RE: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on SL6.x i386/x86_64
Hi Pat

Thanks for your suggestions.

confirmed memory is 2048MB
tried numa=off
confirmed virtio and qxl
confirmed BIOS is F8

I'll try resetting BIOS and doing a memory test over the weekend.
I have an SL7.5 guest which I am setting up with Kolab, so I will probably switch to that soon and ditch SL6.9

Thanks again for spending time on this.

Cheers
Bill

-Original message-
> From: Pat Riehecky
> Sent: Friday 25th May 2018 6:11
> To: Bill Maidment; scientific-linux-us...@listserv.fnal.gov
> Subject: Re: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on SL6.x i386/x86_64
>
> H this error seems to point to a memory/instruction mapping issue.
>
> Do you have a base8 amount of RAM in the VMs?
> Can I have you try adding 'numa=off' to the boot line?
> Are things using virtio/qxl/etc?
>
> While I doubt this is it, you may want to be sure you've got the F8 bios[1]. If you can I'd consider setting the values back to defaults and then re-activating the hardware VM acceleration after that.
>
> Pat
>
> [1] https://www.gigabyte.com/Motherboard/GA-990FXA-D3-rev-1x#support-dl-bios
>
> On 05/24/2018 12:40 AM, Bill Maidment wrote:
> > Hi Pat
> > The full error message is:
> > PANIC: early exception 0d rip 10:810462b6 error 0 cr2 0
> >
> > These are my specs:
> >
> > Mobo GA-990FXA-D3
> > CPU AMD FX-8120
> > Host 8 CPU 16GB RAM running SL 7.5 with kernel 3.10.0-862.3.2
> > Guest 2 CPU 2GB RAM running SL 6.9 with kernel 2.6.32.30.1
> > 5 other guests running SL 7.5 with kernel 3.10.0-862.3.2 run OK
> >
> > SL 6.9 kernel re-installed but still the same error
> > previous kernel 2.6.32-696.28.1 runs OK
> >
> > The SL 6.9 machine is my internal mail server running zarafa and mysql
> >
> > Is there anything else you need to know?
> >
> > Cheers
> > Bill
> >
> > -Original message-
> >> From: Pat Riehecky
> >> Sent: Wednesday 23rd May 2018 23:25
> >> To: Bill Maidment; scientific-linux-us...@listserv.fnal.gov
> >> Subject: Re: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on SL6.x i386/x86_64
> >>
> >> Hi Bill,
> >>
> >> Our internal test VMs are KVM guests on SL 6.9 with an AMD server. I'm not seeing this problem there.
> >>
> >> Are there any more details you can share?
> >>
> >> Pat
> >>
> >> On 05/22/2018 09:20 PM, Bill Maidment wrote:
> >>> Hi
> >>> The new kernel caused
> >>> PANIC early exception 0d 10 . error 0 rc2
> >>> on a KVM SL 6.9 x86_64 guest
> >>> AMD server and all other guests running SL7.5 are all running OK on their new kernel
> >>>
> >>> Reverting to the previous SL 6.9 kernel gave me back my guest machine
> >>> Cheers
> >>> Bill
> >>>
> >>> -Original message-
> >>>> From: Scott Reid
> >>>> Sent: Wednesday 23rd May 2018 4:33
> >>>> To: scientific-linux-err...@listserv.fnal.gov
> >>>> Subject: Security ERRATA Important: kernel on SL6.x i386/x86_64
> >>>>
> >>>> Synopsis: Important: kernel security and bug fix update
> >>>> Advisory ID: SLSA-2018:1651-1
> >>>> Issue Date: 2018-05-22
> >>>> CVE Numbers: CVE-2018-3639
> >>>> --
> >>>>
> >>>> Security Fix(es):
> >>>>
> >>>> * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)
> >>>>
> >>>> Note: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software side of the mitigation for this hardware issue. To be fully functional, up-to-date CPU microcode applied on the system is required.
> >>>>
> >>>> In this update mitigations for x86 (both 32 and 64 bit) architecture are provided.
> >>>>
> >>>> Bug Fix(es):
> >>>>
> >>>> * Previously, an erroneous code in the x86 kexec system call path caused a memory corruption. As a consequence, the system became unresponsive with the following kernel stack trace:
> >>>>
> >>>> 'WARNING: CPU: 13 PID: 36409 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be dd03fddeeca0, but was (null)'
> >>>>
> >>>> This update ensures that the code does not corrupt memory.
Re: Create bootable ISO that can be copied to a USB key
> On May 24, 2018, at 2:17 PM, Bill wrote:
>
> I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?

“Any of them”, especially the boot loader, which is normally written *before* the partition information and superblocks for the filesystem. That was what “dd” copies first which file copies would not copy.

> Is there a mkisofs option I should be using to make booting USB key work?

“dd” is your friend. There are many guidelines for building bootable cd’s you could review, but you can probably save a lot of work not using that.
Re: Create bootable ISO that can be copied to a USB key
Hey Bill,

This is not an uncommon thing to be doing, and there are definitely challenges in terms of MBR/EFI, and media in doing this.

I've culled some of my key resources as a short list of URLs here:

http://www.tuxfixer.com/mount-modify-edit-repack-create-uefi-iso-including-kickstart-file/
https://access.redhat.com/solutions/60959
http://ideanist.com/2017/03/09/unattended-kickstart-installation-centos-7/
http://www.frankreimer.de/?p=522
http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-3/
https://gist.github.com/vkanevska/fd624f708cde7d7c172a576b10bc6966 # This is where I learned you have to mount -o loop the efi image
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/anaconda_customization_guide/

I'd pay very close attention to that github gist that points out that efi image that you'll need to mount and modify (there are actually three locations you need to edit/modify for the bootable media: EFI/BOOT/grub.cfg, isolinux.cfg, and within images/efiboot.img).

The mkisofs command that we're using at ${EMPLOYER} is:

    mkisofs -o "${BASE_DIR}"/"${ENV}"/custom_${today}.iso \
      -b isolinux/isolinux.bin -c isolinux/boot.cat \
      --no-emul-boot --boot-load-size 4 --boot-info-table \
      -eltorito-alt-boot -e images/efiboot.img -no-emul-boot \
      -graft-points -m .git* -f -J -R -V "CentOS 7 x86_64" -A \
      "CentOS 7 x86_64" -volset "CentOS 7 x86_64" /custom/

We're clearly working on/with CentOS, but you should be close with the above.

Regards,
Steven M. Miano
(727)244-9990
http://stevenmiano.com
2AFF 44FC 5CC6 B712 00C7 79EF 1811 C2CB 8219 4F52

On 5/24/18 14:17, Bill wrote:
> I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?
RE: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key
Hi Pat

Thanks for the reply

I make a copy of the files from the SL-7.2-DVD-x86_64-2016-01-26.iso in a directory.
I delete the packages I don't want.
I copy our application software and kickstart file into the directory.
I modify isolinux/isolinux.cfg to use the kickstart file.
I use mkisofs to create the new ISO

    mkisofs -U -J -R -v -T -V PCS -o ../R20.001.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table .

I burn a DVD from the new ISO which I can boot from and do the install.
When I use dd to create a USB key from the ISO and try to boot from USB key, it does not boot.

I have tried adding the "-eltorito-alt-boot -e images/efiboot.img -no-emul-boot" options to the mkisofs command with no success.

Bill

-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov]
Sent: Thursday, May 24, 2018 1:35 PM
To: EXT-Askew, R W; scientific-linux-us...@listserv.fnal.gov
Subject: Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key

Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:
> I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?

--
Pat Riehecky
Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key
Pungi uses isohybrid (from the syslinux package) down in the bowels to do that. At least that's what I found when I deconstructed its methodology. That's how I'm getting a USB-bootable .iso file for our spin, anyway...

The algorithm I'm using is:

    mkisofs
    isohybrid
    implantisomd5

Your mileage may vary...

On 5/24/18, 1:35 PM, "owner-scientific-linux-us...@listserv.fnal.gov on behalf of Pat Riehecky" wrote:

Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:
> I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?

--
Pat Riehecky
Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
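The difference between the ISO that boots after dd and the one that does not can be checked directly in the first sectors of the image. The script below is an added example, not code from any poster in this thread; the function names and the constructed sample images are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample images are constructed.

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex.
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# classify_image FILE: print not-iso, plain-iso, signature-only or hybrid.
classify_image() {
    # ISO 9660 primary volume descriptor: "CD001" at sector 16, byte 1.
    if [ "$(hex_at "$1" 32769 5)" != "4344303031" ]; then
        echo not-iso; return 0
    fi
    # A BIOS treats a USB key as a disk and only runs sector 0 if it ends
    # with the 55 AA boot signature. mkisofs with the options shown in this
    # thread leaves that area zeroed.
    if [ "$(hex_at "$1" 510 2)" != "55aa" ]; then
        echo plain-iso; return 0
    fi
    # Type bytes of the four MBR partition entries; nonzero means in use.
    for off in 450 466 482 498; do
        if [ "$(hex_at "$1" "$off" 1)" != "00" ]; then
            echo hybrid; return 0
        fi
    done
    echo signature-only
}

# Constructed sample: 17 zeroed 2048-byte sectors plus the ISO 9660 magic.
make_plain_sample() {
    dd if=/dev/zero of="$1" bs=2048 count=17 2>/dev/null
    printf 'CD001' | dd of="$1" bs=1 seek=32769 conv=notrunc 2>/dev/null
}

# Constructed stand-in for an isohybrid-processed image: only the bytes the
# classifier reads are written (one partition type byte, boot signature).
make_hybrid_sample() {
    make_plain_sample "$1"
    printf '\027' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    classify_image "$1"          # real image given on the command line
else
    tmp=$(mktemp -d)
    make_plain_sample "$tmp/plain.iso"
    make_hybrid_sample "$tmp/hybrid.iso"
    echo "plain.iso:  $(classify_image "$tmp/plain.iso")"
    echo "hybrid.iso: $(classify_image "$tmp/hybrid.iso")"
    rm -rf "$tmp"
fi
```

Running it against the custom ISO before and after the isohybrid step shows whether the image carries the boot sector that a raw dd copy depends on.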
Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key
Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:
> I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?

--
Pat Riehecky
Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
Create bootable ISO that can be copied to a USB key
I am creating a custom installation ISO using kickstart. This install ISO is based on SL 7.2.

When I burn a DVD from this ISO I can boot from the DVD and the install menu comes up as expected.

When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.

I tried using dd to copy the SL7.2 ISO to a USB key. When I try to boot from this USB key the install menu comes up as expected.

What files on the SL7.2 have to do with booting from the USB key?

Is there a mkisofs option I should be using to make booting USB key work?
Re: Problem with selinux since Kernel Update
Hi Orion,

Thank you for the report. A new version of libsepol has been pushed out which should address your problem.

Thanks!

On 5/23/18, 5:26 PM, "owner-scientific-linux-us...@listserv.fnal.gov on behalf of Orion Poplawski" wrote:

On 05/15/2018 05:45 PM, Orion Poplawski wrote:
> On 05/15/2018 05:41 PM, Orion Poplawski wrote:
>> On 05/15/2018 12:23 PM, Maarten wrote:
>>> I have the same problem on all of my systems, running the same package versions and kernel, also under 7.5:
>>>
>>> libsepol.policydb_read: policydb version 31 does not match my version range 15-30
>>> invalid binary policy
>>>
>>> 3.10.0-862.2.3.el7.x86_64
>>>
>>> policycoreutils-2.5-22.el7.x86_64
>>> checkpolicy-2.5-6.el7.x86_64
>>> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
>>> policycoreutils-python-2.5-22.el7.x86_64
>>> selinux-policy-3.13.1-192.el7_5.3.noarch
>>>
>>> sl-release-7.5-2.sl7.x86_64
>>>
>>> On 05/11/2018 07:29 AM, Klaus Steinberger wrote:
>>>> On 04.05.2018 at 13:06, Steven C Timm wrote:
>>>>> Did you just update the kernel or also all the other security updates that came out.
>>>>
>>>> The problem is also after upgrading to SL 7.5:
>>>>
>>>> [root@dmz-sv-mirror01 ~]# audit2allow -a -m local
>>>> libsepol.policydb_read: policydb version 31 does not match my version range 15-30
>>>> invalid binary policy
>>>> [root@dmz-sv-mirror01 ~]# uname -a
>>>> Linux dmz-sv-mirror01.physik.uni-muenchen.de 3.10.0-862.2.3.el7.x86_64 #1 SMP Tue May 8 14:55:36 CDT 2018 x86_64 x86_64 x86_64 GNU/Linux
>>>> [root@dmz-sv-mirror01 ~]# rpm -q -a | grep policy
>>>> policycoreutils-2.5-22.el7.x86_64
>>>> policycoreutils-python-2.5-22.el7.x86_64
>>>> checkpolicy-2.5-6.el7.x86_64
>>>> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
>>>> selinux-policy-3.13.1-192.el7_5.3.noarch
>>>> [root@dmz-sv-mirror01 ~]#
>>>>
>>>> Sincerely,
>>>> Klaus
>>
>> I see this as well. Very strange since the message and constants appear to be defined in libsepol, and since that is updated I don't see how the policydb version can be wrong.
>>
>> # strings /usr/lib64/libsepol.so.1 | grep 'version range'
>> policydb version %d does not match my version range %d-%d
>> policydb module version %d does not match my version range %d-%d
>> # rpm -q libsepol
>> libsepol-2.5-8.1.el7.x86_64
>
> Ah, but there is a libsepol-static package - so if packages were incorrectly built against the older version of that, that would explain the problem.

Ping? I think this is a pretty serious issue with the SL7.5 packages. I don't see this with CentOS or RHEL.

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
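The version that the error message complains about is a field in the header of the binary policy file, so it can be read without any SELinux tooling. The script below is an added example, not code from the thread or from libsepol; it assumes the kernel policy header layout of a 32-bit little-endian magic 0xf97cff8c, a 32-bit string length, the string "SE Linux", then the 32-bit version. The function names, the constructed sample header and the 15-31 range are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from libsepol.

# le32_at FILE OFFSET: print the unsigned 32-bit little-endian value there.
le32_at() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1" 2>/dev/null)
    [ "$#" -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# policy_version FILE: print the policy version, fail if not a kernel policy.
policy_version() {
    magic=$(le32_at "$1" 0) || return 1
    [ "$magic" -eq $((0xf97cff8c)) ] || return 1   # kernel policy magic
    len=$(le32_at "$1" 4) || return 1               # length of "SE Linux"
    le32_at "$1" $((8 + len))                       # version follows string
}

# check_range FILE MIN MAX: the comparison behind the message in the thread.
check_range() {
    v=$(policy_version "$1") || { echo "not a kernel binary policy"; return 0; }
    if [ "$v" -lt "$2" ] || [ "$v" -gt "$3" ]; then
        echo "policydb version $v does not match my version range $2-$3"
    else
        echo "policydb version $v accepted by range $2-$3"
    fi
}

# Constructed sample header: magic, string length, "SE Linux", version.
# VERSION must be below 256 because only its low byte is written.
make_sample_policy() {
    printf '\214\377\174\371\010\000\000\000SE Linux' > "$1"
    printf "\\$(printf '%03o' "$2")\\000\\000\\000" >> "$1"
}

tmp=$(mktemp -d)
make_sample_policy "$tmp/policy.31" 31
check_range "$tmp/policy.31" 15 30   # range printed in the thread's error
check_range "$tmp/policy.31" 15 31   # assumed range of a library that knows 31
rm -rf "$tmp"
```

A tool linked against a static library with the narrower range rejects the same file that the updated shared library accepts, which matches the libsepol-static explanation given in the thread.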
Re: qt-creator
On 24/05/18 08:35, Andrew C Aitchison wrote:
> On Thu, 24 May 2018, etienne.baeu...@vetsuisse.unibe.ch wrote:
> > Hi all,
> >
> > since the last updates I get the following message while trying to install qt-creator:
> >
> > Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
> >            Requires: qt5-qtbase(x86-64) = 5.6.2
> >            Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
> >                qt5-qtbase(x86-64) = 5.9.2-3.el7
> >
> > Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still on 5.6.2?
>
> You appear to be using the new qt5-qtbase from SL but an older qt-creator from epel.
>
> > Can this be fixed?
>
> Try asking epel-de...@lists.fedoraproject.org

https://dl.fedoraproject.org/pub/epel/testing/7/x86_64/Packages/q/qt-creator-4.1.0-4.el7.x86_64.rpm
Re: qt-creator
On Thu, 24 May 2018, etienne.baeu...@vetsuisse.unibe.ch wrote:
> Hi all,
>
> since the last updates I get the following message while trying to install qt-creator:
>
> Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
>            Requires: qt5-qtbase(x86-64) = 5.6.2
>            Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
>                qt5-qtbase(x86-64) = 5.9.2-3.el7
>
> Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still on 5.6.2?

You appear to be using the new qt5-qtbase from SL but an older qt-creator from epel.

> Can this be fixed?

Try asking epel-de...@lists.fedoraproject.org

--
Andrew C. Aitchison
Cambridge, UK
and...@aitchison.me.uk
Re: qt-creator
On Thu, May 24, 2018 at 12:07 AM, wrote:
> Hi all,
>
> since the last updates I get the following message while trying to install qt-creator:
>
> Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
>            Requires: qt5-qtbase(x86-64) = 5.6.2
>            Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
>                qt5-qtbase(x86-64) = 5.9.2-3.el7
>
> Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still on 5.6.2?
>
> Can this be fixed?

qt-creator is provided by EPEL. I think they will update the package to make it compatible with el7.5. If this does not happen, you may want to file such a request.

Akemi
qt-creator
Hi all,

since the last updates I get the following message while trying to install qt-creator:

Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
           Requires: qt5-qtbase(x86-64) = 5.6.2
           Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
               qt5-qtbase(x86-64) = 5.9.2-3.el7

Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still on 5.6.2?

Can this be fixed?

Regards, thanks a lot,
Etienne