Re: XFS vs Ext4
XFS is a from the ground up journaling filesystem, whereas EXT4 is still a journal tacked on filesystem. That's said EXT4 has caught up to XFS and in some specific cases exceeded its performance but not all. The short version is it depends on what you are doing both have pros and cons, Here are some short examples If I'm doing a Gluster object store I will always use XFS because Gluster is optimized for XFS, If it's an NFS volume then EXT4 is usually better because of inode compatibility issues which can be worked around in XFS but tank the performance. If I'm using it for temp space for compiles or an ETL, XFS will probably do better because it will reduce the IOPS around the handling of inodes. Extremely large volumes (100TB+ on a SAN or in a RAID) I always will use XFS. Desktop pick the one you know the best, but if undelete is important to you use EXT4 (XFS has no mechanism for undeleting files). if you are dealing with an embedded device that boots off of an SD card or EMMC, XFS if possible because how it handles inodes puts less wear on it over time. High risk of file corruption due to unreliable power or hardware always XFS The long version There is a huge efficiency gain when deleting files in XFS. It's noticeably faster when freeing up space from deleting files; this is because instead of having an inode per block it only creates 1 inode at the beginning of every file as needed for legacy application backward support. Another positive side effect of his formatting an XFS filesystem is faster because it never pre-creates inodes during the formatting process, infact the only thing mkfs.xfs does is create a couple of redundant journals. The 1 inode per file is also the reason XFS puts less wear on SSD's, This difference wont make a noticeable impact on the life of a business class SSD, and probably not in a decent consumed grade SSD, but for SD cards and EMMC being used as a boot device this impact can be huge especially if that device isn't using tmpfs for /tmp or is storing /var on the SSD and is writing a lot of logs and temp files. Risk of file system corruption due to unplanned power outages XFS, because it keeps multiple copies of the journal, ignores the inodes for recovery and generally is self healing. While they both do an amazing job at recovering from this kind of situation, EXT4 still trusts the inodes over its single copy of the journal and as a result is more likely to have significant file corruption issues sooner. fsck.xfs normally only does a comparison of the copies of the journal to fix journal corruption issues and will usually roll back file changes that were incomplete at the time of the power loss. By the way XFS does this automatically when the volumes are mounted if the checksums of the copies of the journal don't match so essentially it's normally a placebo command which you should never need to run unless you are dealing with bad sectors in the physical media. EXT4 handles things way differently on mount and as a result you may need to manually run fsck.ext4 after a power loss to recover and it may not recover as well. Essentially if you want to create and delete files quickly XFS is definitely the way to go, the easiest way you can see this is by deleting a large multi GB file and running the df command multiple times EXT4 will take a few seconds to free the space and XFS will free it immediately. XFS can also be tuned to optimize the performance in general on RAID volumes if it is told some details about the RAID when the filesystem is created. https://urldefense.proofpoint.com/v2/url?u=https-3A__access.redhat.com_documentation_en-2Dus_red-5Fhat-5Fenterprise-5Flinux_6_html_performance-5Ftuning-5Fguide_s-2Dstorage-2Dxfs=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=J0XUyOuCLK8Iw3r5uS2peX0cFvg-VzKQz417xJp_NKS1rBAJsaP7fmbiyaCWwCz3=anjmxPLaNFBFOW2Ma6LUp1D5fZRlbef28388r3x2kAA= https://urldefense.proofpoint.com/v2/url?u=https-3A__xfs.org_index.php_XFS-5FFAQ-23Q-3A-5FHow-5Fto-5Fcalculate-5Fthe-5Fcorrect-5Fsunit.2Cswidth-5Fvalues-5Ffor-5Foptimal-5Fperformance=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=J0XUyOuCLK8Iw3r5uS2peX0cFvg-VzKQz417xJp_NKS1rBAJsaP7fmbiyaCWwCz3=NaUHHrZJZOKhn5EanoQKy78vFjwVakMN-Cm3kB3NdCw= Also XFS has incremental backup capabilities built in, it rudimentary but its there https://urldefense.proofpoint.com/v2/url?u=https-3A__access.redhat.com_documentation_en-2Dus_red-5Fhat-5Fenterprise-5Flinux_7_html_storage-5Fadministration-5Fguide_xfsbackuprestore=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=J0XUyOuCLK8Iw3r5uS2peX0cFvg-VzKQz417xJp_NKS1rBAJsaP7fmbiyaCWwCz3=JsxStjzjv_BahpqpOc2VZyEHPZIn73ex9tpkznid0_s= . With NFS always go with EXT4 because NFS isn't compatible with 64bit inodes, so you need to disable a flag with XFS for "inode64" which means on files over 2GB XFS' will need to create multiple
Re: Back UP
well if cron is broken you could take the sedghamer approach and install jobscheduler https://urldefense.proofpoint.com/v2/url?u=https-3A__www.sos-2Dberlin.com_en_jobscheduler-2Ddownloads=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=zg66EiCB-0MjyUT4sH_xbY9luy7GY2Jvc8OmDcWBFEo=U3ysnINxB8VXojeYx_Aq6wQBgErIZ9p5zO8T6la0m_8= lol seriously though its a bit much if you are just replacing cron but if you are enterprise scale automation its awesome. On Mon, Aug 9, 2021 at 5:29 PM Jon Pruente wrote: > > > > On Mon, Aug 9, 2021 at 3:36 PM Larry Linder > <0dea520dd180-dmarc-requ...@listserv.fnal.gov> wrote: >> >> Have friends and relatives buy a MAC. > > > I know this is a silly nit to pick in what you are posting about, but it > reminded me that I tend to see it most often from technical types. Why do > people use MAC when referring to a Macintosh? MAC should be for something > like a MAC address. We don't call people named Joseph JOE when their name > gets shortened. However, technical types seem to do it all the time for Macs. > Just a habit from dealing with MAC addresses all the time?
Re: ctrl + alt + F1 issue
Keep going through the function keys (CTRL + ALT + F2, CTRL + ALT + F3, etc. ) eventually you will find the right one this is a common problem on systems with Wayland as opposed to X11. On Wed, Apr 28, 2021, 6:17 PM Chen, Zhenhang wrote: > Hello Everyone, > > On my scientific linux desktop, I pressed ctrl + alt + F1 shortcut keys > and got a black screen only with a cursor that can be moved. How can I go > back to the desktop screen ? Thank you ! > > > Zhenhang >
Re: LSI MegaRAID management
LSI got split up a few years back the SANS went to Netapp and the raids went to Broadcom you should be able to find the linux tools here https://urldefense.proofpoint.com/v2/url?u=https-3A__www.broadcom.com_support_download-2Dsearch_-3Fpg-3D-26pf-3D-26pn-3D-26pa-3D-26po-3D-26dk-3DMegaRAID-2B9266-2D4i=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=uDeYY5jilEWNuLdEGycqx1u_71fgZyvcULsTNOTcKAM=Bsg1dGwheOxTr3yXGayYaQxGXJKE71J-UO1bF2iGUoI= As for monitoring you have a few options, the megaraid cli is a nice tool, storage manager has a nice GUI if i remember correctly, and for remote monitoring look at the SMIS provider. SMIS is an industry standard for storage monitoring that works very well, there are a number of tools and API's that support it too. the down side is the API isn't documented well for consumption by the general public I wrote some documentation about it for a perl implementation of a client some years back here https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_prmarino1_Lib-2DCIM-2DPerl_blob_master_LCP-3A-3AQuery.md=DwIFaQ=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=uDeYY5jilEWNuLdEGycqx1u_71fgZyvcULsTNOTcKAM=i_aZX7GqrXEWbXaESR5LtyXPYd9Q0TO8Sh91mxMYFD4= the documentation on how the queries work should work for any WBEM/CIM client and for any subset including SMIS and WMI. when you get down to it CIM (the transport protocol for SMIS) is kind of like a sane version of SNMP where you can get just the raw data but you can also get the mib from the device you are querying. On Thu, Oct 18, 2018 at 4:28 PM Alec Habig wrote: > LSI puts out an rpm, the one I've got laying around from an old install > is MegaCli-8.01.06-1.i386.rpm > > Current version is either at your vendor's drivers page, or presumably > from LSI's own website. > > I run the attached cronjob nightly to get an email report of the array's > health: > > Checking RAID status on lepton.d.umn.edu > Controller a0: LSI MegaRAID SAS 9280-16i4e > No of Physical disks online : 6 > Degraded : 0 > Failed Disks : 0 > > -- >Alec Habig > University of Minnesota Duluth > Dept. of Physics and Astronomy > ha...@neutrino.d.umn.edu > > https://urldefense.proofpoint.com/v2/url?u=http-3A__neutrino.d.umn.edu_-7Ehabig_=DwIFAw=gRgGjJ3BkIsb5y6s49QqsA=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A=HyUzo1cZ5rJfgEG6gRB-VkwQyw2SU4ItLpmGKJt0coU=y03GGtHkL3OIhqqltEKkMq9SXQz_hTXMYjC7F4USR90= >
Re: is the disk failing ?
Radha, Over the decades of my dealing with hundreds of thousands of disks in data centers my experience comes down to this. 1) if smart says its going to die trust it its rarely wrong about failures. 2) if smart says its fine, but you are getting IO errors use the badblocks and or fdisk to verify. %60 of the time it will be a file system problem, %39 of the time it will be something wrong smart didn't detect, the rest will be something else like in no particular order a bad kernel version, bad bios revision, bad controller, or bad cable. by the way this happened to me this year on one of my personal laptops with a toshiba drive smart said it was fine but badblocks revealed it had bad sectors and more were going bad by the day. Lastly any one who would like to discuss how the raid controllers for HP server, Dell servers, work and relates subjects like SMI-S feel free to contact me off the list, butI wont engage any further with a flame war based on the uninformed opinions of people on an open list. frankly I can back up what I say with published proven facts by reputable experts, but many people do not respond well when presented with real facts based on evidence. On Wed, Oct 17, 2018 at 8:11 PM Konstantin Olchanski wrote: > On Wed, Oct 17, 2018 at 11:57:34PM +, Hinz, David (GE Healthcare) > wrote: > > I'd like to submit an opposing viewpoint. > > If SMART disk analysis says it's going to break, replace it. > > Nothing is worth risking lost data. > > > I second this. > > My only case of false positive (SMART reports complete failure while > disk still seems to work) has been a worn out 2 TB "green" WD disk. > By "worn out" I mean that it was (a) heavily used and (b) all it's mates > of same vintage, age and heavy use have already failed (with i/o errors, > etc). > > > K.O. > > > > > > > > > > On 10/17/18, 4:50 PM, "owner-scientific-linux-us...@listserv.fnal.gov > on behalf of Konstantin Olchanski" < > owner-scientific-linux-us...@listserv.fnal.gov on behalf of > olcha...@triumf.ca> wrote: > > > > > > > > # smartctl -a /dev/sda > > > ... > > > Device Model: TOSHIBA MG03ACA100 > > > ... > > > > Thank you for posting your data, here is my reading of smartctl data: > > > > > > > > === START OF READ SMART DATA SECTION === > > > SMART overall-health self-assessment test result: PASSED > > > > > > > this you can ignore, I have held in my hands disks that reported > "PASSED" > > but were dead, could not read, could not write anything. Also had > > disks that worked perfectly but reported "FAILED" here. > > > > > > Next goes the meat of the data: > > > > > ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE > UPDATED WHEN_FAILED RAW_VALUE > > > 4 Start_Stop_Count0x0032 100 100 000Old_age > Always - 26 > > > > Your disk is brand new, only ever saw 26 power cycles. > > > > > 9 Power_On_Hours 0x0032 051 051 000Old_age > Always - 19725 > > > > Your disk is brand new, 19725 hours is 2.2 years. > > > > > 194 Temperature_Celsius 0x0022 100 100 000Old_age > Always - 32 (Min/Max 20/37) > > > > You have good cooling, temperature is 32C, as high as 40C is usually > okey, above 50C means the cooling fans are dead. > > > > > 5 Reallocated_Sector_Ct 0x0033 100 100 050Pre-fail > Always - 0 > > > 196 Reallocated_Event_Count 0x0032 100 100 000Old_age > Always - 0 > > > 198 Offline_Uncorrectable 0x0030 100 100 000Old_age > Offline - 0 > > > 199 UDMA_CRC_Error_Count0x0032 200 200 000Old_age > Always - 0 > > > > Your disk does not report any problems reading or writing data to > the magnetic media. > > > > Conclusion: healthy as a bull. > > > > -- > > Konstantin Olchanski > > Data Acquisition Systems: The Bytes Must Flow! > > Email: olchansk-at-triumf-dot-ca > > Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, > Canada > > > > > > -- > Konstantin Olchanski > Data Acquisition Systems: The Bytes Must Flow! > Email: olchansk-at-triumf-dot-ca > Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada >
Re: is the disk failing ?
to be clear I wasn't saying Smart is useless just that smartctl doesn't always tell you every thing so you shouldn't rely as a definitive answer on all issues on all disks. As for raid controllers well that's a very long conversation there are good reasons the enterprise ones do not, at least not directly in a way you can extract using the smartctl command instead they have more advanced checks available through the drivers and additional monitoring tools provided by the manufacturer of the raid controller. as for the predictive nature of smart well that's actually in its specification it predicts errors based on indicators. On Tue, Oct 16, 2018 at 7:55 PM Konstantin Olchanski wrote: > On Tue, Oct 16, 2018 at 04:20:03PM -0400, Paul Robert Marino wrote: > > > > smart is predictive and doesn't catch all errors its also not compatible > > with all disks and controllers especially raid capable controllers. > > > > > Do not reject SMART as useless, it correctly reports many actual disk > failures: > > a) overheating (actual disk temperature is reported in degrees Centigrade) > b) unreadable sectors (data on these sectors is already lost) - disk model > dependant > c) "hard to read" sectors (WD specific - "raw read error rate") > d) sata link communication errors ("CRC error count") > > even more useful actual (*not* predictive) stuff is reported for SSDs > (again, model dependant) > > it is true that much of this information is disk model dependant and > one has to have some experience with the SMART data to be able > to read it in a meaningful way. > > as for raid controllers that prevent access to disk SMART data, > they are as safe to use a car with a blank dashboard (no fuel level, > no engine temperature, no speedometer, etc). > > > -- > Konstantin Olchanski > Data Acquisition Systems: The Bytes Must Flow! > Email: olchansk-at-triumf-dot-ca > Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada >
Re: gaming laptop compatibility
By the way one more thing. conventional wisdom for gamers is to use Nvidia cards the reason for this is the high end Nvidia cards (1080, and 2080 series) are faster than current AMD's GPU's however I've never seen a gaming laptop with those GPU's or even a 1070 in them without being severely thermally constrained. That means on Laptops right now the field between AMD and Nvidia GPU's is actually level. Also AMD does have an advantage on Linux the amdgpu driver is GPL and part of the Kernel. this driver is good for them most pare with a couple of exceptions for which you need to install the amdgpu-pro driver which is not a kernel driver instead it actually communicates with the amdgpu driver in the kernel which means no compiles of proprietary kernel drivers on kernel updates.The two exceptions are as follows.1) the amdgpu-pro driver is required for crossfire (multi GPU) support this may not sound important but it is if the laptop has a Ryzen mobile CPU (that are all actually APU's with their own GPU built in)2) if you do a lot of work with Open-CL the amdgpu driver can do it but the amdgpu-pro driver is faster for ececuting Open-CL Applications.there is also a limitation to the amdgpu-pro driver it is pre-compiled and they only make packages for RHEL, Ubuntu LTS, and SuSE (no Fedora support :( ) this shouldn't be a problem for Scientific Linux because the RHEL version should work but it is something to keep in mind.by the way the latest Ryzen 7 Mobile 2700U APU should be playable in most games if they need a budget gaming laptop On Mon, Oct 15, 2018 at 3:45 PM Paul Robert Marino <prmari...@gmail.com> wrote:I have an Asus ROG Strix GL702ZC its on the high end side and the battery life is terrible, but its got a desktop Ryzen 7 CPU 8 cores 16 threads, a 4GB AMD RX 580 video card, a 17" freesync screen. 32GB of ram,.an SSD, and a hard drive.The thing i like about it is I can easily play games on at higher frame rates than I've ever seen on a laptop (100FPS+ in most games) and it is also a power house for running VM's and containers under Linux. I can easily set up mini clouds on it when I want to test or develop network applications. it also surprisingly is cooled well and I had no issues installing Linux.I've tested it with RHEL and Fedora, and I know some one else who has one running Ubuntu. The only bad thing I would say about it running Linux is Asus has not signed on to LVFS yet so firmware updates are not automatic, but can still be done at boot via a usb thumb drive via the BIOS so its safe to blow away the windows partitions :) .By the way don't listen to any one who says Intel CPU's are better for games on a laptop they really cant handle a video card big enough for the slight extra speed on the Intel CPU's to have any noticeable.The new stuff Valve funded the development of for gaming for Linux like the DirectX11 to Vulcan stuff utilizes the extra cores on the AMD CPU's much better than the same game on Windows. Most games using DirectX11 (on Windows or Wine) can only use 2 cores and 4 cores if they are DrectX12, but Vulcan can use more and the AMD video card supports Vulcan on Linux even in the GPL driver now included with newer Linux Kernels.That said its huge and heavy I often joke about it being more like a Compaq portable than a laptop lol. also the battery life off the charger is less than an hour so it does have some down sides.On Mon, Oct 15, 2018 at 2:04 PM Yasha Karant <ykar...@csusb.edu> wrote:Please see the list below. These come from a popular press article, but I cannot post the URL as the university that provides this email rewrites all URLs, and thus I have no certainty that any URL I post (or is embedded in any thread to which I respond) will not be corrupted. At the end of the popular press account, there are mentions of specific laptop models. As I do not have the time to research this, but a number of students want to know, which if any of these are SL 7 compatible (meaning, all hardware is "supported")? I assume that a larger number are Ubuntu supported, in that Ubuntu keeps closer to the "bleeding edge" of Linux hardware support. Thanks for any specific information. Yasha Karant Excerpt: How to buy a gaming laptop They're cheaper, lighter and more powerful than ever before. Devindra Hardawar If your priority is smooth gameplay, I'd recommend a laptop with a 15.6-inch 1080p screen and either NVIDIA's GTX 1060 or 1070 Max-Q GPU. The former will run most games well at 60fps and beyond, while the 1070 will let you reach even higher frame rates and better-quality graphics settings. Mid-range machines like HP's Omen and some of Dell's Alienware models are a good start. If you've got a slightly bigger budget, you should consider laptops with high-refresh-rate screens: MSI's GS65 Stealth Thin, Gigabyte's Aero 15X, Razer's Blade and pricier Alienware configuration. But if you're on a budget, stick to machines with the
Re: gaming laptop compatibility
I have an Asus ROG Strix GL702ZC its on the high end side and the battery life is terrible, but its got a desktop Ryzen 7 CPU 8 cores 16 threads, a 4GB AMD RX 580 video card, a 17" freesync screen. 32GB of ram,.an SSD, and a hard drive. The thing i like about it is I can easily play games on at higher frame rates than I've ever seen on a laptop (100FPS+ in most games) and it is also a power house for running VM's and containers under Linux. I can easily set up mini clouds on it when I want to test or develop network applications. it also surprisingly is cooled well and I had no issues installing Linux. I've tested it with RHEL and Fedora, and I know some one else who has one running Ubuntu. The only bad thing I would say about it running Linux is Asus has not signed on to LVFS yet so firmware updates are not automatic, but can still be done at boot via a usb thumb drive via the BIOS so its safe to blow away the windows partitions :) . By the way don't listen to any one who says Intel CPU's are better for games on a laptop they really cant handle a video card big enough for the slight extra speed on the Intel CPU's to have any noticeable.The new stuff Valve funded the development of for gaming for Linux like the DirectX11 to Vulcan stuff utilizes the extra cores on the AMD CPU's much better than the same game on Windows. Most games using DirectX11 (on Windows or Wine) can only use 2 cores and 4 cores if they are DrectX12, but Vulcan can use more and the AMD video card supports Vulcan on Linux even in the GPL driver now included with newer Linux Kernels. That said its huge and heavy I often joke about it being more like a Compaq portable than a laptop lol. also the battery life off the charger is less than an hour so it does have some down sides. On Mon, Oct 15, 2018 at 2:04 PM Yasha Karant wrote: > Please see the list below. These come from a popular press article, but > I cannot post the URL as the university that provides this email > rewrites all URLs, and thus I have no certainty that any URL I post (or > is embedded in any thread to which I respond) will not be corrupted. > > At the end of the popular press account, there are mentions of specific > laptop models. As I do not have the time to research this, but a number > of students want to know, which if any of these are SL 7 compatible > (meaning, all hardware is "supported")? I assume that a larger number > are Ubuntu supported, in that Ubuntu keeps closer to the "bleeding edge" > of Linux hardware support. > > Thanks for any specific information. > > Yasha Karant > > Excerpt: > > How to buy a gaming laptop > They're cheaper, lighter and more powerful than ever before. > Devindra Hardawar > > If your priority is smooth gameplay, I'd recommend a laptop with a > 15.6-inch 1080p screen and either NVIDIA's GTX 1060 or 1070 Max-Q GPU. > The former will run most games well at 60fps and beyond, while the 1070 > will let you reach even higher frame rates and better-quality graphics > settings. Mid-range machines like HP's Omen and some of Dell's Alienware > models are a good start. If you've got a slightly bigger budget, you > should consider laptops with high-refresh-rate screens: MSI's GS65 > Stealth Thin, Gigabyte's Aero 15X, Razer's Blade and pricier Alienware > configuration. > > But if you're on a budget, stick to machines with the GTX 1050, 1050Ti > or 1060 Max-Q, like Dell's G3 and G5 series. You won't get > high-refresh-rate monitors with these, but they'll have enough > horsepower to reach a silky 60fps. They're ideal if you're mainly > playing MOBA titles and undemanding games like Overwatch. > > It's easy to get overwhelmed by the number of options today, but that > variety is ultimately a good thing. What was once a category filled with > huge, ugly monstrosities now includes genuinely gorgeous machines that > aren't much heavier than a MacBook Pro. >
Re: Trouble with MySQL Server
So first thing first to get you back up and running run the following command "setenforce 0" This will set selinux into permissive mode then restart mysql. The next step is to reliable your file system a quick Google search can tell you how to do this. The next steps are a little more complicated but you should be start with the audit2why command Sorry I'm not giving you a full how to right now but I'm answering from my cell phone so I don't have the full set of commands avaliable to me at the moment to give you proper examples. What I can tell you is selinux isn't that hard to deal with once you know the basic tools. Original Message From: eric.lofg...@wsu.edu Sent: May 16, 2018 8:34 PM To: pa...@tchpc.tcd.ie Cc: scientific-linux-users@fnal.gov Subject: Re: Trouble with MySQL Server It looks like we have a winner. chown doesn’t work, but checking selinux, I get a number of denied {write} notices for that directory. It looks like selinux is preventing writing to that directory. Is there a way to change that? I confess selinux is utterly opaque to me. Eric > On May 16, 2018, at 2:36 AM, Paddy Doylewrote: > Maybe instead of the chmod, just make the dir owned by the mysql user: > > chown mysql.mysql /home/mysqltmp > > Or check if selinux is enabled and is preventing writing to that directory. > > getenforce > grep mysqltmp /var/log/audit/audit.log > > Paddy
Re: SIGTERM?
