RE: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on SL6.x i386/x86_64

2018-05-24 Thread Bill Maidment
Hi Pat
Thanks for your suggestions.

confirmed memory is 2048MB
tried numa=off
confirmed virtio and qxl
confirmed BIOS is F8

I'll try resetting BIOS and doing a memory test over the weekend.

I have an SL7.5 guest which I am setting up with Kolab, so I will probably 
switch to that soon and ditch SL6.9

Thanks again for spending time on this.
Cheers
Bill
 
-Original message-
> From:Pat Riehecky 
> Sent: Friday 25th May 2018 6:11
> To: Bill Maidment ; scientific-linux-us...@listserv.fnal.gov
> Subject: Re: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on 
> SL6.x i386/x86_64
> 
> H this error seems to point to a memory/instruction mapping 
> issue.
> 
>   Do you have a base8 amount of RAM in the VMs?
>   Can I have you try adding 'numa=off' to the boot line?
>   Are things using virtio/qxl/etc?
> 
> 
> While I doubt this is it, you may want to be sure you've got the F8 
> bios[1].  If you can I'd consider setting the values back to defaults 
> and then re-activating the hardware VM acceleration after that.
> 
> Pat
> 
> [1] https://www.gigabyte.com/Motherboard/GA-990FXA-D3-rev-1x#support-dl-bios
> 
> On 05/24/2018 12:40 AM, Bill Maidment wrote:
> > Hi Pat
> > The full error message is:
> > PANIC: early exception 0d rip 10:810462b6 error 0 cr2 0
> >
> > These are my specs:
> >
> > Mobo GA-990FXA-D3
> > CPU AMD FX-8120
> > Host 8 CPU 16GB RAM running SL 7.5 with kernel 3.10.0-862.3.2
> > Guest 2 CPU 2GB RAM running SL 6.9 with kernel 2.6.32.30.1
> > 5 other guests running SL 7.5 with kernel 3.10.0-862.3.2 run OK
> >
> > SL 6.9 kernel re-installed but still the same error
> > previous kernel 2.6.32-696.28.1 runs OK
> >
> > The SL 6.9 machine is my internal mail server running zarafa and mysql
> >
> > Is there anything else you need to know?
> >
> > Cheers
> > Bill
> >
> >   
> >   
> > -Original message-
> >> From:Pat Riehecky 
> >> Sent: Wednesday 23rd May 2018 23:25
> >> To: Bill Maidment ; 
> >> scientific-linux-us...@listserv.fnal.gov
> >> Subject: Re: [SCIENTIFIC-LINUX-USERS] Security ERRATA Important: kernel on 
> >> SL6.x i386/x86_64
> >>
> >> Hi Bill,
> >>
> >> Our internal test VMs are KVM guests on SL 6.9 with an AMD server. I'm
> >> not seeing this problem there.
> >>
> >> Are there any more details you can share?
> >>
> >> Pat
> >>
> >> On 05/22/2018 09:20 PM, Bill Maidment wrote:
> >>> Hi
> >>> The new kernel caused
> >>> PANIC early exception 0d 10 . error 0 rc2
> >>> on a KVM SL 6.9 x86_64 guest
> >>> AMD server and all other guests running SL7.5 are all running OK on 
> >>> their new kernel
> >>>
> >>> Reverting to the previous SL 6.9 kernel gave me back my guest machine
> >>> Cheers
> >>> Bill
> >>> 
> >>> 
> >>> -Original message-
>  From:Scott Reid 
>  Sent: Wednesday 23rd May 2018 4:33
>  To: scientific-linux-err...@listserv.fnal.gov
>  Subject: Security ERRATA Important: kernel on SL6.x i386/x86_64
> 
>  Synopsis:  Important: kernel security and bug fix update
>  Advisory ID:   SLSA-2018:1651-1
>  Issue Date:    2018-05-22
>  CVE Numbers:   CVE-2018-3639
>  --
> 
>  Security Fix(es):
> 
>  * An industry-wide issue was found in the way many modern microprocessor
>  designs have implemented speculative execution of Load & Store
>  instructions (a commonly used performance optimization). It relies on the
>  presence of a precisely-defined instruction sequence in the privileged
>  code as well as the fact that memory read from address to which a recent
>  memory write has occurred may see an older value and subsequently cause 
>  an
>  update into the microprocessor's data cache even for speculatively
>  executed instructions that never actually commit (retire). As a result, 
>  an
>  unprivileged attacker could use this flaw to read privileged memory by
>  conducting targeted cache side-channel attacks. (CVE-2018-3639)
> 
>  Note: This issue is present in hardware and cannot be fully fixed via
>  software update. The updated kernel packages provide software side of the
>  mitigation for this hardware issue. To be fully functional, up-to-date 
>  CPU
>  microcode applied on the system is required.
> 
>  In this update mitigations for x86 (both 32 and 64 bit) architecture are
>  provided.
> 
>  Bug Fix(es):
> 
>  * Previously, an erroneous code in the x86 kexec system call path caused 
>  a
>  memory corruption. As a consequence, the system became unresponsive with
>  the following kernel stack trace:
> 
>  'WARNING: CPU: 13 PID: 36409 at lib/list_debug.c:59
>  __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be
>  dd03fddeeca0, but was (null)'
> 
>  This update ensures that the code does not corrupt memory. 

Re: Create bootable ISO that can be copied to a USB key

2018-05-24 Thread Nico Kadel-Garcia
> On May 24, 2018, at 2:17 PM, Bill  wrote:
> 
> I am creating a custom installation ISO using kickstart.  This install ISO is 
> based on SL 7.2.
> 
> When I burn a DVD from this ISO I can boot from the DVD and the install menu 
> come up as expected.  
> 
> When I use dd to copy the ISO to a USB key and try to boot from the USB key 
> the install menu does not appear and the system boots from the hard drive.  
> 
> I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot from 
> this USB key the install menu comes up as expected.
> 
> What files on the SL7.2 have to do with booting from the USB key?

“Any of them”, especially the boot loader, which is normally written *before* 
the partition information and superblocks for the filesystem. That was what 
“dd” copies first which file copies would not copy.

> 
> Is there a mkisofs option I should be using to make booting USB key work?

“dd” is your friend. There are many guidelines for building bootable cd’s you 
could review, but you can probably save a lot of work not using that.

Re: Create bootable ISO that can be copied to a USB key

2018-05-24 Thread Steven M. Miano

  
  
Hey Bill,
  
  This is not an uncommon thing to be doing, and there are
  definitely challenges in terms of MBR/EFI, and media in doing
  this.
  
  I've culled some of my key resources as a short list of URLs here:
  

http://www.tuxfixer.com/mount-modify-edit-repack-create-uefi-iso-including-kickstart-file/
  https://access.redhat.com/solutions/60959
  http://ideanist.com/2017/03/09/unattended-kickstart-installation-centos-7/
  http://www.frankreimer.de/?p=522
  http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-3/
  https://gist.github.com/vkanevska/fd624f708cde7d7c172a576b10bc6966
  # This is where I learned you have to mount -o loop the efi image
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/anaconda_customization_guide/


  I'd pay very close attention to that github gist that points out
  that efi image that you'll need to mount and modify (there are
  actually three locations you need to edit/modify for the bootable
  media: EFI/BOOT/grub.cfg, isolinux.cfg, and within
  images/efiboot.img).
  
  The mkisofs command that we're using at ${EMPLOYER} is: 
  

  mkisofs -o "${BASE_DIR}"/"${ENV}"/custom_${today}.iso \
    -b isolinux/isolinux.bin -c isolinux/boot.cat \
    --no-emul-boot --boot-load-size 4 --boot-info-table \
    -eltorito-alt-boot -e images/efiboot.img -no-emul-boot \
    -graft-points -m .git* -f -J -R -V "CentOS 7 x86_64" -A \
    "CentOS 7 x86_64" -volset "CentOS 7 x86_64" /custom/


  We're clearly working on/with CentOS, but you should be close with
  the above.
  
  Regards,
Steven M. Miano
(727)244-9990
http://stevenmiano.com
2AFF 44FC 5CC6 B712 00C7  79EF 1811 C2CB 8219 4F52
On 5/24/18 14:17, Bill wrote:


  I am creating a custom installation ISO using kickstart.  This install ISO is based on SL 7.2.

When I burn a DVD from this ISO I can boot from the DVD and the install menu come up as expected.  

When I use dd to copy the ISO to a USB key and try to boot from the USB key the install menu does not appear and the system boots from the hard drive.  

I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot from this USB key the install menu comes up as expected.

What files on the SL7.2 have to do with booting from the USB key?

Is there a mkisofs option I should be using to make booting USB key work?


  






RE: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key

2018-05-24 Thread EXT-Askew, R W
Hi Pat
Thanks for the reply

I make a copy of the files from the SL-7.2-DVD-x86_64-2016-01-26.iso in a 
directory.
I delete the packages I don't want.
I copy our application software and kickstart file into the directory.
I modify isolinux/isolinux.cfg to use the kickstart file.
I use mkisofs to create the new ISO

mkisofs -U -J -R -v -T -V PCS -o ../R20.001.iso -b isolinux/isolinux.bin  -c 
isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table .

I burn a DVD from the new ISO which I can boot from and do the install.

When I use dd to create a USB key from the ISO and try to boot from USB key, it 
does not boot.

I have tried adding the "-eltorito-alt-boot -e images/efiboot.img 
-no-emul-boot" options to the mkisofs command with no success.

Bill 

-Original Message-
From: Pat Riehecky [mailto:riehe...@fnal.gov] 
Sent: Thursday, May 24, 2018 1:35 PM
To: EXT-Askew, R W ; 
scientific-linux-us...@listserv.fnal.gov
Subject: Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to 
a USB key

Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:
> I am creating a custom installation ISO using kickstart.  This install ISO is 
> based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install menu 
> come up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB key 
> the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot from 
> this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?

-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org




Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key

2018-05-24 Thread Kraus, Dave (GE Healthcare)
Pungi uses isohybrid (from the syslinux package) down in the bowels to do that. 
At least that's what I found when I deconstructed its methodology.

That's how I'm getting a USB-bootable .iso file for our spin, anyway...

The algorithm I'm using is:

mkisofs
isohybrid
implantisomd5

Your mileage may vary...

On 5/24/18, 1:35 PM, "owner-scientific-linux-us...@listserv.fnal.gov on behalf 
of Pat Riehecky"  wrote:

Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:
> I am creating a custom installation ISO using kickstart.  This install 
ISO is based on SL 7.2.
>
> When I burn a DVD from this ISO I can boot from the DVD and the install 
menu come up as expected.
>
> When I use dd to copy the ISO to a USB key and try to boot from the USB 
key the install menu does not appear and the system boots from the hard drive.
>
> I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot 
from this USB key the install menu comes up as expected.
>
> What files on the SL7.2 have to do with booting from the USB key?
>
> Is there a mkisofs option I should be using to make booting USB key work?

-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
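
The mkisofs, isohybrid, implantisomd5 sequence from the message above, with a check that explains the symptom in this thread: a plain mkisofs image has an El Torito boot record for optical media but an empty first sector, so firmware finds no MBR once the image is copied to a USB key with dd. This is an added example, not code from any poster; the function names and the TREE/OUT arguments are assumptions, and the mkisofs flags are the BIOS-only ones quoted elsewhere in this thread.

```shell
#!/bin/sh
# Added example: classify how an installer image can boot, from its on-disk layout.

# Hex-encode stdin as one lowercase string.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# hex_at FILE OFFSET COUNT: hex of COUNT bytes starting at byte OFFSET.
hex_at() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | to_hex; }

# ISO 9660 primary volume descriptor: "CD001" at sector 16, offset 1.
is_iso9660() { [ "$(hex_at "$1" 32769 5)" = "$(printf 'CD001' | to_hex)" ]; }

# El Torito boot record: sector 17, boot system identifier at offset 7.
has_eltorito() {
    [ "$(hex_at "$1" $((17 * 2048 + 7)) 23)" = \
      "$(printf 'EL TORITO SPECIFICATION' | to_hex)" ]
}

# MBR boot signature 0x55 0xAA at bytes 510-511: what disk-style (USB) boot needs.
has_mbr() { [ "$(hex_at "$1" 510 2)" = "55aa" ]; }

# Prints: hybrid | optical-only | no-el-torito | not-iso9660
classify_iso() {
    is_iso9660 "$1" || { echo "not-iso9660"; return 1; }
    if has_eltorito "$1" && has_mbr "$1"; then
        echo "hybrid"          # boots from DVD and from a dd-written USB key
    elif has_eltorito "$1"; then
        echo "optical-only"    # boots from DVD only; isohybrid not yet applied
    else
        echo "no-el-torito"    # mkisofs was run without -b
    fi
}

# build_usb_iso TREE OUT: TREE is the unpacked DVD tree, OUT an absolute path.
# An image that also carries an EFI alternate boot entry needs "isohybrid --uefi".
build_usb_iso() {
    ( cd "$1" && mkisofs -U -J -R -v -T -V PCS -o "$2" \
        -b isolinux/isolinux.bin -c isolinux/boot.cat \
        -no-emul-boot -boot-load-size 4 -boot-info-table . ) &&
    isohybrid "$2" &&          # writes an MBR into the empty 32 KiB system area
    implantisomd5 "$2" &&      # embeds the checksum used by the media check
    [ "$(classify_iso "$2")" = "hybrid" ]
}
```

Running classify_iso on the stock SL DVD image and on the custom image shows the difference directly, without a reboot.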




Re: [SCIENTIFIC-LINUX-USERS] Create bootable ISO that can be copied to a USB key

2018-05-24 Thread Pat Riehecky

Hello,

Are you creating the custom iso with pungi or a different tool?

Pat

On 05/24/2018 01:17 PM, Bill wrote:

I am creating a custom installation ISO using kickstart.  This install ISO is 
based on SL 7.2.

When I burn a DVD from this ISO I can boot from the DVD and the install menu 
come up as expected.

When I use dd to copy the ISO to a USB key and try to boot from the USB key the 
install menu does not appear and the system boots from the hard drive.

I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot from 
this USB key the install menu comes up as expected.

What files on the SL7.2 have to do with booting from the USB key?

Is there a mkisofs option I should be using to make booting USB key work?


--
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org


Create bootable ISO that can be copied to a USB key

2018-05-24 Thread Bill
I am creating a custom installation ISO using kickstart.  This install ISO is 
based on SL 7.2.

When I burn a DVD from this ISO I can boot from the DVD and the install menu 
come up as expected.  

When I use dd to copy the ISO to a USB key and try to boot from the USB key the 
install menu does not appear and the system boots from the hard drive.  

I tried using dd to copy the SL7.2 ISO to a USB key.  When I try to boot from 
this USB key the install menu comes up as expected.

What files on the SL7.2 have to do with booting from the USB key?

Is there a mkisofs option I should be using to make booting USB key work?

Re: Problem with selinux since Kernel Update

2018-05-24 Thread Scott Reid
Hi Orion,

Thank you for the report. A new version of libsepol has been pushed out which 
should address your problem.

Thanks!


On 5/23/18, 5:26 PM, "owner-scientific-linux-us...@listserv.fnal.gov on behalf 
of Orion Poplawski"  wrote:

On 05/15/2018 05:45 PM, Orion Poplawski wrote:
> On 05/15/2018 05:41 PM, Orion Poplawski wrote:
>> On 05/15/2018 12:23 PM, Maarten wrote:
>>> I have the same problem on all of my systems, running the same package
>>> versions and kernel, also under 7.5:
>>>
>>> libsepol.policydb_read: policydb version 31 does not match my version
>>> range 15-30
>>> invalid binary policy
>>>
>>> 3.10.0-862.2.3.el7.x86_64
>>>
>>> policycoreutils-2.5-22.el7.x86_64
>>> checkpolicy-2.5-6.el7.x86_64
>>> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
>>> policycoreutils-python-2.5-22.el7.x86_64
>>> selinux-policy-3.13.1-192.el7_5.3.noarch
>>>
>>> sl-release-7.5-2.sl7.x86_64
>>>
>>>
>>>
>>> On 05/11/2018 07:29 AM, Klaus Steinberger wrote:
 On 04.05.2018 at 13:06, Steven C Timm wrote:
> Did you just update the kernel or also all the other security updates
> that came out.
 The problem is also after upgrading to SL 7.5:

 [root@dmz-sv-mirror01 ~]# audit2allow -a -m local
 libsepol.policydb_read: policydb version 31 does not match my version
 range 15-30
 invalid binary policy ���\T

 [root@dmz-sv-mirror01 ~]# uname -a
 Linux dmz-sv-mirror01.physik.uni-muenchen.de 3.10.0-862.2.3.el7.x86_64 
#1 SMP
 Tue May 8 14:55:36 CDT 2018 x86_64 x86_64 x86_64 GNU/Linux
 [root@dmz-sv-mirror01 ~]# rpm -q -a | grep policy
 policycoreutils-2.5-22.el7.x86_64
 policycoreutils-python-2.5-22.el7.x86_64
 checkpolicy-2.5-6.el7.x86_64
 selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
 selinux-policy-3.13.1-192.el7_5.3.noarch
 [root@dmz-sv-mirror01 ~]#

 Sincerely,
 Klaus

>>
>>
>> I see this as well.  Very strange since the message and constants appear to
>> be defined in libsepol, and since that is updated I don't see how the
>> policydb version can be wrong.
>>
>> # strings /usr/lib64/libsepol.so.1 | grep 'version range'
>> policydb version %d does not match my version range %d-%d
>> policydb module version %d does not match my version range %d-%d
>> # rpm -q libsepol
>> libsepol-2.5-8.1.el7.x86_64
>>
> 
> Ah, but there is a libsepol-static package - so if packages were incorrectly
> built against the older version of that, that would explain the problem.

Ping?  I think this is a pretty serious issue with the SL7.5 packages.  I
don't see this with CentOS or RHEL.


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 
https://www.nwra.com/




Re: qt-creator

2018-05-24 Thread John Pilkington

On 24/05/18 08:35, Andrew C Aitchison wrote:

On Thu, 24 May 2018, etienne.baeu...@vetsuisse.unibe.ch wrote:


Hi all,

since the last updates I get the following message while trying to 
install qt-creator:


Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
  Requires: qt5-qtbase(x86-64) = 5.6.2
  Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
  qt5-qtbase(x86-64) = 5.9.2-3.el7

Qt has been upgraded with the last update to 5.9.2 but qt-creator 
depends still on 5.6.2?


You appear to be using the new qt5-qtbase from SL
but an older qt-creator from epel.


Can this be fixed?


Try asking
 epel-de...@lists.fedoraproject.org


https://dl.fedoraproject.org/pub/epel/testing/7/x86_64/Packages/q/qt-creator-4.1.0-4.el7.x86_64.rpm


Re: qt-creator

2018-05-24 Thread Andrew C Aitchison

On Thu, 24 May 2018, etienne.baeu...@vetsuisse.unibe.ch wrote:


Hi all,

since the last updates I get the following message while trying to install 
qt-creator:

Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
  Requires: qt5-qtbase(x86-64) = 5.6.2
  Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
  qt5-qtbase(x86-64) = 5.9.2-3.el7

Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still 
on 5.6.2?


You appear to be using the new qt5-qtbase from SL
but an older qt-creator from epel.


Can this be fixed?


Try asking
epel-de...@lists.fedoraproject.org

--
Andrew C. Aitchison Cambridge, UK
and...@aitchison.me.uk


Re: qt-creator

2018-05-24 Thread Akemi Yagi
On Thu, May 24, 2018 at 12:07 AM,   wrote:
> Hi all,
>
> since the last updates I get the following message while trying to install 
> qt-creator:
>
>  Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
>Requires: qt5-qtbase(x86-64) = 5.6.2
>Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
>qt5-qtbase(x86-64) = 5.9.2-3.el7
>
> Qt has been upgraded with the last update to 5.9.2 but qt-creator depends 
> still on 5.6.2?
>
> Can this be fixed?

qt-creator is provided by EPEL. I think they will update the package
to make it compatible with el7.5. If this does not happen, you may
want to file such a request.

Akemi


qt-creator

2018-05-24 Thread etienne.baeumle
Hi all,

since the last updates I get the following message while trying to install 
qt-creator:

 Error: Package: qt-creator-4.1.0-3.el7.x86_64 (epel)
   Requires: qt5-qtbase(x86-64) = 5.6.2
   Installed: qt5-qtbase-5.9.2-3.el7.x86_64 (@sl)
   qt5-qtbase(x86-64) = 5.9.2-3.el7

Qt has been upgraded with the last update to 5.9.2 but qt-creator depends still 
on 5.6.2?

Can this be fixed?

Regards, thanks a lot, 

Etienne