Re: Library security updates
> > If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?
>
> Depending on what the update is. If you want to be 100% certain, reboot. If you don't want to reboot, you can hunt through what programs use certain libraries using ld - however the effort taken to do this is much more than a reboot - and probably takes longer.

It actually isn't that hard to track down.

[root@colo-a2vm t2]# lsof -n | grep gcc
hpiod      2649    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
mysqld     2851   mysql  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
libvirtd   3121    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
yum-updat  3343    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
smartd     3469    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
automount  6482    root  DEL  REG  252,0          4718600 /lib64/libgcc_s-4.1.2-20080825.so.1.#prelink#.dvRyeN
httpd     11089    root  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
php       11639     ioi  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
php       24239     ioi  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
httpd     27057  daemon  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
httpd     27058  daemon  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1

You can tell the processes that were not restarted as they show DEL instead of mem...
Re: Library security updates
On 01/28/2015 10:48 AM, Steven Haigh wrote:
> > And indeed, if yum updates a daemon due to security fixes does the daemon restart?
>
> By default, package updates won't restart running programs. This is a manual step.

glibc is special. When glibc is updated it executes from %post /usr/sbin/glibc_post_upgrade.x86_64, which severely lacks documentation; the best I could find is that it runs

telinit u; service sshd condrestart

It definitely does restart crond, I'm sure, since a few years back it went bad and crond failed across the whole plant.

Not sure I actually trust the above to actually restart everything.
Re: Library security updates
On 28/01/2015 8:35 PM, John Rowe wrote:
> I'm sure many people will have seen the recent security update on gethostbyname(), etc. Apparently exim can be vulnerable to this.

Yes it is.

> This raises the question: does updating a library package actually protect systems from the vulnerability or do daemons continue to use the (insecure) version of the library call they linked at start up?

The program (exim in this case) uses a function in the library. It will continue to use the library that was present when the program started until you restart the program.

> And indeed, if yum updates a daemon due to security fixes does the daemon restart?

By default, package updates won't restart running programs. This is a manual step.

> If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?

Depending on what the update is. If you want to be 100% certain, reboot. If you don't want to reboot, you can hunt through what programs use certain libraries using ld - however the effort taken to do this is much more than a reboot - and probably takes longer.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Library security updates
I'm sure many people will have seen the recent security update on gethostbyname(), etc. Apparently exim can be vulnerable to this.

This raises the question: does updating a library package actually protect systems from the vulnerability or do daemons continue to use the (insecure) version of the library call they linked at start up?

And indeed, if yum updates a daemon due to security fixes does the daemon restart?

If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?

John
Re: Library security updates
On 28/01/15 10:35, John Rowe wrote:
> And indeed, if yum updates a daemon due to security fixes does the daemon restart?

Yes and no. It mostly depends on what kind of package has been updated. Some packages trigger a restart of daemons, some do not. Generally speaking, packages such as httpd, postfix, openssh-server and such usually restart the service when the package is updated. But for library packages it may be mixed. Sometimes daemons are restarted, but it usually depends on helper scripts (which glibc does have). But having said that, it doesn't mean all daemons are restarted.

> If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?

I generally treat core system libraries (such as glibc) along the same lines as kernel updates. So I try to do a reboot as soon as possible. Depending on the severity of the system library update and the time until I can schedule a reboot, I decide whether to restart critical daemons. Generally I only restart daemons using the network, but I have very few boxes where users log in with shell access.

All non-restarted processes will use the old library until they are restarted. This is why a reboot is helpful when core system libraries are updated: it reassures you that all processes use the latest code. And having a reboot every now and then is also good sys-admin practice, to ensure the setup/configuration is always persistent - for the times when an abrupt reboot happens.

--
kind regards,

David Sommerseth
SL 7.0 and WINS name resolution
In SL 7.0, adding wins to end of hosts line in /etc/nsswitch.conf no longer gives me the WINS name resolution I had in earlier versions, i.e. I could ping NetBIOS names from SL 6.x command line. I've added and enabled various other services in a blind effort to get it working, to no effect: nscd, samba, and samba-winbind What's missing in SL 7.0 that was present and allowed this in SL 6.x?
clonezilla or equivalent
We are in the process of migrating one of our compute engines (a CUDA Nvidia GPU close coupled multichassis unit using Infiniband for the compute fabric) to SL7 from SL6. I have a fully operational SL 7 installation on my workstation that also has a CUDA Nvidia GPU. We will first migrate the head node of the compute engine to SL 7 and then continue with the rest of the nodes (the head node has the 802.3 connection to the LAN and then Internet/WAN).

We plan to clone the SL7 boot harddrive from my workstation rather than go through a full install from media -- we have done this before and find cloning and then readjusting partitions to be the fastest method in our circumstances. In the past, we have physically removed drives and used an external cloning device -- easy to do on the primary servers as these all have drives in externally removable carriers -- but this would require me to open up and tear down my workstation.

I have mounted a new drive -- upon which we shall be putting SL7 for the compute engine -- in an external USB3 interface. My workstation detects the drive; under SL7, it is /dev/sdj . However, a dd does not work -- it seems not to want to clone beyond 4 GBytes, rather than the full drive (the destination hard drive has sufficient capacity to hold the entire image of the source hard drive). My workstation has multiple bootable harddrives -- I am booting from a different drive than the one from which I am cloning and the clone source and target drives are not mounted during the cloning (obviously, still visible in /dev ).

My next approach -- before disassembly -- will be to try clonezilla or the equivalent. As I understand clonezilla, I boot from the clonezilla dvd and then clone from source to target. Does clonezilla permit cloning over a USB3 interface, or only a USB 2 (that I also can use)? We are using ext4 partitions. Does anyone have a preferred utility over clonezilla?

Any advice would be appreciated.

Yasha Karant
Re: Library security updates
Actually, looking at what files were updated, that should probably be

lsof -n | grep -e libc-

(Probably not a lot of difference in the programs listed, but...)

----- Original Message -----
From: John Lauro <john.la...@covenanteyes.com>
To: Steven Haigh <net...@crc.id.au>
Cc: scientific-linux-users@fnal.gov
Sent: Wednesday, January 28, 2015 9:13:08 AM
Subject: Re: Library security updates

> > > If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?
> >
> > Depending on what the update is. If you want to be 100% certain, reboot. If you don't want to reboot, you can hunt through what programs use certain libraries using ld - however the effort taken to do this is much more than a reboot - and probably takes longer.
>
> It actually isn't that hard to track down.
>
> [root@colo-a2vm t2]# lsof -n | grep gcc
> hpiod      2649    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
> mysqld     2851   mysql  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
> libvirtd   3121    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
> yum-updat  3343    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
> smartd     3469    root  DEL  REG  252,0          4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea
> automount  6482    root  DEL  REG  252,0          4718600 /lib64/libgcc_s-4.1.2-20080825.so.1.#prelink#.dvRyeN
> httpd     11089    root  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
> php       11639     ioi  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
> php       24239     ioi  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
> httpd     27057  daemon  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
> httpd     27058  daemon  mem  REG  252,0  58400  4718834 /lib64/libgcc_s-4.1.2-20080825.so.1
>
> You can tell the processes that were not restarted as they show DEL instead of mem...
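One way to automate the DEL-versus-mem check from John Lauro's two messages above, as an added example that is not code from the thread: it parses lsof lines (a constructed sample modelled on the output quoted above) and also reads /proc/<pid>/maps directly, where the kernel marks a replaced library "(deleted)". It assumes Linux and Python 3; the script name stale_libs.py is hypothetical.

```python
"""Find processes still mapping a replaced (deleted) shared library.
After a library update, running processes keep the OLD inode mapped until
restarted: lsof shows FD "DEL", /proc/<pid>/maps tags the path "(deleted)".
Run as root to see every process. Usage: python3 stale_libs.py libc-"""
import os
import re
import sys
# lsof -n columns as in the thread: COMMAND PID USER FD TYPE DEVICE [SIZE]
# NODE NAME. SIZE is absent on DEL lines, hence the optional group.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+REG\s+"
    r"\S+\s+(?:\d+\s+)?(?P<node>\d+)\s+(?P<path>/\S+)$")

# Constructed sample, modelled on the lsof output quoted in the thread.
SAMPLE_LSOF = [
    "hpiod 2649 root DEL REG 252,0 4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea",
    "mysqld 2851 mysql DEL REG 252,0 4718941 /lib64/libgcc_s-4.1.2-20080825.so.1;545bc2ea",
    "httpd 11089 root mem REG 252,0 58400 4718834 /lib64/libgcc_s-4.1.2-20080825.so.1",
    "php 11639 ioi mem REG 252,0 58400 4718834 /lib64/libgcc_s-4.1.2-20080825.so.1",
]

def stale_from_lsof(lines, pattern):
    """{(cmd, pid, user): path} for lines with FD DEL whose path contains
    `pattern` (the same filter as the grep in the thread)."""
    stale = {}
    for line in lines:
        m = LSOF_RE.match(line.strip())
        if m and m.group("fd") == "DEL" and pattern in m.group("path"):
            stale[(m.group("cmd"), int(m.group("pid")), m.group("user"))] = m.group("path")
    return stale

def deleted_maps(lines, pattern):
    """Parse /proc/<pid>/maps lines (addr perms offset dev inode path);
    return distinct paths mapped from a deleted file matching `pattern`."""
    found = []
    for line in lines:
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no path column
        path = parts[5].strip()
        if path.endswith(" (deleted)") and pattern in path and path not in found:
            found.append(path)
    return found

def stale_from_proc(pattern, proc="/proc"):
    """Scan every /proc/<pid>/maps; return {pid: [deleted library paths]}."""
    result = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                paths = deleted_maps(fh, pattern)
        except OSError:
            continue  # process exited, or not readable without root
        if paths:
            result[int(pid)] = paths
    return result

if __name__ == "__main__":
    pattern = sys.argv[1] if len(sys.argv) > 1 else "libc-"
    for pid, paths in sorted(stale_from_proc(pattern).items()):
        print(f"needs restart: pid {pid}: {', '.join(paths)}")
```

An empty result from stale_from_proc only means no process maps a deleted file matching the pattern; a daemon that was re-executed by its package's %post scriptlet will not appear, which is the expected outcome.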
Re: SL 7.0 and WINS name resolution
Hi Ed Agoff!

On 2015.01.28 at 12:54:49 -0800, Ed Agoff wrote next:
> In SL 7.0, adding wins to end of hosts line in /etc/nsswitch.conf no longer gives me the WINS name resolution I had in earlier versions, i.e. I could ping NetBIOS names from SL 6.x command line. I've added and enabled various other services in a blind effort to get it working, to no effect: nscd, samba, and samba-winbind
>
> What's missing in SL 7.0 that was present and allowed this in SL 6.x?

You are likely missing nss libraries /usr/lib64/libnss_winbind.so and /usr/lib64/libnss_wins.so. They are provided by samba-winbind-modules package. Samba was split into more subpackages in EL7, I guess.

--
Vladimir
Re: clonezilla or equivalent
On Wed, Jan 28, 2015 at 6:08 PM, Yasha Karant <ykar...@csusb.edu> wrote:
> Any advice would be appreciated.

Clonezilla Live does support USB 3.0.

Out of curiosity, is the external drive you connected formatted as FAT32? The 4 GB file size limit would explain why dd would be failing.

Brandon Vincent
Re: SL 7.0 and WINS name resolution
WINS is now considered obsolete along with NetBIOS even by Microsoft. In modern environments everything should use DNS. XP was the last version of Windows which shipped with NetBIOS turned on by default, and without NetBIOS WINS doesn't work either.

Sent from my BlackBerry 10 smartphone.

From: Ed Agoff
Sent: Wednesday, January 28, 2015 15:55
To: scientific-linux-users@fnal.gov
Subject: SL 7.0 and WINS name resolution

> In SL 7.0, adding "wins" to end of hosts line in /etc/nsswitch.conf no longer gives me the WINS name resolution I had in earlier versions, i.e. I could ping NetBIOS names from SL 6.x command line. I've added and enabled various other services in a blind effort to get it working, to no effect: nscd, samba, and samba-winbind
>
> What's missing in SL 7.0 that was present and allowed this in SL 6.x?
Re: clonezilla or equivalent
In the past I used to use a utility called mkcdrec, which has a successor project called relax and recover (rear for short). I haven't used the new version but it should work well.

That said, if you can package everything in rpms you could use spacewalk or katello to create identical builds including copying config files. As a long term solution I like this option because it allows you to quickly rebuild after a catastrophic failure in a very clean, precise way. It also allows for quick expansion of an existing environment. In my environment the typical spacewalk build takes 20 minutes and in most cases includes everything needed to bring the box up immediately, aside from state data such as database content; my normal database recovery scripts handle that, and in many cases spacewalk even automatically executes them after the install is complete.

Sent from my BlackBerry 10 smartphone.

Original Message
From: Yasha Karant
Sent: Wednesday, January 28, 2015 20:09
To: scientific-linux-users@fnal.gov
Subject: clonezilla or equivalent

> We are in the process of migrating one of our compute engines (a CUDA Nvidia GPU close coupled multichassis unit using Infiniband for the compute fabric) to SL7 from SL6. I have a fully operational SL 7 installation on my workstation that also has a CUDA Nvidia GPU. We will first migrate the head node of the compute engine to SL 7 and then continue with the rest of the nodes (the head node has the 802.3 connection to the LAN and then Internet/WAN).
>
> We plan to clone the SL7 boot harddrive from my workstation rather than go through a full install from media -- we have done this before and find cloning and then readjusting partitions to be the fastest method in our circumstances. In the past, we have physically removed drives and used an external cloning device -- easy to do on the primary servers as these all have drives in externally removable carriers -- but this would require me to open up and tear down my workstation.
>
> I have mounted a new drive -- upon which we shall be putting SL7 for the compute engine -- in an external USB3 interface. My workstation detects the drive; under SL7, it is /dev/sdj . However, a dd does not work -- it seems not to want to clone beyond 4 GBytes, rather than the full drive (the destination hard drive has sufficient capacity to hold the entire image of the source hard drive). My workstation has multiple bootable harddrives -- I am booting from a different drive than the one from which I am cloning and the clone source and target drives are not mounted during the cloning (obviously, still visible in /dev ).
>
> My next approach -- before disassembly -- will be to try clonezilla or the equivalent. As I understand clonezilla, I boot from the clonezilla dvd and then clone from source to target. Does clonezilla permit cloning over a USB3 interface, or only a USB 2 (that I also can use)? We are using ext4 partitions. Does anyone have a preferred utility over clonezilla?
>
> Any advice would be appreciated.
>
> Yasha Karant
Re: clonezilla or equivalent
On Wed, 28 Jan 2015 17:08:06 -0800 Yasha Karant <ykar...@csusb.edu> wrote:
> My next approach -- before disassembly -- will be to try clonezilla or the equivalent. As I understand clonezilla, I boot from the clonezilla dvd and then clone from source to target. Does clonezilla permit cloning over a USB3 interface, or only a USB 2 (that I also can use)? We are using ext4 partitions. Does anyone have a preferred utility over clonezilla?
>
> Any advice would be appreciated.
>
> Yasha Karant

Hi Yasha,

I adore clonezilla. It just works. You boot off a CD (not DVD). The ISO also will create a decent flash drive. I used Fedora Liveusb-creator, which does run under SL 6.x: https://fedorahosted.org/liveusb-creator/

I have done both USB2 and USB3. They must be plugged in before booting.

Also, the target disk must be the same size or bigger than the source. When I have had smaller targets, I have had to go in with Xfce Fedora Live CD and reduce the partition size of the source with gparted first. Clonezilla will give you the exact same partition size that you had to start with. Use the same gparted to get the rest of your larger partition back.

I got to help you for once. Cool. :-)

Good luck,
-T

Always do an fsck (or chkdsk /f if ntfs) before attempting to clone. I have done fat, ntfs, ext4 so far, but not xfs.
Re: clonezilla or equivalent
On Wed, 28 Jan 2015 17:08:06 -0800 Yasha Karant <ykar...@csusb.edu> wrote:
> However, a dd does not work -- it seems not to want to clone beyond 4 GBytes, rather than the full drive (the destination hard drive has sufficient capacity to hold the entire image of the source hard drive)

Boot into Xfce Fedora 21 Live DVD, go into gparted and nuke the original contents. If it is Apple partitioned (G-Drives etc.), pull down gdisk with yum, go into the extended features (may be called something else) and nuke the GPT partition
Re: clonezilla or equivalent
On 01/28/2015 07:21 PM, Brandon Vincent wrote:
> On Wed, Jan 28, 2015 at 6:08 PM, Yasha Karant <ykar...@csusb.edu> wrote:
> > Any advice would be appreciated.
>
> Clonezilla Live does support USB 3.0.
>
> Out of curiosity, is the external drive you connected formatted as FAT32? The 4 GB file size limit would explain why dd would be failing.
>
> Brandon Vincent

The target hard drive is supposed to have no file system format (just the low level format from the manufacturer) -- not MS Windows, Mac OS X, or any other file system format. It is supposed to be brand new raw. Will gparted work to remove any high level format? It should -- the drive can be accessed as /dev/sdj (over the USB 3 interface to the external disk holding unit).

Yasha Karant
Re: clonezilla or equivalent
On Wed, Jan 28, 2015 at 10:32 PM, Yasha Karant <ykar...@csusb.edu> wrote:
> Will gparted work to remove any high level format? It should -- the drive can be accessed as /dev/sdj (over the USB 3 interface to the external disk holding unit).

Yes. The easiest way to do this is to create a new partition table on the disk. [1]

[1] http://gparted.org/display-doc.php?name=help-manual#gparted-create-partition-table

Brandon Vincent
Re: clonezilla or equivalent
Clearing the remnants of a filesystem can be awkward. In order to clear previously used partitions for clean OS installation, I used to use lvm (to get a list of known volumes and devices, activate them enough to write to, and then delete them *all* with extreme prejudice). Then I'd use parted to partition, as desired, and then mkfs to set up partitions. Doing this as a well scripted '%pre' operation can save enormous complexity in trying to trick the very limited and underdocumented 'anaconda' tools into doing the right things.

Unfortunately, the parted that came with CentOS 5 installation media was not as powerful as that which came with the operating system, so some extra chicanery was sometimes required.

On Thu, Jan 29, 2015 at 12:32 AM, Yasha Karant <ykar...@csusb.edu> wrote:
> On 01/28/2015 07:21 PM, Brandon Vincent wrote:
> > On Wed, Jan 28, 2015 at 6:08 PM, Yasha Karant <ykar...@csusb.edu> wrote:
> > > Any advice would be appreciated.
> >
> > Clonezilla Live does support USB 3.0.
> >
> > Out of curiosity, is the external drive you connected formatted as FAT32? The 4 GB file size limit would explain why dd would be failing.
> >
> > Brandon Vincent
>
> The target hard drive is supposed to have no file system format (just the low level format from the manufacturer) -- not MS Windows, Mac OS X, or any other file system format. It is supposed to be brand new raw. Will gparted work to remove any high level format? It should -- the drive can be accessed as /dev/sdj (over the USB 3 interface to the external disk holding unit).
>
> Yasha Karant