you understand the global sigterm correctly but there is a problem with relying on that. while it is true that a global sigterm is issued it is followed shortly afterward by a global kill. what that means is it may not give the database sufficient time to shutdown before killing it. whenever databases are involved you can not count on the global sigterm to shut it down correctly in time On Fri, Oct 27, 2017 at 3:57 PM, ToddAndMargowrote: > Dear List, > > In the situation I am facing, a database is not shutdown by the > systemd script that started it at boot. (Its start point was > actually hacked into a related bash file called by another > systems script without a shutdown hack.) There is no "ExecStop" > line. NO, IT WAS NO MY DOING !!! > > I am not saying which (proprietary) database as I don’t want to > get into any legal cross hairs. Anyway, someone else is using > the database. The database works fine. > > The vendor is not systemd literate and keeps complaining about > it only works under SysV. And no, they won’t give me the SysV > rc.d scripts and let me convert it for them. And, yes, I know, > you can still use SysV if you must. But, again, as I said, > it is not my doing. > > I am thinking there is a possibility of data corruptions. > > Question: does the general shutdown take care of this issue? > Am I presuming too much to think this is handled by the general > shutdown global SIGTERM? The database does properly respond > to SIGTERM. > > Do I understand the global SIGTERM correctly? > > Many thanks, > -T >
Re: clock skew too great ** EXTERNAL **
Here is a question was it using preauth? In other words is there a key tab file in /etc? The other question is NTP set to sync the time on shutdown to the bios? There are a couple of reasons why I can think this might happen the first involves how NTP corrects the time and how it may interact with how an option in MIT kerberos client works and that article. There is an incorrect statement in that article about disabling the time sync. It's not that the option disables the time sync it just corrects for it when the ticket is created to mask the issue. The problem with that is NTP usually doesn't sync the time in one shot by default it only corrects it in less than 1 second increments so it doesn't break time dependant things like cron jobs. That flag in combination with the default behavior of NTP can cause an artificial clock skew issue later. Now you can set in /etc/sysconfig an option in the NTP settings to tell it to do an initial full sync on boot before starting ntpd but it is not the default behavior in 6 if I remember correctly. If a ticket had been created and the clock had been more than 5 minutes out of sync you would have gotten a clock skew error after the clock had corrected its self because it would still have still been compensating for the initial skew. In this case kdestroy would clear the skew correction and the new key would be unaffected. The other possibility is that if preauth is being used there could have be something wrong in how the service credential was created in the kerberos server which is quite common if the server is an AD server, and sometimes happens with Heimdal kerberos servers too. Essentially the other possibility is it may have a max ticket renewal set on the principal in which case a kdestroy may force it to redo the preauth and then create a new ticket. Usually you can correct this in the kerberos server if your Kerberos admin really knows it well sadly most AD admins don't :(. I've had to show more than a few of them over the years articles on Microsoft technet, and tell them just do that and stop insisting it can't be done. By the way that article is right about one thing the DNS reverse lookup in MIT kerberos can be problematic because it can't support the use of CNAMEs in the forward lookup, and is not specified any where in any of the ratified RFCs ( in fact it was proposed and rejected by committee on that basis) so it causes more problem especially when it interacts with other kerberos implementation or is implemented in the cloud. It's also the only implementation of Kerberos 5 that does it. It's not the only place where MIT kerberos violates the RFCs and those violations are the reason why you can't use it for Samba version 4 AD server, and why most Linux based appliances that support kerberos use Heimdal kerberos. On Oct 19, 2017 11:48 AM, "Stephen Isard" <7p03xy...@sneakemail.com> wrote: > On Thu, 19 Oct 2017 09:09:32 -0500, Pat Riehecky> wrote: > > >If memory serves, SL7 has "Less Brittle Kerberos"[1] where as SL6 does > >not. This could account for why one works and the other does not. > > > >Pat > > > >[1] https://fedoraproject.org/wiki/Features/LessBrittleKerberos > > That looks promising as an explanation. > > The problem has been "solved", or at least it has gone away, although I > don't really understand why. Without any clear hypothesis as to why it > might help, I decided to run "kdestroy -A" on the affected machine to clear > expired tickets out of my local cache. That did it. No more clock skew > messages. So it looks as if it was a kerberos issue, rather than an ntp > one, and the error message wasn't really explaining what was wrong. > > Thanks to everyone for their advice. > > Stephen Isard > > > >On 10/18/2017 07:10 PM, Stephen Isard wrote: > >> On Wed, 18 Oct 2017 17:12:46 -0400, R P Herrold > wrote: > >> > >>> On Wed, 18 Oct 2017, Howard, Chris wrote: > >>> > Is it possible the two boxes are talking to two different servers? > >>> as the initial post mentioned and showed it was using remote > >>> host lists to a pool alias, almost certainly -- > >> Oh, I took the question to be about the kerberos server. Yes, you are > right, > >> ntpd -q returns different results on the two machines. However, as I > said in the original post, the time on the two machines is the same to > within a very small amount., well within the five minute tolerance used by > kerberos. So I don't understand why it should matter that the two machines > have arrived at the same time by syncing with different servers. > >> > >>> as a way around, set up ONE unit to act as the local master, > >>> and then sync against it, to get 'site coherent' time > >> Could you tell me how to do this, or point me at a document that does? > >> > >> Thanks. > >> > >>> [a person with more than one clock is never quite _sure_ what > >>> time is correct ;) ] > >>> > >>> > >>> for extra geek points, spend $25 on AMZN, and get
Re: [SCIENTIFIC-LINUX-USERS] clock skew too great ** EXTERNAL **
As I said they probably have a different setting for the allowed clock skew so I would check the time on the kerberos server Note in MIT kerberos in the krb5.conf file this can be set via the 'clockskew' option in the "libdefaults"section. It is specified in seconds and usually defaults to 300 seconds check out the krb5.conf man page for details there is also an option to allow the client to compensate for it and detect the actual skew but I don't recommend tinkering with it because it can cause issues. Also note that if you kerberos server is an AD server windows clients usually use their AD server as their default NTP source otherwise they go to Microsoft's pool of NTP servers. On Oct 19, 2017 10:09 AM, "Pat Riehecky"wrote: > If memory serves, SL7 has "Less Brittle Kerberos"[1] where as SL6 does > not. This could account for why one works and the other does not. > > Pat > > [1] https://fedoraproject.org/wiki/Features/LessBrittleKerberos > > On 10/18/2017 07:10 PM, Stephen Isard wrote: > >> On Wed, 18 Oct 2017 17:12:46 -0400, R P Herrold >> wrote: >> >> On Wed, 18 Oct 2017, Howard, Chris wrote: >>> >>> Is it possible the two boxes are talking to two different servers? >>> as the initial post mentioned and showed it was using remote >>> host lists to a pool alias, almost certainly -- >>> >> Oh, I took the question to be about the kerberos server. Yes, you are >> right, >> ntpd -q returns different results on the two machines. However, as I >> said in the original post, the time on the two machines is the same to >> within a very small amount., well within the five minute tolerance used by >> kerberos. So I don't understand why it should matter that the two machines >> have arrived at the same time by syncing with different servers. >> >> as a way around, set up ONE unit to act as the local master, >>> and then sync against it, to get 'site coherent' time >>> >> Could you tell me how to do this, or point me at a document that does? >> >> Thanks. >> >> [a person with more than one clock is never quite _sure_ what >>> time is correct ;) ] >>> >>> >>> for extra geek points, spend $25 on AMZN, and get a GPS USB >>> dongle; run a local top strata server (the first three >>> lintes of the following) >>> >>> [root@router etc]# ntpq -p >>> remote refid st t when poll reach delay >>> offset jitter >>> >>> = >>> GPS_NMEA(0) .GPS.0 l- 1600.000 >>> 0.000 0.000 >>> SHM(0) .GPS.0 l- 1600.000 >>> 0.000 0.000 >>> SHM(1) .PPS.0 l- 1600.000 >>> 0.000 0.000 >>> +ntp1.versadns.c .PPS.1 u 665 1024 377 51.817 >>> -12.510 19.938 >>> *tock.usshc.com .GPS.1 u 294 1024 377 34.608 >>> -8.108 10.644 >>> +clmbs-ntp1.eng. 130.207.244.240 2 u 429 1024 377 31.520 >>> -5.674 7.484 >>> +ntp2.sbcglobal. 151.164.108.15 2 u 272 1024 377 23.117 >>> -6.825 10.479 >>> +ntp3.tamu.edu 165.91.23.54 2 u 1063 1024 377 63.723 >>> -3.319 16.813 >>> [root@router etc]# >>> >>> >>> configuring ntp.conf is not all that hard >>> >>> -- Russ herrold >>> >> > -- > Pat Riehecky > > Fermi National Accelerator Laboratory > www.fnal.gov > www.scientificlinux.org >
Re: clock skew too great ** EXTERNAL **
no difference there the time in both protocals are based on EPOC which means it is always using GMT time regardless of the OS settings. So that should make no difference in this case, though without NTP involved that has been a know issue for encrytion in genneral so its not a bad question just most likely irrelivant in this case. On Thu, Oct 19, 2017 at 9:42 AM, Howard, Chriswrote: > How about timezone? > > > -Original Message- > From: owner-scientific-linux-us...@listserv.fnal.gov [mailto: > owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Stephen Isard > Sent: Wednesday, October 18, 2017 5:43 PM > To: scientific-linux-us...@listserv.fnal.gov > Subject: Re: clock skew too great ** EXTERNAL ** > > On Wed, 18 Oct 2017 21:02:53 +, Howard, Chris > wrote: > > >Is it possible the two boxes are talking to two different servers? > > Thanks for the idea, but no. The admin_server entry in /etc/krb5.conf is > the same on both machines, and the host command returns the same ip address > for that machine name on both machines. > > > > >-Original Message- > >From: owner-scientific-linux-us...@listserv.fnal.gov [mailto: > owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Stephen Isard > >Sent: Wednesday, October 18, 2017 2:47 PM > >To: scientific-linux-us...@listserv.fnal.gov > >Subject: clock skew too great ** EXTERNAL ** > > > >Hello, > > > >I have two laptops side by side, one running SL6, the other SL7, both up > >to date. According to the date command, their times agree to within a > >small fraction of a second. > > > >On both machines, I normally run kinit to get a kerberos ticket in the > >same realm. Today, the SL7 machine gets its ticket normally, but the > >SL6 one shows an error message "Clock skew too great while getting > >initial credentials". Since the clocks of the two machines appear to > >agree, I would have expected that either both should produce the error > >or neither. From what I have read on the web, the standard tolerance > >for clock skew is 5 minutes, and the agreement between the times on the > >two machines is well within that. > > > >Both machines have ntpd running, using the time servers > >[0-3].rhel.pool.ntp.org. Powering off the SL6 machine and rebooting > >does not restore sanity. The problem just arose today. There have been > >no system updates on the SL6 machine since it successfully got its > >ticket yesterday. > > > >Any suggestions for what to try? > > > >Stephen Isard > > > > > > *** This email is from an EXTERNAL sender *** > >Use caution before responding. DO NOT open attachments or click links > from unknown senders or unexpected email. If this email appears to be sent > from a Platte River Power Authority employee or department, verify its > authenticity before acting or responding. Contact the IT Help Desk with any > questions. >
Re: clock skew too great ** EXTERNAL **
well the clock sqew allowed is a client side setting and may be different on the two the real question is what is the time on the kerberos server? the clock sqew probably there not on the clients, The clock sqew allowed is set in the/etc/krb5.conf file by default (and also has a default value if not specified) however may be overriden by the library call so in other words the pam module may also over ride the defaults. Sometime they have been known to change the default for clock sqew in the MIT Kerberos libraries between major releases so thats probably why you are seeing this. looking at differences in the upstream NTP servers is only something you should consider when all of the other possibilities are exausted because the public ones are usually getting their time from the same upstream source (usually GPS which is fed by NORAD's atomic clock, or NTP from NIST's or CERN'satomic clocks or other simmilar autoritative source all of which syncronize with eachother regualrly ), and there for are very unlikely to have more than a few miliseconds difference between them which is not enough to cause such an error. In short look at your Kerberos server not the clients NTP servers as that is most likely where the real clock drift issue is. Then next thing to check is the firewalls because NTP works in a veru unusual way when compared to other protocols on the internet, for example in netfilters firewalls you need to load a special conntrack helper module to support it other wise it breaks due to the inability to the blocking of related connections the source server tries to make back to the client durring the syncronization process. . On Wed, Oct 18, 2017 at 8:10 PM, Stephen Isard <7p03xy...@sneakemail.com> wrote: > On Wed, 18 Oct 2017 17:12:46 -0400, R P Herrold> wrote: > > >On Wed, 18 Oct 2017, Howard, Chris wrote: > > > >> Is it possible the two boxes are talking to two different servers? > > > >as the initial post mentioned and showed it was using remote > >host lists to a pool alias, almost certainly -- > > Oh, I took the question to be about the kerberos server. Yes, you are > right, > ntpd -q returns different results on the two machines. However, as I said > in the original post, the time on the two machines is the same to within a > very small amount., well within the five minute tolerance used by > kerberos. So I don't understand why it should matter that the two machines > have arrived at the same time by syncing with different servers. > > >as a way around, set up ONE unit to act as the local master, > >and then sync against it, to get 'site coherent' time > > Could you tell me how to do this, or point me at a document that does? > > Thanks. > > >[a person with more than one clock is never quite _sure_ what > >time is correct ;) ] > > > > > >for extra geek points, spend $25 on AMZN, and get a GPS USB > >dongle; run a local top strata server (the first three > >lintes of the following) > > > >[root@router etc]# ntpq -p > > remote refid st t when poll reach delay > >offset jitter > > > = > > GPS_NMEA(0) .GPS.0 l- 1600.000 > >0.000 0.000 > > SHM(0) .GPS.0 l- 1600.000 > >0.000 0.000 > > SHM(1) .PPS.0 l- 1600.000 > >0.000 0.000 > >+ntp1.versadns.c .PPS.1 u 665 1024 377 51.817 > >-12.510 19.938 > >*tock.usshc.com .GPS.1 u 294 1024 377 34.608 > >-8.108 10.644 > >+clmbs-ntp1.eng. 130.207.244.240 2 u 429 1024 377 31.520 > >-5.674 7.484 > >+ntp2.sbcglobal. 151.164.108.15 2 u 272 1024 377 23.117 > >-6.825 10.479 > >+ntp3.tamu.edu 165.91.23.54 2 u 1063 1024 377 63.723 > >-3.319 16.813 > >[root@router etc]# > > > > > >configuring ntp.conf is not all that hard > > > >-- Russ herrold >
Re: [EXTERNAL] Re: scanner
Don't use a smart phone camera for it a decent dedicated digital camera will correct for that optically in the lense, but you are right that is an issue for smart phone cameras due to the physical lense size.Sent from my BlackBerry - the most secure mobile deviceFrom: miles.on...@cirrus.comSent: October 12, 2017 5:52 PMTo: prmari...@gmail.com; jason.bron...@gmail.com; scientific-linux-users@fnal.govSubject: Re: [EXTERNAL] Re: scanner On 10/12/2017 04:42 PM, Paul Robert Marino wrote: Interestingly my father threw me for a loop on this now a days a low grade digital camera actually has higher resolution than most scanners so he uses one in a photo copy stand and then just copies the one file to his computer via a bluetooth enabled SD card which is faster than any scanner on the market. Then he uses gimp or photos of depending on which computer he is using to crop it and convert the format if need. He told me this actually works faster and easier than any scanner he has ever used and gets higher resolution as well and requires no drivers. All you need is a photo copy stand which is a rig you attach your camera to the holds it level to a surface. Its a fascinating idea and I'm sure he is right about it, and it's probably the way I'm going to do it in the future. That seems like it would introduce distortion, as the document edges would be farther from the camera lens than the document center. Kind of like most selfies make your nose look bigger.
