple Scan being 
>> installed as part of C7, I have not been able to get it to recognize my 
>> Canon scanner connected to a USB port. I did have it running on another 
>> computer with C7 so there should not be any inherent issues.
>>
>> On a lark I installed gscan2pdf and sane-backends-drivers-scanners and 
>> sane-find-scanner found it:
>>
>> found USB scanner (vendor=0x04a9 [Canon], product=0x1908 [CanoScan]) at 
>> libusb:001:010
>>
>> I perused my notes for the old computer but did not see I installed any 
>> additional software to get it going but I might be wrong.
>>
>> What have I missed?
>>
> On my C7 box, simple-scan requires libsane. try: ldd simple-scan |grep -i 
> sane.
>
> # ldd /usr/bin/simple-scan | grep -i sane
>   libsane.so.1 => /lib64/libsane.so.1 (0x7f3668291000)
>
>
> ldd doesn't show any other sane dependencies, but I'd sorta think
> that simple-scan would also need sane-backends as well. Here's all
> the sane things I have installed, FYI:
>
> # ldd /usr/bin/simple-scan | grep -i sane
>   libsane.so.1 => /lib64/libsane.so.1 (0x7f3668291000)
> [root@fcshome log]# yum list installed | grep -i sane
> libsane-hpaio.x86_64                   3.15.9-5.el7   @base
> sane-backends.x86_64                   1.0.24-12.el7  @base
> sane-backends-devel.i686               1.0.24-12.el7  @base
> sane-backends-devel.x86_64             1.0.24-12.el7  @base
> sane-backends-doc.noarch               1.0.24-12.el7  @base
> sane-backends-drivers-cameras.i686     1.0.24-12.el7  @base
> sane-backends-drivers-cameras.x86_64   1.0.24-12.el7  @base
> sane-backends-drivers-scanners.i686    1.0.24-12.el7  @base
> sane-backends-drivers-scanners.x86_64  1.0.24-12.el7  @base
> sane-backends-libs.i686                1.0.24-12.el7  @base
> sane-backends-libs.x86_64              1.0.24-12.el7  @base
> sane-frontends.x86_64                  1.0.14-19.el7  @base
> xsane.x86_64                           0.999-9.el7    @base
> xsane-common.x86_64                    0.999-9.el7    @base
> xsane-gimp.x86_64                      0.999-9.el7    @base
>
> also FYI, I'm using a Canon LiDE 210, which works fine for me.
>
> Good luck!
>
> Fred
>
I get:

#ldd /usr/bin/simple-scan | grep -i sane
    libsane.so.1 => /lib64/libsane.so.1 (0x7f0d4ab47000)

and

#yum list installed | grep -i sane
perl-Sane.x86_64   0.05-8.el7.nux  @nux-dextop 
sane-backends.x86_64   1.0.24-12.el7   @base   
sane-backends-drivers-scanners.x86_64  1.0.24-12.el7   @base   
sane-backends-libs.x86_64  1.0.24-12.el7   @base   
sane-frontends.x86_64  1.0.14-19.el7   @base




[CentOS] Missing Quote from latest Update

2020-06-16 Thread Natassia S
Received these error messages during update 16Jun2020.

Running scriptlet: kmod-kvdo-6.2.1.138-58.el8_1.x86_64
750/1181

/etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
looking for matching `"'

/etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
unexpected end of file

/etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
looking for matching `"'

/etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
unexpected end of file

/etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
looking for matching `"'

/etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
unexpected end of file









/etc/sysconfig/network-scripts/ifcfg-eno1: line 21: unexpected EOF while
looking for matching `"'

/etc/sysconfig/network-scripts/ifcfg-eno1: line 22: syntax error:
unexpected end of file

Natassia S.


-- 
Software updates are like hand-washing for computers.  So simple that it
doesn't seem like it could make much of a difference, but it does.


Re: [CentOS] Centos7 and Vlan

2020-06-16 Thread John Pierce
Did you setup outbound NAT for both vlans via iptables?

Policy routing to multiple wan interfaces is a bit tricky.  It's been
years since I did it, what I remember was using ip rules to categorize and
tag the traffic, then alternate named ip route tables to direct the
different tags at different gateways.

On Tue, Jun 16, 2020, 1:57 AM Alfredo De Luca 
wrote:

> Hi all.
> I wonder if you can help me here.
>
> I have centos7 with 1 network interface and on that IF we have 2 vlan.
> From both vlan we'd like to reach the internet independently so basically
> with 2 different gateways.
>
> we tried with all the routes,rules etc but only on one vlan we are able to
> ping 8.8.8.8 for instance.
>
> Any suggestions/ideas?
> Cheers
>
>
> --
> */Alfredo*


Re: [CentOS] Centos7 and Vlan

2020-06-16 Thread R C
if you use more than one gateway, you have to 'decide' what traffic you
want to go through each of them, (so you have to set up routes or
user/group pools that controls access to interfaces etc ) it would still
be a good idea to call one of the interfaces/gateways the
"route of last resort", but bad ideas might work too.


On 6/16/20 2:56 AM, Alfredo De Luca wrote:
> Hi all.
> I wonder if you can help me here.
>
> I have centos7 with 1 network interface and on that IF we have 2 vlan.
> From both vlan we'd like to reach the internet independently so basically
> with 2 different gateways.
>
> we tried with all the routes,rules etc but only on one vlan we are able to
> ping 8.8.8.8 for instance.
>
> Any suggestions/ideas?
> Cheers





[CentOS] iwlwifi problem after Centos 8.2 update

2020-06-16 Thread Georgios
Hi!
I get high cpu usage on my laptop (yes I'm running Centos on my laptop)
after my last update.

At the beginning I thought it was libvirtd but after stopping it gnome
monitor kept showing high cpu usage although I couldn't find the app
that was responsible for it with the top command.

I searched my log files and I saw a lot of iwlwifi messages.

I had to turn off wifi in order to stop high cpu usage.

Any ideas how to solve it?

Thanks in advance!

dmesg command gives me the following output:

[  649.756674] iwlwifi :00:14.3: Found debug destination:
EXTERNAL_DRAM
[  649.756676] iwlwifi :00:14.3: Found debug configuration: 0
[  649.757247] iwlwifi :00:14.3: loaded firmware version
46.6bf1df06.0 op_mode iwlmvm
[  649.757275] iwlwifi :00:14.3: Detected Intel(R) Dual Band
Wireless AC 9462, REV=0x318
[  649.765604] iwlwifi :00:14.3: Applying debug destination
EXTERNAL_DRAM
[  649.765843] iwlwifi :00:14.3: Allocated 0x0040 bytes for
firmware monitor.
[  649.806204] iwlwifi :00:14.3: base HW address: a0:a4:c5:dd:0c:52
[  649.852141] ieee80211 phy644: Selected rate control algorithm 'iwl-
mvm-rs'
[  649.853603] thermal thermal_zone8: failed to read out thermal zone
(-61)
[  649.860442] iwlwifi :00:14.3 wlo1: renamed from wlan0
[  649.881196] IPv6: ADDRCONF(NETDEV_UP): wlo1: link is not ready
[  649.887951] iwlwifi :00:14.3: Applying debug destination
EXTERNAL_DRAM
[  649.977952] iwlwifi :00:14.3: Applying debug destination
EXTERNAL_DRAM
[  650.042990] iwlwifi :00:14.3: FW already configured (0) - re-
configuring
[  650.050559] iwlwifi :00:14.3: Conflict between TLV & NVM
regarding enabling LAR (TLV = enabled NVM =disabled)
[  650.250610] iwlwifi :00:14.3: Microcode SW error detected.
Restarting 0x0.

[CentOS] After update to 8 (2004) ... system is unbootable - UEFI Secure boot

2020-06-16 Thread Leon Fauster via CentOS

Hi all,

I updated a Dell XPS laptop from CentOS 8.1 (1911) to 8.2 (2004).

Installed kernels are
kernel-4.18.0-147.5.1.el8_1.x86_64
kernel-4.18.0-147.8.1.el8_1.x86_64
kernel-4.18.0-193.6.3.el8_2.x86_64

Unfortunately I can not boot into the latest
kernel-4.18.0-193.6.3.el8_2.x86_64.

After grub2 screen I only see following line:

EFI stub: UEFI Secure Boot is enabled

Booting into the older kernel is still possible. The
above line appears and after that the normal kernel
output scrolls over the screen (rhgb quiet disabled).

Is the new kernel correctly signed?

What can I do?

--
Thanks
Leon



[CentOS] CentOS-announce Digest, Vol 184, Issue 6

2020-06-16 Thread centos-announce-request
Today's Topics:

   1. Release for CentOS Linux 8 (2004) (Brian Stinson)


--

Message: 1
Date: Mon, 15 Jun 2020 11:29:32 -0500
From: Brian Stinson 
To: centos-annou...@centos.org
Subject: [CentOS-announce] Release for CentOS Linux 8 (2004)
Message-ID: <1491307c-4a76-1bc2-7375-9c85cdff3...@centosproject.org>
Content-Type: text/plain; charset=utf-8

Release for CentOS Linux 8 (2004)

We are pleased to announce the general availability of CentOS Linux 8.
Effective immediately, this is the current release for CentOS Linux 8
and is tagged as 2004, derived from Red Hat Enterprise Linux 8.2 Source Code.

As always, read through the Release Notes at :
http://wiki.centos.org/Manuals/ReleaseNotes/CentOS8.2004? - these notes
contain important information about the release and details about some
of the content inside the release from the CentOS QA team. These notes
are updated constantly to include issues and incorporate feedback from
the users.

--
Updates, Sources, and DebugInfos

Updates released since the upstream release are all posted, across all
architectures. We strongly recommend every user apply all updates,
including the content released today, on your existing CentOS Linux 8
machine by just running 'dnf update'.

As with all CentOS Linux 8 components, this release was built from sources
hosted at git.centos.org. Sources will be available from vault.centos.org in
their own dedicated directories to match the corresponding binary RPMs. Since
there is far less traffic to the CentOS source RPMs compared with the binary
RPMs, we are not putting this content on the main mirror network. If users
wish to mirror this content they can do so using the reposync command
available in the yum/dnf-utils package. All CentOS source RPMs are signed with
the same key used to sign their binary counterparts. Developers and end users
looking at inspecting and contributing patches to the CentOS Linux distro will
find the code hosted at git.centos.org far simpler to work against. Details on
how to best consume those are documented along with a quick start at :
http://wiki.centos.org/Sources

Debuginfo packages have been signed and pushed. Yum configs
shipped in the new release file will have all the context required for
debuginfo to be available on every CentOS Linux install.

This release supersedes all previously released content for CentOS
Linux 8, and therefore we highly encourage all users to upgrade their
machines. Information on different upgrade strategies and how to
handle stale content is included in the Release Notes.

Note that older content, obsoleted by newer versions of the same
applications are trim'd off from repos like extras/ and centosplus/

--
Download

We produced the following installer images for CentOS Linux 8
# CentOS-8.2.2004-x86_64-minimal.iso: 1718616064 bytes
SHA256 (CentOS-8.2.2004-x86_64-minimal.iso) =
47ab14778c823acae2ee6d365d76a9aed3f95bb8d0add23a06536b58bb5293c0
# CentOS-8.2.2004-x86_64-boot.iso: 654311424 bytes
SHA256 (CentOS-8.2.2004-x86_64-boot.iso) =
c67876a5602faa17f68b40ccf2628799b87454aa67700f0f57eec15c6ccdd98c
# CentOS-8.2.2004-x86_64-dvd1.iso: 8231321600 bytes
SHA256 (CentOS-8.2.2004-x86_64-dvd1.iso) =
c87a2d81d67bbaeaf646aea5bedd70990078ec252fc52f5a7d65ff609871e255

# CentOS-8.2.2004-aarch64-minimal.iso: 1410226176 bytes
SHA256 (CentOS-8.2.2004-aarch64-minimal.iso) =
621d08902bfd7ca8437cd536b86631c87ddc3e36a530abc77011d230401eb158
# CentOS-8.2.2004-aarch64-boot.iso: 579823616 bytes
SHA256 (CentOS-8.2.2004-aarch64-boot.iso) =
76a9a5f84ac9581fee079d7154bf68f72661c9d941e9ab3143bccc760c23eecc
# CentOS-8.2.2004-aarch64-dvd1.iso: 5988872192 bytes
SHA256 (CentOS-8.2.2004-aarch64-dvd1.iso) =
9d2f066edfc3820fc9e4c6d52f01489a3ed57515cf608773e2b8a04f1903c838

# CentOS-8.2.2004-ppc64le-minimal.iso: 1493422080 bytes
SHA256 (CentOS-8.2.2004-ppc64le-minimal.iso) =
1d6802ce5581bd6ae22d13e491dfad65b7a32166f1484e8d6c532cd4cd7e18db
# CentOS-8.2.2004-ppc64le-boot.iso: 628408320 bytes
SHA256 (CentOS-8.2.2004-ppc64le-boot.iso) =
a039bc592e416b97914b6c99cc8cb070d6b35742dbcb7b6eccff55291659c664
# CentOS-8.2.2004-ppc64le-dvd1.iso: 7080738816 bytes
SHA256 (CentOS-8.2.2004-ppc64le-dvd1.iso) =
1a94eff60fd016ea8efb1d592eda85f0b5edde2ff2ad4c77db546ab90392421e

Information for the torrent files and sums are available at
http://mirror.centos.org/centos/8/isos/


Additional Images

Vagrant and Generic Cloud images 

Re: [CentOS] Simple scan in CentOS 7

2020-06-16 Thread Louis Lagendijk
On Mon, 2020-06-15 at 16:28 -0400, H wrote:
> I just installed C7 on a new computer and despite Simple Scan being
> installed as part of C7, I have not been able to get it to recognize
> my Canon scanner connected to a USB port. I did have it running on
> another computer with C7 so there should not be any inherent issues.
> 
> On a lark I installed gscan2pdf and sane-backends-drivers-scanners
> and sane-find-scanner found it:
> 
> found USB scanner (vendor=0x04a9 [Canon], product=0x1908 [CanoScan])
> at libusb:001:010
So this is a CanoScan 9000. According to 
http://sane-project.org/sane-mfgs.html#Z-CANON it is supported since
sane-1.0.27. Centos 78 apparently has Sane 1.0.24. So you must have
downloaded a later version of Sane somewhere or compiled it yourself
(not too difficult)

BR, Louis



Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread Jay Hart
Thanks to all that responded. Gordon's suggestion worked brilliantly.  I ran
the suggested command, saved the file, rebooted, apache came right up.

Can't thank you guys enough.

Now, let's try to solve my intermittent connectivity issue, more on that later...

Jay

> On 16/6/20 4:15 pm, Alessandro Baggi wrote:
>>
>> Note: when you will get update for httpd package all could be reverted
>> to the original status, so to avoid that your modified httpd.service
>> will get an overwrite, create an alternative httpd.service in
>> /etc/systemd/system (if I'm not wrong).
>>
>> Probably there is a new way to do this.
>>
> The new way to do this is exactly what Gordon suggested - using
> `systemctl edit ` creates an override in
> `/etc/systemd/system/httpd.service.d/override.conf`.
>
> The only issue is that there is no `systemctl` related command to remove
> this override - you will have to remember to `rm -rf
> /etc/systemd/system/httpd.service.d` if/when you want to remove that
> override.


Re: [CentOS] smb protocol version

2020-06-16 Thread me

On Mon, 15 Jun 2020, Christopher Wensink wrote:


I don't have any lines in my configuration file for any of the servers,
how can I tell what the default protocols are?

Are the defaults controlled by samba or the kernel?


samba controls this via smb.conf

See "man smb.conf" for details. The min protocols vary depending on the version
of samba you are running.

Regards,

--
Tom m...@tdiehl.org



Chris

On 6/15/2020 2:13 PM, Fred Smith wrote:

On Mon, Jun 15, 2020 at 11:23:54AM -0500, Christopher Wensink wrote:

I have a handful of Linux Servers, running Centos 6.10, and 6.8 with the
main host running openvz w/ Centos 6.10 as the main OS.  Two of the
guests are running samba, sharing directories out to windows clients.

I'm in the process of migrating servers over to vmware, using Centos
7.8.  How can I determine what smb protocol version is being used in the
shares for each server?  I don't see the protocol specified anywhere in
smb.conf?

Chris

in my Centos-7 box, /etc/samba/smb.conf contains:

server min protocol = SMB3_11
client max protocol = SMB3_11
client min protocol = SMB3_11


Some non-current windows versions don't support that version, you
may need to try different values til you find one that works.
Whatever you do, you don't want to use version 1.

I'm forcing version 3.1.1 only because all the devices I have
that support SMB also support 3.1.1, so if someone comes along with,
e.g., an old laptop with XP, it won't be able to insecurely talk
to my lan/wan. (and that's a feature, not a bug! ;=) )

Also, you may wish to peruse this page:

https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3





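
An added example, not part of the thread: a small auditor for the `server min protocol` / `client min protocol` floors discussed above. It reads the `[global]` section of an smb.conf and flags a floor that still admits SMB1 or that is not set at all, in which case the effective value is the built-in default of the installed Samba version. The two sample configs are constructed and the function names are hypothetical.

```python
import re

# SMB dialect names accepted by smb.conf, oldest first.
_DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
             "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
RANK = {name: i for i, name in enumerate(_DIALECTS)}
# Aliases: smb.conf(5) says SMB2 selects SMB2_10 and SMB3 selects SMB3_11.
RANK.update({"CORE+": RANK["COREPLUS"], "SMB2": RANK["SMB2_10"],
             "SMB3": RANK["SMB3_11"]})
OLDEST_NON_SMB1 = RANK["SMB2_02"]

# Samba ignores case and whitespace in parameter names, and "min protocol"
# is a synonym for "server min protocol".
CANONICAL = {
    "serverminprotocol": "server min protocol",
    "minprotocol": "server min protocol",
    "clientminprotocol": "client min protocol",
}

# Constructed samples: the three lines quoted in the thread, and a legacy file.
STRICT = """
[global]
    server min protocol = SMB3_11
    client max protocol = SMB3_11
    client min protocol = SMB3_11
"""
LEGACY = """
[global]
    workgroup = EXAMPLE
    ; older clients still connect
    Min Protocol = NT1
[share]
    path = /srv/share
    server min protocol = SMB3
"""


def protocol_floors(conf_text):
    """Return the protocol floors set explicitly in [global]; last one wins."""
    floors, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # a trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                       # these floors are global-only settings
        name, value = line.split("=", 1)
        key = CANONICAL.get(re.sub(r"\s+", "", name).lower())
        if key:
            floors[key] = value.strip().upper()
    return floors


def audit(conf_text):
    """Return [(parameter, value, verdict)] for the server and client floors."""
    floors = protocol_floors(conf_text)
    report = []
    for param in ("server min protocol", "client min protocol"):
        value = floors.get(param)
        if value is None:
            verdict = "unset"              # built-in default of this Samba version applies
        elif value not in RANK:
            verdict = "unknown"
        elif RANK[value] < OLDEST_NON_SMB1:
            verdict = "allows-smb1"
        else:
            verdict = "ok"
        report.append((param, value, verdict))
    return report


if __name__ == "__main__":
    for label, conf in (("strict", STRICT), ("legacy", LEGACY)):
        for param, value, verdict in audit(conf):
            print(f"{label}: {param} = {value} -> {verdict}")
```

On a live host, `testparm -sv` prints the effective values including the built-in defaults, which is what an "unset" verdict needs checking against.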


[CentOS] Centos7 and Vlan

2020-06-16 Thread Alfredo De Luca
Hi all.
I wonder if you can help me here.

I have centos7 with 1 network interface and on that IF we have 2 vlan.
From both vlan we'd like to reach the internet independently so basically
with 2 different gateways.

we tried with all the routes,rules etc but only on one vlan we are able to
ping 8.8.8.8 for instance.

Any suggestions/ideas?
Cheers


-- 
*/Alfredo*


Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread Anthony K

On 16/6/20 4:15 pm, Alessandro Baggi wrote:


Note: when you will get update for httpd package all could be reverted 
to the original status, so to avoid that your modified httpd.service 
will get an overwrite, create an alternative httpd.service in 
/etc/systemd/system (if I'm not wrong).


Probably there is a new way to do this.

The new way to do this is exactly what Gordon suggested - using 
`systemctl edit ` creates an override in 
`/etc/systemd/system/httpd.service.d/override.conf`.


The only issue is that there is no `systemctl` related command to remove 
this override - you will have to remember to `rm -rf 
/etc/systemd/system/httpd.service.d` if/when you want to remove that 
override.



Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread John Pierce
Just a wild guess, but it sounds like Apache is being started before the
network is online.  Is this host simple static Ethernet or DHCP, or is it
something more complicated like WiFi?

I believe you can set service dependencies with systemd, ideally your
apache service isn't started before the network is online.

If you are using WiFi, running a webserver is a bit ugly, perhaps
configuring Apache to listen to 0.0.0.0 (all interfaces) would be a better
choice?


Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread Simon Matter via CentOS
>
>
> Il 16/06/20 08:11, Alessandro Baggi ha scritto:
>>
>>
>> Il 16/06/20 06:21, Gordon Messmer ha scritto:
>>> On 6/15/20 7:06 PM, Jay Hart wrote:
>>>> If I do 'systemctl start httpd', apache will start right up.  But
>>>> during boot, it doesn't and I
>>>> get the resulting errors below.
>>>>
>>>> Jun 15 21:17:28 dream httpd[1534]: (99)Cannot assign requested
>>>> address: AH00072: make_sock: could
>>>> not bind to address 10.20.30.11:80
>>>
>>>
>>> httpd is starting before an interface has been configured with
>>> 10.20.30.11.
>>>
>>> The default configuration starts httpd after "network.target" but you
>>> want to start it after "network-online.target".
>>>
>>> IIRC: run "systemctl edit httpd.service" and insert:
>>>
>>> [Unit]
>>> After=network-online.target
>>>
>>
>>
>> +1
>>
>> This happened to me with ssh.
>
> Note: when you will get update for httpd package all could be reverted
> to the original status, so to avoid that your modified httpd.service
> will get an overwrite, create an alternative httpd.service in
> /etc/systemd/system (if I'm not wrong).

That's half right now, but still not good enough. If the RPM provided file
changes, your copy won't get those changes. To make this work better,
don't put the full file in /etc/systemd/system but just add an
override.conf there which is like a diff to the original file. That way
updates of the RPM are handled correctly.

Simon


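
An added example, not part of the thread: a small model of the two override styles compared above, a full copy of `httpd.service` under `/etc/systemd/system` versus an `override.conf` drop-in carrying the `After=network-online.target` line. It builds both layouts in a temporary directory, simulates a package update to the vendor unit, and merges the settings the way systemd does for list-type keys. The unit contents are constructed and simplified, and the function names are hypothetical.

```python
import os
import tempfile

# Constructed, simplified unit contents (not the real httpd.service).
VENDOR_V1 = "[Unit]\nAfter=network.target\n\n[Service]\nExecStart=/usr/sbin/httpd -DFOREGROUND\n"
VENDOR_V2 = VENDOR_V1 + "PrivateTmp=true\n"        # pretend a package update adds this
FULL_COPY = VENDOR_V1.replace("network.target", "network.target network-online.target")
DROP_IN = "[Unit]\nAfter=network-online.target\n"  # the override from the thread


def read_values(path, section, key):
    """Yield each value assigned to key inside [section] of one unit file."""
    current = None
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif current == section and "=" in line:
                name, value = line.split("=", 1)
                if name.strip() == key:
                    yield value.strip()


def effective(unit, section, key, vendor_dir, admin_dir):
    """Merge the main unit file and its drop-ins for a list-type setting."""
    admin_main = os.path.join(admin_dir, unit)
    # A full copy under the admin directory replaces the vendor file entirely.
    main = admin_main if os.path.exists(admin_main) else os.path.join(vendor_dir, unit)
    dropins = {}
    for base in (vendor_dir, admin_dir):           # admin drop-in wins on a name clash
        d = os.path.join(base, unit + ".d")
        if os.path.isdir(d):
            for name in os.listdir(d):
                if name.endswith(".conf"):
                    dropins[name] = os.path.join(d, name)
    merged = []
    for path in [main] + [dropins[n] for n in sorted(dropins)]:
        for value in read_values(path, section, key):
            if value == "":
                merged = []                        # an empty assignment resets the list
            else:
                merged.extend(value.split())       # fits After= and one-word values
    return merged


def classify(unit, admin_dir):
    """Say how the admin directory modifies the unit, if at all."""
    if os.path.exists(os.path.join(admin_dir, unit)):
        return "shadowed"                          # full copy: vendor changes are not seen
    if os.path.isdir(os.path.join(admin_dir, unit + ".d")):
        return "drop-in"
    return "vendor"


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo(style):
    """style is 'copy' or 'drop-in'; returns (class, After, PrivateTmp) after the update."""
    unit = "httpd.service"
    with tempfile.TemporaryDirectory() as root:
        vendor = os.path.join(root, "usr/lib/systemd/system")
        admin = os.path.join(root, "etc/systemd/system")
        os.makedirs(admin)
        _write(os.path.join(vendor, unit), VENDOR_V1)
        if style == "copy":
            _write(os.path.join(admin, unit), FULL_COPY)
        else:
            _write(os.path.join(admin, unit + ".d", "override.conf"), DROP_IN)
        _write(os.path.join(vendor, unit), VENDOR_V2)   # the package update lands
        return (classify(unit, admin),
                effective(unit, "Unit", "After", vendor, admin),
                effective(unit, "Service", "PrivateTmp", vendor, admin))


if __name__ == "__main__":
    for style in ("copy", "drop-in"):
        print(style, demo(style))
```

On a live system, `systemd-delta` lists which units are overridden by a full copy and which are extended by drop-ins.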