[CentOS] Puppet + Passenger SELinux issues
I recently set up my Puppetmaster server to run through Passenger via Apache instead of on the default WEBrick web server. SELinux made that not work and I've found some documentation on making rules to allow it, however mine won't load. This is the policy I found via this website, http://sandcat.nl/~stijn/2012/01/20/selinux-passenger-and-puppet-oh-my/comment-page-1/ .

    module puppet_passenger 1.7;

    require {
        type bin_t;
        type devpts_t;
        type httpd_t;
        type passenger_t;
        type port_t;
        type proc_net_t;
        class process { getattr siginh setexec sigchld noatsecure transition rlimitinh };
        class unix_stream_socket { getattr accept read write };
        class capability { sys_resource sys_ptrace };
        class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink };
        class lnk_file { getattr read };
        class udp_socket name_bind;
        class dir { getattr setattr add_name remove_name search open read write ioctl lock };
    }

    #= httpd_t ==
    allow httpd_t port_t:udp_socket name_bind;
    allow httpd_t proc_net_t:file { read getattr open };
    allow httpd_t bin_t:file entrypoint;
    allow httpd_t passenger_t:process sigchld;
    allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };

    optional_policy(`
        puppet_manage_lib(httpd_t)
        puppet_search_log(httpd_t)
        puppet_search_pid(httpd_t)
        allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };
    ')

    #= passenger_t ==
    allow passenger_t devpts_t:dir search;
    allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };
    allow passenger_t self:capability { sys_resource sys_ptrace };
    allow passenger_t self:process setexec;
    ps_process_pattern(passenger_t, httpd_t)
    domain_read_all_domains_state(passenger_t)

Using the SELinux Makefile works, but when I try to add the new policy via "semodule -i puppet_passenger.pp" I get the following:

    # semodule -i puppet_passenger.pp
    libsepol.print_missing_requirements: puppet_passenger's global requirements were not met: type/attribute passenger_t (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
    semodule: Failed!

The blog I got the policy from mentioned disabling the rubygem_passenger policy; is that where passenger_t is defined? I've looked at the source of selinux-policy and see the required type of passenger_t is working, so I'm unsure why it doesn't work in my policy.

The policy from audit2allow generates this when using "grep -e 'httpd\|passenger'", but it seems like too much allowance:

    module passenger 1.0;

    require {
        type unconfined_t;
        type semanage_t;
        type init_t;
        type system_cronjob_t;
        type mysqld_t;
        type syslogd_t;
        type apmd_t;
        type initrc_t;
        type postfix_local_t;
        type puppet_etc_t;
        type setfiles_t;
        type rpm_t;
        type unlabeled_t;
        type var_run_t;
        type kernel_t;
        type puppet_var_run_t;
        type puppet_var_lib_t;
        type auditd_t;
        type httpd_t;
        type rpm_var_lib_t;
        type postfix_cleanup_t;
        type postfix_master_t;
        type inetd_t;
        type udev_t;
        type mysqld_safe_t;
        type postfix_pickup_t;
        type sshd_t;
        type crond_t;
        type getty_t;
        type postfix_qmgr_t;
        type ntpd_t;
        class sock_file { write unlink open };
        class capability { sys_resource sys_ptrace };
        class process setexec;
        class dir { write getattr read create search add_name };
        class file { execute read create execute_no_trans write open append };
    }

    #= httpd_t ==
    allow httpd_t apmd_t:dir { getattr search };
    allow httpd_t apmd_t:file { read open };
    allow httpd_t auditd_t:dir { getattr search };
    allow httpd_t auditd_t:file { read open };
    allow httpd_t crond_t:dir { getattr search };
    allow httpd_t crond_t:file { read open };
    allow httpd_t getty_t:dir { getattr search };
    allow httpd_t getty_t:file { read open };
    allow httpd_t inetd_t:dir { getattr search };
    allow httpd_t inetd_t:file { read open };
    allow httpd_t init_t:dir { getattr search };
    allow httpd_t init_t:file { read open };
    allow httpd_t initrc_t:dir { getattr search };
    allow httpd_t initrc_t:file { read open };
    allow httpd_t kernel_t:dir { getattr search };
    allow httpd_t kernel_t:file { read open };
    allow httpd_t mysqld_safe_t:dir { getattr search };
    allow httpd_t mysqld_safe_t:file { read open };
    allow httpd_t mysqld_t:dir { getattr search };
    allow httpd_t mysqld_t:file { read open };
    allow httpd_t ntpd_t:dir { getattr search };
    allow httpd_t ntpd_t:file { read open };
    allow httpd_t postfix_cleanup_t:dir { getattr search };
    allow httpd_t postfix_cleanup_t:file { read open };
    allow httpd_t postfix_local_t:dir { getattr search };
    allow httpd_t postfix_local_t:file { read open };
    allow httpd_t postf
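The link error above ("global requirements were not met: type/attribute passenger_t") is the loaded policy telling you that a type named in the module's require block does not exist on the system, which is a different failure from the one checkmodule reports when a type is used without being required. The following script, an added example that is not the poster's or the blog's code, performs both checks offline: it extracts the require block of a .te file (brace-balanced, since class lines inside it carry their own braces), compares it with a list of known types, and lists types that rules reference without requiring them. The module text is a shortened, constructed excerpt of the thread's puppet_passenger.te (the puppet_var_lib_t rule is pulled out of its optional_policy block on purpose), and the known-type set is constructed to mimic a host with no passenger module loaded; on a real host you would build that set from `seinfo -t` (setools) or from the types the installed modules declare.

```python
"""Pre-flight check for an SELinux policy module's require block.

Added example, not from the mailing-list thread. Two checks:
  * missing_requirements: required types absent from the loaded policy
    (what libsepol reports at semodule -i link time);
  * undeclared_types: types used in rules but never required (what
    checkmodule reports at build time unless an interface brings them
    into scope).
"""
import re

# Constructed excerpt of the thread's module; not the full file.
PUPPET_PASSENGER_TE = """\
module puppet_passenger 1.7;

require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type port_t;
    type proc_net_t;
    class process { getattr siginh setexec sigchld noatsecure transition rlimitinh };
    class udp_socket name_bind;
    class file { relabelfrom relabelto };
}

#= httpd_t ==
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t passenger_t:process sigchld;
# In the thread this rule sits inside optional_policy() next to puppet_*
# interface calls; here it is a bare rule so the scope check has a finding.
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };

#= passenger_t ==
allow passenger_t self:process setexec;
"""

# Constructed stand-in for `seinfo -t` output on a host with no passenger
# module loaded: passenger_t is deliberately absent.
KNOWN_TYPES = {"bin_t", "devpts_t", "httpd_t", "port_t", "proc_net_t",
               "puppet_var_lib_t", "unconfined_t"}

# "type a, b;" and "attribute x;" lines inside the require block.
_DECL_RE = re.compile(r"^\s*(?:type|attribute)\s+([\w ,]+?)\s*;", re.M)
# Source and (single-type) target of allow/dontaudit/auditallow rules.
_RULE_RE = re.compile(r"^\s*(?:allow|dontaudit|auditallow)\s+(\S+)\s+([^:\s]+):", re.M)


def require_block(te_text):
    """Return the body of the top-level require { ... } block."""
    m = re.search(r"\brequire\s*\{", te_text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(te_text)):
        if te_text[i] == "{":
            depth += 1
        elif te_text[i] == "}":
            depth -= 1
            if depth == 0:
                return te_text[start:i]
    raise ValueError("unbalanced braces in require block")


def required_types(te_text):
    """Types and attributes the module declares in its require block, in order."""
    names = []
    for m in _DECL_RE.finditer(require_block(te_text)):
        names.extend(n.strip() for n in m.group(1).split(","))
    return names


def missing_requirements(te_text, known_types):
    """Required types the loaded policy does not define."""
    return sorted(set(required_types(te_text)) - set(known_types))


def undeclared_types(te_text):
    """Types referenced by rules but never required ("self" is implicit)."""
    declared = set(required_types(te_text))
    used = {name for m in _RULE_RE.finditer(te_text)
            for name in m.groups() if name != "self"}
    return sorted(used - declared)


def check_module(te_text, known_types):
    return {"missing": missing_requirements(te_text, known_types),
            "undeclared": undeclared_types(te_text)}


if __name__ == "__main__":
    print(check_module(PUPPET_PASSENGER_TE, KNOWN_TYPES))
    # → {'missing': ['passenger_t'], 'undeclared': ['puppet_var_lib_t']}
```

Running it against the constructed excerpt reports passenger_t as missing, which is the thread's symptom: the only remedy is to load the module that defines that type (the blog's advice to disable the rubygem_passenger policy removes the very module the require block depends on) or to rewrite the rules without it.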
Re: [CentOS] centos security
On Feb 18, 2012 10:41 PM, "Al" wrote:
>
> On Feb 18, 2012, at 9:34 PM, Les Bell wrote:
>
> > Al wrote:
> >
> > >>>
> > Any suggestions on what to run on a centos box to verify that the
> > server isn't compromised or being sniffed? Thanks!
> > <<
> >
> > For "isn't compromised", you need a host integrity verification system like
> > Tripwire or AIDE (which is in the base repo). Expect to have to tweak the
> > config to cover the stuff you've got installed.
> >
> > You can detect sniffing by checking for promiscuous interfaces on the LAN -
> > use proDETECT (http://sourceforge.net/projects/prodetect/) or a similar
> > tool for this purpose.
> >
> > Alternatively, if you have the time and resources, you could run a
> > full-blown network intrusion detection system like Snort
> > (http://www.snort.org).
> >
> > Best,
> >
> > --- Les Bell
> > [http://www.lesbell.com.au]
> > Tel: +61 2 9451 1144
>
> Les,
>
> Thanks for the suggestion, I will run through all the methods stated
> to me...

I use OSSEC on all my production systems. Can be configured to block hosts who trigger known attack patterns.

- Trey

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
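The host integrity verification that Les Bell recommends (Tripwire, AIDE, and OSSEC's syscheck all do this) is a baseline-and-compare of file content and metadata. The script below is an added example, not code from the thread or from any of those tools: it builds a baseline of SHA-256 digests, permission bits and sizes for every regular file under a root, then reports what was added, removed or modified. The sample tree and the tampering (a changed sshd_config, a setuid bit added to a helper binary, a new library, a deleted file) are constructed in a temporary directory so it runs offline; the file names are illustrative only. A real deployment keeps the baseline off-host or signed, since a baseline an intruder can rewrite proves nothing.

```python
"""Minimal host-integrity check in the spirit of AIDE/Tripwire.

Added example, not from the mailing-list thread. Records a baseline of
content digest plus mode and size per regular file, then diffs a later scan
against it. Mode is included so a permission-only change (e.g. a setuid bit
appearing) is caught even when the bytes are unchanged.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return added/removed/modified relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data, mode=0o644):
    """Helper for the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "sbin/unix_chkpwd", b"#!/bin/true\n", 0o755)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")   # content change
        _write(root, "sbin/unix_chkpwd", b"#!/bin/true\n", 0o4755)     # setuid bit only
        _write(root, "usr/lib/libunexpected.so", b"\x7fELF")            # new file
        os.remove(os.path.join(root, "etc/hosts"))                       # removed file

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The demo reports sbin/unix_chkpwd as modified even though its bytes are identical, which is the point of recording mode alongside the digest; a digest-only check would miss a newly setuid helper.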
Re: [CentOS] RHEV guest tools
On Thu, Dec 29, 2011 at 1:05 PM, Johnny Hughes wrote:
> On 12/29/2011 10:26 AM, Trey Dockendorf wrote:
> > On Dec 29, 2011 9:50 AM, "Karanbir Singh" wrote:
> >>
> >> On 12/29/2011 02:21 PM, Johnny Hughes wrote:
> >>>
> >>> Would this spec file (and source tar ball) build the proper package?
> >>>
> >>> If not, where would I get it.
> >>>
> >>> I would be happy to build the proper source for centos extras for CentOS
> >>> guests.
> >>
> >> lets see if we can get the entire ovirt stack done - its quite a pain
> >> building it at the moment though, but if a couple of people want to help
> >> - we might be able to get that in
> >>
> >> - KB
> >
> > I can attest to the difficulty of that build. I tried using FC16 srpms
> > against 6.1 using mock and I spent an entire day with no luck. Wrote
> > scripts that would yumdownload srpms, then attempt a build, download the
> > missing deps and retry. Got to the point where only one new package would
> > build, then failed on kernel versions. Though 6.2 should much more closely
> > match what upstream uses, as I believe RHEV 3 will be released for 6.2.
> >
> > Any idea if the full RHEV suite will be open sourced and eventually
> > available in CentOS? Both the rhev hypervisor and manager. I've lost the
> > fight at my org to buy the product.
> >
> > If you need any extra help with the build I'd be willing to assist. Been
> > following Ovirt closely.
>
> Do you specifically have the guest tools SRPMS, which is something we
> can do first and also come up with the whole stack later.

I don't have the guest tools, no. I only got as far as about 1/2 of the Maven2 deps and maybe half the jboss deps.
Re: [CentOS] RHEV guest tools
On Dec 29, 2011 9:50 AM, "Karanbir Singh" wrote:
>
> On 12/29/2011 02:21 PM, Johnny Hughes wrote:
> >
> > Would this spec file (and source tar ball) build the proper package?
> >
> > If not, where would I get it.
> >
> > I would be happy to build the proper source for centos extras for CentOS
> > guests.
>
> lets see if we can get the entire ovirt stack done - its quite a pain
> building it at the moment though, but if a couple of people want to help
> - we might be able to get that in
>
> - KB

I can attest to the difficulty of that build. I tried using FC16 srpms against 6.1 using mock and I spent an entire day with no luck. Wrote scripts that would yumdownload srpms, then attempt a build, download the missing deps and retry. Got to the point where only one new package would build, then failed on kernel versions. Though 6.2 should much more closely match what upstream uses, as I believe RHEV 3 will be released for 6.2.

Any idea if the full RHEV suite will be open sourced and eventually available in CentOS? Both the rhev hypervisor and manager. I've lost the fight at my org to buy the product.

If you need any extra help with the build I'd be willing to assist. Been following Ovirt closely.

- Trey
Re: [CentOS] RHEV guest tools
On Dec 29, 2011 2:25 AM, "Johan Kooijman" wrote:
>
> Hi all,
>
> We're running RHEV as our main virtualization platform. Most of our
> guests are CentOS though. Do you guys know if there's a guest tools
> package for CentOS available like there is for Windows for example?
> Can't really find an answer here.
>
> --
> Met vriendelijke groeten / With kind regards,
> Johan Kooijman
>
> T +31(0) 6 43 44 45 27
> F +31(0) 162 82 00 01
> E m...@johankooijman.com

I don't use RHEV (yet), but being that it's based on KVM and libvirt I don't think you need guest tools. When you configure in RHEV Manager does it identify the paravirtual devices as virtio? If so then it's standard in the kernel used by CentOS since around 5.5. I run all my CentOS VMs on the KVM / libvirt platform and systems install fine without any additional tools. The only additional thing I install is acpid to allow the VM manager to perform shutdowns and reboots.

- Trey
Re: [CentOS] Ad integration with centos 6
I wrote an article some time ago for CentOS 6 and have been using this setup in production since. http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/

My servers that interact with AD allow both AD based file sharing and also SSH access. The most updated configs I use can be found here, https://github.com/treydock/puppet-samba. I just added recent changes where I use AD groups to delegate access to the Linux server. This works with 2008 R2.

- Trey

On Fri, Dec 23, 2011 at 12:23 AM, dnk wrote:
> Can anyone point me to a tutorial on using Active Directory to authenticate
> a centos 6 server? I just want to use it to authenticate, ssh and restrict
> access to a particular ad group. I prefer to use the lightest method
> possible. I know you can use ldap, or winbind, etc. I have been trying to
> follow the ones I have been googling, but none of them seem quite complete.
> My issue is that I have no ldap experience.
>
> Dnk
Re: [CentOS] Setting up a Virtual Machine
On Sun, Nov 20, 2011 at 7:29 PM, John J. Boyer wrote:
> On Sun, Nov 20, 2011 at 02:54:34PM -0800, John R Pierce wrote:
> >
> > imho, the easiest way to do this would be to install VirtualBox.
>
> So I tried to install the latest version of VirtualBox from
> virtualbox.org. It turned out that it deleted a previous version, which I
> suppose was provided with CentOS and then couldn't install itself. The
> error message said it could not find the kernel source. What should I
> do now?
>
> John
>
> > memory assigned to the VM is only in use when the VM is active, you can
> > 'standby' a virtualbox and it releases all its resources, then resume it
> > at another time.
> >
> > --
> > john r pierce                            N 37, W 122
> > santa cruz ca                         mid-left coast
>
> --
> John J. Boyer; President, Chief Software Developer
> Abilitiessoft, Inc.
> http://www.abilitiessoft.com
> Madison, Wisconsin USA
> Developing software for people with disabilities

For Virtualbox this article may be helpful, http://www.if-not-true-then-false.com/2010/install-virtualbox-with-yum-on-fedora-centos-red-hat-rhel/
Re: [CentOS] redhat vs centos
On Mon, Nov 7, 2011 at 8:38 PM, Marko Vojinovic wrote:
> On Monday 07 November 2011 22:23:09 Reindl Harald wrote:
> > Am 07.11.2011 22:50, schrieb Marko Vojinovic:
> > > Typically, you have no way of knowing the physical structure of the
> > > "cloud machine" where your virtual machine is being hosted. Also, this
> > > structure may even change over time due to upgrades of the cloud
> > > hardware (by the cloud provider). You wouldn't even know about it.
> >
> > again:
> >
> > the physical structure does not matter
> > you pay for virtual CPUs as you do also for virtual appliances
> > of some vendors where you can get a license with 2 vCPUs or
> > 4 vCPUs - independent if you have your own hardware or using
> > any hosting service
> >
> > what is there so difficult to understand?
>
> Well, what I don't understand is how many vCPU's are equal to one socket.
>
> Or, to be explicit, let me invent an example: suppose that I have leased
> virtual hardware from some 3rd party, and have obtained a virtual machine with
> 6 vCPU's. I want to buy RHEL licences to install on that machine. AFAIK, RH
> counts licences in sockets. How many licences should I buy? Or, iow, how many
> sockets is equal to 6 vCPU's?
>
> Does RH have a formula for the number of sockets as a function of the number
> of vCPU's (and vice versa)?
>
> Best, :-)
> Marko

Socket != vCPU. There is no need for a formula. The licensing is done based on the hosting hardware. That does not mean it has to be a RHEL hypervisor. When I got my quotes it was to put 4 guests on a 2-socket VMware ESXi server. That would be a single license for 2-socket w/ 4 guests. That wouldn't change no matter how many vCPUs I used. It's much easier to ensure license compliance on the hosting hardware than on something as dynamic as the vCPU count.

I'd recommend contacting Red Hat to get a definitive answer, as I am basing what I know on my talks with my campus' Red Hat rep several months ago.

- Trey
Re: [CentOS] redhat vs centos
On Mon, Nov 7, 2011 at 2:29 PM, mark wrote:
> Trey Dockendorf wrote:
> > On Mon, Nov 7, 2011 at 10:42 AM, John Beranek wrote:
> >> On 02/11/2011 10:31, Patrick Lists wrote:
> >> > On 11/02/2011 11:02 AM, Tony Mountifield wrote:
> >> >> What is a "socket" in their pricing model? The word can mean so many
> >> >> different things...
> >> >
> >> > Afaik it refers to a physical cpu socket. So they count actual cpu's,
> >> > not the amount of cores in each cpu.
> >
> > The sockets refers to the literal, physical CPUs. Virtual CPUs (for
> > guests) or cores do not count. Unless you're running some kind of mainframe
> > you will likely have a server with anywhere from 1-2 sockets. My
> > understanding of the licensing is that you pay for the
> > host/hypervisor/machine to have RHEL, plus however many guests the license
> > includes. So 4 or unlimited.
>
> Heh. Depends on where you work: we've been getting in servers with 4, like
> the Dell PE 810, and some Penguins we've got, and I think the new ones
> (haven't opened any up) have more.
>
> mark

That is very true. Your organization must also value Linux. Mine doesn't and is poor. State funded University :-/.

- Trey
Re: [CentOS] SELinux and SETroubleshootd woes in CR
On Mon, Nov 7, 2011 at 3:02 PM, Daniel J Walsh wrote:
> On 11/07/2011 03:23 PM, Trey Dockendorf wrote:
> > On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh wrote:
> >
> > > On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> > >
> > > > Do you have the
> > > >
> > > > allow_httpd_mod_auth_pam
> > > >
> > > > boolean turned on?
> >
> > Sorry for the late reply...
> >
> > I've disabled the dontaudits for now, hopefully that may shed some
> > light on this.
> >
> > Are there any other methods to debug or troubleshoot
> > setroubleshootd? Or even to verify it's working? I'd like to rule
> > out that the CR update is the culprit to this no longer sending
> > emails on denials.
> >
> > I also can't seem to get the sealert GUI to work over X11
> > forwarding.
> > ---
> > $ sealert -b -V
> > 2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus:
> > org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch
> > terminated abnormally without any error message
> >
> > The text version seems to work fine though. However I would really
> > like the alerts via email as I begin to leave SELinux enabled on
> > all new servers I provision, and force myself to learn this.
> >
> > Thanks - Trey
>
> grep email /etc/setroubleshoot/setroubleshoot.conf

This configuration is on my KVM server which is almost static...the host I began noticing this on has the same results from that command...

    # grep email /etc/setroubleshoot/setroubleshoot.cfg
    [email]
    # recipients_filepath: Path name of file with email recipients. One address
    recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
    # from_address: The From: email header
    # subject: The Subject: email header
    # categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
    # categories is: [rpc, xml, cfg, alert, sig, plugin, avc, email, gui,
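The grep output above shows the one setting that decides whether setroubleshootd can send anything at all: recipients_filepath. Nothing in the daemon's log tells you the recipients file is missing or empty, so a quick offline check of that chain is the first verification step before suspecting the CR update. The script below is an added example, not part of the thread or of setroubleshoot itself: it parses the [email] section with configparser (the file is INI-style, as the grep output shows), then checks that the recipients file exists, is non-empty and holds plausible addresses. The config and recipients file are constructed in a temporary directory; the one-address-per-line layout of the recipients file is an assumption taken from the "One address" comment in the poster's config, not verified against setroubleshoot's source.

```python
"""Sanity-check setroubleshoot's e-mail alert configuration.

Added example, not from the mailing-list thread. Reads recipients_filepath
from the [email] section and verifies the recipients file behind it, which
is the usual silent reason for "no alert mails" when the daemon otherwise
runs.
"""
import configparser
import os
import tempfile

# Constructed config in the shape the thread's grep output shows.
SAMPLE_CFG = """\
[email]
# recipients_filepath: Path name of file with email recipients. One address per line
recipients_filepath = {recipients}
# from_address: The From: email header
from_address = selinux@example.invalid
# subject: The Subject: email header
subject = SELinux AVC Alert
"""


def check_email_alerts(cfg_path):
    """Return a list of problems; an empty list means alerts have somewhere to go."""
    cfg = configparser.ConfigParser()
    if not cfg.read(cfg_path):
        return [f"cannot read {cfg_path}"]
    if not cfg.has_section("email"):
        return ["no [email] section"]
    path = cfg.get("email", "recipients_filepath", fallback="").strip()
    if not path:
        return ["recipients_filepath not set"]
    if not os.path.isfile(path):
        return [f"recipients file missing: {path}"]
    with open(path) as f:  # assumed format: one address per line, '#' comments
        addrs = [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
    problems = []
    if not addrs:
        problems.append(f"recipients file is empty: {path}")
    problems.extend(f"malformed recipient: {a}" for a in addrs if "@" not in a)
    return problems


def demo():
    """Constructed scenario: config present, recipients file created afterwards."""
    with tempfile.TemporaryDirectory() as d:
        rcp = os.path.join(d, "email_alert_recipients")
        cfg = os.path.join(d, "setroubleshoot.cfg")
        with open(cfg, "w") as f:
            f.write(SAMPLE_CFG.format(recipients=rcp))
        before = check_email_alerts(cfg)        # recipients file does not exist yet
        with open(rcp, "w") as f:
            f.write("# who gets AVC alerts\nadmin@example.invalid\nnot-an-address\n")
        after = check_email_alerts(cfg)
        return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host you would point check_email_alerts at /etc/setroubleshoot/setroubleshoot.cfg; the daemon also needs a working local MTA, which this check does not cover.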
Re: [CentOS] SELinux and SETroubleshootd woes in CR
On Wed, Nov 2, 2011 at 8:54 AM, Daniel J Walsh wrote:
> On 11/01/2011 09:12 PM, Trey Dockendorf wrote:
> >
> > > Do you have the
> > >
> > > allow_httpd_mod_auth_pam
> > >
> > > boolean turned on?
> >
> > (Accidentally sent as quote )
> >
> > Ah! I did not know about setsebool.
> >
> > It's now not failing on SELinux (at least that I can tell). Now I
> > get this in /var/log/secure...
> >
> > Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
> > Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
> > Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
> > Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
> > Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
> > Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treyd...@tamu.edu)
> > Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)
> >
> > The keytab error is expected, because to authenticate with my
> > university's Kerberos system it's without adding my server to
> > their databases. I have other servers on CentOS 5 and 6 running
> > this just fine, and right now SELinux is the only difference
> > between them.
> >
> > Also, I'm still concerned I never got an email from
> > setroubleshootd about the denials that are now fixed by using
> > setsebool. Any steps I can take to troubleshoot the problem?
> >
> > Thanks - Trey
>
> It was probably blocked by a dontaudit rule.
>
> semodule -DB will turn off dontaudit rules, but be prepared for a flood of
> useless avc's.
>
> semodule -B
>
> Turns it back on.

Sorry for the late reply...

I've disabled the dontaudits for now, hopefully that may shed some light on this.

Are there any other methods to debug or troubleshoot setroubleshootd? Or even to verify it's working? I'd like to rule out that the CR update is the culprit to this no longer sending emails on denials.

I also can't seem to get the sealert GUI to work over X11 forwarding.
---
    $ sealert -b -V
    2011-11-07 14:20:57,507 [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated abnormally without any error message

The text version seems to work fine though. However I would really like the alerts via email as I begin to leave SELinux enabled on all new servers I provision, and force myself to learn this.

Thanks - Trey
Re: [CentOS] redhat vs centos
On Mon, Nov 7, 2011 at 10:42 AM, John Beranek wrote:
> On 02/11/2011 10:31, Patrick Lists wrote:
> > On 11/02/2011 11:02 AM, Tony Mountifield wrote:
> >> What is a "socket" in their pricing model? The word can mean so many
> >> different things...
> >
> > Afaik it refers to a physical cpu socket. So they count actual cpu's,
> > not the amount of cores in each cpu.
>
> I was just asking myself this very question the other day, and I
> couldn't determine how many sockets you are using if you use, say, 2
> _virtual_ processors.
>
> John.
>
> --
> John Beranek                        To generalise is to be an idiot.
> http://redux.org.uk/                                 -- William Blake

The sockets refers to the literal, physical CPUs. Virtual CPUs (for guests) or cores do not count. Unless you're running some kind of mainframe you will likely have a server with anywhere from 1-2 sockets. My understanding of the licensing is that you pay for the host/hypervisor/machine to have RHEL, plus however many guests the license includes. So 4 or unlimited.

Example: my server has 2 sockets, 4 cores each. If I paid for RHEL unlimited guests on 2 sockets...I could have only 2 virtual machines each with 4 virtual CPUs, or 8 VMs with 1 vCPU each. That's still within the license. Sockets is referring to the things that are LGA775 or AM3+.

- Trey
Re: [CentOS] School cloud solution
On Sun, Nov 6, 2011 at 12:57 PM, Daniel Bird wrote:
> On 06/11/2011 00:49, Ljubomir Ljubojevic wrote:
> > > Look into google 'apps' (which is really corporatized google
> > > documents). you edit your documents via your web browser, everything
> > > is hosted in googles cloud so its accessible everywhere. It supports
> > > written 'word' style documents, spreadsheets, presentations (powerpoint
> > > like) and a few other types.
> > >
> > > yes, it costs money per person per year (up to 25 users are free), but
> > > I'd have to assume there's an educational discount.
>
> Google apps for Education is free*
> http://www.google.com/apps/intl/en/edu/
>
> *in the UK at least; and "free" depends on your POV.
>
> D

My College at Texas A&M University is also looking for such capability. The issue we ran into is that Texas laws restrict where data can be stored for use by state funded institutions. Ensuring data stays in Texas is nearly impossible with "cloud" services, but apparently Google is willing to make that happen. They have told my University that they will offer their services for free. I would definitely look into it. I don't know the specifics of how it's implemented, but I doubt they would require gmail accounts, because we are looking to do it for our faculty/staff and we already discourage use of Google services for work related material. They will likely integrate it into whatever you already use.

Unfortunately there aren't a lot of great open source solutions out there for "cloud storage" that can compete with Google or others. Besides what's already been mentioned there is Sparkleshare, http://sparkleshare.org/ . I use it personally on Linux and OS X with ease, but the Windows portion is still in beta. Another one my organization attempted was iFolder, http://www.kablink.org/ifolder. One I haven't worked with yet, but have seen, is http://owncloud.org/.

- Trey
Re: [CentOS] redhat vs centos
On Wed, Nov 2, 2011 at 5:36 PM, Dennis Jacobfeuerborn wrote:
> On 11/02/2011 06:34 AM, Ned Slider wrote:
> > On 01/11/11 22:26, Dennis Jacobfeuerborn wrote:
> >> On 11/01/2011 09:36 PM, Ned Slider wrote:
> >>> On 01/11/11 18:27, Bob Hoffman wrote:
> >>>> David Miller wrote
> >>>> ---
> >>>> You can go with the self support option. Seeing you are willing to go
> >>>> with CentOS as long as there are timely updates. That tells me you dont
> >>>> really care about getting "support" from the vendor. You can pick up
> >>>> workstation self support for $50 and server for $350 a year. That means
> >>>> you will get all the updates but just can't call or open tickets with
> >>>> Redhat. The limitations imposed by Redhat for "Support" they will
> >>>> provide are artificial. Although Redhat says it will only support 2
> >>>> sockets and x amount of virtual guests you can still do it.
> >>>> ---
> >>>> From what I saw on the redhat site they have also taken away that
> >>>> support/subscription model. They have standard support as minimum, for
> >>>> me it would be 4,000+ or more for my 2 little non-commercial
> >>>> servers...forget it.
> >>>
> >>> First option, Desktop Self-support Subscription (1 year) $49:
> >>>
> >>> https://www.redhat.com/apps/store/desktop/
> >>>
> >>> First option, Server Self-support Subscription (1 year) $349
> >>>
> >>> https://www.redhat.com/apps/store/server/
> >>>
> >>> A 2 socket virtualization platform is $1,999 giving unlimited virtual
> >>> guests.
> >>
> >> Just to be sure does that mean that for $2000 I can install on one physical
> >> system and unlimited guests on that system or does that mean the $2000 are
> >> only for the host system with the *ability* to host an unlimited number of
> >> guests and I still have to buy a subscription for each individual guest on
> >> top of that?
> >>
> >> Regards,
> >> Dennis
> >
> > All I can tell you is that our virtualization licenses allow you to
> > install on 1 host (up to 2 sockets), and on *that* one host you can then
> > install as many RHEL guests as you like and they will all be entitled to
> > updates through RHN without consuming any further entitlements. So
> > unlimited entitled RHEL guests.
>
> Is that the $2000 license or how much do you pay for that? I'm trying to
> understand if the costs of licensing RHEL are actually feasible for and
> right now I'm a bit perplexed that their licensing isn't all that clear.
> If the license indeed includes the entitlements for RHEL guests on that
> host then this actually looks manageable but if you have to pony up more
> on top of that for each VM then something like debian looks indeed more
> attractive.
>
> Regards,
> Dennis

I don't work for Red Hat, but I had these same questions answered a few months ago when I wanted to move my employer from CentOS to RHEL, as we are moving ALL web hosting assets from IIS *shudder* to Linux. Unfortunately my employer confuses "open-source" with "free" and felt that $1500-$2500 (Education pricing) for unlimited guests was outrageous. Personally, I felt if they want enterprise level web services, and value continuity, then it was worth it. If I ever left this organisation, it would be much easier to find someone who can use RHEL (or a phone) to get things working than to go with no commercial support.

Anyway, the Unlimited guests means you pay for one physical machine with up to two CPU sockets (not cores). If your physical host has 20 guests, it's of no extra cost. In my case I would have to pay for 2 servers as I run them in a failover cluster, but between those two servers I would pay nothing extra no matter how many virtual guests I ran.

As for CentOS and its future, even with the changes from RHN I don't see CentOS being any less useful. The fact that Red Hat took the time to make sure the CentOS devs understood the changes to the AUP shows some appreciation. They could have just never bothered and waited for someone to slip up, then sue and destroy CentOS. Red Hat is a business, and even as good as it is for their business to help CentOS, they can't make exceptions to their AUP. I think they did CentOS a big favor by communicating the changes.

I've used Linux for about 12 years now, and never once have I been able to pick up the phone and call support. However when things require enterprise level service, and a business, or in my case a University, is dependent on those services, it is good to not have to rely entirely on the in house talent for solutions. Some things I've had to tackle took probably $2,000 worth of my time to solve, which is how the "bean counters" see things.

- Trey
Re: [CentOS] SELinux and SETroubleshootd woes in CR
> Do you have the
>
> allow_httpd_mod_auth_pam
>
> boolean turned on?

(Accidentally sent as quote )

Ah! I did not know about setsebool.

It's now not failing on SELinux (at least that I can tell). Now I get this in /var/log/secure...

    Nov 1 16:08:07 host unix_chkpwd[22541]: check pass; user unknown
    Nov 1 16:08:07 host unix_chkpwd[22541]: password check failed for user (treydock)
    Nov 1 16:08:07 host httpd: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=treydock
    Nov 1 16:08:07 host httpd: pam_krb5[8049]: error reading keytab 'FILE:/etc/krb5.keytab'
    Nov 1 16:08:07 host httpd: pam_krb5[8049]: TGT verified
    Nov 1 16:08:07 host httpd: pam_krb5[8049]: authentication succeeds for 'treydock' (treyd...@tamu.edu)
    Nov 1 16:08:07 host unix_chkpwd[22545]: could not obtain user info (treydock)

The keytab error is expected, because to authenticate with my university's Kerberos system it's without adding my server to their databases. I have other servers on CentOS 5 and 6 running this just fine, and right now SELinux is the only difference between them.

Also, I'm still concerned I never got an email from setroubleshootd about the denials that are now fixed by using setsebool. Any steps I can take to troubleshoot the problem?

Thanks - Trey
[CentOS] SELinux and SETroubleshootd woes in CR
I'm setting up a dedicated database server, and since this will be a central service to my various web servers I wanted it to be as secure as possible... so I am leaving SELinux enabled. However, I'm having trouble getting Apache to use mod_auth_pam. I also now can't get setroubleshootd working to send me notifications of the denials and provide tips to solve the problem.

The Apache service has this directive on the default vhost,

---
AuthPAM_Enabled on
AllowOverride None
AuthName "HTTP Auth"
AuthType basic
require valid-user
---

When I attempt to authenticate I noticed this in /var/log/secure

Nov 1 15:06:58 host httpd: PAM audit_open() failed: Permission denied

This is the entry from the audit log...

type=AVC msg=audit(1320178016.209:919): avc: denied { create } for pid=22689 comm="unix_chkpwd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178016.209:919): arch=c03e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7fff23386470 items=0 ppid=20102 pid=22689 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1320178018.386:920): avc: denied { create } for pid=20102 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1320178018.386:920): arch=c03e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=20099 pid=20102 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=107 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

As for setroubleshoot, I have a duplicate install working just fine on another server, or at least it was working. I'm worried updating to CR may have broken setroubleshootd. Mainly I'd like to know how to troubleshoot that application. Messagebus is running. Running setroubleshootd yields these results...

---
# setroubleshootd -f -V
2011-11-01 15:11:53,919 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2011-11-01 15:11:53,920 [database.DEBUG] database version 3.0 compatible with current 3.0 version
2011-11-01 15:11:53,923 [plugin.DEBUG] load_plugins() names=['httpd_bad_labels', 'allow_saslauthd_read_shadow', 'tftpd_write_content', 'allow_nfsd_anon_write', 'vbetool', 'allow_ypbind', 'httpd_use_cifs', 'file', 'allow_execheap', 'nfs_export_all_rw', 'allow_java_execstack', 'allow_httpd_sys_script_anon_write', 'samba_share', 'filesystem_associate', 'fcron_crond', 'inetd_bind_ports', 'named_write_master_zones', 'qemu_file_image', 'catchall', 'allow_mplayer_execstack', 'httpd_can_sendmail', 'httpd_enable_homedirs', 'wine', 'xen_image', 'secure_mode_policyload', 'allow_execmod', 'disable_ipv6', 'httpd_can_network_connect_db', 'sys_module', 'bind_ports', 'samba_export_all_rw', 'use_samba_home_dirs', 'rsync_data', 'allow_kerberos', 'httpd_ssi_exec', 'mmap_zero', 'global_ssp', 'allow_rsync_anon_write', 'cvs_data', 'allow_ftpd_anon_write', 'device', 'catchall_boolean', 'automount_exec_config', 'leaks', 'setenforce', 'ftpd_is_daemon', 'allow_zebra_write_config', 'firefox', 'nfs_export_all_ro', 'httpd_enable_cgi', 'httpd_tty_comm', 'public_content', 'ftp_home_dir', 'prelink_mislabled', 'allow_execstack', 'spamd_enable_home_dirs', 'sshd_root', 'samba_share_nfs', 'httpd_builtin_scripting', 'allow_ftpd_full_access', 'default', 'allow_ftpd_use_nfs', 'samba_enable_home_dirs', 'restorecon', 'selinuxpolicy', 'pppd_can_insmod', 'allow_daemons_dump_core', 'httpd_write_content', 'allow_httpd_anon_write', 'secure_mode_insmod', 'kernel_modules', 'samba_export_all_ro', 'httpd_enable_ftp_server', 'allow_postfix_local_write_mail_spool', 'execute', 'privoxy_connect_any', 'use_nfs_home_dirs', 'allow_smbd_anon_write', 'sys_resource', 'allow_ftpd_use_cifs', 'connect_ports', 'swapfile', 'httpd_use_nfs', 'httpd_can_network_relay', 'allow_cvs_read_shadow', 'squid_connect_any', 'mounton', 'qemu_blk_image', 'user_tcp_server', 'restore_source_context']
2011-11-01 15:11:53,923 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2011-11-01 15:11:55,114 [avc.DEBUG] Number of Plugins = 90
2011-11-01 15:11:55,116 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2011-11-01 15:11:55,117 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2011-11-01 15:11:55,118 [
Re: [CentOS] NSS ldap problems
One difference I ran into with Samba authentication is that in CentOS 5 /etc/pam.d/system-auth-ac is the file to change, but in CentOS 6 it's /etc/pam.d/password-auth-ac. I found that changes I made only to system-auth-ac in 5 had to be made to both system-auth-ac and password-auth-ac in 6. This was to have authentication work for things like ssh and sudo in CentOS 6.

- Trey

On Oct 31, 2011 8:16 PM, "Jack Bailey" wrote:
> On 10/31/2011 4:46 PM, Craig White wrote:
>>> Here are the ldap related packages installed on the 6.0 box:
>>>
>>> [root@vburntest02 ~]# rpm -qa | grep ldap
>>> openldap-2.4.19-15.el6_0.2.x86_64
>>> pam_ldap-185-5.el6.x86_64
>>> nss-pam-ldapd-0.7.5-3.el6.x86_64
>>> openldap-clients-2.4.19-15.el6_0.2.x86_64
>>> apr-util-ldap-1.3.9-3.el6.x86_64
>>>
>>> Any idea what to check next?
>>
>> I'm not a perl person so I just check from shell with:
>> getent passwd
>> getent group
>>
>> to make sure that the LDAP Users/Groups are indeed listed... authentication clearly won't work until they do.
>>
>> The same /etc/ldap.conf from CentOS 5.x should work with CentOS 6.x
>
> On CentOS 6 getent passwd does not return a list of users, presumably because the list can be quite large. Try
>
> $ getent passwd
>
> If your system is set up correctly you will see the entry.
>
> Jack
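The drift described in this reply (a module added to system-auth-ac but not to password-auth-ac) is easy to check mechanically. The following is an added example, not code from the list post: a POSIX shell helper that lists the rules one PAM stack has and the other lacks, run against two constructed sample stacks that mirror the CentOS 6 layout. The sample contents, the function names and the pam_ldap lines are this example's own constructions.

```shell
#!/bin/sh
# Added example: detect drift between two PAM stacks (e.g. system-auth-ac and
# password-auth-ac on CentOS 6). Not from the list post; the sample files
# below are constructed to illustrate the case the post describes.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: a system-auth-ac with pam_ldap added to auth and account ...
cat > "$SAMPLE_DIR/system-auth-ac" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF

# ... and a password-auth-ac that was never updated, so services that include
# password-auth (sshd on CentOS 6) still have no pam_ldap in their stack.
cat > "$SAMPLE_DIR/password-auth-ac" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF

# pam_rules FILE: the active rules of a PAM file (comments and blank lines dropped).
pam_rules() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# pam_missing_lines A B: rules present in A but absent (as whole lines) from B.
# Any output means the two stacks have drifted apart.
pam_missing_lines() {
  tmp=$(mktemp)
  pam_rules "$2" > "$tmp"
  pam_rules "$1" | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# pam_stacks_consistent A B: succeed only when neither file has rules the other lacks.
pam_stacks_consistent() {
  if [ -n "$(pam_missing_lines "$1" "$2")" ]; then return 1; fi
  if [ -n "$(pam_missing_lines "$2" "$1")" ]; then return 1; fi
  return 0
}

# Demo run: what password-auth-ac is missing relative to system-auth-ac.
pam_missing_lines "$SAMPLE_DIR/system-auth-ac" "$SAMPLE_DIR/password-auth-ac"
```

On a real host, point the two functions at /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac (or at the files a given service includes) after any authconfig or manual change; the check compares whole lines, so an option such as use_first_pass that differs between the two files is reported as well.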
Re: [CentOS] Failed dependencies for libxslt-ruby on CentOS 6
On Wed, Oct 19, 2011 at 10:21 AM, Trey Dockendorf wrote:
> I'm trying to install a gem named Fabulator on CentOS 6 CR x86_64. It's failing on libxslt-ruby. This is the error I get when trying the gem manually...
>
> --
> # gem install libxslt-ruby --no-rdoc --no-ri
> Building native extensions. This could take a while...
> ERROR: Error installing libxslt-ruby:
> ERROR: Failed to build gem native extension.
>
> /usr/bin/ruby extconf.rb
> checking for ruby/io.h... no
> checking for inflate() in -lz... yes
> checking for iconv_open() in -liconv... no
> checking for libiconv_open() in -liconv... no
> checking for libiconv_open() in -llibiconv... no
> checking for iconv_open() in -llibiconv... no
> checking for iconv_open() in -lc... yes
> checking for xmlXPtrNewRange() in -lxml2... yes
> checking for libxml/xmlversion.h... no
> checking for libxml/xmlversion.h in /opt/include/libxml2,/usr/local/include/libxml2,/usr/include/libxml2... yes
> checking for xsltApplyStylesheet() in -lxslt... yes
> checking for xslt.h... no
> checking for xslt.h in /opt/include/libxslt,/usr/local/include/libxslt,/usr/include/libxslt... yes
> checking for exsltRegisterAll() in -lexslt... yes
> checking for exslt.h... no
> checking for exslt.h in /opt/include/libexslt,/usr/local/include/libexslt,/usr/include/libexslt... yes
> *** extconf.rb failed ***
> Could not create Makefile due to some reason, probably lack of necessary libraries and/or headers. Check the mkmf.log file for more details. You may need configuration options.
>
> Provided configuration options:
> --with-opt-dir
> --without-opt-dir
> --with-opt-include
> --without-opt-include=${opt-dir}/include
> --with-opt-lib
> --without-opt-lib=${opt-dir}/lib
> --with-make-prog
> --without-make-prog
> --srcdir=.
> --curdir
> --ruby=/usr/bin/ruby
> --with-zlib-dir
> --without-zlib-dir
> --with-zlib-include
> --without-zlib-include=${zlib-dir}/include
> --with-zlib-lib
> --without-zlib-lib=${zlib-dir}/lib
> --with-iconv-dir
> --without-iconv-dir
> --with-iconv-include
> --without-iconv-include=${iconv-dir}/include
> --with-iconv-lib
> --without-iconv-lib=${iconv-dir}/lib
> --with-xml2-dir
> --without-xml2-dir
> --with-xml2-include
> --without-xml2-include=${xml2-dir}/include
> --with-xml2-lib
> --without-xml2-lib=${xml2-dir}/lib
> --with-xslt-dir
> --without-xslt-dir
> --with-xslt-include
> --without-xslt-include=${xslt-dir}/include
> --with-xslt-lib
> --without-xslt-lib=${xslt-dir}/lib
> --with-exslt-dir
> --without-exslt-dir
> --with-exslt-include
> --without-exslt-include=${exslt-dir}/include
> --with-exslt-lib
> --without-exslt-lib=${exslt-dir}/lib
> --with-zlib
> --without-zlib
> --with-iconvlib
> --without-iconvlib
> --with-iconvlib
> --without-iconvlib
> --with-libiconvlib
> --without-libiconvlib
> --with-libiconvlib
> --without-libiconvlib
> --with-clib
> --without-clib
> --with-xml2lib
> --without-xml2lib
> --with-xsltlib
> --without-xsltlib
> --with-exsltlib
> --without-exsltlib
> extconf.rb:114: undefined method `find_by_name' for Gem::Specification:Class (NoMethodError)
>
> Gem files will remain installed in /usr/lib/ruby/gems/1.8/gems/libxslt-ruby-1.0.8 for inspection.
> Results logged to /usr/lib/ruby/gems/1.8/gems/libxslt-ruby-1.0.8/ext/libxslt/gem_make.out
> --
>
> I have installed libxslt and libxslt-devel via yum. I'm running ruby-1.8.7 and gem-1.3.7. Listing the gems available for xslt, what catches my eye is the x86-mingw32 items. Looking on CentOS 5 I found the package "mingw32-iconv" in EPEL, but am unsure if that is what would solve this. If it is, then could I simply build a CentOS 6 RPM from the SRPM for CentOS 5?
>
> --
> # gem search xslt --both
>
> *** LOCAL GEMS ***
>
> libxslt-ruby19 (0.9.8)
> ruby-xslt (0.9.8)
>
> *** REMOTE GEMS ***
>
> blackwinter-libxslt-ruby (1.0.1)
> libxslt-ruby (1.0.8 ruby x86-mingw32, 0.9.6 x86-mswin32-60)
> libxslt-ruby-r19mingw1 (0.9.7)
> libxslt-ruby19 (0.9.8)
> polyrex-xslt (0.1.0)
> rexslt (0.1.4)
> ruby-xslt (0.9.8
[CentOS] Failed dependencies for libxslt-ruby on CentOS 6
I'm trying to install a gem named Fabulator on CentOS 6 CR x86_64. It's failing on libxslt-ruby. This is the error I get when trying the gem manually...

--
# gem install libxslt-ruby --no-rdoc --no-ri
Building native extensions. This could take a while...
ERROR: Error installing libxslt-ruby:
ERROR: Failed to build gem native extension.

/usr/bin/ruby extconf.rb
checking for ruby/io.h... no
checking for inflate() in -lz... yes
checking for iconv_open() in -liconv... no
checking for libiconv_open() in -liconv... no
checking for libiconv_open() in -llibiconv... no
checking for iconv_open() in -llibiconv... no
checking for iconv_open() in -lc... yes
checking for xmlXPtrNewRange() in -lxml2... yes
checking for libxml/xmlversion.h... no
checking for libxml/xmlversion.h in /opt/include/libxml2,/usr/local/include/libxml2,/usr/include/libxml2... yes
checking for xsltApplyStylesheet() in -lxslt... yes
checking for xslt.h... no
checking for xslt.h in /opt/include/libxslt,/usr/local/include/libxslt,/usr/include/libxslt... yes
checking for exsltRegisterAll() in -lexslt... yes
checking for exslt.h... no
checking for exslt.h in /opt/include/libexslt,/usr/local/include/libexslt,/usr/include/libexslt... yes
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary libraries and/or headers. Check the mkmf.log file for more details. You may need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/ruby
--with-zlib-dir
--without-zlib-dir
--with-zlib-include
--without-zlib-include=${zlib-dir}/include
--with-zlib-lib
--without-zlib-lib=${zlib-dir}/lib
--with-iconv-dir
--without-iconv-dir
--with-iconv-include
--without-iconv-include=${iconv-dir}/include
--with-iconv-lib
--without-iconv-lib=${iconv-dir}/lib
--with-xml2-dir
--without-xml2-dir
--with-xml2-include
--without-xml2-include=${xml2-dir}/include
--with-xml2-lib
--without-xml2-lib=${xml2-dir}/lib
--with-xslt-dir
--without-xslt-dir
--with-xslt-include
--without-xslt-include=${xslt-dir}/include
--with-xslt-lib
--without-xslt-lib=${xslt-dir}/lib
--with-exslt-dir
--without-exslt-dir
--with-exslt-include
--without-exslt-include=${exslt-dir}/include
--with-exslt-lib
--without-exslt-lib=${exslt-dir}/lib
--with-zlib
--without-zlib
--with-iconvlib
--without-iconvlib
--with-iconvlib
--without-iconvlib
--with-libiconvlib
--without-libiconvlib
--with-libiconvlib
--without-libiconvlib
--with-clib
--without-clib
--with-xml2lib
--without-xml2lib
--with-xsltlib
--without-xsltlib
--with-exsltlib
--without-exsltlib
extconf.rb:114: undefined method `find_by_name' for Gem::Specification:Class (NoMethodError)

Gem files will remain installed in /usr/lib/ruby/gems/1.8/gems/libxslt-ruby-1.0.8 for inspection.
Results logged to /usr/lib/ruby/gems/1.8/gems/libxslt-ruby-1.0.8/ext/libxslt/gem_make.out
--

I have installed libxslt and libxslt-devel via yum. I'm running ruby-1.8.7 and gem-1.3.7. Listing the gems available for xslt, what catches my eye is the x86-mingw32 items. Looking on CentOS 5 I found the package "mingw32-iconv" in EPEL, but am unsure if that is what would solve this. If it is, then could I simply build a CentOS 6 RPM from the SRPM for CentOS 5?

--
# gem search xslt --both

*** LOCAL GEMS ***

libxslt-ruby19 (0.9.8)
ruby-xslt (0.9.8)

*** REMOTE GEMS ***

blackwinter-libxslt-ruby (1.0.1)
libxslt-ruby (1.0.8 ruby x86-mingw32, 0.9.6 x86-mswin32-60)
libxslt-ruby-r19mingw1 (0.9.7)
libxslt-ruby19 (0.9.8)
polyrex-xslt (0.1.0)
rexslt (0.1.4)
ruby-xslt (0.9.8)
--

The gem I'm trying to install, fabulator, has the following dependencies...

-
# gem dependency fabulator --both
Gem fabulator-0.0.16
  RedCloth (>= 4.2.0, runtime)
  activesupport (>= 2.3.0, runtime)
  libxml-ruby (>= 1.1.3, runtime)
  libxslt-ruby (>= 0.9.7, runtime)
  radius (>= 0.6.1, runtime)
-

Please let me know what other information may be useful in this case. This is for a series of websites running Radiant that I've inherited, and this is all working in FreeBSD, though that server is barely hanging on and so I'm moving to my existing CentOS infrastructure. I'm about to try RVM but would prefer to stick with yum-based package and version management.

Thanks
- Trey
Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
On Tue, Oct 18, 2011 at 7:30 AM, Daniel J Walsh wrote:
> On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
>> On Oct 17, 2011 2:06 PM, "Daniel J Walsh" wrote:
>>> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>>>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" wrote:
>>>>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>>>>> Forwarding back to list.
>>>>>>
>>>>>> -- Forwarded message --
>>>>>> From: "Trey Dockendorf"
>>>>>> Date: Oct 17, 2011 10:06 AM
>>>>>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>>>>>> To: "Daniel J Walsh"
>>>>>>
>>>>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh wrote:
>>>>>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>>>> I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
>>>>>>>>
>>>>>>>> All VMs are stored under /vmstore, which is its own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
>>>>>>>>
>>>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>>>>> restorecon -R /vmstore
>>>>>>>>
>>>>>>>> So far I've noticed it when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry (hostname removed):
>>>>>>>>
>>>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>>>
>>>>>>>> I've attached the alert email as a quote below (hostname removed).
>>>>>>>>
>>>>>>>> Any help is greatly appreciated. I've had to deal little with SELinux, fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> - Trey
>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>>
>>>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>>>>>>>
>>>>>>>>> Detailed Description
Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
On Oct 17, 2011 2:06 PM, "Daniel J Walsh" wrote:
> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" wrote:
>>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>>> Forwarding back to list.
>>>>
>>>> -- Forwarded message --
>>>> From: "Trey Dockendorf"
>>>> Date: Oct 17, 2011 10:06 AM
>>>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>>>> To: "Daniel J Walsh"
>>>>
>>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh wrote:
>>>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>> I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
>>>>>>
>>>>>> All VMs are stored under /vmstore, which is its own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
>>>>>>
>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>>> restorecon -R /vmstore
>>>>>>
>>>>>> So far I've noticed it when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry (hostname removed):
>>>>>>
>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>
>>>>>> I've attached the alert email as a quote below (hostname removed).
>>>>>>
>>>>>> Any help is greatly appreciated. I've had to deal little with SELinux, fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
>>>>>>
>>>>>> Thanks
>>>>>> - Trey
>>>>>>
>>>>>>> Summary
>>>>>>>
>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>>>>>
>>>>>>> Detailed Description
>>>>>>>
>>>>>>> SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>>
>>>>>>> You can generate a local policy module to allow this access - see FAQ
Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
On Oct 17, 2011 10:30 AM, "Daniel J Walsh" wrote:
> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>> Forwarding back to list.
>>
>> -- Forwarded message --
>> From: "Trey Dockendorf"
>> Date: Oct 17, 2011 10:06 AM
>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>> To: "Daniel J Walsh"
>>
>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh wrote:
>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>> I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
>>>>
>>>> All VMs are stored under /vmstore, which is its own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
>>>>
>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>> restorecon -R /vmstore
>>>>
>>>> So far I've noticed it when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry (hostname removed):
>>>>
>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>
>>>> I've attached the alert email as a quote below (hostname removed).
>>>>
>>>> Any help is greatly appreciated. I've had to deal little with SELinux, fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
>>>>
>>>> Thanks
>>>> - Trey
>>>>
>>>>> Summary
>>>>>
>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>>>
>>>>> Detailed Description
>>>>>
>>>>> SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>>>>
>>>>> Allowing Access
>>>>>
>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>> Please file a bug report.
>>>>>
>>>>> Additional Information
>>>>>
>>>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
>>>>> Target Context: system_u:object_r:fs_t:s0
>>>>> Target Objects: /vmstore [ filesystem ]
>>>>> Source: qemu-kvm
>>>>> Source Path: /usr/libexec/qemu-kvm
>>>>> Port:
[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
Forwarding back to list.

-- Forwarded message --
From: "Trey Dockendorf"
Date: Oct 17, 2011 10:06 AM
Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
To: "Daniel J Walsh"

On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh wrote:
> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>> I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
>>
>> All VMs are stored under /vmstore, which is its own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
>>
>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>> restorecon -R /vmstore
>>
>> So far I've noticed it when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry (hostname removed):
>>
>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>
>> I've attached the alert email as a quote below (hostname removed).
>>
>> Any help is greatly appreciated. I've had to deal little with SELinux, fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
>>
>> Thanks
>> - Trey
>>
>>> Summary
>>>
>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>
>>> Detailed Description
>>>
>>> SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>>
>>> Allowing Access
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> Please file a bug report.
>>>
>>> Additional Information
>>>
>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
>>> Target Context: system_u:object_r:fs_t:s0
>>> Target Objects: /vmstore [ filesystem ]
>>> Source: qemu-kvm
>>> Source Path: /usr/libexec/qemu-kvm
>>> Port:
>>> Host: kvmhost.tld
>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
>>> Target RPM Packages:
>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
>>> Selinux Enabled: True
>>> Policy Type: targeted
>>> Enforcing Mode: Enforcing
>>> Plugin Name: catchall
>>> Host Name: kvmhost.tld
>>> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>> Alert Count: 1
>>> First Seen: Fri Oct 14 18:20:50 2011
>>> Last Seen: Fri Oct 14 18:20:50 2011
>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
>>> Line Numbers:
>>>
>>> Raw Audit Messages :
>>>
>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr }
[CentOS] SELinux triggered during Libvirt snapshots
I recently began getting periodic emails from sealert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory where I store all my virtual machines for KVM. All VMs are stored under /vmstore, which is its own mount point, and every file and folder under /vmstore currently has the correct context, which was set by doing the following:

    semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
    restorecon -R /vmstore

So far I've noticed this when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server with SELinux in Enforcing, so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR.

This is the raw audit entry (hostname removed):

    node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
    node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)

I've attached the alert email as a quote below (hostname removed). Any help is greatly appreciated. Fortunately I've had to deal little with SELinux, but at the moment I'm not really sure if my snapshots are actually functional or if this is just some false positive.

Thanks
- Trey

> Summary
>
> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>
> Detailed Description
>
> SELinux denied access requested by qemu-kvm. It is not expected that this
> access is required by qemu-kvm and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
>
> You can generate a local policy module to allow this access - see FAQ
> Please file a bug report.
>
> Additional Information
>
> Source Context:       system_u:system_r:svirt_t:s0:c772,c779
> Target Context:       system_u:object_r:fs_t:s0
> Target Objects:       /vmstore [ filesystem ]
> Source:               qemu-kvm
> Source Path:          /usr/libexec/qemu-kvm
> Port:
> Host:                 kvmhost.tld
> Source RPM Packages:  qemu-kvm-0.12.1.2-2.160.el6_1.8
> Target RPM Packages:
> Policy RPM:           selinux-policy-3.7.19-93.el6_1.7
> Selinux Enabled:      True
> Policy Type:          targeted
> Enforcing Mode:       Enforcing
> Plugin Name:          catchall
> Host Name:            kvmhost.tld
> Platform:             Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
>                       19:49:27 BST 2011 x86_64 x86_64
> Alert Count:          1
> First Seen:           Fri Oct 14 18:20:50 2011
> Last Seen:            Fri Oct 14 18:20:50 2011
> Local ID:             c73c7440-06ee-4611-80ac-712207ef9aa6
> Line Numbers:
>
> Raw Audit Messages :
>
> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
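Editor's note, added to the archived thread above (this is not code from the poster or from the CentOS list): before reaching for audit2allow, it is worth reading the AVC record by hand, because the rule it implies tells you what was actually checked. The record above is a denial on the filesystem object itself (tclass=filesystem, target type fs_t, name="/" on dm-2), not on a file under /vmstore, so the virt_image_t file contexts set with semanage are not what this check consulted. The scontext also carries the guest's MCS categories (c772,c779), which is how sVirt keeps one qemu-kvm process from touching another guest's images. The script below extracts those pieces and prints the allow rule audit2allow would generate; the first sample record is a copy of the one in the post, the second is constructed.

```shell
#!/bin/sh
# Added example: turn a raw AVC record into the type-enforcement rule it
# implies, so the operator can see what a denial asks for before allowing it.
# Sample records are constructed; the first copies the line from the post.

AVC_SAMPLE='node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'
AVC_SAMPLE2='type=AVC msg=audit(1318640000.000:99): avc: denied { read write } for pid=2100 comm="httpd" name="state.db" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# avc_field RECORD KEY -> the value of "KEY=..." in RECORD (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type, i.e. the third field of user:role:type[:level]
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_mcs CONTEXT -> the MCS categories (fifth field), empty when unlabelled;
# for svirt_t processes this is the per-guest label sVirt assigns
avc_mcs() {
    printf '%s\n' "$1" | cut -d: -f5
}

# avc_perms RECORD -> the permission list inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied {[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_to_rule RECORD -> "allow SRC TGT:CLASS { perms };", the rule that
# audit2allow would emit for this single denial
avc_to_rule() {
    rec=$1
    src=$(avc_type "$(avc_field "$rec" scontext)")
    tgt=$(avc_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Stand-alone run: show what the post's denial is really asking for.
avc_to_rule "$AVC_SAMPLE"
# On the live host the equivalent is:
#   ausearch -m avc -ts recent | audit2allow
# and the object's actual label can be compared with the policy's expectation via
#   ls -Zd /vmstore && matchpathcon /vmstore
```

Reading the output (`allow svirt_t fs_t:filesystem { getattr };`) makes the decision concrete: the question is whether a guest domain should be allowed to stat the filesystem its images live on, not whether /vmstore is labelled correctly, and that is the question to put in the bug report sealert asks for.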
Re: [CentOS] Virtual host package, command line, I need help
On Thu, Oct 13, 2011 at 2:52 PM, Ljubomir Ljubojevic wrote:
> On 10/13/2011 04:23 PM, Bob Hoffman wrote:
>> the way intended for a brand new install just to install a guest via
>> command line.
>> I am thinking new video card.
>>
>> First time sorely disappointed with supermicro...very disappointed
>> unless they have a fix.
>
> 1. The CentOS-virt mailing list should still be active.
>
> 2. Are you aware that you can have one Desktop PC with Virt-Manager
> installed and use it to connect to the running libvirtd (KVM) daemon on
> your server? I have a KVM Guest on my C6 Desktop and use the graphical
> Virt-Manager to set up new Guests. But from that same Virt-Manager I am
> connected to my C5 server with a C5 KVM Guest, and I can add new systems
> and manage existing ones.
>
> 3. Are you talking about the actual VGA graphics card on the Barebone
> server (KVM Host)? If yes, do you know what type of graphics card you
> have? The ELRepo repository (www.elrepo.org) has newer drivers for ATI,
> nVidia and Intel graphics cards.
>
> --
> Ljubomir Ljubojevic
> (Love is in the Air)
> PL Computers
> Serbia, Europe
>
> Google is the Mother, Google is the Father, and traceroute is your
> trusty Spiderman...
> StarOS, Mikrotik and CentOS/RHEL/Linux consultant

As others have pointed out, a GUI is unnecessary and also a bad idea on a KVM server. You'll want an account that isn't root to remote into the KVM server with. Use PolicyKit to give a group or user the rights to control libvirt. Then you can either run virt-manager on a Linux desktop to connect to KVM, or use X11 forwarding via SSH to view the server's virt-manager remotely, which still won't require a desktop environment to be installed.

I have the process and details documented here: http://itscblog.tamu.edu/startup-guide-for-kvm-on-centos-6/

Hope that helps,
- Trey
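Editor's note, added to the archived thread (not code from the poster or from the linked guide): on CentOS 6 the PolicyKit step mentioned above is a "local authority" rule file under /etc/polkit-1/localauthority/50-local.d/, which lets members of a Unix group use the org.libvirt.unix.manage action without being root. The group name kvmadmins, the file name, and the target directory argument are assumptions chosen for the example; the action name and the .pkla keys are those polkit 0.96 and libvirt use.

```shell
#!/bin/sh
# Added example: grant a non-root group management rights on libvirt via a
# polkit 0.96 .pkla file (CentOS 6).  Group name and file name are assumptions.

# libvirt_pkla GROUP -> text of a rule letting GROUP use org.libvirt.unix.manage
# in any session state (ResultAny/ResultInactive/ResultActive all "yes").
libvirt_pkla() {
    printf '%s\n' \
        "[Allow group $1 to manage libvirt]" \
        "Identity=unix-group:$1" \
        "Action=org.libvirt.unix.manage" \
        "ResultAny=yes" \
        "ResultInactive=yes" \
        "ResultActive=yes"
}

# install_libvirt_pkla GROUP [DIR] -> writes the rule file world-readable
# (polkit only honours files it can read) and prints the path written.
# DIR defaults to the local-authority directory polkit 0.96 scans.
install_libvirt_pkla() {
    dir=${2:-/etc/polkit-1/localauthority/50-local.d}
    f="$dir/50-libvirt-$1.pkla"
    libvirt_pkla "$1" > "$f" && chmod 0644 "$f" && printf '%s\n' "$f"
}

# pkla_grants FILE GROUP -> exit 0 if FILE grants GROUP the manage action
# in an active session; useful as a quick audit of what is deployed.
pkla_grants() {
    grep -qx "Identity=unix-group:$2" "$1" &&
    grep -qx 'Action=org.libvirt.unix.manage' "$1" &&
    grep -qx 'ResultActive=yes' "$1"
}
```

With the rule in place a member of the group can run `virsh -c qemu:///system list` locally or point a desktop virt-manager at `qemu+ssh://user@kvmhost/system`; nothing on the host needs to run as root beyond libvirtd itself.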
Re: [CentOS] Mock - Problems building Centos5 package on Centos6 - where can I ask for advice ?
If Gmail will let you send an SRPM, just send it to treyd...@gmail.com. You might have to tar or zip it if RPM files can't be sent. I recently rebuilt PHP for CentOS 6 in mock, so I may be able to help debug.

On Oct 10, 2011 3:19 AM, "Morgan Cox" wrote:
> Hi Trey.
>
> I would prefer being able to build my own packages rather than rely on an
> external repo (that way I can always build whatever version I need).
>
> It's not the building of the RPM, it's the use of mock that's failing.
>
> What is the best way of sending you the source RPM?
>
> Regards
>
> On 8 October 2011 14:22, Trey Dockendorf wrote:
>> On Oct 7, 2011 3:34 AM, "Morgan Cox" wrote:
>>> Hi
>>>
>>> Thank you for your extremely quick (and faster than support from any
>>> company..) reply.
>>>
>>> Sorry, can you give more detail?
>>>
>>> From the look of the error the 'mock centos5' is missing these files:
>>>
>>>     /usr/share/aclocal/ltoptions.m4
>>>     /usr/share/aclocal/ltsugar.m4
>>>     /usr/share/aclocal/ltversion.m4
>>>     /usr/share/aclocal/lt~obsolete.m4
>>>
>>> - which come from libtool2 (on centos6)
>>>
>>> Centos5 obviously doesn't have that version...
>>>
>>> I noticed in the .spec file it has
>>>
>>> ---
>>> %build
>>> # aclocal workaround - to be improved
>>> cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
>>>
>>> # Force use of system libtool:
>>> libtoolize --force --copy
>>> cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >build/libtool.m4
>>> ---
>>>
>>> It also has - from the original .spec file I based it on:
>>>
>>> BuildRequires: bzip2, perl, libtool >= 1.4.3, gcc-c++
>>>
>>> I have libtool installed in the mock environment ...
>>>
>>> Anyone know what I'm doing wrong?
>>>
>>> Regards!
>>>
>>> On 6 October 2011 15:57, John Hodrien wrote:
>>>> On Thu, 6 Oct 2011, Morgan Cox wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> I am trying to use Mock to rebuild a .src.rpm file I have made for
>>>>> PHP 5.3.8 (for Centos6)
>>>>>
>>>>> I have managed to install deps fine with mock.
>>>>>
>>>>> When I try to rebuild the package though I get.
>>>>
>>>> BuildRequires are wrong, since this SRPM requires files that aren't
>>>> being pulled in. Add BuildRequires to satisfy these missing
>>>> requirements and it'll work.
>>>>
>>>> jh
>>
>> If you're wanting PHP-5.3 for CentOS5 you may want to look at the IUS
>> repo. They provide PHP 5.2 and 5.3 for CentOS5.
>>
>> If you send me your SRPM offlist I'll try to build it on my Mock
>> environment.
>>
>> - Trey
Re: [CentOS] CentOS 6.0 CR mdadm-3.2.2 breaks Intel BIOS RAID
On Oct 8, 2011 7:23 PM, "Ljubomir Ljubojevic" wrote:
> On 10/09/2011 12:16 AM, Trey Dockendorf wrote:
>> On Sat, Oct 8, 2011 at 4:31 PM, William Warren
>> <hescomins...@emmanuelcomputerconsulting.com> wrote:
>>
>>> why bother with bios FAKERAID using PIO mode(effectively). Make a
>>> backup and redo using MD raid and turn off the bios raid. Then things
>>> will work correctly.
>>
>> I did the downgrade and it worked fine after.
>
> I just now realized that you have fakeraid (dmraid). That is very
> dangerous, because if the MB dies, you might need to find another one
> with the same chipset to make it work. On the other hand, with Linux
> software RAID (mdadm) your RAID will work on any MB.
>
> So I also recommend William Warren's suggestion to convert as soon as
> possible. You can even use "RAID 10 - far" to gain 2x the read and 1x the
> write speed of a normal disk while mirroring.
>
> --
> Ljubomir Ljubojevic
> (Love is in the Air)
> PL Computers
> Serbia, Europe
>
> Google is the Mother, Google is the Father, and traceroute is your
> trusty Spiderman...
> StarOS, Mikrotik and CentOS/RHEL/Linux consultant

Can anyone confirm or advise how to do partitionable RAID with mdadm in CentOS 6? I made a few attempts using methods from CentOS 5 with no success. Every time I created md_d0 it did not contain any partitions from the member disks.

- Trey
Re: [CentOS] CentOS 6.0 CR mdadm-3.2.2 breaks Intel BIOS RAID
On Sat, Oct 8, 2011 at 4:31 PM, William Warren
<hescomins...@emmanuelcomputerconsulting.com> wrote:
> On 10/8/2011 3:14 PM, Trey Dockendorf wrote:
>> On Sat, Oct 8, 2011 at 2:04 PM, Steve Brooks wrote:
>>
>>> On Sat, 8 Oct 2011, Trey Dockendorf wrote:
>>>
>>>> I just upgraded my home KVM server to CentOS 6.0 CR to make use of the
>>>> latest libvirt and now my RAID array with my VM storage is missing. It
>>>> seems that the upgrade to mdadm-3.2.2 is the culprit.
>>>>
>>>> This is the output from mdadm when scanning that array,
>>>>
>>>> # mdadm --detail --scan
>>>> ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
>>>> ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
>>>> mdadm(IMSM): Unsupported attributes : 4000
>>>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>>>> mdadm(IMSM): Unsupported attributes : 4000
>>>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>>>> ARRAY /dev/md127 container=/dev/md0 member=0 UUID=734f79cf:22200a5a:73be2b52:3388006b
>>>>
>>>> The error about IMSM shows up on Google as something that happened to
>>>> Fedora users during a FC14->FC15 upgrade.
>>>>
>>>> The server itself isn't old, it's a Supermicro 2U with Dual Xeon 5400
>>>> family of CPU. There are two RAIDs on this one controller...a RAID1
>>>> which still functions and a RAID5 which is the one that is unable to
>>>> be seen. I don't know what IMSM is for, but the only thing strange
>>>> about that array is it is 2.7TB so the BIOS configured it as two
>>>> separate arrays, one as 2TB and one as 700GB, but it was showing up to
>>>> CentOS as a single volume.
>>>>
>>>> I downgraded to 3.2.1, ran mdadm again and bam...it works,
>>>>
>>>> # mdadm --detail --scan
>>>> ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
>>>> ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
>>>> ARRAY /dev/md127 container=/dev/md0 member=0 UUID=691f975d:6beecfd8:67b39886:b7ee7f6e
>>>>
>>>> Hopefully this can be fixed before this version makes it to 6.1, though
>>>> it's likely a problem for upstream RHEL as well.
>>>>
>>>> - Trey
>>>
>>> Hmm I recall seeing something like this on an "sl6" box. I think it
>>> needed a "/etc/mdadm.conf" with some metadata id code.. I am pretty sure
>>> I fixed it with
>>>
>>> mdadm --detail --scan >> /etc/mdadm.conf
>>>
>>> and a reboot.
>>>
>>> Steve
>>
>> That's the problem, mdadm --detail --scan throws errors. After updating
>> to mdadm-3.2.2 and rebooting, the entry /dev/md126 was removed, likely
>> because when I run it and don't pipe the output, it shows this...
>>
>> # mdadm --detail --scan
>> ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
>> ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
>> mdadm(IMSM): Unsupported attributes : 4000
>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>> mdadm(IMSM): Unsupported attributes : 4000
>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>> ARRAY /dev/md127 container=/dev/md0 member=0 UUID=734f79cf:22200a5a:73be2b52:3388006b
>
> why bother with bios FAKERAID using PIO mode(effectively). Make a
> backup and redo using MD raid and turn off the bios raid. Then things
> will work correctly.

I did the downgrade and it worked fine after.
Re: [CentOS] CentOS 6.0 CR mdadm-3.2.2 breaks Intel BIOS RAID
On Sat, Oct 8, 2011 at 2:04 PM, Steve Brooks wrote:
> On Sat, 8 Oct 2011, Trey Dockendorf wrote:
>
>> I just upgraded my home KVM server to CentOS 6.0 CR to make use of the
>> latest libvirt and now my RAID array with my VM storage is missing. It
>> seems that the upgrade to mdadm-3.2.2 is the culprit.
>>
>> This is the output from mdadm when scanning that array,
>>
>> # mdadm --detail --scan
>> ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
>> ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
>> mdadm(IMSM): Unsupported attributes : 4000
>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>> mdadm(IMSM): Unsupported attributes : 4000
>> mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
>> ARRAY /dev/md127 container=/dev/md0 member=0 UUID=734f79cf:22200a5a:73be2b52:3388006b
>>
>> The error about IMSM shows up on Google as something that happened to
>> Fedora users during a FC14->FC15 upgrade.
>>
>> The server itself isn't old, it's a Supermicro 2U with Dual Xeon 5400
>> family of CPU. There are two RAIDs on this one controller...a RAID1 which
>> still functions and a RAID5 which is the one that is unable to be seen.
>> I don't know what IMSM is for, but the only thing strange about that
>> array is it is 2.7TB so the BIOS configured it as two separate arrays,
>> one as 2TB and one as 700GB, but it was showing up to CentOS as a single
>> volume.
>>
>> I downgraded to 3.2.1, ran mdadm again and bam...it works,
>>
>> # mdadm --detail --scan
>> ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
>> ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
>> ARRAY /dev/md127 container=/dev/md0 member=0 UUID=691f975d:6beecfd8:67b39886:b7ee7f6e
>>
>> Hopefully this can be fixed before this version makes it to 6.1, though
>> it's likely a problem for upstream RHEL as well.
>>
>> - Trey
>
> Hmm I recall seeing something like this on an "sl6" box. I think it needed
> a "/etc/mdadm.conf" with some metadata id code.. I am pretty sure I fixed
> it with
>
> mdadm --detail --scan >> /etc/mdadm.conf
>
> and a reboot.
>
> Steve

That's the problem, mdadm --detail --scan throws errors. After updating to mdadm-3.2.2 and rebooting, the entry /dev/md126 was removed, likely because when I run it and don't pipe the output, it shows this...

    # mdadm --detail --scan
    ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
    ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
    mdadm(IMSM): Unsupported attributes : 4000
    mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
    mdadm(IMSM): Unsupported attributes : 4000
    mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
    ARRAY /dev/md127 container=/dev/md0 member=0 UUID=734f79cf:22200a5a:73be2b52:3388006b
[CentOS] CentOS 6.0 CR mdadm-3.2.2 breaks Intel BIOS RAID
I just upgraded my home KVM server to CentOS 6.0 CR to make use of the latest libvirt and now my RAID array with my VM storage is missing. It seems that the upgrade to mdadm-3.2.2 is the culprit.

This is the output from mdadm when scanning that array,

    # mdadm --detail --scan
    ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
    ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
    mdadm(IMSM): Unsupported attributes : 4000
    mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
    mdadm(IMSM): Unsupported attributes : 4000
    mdadm: IMSM metadata loading not allowed due to attributes incompatibility.
    ARRAY /dev/md127 container=/dev/md0 member=0 UUID=734f79cf:22200a5a:73be2b52:3388006b

The error about IMSM shows up on Google as something that happened to Fedora users during a FC14->FC15 upgrade.

The server itself isn't old, it's a Supermicro 2U with Dual Xeon 5400 family of CPU. There are two RAIDs on this one controller...a RAID1 which still functions and a RAID5 which is the one that is unable to be seen. I don't know what IMSM is for, but the only thing strange about that array is it is 2.7TB so the BIOS configured it as two separate arrays, one as 2TB and one as 700GB, but it was showing up to CentOS as a single volume.

I downgraded to 3.2.1, ran mdadm again and bam...it works,

    # mdadm --detail --scan
    ARRAY /dev/md0 metadata=imsm UUID=734f79cf:22200a5a:73be2b52:3388006b
    ARRAY /dev/md126 metadata=imsm UUID=3d135942:f0fad0b0:33255f78:29c3f50a
    ARRAY /dev/md127 container=/dev/md0 member=0 UUID=691f975d:6beecfd8:67b39886:b7ee7f6e

Hopefully this can be fixed before this version makes it to 6.1, though it's likely a problem for upstream RHEL as well.

- Trey
Re: [CentOS] Mock - Problems building Centos5 package on Centos6 - where can I ask for advice ?
On Oct 7, 2011 3:34 AM, "Morgan Cox" wrote:
> Hi
>
> Thank you for your extremely quick (and faster than support from any
> company..) reply.
>
> Sorry, can you give more detail?
>
> From the look of the error the 'mock centos5' is missing these files:
>
>     /usr/share/aclocal/ltoptions.m4
>     /usr/share/aclocal/ltsugar.m4
>     /usr/share/aclocal/ltversion.m4
>     /usr/share/aclocal/lt~obsolete.m4
>
> - which come from libtool2 (on centos6)
>
> Centos5 obviously doesn't have that version...
>
> I noticed in the .spec file it has
>
> ---
> %build
> # aclocal workaround - to be improved
> cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >>aclocal.m4
>
> # Force use of system libtool:
> libtoolize --force --copy
> cat `aclocal --print-ac-dir`/{libtool,ltoptions,ltsugar,ltversion,lt~obsolete}.m4 >build/libtool.m4
> ---
>
> It also has - from the original .spec file I based it on:
>
> BuildRequires: bzip2, perl, libtool >= 1.4.3, gcc-c++
>
> I have libtool installed in the mock environment ...
>
> Anyone know what I'm doing wrong?
>
> Regards!
>
> On 6 October 2011 15:57, John Hodrien wrote:
>> On Thu, 6 Oct 2011, Morgan Cox wrote:
>>
>>> Hi.
>>>
>>> I am trying to use Mock to rebuild a .src.rpm file I have made for PHP
>>> 5.3.8 (for Centos6)
>>>
>>> I have managed to install deps fine with mock.
>>>
>>> When I try to rebuild the package though I get.
>>
>> BuildRequires are wrong, since this SRPM requires files that aren't being
>> pulled in. Add BuildRequires to satisfy these missing requirements and
>> it'll work.
>>
>> jh

If you're wanting PHP-5.3 for CentOS5 you may want to look at the IUS repo. They provide PHP 5.2 and 5.3 for CentOS5.

If you send me your SRPM offlist I'll try to build it on my Mock environment.

- Trey
Re: [CentOS] Running Apache sites as separate users
On Sep 30, 2011 1:49 PM, "Michael Crilly" wrote:
> I'm not sure why you would want each website on its own Apache process (as
> that just isn't needed), but some of the ideas here are a bit...
> over-the-top.
>
> There are a few options for improving the security of your Apache setup.
> You can use something like FastCGI based PHP applications or suPHP; both
> FastCGI and suPHP will enable Apache to drop down to a lower privileged
> user when accessing a website. This basically eliminates the chance that
> one website being hacked means all your websites being hacked. The reason
> for this is that the ownership of each website will be the user who owns
> the website. So in an example, example1.com would be owned by
> example_user_1 and as such the ownership of the files would be something
> like: example_user_1:example_user_1 and rw-r--r--.
>
> You don't really need to go beyond this to "secure" each site.
>
> I hope this helps.
>
> On 30 September 2011 19:15, Trey Dockendorf wrote:
>> On Sep 30, 2011 11:43 AM, "John R Pierce" wrote:
>>> On 09/30/11 9:26 AM, Trey Dockendorf wrote:
>>>> However they also want to have the CMS write to the .htaccess files to
>>>> dynamically control which users can access the downloads portion of
>>>> the sites. That I'm strongly against.
>>>
>>> CMS systems almost always use their own authentication and downloading
>>> mechanisms, they don't rely on .htaccess for anything other than
>>> possibly configuring whatever specific apache settings they need
>>> (cgi-bin, etc)
>>>
>>> --
>>> john r pierce                            N 37, W 122
>>> santa cruz ca                         mid-left coast
>>
>> I agree, unfortunately my role is the sysadmin for this project, not the
>> developer. I'm running dozens of instances using Drupal, Wordpress and
>> Mediawiki all very successfully and securely without ever having to
>> think about these types of security measures. Once I get through the red
>> tape of being allowed to pen test my own servers, then I'll have a
>> better idea how well I've done.
>>
>> - Trey

That does, thanks!

- Trey
Re: [CentOS] Running Apache sites as separate users
On Sep 30, 2011 11:43 AM, "John R Pierce" wrote:
> On 09/30/11 9:26 AM, Trey Dockendorf wrote:
>> However they also want to have the CMS write to the .htaccess files to
>> dynamically control which users can access the downloads portion of the
>> sites. That I'm strongly against.
>
> CMS systems almost always use their own authentication and downloading
> mechanisms, they don't rely on .htaccess for anything other than
> possibly configuring whatever specific apache settings they need
> (cgi-bin, etc)
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast

I agree, unfortunately my role is the sysadmin for this project, not the developer. I'm running dozens of instances using Drupal, Wordpress and Mediawiki all very successfully and securely without ever having to think about these types of security measures. Once I get through the red tape of being allowed to pen test my own servers, then I'll have a better idea how well I've done.

- Trey
Re: [CentOS] Running Apache sites as separate users
On Sep 30, 2011 10:58 AM, "Drew" wrote:
>> I think Trey needs to push back - *IF* I understand him correctly, it
>> sounds like duplicate websites, but running as different users. That, to
>> me, literally makes no sense..., unless a) the source of the request
>> doesn't understand what he wants, or b) there's something illegal going
>> on, and users going to a different site have different things happening,
>> based on data/database content.
>
> The way I interpreted it he wants it set up so each domain
> (example1.com, example2.com, etc) runs its own Apache server under an
> unprivileged login (apache1, apache2, etc). Chroots should accomplish
> that easily enough. He then wants to use the same CMS (Joomla, Wordpress,
> etc) on each site. My assumption is he's hosting several CMS sites and
> wants each isolated so a compromise of one won't compromise the others.
>
> What is confusing is what he means by 'codebase?' Does he want each
> chroot to have its own independent copy? Or does he want to share the
> CMS core files across all instances?
>
> --
> Drew

Sorry if my question is confusing, I really don't fully understand the request myself. So a single codebase would be only one set of PHP files of the CMS to manage each subdomain. The problem with this request I think is a lack of understanding of what they want vs how it should be done in Apache. The goal I think is to keep each site from being affected by one another. So if one is compromised then it won't threaten all the sites. However they also want to have the CMS write to the .htaccess files to dynamically control which users can access the downloads portion of the sites. That I'm strongly against. Really I think this would be overkill once standard security measures are used with a good IDS (OSSEC) and thorough penetration testing.

I also need to be able to implement this all with Puppet, which is my requirement. Things like a chroot can't easily be done with Puppet yet, or at least not that I'm aware of. Could SELinux isolate sites while still allowing Apache access? I have little knowledge of how to do this with SELinux but I know I could do it with Puppet.

- Trey
Re: [CentOS] Apache security , Was: Running Apache sites as separate users
On Thu, Sep 29, 2011 at 9:35 PM, Lucian wrote:
> On Fri, Sep 30, 2011 at 2:22 AM, Trey Dockendorf wrote:
>> I had a recent request to improve security on my web servers by having
>> each website use a different user to run the hosting service. So
>> example1.com has its own Apache instance running as apache1 and then
>> example2.com has its own instance of Apache as apache2. Is this even
>> possible or realistic? I understand the idea of how that would be
>> secure, much like creating a virtual machine to segregate services. The
>> only way I can think how this is done is to chroot each website. What
>> makes this request even stranger is that each website will be managed by
>> the same CMS and code base. So with that being the case, I don't see how
>> this is possible. Any ideas or insight are very welcome.
>
> Is there a specific requirement to run different http servers? Because
> if there is not then you can just use Suexec+fastcgi.
> Otherwise, just use Apache to proxy stuff to backend servers (can be
> anything from apache to nginx).
>
> HTH

I do not know the exact reasoning for wanting each website to be run by a separate Apache process that has its own user. Likely it's a misunderstanding of actual threats to websites, or using an IIS mindset to set requirements for Apache. I'll give Suexec+fastcgi a look, and mod_ruid. Thanks for those suggestions.

While on the subject of Apache security... Another request / idea was to have this CMS under development write user controls to .htaccess files to restrict download access to directories. Typically if I even allow any overrides, I set it so apache can only read .htaccess. My understanding of the more obvious implications is that if the web server can write to .htaccess so can any attacker, who can then easily inject malware or redirect the site to malicious content.

Is there ever a case where it's safe to allow write access by apache to .htaccess? Does the below config for .htaccess in httpd.conf protect from this at all if write permissions were given on the file system?

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

Personally I think that the CMS should handle authorization, and then possibly rely on Apache for authentication. In the case of this CMS it will be authenticating against a campus SSO through CAS, but access has to be restricted based on user lists.

- Trey
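Editor's note, added to the archived thread (this is not the poster's code): the `<Files ~ "^\.ht">` block only stops clients from fetching .htaccess over HTTP; it says nothing about who can write the file on disk, and a per-directory file that the web-server account can rewrite lets anyone who gets code execution as that account change Apache's behaviour for that tree. Two checks make the exposure visible: which `<Directory>` blocks honour overrides at all, and which .htaccess files the web-server account could modify (owned by it with the owner-write bit, or group/world writable). The account name is passed in; "apache" is the CentOS default. The httpd.conf lines and the directory tree used to exercise it are constructed for the example.

```shell
#!/bin/sh
# Added example: audit .htaccess exposure under a document root.
# Not from the original thread; paths and the web user are parameters.

# override_dirs CONF -> paths of <Directory> blocks whose AllowOverride is
# anything other than None (only those trees read .htaccess at all)
override_dirs() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            d = $2; sub(/>.*/, "", d); gsub(/"/, "", d)
        }
        /^[[:space:]]*AllowOverride[[:space:]]/ && $2 != "None" { print d }
    ' "$1"
}

# writable_htaccess DOCROOT USER -> .htaccess files USER can rewrite: owned
# by USER with the owner-write bit set, or group/world writable.  USER may
# be a login name or a numeric uid.  Mode tests use octal so the check is
# portable: -200 owner write, -020 group write, -002 world write.
writable_htaccess() {
    find "$1" -name .htaccess -type f \
        \( -user "$2" -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# Stand-alone run against the live system (assumed CentOS defaults):
#   override_dirs /etc/httpd/conf/httpd.conf
#   writable_htaccess /var/www apache
```

A .htaccess that the web user owns stays modifiable even at mode 0444, because the owner can chmod it back, so the fix for a flagged file is ownership (root, or the site's own non-web account) rather than a mode bit; where a directory is listed by `override_dirs` but needs no overrides, setting `AllowOverride None` removes the exposure for that tree entirely.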
[CentOS] Running Apache sites as separate users
I had a recent request to improve security on my web servers by having each website use a different user to run the hosting service. So example1.com has its own Apache instance running as apache1 and then example2.com has its own instance of Apache as apache2. Is this even possible or realistic? I understand the idea of how that would be secure, much like creating a virtual machine to segregate services. The only way I can think how this is done is to chroot each website. What makes this request even stranger is that each website will be managed by the same CMS and code base. So with that being the case, I don't see how this is possible. Any ideas or insight are very welcome.

Thanks
- Trey
Re: [CentOS] Centos 6 First Install, gripes - cool things- tips/help
On Sep 21, 2011 7:51 PM, "Bob Hoffman" wrote: > > Finally got a new server the other day. > You know I had to try out centos 6 with this one. > > dual quad cores, 24 gb ram (12 for each cpu) 6 working drives bays. > > My first big surprise was the partition system with anaconda. It is a > lot different than the centos 5.x version. > I am sure it is a bug that it has options for hot spares but does not > allow it to be ungreyed out. > I think in the end I will have to manually go into command line and take > the third drive of the mirror and turn it into a hot spare. > > Second issue, which quite shocked me, was the loss of the ability to > clone a drive during the install. In 5.x I would make all the raid > partitions, LVM/groups, boots, etc. on one drive, then simply hit > 'clone' to make the second (and third spare) in the array. > This time I had to manually do each and every drive, exactly as the > other, partition by partition. Not fun if you are reinstalling a lot to > test configs and to get it right. > > > Virtual Machines sound cool and this will be my first attempt. That > nasty selinux 'silently' is keeping me from putting the images on the > second raid 1 array I have...sigh. Initial install of virt machine stuff > popped me right into the command line, even though red hat specifically > says the graphic stuff has more options. > Second install used all the graphic desktop stuff to make sure I had the > option (first time ever saw linux desktop, sweet). > Interesting that the initial settings of my host had absolutely no > network access at all. I had to manually change the network scripts to > enable them...each time I reinstalled to play around. (host needs access > for ssh and such). > > Surprised to find a large (75%?) of packages relating to virtual > machines not selected in the packages during install...odd. Some might > be dependencies, but some obviously were not installed the first few > times until I caught that. 
> qemu not selected during install of virt machine? > > Still working on getting the raids to work right (first time adding a > second 'non system' raid 1) with the whole 'no hot spare' and 3 drives > as one. Sure is hard to tell it all apart in the graphic desktop since > all the drives are named exactly the same. > Learned to never touch the lvm manager graphically, it just seems to not > understand the raid setups and wants to reinitialize or destroy > everything. I'll stick to command line for that. > > Best part...using an ipmi card with kvm so I can sit on my windows and > do pics/vids of the process for a nice detailed website how to...all the > way from bios to deploy...kvm, web, guests, etc...should be fun...should be. > > Luckily for me, Kernel based virtual machine guys decided to use the > abbreviation KVM instead of KbVM. There are about 10 billion pages on > kvm switches and tons of other junk, as well as books. Kbvm? Not so > much. If I could read Danish (or dutch or german?) I could buy the > single book in existence to help with KbVM. Sigh. Should be an experience. > > I will be posting a lot of stuff on a private forum (well, open to > public, but no registrations) about what worked for a stand alone > server, hosting multiple websites in a KVM environment... Will even try > to use SElinux all the way also. > > If you want access to post things in that forum, send me an email and I > will gladly add you. > > Nothing more fun than boxes of pizza, coke, and mad google searches when > a new version of redhat/centos comes out > > > see ya in the funny papers.

I ran into a few of those things too. For the networking to work on firstboot you have to enable it in the install, but it's not obvious. There is a button on the hostname screen to open NetworkManager. It defaults to dhcp but not to be up on boot. I have a similar setup for my first KVM server.
It's really amazing how well it performs especially compared to my current ESXi server on similar hardware, and with all the power and control of using Linux that you don't get with ESXi. My server is a dual six-core Xeon server with 16GB RAM, and for storage I have a RAID 1 array for the system and 6 drives in RAID 6 for the VM storage, with 6 more bays to use. Your server definitely sounds like a good one to explore virtualization. My ESXi server with only 16GB of RAM has 10 VMs (8 CentOS), so 24GB could do many more easily. For the KVM install I found I had to either check all 4 groups for Virtualization during install or run `yum groupinstall "Virtualization*"`. I prefer the latter because I can audit what gets installed. I'd also highly recommend SELinux stay enabled for a KVM server, especially in production. That one host will be the single point of failure or compromise for all the guest VMs. Also SELinux helps ensure the VMs stay independent
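The "VMs stay independent" point in the reply above is sVirt: on a CentOS 6 KVM host with SELinux enforcing, libvirt starts every qemu-kvm process as svirt_t with its own pair of MCS categories and labels that guest's disk images with the same pair, so a guest that breaks out of qemu still cannot open another guest's image. The script below is an added example, not from the thread, that checks a host for that property from `ps -eZ` output. The sample lines are constructed for the example; the label layout user:role:type:sensitivity:categories is what ps prints.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Reads "ps -eZ" output on stdin
# and exits 1 if any qemu process is not confined as svirt_t, has no MCS
# categories, or shares its category pair with another guest.
check_svirt_labels() {
    awk '
    $NF ~ /^qemu/ {
        n = split($1, f, ":")          # user:role:type:sensitivity:categories
        if (f[3] != "svirt_t") {
            printf "pid %s runs as %s, not svirt_t\n", $2, f[3]; bad = 1; next
        }
        if (n < 5 || f[5] == "") {
            printf "pid %s has no MCS categories\n", $2; bad = 1; next
        }
        if (f[5] in seen) {
            printf "pid %s shares categories %s with pid %s\n", $2, f[5], seen[f[5]]
            bad = 1
        } else {
            seen[f[5]] = $2
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample of a healthy host: two guests, distinct category pairs,
# libvirtd itself in virtd_t.
sample_ps_good() {
    cat <<'EOF'
LABEL                                    PID TTY          TIME CMD
system_u:system_r:svirt_t:s0:c12,c345   4123 ?       00:01:02 qemu-kvm
system_u:system_r:svirt_t:s0:c77,c901   4210 ?       00:00:44 qemu-kvm
system_u:system_r:virtd_t:s0-s0:c0.c1023 2231 ?      00:00:09 libvirtd
EOF
}

# Constructed sample of a broken host: two guests share a label (a static
# seclabel copied between domain definitions) and one runs unconfined
# (started by hand outside libvirt).
sample_ps_bad() {
    cat <<'EOF'
system_u:system_r:svirt_t:s0:c12,c345   4123 ?       00:01:02 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c345   4302 ?       00:00:10 qemu-kvm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4400 ? 00:00:00 qemu-kvm
EOF
}

# On a real host: ps -eZ | check_svirt_labels
```

On the host itself, `ps -eZ | check_svirt_labels` is the whole check; `ls -Z /var/lib/libvirt/images` should then show each running guest's image as svirt_image_t carrying the same category pair as its qemu process, which is what makes the separation hold at the file level as well.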
Re: [CentOS] Installing yesterday's CentOS (or how to install the patch/package set from 3 weeks ago)
I think a local mirror is really your best option. Or possibly two repos. One for testing, which you sync when you want to test updates and point all test systems at it. Then a production repo for production systems that pulls from the frozen test repo. One addition to your idea would be to use git. That way all you have to do is a 'git push' when you want to update your production repo. Could then use other features in git for tracking changes, possible reverts and such.

- Trey

On Sep 21, 2011 10:14 PM, "Aleksey Tsalolikhin" wrote: > Hello, > > Let's say your operating policy is "no patch updates without testing > first in the test environment". Let's say it takes you 3 weeks to > test. Over the course of the 3 weeks, the repo changes (new > packages added, old removed). > > Is there a way to "freeze" a set of packages so that when I > run "yum update" on a Prod server it'll get the same package > and patch set as the Test server did 3 weeks ago? > > It's been suggested to maintain a local mirror, and take rsync > snapshots of it daily, so then you can point the end node to a > particular repository. > > What other solutions are there? > > Best, > -at

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
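The two-repo arrangement in the reply above (a testing repo synced on demand, and a production repo that is a frozen copy of exactly what was tested) can be built from dated snapshot directories and two symlinks, so "promote to prod" is a single rename and the package set a Prod server sees is the one Test saw three weeks earlier. The script below is an added example, not from the thread or from any tool named in it. It assumes reposync and createrepo from yum-utils on the mirror host, a repo id of "base", and the layout base/<repoid>/<date> with "testing" and "prod" links, all of which are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Layout (this example's convention):
#   $BASE/<repoid>/<YYYYMMDD>/          immutable snapshot: rpms + repodata
#   $BASE/<repoid>/testing -> <date>    what test systems point at
#   $BASE/<repoid>/prod    -> <date>    what production points at
# reposync/createrepo come from yum-utils; set SYNC=no to only lay out
# directories (the self-test does this, since it has no mirror to pull from).

# snapshot_repo <basedir> <repoid> [stamp]: create a new dated snapshot.
snapshot_repo() {
    base=$1; repoid=$2; stamp=${3:-$(date +%Y%m%d)}
    dir=$base/$repoid/$stamp
    mkdir -p "$dir"
    # Seed from the newest earlier snapshot with hard links: every snapshot is
    # a complete tree, but an rpm that did not change is stored only once.
    prev=$(ls -1d "$base/$repoid"/[0-9]* 2>/dev/null | grep -v "/$stamp\$" | tail -n 1)
    if [ -n "$prev" ]; then
        cp -al "$prev/." "$dir/"
    fi
    if [ "${SYNC:-yes}" = yes ] && command -v reposync >/dev/null 2>&1; then
        reposync -r "$repoid" -p "$dir" --norepopath -n   # -n: newest versions only
        createrepo --update "$dir"
    fi
    printf '%s\n' "$dir"
}

# promote_snapshot <basedir> <repoid> <stamp> <testing|prod>: repoint a link.
# The link is built under a temporary name and moved into place with rename(2),
# so a client in the middle of "yum update" sees the old tree or the new one,
# never a half-updated repodata directory.
promote_snapshot() {
    base=$1; repoid=$2; stamp=$3; link=$4
    if [ ! -d "$base/$repoid/$stamp" ]; then
        echo "no snapshot $stamp for $repoid" >&2
        return 1
    fi
    ln -sfn "$stamp" "$base/$repoid/.$link.tmp"
    mv -T "$base/$repoid/.$link.tmp" "$base/$repoid/$link"
}

# current_snapshot <basedir> <repoid> <testing|prod>: which date a link uses.
current_snapshot() {
    readlink "$1/$2/$3"
}
```

Clients then use the link name, not the date, in their repo file (for example `baseurl=http://mirror.example.com/base/prod/`, a hypothetical host); rolling production back is another promote_snapshot to the previous date, and because each snapshot is a full tree, deleting old ones is just rm -rf on the directory.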
Re: [CentOS] Submitting patches from upstream fixes/bugs
On Wed, Sep 14, 2011 at 3:10 PM, Karanbir Singh wrote: > On 09/14/2011 01:59 PM, Trey Dockendorf wrote: > > Based on the bug report for the snapshot-create issue, it seems it's in > > libvirt 0.9.0 and that it's something that may be solved completely in > > Fedora 16. Is there a good way to find if a specific patch/fix has been > > applied upstream by Red Hat? > > grab the sources, look at the code. I hope to have an easier way than > that soon, stay tuned :) > > > What goes into the maintenance of a patch? I'd be happy to do so, but I > > only know enough C to be able to work in patches / changes and track > > down compile errors, but not enough to have been the original person > > that finds these solutions. > > essentially, when you request a package be locally ( ie, in CentOS ) > patched, we would need to copy that rpm over from the base distro into > the CentOS Plus repo. Apply the patch, test it, release it. But that > process needs to be re-done every time there is an update to the rpm, as > long as upstream does not fix the issue, change the expected behaviour > to what you are proposing or remove / change functionality in a way that > its no longer possible to support the patches. But while the patch is in > circulation, it would mean that every time there is an update from > upstream, you would need to make sure the patch still applies, or adapt > it to apply cleanly. > > does this clear up the requirements a bit ? > > - KB

That does, thanks. If you want to give me more details off-list I'd like to work on getting these patches into CentOS Plus. Also where could I begin looking to see if upstream RHEL has applied these to their releases? Thanks - Trey
Re: [CentOS] Submitting patches from upstream fixes/bugs
On Tue, Sep 13, 2011 at 7:32 PM, Karanbir Singh wrote: > On 09/14/2011 01:30 AM, Trey Dockendorf wrote: > > What is the preferred method for submitting patches from upstream > > projects ? I have two patches for libvirt-0.8.1.el6_0.6. One adds ESX > > 4.1 support to things like virt-v2v > > (http://www.redhat.com/archives/libvir-list/2010-July/msg00480.html) and > > the second fixes the broken "virsh snapshot-create" > > (https://bugzilla.redhat.com/show_bug.cgi?id=727709). All I did really > > was get them to work with the CentOS 6 version of libvirt. > > For the base distro components these would need to come via RH's code. > However, if you open issues at bugs.centos.org and offer to maintain the > patches, they could go into the same components into the CentOSPlus repo. > > - KB

Based on the bug report for the snapshot-create issue, it seems it's in libvirt 0.9.0 and that it's something that may be solved completely in Fedora 16. Is there a good way to find if a specific patch/fix has been applied upstream by Red Hat? What goes into the maintenance of a patch? I'd be happy to do so, but I only know enough C to be able to work in patches / changes and track down compile errors, but not enough to have been the original person that finds these solutions. Thanks - Trey
[CentOS] Submitting patches from upstream fixes/bugs
What is the preferred method for submitting patches from upstream projects ? I have two patches for libvirt-0.8.1.el6_0.6. One adds ESX 4.1 support to things like virt-v2v ( http://www.redhat.com/archives/libvir-list/2010-July/msg00480.html) and the second fixes the broken "virsh snapshot-create" ( https://bugzilla.redhat.com/show_bug.cgi?id=727709). All I did really was get them to work with the CentOS 6 version of libvirt. Thanks - Trey
Re: [CentOS] Vitualization and Partitioning
On Tue, Sep 13, 2011 at 11:57 AM, Rajagopal Swaminathan < raju.rajs...@gmail.com> wrote: > On Tue, Sep 13, 2011 at 10:31 AM, Trey Dockendorf > wrote: > > > > That considered I saw no benefit in my > > case to use LVM when some other tools could combine the ability to do > both > > qcow2 and memory snapshotting at once. > > Could you kindly share with us the tools you which could do both? > > Another (may unrelated) question: > > Has anybody installed or migrated a Netware 3.12 using KVM? > > If so, can you please share the experiences? especially bits about > Netware partitioning and the NIC model that needs to be selected? > > TIA > > -- > Regards, > > Rajagopal

I've only successfully tested using virt-manager to do snapshots. There is a way using virsh, doing "snapshot-create domain", but I receive an error due to lack of that feature.

error: internal error unable to execute QEMU command 'savevm': The command savevm has not been found

Using the virsh "save" command works, but only does it without shutting down the VM if done through virt-manager. Other tools that look promising for snapshots thus far are things like Convirt, OpenQRM, and Archipel, but I have yet to get them in production to test that out. - Trey
Re: [CentOS] Vitualization and Partitioning
On Mon, Sep 12, 2011 at 6:52 PM, Thomas Dukes wrote: > > > > -Original Message- > > From: centos-boun...@centos.org > > [mailto:centos-boun...@centos.org] On Behalf Of ken > > Sent: Monday, September 12, 2011 12:36 AM > > To: CentOS mailing list > > Subject: Re: [CentOS] Vitualization and Partitioning > > > > On 09/11/2011 11:10 PM Emmanuel Noobadmin wrote: > > > Hi, > > > > > >> When I do the install, do I or should I setup a separate partition > > >> for guest > > > That would be better from a performance point of view > > > > > >> OS's? From the redhat docs, it looks like the guest OS's reside at > > >> /var/lib/libvirt/images/. > > > This should be using files as disk files, which I did and > > found it to > > > be a problem when there is heavy I/O. > > > > I like LVM (for the reasons you cite). Would you (anyone?) > > say it's best to have one LV per guest or one LV for all guests? > > > > > > tnx. > > I'm new to this but I would think you would want a separate LV for each > guest. Seems I read somewhere, that you need one core per guest as well. > That's why I'm opting for the Xeon processor rather than the iCore(x). Four > cores v. two. More options. > > Can't believe this thread hasn't stirred more response. Maybe we all are in > the learning phase. > > Eddie

An LV per guest isn't necessary, but has its benefits. What I did on one of my servers was to use two drives in RAID 1 for the system and then a RAID 6 array for the VM storage. I've opted to use QCow2 images for the virtual disks, so they all go on a LV I created "/vmstore" where all virtual disks go. I always try to keep the system partitions (/ and /boot) separate from the data (with virtual server, I use /vmstore , or /var/lib/libvirt/images) at least logically, if not physically. My biggest consideration between LVM and image files for the VM disks was snapshot capabilities.
While LVM can do snapshots using lvm's native tools, it still requires extra steps to get the VM's memory (if still running). That considered I saw no benefit in my case to use LVM when some other tools could combine the ability to do both qcow2 and memory snapshotting at once. Plus in my environment it is easier to work with a single virtual disk file than deal with LVMs.
[CentOS] Installing RPM using --prefix and possible libvirt patch
I'm trying to install libvirt to /opt/libvirt, in order to test a patch I've worked into the current release, but it seems RPM is ignoring the --prefix command. The RPM I built has "Prefix: /opt/libvirt" in the spec, and correctly shows as relocatable by RPM...

# rpm -qpi libvirt-0.8.1-27.el6.6.x86_64.rpm
Name        : libvirt                      Relocations: /opt/libvirt
Version     : 0.8.1                        Vendor: (none)
Release     : 27.el6.6                     Build Date: Fri 09 Sep 2011 07:30:28 PM CDT
Install Date: (not installed)              Build Host: itsclinuxdev.tamu.edu
Group       : Development/Libraries        Source RPM: libvirt-0.8.1-27.el6.6.src.rpm
Size        : 2538412                      License: LGPLv2+
Signature   : (none)
URL         : http://libvirt.org/
Summary     : Library providing a simple API virtualization
Description :
Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support.

However when I issue the RPM command it will throw errors about conflicting with the current install of libvirt.

# rpm -ivh --prefix /opt/libvirt libvirt-client-0.8.1-27.el6.6.x86_64.rpm
Preparing...                ########################################### [100%]
file /usr/lib64/libvirt.so.0.8.1 from install of libvirt-client-0.8.1-27.el6.6.x86_64 conflicts with file from package libvirt-client-0.8.1-27.el6_0.6.x86_64
file /usr/share/man/man1/virsh.1.gz from install of libvirt-client-0.8.1-27.el6.6.x86_64 conflicts with file from package libvirt-client-0.8.1-27.el6_0.6.x86_64
file /usr/share/man/man1/virt-pki-validate.1.gz from install of libvirt-client-0.8.1-27.el6.6.x86_64 conflicts with file from package libvirt-client-0.8.1-27.el6_0.6.x86_64
file /usr/share/man/man1/virt-xml-validate.1.gz from install of libvirt-client-0.8.1-27.el6.6.x86_64 conflicts with file from package libvirt-client-0.8.1-27.el6_0.6.x86_64

The patch I worked into libvirt is here, http://www.redhat.com/archives/libvir-list/2010-July/msg00480.html (not my posting), to add ESXi and ESX 4.1 support , in my case to virt-v2v.
I'd like to install it without possibly breaking my current install of libvirt and just use the patched virt-v2v binary. As a side note, where should I direct my patch to possibly have it put into the official centos release? I had to slightly modify what was posted in the above link to make it work with 0.8.1. Thanks - Trey
Re: [CentOS] managing a rack full of centos servers
On Sep 5, 2011 2:47 AM, "James Nguyen" wrote: > > I'm managing two data centers and some instances on rackspace cloud servers. Currently running Cobbler+Puppet+Mcollective. So far it's been great for a team of one, myself. > > At the moment I'm looking into either using Aeolus or Openstack to bridge the gap of my data centers and the public cloud still keeping Puppet+Mcollective in the mix and seeing if Cobbler is still needed. > > Anyone out there tried both Aeolus *and* Openstack yet? I'm looking to supplement my research on these two private/public cloud tools. =) > > On Thu, Jul 21, 2011 at 3:19 PM, Marian Marinov wrote: >> >> On Thursday 21 July 2011 18:36:17 Devin Reade wrote: >> > --On Wednesday, July 20, 2011 11:02:42 PM -0700 RC >> > >> > wrote: >> > > On Wed, 20 Jul 2011 10:07:06 -0600 Devin Reade wrote: >> > >> It should be considered as complementing the automated config >> > >> management tools like cfengine et al, not as a replacement for >> > >> them (they're doing different jobs). >> > > >> > > That's not entirely fair. A little shell scripting and pdsh and pdcp >> > > can certainly do everything cfengine/puppet can do >> > >> > I wasn't referring to pdsh/pdcp; I was referring to pconsole. The >> > reason I said complementing is that sometimes it is good to have >> > stuff under a configuration management system like cfengine/puppet, >> > but sometimes you need to run ad-hoc commands, in an identical >> > fashion, on lots of similar machines, which pconsole is good at >> > (subject to the caveats I previously mentioned). >> > >> > I made no comments on pdsh/pdcp at all, and make no claims on where >> > it fits in the spectrum. >> > >> > Devin >> > >> You can actually achieve the same functionality of pdsh/pdcp and pconsole with >> a quite simple bash script :) >> >> http://multy-command.sourceforge.net/ >> >> I think it is a matter of what the admin will prefer to do. 
When you have a >> lot of identical machines, sometimes it is better to have cfengine/puppet, but >> sometimes it just an overkill to use them if you are the only one >> administrating those machines. >> >> cfengine and puppet have a very good place on machines that are administered >> by a team of people. >> >> But solutions like pdsh/pconsole and multy-command, in my opinion are more >> suitable when there are only one or two guys administering those machines. >> >> >> Marian >> > > -- > > james h nguyen | lead systems architect | www.callfire.com | 1.949.625.4263 >

+1 for Puppet. I manage only around 20 servers all running a mix of CentOS 5.6 and CentOS 6 very well with Puppet. The initial configuration and understanding for it is daunting but WELL worth it in the end. Also for system provisioning (kickstart and PXE) look at Foreman, which uses Puppet after initial installation.
Re: [CentOS] Mount --bind source / mountpoint out of sync
On Mon, Aug 22, 2011 at 3:15 PM, James Hogarth wrote: > On 22 August 2011 20:48, Dennis Jacobfeuerborn > wrote: > > On 08/22/2011 07:01 PM, Trey Dockendorf wrote: > >> I have a shared web server that users can SSH / SFTP into to access > their > >> web content. Each users home directory is in a change root, and I use > >> "mount -o bind" to put their respective webpage's document root into > their > >> home directory. Recently I was made aware that the contents of the > mount's > >> source are not the same as the mount point's, which I don't see how that > is > >> possible. > >> > >> The file system is 3 virtual disks...each part of the same volume group. > I > >> have three LVMs, "/" , "/chroot" , and "/var". > >> > >> Here's the entry in /etc/fstab... > >> > >> /var/www/example.com /chroot/home/user1/example.com none defaults,bind 0 0 > >> > >> The mount is active, yet running a recursive diff between > >> "/var/www/example.com" and > >> "/chroot/home/user1/example.com" shows numerous > >> differences. > >> > > > This is a bit of a shot in the dark perhaps but in which order was the > bind mount and httpd restarted last happen? Is it possible that httpd > has a file handle to the inode where the underlying directory for the > place being mounted too rather than the directory that is being bound? > If you unmount the binding do you see any files there? Which location > has the most recent files? These are the questions that first time to > my mind for troubleshooting purposes.

@Dennis, The differences were basically any changes made by the user , but for how long I'm unsure. It was reported today but that could be that he wasn't using the files until today.
The differences between the mount point and source were a wide range of things from small file changes or entire directories...nothing corrupt, but it seemed like there was a point in which changes made to the mount point (within the chroot) no longer appeared at the mount source.

@James When I unmounted the directory there were indeed files in the mount point's folder. It seemed that the mount point (in chroot) was the only thing affected by changes, not the source (out of chroot). I don't understand the question about httpd and the file handle inode. Could you explain? What was strange (and maybe this is expected while still mounted), rsync did not have an effect when run in an attempt to update the source with the mount point. I ended up having to restore from last night's backup to resolve this, but am extremely puzzled as to why this happened, and a bit worried as this was going to be my new method for allowing access to hosted web services via SSH / SFTP. Thanks - Trey
[CentOS] Mount --bind source / mountpoint out of sync
I have a shared web server that users can SSH / SFTP into to access their web content. Each users home directory is in a change root, and I use "mount -o bind" to put their respective webpage's document root into their home directory. Recently I was made aware that the contents of the mount's source are not the same as the mount point's, which I don't see how that is possible. The file system is 3 virtual disks...each part of the same volume group. I have three LVMs, "/" , "/chroot" , and "/var". Here's the entry in /etc/fstab...

/var/www/example.com /chroot/home/user1/example.com none defaults,bind 0 0

The mount is active, yet running a recursive diff between "/var/www/example.com" and "/chroot/home/user1/example.com" shows numerous differences. Here's "mount" output --

/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/mapper/VolGroup00-lv_chroot on /chroot type ext3 (rw)
/var/www/example.com on /chroot/home/user1/example.com type none (rw,bind)
/dev/mapper/VolGroup00-lv_var on /var type ext3 (rw)

I honestly have no idea how this is possible. Is using "mount -o bind" not the best method to give a chrooted user access to a single directory outside the chroot? Would it be better to leave the web root in the chroot and have Apache (outside chroot) reference that location? Thanks - Trey
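A bind mount copies nothing: while it is active, the mount point and the source are the same inode on the same filesystem, so a recursive diff between the two paths cannot differ. When it does, as in the two messages of this thread, the directory being written to is not the bound one. One common way that happens is that the mount is absent for a while (it fails or is ordered after the chroot volume at boot, or is unmounted and re-established later), files land in the underlying directory on the /chroot volume, and the next mount hides them, which matches the "files were still there after unmounting" observation above. The script below is an added example, not from the thread, with two checks: whether the bind is really in effect right now, and whether the underlying directory (after an unmount) has diverged from the source. It assumes GNU stat, as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the CentOS thread.

# bind_mount_in_sync <source> <mountpoint>: a bind mount exposes the same
# device:inode at both paths. A mismatch means <mountpoint> is currently just
# an ordinary directory (mount missing, or a different mount stacked on top).
bind_mount_in_sync() {
    src_id=$(stat -c '%d:%i' "$1") || return 2
    dst_id=$(stat -c '%d:%i' "$2") || return 2
    if [ "$src_id" != "$dst_id" ]; then
        echo "NOT BOUND: $2 is $dst_id, $1 is $src_id"
        return 1
    fi
    echo "ok: $2 and $1 are the same inode ($src_id)"
}

# bind_mount_diff <dirA> <dirB>: succeed only if both trees hold the same
# files with the same contents. Meant for after "umount <mountpoint>", to see
# what was written into the underlying directory while the mount was absent.
bind_mount_diff() {
    a=$(cd "$1" && find . -type f -exec cksum {} + | sort) || return 2
    b=$(cd "$2" && find . -type f -exec cksum {} + | sort) || return 2
    [ "$a" = "$b" ]
}

# Typical use on the server from the thread:
#   bind_mount_in_sync /var/www/example.com /chroot/home/user1/example.com
#   umount /chroot/home/user1/example.com
#   bind_mount_diff /var/www/example.com /chroot/home/user1/example.com || echo "stale files under mount point"
```

Running the first check from cron (or from the SFTP login script) catches the mount going missing before users start writing into the wrong place; the second tells you, after an unmount, whether anything needs to be merged back before the mount is re-established.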
Re: [CentOS] Using Samba to share Apache web root, securely
On Tue, Aug 9, 2011 at 12:56 PM, Les Mikesell wrote: > On 8/9/2011 12:32 PM, Trey Dockendorf wrote: > > > > > > Now I have a new requirement passed to me, which is a bit more > complicated. > > > > How would I allow individual users the ability only to access specific > > subfolders within that share without them being a part of the > > department_a group? My initial idea was to make use of ACLs, but if the > > POSIX permissions don't allow them write access, then ACLs won't help, > > will they ? The model is I need users of group department_a to have > > full control over this share while allowing individual faculty members > > to access only their personal folders within this share. > > You could make a separate samba share with different ownership. At some > point it might make more sense to use a web-based content manager that > understands logins/permissions or perhaps a wiki that permits uploads > instead of randomly mapping file access around. If the users in > question already have home directories on the server you might make > things work for individuals with symlinks out of their home directories > that show up by default in samba - or map the URLs into the public_html > directory you get with ~ expansion so the home directories are > self-contained. > > -- > Les Mikesell >lesmikes...@gmail.com

That will probably be the best option while we move these sites to a CMS. The users are accustomed to using Windows drive letters that are mapped by our AD to access their content, and I'd like to leave that intact for now. Now the fun part of making that many share definitions not take up hundreds of lines in my puppet node definitions :-/. In case anyone is interested I've uploaded what I have thus far for my Puppet samba module.
It's here, https://github.com/treydock/puppet-samba Thanks - Trey
Re: [CentOS] Using Samba to share Apache web root, securely
On Tue, Aug 9, 2011 at 11:54 AM, Craig White wrote: > > On Aug 9, 2011, at 9:02 AM, Les Mikesell wrote: > > > On 8/9/2011 10:44 AM, Craig White wrote: > >> > >>> There's probably a way to add apache to that group with a configuration > >>> on the local machine so it doesn't have to query your ADS/NMB server. > >>> Not sure about the details but the docs at > http://samba.org/samba/docs/ > >>> are invaluable. > >> > >> I'm quite sure that if all the files are owned by the 'department_a' > group and 'readable' by user apache as I have indicated, they should be with > the given configuration, there's absolutely no need to do any mucking with > local users or groups at all. > >> > >> The reality is that this machine will query AD/NMB server each time a > non-local user does anything on this system (read or write) and the only > thing that will lighten that load is something like NSCD (good luck with > that - not always a great option with samba). > > > > Really? I thought samba would map a connection to a uid at connect time. > > indeed it does but that doesn't mean that the system won't keep polling the > authoritative account info source. > > > > >> There are two important features of what I proposed... > >> - sgid means that all files/folders created within will always belong to > department_a group > > > > You can also do a 'force group' in the samba config for a share instead > > of or besides the sgid directory. > > true but: > 1 - force anything seems to be a little heavy handed > 2 - using sgid means that anyone using a shell will also create > files/directories with the same group - using 'force group' only has > implications for samba connections. Using sgid encompasses all methods of > access. > > > > >> - create mask 664 & directory mask 775 means that each file & directory > created - group will always get rw privileges and everyone else (ie user > apache) has 'read' privileges.
> >> > >> The only weakness of this theory as I see it, is that there very well > may be files - perhaps config files that you wouldn't want anyone to be able > to see and you probably will have to have some restrictions in > Apache's configuration to prevent web users from accessing them. > > > > There are also likely situations where the web server needs write > > access, although those cases should be handled carefully or avoided > > where possible. > > > indeed > > Craig

Excellent advice thank you!!! I was very close to the same conclusion, but have never messed with SGID , but that definitely helps especially as I make changes on the command line side while my users do it via Samba. Also a side note...NONE of this will work if you're testing creating files from a Mac. You have to add "unix extensions = no " to the Samba global config section. Once I did that the create mask and directory mask options began to work.

Now I have a new requirement passed to me, which is a bit more complicated. How would I allow individual users the ability only to access specific subfolders within that share without them being a part of the department_a group? My initial idea was to make use of ACLs, but if the POSIX permissions don't allow them write access, then ACLs won't help, will they ? The model is I need users of group department_a to have full control over this share while allowing individual faculty members to access only their personal folders within this share. Thanks again, - Trey
[CentOS] Using Samba to share Apache web root, securely
I'm setting up a shared web server running Apache. Each web root will belong to a department, which has a corresponding Active Directory group to give access. So far I've got samba working and such, but am having some trouble wrapping my head around the necessary permissions to make all this work, especially securely. So far I've found that both the POSIX and the ACL permissions must both allow a user to write to a directory, which is proving problematic. Is it better to give the web root directories very "loose" permissions and have Samba manage who can access the folders? A few options I've come across would have a user's logged in account mapped to the "apache" user through samba, using the "force user", but that seems like a security risk allowing users to be apache. Another option I currently have working is using a default ACL for apache to give the web server read of all the files. The problem I have with this is some directories require write and some files should have read only (like db config files), so again a global permission set doesn't seem to work. I'd be very interested in knowing how someone has solved a problem like this. Thanks - Trey
Re: [CentOS] Sudo #includedir function ignored CentOS 6
On Wed, Jul 27, 2011 at 7:39 AM, Craig White wrote: > On Tue, 2011-07-26 at 15:59 -0500, Trey Dockendorf wrote: > > Well I verified that putting the following line in /etc/sudoers works > > > > > > zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet > > > > > > However if I put it in /etc/sudoers.d/zabbix-puppet it does not. > > Exact same spacing and everything. > > > > > > The file was created with Puppet , and based on these errors I'm at a > > loss... > > > > > > I check the syntax, it fails > > > > > > # visudo -c -f /etc/sudoers.d/zabbix-puppet > > >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<< > > parse error in /etc/sudoers.d/zabbix-puppet near line 0 > > > > > > I then open the file with visudo, make absolutely no changes, just ":q" > > out, still get error. > > > > > > # visudo -f /etc/sudoers.d/zabbix-puppet > > >>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<< > > > > > > Then if I run the syntax check again it passes. However I still can't > > run the command without password prompt. > > > > > > # visudo -c -f /etc/sudoers.d/zabbix-puppet > > /etc/sudoers.d/zabbix-puppet: parsed OK > > > > > > The files permissions are correct as specified by sudoers > > documentation on #includedir > > probably should ask on the puppet list since using an includedir > function would be far more likely with puppet where most people would > just tack on their edits to /etc/sudoers directly. > > I am sort of interested in your solution by the way (I am on the puppet > list too) because I use puppet but so far, only on Ubuntu and it appears > that our CentOS systems will eventually be phased out. > > by the way, I have seen the same sort of spookiness about syntax errors > created by visudo on Ubuntu 10.04 on perfectly valid edits. Had me > scratching my head too. I used to always just use emacs to edit the file > but at work, I try to play by the conventions.
> > Craig >

Craig, I got things working...I posted my module on github if you're interested , https://github.com/treydock/puppet-sudo . There were two problems. First was can't have quotations around the #includedir path, second was that puppet wasn't puppeting a new line character in the file when using the "content" approach (see the module's note).

- Trey
Re: [CentOS] Package: virt-goodies - partly solved
If you're using CentOS 5.x you may have a problem with perl... here's some notes I have on the subject

# virt-v2v -f virt-v2v.conf -ic esx://server.com/?no_verify=1 -op vm_local VMname
Can't locate object method "show_progress" via package "Sys::VirtV2V::Transfer::ESX::UA" at /usr/lib/perl5/vendor_perl/5.8.8/Sys/VirtV2V/Transfer/ESX.pm line 62.

--

To resolve, virt-v2v requires a newer LWP::UserAgent... I think I had to add the --force option but can't recall for sure

# cpan -i LWP::UserAgent

- Trey

On Tue, Jul 26, 2011 at 12:58 PM, Victor Zele wrote:
> For CentOS KVM migrations use the virt-v2v package part of base.
>
> See this link,
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/chap-Virtualization-v2v-migration.html
>
> On Friday, 22 July 2011, 13:37:08, Timothy Kesten wrote:
> > Hi Folks,
> >
> > is here someone who knows where to get the package "virt-goodies" for CentOS6 64bit?
> >
> > I'd like to convert VMWare-images to KVM.
>
> No answers :-(
>
> I've found the sourcecode of "vmware2libvirt" (part of virt-goodies - a python-file) to convert .vmx file to .xml file for using in virt-manager.
>
> This program works fine.
> Conversion of my VMWare-Image succeeded.
>
> For anyone who is interested.
>
> Bye
> Timothy
Re: [CentOS] Sudo #includedir function ignored CentOS 6
Well I verified that putting the following line in /etc/sudoers works

zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet

However if I put it in /etc/sudoers.d/zabbix-puppet it does not. Exact same spacing and everything.

The file was created with Puppet, and based on these errors I'm at a loss...

I check the syntax, it fails

# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0

I then open the file with visudo, make absolutely no changes, just ":q" out, still get error.

# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<

Then if I run the syntax check again it passes. However I still can't run the command without password prompt.

# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK

The file's permissions are correct as specified by sudoers documentation on #includedir

-r--r- 1 root root 56 Jul 26 15:55 zabbix-puppet

Does anyone else have the #includedir working in CentOS 5.6 or 6?

Thanks
- Trey

On Mon, Jul 25, 2011 at 7:12 PM, John R Pierce wrote:
> On 07/25/11 4:41 PM, Trey Dockendorf wrote:
> > I am unable to get the #includedir function to work with sudo. This works just fine on all my CentOS 5.6 servers, but on 6 it is being ignored. I have this line in the file /etc/sudoers.d/zabbix-puppet
> >
> > zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
> >
> > However sudo still requires a password. If I put that same line into /etc/sudoers file, there is no password prompt. At the end of my sudoers file I have this line
> >
> > #includedir "/etc/sudoers.d"
>
> did you edit these files with visudo -f /path/to/file ? I'd try that.
>
> --
> john r pierce                            N 37, W 122
> santa cruz ca                         mid-left coast
Re: [CentOS] Sudo #includedir function ignored CentOS 6
Correction, seems to be broken in 5.6 as well... I also had this interesting argument with sudo...

# visudo -c -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<
parse error in /etc/sudoers.d/zabbix-puppet near line 0

(((NOTE: I made absolutely no changes, just did ":q")))
# visudo -f /etc/sudoers.d/zabbix-puppet
>>> /etc/sudoers.d/zabbix-puppet: syntax error near line 0 <<<

# visudo -c -f /etc/sudoers.d/zabbix-puppet
/etc/sudoers.d/zabbix-puppet: parsed OK

:-/

- Trey

On Mon, Jul 25, 2011 at 6:41 PM, Trey Dockendorf wrote:
> I am unable to get the #includedir function to work with sudo. This works just fine on all my CentOS 5.6 servers, but on 6 it is being ignored. I have this line in the file /etc/sudoers.d/zabbix-puppet
>
> zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet
>
> However sudo still requires a password. If I put that same line into /etc/sudoers file, there is no password prompt. At the end of my sudoers file I have this line
>
> #includedir "/etc/sudoers.d"
>
> It seems that line is being ignored.
>
> The permissions on the file in that directory are 0440.
>
> Any ideas would be greatly appreciated.
>
> Thanks
> - Trey
[CentOS] Sudo #includedir function ignored CentOS 6
I am unable to get the #includedir function to work with sudo. This works just fine on all my CentOS 5.6 servers, but on 6 it is being ignored. I have this line in the file /etc/sudoers.d/zabbix-puppet

zabbix ALL=NOPASSWD: /var/lib/zabbix/bin/start_puppet

However sudo still requires a password. If I put that same line into /etc/sudoers file, there is no password prompt. At the end of my sudoers file I have this line

#includedir "/etc/sudoers.d"

It seems that line is being ignored.

The permissions on the file in that directory are 0440.

Any ideas would be greatly appreciated.

Thanks
- Trey
Re: [CentOS] CentOS 6 x86_64 DVD doesn't boot
On Thu, Jul 14, 2011 at 8:32 AM, Kanwar Ranbir Sandhu <m3fr...@thesandhufamily.ca> wrote:
> Hi Everyone,
>
> I downloaded the CentOS 6 x86_64 DVD ISOs and burned the first image to a rewritable DVD. When I tried to boot my new home server off it, it didn't, and then this was printed to the screen:
>
> ETCDisolinux: Found something at drive = EF
> No DEFAULT or UI configuration directive found!
> boot:
>
> The same disc works fine in my 4 year old HP laptop, and when installing CentOS 6 as a KVM.
>
> I've found one post from a Fedora 14 user that was having the exact same problem, but no one replied to him. Other articles, posts etc. around the net reference something different for the "EF" part.
>
> Does anyone know what's going on? I've never seen this problem before.
>
> Regards,
>
> Ranbir
>
> --
> Kanwar Ranbir Sandhu
> Linux 2.6.32.26-175.fc12.x86_64 x86_64 GNU/Linux
> 09:21:53 up 10:20, 2 users, load average: 1.20, 1.47, 1.34

I had a similar issue using the CentOS 6 DVD with a DVD-RW. The same install disk worked perfectly on another system. I ended up having to use the Netinstall CD to do the install.
[CentOS] Chroot issue with username to uid
I'm setting up a chroot environment on a shared web server to allow users to modify their web roots within a secure chroot, but am having a problem. Right now when I log in with test accounts I get this...

Last login: Thu Jul 14 09:04:14 2011 from
id: cannot find name for group ID 507
id: cannot find name for user ID 506
[I have no name!@webserver ~]$

I've verified that the UID / GIDs are correct in the chroot's /etc/passwd. Is there possibly something I may have not put in the chroot that is needed for id->name mapping?

Here's how I setup the chroot... I'll provide a full write up once I get this last issue fixed...

cd /home/
mkdir chroot
cd chroot/
groupadd chrootusers
useradd treydock
usermod -a -G chrootusers treydock
mkdir -p ./{dev,etc,lib,lib64,usr,bin,home}
mkdir -p ./usr/{bin,libexec}
mkdir -p usr/libexec/openssh
mknod -m 666 dev/null c 1 3
cp -R /etc/skel home/treydock
chown -R treydock:treydock /home/chroot/home/treydock
cp /etc/ld.so.cache /home/chroot/etc/
cp /etc/ld.so.conf /home/chroot/etc/
cp -R /etc/ld.so.conf.d /home/chroot/etc/
cp /etc/nsswitch.conf /home/chroot/etc/
cp /etc/hosts /home/chroot/etc/
cp /etc/passwd /home/chroot/etc/
cp /etc/group /home/chroot/etc/
cp /etc/resolv.conf /home/chroot/etc/
cp /etc/bashrc /home/chroot/etc/
cp /bin/vi /home/chroot/bin/
cp /bin/ls /home/chroot/bin/
cp /bin/cat /bin/cp /bin/grep /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/bash /home/chroot/bin/
cp /usr/bin/scp /home/chroot/usr/bin/
cp /usr/bin/sftp /home/chroot/usr/bin/
cp /usr/bin/ssh /home/chroot/usr/bin/
cp /usr/bin/vim /home/chroot/usr/bin/
cp /usr/bin/id /home/chroot/usr/bin/
cp /usr/libexec/openssh/sftp-server /home/chroot/usr/libexec/openssh/
cd /usr/local/sbin/
wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
chmod +x l2chroot
vim l2chroot
for i in `ls /home/chroot/bin/`; do l2chroot /bin/$i; done
for i in `ls /home/chroot/usr/bin/`; do l2chroot /usr/bin/$i; done
l2chroot /usr/libexec/openssh/sftp-server
vim /etc/ssh/sshd_config
/etc/init.d/sshd restart

Here is an example of what is in both my system and chroot /etc/passwd

treydock:x:506:507:Trey Dockendorf:/home/treydock:/bin/bash

Thanks
- Trey
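The thread has no answer on this page, so the following diagnostic is an added example from the editor, not the poster's setup or a reply from the list. It rests on one fact about glibc that the thread does not state: the sources named in nsswitch.conf (files, dns, ldap, ...) are loaded at run time with dlopen() as libnss_<source>.so.2, so an ldd-based copy helper such as l2chroot never sees them, and a chroot with a correct /etc/passwd but no libnss_files.so.2 cannot map a UID to a name. The script reads the chroot's own nsswitch.conf and reports which of those modules are absent from its library directories; the library directory list is an assumption that fits CentOS 5/6 layouts.

```shell
#!/bin/sh
# Added example (not from the thread): report NSS modules that a chroot
# needs for id->name lookups but does not contain.
# Assumption: glibc NSS, which dlopen()s libnss_<source>.so.2 for every
# source listed for a database in nsswitch.conf.  ldd does not list these,
# so scripts that copy only ldd output leave them behind.

# Print the NSS sources configured for one database (e.g. passwd) in the
# chroot's nsswitch.conf, one per line.  Trailing comments and bracketed
# actions such as [NOTFOUND=return] are not modules and are dropped.
nss_sources() {
    chroot_dir=$1; db=$2
    conf="$chroot_dir/etc/nsswitch.conf"
    [ -r "$conf" ] || return 1
    sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf" |
        sed 's/#.*//' |
        tr ' \t' '\n\n' |
        grep -v '^\[' |
        grep -v '^$'
}

# Print the libnss modules that $db needs but the chroot lacks.
# Returns 0 when nothing is missing, 1 otherwise.
nss_missing_modules() {
    chroot_dir=$1; db=$2
    missing=0
    for src in $(nss_sources "$chroot_dir" "$db"); do
        found=0
        # Library directories searched, matching a CentOS 5/6 layout
        # (assumed; extend if the chroot uses a different layout).
        for libdir in lib64 lib usr/lib64 usr/lib; do
            if [ -e "$chroot_dir/$libdir/libnss_$src.so.2" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "libnss_$src.so.2"
            missing=1
        fi
    done
    return $missing
}

# id(1) consults the passwd and group databases; check both.
check_chroot_nss() {
    rc=0
    for db in passwd group; do
        nss_missing_modules "$1" "$db" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot_nss.sh /home/chroot
[ $# -eq 0 ] || check_chroot_nss "$1"
```

Each module the script names can be copied from the host's matching library directory into the chroot; once libnss_files.so.2 is present, id(1) resolves the entries already in the chroot's /etc/passwd and /etc/group.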
Re: [CentOS] CentOS 6 DVD install "Unable to read group information from repositories"
This must have been an issue with my specific external dvd drive. Used netinstall disk successfully... yay centos 6! Now where is the best place to post bugs regarding KVM in centos 6?

On Jul 13, 2011 9:59 AM, "Trey Dockendorf" wrote:
> This was 64 bit install and the media checks were good. I also successfully used the same install media on another system. I'll try the suggestions and see if the drive is having problems.
>
> On Jul 13, 2011 1:27 AM, "Ljubomir Ljubojevic" wrote:
> > Trey Dockendorf wrote:
> > > Tried my first CentOS 6 install on a system currently running 5.6. My attempt was not an upgrade, but a full re-format. I have verified the checksums of the ISO and did the pre-install disk verify and everything checked out. However after the screen for setting up the bootloader I get the following error
> > >
> > > "Unable to read group information from repositories. This is a problem with the generation of your install tree"
> > >
> > > With my only options being "Exit Install" and "Retry", but of course "Retry" continues to fail with the same message.
> > >
> > > Basically I chose the first option in the menu for the DVD, install / upgrade, went through all the settings, did a custom layout for partitioning. I basically told the installer to re-format my ext3 partitions to ext4 and set the mount points for / , /boot and swap. Then after selecting "Next" from the bootloader configuration is when I get the above error.
> >
> > 1. Was this i386 or x86_64?
> > 2. Have you run Media test of DVD('s) in system in question? Maybe DVD drive can not read them right. Especially if you used higher speed to burn the disk. I would recommend slow burning like 4x when you burn OS DVD's (and 16x for CD's).
> >
> > And have you by any chance tried the same DVD('s) on any other system?
> >
> > Ljubomir
Re: [CentOS] CentOS 6 DVD install "Unable to read group information from repositories"
This was 64 bit install and the media checks were good. I also successfully used the same install media on another system. I'll try the suggestions and see if the drive is having problems.

On Jul 13, 2011 1:27 AM, "Ljubomir Ljubojevic" wrote:
> Trey Dockendorf wrote:
> > Tried my first CentOS 6 install on a system currently running 5.6. My attempt was not an upgrade, but a full re-format. I have verified the checksums of the ISO and did the pre-install disk verify and everything checked out. However after the screen for setting up the bootloader I get the following error
> >
> > "Unable to read group information from repositories. This is a problem with the generation of your install tree"
> >
> > With my only options being "Exit Install" and "Retry", but of course "Retry" continues to fail with the same message.
> >
> > Basically I chose the first option in the menu for the DVD, install / upgrade, went through all the settings, did a custom layout for partitioning. I basically told the installer to re-format my ext3 partitions to ext4 and set the mount points for / , /boot and swap. Then after selecting "Next" from the bootloader configuration is when I get the above error.
>
> 1. Was this i386 or x86_64?
> 2. Have you run Media test of DVD('s) in system in question? Maybe DVD drive can not read them right. Especially if you used higher speed to burn the disk. I would recommend slow burning like 4x when you burn OS DVD's (and 16x for CD's).
>
> And have you by any chance tried the same DVD('s) on any other system?
>
> Ljubomir
[CentOS] CentOS 6 DVD install "Unable to read group information from repositories"
Tried my first CentOS 6 install on a system currently running 5.6. My attempt was not an upgrade, but a full re-format. I have verified the checksums of the ISO and did the pre-install disk verify and everything checked out. However after the screen for setting up the bootloader I get the following error

"Unable to read group information from repositories. This is a problem with the generation of your install tree"

With my only options being "Exit Install" and "Retry", but of course "Retry" continues to fail with the same message.

Basically I chose the first option in the menu for the DVD, install / upgrade, went through all the settings, did a custom layout for partitioning. I basically told the installer to re-format my ext3 partitions to ext4 and set the mount points for / , /boot and swap. Then after selecting "Next" from the bootloader configuration is when I get the above error.

Thanks
- Trey
[CentOS] Upgrade from CentOS 5.x to 6.0
Great news about CentOS 6.0 being available, and I figured I'd ask the most obvious question, what can I expect when upgrading from CentOS 5.6 to 6.0? I have not had to go from one major version of CentOS to another so this is new territory for me.

Is the process just like an install except there's an "Upgrade" option? Does an upgrade do a "yum update" of everything installed? Most of my systems use EPEL and some the IUS repos... is there a way during the upgrade to just upgrade system components and leave things like PHP, httpd and MySQL alone for now?

Any suggestions on monitoring the upgrade progress via syslog or some other method so I can see exactly what is being done during the upgrade?

Thanks
- Trey