Re: scanner
No it would not produce parallax that the is the point of using a photo copy stand. That is how Profesional photographers have been copying photographs without the negatives since the beginning of photography it's a rig designed to prevent exactly that.Now the down side is a good photo copy stand is expensive ($400+) but the one he is using actually originally belonged to his father. Really good ones are a one time high quality investment that will out last you, but you can get cheap ones (less than $50) that will last a decade or more of constant use too.Sent from my BlackBerry - the most secure mobile deviceFrom: positiv...@gmx.comSent: October 12, 2017 5:51 PMTo: prmari...@gmail.comCc: jason.bron...@gmail.com; scientific-linux-users@fnal.govSubject: Re: scanner A single point of imaging would produce paralax -- if that matters. Otherwise , an efficient 'hack' . On the plus side , could 'scan' a non-flat object. Sent: Thursday, October 12, 2017 at 5:42 PM From: "Paul Robert Marino" <prmari...@gmail.com> To: "Jason Bronner" <jason.bron...@gmail.com>, scientific-linux-users <scientific-linux-users@fnal.gov> Subject: Re: scanner Interestingly my father threw me for a loop on this now a days a low grade digital camera actually has higher resolution than most scanners so he uses one in a photo copy stand and then just copies the one file to his computer via a bluetooth enabled SD card which is faster than any scanner on the market. Then he uses gimp or photos of depending on which computer he is using to crop it and convert the format if need. He told me this actually works faster and easier than any scanner he has ever used and gets higher resolution as well and requires no drivers. All you need is a photo copy stand which is a rig you attach your camera to the holds it level to a surface. Its a fascinating idea and I'm sure he is right about it, and it's probably the way I'm going to do it in the future. Sent from my BlackBerry - the most secure mobile device From: jason.bron...@gmail.com Sent: October 12, 2017 5:26 PM To: scientific-linux-users@fnal.gov Subject: Re: scanner I'm currently using an older Epson Perfection with a reasonable degree of success. HP is probably going to be your best bet for any kind of stable use and long term support, though. It'll function correctly on about anything until the unit dies from mechanical failure. Virus-free. www.avg.com On Thu, Oct 12, 2017 at 1:50 PM, David Sommerseth <sl+us...@lists.topphemmelig.net> wrote: On 12/10/17 17:31, ToddAndMargo wrote: > Dear List, > > Anyone have a favorite flat bed scanner that is SL friendly? I've only had MFPs the last 10 years or so, with printer and scanner integrated. These are my general experiences on a few brands - Canon Horrendous Linux support, network scanning basically impossible. USB scanning may work reasonably okay. - Brother Functional Linux drivers (also on RHEL), cumbersome setup but once done even network scanning works reasonably well. - HP One of the best driver packages I've used. Newest hardware can be tricky and may require building hplip package manually. But the web page is quite good at listing which driver version is required. Network scanning works very well, even AFP with duplex scanning. And for USB scanning, this works also very well. Downside: requires a binary plug-in to be installed post driver install. This is basically a required closed source/proprietary firmware to enable scanning. This can be installed both via the hplip command line and GUI tools. I'd recommend a HP MFP device any time. If you can find an older model on sale, you'll get big bang for the bucks with a big chance it will work out of the box once the hplip packages are installed. -- kind regards, David Sommerseth
Re: scanner
Interestingly my father threw me for a loop on this now a days a low grade digital camera actually has higher resolution than most scanners so he uses one in a photo copy stand and then just copies the one file to his computer via a bluetooth enabled SD card which is faster than any scanner on the market. Then he uses gimp or photos of depending on which computer he is using to crop it and convert the format if need.He told me this actually works faster and easier than any scanner he has ever used and gets higher resolution as well and requires no drivers. All you need is a photo copy stand which is a rig you attach your camera to the holds it level to a surface.Its a fascinating idea and I'm sure he is right about it, and it's probably the way I'm going to do it in the future.Sent from my BlackBerry - the most secure mobile deviceFrom: jason.bron...@gmail.comSent: October 12, 2017 5:26 PMTo: scientific-linux-users@fnal.govSubject: Re: scanner I'm currently using an older Epson Perfection with a reasonable degree of success. HP is probably going to be your best bet for any kind of stable use and long term support, though. It'll function correctly on about anything until the unit dies from mechanical failure. Virus-free. www.avg.com On Thu, Oct 12, 2017 at 1:50 PM, David Sommersethwrote:On 12/10/17 17:31, ToddAndMargo wrote: > Dear List, > > Anyone have a favorite flat bed scanner that is SL friendly? I've only had MFPs the last 10 years or so, with printer and scanner integrated. These are my general experiences on a few brands - Canon Horrendous Linux support, network scanning basically impossible. USB scanning may work reasonably okay. - Brother Functional Linux drivers (also on RHEL), cumbersome setup but once done even network scanning works reasonably well. - HP One of the best driver packages I've used. Newest hardware can be tricky and may require building hplip package manually. But the web page is quite good at listing which driver version is required. Network scanning works very well, even AFP with duplex scanning. And for USB scanning, this works also very well. Downside: requires a binary plug-in to be installed post driver install. This is basically a required closed source/proprietary firmware to enable scanning. This can be installed both via the hplip command line and GUI tools. I'd recommend a HP MFP device any time. If you can find an older model on sale, you'll get big bang for the bucks with a big chance it will work out of the box once the hplip packages are installed. -- kind regards, David Sommerseth
Re: How do I access mtp from the command line?
Mtp is a barely a protocol, its implementation actually differs widely for each device that uses it. I remember years ago I needed it for a old hard drive mp3 player I had and it was always annoying to get working to say the least. That said if you need support for a recent device that uses it you should always get the latest from source because no two devices implement it the same way, so it's a race between the hardware manufacturers and the maintainers of libmtp which the maintainers can never really win but they do their best to keep up. Original Message From: toddandma...@zoho.com Sent: October 7, 2017 3:57 AM To: SCIENTIFIC-LINUX-USERS@fnal.gov Subject: Re: How do I access mtp from the command line? On 10/07/2017 12:27 AM, Jos Vos wrote: > On Fri, Oct 06, 2017 at 03:44:51PM -0700, ToddAndMargo wrote: > >> With a lot of help from Vladimir, here is my write up: >> >> SL 7.4: how to operate MTP devices from the command line; >> >> First download and install libmtp and libmtp-examples from: >> http://people.redhat.com/bnocera/libmtp-rhel-7.5/ > > EPEL has ready-to-use libmtp packages, as well ass jmtpfs (FUSE > and libmtp based filesystem). Never used it myself. > > Sounds like a much simpler way to go. > The current libmtp did not recognize my wife's tablet. Red Hat fixed that and posted it on the link I gave. See https://bugzilla.redhat.com/show_bug.cgi?id=1356288
Re: reiserfs?
OK well reiserfs is actually EXT2 with a journal slapped on top of it just like EXT3 so you can try mounting it as readonly EXT2 though admittedly I haven't tried it it should work in theory, but certainly can't hurt if you try it in read only mode. Original Message From: toddandma...@zoho.com Sent: July 18, 2017 8:50 PM To: SCIENTIFIC-LINUX-USERS@fnal.gov Subject: Re: reiserfs? On 07/18/2017 05:33 PM, Nico Kadel-Garcia wrote: > On Fri, Jul 14, 2017 at 9:04 PM, ToddAndMargowrote: >> Hi All, >> >> I need to read a reiserfs partition on a flash drive. >> Any words of wisdom? > > *Why* ? reiserfs has languished since the arrest of Hans Reiser for > murdering his wife. And much like ReiserFS, Hans claimed complete > innocence until actually looking at evidence proved that her sudden > absence was entirely his fault. > Hi Niko, Ya, no fooling! :-) I was trying to read the reiserfs partition on my Knoppix Live USB drive. I eventuality qemu-kvm boot the flash drive and used cifs to import the data I wanted from my Samba server -T
Re: selinux preventing access to directory net
It looks like you may be right that it's /proc/net Have you tried using the python audit tools such as audit2text to analyze them they can make it a lot easier to understand what's going on, though they usually don't tell you if there is a bool you can flip to fix it. That tool still needs to be written :) Original Message From: 7p03xy...@sneakemail.com Sent: July 17, 2017 2:16 PM To: scientific-linux-us...@listserv.fnal.gov Subject: selinux preventing access to directory net On two SL7.3 systems where I have set exim as my mta alternative, I am getting a lot of entries in /var/log/messages saying "SELinux is preventing /usr/bin/exim from search access on the directory net", with the usual accompanying "if you believe that exim should be allowed..." stuff, but the logs don't explain what call to exim triggered the messages. Sealert -l tells me Raw Audit Messages type=AVC msg=audit(1500313603.937:268): avc: denied { search } for pid=3097 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=SYSCALL msg=audit(1500313603.937:268): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff03baef4b0 a1=8 a2=1b6 a3=24 items=0 ppid=781 pid=3097 auid=4294967295 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null) which doesn't seem to be much help. Searches turn up two Centos 7 reports, https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 that look as if they might be the same thing with different mta alternatives, but no response to either. All that the mta is supposed to be doing on these systems is reporting the output of cron jobs, and that appears to be happening correctly, so I am puzzled as to what this is about. I'm not even sure what net directory is being referred to. /proc/net? Does an mta need to look in that directory? I can send mail internally, to and from my local user and root, and that doesn't provoke selinux messages in the logs. Any suggestions for where to look? Thanks, Stephen Isard
Re: is it possible to update kernel on out-of-data SL5?
Not trustworthy ones On Jun 21, 2017 6:08 PM, "WILLIAM J LUTTER"wrote: > Recently there has been the "stack-clash" exploit that impacts several OS > including linux > > (CVE-2017-1000364). Unfortunately, I maintain several old SL5 PCs. For > instance, one of them is 5.7 with a 2.6.18-419 kernel. > > > I suppose that kernels for SL/Centos/Redhat kernels that would be > compatible with say SL5.7 are not maintained, so when exploits get too bad, > then time to install SL7? > > > Are there kernels that are kept up to date that could be installed for > older SL5 via rpmfind or some such repo/download site? > > > Bill Lutter >
Re: Perl 6 just hit
Perl 5 isn't going any where any time soon. surprisingly you can actually get working Perl 4 RPMs for SL7. besides there is too much C code linked to lib Perl 5 like Git for example On Wed, Dec 28, 2016 at 4:24 PM, Natalia Ratnikova <nata...@fnal.gov> wrote: > Hi All, > With Perl 6 on the scene, is Perl 5 expected to continue to get full support > within SL? > Thanks. >Natalia. > > > On 12/28/16 3:09 PM, Paul Robert Marino wrote: >> >> Well I'm hoping my multi-threaded code will actually be able to use >> multiple CPU cores on Linux. its worked on Solaris for a long time but >> for some reason its always been CPU core bound on Linux. >> Also I would like to start a local Perl 6 work group for Perl 5 >> programmers looking to port their code. there is one for active Perl 6 >> projects but they don't want any one who doesn't already have an >> active Perl 6 project to attend. I asked them very politely for a >> clarification on their policy and didn't not get a response. I didn't >> get a reply but I know other Perl 5 programmers who showed up looking >> to get porting tips, and were asked to leave because they weren't >> currently Perl 6 programmers, which is a very poor approach to take if >> you really want to rebuild the Perl community. >> >> On Tue, Dec 27, 2016 at 8:55 PM, ToddAndMargo <toddandma...@zoho.com> >> wrote: >>>> >>>> On Tue, Dec 27, 2016 at 8:28 PM, ToddAndMargo <toddandma...@zoho.com> >>>> wrote: >>>>> >>>>> Hi All, >>>>> >>>>> Perl 6 just hit EPEL: rakudo-star.x86_64 0:0.0.2016.11-1.el7 >>>>> >>>>> -T >>>>> >>>>> -- >>>>> ~~ >>>>> Computers are like air conditioners. >>>>> They malfunction when you open windows >>>>> ~~ >>> >>> >>> On 12/27/2016 05:53 PM, Paul Robert Marino wrote: >>>> >>>> Cool >>>> I guess that means I really should start writing in Perl 6 >>>> >>> I am looking forward to the improved way of passing variables to >>> subroutines. :-) >>> >>> >>> -- >>> ~~ >>> Computers are like air conditioners. >>> They malfunction when you open windows >>> ~~
Re: Perl 6 just hit
Well I'm hoping my multi-threaded code will actually be able to use multiple CPU cores on Linux. its worked on Solaris for a long time but for some reason its always been CPU core bound on Linux. Also I would like to start a local Perl 6 work group for Perl 5 programmers looking to port their code. there is one for active Perl 6 projects but they don't want any one who doesn't already have an active Perl 6 project to attend. I asked them very politely for a clarification on their policy and didn't not get a response. I didn't get a reply but I know other Perl 5 programmers who showed up looking to get porting tips, and were asked to leave because they weren't currently Perl 6 programmers, which is a very poor approach to take if you really want to rebuild the Perl community. On Tue, Dec 27, 2016 at 8:55 PM, ToddAndMargo <toddandma...@zoho.com> wrote: >> On Tue, Dec 27, 2016 at 8:28 PM, ToddAndMargo <toddandma...@zoho.com> >> wrote: >>> >>> Hi All, >>> >>> Perl 6 just hit EPEL: rakudo-star.x86_64 0:0.0.2016.11-1.el7 >>> >>> -T >>> >>> -- >>> ~~ >>> Computers are like air conditioners. >>> They malfunction when you open windows >>> ~~ > > > On 12/27/2016 05:53 PM, Paul Robert Marino wrote: >> >> Cool >> I guess that means I really should start writing in Perl 6 >> > > I am looking forward to the improved way of passing variables to > subroutines. :-) > > > -- > ~~ > Computers are like air conditioners. > They malfunction when you open windows > ~~
Re: Perl 6 just hit
Cool I guess that means I really should start writing in Perl 6 On Tue, Dec 27, 2016 at 8:28 PM, ToddAndMargowrote: > Hi All, > > Perl 6 just hit EPEL: rakudo-star.x86_64 0:0.0.2016.11-1.el7 > > -T > > -- > ~~ > Computers are like air conditioners. > They malfunction when you open windows > ~~
Re: Regarding latest Linux level 3 rootkits
This thread raises some interesting point but I've seen a few misconceptions in it too first let me clear up the misconceptions. 1) busy box is meant to make the footprint on an appliance or live "CD" type distro smaller it is not for security. Rootkits that replace busy box have been seen in the wild on appliances in the past, so its not necessarily a good answer to prevent rootkits. 2) you really don't need root to be writable in production on any system as long as you've laid out your logical volume or partitions correctly and just add a few simple operational procedures when you update or modify configuration files. As far as updates go you can still do it by remounting (mount -O remount) the filesystem as read write first,run your updates, then remount again as read only. I've been doing this on secure systems for over 20 years and its quite effective in preventing about 40% of root kits from infecting a system. In fact in the cloud you should make your instances as stateless and read only as possible. you do this by only doing updates on the VM you use to create your image and not the production VM's instead you should just replace them when you are ready to update this works well with thing like AWS autoscaling and other similar solutions. in reality on most systems only /var, /tmp (preferably tmpfs), and maybe /home need to be writable in production. 3) SELinux secures system processed but not user executed commands for that you need apparmor which is not implemented in RHEL yet. now some suggestions A simple solution for file integrity checking is AIDE https://sourceforge.net/projects/aide/ there has been an RPM included in all versions of RHEL and Fedora since the first versions. If you want a better more enhanced rootkit protection look at Samhain http://la-samhna.de/samhain/ here is a SANS article from a couple of years ago which can walk you through the install https://www.sans.org/reading-room/whitepapers/detection/samhain-host-based-intrusion-detection-file-integrity-monitoring-34567 If you want to get really into it look at OSEC but be warned I've found OSEC has issues with the cloud specifically when autoscaling is involved because its very difficult to remove retired instances . In the cloud I have found simpler solutions like using AIDE work well because you don't need to register and unregister instances, also you can precreate the database on the VM you use to create the image so no post launch scripts need to be added to cloudinit. That said I haven't tried it yet in the cloud yet but I think Samhain may have some potential in the cloud but the implementation of it for the cloud would need a lot more forethought then a standard install. On a side note effecting the load order of libraries is not a new method for rootkits, and many of them have been know to install themselves in users home directories and modifying the users profile and or bashrc. Also i know it hasnt been updated in a long time but if you want to know more about securing a Linux box I highly suggest you take a look at what Bastille Linux does http://bastille-linux.sourceforge.net/ even though its out of date (looking for config file in the wrong place or expecting an old syntax) a lot of the base concepts of what it did are correct and very good to do if you want to secure a system. On Thu, Sep 8, 2016 at 6:44 AM, Vladimir Mosgalinwrote: > Hi Steven J. Yellin! > > On 2016.09.07 at 19:03:32 -0700, Steven J. Yellin wrote next: > >> Are rpm and the check sum tools statically linked? If not, hiding >> copies of them might not help if libraries have been compromised. But >> busybox is statically linked, and it looks like it can be easily used to >> replace most commands used to check security without going to the trouble of >> pulling files from it. For example, 'ln -s busybox md5sum' allows use of >> busybox's md5sum and 'ln -s busybox vi' allows use of its vi. See >> https://busybox.net/FAQ.html#getting_started . > > Statically linked rpm won't help you at all. This malware in question > doesn't modify any system files or libraries, it installs new (non > system-managed) library and creates extra config file for linker, it has > random name and is treated as non system-managed as well. This library > preloads itself for any non-statically linked binary and replaces libc > functions. > > rpm has absolutely nothing to do with non-system files, you can do as > many verify passes as you want, using statically linked rpm binary if > you prefer, and it won't show you that anything is wrong. > > -- > > Vladimir
Re: Red Hat's new virtualization
I ran RHEV in production in a previous job to give you an idea its similar to VMWare vSphere. It allows you to have a single host manage you virtualization environment including live migrations. in addition it can monitors the virtual machines and hardware so if vms crash unexpectedly due to hardware failures it can relaunch them on a different host, but it requires the management host to have access to ILO's, DRAC's, or similar device to control the power switches of the servers and the use of SAN or NAS storage to fully work correctly. it can also manage Gluster storage clusters, however it assumes that the Gluster clusters are dedicated to RHEV for use by the virtual machines and nothing else. there are two features vShpere has that Ovirt does not 1) last I worked with it there was no virtual switch option although I know there is at least a plan to integrate openvswitch in the future. 2) it can not bring a VM back online in the identical running state if the hardware crashed, VMware does this by mirroring the ram to a ramdisk on the SAN the developers of Ovirt consider this to be an edge case that is often misused, and I think they are right. it slows down writes to the VM's ram significantly and eats the cache on the SAN slowing down every thing else on it. Ovirt is the upstream project. there is one main difference between ovirt and RHEV, with RHEV you can use a striped down appliance image on the servers running the VM's, the appliance is tiny just a few hundred MB and unless its in maintenance mode (all of the VM's have been automatically migrated off of it and the management console has temporarily removed it from the pool of usable servers) it runs with most of volumes mounted as readonly including the one where it stores its configs so its considerably hardened. in fact I've run the whole thing off a bootable SD card slot on a motherboard before in an HP DL385 with no drives or raid controller. I just loaded it with 8 core CPU's, lots of ram and a high quality SD card in the slot on the motherboard and it was good to go. For storage I suggest using NFS, Gluster (with a minimum of 3 node for quorum), or a SAN also keep in mind NFS is required for ISO image storage, and data center migrations. while iSCSI is supported I don't recommend using it because last I worked with it it had some nasty race conditions which can stop the system from working until you dig deep into the database to fix it. Red Hats support can not help you with it if that happens they say just to drop the database and reload from backups. that said I have fixed it before by manually deleting the frozen tasks from the table and triggering the plsql command to release the lock but it took me a an hour or two to figure it out and the only reason I was able to is I use to be a PostgreSQL DBA and could read and understand the PSQL procedures. On a side note if you are looking at RHEV and Cloudforms its also a good idea to look at cloudinit as well. On Sat, Aug 27, 2016 at 10:01 AM, Steven Mianowrote: > The upstream of CloudForms is actually: http://manageiq.org/ > > On Sat, Aug 27, 2016 at 6:16 AM, David Sommerseth > wrote: >> >> On 27/08/16 09:23, ToddAndMargo wrote: >> > Hi All, >> > >> > Will we be seeing any of this? >> > >> > >> > http://www.infoworld.com/article/3111908/virtualization/red-hat-virtualization-4-woos-vmware-faithful.html >> > >> > >> > And does it have anything to do with qemu-kvm? >> > >> >> AFAIK, Red Hat Virtualization (RHV) is building upon libvirt and >> qemu-kvm. The difference is that it comes with a far more powerful >> management tool than virsh and virt-manager and the host OS is a scaled >> down RHEL installation fine-tuned for being a virtualization host. >> >> Right now I've forgotten what the upstream project of RHV is named, but >> it should exist such a project. >> >> You also have CloudForms, which is an even wider scoped management tool >> capable of managing more than just libvirt/qemu-kvm virt hosts. The >> upstream project for this is called oVirt, IIRC. >> >> >> -- >> kind regards, >> >> David Sommerseth > > > > > -- > Miano, Steven M. > http://stevenmiano.com
Re: Perl window question
sure Ill send you some stuff when I get home tonight. On Mon, Nov 23, 2015 at 5:58 PM, ToddAndMargowrote: >>>Original Message >>> From: ToddAndMargo >>> Sent: Sunday, November 22, 2015 23:00 >>> To: scientific-linux-users@fnal.gov >>> Subject: Perl window question >>> >>> Hi All, >>> >>> I am trying to teach myself Perl. I am also trying to >>> get away from Zenity. >>> >>> Any of you guys have a favorite method of creating a >>> windows from Perl that is SL7 friendly (meaning the >>> modules are available)? >>> >>> Many thanks, >>> -T >>> >> > > On 11/23/2015 07:04 AM, prmari...@gmail.com wrote: >> >> By window I assume you mean X11 >> In that case look at Perl/TK there are several great modules that can help >> you, that's the classic method although most people just do web interfaces >> now. >> Also if you would like I could suggest some books to read that would help >> you a lot. >> I'm a pretty heavy Perl programmer my self and am always happy to help any >> one who wants to learn Perl. >> One thing I will advise it seems pretty abstract at first but learn how >> anonymous references work in Perl because they are really the key to >> unlocking the true power of the whole language, I always consider it as the >> key piece of knowledge that separates Perl scripters from a Perl programmer. >> > > Hi Prmarino, > > I will look up Perl/TK. > > "anonymous references"? Is that the mysterious "->" thingy? > > $ua = LWP::UserAgent->new; > $ua->timeout ( MaxTime1 ); > $ua->show_progress; > > Can you point me to a good web page to "finally" figure out > what that is? > > Thank you for helping me with this! > -T > >
Re: how to add packages that are not in the repo?
by the way for future reference yum provides */kalarm would have told you if it was in a package with a different name than you expect. also I always check rpm.pbone.net its very useful for finding rpm's in 3rd party repos. On Tue, Jun 2, 2015 at 2:42 PM, Mark Stodola stod...@pelletron.com wrote: That is a source rpm. It contains the source files and settings to build the binary packages for a target system. Installing it would give you the files necessary to run it through rpmbuild. You would then need to install the resulting package, assuming you have all of the required libraries and development tools needed for a successful build. Many people use a tool called mock to help accomplish this. On 06/02/2015 12:35 PM, t...@telekon.org wrote: this version is independent, http://pkgs.repoforge.org/kaffeine/kaffeine-0.8.7-1.rf.src.rpm can it be installed with yumex? or should i use one of these, su yum localinstall kaffeine-0.8.7-1.rf.src.rpm yum install kaffeine-0.8.7-1.rf.src.rpm su -c 'yum -y install kaffeine-0.8.7-1.rf.src.rpm' (i'm about ready to give up) --- Original Message --- From: Mark Stodola stod...@pelletron.com To: scientific-linux-users@fnal.gov scientific-linux-users@fnal.gov Subject: Re: how to add packages that are not in the repo? Date: Tue, 2 Jun 2015 On 06/02/2015 11:01 AM, Tini wrote: can you make a repo install the version that you want, instead of the latest version? i want this: http://pkgs.repoforge.org/kaffeine/ (ver. 0.8) but instead i keep getting version 1.0 -Tini If you look carefully at that repo, you will notice that 0.8 is for EL 5 and below. If you are getting 1.1, I am guessing you are on EL 6. There are ways to specify versions/roll back, but in this case I don't think it is a good idea to mix packages like that. If you are feeling adventurous you could try it I guess. Just include the full release info in the package name I think. kaffeine-0.8.7-1.el5.rf.x86_64 Alternately, you can just download by hand and toss it in with yum or rpm. If you have automated yum updates, it will get caught and upgraded unless you exclude/blacklist it.
Re: write permission error on a shared drive
Mahmood you will also probably need to learn about the setgid bit. On Sat, Nov 29, 2014 at 12:23 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sat, Nov 29, 2014 at 10:56 AM, Mahmood N nt_mahm...@yahoo.com wrote: Hi A server and a client both run SL6.3. On server, I have exported a disk with the following property /data 192.168.1.0/24(rw,sync,no_root_squash) and on the client side, I wrote this entry in the fstab 192.168.1.5:/data /data nfs defaults 0 0 However on the client side, I am not able to create folders. [mahmood@client data]$ mkdir afolder mkdir: cannot create directory `afolder': Permission denied However, root has the write permission. [root@client data]# mkdir a [root@client data]# How can I grant the write permission tot he user? Regards, Mahmood You need to learn about uid, gid, and file system permissions. The user and the groupo that own a file are stored, on the NFS serrver's file system, as numbers. Those numbers are tied to group and owner as far as the login name and login user's groups by /etc/passwd, /etc/group, and lots of different network tools that can also do that. If the user name on the client *has the same uid and group gid memberships* as the server expects, then they'lll typically have permission to write to those directories. This is much like file ownership on a local directory. If someone else owns the directory, *and did not allow write access to others*, others will not be able to write there. In this case, I would do ls -al /data and see who owns it. Then I'd look up the man pages for chown and chgrp and chmod to get a handle on what you want to allow and prevent.
Re: Final Solution to Chinese Break in
That is because the secret service is part of the treasury department oddly enough. Even though they are most know for protecting the president they are actually a law enforcement agency.-- Sent from my HP Pre3On Oct 5, 2014 2:54 AM, jdow j...@earthlink.net wrote: If credit card fraud was involved you might check with the Secret Service. At least in the mid 80s credit card fraud was investigated by the Secret Service. I've no freaking idea why; but, during an investigation about some online stalking featuring me as one of the victims credit card fraud was involved. I was interviewed about it by a Secret Service agent and an FBI agent concurrently. Both were just a touch out of their depth. Sigi Kluger was ultimately prosecuted for the CC fraud, not the stalking, not the death threats, not the bodily harm (chop me up and feed me to his dog) but CC fraud that was small amounts over a full year. VERY few women stayed with McGraw-Hill's "BIX" or "Byte Information eXchange" through that year. I was too damn stubborn to be run out. But - damn - CC fraud was the Secret Service's domain? Washington DC was hopelessly screwed up even then. {^_^} Joanne On 2014-10-04 21:26, Paul Robert Marino wrote: you may be right Interpol's economic crimes division might be the right way to go Ive never considered that before. On Sat, Oct 4, 2014 at 8:56 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sat, Oct 4, 2014 at 9:26 PM, Bill Maidment b...@maidment.me wrote: There used to be an organisation called Interpol to deal with international crime. I haven't heard anything recent about them; do they still exist? Regards Bill Maidment Interpol still exists, they've a web site hat https://www.interpol.int/. Since we've gone way off this mailing list's announced purpose, I'll stop here.
Re: Final Solution to Chinese Break in
Well it looks like in 2003 it was transfered to the new at that tim DHS. It originally was not a waste of money because the FBI didn't exist yet so it was vital at the time. Can it be consolidated now? Yes; but that doesn't mean a new conglomerate agency would do a good job.All things said and done outside of the protection of the president and other dignitaries the secret service has a long history of being very good and efficient at their originally mandated job even in the internet age which is to really with finance related crimes originally meaning preventing the circulation of fake currency.I think a new agency needs to be developed with a strict mandate of international internet crimes; however I don't trust modern politicians to do a great job of designing it to work in our best interests. Honestly I don't think they know enough about the subject to even know if they are or are not doing the right thing.-- Sent from my HP Pre3On Oct 5, 2014 2:04 PM, Jason Bronner jason.bron...@gmail.com wrote: Its under DHS now and has been under DHS for quite a while. Initially thats who is tasked with investigating counterfeiting US currency and is why they were a division of the Treasury Dept. Had a nice chat with one of their reps when I was still in management and someone shot a fake 100 through my safe and i filled out the paperwork on it at the bank. On Sun, Oct 5, 2014 at 11:54 AM, jdow j...@earthlink.net wrote:Like I say, our government is totally disorganized and overbloated. Law enforcement should be part of DoJ not Treasury. But, we gotta waste money somehow so we get a mishmash of a hodgepodge. nuff said - except to note that I wanted a chance to live enough that I illegally carried a .38 special for most of that year and slept with it under the pillow. Surrender is for victims. I gave up being a victim and liked the feeling. {o.o} On 2014-10-05 06:27, Paul Robert Marino wrote: That is because the secret service is part of the treasury department oddly enough. Even though they are most know for protecting the president they are actually a law enforcement agency. -- Sent from my HP Pre3 On Oct 5, 2014 2:54 AM, jdow j...@earthlink.net wrote: If credit card fraud was involved you might check with the Secret Service. At least in the mid 80s credit card fraud was investigated by the Secret Service. Ive no freaking idea why; but, during an investigation about some online stalking featuring me as one of the victims credit card fraud was involved. I was interviewed about it by a Secret Service agent and an FBI agent concurrently. Both were just a touch out of their depth. Sigi Kluger was ultimately prosecuted for the CC fraud, not the stalking, not the death threats, not the bodily harm (chop me up and feed me to his dog) but CC fraud that was small amounts over a full year. VERY few women stayed with McGraw-Hills BIX or Byte Information eXchange through that year. I was too damn stubborn to be run out. But - damn - CC fraud was the Secret Services domain? Washington DC was hopelessly screwed up even then. {^_^} Joanne On 2014-10-04 21:26, Paul Robert Marino wrote: you may be right Interpols economic crimes division might be the right way to go Ive never considered that before. On Sat, Oct 4, 2014 at 8:56 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sat, Oct 4, 2014 at 9:26 PM, Bill Maidment b...@maidment.me wrote: There used to be an organisation called Interpol to deal with international crime. I havent heard anything recent about them; do they still exist? Regards Bill Maidment Interpol still exists, theyve a web site hat https://www.interpol.int/. Since weve gone way off this mailing lists announced purpose, Ill stop here.
Re: Final Solution to Chinese Break in
One other problem is the FBI can only investigate criminals operating within the united states they really can't do any thing if the criminal is operating out of an other country due to their mandated scope of enforcement.In fact internet crimes are really difficult for any law enforcement because they are usually international and there for exceed their jurisdiction. The laws that limit jurisdiction are ment to protect our rights and prevent any one law enforcement agency from having enough power to threaten the government; however this makes it nearly impossible for any one of them to truly investigate internet crimes. What is needed is a new agency who's jurisdiction is international internet crimes; however that also presents its own risks because if you think the NSA is bad about respecting our rights just wait to see what an international agency tasked with tracking internet crimes would do.-- Sent from my HP Pre3On Oct 3, 2014 12:30 AM, Nico Kadel-Garcia nka...@gmail.com wrote: On Thu, Oct 2, 2014 at 4:02 PM, Larry Linder larry.lin...@micro-controls.com wrote: on May 22 Our server was broken into by some one in China. How it happened is that we had had a hole in our firewall so employees could access out server from the field. This had worked pretty well - until the AT Motorola modem died and they install two new ones and left the port to the ssh open. *Ouch*. Dude, you've my sympathies. This sort of thing is precisely why I argue with people about the concept of "we have a firewall, so we don't need to be so rigorous about our internal network security". And oh, yes, the old standby "who would want to hack us?" The people who did this job had more than a working knowledge of networks, Linux and files systems. We were wondering how they could create a directory at end of file system was a puzzle. They had root privilege, ssh, and with access to bash they were in. And the kernel. Don't forget that with that level of access, they can manipulate the modules in your kernel. How did they covered their tracks so well? "messages" was there but filled with nonsense and file in /var/log that tells you who and what was sent was touched was now missing. "security" was there and you could see the And since they owned root, they could replace core system libraries, even corrupting compilers. *nothing* rebuilt on that host can be trusted. repeated access attempts to break in again. "cron" was changed so daily backups were done after they down loaded all new files. "crontab -e" no longer worked. We made a copy of the OS onto old disk and removed disk from the system. There were so many charges to the OS and files in /etc that we did not even try to repair it. There were 1000's of differences between new install and copy of old system. I personally think the bash problem is over blown because they have to get threw modem, firewall, ssh before they can use "bash". That is *one* instance, and not really relevant to the circumstances you described. In fact, many systems expose SSH to the Internet at large for "git" repository access, and for telecommuting access to firewalls and routers. The big problem with "shellshock" was that attempts to restrict the available commands for such access, for example inside "ForceCommands" controlled SSH "authrozed_keys" files, could now broken out of and allow full local shell access. Once you have *that* on a critical server, your hard crunch outershell is cracked open and your soft chewy underbelly exposed. One question remains and that is what code and script did they use to run the system?? Gods only know. there are so *many* rootkits in the wild, and so much theft of private SSH keys and brute force attacks or theft of passwords, it's hard to know how they got in. If anyone wants details and IP's I will send it to them on an individual basis. We contacted the FBI and after a telephone interview, they were sort of interested but I think the problem is so big they don't have time to work little stuff. My personal experience with the FBI and computer crime is that they are simply not competent. They accept information eagerly and do nothing at all helpful with it. They have a very poor track record of getting crackers to turn each other in and abusing the resulting immunity from prosecution, and not actually investigating or prosecuting more than the tiniest fraction of crimes reported. This is a little disjointed because it happened over a long time. Larry Linder As I mention, you have my sympathies. It'a a good reminder to keep your internal systems updated from known attack vectors.
Re: about realtime system
Nico Depending on the role of the particular system and or which company I was working for at the time I've need one the other or both. In my current role in the broadcast industry precision with predictable latency is more important for most of my systems. That said when I worked in the financial industry it changed based on what part of the industy I was working for. The stock exchanges I've worked for cared about precision because it was more important to them to make sure every one had the same latency and our logging was accurate for audit purposes. When I used to work for a managed systems vender for hedge funds they were all about low latency because the faster they got data in and out of the exchanges often determined if they had an edge over their competitors or not. quite literally an extra millisecond could cost them millions of dollars a second due to the nature of high frequency trading. Generally I don't think of real time kernels when I am thinking about low latency because oftent they increase the latency when dealing with multiple operations. however the reverse can true if you only have a box doing one specific task only but that rarely is the case. By the way one of those stock exchanges is where the VMware engineers told us never to use their product in production. In fact we had huge problems with VMware in our development environments because some of our applications would actually detect the clock instability in the VMware clocks and would shut themselves down rather than have inaccurate audit logs. as a result we found we had trouble even using it in our development environments. By the way Red hat only told me recently about guaranteeing the microsecond precision of the clocks in KVM on RHEV and said they have been doing it in financial for over a year. there are conditions though such as you need to turn off support for overbooking the CPU cores. last I checked VMware still says do not use their product anywhere where you need millisecond accurate clocks. Further more I dont know about that statement Anyways, KVM will not handle latency any better than Vmware. the article you pointed out talks about VCPU's going in and out of halted states, which is normal and completely expected in VMware because they always assume you are going to overbook your CPU cores. there is a slight difference when you talk about KVM in paravirtualized mode with overbooking disabled it directly maps the CPU cores the the VM so as long as you don't have power management enabled the CPU's are always operating at full speed further more you can directly map PCIe bus address to the VM (essentially assigning a card on your bus directly to the VM to be completely managed by its kernel) to reduce latency in other ways to hardware if you need too. On Sun, Aug 24, 2014 at 2:02 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sun, Aug 24, 2014 at 12:57 PM, John Lauro john.la...@covenanteyes.com wrote: Why spread FUD about Vmware. Anyways, to hear what they say on the subject: http://www.vmware.com/files/pdf/techpaper/latency-sensitive-perf-vsphere55.pdf Anyways, KVM will not handle latency any better than Vmware. - Original Message - From: Paul Robert Marino prmari...@gmail.com To: Nico Kadel-Garcia nka...@gmail.com Cc: Brandon Vincent brandon.vinc...@asu.edu, llwa...@gmail.com, SCIENTIFIC-LINUX-USERS@FNAL.GOV scientific-linux-users@fnal.gov Sent: Sunday, August 24, 2014 12:26:17 PM Subject: Re: about realtime system Wow I don't know how VMware got mentioned in this string but VMware is not capable of real time operation and if you ask the senior engineers at VMware they will tell you they don't want you even trying it on their product because they know it wont work. The reason is VMware plays games with the clock on the VM so the clocks can never be 100% accurate. It should be possible to do real time in KVM assuming you don't overbook your CPU Cores or RAM. Apparently Red Hat has been doing VM's with microsecond accurate clocks with PTP running on the visualization I mentioned that I hope they were using real servers, not VM's. I'd had people try to run real-time systems in virtualization, specifically with VMware, and it wasn't workable for their needs. Also, high precision is not the same as low latency, although both are often grouped together for real-time operations. I'm curious if Paul needs both.
Re: about realtime system
PS. That last paragraph was intended to respond to John not Nico. On Sun, Aug 24, 2014 at 3:27 PM, Paul Robert Marino prmari...@gmail.com wrote: Nico Depending on the role of the particular system and or which company I was working for at the time I've need one the other or both. In my current role in the broadcast industry precision with predictable latency is more important for most of my systems. That said when I worked in the financial industry it changed based on what part of the industy I was working for. The stock exchanges I've worked for cared about precision because it was more important to them to make sure every one had the same latency and our logging was accurate for audit purposes. When I used to work for a managed systems vender for hedge funds they were all about low latency because the faster they got data in and out of the exchanges often determined if they had an edge over their competitors or not. quite literally an extra millisecond could cost them millions of dollars a second due to the nature of high frequency trading. Generally I don't think of real time kernels when I am thinking about low latency because oftent they increase the latency when dealing with multiple operations. however the reverse can true if you only have a box doing one specific task only but that rarely is the case. By the way one of those stock exchanges is where the VMware engineers told us never to use their product in production. In fact we had huge problems with VMware in our development environments because some of our applications would actually detect the clock instability in the VMware clocks and would shut themselves down rather than have inaccurate audit logs. as a result we found we had trouble even using it in our development environments. By the way Red hat only told me recently about guaranteeing the microsecond precision of the clocks in KVM on RHEV and said they have been doing it in financial for over a year. there are conditions though such as you need to turn off support for overbooking the CPU cores. last I checked VMware still says do not use their product anywhere where you need millisecond accurate clocks. Further more I dont know about that statement Anyways, KVM will not handle latency any better than Vmware. the article you pointed out talks about VCPU's going in and out of halted states, which is normal and completely expected in VMware because they always assume you are going to overbook your CPU cores. there is a slight difference when you talk about KVM in paravirtualized mode with overbooking disabled it directly maps the CPU cores the the VM so as long as you don't have power management enabled the CPU's are always operating at full speed further more you can directly map PCIe bus address to the VM (essentially assigning a card on your bus directly to the VM to be completely managed by its kernel) to reduce latency in other ways to hardware if you need too. On Sun, Aug 24, 2014 at 2:02 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sun, Aug 24, 2014 at 12:57 PM, John Lauro john.la...@covenanteyes.com wrote: Why spread FUD about Vmware. Anyways, to hear what they say on the subject: http://www.vmware.com/files/pdf/techpaper/latency-sensitive-perf-vsphere55.pdf Anyways, KVM will not handle latency any better than Vmware. - Original Message - From: Paul Robert Marino prmari...@gmail.com To: Nico Kadel-Garcia nka...@gmail.com Cc: Brandon Vincent brandon.vinc...@asu.edu, llwa...@gmail.com, SCIENTIFIC-LINUX-USERS@FNAL.GOV scientific-linux-users@fnal.gov Sent: Sunday, August 24, 2014 12:26:17 PM Subject: Re: about realtime system Wow I don't know how VMware got mentioned in this string but VMware is not capable of real time operation and if you ask the senior engineers at VMware they will tell you they don't want you even trying it on their product because they know it wont work. The reason is VMware plays games with the clock on the VM so the clocks can never be 100% accurate. It should be possible to do real time in KVM assuming you don't overbook your CPU Cores or RAM. Apparently Red Hat has been doing VM's with microsecond accurate clocks with PTP running on the visualization I mentioned that I hope they were using real servers, not VM's. I'd had people try to run real-time systems in virtualization, specifically with VMware, and it wasn't workable for their needs. Also, high precision is not the same as low latency, although both are often grouped together for real-time operations. I'm curious if Paul needs both.
Re: about realtime system
John reread the first and third paragraph of my previous email. Trading firms care about low latency but never cared about the accuracy millisecond of the clocks. Sock exchanges on the other hand want predictable latency not necessarily low latency but absolutely require millisecond and if possible microsecond accurate clocks. The reason for this is trading funds are worried about getting quotes, bids, executions, etc. to the exchanges gateways as fast as possible; however the exchange has to be able to prove to both the member firms and the regulators that everyone is treated fairly once they put an order into the gateway. While yes VMware says under very specific configurations with 3/4ths of their features disabled and special network cards which offload their virtual switch's work VMware can handle low latency, but they still can not handle clocks accurate to the millisecond and certain cant handle it to the microsecond. Furthermore I find this article highly suspect because its talking about reducing the latency overhead in their visualization stack to the point where it becomes less noticeable not necessarily true low latency. This makes it acceptable for small hedge funds which have staff and equipment budget constraints, but not really good enough for the big boys if they are smart. I would advise you to be careful with VMwares technical marketing docs and blogs in this area because the sale people will tell you anything to get you to buy it, their high level engineers will actually tell you the truth if they know what you are using it for. In true real time and high precision situations their senior engineers will tell the sales department to wave you off of using their product if your employer is a big enough name for for the real senior engineers (not sales engineers) to look at your design prior to sale. If you dive deep into that article it say's you need 1) very specific hardware support specifically network cards 2) you need to turn off vmotion and all of the other fault tolerance features 3) you need to have very specific features turned on 4) It makes strongly implied suggestion but doesn't state flat out that for best performance you need to align the number of cores you assign to the layout of the cache in your CPU so you don't get multiple VM's sharing CPU cache even if that means assigning more VCPUs than you need. 5) a separate physical network card for each VM 6) disable memory over committing (Same as KVM) 7) disable CPU over committing (Same as KVM) Even with that all of that you still do not have a 10 microsecond latency jitter in the network stack, and the accuracy of the clocks are still not guaranteed to the millisecond. In no place in that article or the blog is clock accuracy mentioned at all. All they are talking about is better response time latency not real precision. On Sun, Aug 24, 2014 at 3:46 PM, John Lauro john.la...@covenanteyes.com wrote: The recommendation changed with 5.5. http://blogs.vmware.com/performance/2013/09/deploying-extremely-latency-sensitive-applications-in-vmware-vsphere-5-5.html ... However, performance demands of latency-sensitive applications with very low latency requirements such as distributed in-memory data management, stock trading, and high-performance computing have long been thought to be incompatible with virtualization. vSphere 5.5 includes a new feature for setting latency sensitivity in order to support virtual machines with strict latency requirements. - Original Message - From: Paul Robert Marino prmari...@gmail.com To: Nico Kadel-Garcia nka...@gmail.com Cc: John Lauro john.la...@covenanteyes.com, Brandon Vincent brandon.vinc...@asu.edu, Lee Kin llwa...@gmail.com, SCIENTIFIC-LINUX-USERS@FNAL.GOV scientific-linux-users@fnal.gov Sent: Sunday, August 24, 2014 3:27:39 PM Subject: Re: about realtime system ... By the way one of those stock exchanges is where the VMware engineers told us never to use their product in production. In fact we had huge problems with VMware in our development environments because some of our applications would actually detect the clock instability in the VMware clocks and would shut themselves down rather than have inaccurate audit logs. as a result we found we had trouble even using it in our development environments.
Re: about realtime system
Seriously lets take the high frequency trading thing off this list and any one else who wants to talk to me as well a out it, I'm perfectly happy to explain it.Further more I'm willing to explain the real problems with the world financial system but not on this list and certainly not on this thread-- Sent from my HP Pre3On Aug 24, 2014 8:55 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Sun, Aug 24, 2014 at 7:50 PM, jdow j...@earthlink.net wrote: The stock exchange could remove most of the problem, meaning high frequency trades, by placing a purely random 0 to 1 second latency on all incoming data and all outgoing data. The high frequency trading reads to me as just another means of skimming now that they're not allowed to round down fractional pennies and pocket the change. It's time to give mere mortals some practical access to the exchanges. And this interest in microsecond clocks would simply vanish from the exchanges. The whole high frequency trading, low latency mess is due to leave the Linux world, at least for the hosts directly receiving the data, due to the availability of FPGA's that can live on fiber optic connections, physically adjacent to the stock market. I can say that based on interviews I did some years back, without a signed NDA for the interviews, and based on press articles on the technology. Generating the rules for the FPGA's, now, *that* is an interesting potential Linux market, and I can point people to job ads for precisely this. Tying it back to Scientific Linux, I'd *love* to see them using Scientific Linux for this due to the support available from the Scientific Linux world for oddball scientific computing requirements. And the Scientific Linux built-in integration for 3rd party repositories like EPEL and ATrpms is invaluable. On a different point, the word I can find is that the free version of VMWare does not support this "high latency sensitivity" setting. {o.o} Joanne, Just sayin' Cool thanks for looking into it!
Re: XFS and dump?
Look at CXFS your dreams of using it on other operating systems are actually possible at least on a SAN.-- Sent from my HP Pre3On Aug 2, 2014 10:53 PM, Brent L. Bates blbates1...@gmail.com wrote: I'm sorry, but the proven, reliable, and fast file system is XFS, NOT ext4. ext4 is the new kid on the block. XFS has been around for probably 20 YEARS, if not longer. Half of that time also under Linux. ext4 hasn't been around nearly that long. XFS is the tried and true, dependable, reliable, resilient, and fast file system. I've seen it survive hardware crashes and flaky disk drives and keep on going. I've used it under both 32bit (not huge disk drives) and 64bit Linux with no problems. I would not use any other file system under Linux and if I could, I'd use it under other OS's as well. It is just that good, fast, and reliable. -- Brent L. Bates Email: blbates1...@gmail.com
Re: Clarity on current status of Scientific Linux build
well what I dont understand here is all of RHEL SRPMs are on a web server an can be downloaded if you have an entitlement. all you need is 1) the CA cert located here /usr/share/rhn/RHNS-CA-CERT on any Red Hat host. 2) the entitlement cert from subscription manager winch you can get off of access.redhat.com go to Subscriptions - Subscription Management - UNITs then click on the subscription you would like to use. you will see a Download button on the top left side of the screen. 3) on the page where you downloaded the certificate there is a sub tab called Content Set take the URL's listed there and prefix them with https://cdn.redhat.com if you connect with a browser you can see its just a standard yum repo which uses the certificates for authentication, so most yum mirroring tools will work just fine as long as it can supply the the PKI (entitlement) cert to their web server. On Mon, Jun 23, 2014 at 9:54 AM, Steven Timm t...@fnal.gov wrote: I was at the HEPiX meeting at which those slides were presented and there was further discussion during the course of the week as to what would happen. RedHat/CentOS was also represented at that meeting in the person of Karanbir Singh. You should not presume that the presentations given at that meeting are the final word. You notice that nobody with a cern.ch or fnal.gov E-mail address has responded to this thread up until now. When they have something concrete they will respond with the details. Steve Timm It seems it is more likely that Scientific LInux 7 will become a Special Interest Group (SIG) of CentOS 7. See the presentations at the Hepix meeting in Annecy Le Vieux, last May, on SL 10 years, notably the ones from Connie Sieh and Jarek Polok: http://indico.cern.ch/event/274555/session/11/#20140519 Alain -- Administrateur Système/Réseau Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20) Centre de Recherche Alcatel Data IV - Marcoussis route de Nozay - 91460 Marcoussis Tel : 01-69-63-61-34 -- Steven C. Timm, Ph.D (630) 840-8525 t...@fnal.gov http://home.fnal.gov/~timm/ Fermilab Scientific Computing Division, Scientific Computing Services Quad. Grid and Cloud Services Dept., Associate Dept. Head for Cloud Computing
Re: bootable USB flash drive questions
Hi Urs here are a couple of notes on the subject I havent done it in a few years but my past experience may be useful. 1) on the subject of the mother board not supporting booting off the USB drive it doesn't matter because Grub supports it so if you install grub as the boot loader on your hard drive it can handle it for you. 2) its not the USB bandwidth you need to worry about with speed. Most USB flash drives are far slower than the USB bus some of them measure in the hundreds of Kilobytes per second so don't expect speed unless you buy a very high end Flash drive. that said Ram helps a lot and there are some other hybrid options you can look at SuSE's live (DV|C)D's traditionally allowed booting off of the CD and merging it with persistent data on disk images on an Fat32 or NTFS drive it can give you more speed but at the cost of shortening the life span of your DVD drive because of the constant use. so there are alternative options you could evaluate. 3) more ram will help the more you can keep in ram the better your performance will be. 4) do not put a swap partition on your flash drive! it will eat the total life time writes very quickly however if you absolutly need too then resuce the swappienes 5) use tempfs as much as possible. use it for /tmp and if you can for /var/run and /var/log it will eat some ram but it will significantly increase the life span of the flash drive. On Sun, Mar 23, 2014 at 5:00 AM, ToddAndMargo toddandma...@zoho.com wrote: On 03/22/2014 04:09 AM, Urs Beyerle wrote: 3) 1x DVD read is 1.3 MB/s (10.5 Mbit/s), so a 24X DVD drive will be about 30 MB/s. I guess there is no speedup using a USB 2 flash drive. Hi Urs, Just playing around with it in KVM, I'd say it boot about 4 times faster than a CD on one of my customer's computers -T -- ~~ Computers are like air conditioners. They malfunction when you open windows ~~
Re: Wanted LDAP server configuration documents
That's an old good but out of date document.The big question is do you want to do LDAP 2 or 3.The big difference is Kerberos in 3 or not and are you planning to use no encryption or SSL as in version 2 or TLS as in version 3 which is similar but has some additional DNS requirements.Also that document refers to openldap which I used for many years but I would advise you now to look at 389 server which was one of the original LDAP servers written by Netscape Security Solutions and is now owned by Red Hat also under RHDS and the basis of Oracles Directory Server due to a commercial fork agreement negotiated between SUN and AOL after AOL bought Netscape. Its not perfect but its GPL and in many ways better than OpenLDAP as a server platform and truly the good parts existed before Netscape died to the point where the first time I saw the java GUI a couple of years ago I fell on the floor litteraly bec)s of the nasty flashbacks of supporting the SCO version and the NT 4 domain controller sync plugin in the late 90s-- Sent from my HP Pre3On Mar 23, 2014 19:45, Steven Miano mian...@gmail.com wrote: This is a very good starting point:http://www.tldp.org/HOWTO/LDAP-HOWTO/installing.html On Sun, Mar 23, 2014 at 7:41 PM, Pritam Khedekar pritamkhedek...@gmail.com wrote: Dear All, Please send me some LDAP config documents if available. ASAP. -- Miano, Steven M. http://stevenmiano.com
Re: Sharing users among few hosts
TLS/SSL won't work correctly if you use the /etc/hosts file. That is the real constraint with LDAP and DNS.But its not that severe all you need to be able to do is forward and reverse lookup the host name and match it to the IP address.You do not really need the SRV records. As long as the name in the cert matches the DNS A record for the hostname(s) and the reverse lookup of the resulting IP also matches the hostname(s) in the cert you are good.One other option is you don't really need the passwords in the LDAP database you can put it in Kerberos then you don't have to worry about clear text passwords at all and there are no DNS requirements.It takes a out 15 minutes to set up a Kerberos server and only about an hour to setup 389 server (a.k.a Red Hat Directory servera.k.a. Netscape Directory Server) from scratch to use Kerberos Auth.Then on your client configs you specify the IP addresses instead of the host names.-- Sent from my HP Pre3On Feb 17, 2014 9:09, Tam Nguyen tam8gu...@gmail.com wrote: If you wanted to avoid DNS, then you can *temporarily* achieve that on RH Identity Management by updating the /etc/hosts files on the server and client nodes. -Tam On Mon, Feb 17, 2014 at 6:57 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote: Hi.I want to have several hosts, sharing the same Users Accounts database. i.e, user John will be able to seamlessly login to host1 or to host2, without having to manually config Johns credentials unto each machine. Nothing more than that...LDAP seems like the solution, however, I tried to find an easy tutorial and understood that maybe its a little bit overkill for my humble requirements. Ive read about RH Identity Management (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html) It seemed interesting; but its DNS requirements are a little bit too complicated for scenerio (having the IDM servers public IP properly configured DNS record). Am I missing something?There must be simpler way...Thanks,Zvika
Re: Exchange server alternative?
You know what you also can't do with Gmail create a SOX compliant export for regulators if you get audited.So if there is reason to believe that your companies emails contains data pertinent to the financial transactions of your company and your company gets audited you are in deep trouble. It is also the legal responsibility of the person or people in charge of maintaining the email system to ensure the compliant backups are taken and made available upon request.That's why most large and or financial companies in the united states won't use it.And some times the regulators are the ones who are actually asking for the tap via a compliance officer on some ones emails without managerial approval and its really bad if they can't do that.You can thank Enron for that.-- Sent from my HP Pre3On Feb 9, 2014 1:25, Nico Kadel-Garcia nka...@gmail.com wrote: On Sat, Feb 8, 2014 at 6:53 PM, Paul Robert Marino prmari...@gmail.com wrote: info sec is not the problem it's a record keeping issue. Info sec for email is *always* a problem. It's also critical to the record keeping: the ability to re-route, or delete, or backfill email needs to be handled. (Do not get me *started* on desires to backfill email that never happened, or to silently tap people's email with or without managerial permission! Switching to GMail made it possible for me to say "can't be done!!!" and avoid responsibility for such abuses.) Fortunately, modern IMAP based email systems give easy ways to transfer or replicate email wholesale ti alternative servers, wholesale. Thank you, *gods* for the migration from POP based services, which have mostly disappeared but stored all the folder information on the client. For most clients, they can pretty much cut and paste their old Exchange folders to a new IMAP environment. *Migrating* from Exchange to the new environment takes time and effort. For folks recommending Zimbra or Zarafa, I'd be very curious how they migrate data from Exchange clients. I'm sure that part's not just "drop-in replacement".
Re: Exchange server alternative?
have you looked at openchange http://www.openchange.org/index.html It's been a few years since I looked at it but the goal is to create a exchange server replacement. On Sat, Feb 8, 2014 at 11:34 AM, Nico Kadel-Garcia nka...@gmail.com wrote: Whoops, sorry! I thought you were looking for an AD replacement, not an Exchange replacement. To replace Exchange, run, do not walk, to Google Apps for Business. It works very well, you don't have to maintain your own expert IT infrastructure to deal with the vagaries and backups and security of email handling, and their uptime exceeds that of any internal business email setup I've ever seen or helped run. You lose Outlook based calendar functionality, but you gain document sharing and collaboration to replace emailing bulky email documents around. And it plays very, very well with Linux clients such as Scientific Linux and even cell phones, unlike the Exchange suite. The spam filtering is also *ery* good. Unless you've got some very large demands for customized internal services or security far beyond that of most small shops, don't burn your time on setting up your own messaging or collaborative suite. Between managing high reliability services, backups, denial-of-service attacks, system security, customization requests, and migrating users to new tool suites, you'll burn up any benefits from having it in house with months, if not within minutes, of first running it in house in a small environment. If you *have* to continue with Outlook based clients, especially for calendaring, look at Microsoft's Online365 services. I'm afraid I can't recommend the locally installed, Linux based, messaging suite replacements for Exchange. I tried Zimbra under RHEL/CentOS some years back, and rejected it as too bulky and far too expensive in engineering time to maintain. I hope it's gotten better since, but it suffered from the same problem as Exchange: awkward integration of conflicting components and their requirements. I don't expect the mentioned Zarafa tool suite to do it any better, but I'd be curious to see more recent experience with either. Nico Kadel-Garcia nka...@gmail.com
Re: What happened to adobe repository ?
FYI they also did the same thin with Shockwave Flash player for Linux too.Apparently Adobe doesn't care about the linux user market share any more.-- Sent from my HP Pre3On Jan 15, 2014 10:56, Graham Allan al...@physics.umn.edu wrote: On 1/15/2014 4:20 AM, Urs Beyerle wrote: Adobe discontinued the Adobe Reader 9 for Linux in June 2013 and has not fixed and will not fix any further security issues in it. Therefore it makes totally sense to remove it from their repo. I'm not disagreeing with you but it's still a breathtakingly crappy way of handling it. Acroread for linux is still available as a regular web download, so it's not remotely obvious that it's desupported unless you follow the news independently. For example it might have been worth a final mention on Adobe's "acrobat for unix" blog http://blogs.adobe.com/acroread/ rather than leaving that abandoned since 2010! Graham
RE: Fedora Scientific Spin
I'm not touching this question lol.-- Sent from my HP Pre3On Jan 15, 2014 22:40, Jean-Victor Côté jean-v.c...@sympatico.ca wrote: There could be a Long Term Support (LTS) option for Fedora Scientific, built from the latest stable release and tested by the builders. This sounds a bit like Ubuntu, which might also benefit from a scientific version. Further upstream, there is Debian Science, which can be built upon directly and which even has versions for many branches of science: https://wiki.debian.org/DebianScience/Jean-Victor Côté Date: Wed, 15 Jan 2014 19:06:39 -0800 From: ykar...@csusb.edu To: scientific-linux-users@fnal.gov Subject: Re: Fedora Scientific Spin On 01/15/2014 04:36 PM, Andrew Z wrote: Would not it be sufficient to have a "scientific applications" group in the installer? On Jan 15, 2014 7:29 PM, "Jean-Victor Côté" jean-v.c...@sympatico.ca mailto:jean-v.c...@sympatico.ca wrote: They have included interesting IDEs: https://fedoraproject.org/wiki/Scientific_Spin Collaboration between the two projects might prove fruitful, who knows? Jean-Victor Côté, M.Sc.(Sciences économiques), (CPA, CMA), Post MBA J'ai aussi passé d'autres examens, dont les examens CFA. J'ai un profil Viadeo sommaire: http://www.viadeo.com/fr/profile/jean-victor.cote I also have a LinkedIn profile: http://www.linkedin.com/profile/view?id=2367003trk=tab_pro Whether or not a "scientific spin" is placed on Fedora, such an approach does not address the fundamental issue. Fedora is an enthusiast perpetually alpha or beta distribution, never designed as a stable, "bulletproofed", production distribution. For many EL users, clone or TUV, the reason is stability. I do not need nor use beta environments except for testing or for those situations in which I am forced to use a Microsoft product (e.g., MS Win under VirtualBox under Linux). Thus, any Fedora environment simply does not address the needs of my work. Yasha Karant
Re: RedHat CentOS acquisition: stating the obvious
Well in general my company uses SL or depending on the business unit CentOS for non critical systems and Red Hat on every thing mission critical, not because they think it works better just because of appearances. If there is an outage on a critical system that effects the bottom line the first question they will be asked by the board of directors is what linux distro it was running on and if director of the department doesn't say Red Hat with a current support agreement then the board knows who to make their scapegoat. If the director answers Red Hat and we have support then they look else where for a scapegoat. Also market analysts look at the distro when they evaluate your projected stock value and they tend to give higher estimates if you can say all your linux boxes run Red Hat.-- Sent from my HP Pre3On Jan 14, 2014 18:01, John Lauro john.la...@covenanteyes.com wrote: Your first assumption, although largely correct as a generality it is not entirely accurate, and at a minimum is not the sole purpose. That is why companies have mission statements. They rarely highlight the purpose of making money, although that is often the main purpose even if not specified. What is Red Hat's mission? It is listed as: To be the catalyst in communities of customers, contributors, and partners creating better technology the open source way. Making things exceedingly difficult would go against the stated mission. In my opinion it would also go against making money as it would kill the eco system of vendors that support RedHat Enterprise Linux for their applications. There are so many distributions out there, the biggest way for them to not make money is to become insignificant. Having free alternatives like Centos keeps high market share of the EL product and ensures compatibility and a healthy eco system. If there was not open clones of EL, then ubuntu or something else would take over and the main supported platform of enterprise applications, and then the large enterprises that pay for RedHat support contracts would move completely off. Having people use Centos or Scientific linux might not directly help the bottom line, but for RedHat it's a lot better than having people use ubuntu or suse. Oracle not being free could pose a bigger threat, but either RedHat remains on top as they are the main source for good support, or they do not and Oracle will have to pick up the slack for driving RedHat out of business. and what's left of RedHat would have to start using Oracle as TUV... I don't see too many switching to Oracle besides those that are already Oracle shops.- Original Message - From: "Patrick J. LoPresti" lopre...@gmail.com To: scientific-linux-users@fnal.gov Sent: Tuesday, January 14, 2014 12:45:01 PM Subject: RedHat CentOS acquisition: stating the obvious RedHat is a company. Companies exist for the sole purpose of making money. Every action by any company -- literally every single action, ever -- is motivated by that goal. The question you should be asking is: How does Red Hat believe this move is going to make them money? Those were statements of fact. What follows is merely my opinion. Right now, anybody can easily get for free the same thing Red Hat sells, and their #1 competitor is taking their products, augmenting them, and reselling them. If you think Red Hat perceives this as being in their financial interest, I think you are out of your mind. SRPMs will go away and be replaced by an ever-moving git tree. Red Hat will make it as hard as legally possible to rebuild their commercial releases. The primary target of this move is Oracle, but Scientific Linux will be collateral damage. I consider all of this pretty obvious, but perhaps I am wrong. I hope I am. - Pat
Re: Centos vs. SL
Well correction that was one of the original goals of LTS (Long term support Linux) which was the name of one of the two efforts which were combine to create SL. Since then TUV a.k.a Red Hat has changed their lifecycle policy and made it much longer that it had been prior to RHEL 4I'm sure though if Red Hat decided to go back to a two or three year life cycle then SL's policy would change back to providing security patches over a longer period of time.-- Sent from my HP Pre3On Jan 9, 2014 18:39, Ian Murray murra...@yahoo.co.uk wrote: On 09/01/14 23:13, Paul Robert Marino wrote: SL is an exact match to RHEL with only a few variations such as the removed the client for Red Hats support site integration and added a few things like AFS because their labs need it. The differences are well documented in the release notes and its a short list. In addition SL guarantees long term patch availability even if Red Hat is no longer supporting that release. This wasn't my understanding. According to this page https://www.scientificlinux.org/distributions ... " * We plan on following the TUV Life Cycle. Provided TUV continues to make the source rpms publicly available." ... which disagrees with your statement. At least the way I read it. CentOS tends to do thing like update the PHP libraries to make it easier for web developers. And as a result they take longer for many security patches because they occasionally hit dependency issues due to the packages they have updated. I am pretty sure the base release does not do this kind of thing by default. It would be a major deviation from being "binary compatible" with upstream vendor, which is how I recall their stated goal to be. It may be optional, however. -- Sent from my HP Pre3 On Jan 9, 2014 13:17, Orion Poplawski or...@cora.nwra.com wrote: On 01/09/2014 05:54 AM, Adrian Sevcenco wrote:. What technical differences would be between CentOS + scientific repo and SL? Just a personal thought, but maybe this would free some human resources for maintaining a lot of scientific (and IT/grid related) packages in well established repos (like epel, fedora/rpmfusion) Thanks! Adrian Well, for me the main difference between CentOS and SL is that with SL you can stay on EL point releases. That would require a major change in the CentOS infrastructure to support it. Worth exploring though... -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com
Re: DNS Servers
Bind works well period!That said one of my favorite DNS appliances uses PowerDNS under the hood and it works very well too if you configure it correctly.The others I really can't speak to because I've never used them.It really comes down to this you need to balance your budget as compared to man hours. I tend to use appliances for my core DNS servers where ever possible because there are a lot of really good ones and I have support staff time limitations, but I also use Bind 9 slave servers to handle most of the actual query traffic because it reduces my support and equipment costs. That said if you are more concerned about the initial upfront cost and support cost than man hours Bind is the safest bet because its the standard that all the others are based on.-- Sent from my HP Pre3On Jan 9, 2014 19:28, Steven Haigh net...@crc.id.au wrote: On 10/01/2014 11:16 AM, Jeremy Wellner wrote: I've been using BIND on RHEL5 for years and it's come time to overhaul those venerable DNS boxes. I've seen alot of alternatives like NSD, PowerDNS, YADIFA, and others but I'm wondering what experience has been with going to something other than BIND. Having a database backend is very attractive, but so is having a manageable GUI for those in the department that work with adding devices and are scared of text files and the black of terminal. Use bind. DNS is all about reliability - not pretty or GUIs... -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: DNS Servers
I in theory would like webmin for this in a fast and dirty development environment, but it still has too many infosec problems for my taste for production.In the past when I had the time and work driven focus to harden webmin with only custom module which all used sudo for an appliance I was able to reconcile my issues, but in production as is it stock webmin is risky. Many if these concerns could be handles by selinux now but the webmin developers are still behind the ball on writing the appropriate rules or even requiring module writer to include the prerequisite rules so I still wouldn't consider it in production. -- Sent from my HP Pre3On Jan 9, 2014 19:50, Nico Kadel-Garcia nka...@gmail.com wrote: BIND for the server, "webmin" for the configuration tool. and my presentation at SVNday a few years ago if you wnat notes on how to put it under source control. Don't forget "mkrdns" for generating your reverse DNS reliably: the RPM building tools are at https://github.com/nkadel/repoforge-rpms-nkadel-dev/tree/master/specs/mkrdns/ On Thu, Jan 9, 2014 at 7:26 PM, Steven Haigh net...@crc.id.au wrote: On 10/01/2014 11:16 AM, Jeremy Wellner wrote: I've been using BIND on RHEL5 for years and it's come time to overhaul those venerable DNS boxes. I've seen alot of alternatives like NSD, PowerDNS, YADIFA, and others but I'm wondering what experience has been with going to something other than BIND. Having a database backend is very attractive, but so is having a manageable GUI for those in the department that work with adding devices and are scared of text files and the black of terminal. Use bind. DNS is all about reliability - not pretty or GUIs... -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: Centos / Redhat announcement
Absolutely right. Red Hat is only obliged to provide source code to those who they have shared the software with, nor are they required to package the software and thief patches in an easy to compile format like source RPM packages.Now there is absolutely nothing that prevents some one who pays for Red Hat 'support' from re-sharing it but Redhat has always gone above and beyond the requirements of the GPL. But their is also nothing in the gpl that requires them to make it easy which they do.There are plenty of companies I've worked for that license software the write as GPL but don't share it with any one else but their subsidiaries and based on their employment contracts the employees who use the software as part of their job are not technically covered under the shared with clause of the GPL so its highly unlikely you will se any of them on a public web server ever.The GPL is far more subtle in legal terms than most programmers it users really understand.That said...As I've said before can we please stop this speculation train its giving me a migraine and I want to get off lol.-- Sent from my HP Pre3On Jan 9, 2014 20:46, zxq9 z...@zxq9.com wrote: On Friday 10 January 2014 01:14:02 Ian Murray wrote: On 10/01/14 00:16, jdow wrote: Don't forget that GPL means you must have the sources available when asked for. And this obligation only applies to Red Hat's customers, not to us. I have been struggling with this myself tbh. If RH adds a line in a GPL program that says "Welcome to Red Hat", releases the binary as RHEL and then modifies it for CentOS to read "Welcome to CentOS" and only releases the source that says "Welcome to CentOS", then they are in technical violation of the GPL, I would say. (IANAL). No, if you received the CentOS binaries you are only entitled to receive the sources to those binaries (not the Red Hat ones). GPL does not mandate that sources get released publicly, only to parties to whom a program has been directly distributed. Folks who are not Red Hat customers have not received programs from Red Hat, we've received the same programs from other places (CentOS, SL, or to be more legally accurate, mirror locations) and it is those other projects/providers who are obliged to make programs available in source form. The fact that the GPL and related licenses also guarantee that any customer can distribute the source (but not a copy of the binary) to anyone they want means its almost impossible to can or gag a successful piece of GPL software. As a business it is better to control that release process than to be blindsided by it, so Red Hat has fully embraced the open source community idea and always provided public access to source -- but they are not obligated to do so.
Re: DNS Servers
Its doable to have bind be your DNS for AD it just takes some work and planing. The primary thing is make sure dynamic DNS works properly.The big catches there are making sure you have the right Service entries and ensuring dynamic DNS works correctly. By the way neither of theism are AD specific requirements they actually stem from the RFCs that describe LDAP 3 and the RFCs which describe TLS and Kerberos V which the LDAP 3 RFC's reference. Essentially AD is Microsoft's implementation of LDAP 3 and since Windows server 2008 its very RFC compliant with some Microsoft windows specific optimizations and automation-- Sent from my HP Pre3On Jan 9, 2014 21:38, Jeremy Wellner jwell...@stanwood.wednet.edu wrote: Thats a resounding stay the course and I dont mind that one bit. Its been rock solid and Ive been happy with it.So as a secondary question, we are planning on adding Active Directory in to our network and I know that it is very particular about its DNS. Will AD be happy with being given a delegate domain to have as its sandbox or does that throw my BIND install out the window? Thank you all for the advise!! :)
Re: Still having problem with epel
sounds like a bad mirror or an SSL issue. Here are possible things on your host or network that can cause SSL not to work correctly 1) your system clock is severely incorrect time by a few hours or days this can cause an error because one of the systems thinks its a replay attack. 2) you must have full forward and revers lookup of the DNS host name and IP's in the servers and the CNAME on the reverse lookup of the IP must match. this can be caused by a caching DNS which ignores TTL's. On Fri, Jan 3, 2014 at 2:21 AM, Mahmood Naderan nt_mahm...@yahoo.com wrote: As stated by Zvika, it seems that I have problem with https connections. So replacing https with http in epel.repo temporarily fixed the issue. Regards, Mahmood
Re: Network dies unexpectedly
This was caused by an internal hardware watchdog built into Intel network cards, it detected an error and disabled the interface on the hardware level until you rebooted and the cards memory was cleared. It looks like the card may have lost clock sync with its neighbor which is odd that basically means it wasn't sending out the 5 volt signal used for frequency sync. I've worked with Intel cards for probably over a decade and Ive never seen this exact error before. Try rolling back to the previous kernel version however this looks more like it may be a physical hardware issue. On Thu, Dec 26, 2013 at 12:40 PM, Galante, Nicola ngala...@cfa.harvard.edu wrote: Greetings, I administer a web server for my institution and last night we had a problem. The server is a 1U Intel Xeon E5620 machine. The on-board network interface is an Intel 82574L Gigabit Controller. Scientific Linux 6.4, kernel 2.6.32-431.1.2.el6.x86_64. At some point last night the network interface stopped working giving a backtrace on dev_watchdog. I could not restart the service network, it complained that the interface eth0 was not available. I tried to reconfigure it with NetworkManager, unsuccessfully. A full system reboot fixed the problem, although I couldn't identify the problem. I do not know if this matters, but this problem never occurred before the last yum update. Here below the portion of /var/log/messages that relates to the problem = Dec 25 20:01:52 veritasm xinetd[1966]: EXIT: nrpe status=0 pid=20943 duration=0(sec) Dec 25 20:02:21 veritasm xinetd[1966]: START: nrpe pid=20947 from=:::199.104.151.131 Dec 25 20:02:21 veritasm xinetd[1966]: EXIT: nrpe status=0 pid=20947 duration=0(sec) Dec 26 02:18:37 veritasm kernel: [ cut here ] Dec 26 02:18:37 veritasm kernel: WARNING: at net/sched/sch_generic.c:261 dev_watchdog+0x26b/0x280() (Not tainted) Dec 26 02:18:37 veritasm kernel: Hardware name: X8DTL Dec 26 02:18:37 veritasm kernel: NETDEV WATCHDOG: eth0 (e1000e): transmit queue 0 timed out Dec 26 02:18:37 veritasm kernel: Modules linked in: autofs4 8021q sunrpc garp stp llc cpufreq_ondemand acpi_cpufreq freq_table mperf ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 microcode iTCO_wdt iTCO_vendor_support sg i2c_i801 i2c_core lpc_ich mfd_core e1000e ptp pps_core ioatdma dca i7core_edac edac_core shpchp ext4 jbd2 mbcache raid1 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan] Dec 26 02:18:37 veritasm kernel: Pid: 130, comm: kipmi0 Not tainted 2.6.32-431.1.2.el6.x86_64 #1 Dec 26 02:18:37 veritasm kernel: Call Trace: Dec 26 02:18:37 veritasm kernel: IRQ [81071e27] ? warn_slowpath_common+0x87/0xc0 Dec 26 02:18:37 veritasm kernel: [81071f16] ? warn_slowpath_fmt+0x46/0x50 Dec 26 02:18:37 veritasm kernel: [8147b75b] ? dev_watchdog+0x26b/0x280 Dec 26 02:18:37 veritasm kernel: [8105dd5c] ? scheduler_tick+0xcc/0x260 Dec 26 02:18:37 veritasm kernel: [8147b4f0] ? dev_watchdog+0x0/0x280 Dec 26 02:18:37 veritasm kernel: [81084b07] ? run_timer_softirq+0x197/0x340 Dec 26 02:18:37 veritasm kernel: [810ac905] ? tick_dev_program_event+0x65/0xc0 Dec 26 02:18:37 veritasm kernel: [8107a8e1] ? __do_softirq+0xc1/0x1e0 Dec 26 02:18:37 veritasm kernel: [810ac9da] ? tick_program_event+0x2a/0x30 Dec 26 02:18:37 veritasm kernel: [8100c30c] ? call_softirq+0x1c/0x30 Dec 26 02:18:37 veritasm kernel: [8100fa75] ? do_softirq+0x65/0xa0 Dec 26 02:18:37 veritasm kernel: [8107a795] ? irq_exit+0x85/0x90 Dec 26 02:18:37 veritasm kernel: [815310ba] ? smp_apic_timer_interrupt+0x4a/0x60 Dec 26 02:18:37 veritasm kernel: [8100bb93] ? apic_timer_interrupt+0x13/0x20 Dec 26 02:18:37 veritasm kernel: EOI [8152a367] ? _spin_unlock_irqrestore+0x17/0x20 Dec 26 02:18:37 veritasm kernel: [812e7790] ? ipmi_thread+0x70/0x1c0 Dec 26 02:18:37 veritasm kernel: [812e7720] ? ipmi_thread+0x0/0x1c0 Dec 26 02:18:37 veritasm kernel: [8109af06] ? kthread+0x96/0xa0 Dec 26 02:18:37 veritasm kernel: [8100c20a] ? child_rip+0xa/0x20 Dec 26 02:18:37 veritasm kernel: [8109ae70] ? kthread+0x0/0xa0 Dec 26 02:18:37 veritasm kernel: [8100c200] ? child_rip+0x0/0x20 Dec 26 02:18:37 veritasm kernel: ---[ end trace fc057a7fca6eff49 ]--- Dec 26 02:18:37 veritasm kernel: e1000e :06:00.0: eth0: Reset adapter unexpectedly Dec 26 02:18:37 veritasm NetworkManager[1724]: info (eth0): carrier now OFF (device state 8, deferring action for 4 seconds) Dec 26 02:18:38 veritasm kernel: e1000e :06:00.0: eth0: Timesync Tx Control register not set as expected Dec 26 02:18:41
Re: Expansion plans
Look ahh the stock virtualization under SL6 with oVirt as a manager especially if you have any real time requirements as long as you don't over book the CPU cores or if you need PCIe pass through of hardware cards its a much better choice than VMware.For authentication look at FreeIPAAnd for unified storage Gluster with Samba 4 and CTDB will integrate your storage nicely.-- Sent from my HP Pre3On Dec 15, 2013 15:37, Jeff Siddall n...@siddall.name wrote: On 12/15/2013 03:17 PM, Larry Linder wrote: New project for next January. We are getting ready to expand our lab and plan to install a terminal with large displays at each bench. The bench will support one or two projects and I hate the thought of setting up 6 new SL 6.4's so there is access to schematics, parts lists, layouts, and drawings. In the past we have used NFS to do this. I have thought about setting up a VMware server and running SL 5.10 and Windows under it. The problem is how to tie it all to one or two servers in the shop without this turning into a big dog performance wise. Since we plan to use the same hardware we need to mod all SL6.4 so that Ethernet works correctly. SL5.10 works out of the box. We really like the Gigabyte boards and AMD quad cores. We quit buying other brands because of bad brown capacitors that bulge and start leaking before the board / processor fails. When you start replacing 50 or so boards it is a real problem. Wile we are at it we need to set up other boxes for shop, receiving and shipping with printers. I hate to say this we are still running a "sneaker net". We are basically an electronic engineering company that is looking more like a factory. Sounds like the perfect use for LTSP: https://fedorahosted.org/k12linux/ Basically a couple of packages to install on a normal SL system plus a client image to install and you are good to go. there may even be a live CD/USB if you want to try it out that way. The terminals (clients) can be very lightweight and are typically diskless (boot off the network with PXE). I mostly use Atom all-in-one systems. Even the server doesn't have to be too big if you aren't doing anything particularly CPU or RAM intensive. It's a bit of configuring and messing around to get it all the way you want it up front but having only one "box" to maintain is a sysadmin dream and is highly worth the effort in my experience. Jeff
Re: Unexplained Kernel Panic / Hung Task
Yup that's a hardware problem.It may be a bad firmware on the controller I would check the firmware version first and see if there is a patch. I've seen this kind of thing with Dell OEMed RAID controllers enough over the years that that's almost always the first thing I try.-- Sent from my HP Pre3On Dec 4, 2013 8:21, ~Stack~ i.am.st...@gmail.com wrote: Greetings, I have a test system I use for testing deployments and when I am not using it, it runs Boinc. It is a Scientific Linux 6.4 fully updated box. Recently (last ~3 weeks) I have started getting the same kernel panic. Sometimes it will be multiple times in a single day and other times it will be days before the next one (it just had a 5 day uptime). But the kernel panic looks pretty much the same. It is a complaint about a hung task plus information about the ext4 file system. I have run the smartmon tool against both drives (2 drives setup in a hardware RAID mirror) and both drives checkout fine. I ran a fsck against the / partition and everything looked fine (on this text box there is only / and swap partitions). I even took out a drive at a time and had the same crashes (though this could be an indicator that both drives are bad). I am wondering if my RAID card is going bad. When the crash happens I still have the SSH prompt, however, I can only do basic things like navigating directories and sometimes reading files. Writing to a file seems to hang, using tab-autocomplete will frequently hang, running most programs (even `init 6` or `top`) will hang. It crashed again last night, and I am kind of stumped. I would greatly appreciate others thoughts and input on what the problem might be. Thanks! ~Stack~ Dec 4 02:25:09 testbox kernel: INFO: task jbd2/cciss!c0d0:273 blocked for more than 120 seconds. Dec 4 02:25:09 testbox kernel: "echo 0 /proc/sys/kernel/hung_task_timeout_secs" disables this message. Dec 4 02:25:09 testbox kernel: jbd2/cciss!c0 D 0 273 2 0x Dec 4 02:25:09 testbox kernel: 8802142cfb30 0046 8802138b5800 1000 Dec 4 02:25:09 testbox kernel: 8802142cfaa0 81012c59 8802142cfae0 810a2431 Dec 4 02:25:09 testbox kernel: 880214157058 8802142cffd8 fb88 880214157058 Dec 4 02:25:09 testbox kernel: Call Trace: Dec 4 02:25:09 testbox kernel: [81012c59] ? read_tsc+0x9/0x20 Dec 4 02:25:09 testbox kernel: [810a2431] ? ktime_get_ts+0xb1/0xf0 Dec 4 02:25:09 testbox kernel: [810a2431] ? ktime_get_ts+0xb1/0xf0 Dec 4 02:25:09 testbox kernel: [81119e10] ? sync_page+0x0/0x50 Dec 4 02:25:09 testbox kernel: [8150e953] io_schedule+0x73/0xc0 Dec 4 02:25:09 testbox kernel: [81119e4d] sync_page+0x3d/0x50 Dec 4 02:25:09 testbox kernel: [8150f30f] __wait_on_bit+0x5f/0x90 Dec 4 02:25:09 testbox kernel: [8111a083] wait_on_page_bit+0x73/0x80 Dec 4 02:25:09 testbox kernel: [81096de0] ? wake_bit_function+0x0/0x50 Dec 4 02:25:09 testbox kernel: [8112f115] ? pagevec_lookup_tag+0x25/0x40 Dec 4 02:25:09 testbox kernel: [8111a4ab] wait_on_page_writeback_range+0xfb/0x190 Dec 4 02:25:09 testbox kernel: [8125d42d] ? submit_bio+0x8d/0x120 Dec 4 02:25:09 testbox kernel: [8111a56f] filemap_fdatawait+0x2f/0x40 Dec 4 02:25:09 testbox kernel: [a004de59] jbd2_journal_commit_transaction+0x7e9/0x1500 [jbd2] Dec 4 02:25:09 testbox kernel: [8100975d] ? __switch_to+0x13d/0x320 Dec 4 02:25:09 testbox kernel: [81081b5b] ? try_to_del_timer_sync+0x7b/0xe0 Dec 4 02:25:09 testbox kernel: [a0054148] kjournald2+0xb8/0x220 [jbd2] Dec 4 02:25:09 testbox kernel: [81096da0] ? autoremove_wake_function+0x0/0x40 Dec 4 02:25:09 testbox kernel: [a0054090] ? kjournald2+0x0/0x220 [jbd2] Dec 4 02:25:09 testbox kernel: [81096a36] kthread+0x96/0xa0 Dec 4 02:25:09 testbox kernel: [8100c0ca] child_rip+0xa/0x20 Dec 4 02:25:09 testbox kernel: [810969a0] ? kthread+0x0/0xa0 Dec 4 02:25:09 testbox kernel: [8100c0c0] ? child_rip+0x0/0x20 Dec 4 02:25:09 testbox kernel: INFO: task master:1058 blocked for more than 120 seconds. Dec 4 02:25:09 testbox kernel: "echo 0 /proc/sys/kernel/hung_task_timeout_secs" disables this message. Dec 4 02:25:09 testbox kernel: masterD 0 1058 1 0x0080 Dec 4 02:25:09 testbox kernel: 88021535d948 0082 88021535d8d8 81065c75 Dec 4 02:25:09 testbox kernel: 880028216700 88021396b578 880214336ad8 880028216700 Dec 4 02:25:09 testbox kernel: 88021396baf8 88021535dfd8 fb88 88021396baf8 Dec 4 02:25:09 testbox kernel: Call Trace: Dec 4 02:25:09 testbox kernel: [81065c75] ? enqueue_entity+0x125/0x410 Dec 4 02:25:09 testbox kernel: [810a2431] ? ktime_get_ts+0xb1/0xf0 Dec 4 02:25:09 testbox kernel: [811b62b0] ? sync_buffer+0x0/0x50 Dec 4
Re: Unexplained Kernel Panic / Hung Task
Well I tend to discount the driver idea because of an other problem he has involving multiple what I think are identical machines . Also any problems I've ever had with the ccsis driver were usually firmware related an a update or roll back usually corrects them.Besides the based on what I've heard this is low budget equipment and ProLiants aren't cheap. If I had to guess we are talking about Dells.-- Sent from my HP Pre3On Dec 4, 2013 18:36, David Sommerseth sl+us...@lists.topphemmelig.net wrote: On 04/12/13 14:21, ~Stack~ wrote: Greetings, I have a test system I use for testing deployments and when I am not using it, it runs Boinc. It is a Scientific Linux 6.4 fully updated box. Recently (last ~3 weeks) I have started getting the same kernel panic. Sometimes it will be multiple times in a single day and other times it will be days before the next one (it just had a 5 day uptime). But the kernel panic looks pretty much the same. It is a complaint about a hung task plus information about the ext4 file system. I have run the smartmon tool against both drives (2 drives setup in a hardware RAID mirror) and both drives checkout fine. I ran a fsck against the / partition and everything looked fine (on this text box there is only / and swap partitions). I even took out a drive at a time and had the same crashes (though this could be an indicator that both drives are bad). I am wondering if my RAID card is going bad. When the crash happens I still have the SSH prompt, however, I can only do basic things like navigating directories and sometimes reading files. Writing to a file seems to hang, using tab-autocomplete will frequently hang, running most programs (even `init 6` or `top`) will hang. It crashed again last night, and I am kind of stumped. I would greatly appreciate others thoughts and input on what the problem might be. Thanks! ~Stack~ Dec 4 02:25:09 testbox kernel: INFO: task jbd2/cciss!c0d0:273 blocked for more than 120 seconds. Dec 4 02:25:09 testbox kernel: "echo 0 /proc/sys/kernel/hung_task_timeout_secs" disables this message. Dec 4 02:25:09 testbox kernel: jbd2/cciss!c0 D 0 273 2 0x Dec 4 02:25:09 testbox kernel: 8802142cfb30 0046 8802138b5800 1000 Dec 4 02:25:09 testbox kernel: 8802142cfaa0 81012c59 8802142cfae0 810a2431 Dec 4 02:25:09 testbox kernel: 880214157058 8802142cffd8 fb88 880214157058 Dec 4 02:25:09 testbox kernel: Call Trace: Dec 4 02:25:09 testbox kernel: [81012c59] ? read_tsc+0x9/0x20 This looks like some locking issue to me, triggered by something around the TSC timer. This is either a buggy driver (most likely the ccsis driver) or a related firmware (read the complete boot log carefully, look after firmware warnings). Or it's a really unstable TSC clock source. Try switching from TSC to HPET (or in really worst case acpi_pm). See this KB for some related info: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_MRG/2/html/Realtime_Reference_Guide/chap-Realtime_Reference_Guide-Timestamping.html But my hunch tells me it's a driver related issue, with some bad locking. There seems to be several filesystem operations happening on two or more CPU cores in a certain order which seems to trigger a deadlock. -- kind regards, David Sommerseth
Re: Unexplained Kernel Panic / Hung Task
If not down rev it to the same version as the one that works.It isn't hard to do with their utilities because those of us who work in mission critical environment have hammered it into their heads that its an absolute requierment-- Sent from my HP Pre3On Dec 4, 2013 19:12, ~Stack~ i.am.st...@gmail.com wrote: On 12/04/2013 05:51 PM, Paul Robert Marino wrote: Well I tend to discount the driver idea because of an other problem he has involving multiple what I think are identical machines . Also any problems I've ever had with the ccsis driver were usually firmware related an a update or roll back usually corrects them. Besides the based on what I've heard this is low budget equipment and ProLiants aren't cheap. If I had to guess we are talking about Dells. You are right, in that I am experiencing two different issues and the vast majority of my test lab is older cast-away parts. The difference is that both issues are on very different systems. The DHCP problem is on a bunch of similar generic Dells. This particular problem is on a HP Prolient DL360 G4 which its twin (same hardware specs and thanks to Puppet should be dang-near identical in terms of software) so far has not displayed this problem. Because the twin isn't having this problem and the problem only started ~3 weeks ago is why I thought for the last few weeks it was a disk drive problem. I am looking up the firmware versions for this box now. I am not hopeful that I will find a newer firmware for this old of a system though. Still, totally worth the try! :-) Thanks! ~Stack~
RE: issue in CD not ejecting at the end of OS installation
Eject is a valid kickstart directive you don't need to put it in a post. Additionally if you don't include the eject package in your package then in a post statement it won't work because the post by default execute chrooted into the installed OS-- Sent from my HP Pre3On Oct 21, 2013 8:13, Edison, Arul (GE Healthcare) aruljeyananth.jamesedi...@ge.com wrote: Hi All, In the kick start file, I have mentioned eject at post section at the end. Still installation DVD is not ejecting . suggestion on what needs to be configured is welcome #platform=x86, AMD64, or Intel EM64T #version=DEVEL # Firewall configuration firewall --disabled install cdrom graphical firstboot --disable keyboard us lang en_US selinux --disabled logging --level=info . %packages %post eject %end -Original Message- From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Edison, Arul (GE Healthcare) Sent: Monday, October 21, 2013 3:54 PM To: scientific-linux-users@fnal.gov Subject: issue in CD not ejecting at the end of OS installation HI, I am porting my application from Redhat to Scientific Linux 6.3 In Scientific Linux the CD is not ejecting at the end of installation though I have added eject at the end of my kick start file. Can someone point how to fix this issue Thanks, Arul
Re: NFTables To Replace iptables In the Linux Kernel
Well I've heard this before Nf-Hipac http://www.hipac.org/ was at one time slated to be the next big thing. I'm not holding my breath on this one and if it does replace all of the existing tools expect it to be a few years before you see it in production any where. On Mon, Oct 21, 2013 at 1:47 PM, Jos Vos j...@xos.nl wrote: On Mon, Oct 21, 2013 at 08:34:58AM -0700, Yasha Karant wrote: [...] -- the actual name of TUV, that evidently is taboo on this list, [...] Evidently? It's complete nonsense to NOT use the name of TUV here or at whatever place, as long as you don't say things about SL in relation to TUV and/or their products that are illegal. I thought only the CentOS community was (for no good reason) paranoid. In the time I created and released X/OS Linux, being also rebuild of the Red Hat Enterprise Linux 3/4/5 sources, I did mention Red Hat, RHEL, etc., but only as far as appropriate and allowed of course. Nonetheless, once a major change (e.g., NFTables replacing iptables) is done in the base source, the production enterprise version must reflect the change -- and in less than a decade. Why less than a decade? Unless there is a fully backward compatible set of APIs, new applications and revisions typically use the current not historical APIs. Presumably, there will be NFTables features that application developers will use that have no iptables backport. Thus -- how long is the delay? Typically, are two major releases (e.g., NFTables in EL8) the usual delay? Does anyone have historical data from EL/TUV? Fedora 20 seems to use the 3.11 kernel, so it won't have a kernel with NFTables. RHEL 7 is already being developed (and in alpha stage as far as I've heard) and will most likely have a kernel = 3.11, so this makes the statement that EL7 probably won't either very trustworthy. There are no statistics about delays etc. needed to just see that RHEL 7 won't use a kernel that supports NFTables. So, there is no artificial delay created by RH to postpone things in RHEL, it's just common sense when someone says this about NFTables in relattion to RHEL 7. -- --Jos Vos j...@xos.nl --X/OS Experts in Open Systems BV | Phone: +31 20 6938364 --Amsterdam, The Netherlands| Fax: +31 20 6948204
Re: how to change the CD mount point
Um well that's not a porting issue that's a basic sysadmin issue.If the CD isn't being automouted by a GUI like they usually are nowadays then look at '/etc/fstab'.-- Sent from my HP Pre3On Oct 15, 2013 8:07, Edison, Arul (GE Healthcare) aruljeyananth.jamesedi...@ge.com wrote: HI, I am porting my application from Redhat to Scientific Linux 6.3 In Scientific Linux, the CD is mounted to mount point /media/CDROM_ I would like to change the mount point location to /mnt/cdrom Any idea what is the configuration to change this? Thanks, Arul
Re: how to change the CD mount point
The automount tools in the GUI usually use the label of the CD as the mount point so the only way to ensure the name is the same regardless of the label is to specify it in the /etc/fstab file.And yes that line should work in SL6-- Sent from my HP Pre3On Oct 15, 2013 17:09, Steven J. Yellin yel...@slac.stanford.edu wrote: Here's a line from /etc/fstab on an SL5 machine. It might work for SL6, too, assuming you have a /mnt/cdrom directory: /dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0 Or maybe it would work to instead make make /media/CDROM_ into a symbolic link to /mnt/cdrom before loading the CD. Steven Yellin On Tue, 15 Oct 2013, Edison, Arul (GE Healthcare) wrote: HI, I am porting my application from Redhat to Scientific Linux 6.3 In Scientific Linux, the CD is mounted to mount point /media/CDROM_ I would like to change the mount point location to /mnt/cdrom Any idea what is the configuration to change this? Thanks, Arul
Re: Finding the files in a package
I always userpm.pbone.netin advanced search mode for that.-- Sent from my HP Pre3On Oct 2, 2013 10:18, Loris Bennett loris.benn...@fu-berlin.de wrote: Bruno Pereira brunopereir...@gmail.com writes: Please notice that apt-file is not installed by default on a clean Debian system. dpkg -S foo_file will give you the necessary package name without installing further software. Yes, but only for installed packages, whereas apt-file will search in all packages in the configured sources. Regards Loris Regards On Wed, Oct 2, 2013 at 3:13 PM, Loris Bennett loris.benn...@fu-berlin.de wrote: Francesco Minafra francesco.mina...@gmail.com writes: Hi Loris, you can use the command: yum provides */libmpi_cxx.so.1 Cheers, Francesco. On Wed, Oct 2, 2013 at 1:01 PM, Loris Bennett loris.benn...@fu-berlin.de wrote: Dear List, I would like to know which version of the package "openmpi" contains the library "libmpi_cxx.so.1". On the Debian website, the information about individual packages includes a link to a file list for each available architecture. How would I go about finding this information for SL? Cheers, Loris -- This signature is currently under construction. Thanks Francesco (small world ;-)) and Bluejay, It seems that "provides" and "whatprovides" are synonyms. BTW, instead of messing about on the website, on Debian apt-file search libmpi_cxx.so is possible. Cheers, Loris -- This signature is currently under construction. -- Dr. Loris Bennett (Mr.) ZEDAT, Freie Universität Berlin Email loris.benn...@fu-berlin.de
Re: How a user can execute a file from anothe user
Warning running commands out of an other users home directory is ill advised and should be avoided at all costs. By changing the users home directory permissions you may cause problems as a side effect. For example if the user logs in via ssh and uses a key for authentication it may fail due to the home directory permissions being insure which is a very common side effect of doing this kind of change. On Fri, Sep 27, 2013 at 2:13 AM, Mahmood Naderan nt_mahm...@yahoo.com wrote: Sorry, I just saw the mistake, I forgot to mention that you need to grant access to the your home directory as mentioned by Mark. chmod o+rx /home/mahmood (I added read as the user didn't have permission to access the directory. If the filename is known (no requirement to do a ls on the directory), then execute is sufficient. If you give read, then all the filenames in your directory are revealed (but not necessarily the contents). Yes, thank you. It is now solved and the execute permission was good tip Regards, Mahmood From: John Lauro john.la...@covenanteyes.com To: Earl Ramirez earlarami...@gmail.com Cc: scientific-linux-users@fnal.gov; Mahmood Naderan nt_mahm...@yahoo.com Sent: Friday, September 27, 2013 12:30 AM Subject: Re: How a user can execute a file from anothe user One minor note, Read isn't needed on the directories if the user/script/etc knows the path. If the filename is known (no requirement to do a ls on the directory), then execute is sufficient. If you give read, then all the filenames in your directory are revealed (but not necessarily the contents). - Original Message - From: Earl Ramirez earlarami...@gmail.com To: Mahmood Naderan nt_mahm...@yahoo.com Cc: scientific-linux-users@fnal.gov Sent: Thursday, September 26, 2013 4:43:31 PM Subject: Re: How a user can execute a file from anothe user ... Sorry, I just saw the mistake, I forgot to mention that you need to grant access to the your home directory as mentioned by Mark. chmod o+rx /home/mahmood (I added read as the user didn't have permission to access the directory. You should now be able to execute the script as another user. For your reference: I created a folder named shared in user2 home directory @lab19 ~]# ls -la /home/user2 total 40 drwx---r-x. 5 user2 user2 4096 Sep 26 15:57 . drwxr-xr-x. 5 root root 4096 Sep 26 15:53 .. -rw---. 1 user2 user2 1387 Sep 26 16:27 .bash_history -rw-r-. 1 user2 user218 Feb 21 2013 .bash_logout -rw-r-. 1 user2 user2 176 Feb 21 2013 .bash_profile -rw-r-. 1 user2 user2 124 Feb 21 2013 .bashrc drwxr-x---. 2 user2 user2 4096 Nov 11 2010 .gnome2 drwxr-x---. 4 user2 user2 4096 Dec 20 2012 .mozilla drwxrws---. 2 user2 public 4096 Sep 26 15:57 shared -rw---. 1 user2 user2 641 Sep 26 15:57 .viminfo Created the script and was able to execute it from the user name user1 @lab19 ~]# ls -la /home/user2/shared/ total 12 drwxrws---. 2 user2 public 4096 Sep 26 15:57 . drwx---r-x. 5 user2 user2 4096 Sep 26 15:57 .. -rwxrwx---. 1 user2 public 18 Sep 26 15:57 script1 user1@lab19 ~]$ /home/user2/shared/script1 FilesystemSize Used Avail Use% Mounted on /dev/mapper/vg_lab11-lv_root 5.5G 2.8G 2.5G 54% / tmpfs504M 232K 504M 1% /dev/shm /dev/vda1485M 92M 369M 20% /boot /dev/md1272.0G 100M 1.9G 5% /home/labs -- Kind Regards Earl Ramirez GPG Key: http://trinipino.com/PublicKey.asc
Re: About the time sync for linux guest under vmware of windows xp host
It sounds like your network on the VMware side isn't configured correctly.Also you should always use VMware tools to sync your time instead of NTP on VMware virtual machines.VMWare hypervisor plays games with the clock on purpose and can cause a VM with NTP enabled to behave erratically.-- Sent from my HP Pre3On Sep 1, 2013 8:44, taozhijiang taozhiji...@gmail.com wrote: Hello, I just install my SL carbon 6.4 under vmware environment for kernel study, but found the system time runs much faster than the host. I want the kernel to be pure, so I do not take account of vmware-tools. I setup a ntpd in my host windows xp, but when guest SL update the time, it complains like this: [user@workstation ~]$ sudo ntpdate -dv 192.168.17.1 1 Sep 20:31:55 ntpdate[1479]: ntpdate 4.2.4p8@1.1612-o Fri Feb 22 03:55:28 UTC 2013 (1) Looking for host 192.168.17.1 and service ntp host found : 192.168.17.1 transmit(192.168.17.1) transmit(192.168.17.1) transmit(192.168.17.1) transmit(192.168.17.1) transmit(192.168.17.1) 192.168.17.1: Server dropped: no data server 192.168.17.1, port 123 stratum 0, precision 0, leap 00, trust 000 ... 1 Sep 20:32:00 ntpdate[1479]: no server suitable for synchronization found [user@workstation ~]$ I am wired, and do not know how to handle it. Anyone anyidea would be much much appreciated!!!
Re: [SCIENTIFIC-LINUX-USERS] Any rumors on rhel 7?
I somewhat agree however I still think systemd needs an other year or two to bake before its enterprise ready.1) the scripts are still too new and most of them haven't been thoroughly thought out yet. There are a lot of things that change when you switch from simple start and stop scripts to using an active process manager which take time for the developers and system administrators to wrap their heads around. Frankly they haven't had enough time to do it well and I will have issues all over the place with 3rd party applications when RHEL 7 is released because of it.2) systemd isn't the first of its kind on Linux in fact Gentoo Linux has been doing something similar for years with its startup scripts.3) in many ways the design of systemd is very desktop centric which is great for a desktop or laptop but horrible in an enterprise. Frankly I'm horrified by the idea that if a inexperienced sysadmin does a default install instead of our standard nobase install that someone my come along and stick a WiFi dongle in a box and create a loop or security hole because it was immediately detected and the services to auto configure it were automatically started without a authorized sysadmins intervention. By the way that is a scenario that I've seen users attempt before because they needed access from their desktop and didn't want to wait for or were just too lazy to request a firewall change. For that matter I had a consultant just this past week accidentally create a loop on my network because he had made a mistake in the network configuration and NetworkManager decided to bridge several interfaces ( I never thought I'd hear my self say this but thank god for spanning tree). So auto starting and restarting services based on things like hardware event are scary to me for good reasons. Additionally if I have a service that occasionally crashes due to a bug or misconfiguration but systems keeps relaunching it I may never know I have a problem I'd rather the process crash and get a one time complaint or trouble ticket from the user and fix it than have users grumbling how my systems suck because they keep having problems but the guy in the NOC sees all green on his screen when the user calls and keeps dismissing their complaints without further investigation.-- Sent from my HP Pre3On Aug 18, 2013 9:29, Tom H tomh0...@gmail.com wrote: On Tue, Aug 13, 2013 at 12:30 AM, zxq9 z...@zxq9.com wrote: * The old init system was complicated (in that the defaults aren't uniform). Familiarity with the system triumphed over lack of clear implementation and lack of documentation. All Linux users and developers were victims of laziness and inertia when we stuck with the mess that sysvinit scripts are for as long as we did, especially after Solaris and OS X showed the way with SMF and launchd. We should've at least moved to declarative init files with one bash/dash/sh script to start and stop daemons; we didn't and we've fortunately gone beyond that with systemd. * systemd is a huge effort that isn't doing anything to remedy the situation. One or two years after the release of EL-7, everyone'll wonder what all the anti-systemd fuss was about...
Re: [SCIENTIFIC-LINUX-USERS] Any rumors on rhel 7?
I totally disagree I love NM on my laptop but its a pox upon my servers. It causes far more problems for servers than it fixes.For one thing if I have a process bound to an IP and NM stops that interface due to a transient issue with the network such as a switch rebooting or some one accidentally unplugging the wrong cable in the patch panel for a split second. The problem is it brings the interfaces down when link is lost. However the file handle for the network socket stays in a "DELETED" state until the the service is restarted or the service detects an issue with the socket because the programmer was better than average and though about the scenario. Now the link comes back but the socket is still broken because it still points to the deleted file handle for the old link so it spears although my service is working but in reality it can't hear new connections coming in. By the way this scenario doesn't apply to things bound to the default 0.0.0.0.Also the fact that I saw it decide on its own to bridge several interfaces together last week on a CentOS 6.4 box because a consultant made a mistake I just don't trust it.In fact I've been thinking I just may scrap it all the redhat network tools and write a ground up replacement for the firewall tools I'm writing right now (yes the will be released under the GPL when they are ready).I'm thinking thinking I'll do something similar to what I did with Fedora 4 back in the day when I worked for a network secuity appliance company with an XML based config for the network interfaces. But I think I can get away with a simple set if small scripts that mostly just do XSLT transforms to create the appropriate commands for iproute2 this would mean that adding or modifying features would simply be a matter of updating a DTD or schema and the XSLT file. Also I'm thinking of possibly integrating iptables and ipset into it as well. Since I already have successfully compiled and tested ipset on RHEL 6.x and already have the tools and sysV init scripts written for them based on a slightly modified (I added to it but didn't change any thing already in it) version of the XML dumped by the ipset command.-- Sent from my HP Pre3On Aug 18, 2013 12:42, Tom H tomh0...@gmail.com wrote: On Mon, Aug 12, 2013 at 10:24 AM, Paul Robert Marino prmari...@gmail.com wrote: On Wed, Jul 31, 2013 at 10:21 PM, zxq9 z...@zxq9.com wrote: On 07/31/2013 11:57 PM, Tom H wrote: On Tue, Jul 30, 2013 at 5:12 PM, zxq9z...@zxq9.com wrote: On 07/30/2013 10:26 PM, Tom H wrote: I was only commenting on the more complex and unreadable spec files. Otherwise I'm happy about systemd and journald. In short, the kernel has evolved, the applications have evolved, why not the init system? Its not that the init system can't do with some modernization, its that the new system has a severe case of featuritis that is spawning little eddies of nonlocalized complexity all over the place. Modernizing a system and tossing everything that's come before in the interest of a deliberately incompatible rewrite are different things. Remember HAL? well thats mostly due to the fact that its new and far more complex. there was a mad rush for every one to rewrite there statup scripts and quite a few of them weren't done very well and others weren't fully thought out. what I find worse is they did a ground up rewrite and didn't touch the network configuration portion wasn't rewritten. The network scripts are limited and problematic if you want to do any thing advanced. for example its a long story why but on one device a bridge I have to add a static arp entry. iproute2 has been able to do this for as long as i can remember but there was no clean way to get it to work was to hack the network scripts in order to add the functionality. Really the scripts network scripts need to have hooks added so user defined scripts can be called at various points of the startup and shutdown of an interface. but more than that they mostly date back to the 2.0 Kernel and Linux's Network capabilities have change significantly since then but for the most part these scripts keep people stuck in the 90's. (Couldn't you top-post like everyone else?) There's been more than one hint on fedora-devel that the reason that the "/etc/sysconfig/network-scripts/scripts" haven't been adapted to systemd is that no one wants to do the (large amount of) work that would be required when the eventual goal is to default to NM and only use NM; and that that goal's ever closer. (As a Fedora user, I sometimes wish that TUV weren't so involved with GNOME and NM and that netctl were packaged for Fedora - and in the future for EL-7 - because it's integrated into systemd; but NM's slowly getting there for servers.) EL-6.4's network scripts mostly use iproute (although I don't think that you can use "PREFIX=24" instead of "NETMASK=255.255.255.0" as you can on Fedora). The following command returns not
Re: UDP message not recevied at port 8100 with Scientific Linux 6.3
-- Sent from my HP Pre3On Aug 16, 2013 14:36, Konstantin Olchanski olcha...@triumf.ca wrote: On Fri, Aug 16, 2013 at 11:24:36AM -0700, Konstantin Olchanski wrote: On Fri, Aug 16, 2013 at 02:01:20PM +, Edison, Arul (GE Healthcare) wrote: Hi all, The application that I run on Scientific Linux 6.3 is to receive the UDP message at port 8100. However I found that port 8100 is used by xprint-server Is there a way to disable the xprint-server? You can use "lsof" to find out who is consuming UDP packets sent to port 8100. FYI in most cases netstat is a lot easier to get this info examplenetstat -lunpAnd add a -t if you want to see TCP as well. (Also check that your packets are not rejected by your own firewall, "iptables -L -v"). Also SL 6.3 shipped with a defective libtirpc which discards UDP broadcast packets. The bug makes NIS not work. May bite you, too. SL 6.2 or 6.1 was okey, I think, SL 6.4 not sure. I have posted this bug on this mailing list and on RH bugzilla, it is fixed in errata packages. -- Konstantin Olchanski Data Acquisition Systems: The Bytes Must Flow! Email: olchansk-at-triumf-dot-ca Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
Re: New Install of 6.4 - no Internet step 2, 3
I use XFCE on fedoraI would like to see it on EL 7.Its a good balance of usability without the bloat that Gnome and KDE have developed over the years.-- Sent from my HP Pre3On Aug 12, 2013 13:42, Jeffrey Anderson jdander...@lbl.gov wrote: On Mon, Aug 12, 2013 at 7:41 AM, Larry Linder larry.lin...@micro-controls.com wrote: Comment: Fedora 19 with the latest Gnome desktop is written for a tablet. It only takes 6 mouse clicks to do anything useful - Hope RH 7 will allow a person to select an older version of KDE or Gnome. I would hate to think of the number of mouse ites injuries we could have. Is there a number of simpler desktops available. The new KDE is useless, Gnome in Fidora 19 is terrible so where do people who need a no BS computer go?I agree with you about Gnome3. I dont mind the latest KDE (4.10), but agree that it may be too heavy for some. Fedora19 shipped with MATE as an option, though I dont think it is installed by default. It is a fork of Gnome 2 and may be suitable.yum groupinstall MATE Desktop to get it. LXDE and IceWM are still available through simple yum updates from the standard Fedora repo as well. Jeff -- --Jeffrey Anderson | jdander...@lbl.gov Lawrence Berkeley National Laboratory |Office: 50A-5104E | Mailstop 50A-5101Phone: 510 486-4208 | Fax: 510 486-4204
Re: Bug in yum-autoupdate
Here here-- Sent from my HP Pre3On Aug 4, 2013 15:13, Mark Stodola stod...@pelletron.com wrote: Can we please end this discussion? It has become extremely off topic at this point and no longer has _any_ direct impact on Scientific Linux.
Re: Bug in yum-autoupdate
Seriously are we still beating this dead horse. While I admit I was the one who took this conversation on a tangent in the first place, every valid point of view on this has been covered from both sides.No resolution will come of it!From here its an intellectual pissing contest lets end it!-- Sent from my HP Pre3On Aug 1, 2013 20:08, Steven Haigh net...@crc.id.au wrote: On 02/08/13 09:59, Vincent Liggio wrote: On 08/01/2013 06:07 PM, Steven Haigh wrote: If you really do have 1200 systems to worry about, I'd be looking at things like satellite. I have ~20-25 systems and yum-autoupdate is fantastic. It does what it says on the box and relieves me of having to watch / check for updates every day. I get an email in the morning that tells me what was updated and if there were any problems. Guess none of you have to deal with third party applications, device drivers, change management, etc. Simple servers are easy to patch, and yes, I've done that for years. But take a system running anything graphical (especially with video and audio device drivers) and try to randomly patch it, and see how long that lasts! I hate to say it, but now you've shifted the goal posts. You talk about blade servers, now you talk about graphics drivers and audio - which I assume would be desktop use. Even on the desktop though, the kernel doesn't auto-update - so any graphics drivers that are installed against a specific kernel version will continue to work until you upgrade the kernel manually - at which time you will be required to build the kernel modules again (nvidia / ATI etc). (and yes, I really do have 1200+ systems to worry about. And I sleep very happily knowing tomorrow they won't be any different than they were today) Unless in the lack of updates, you leave a security hole and due to the lack of updates you never pick up on it. My 16 years of experience says that this is a dangerous attitude for system admins to adopt. And no, in 16 years I have never had a security breach (touch wood). Its hardly hidden - and if you don't like it, don't install the package - its purely in your control. It installs by default. I certainly can uninstall it, or set it to not autoupdate, which I shall. And this may work for you - and thats great for you. It shouldn't however mean that the default should be changed to disable this in the entire distro. In fact, if you *really* want to disable auto-updates globally, then you're better off using a single line sed command that you can run via SSH to all systems you control to disable it. That way it is rapidly deployed to all your systems with a simple bash script loop.
Re: Upgrade SLC5 to SLC6 ?
While that's somewhat true the really concern is unresolvable conflicts between packages during the update also you may experience selinux issues among other things.-- Sent from my HP Pre3On Jul 30, 2013 12:05, Anton Starikov ant.stari...@gmail.com wrote: I would expect that amount of problems depends on what is installed. And how much /etc differs from default. One story if it is, let say, minimal install with dhcp server, another story if it is host filled with all possible software in active use. Anton. On Jul 30, 2013, at 5:58 PM, Paul Robert Marino prmari...@gmail.com wrote: gennerally its possible to upgrade from one minor release to the next but not major releases so 5.1 to say 5.9 is possible but 5.x to 6.x is not. you can attempt it through yum but you will have tons of problems. Fedora you usually can upgrade versions but even Fedora has version cut offs where you have to do a scratch install for example 16 to 17 was one of those cutoffs. On Mon, Jul 29, 2013 at 4:08 AM, Tom H tomh0...@gmail.com wrote: On Thu, Jul 25, 2013 at 12:48 PM, Lamar Owen lo...@pari.edu wrote: On 07/25/2013 01:28 AM, David G.Miller wrote: The problem of upgrading from FC-n to FC-n+1 is basically the same as upgrading EL-n to EL-n+1. No; upgrading ELx to ELx+1 is like upgrading Fn to Fn+k(x), where k(x) is an element of an array of integer constants; x is the starting EL release, so k(3)=3 [RHEL3 was based on what I'm going to call 'Fedora Core 0,' which was the pre-fedora RHL 10 beta; see footnote 1]; k(4)=3, k(5)=6 (or 7, since some F13 packages showed up in EL6), and k(6) will probably be 7 or so. Doing this without going stepwise through the Fedora releases is a challenge. I forget how large of an increment preupgrade can do, but I remember doing it F12 to F13 to F14, and it had issues even going Fn to Fn+1, especially if any part of the massive yum transaction fails for any reason (it leaves the system with a half completed yum transaction that yum-complete-transaction simply won't deal with, and then you have to finish the upgrade manually and manually remove the older packages) I have done this twice on two separate machines, one had issues going from F12 to F13 and the other one had issues going from F13 to F14. The Fn to Fn+1 upgrade path is somewhat expected to work; Fn to Fn+2 probably won't work correctly, especially if major changes are in both releases. In theory, preupgrade can upgrade a system to the latest Fedora release; I assume from a still supported release so it's Fn to Fn+2. I have a colleague who went on his laptop from 12 to 14 and you can find people skipping a release on mailing lists and forums. But they're there because they have a problem. :) Both preupgrade and fedup are the source of quite a few list and forum posts. A more usable upgrade system would be one where you could snapshot a system transparently before an upgrade and fallback to the original in case of failure, like Solaris with its "Boot Environment". In the Ubuntu world, this is like taking Ubuntu LTS 6.06 straight to 8.04, or worse. I've done the 6.06 to 8.04 thing, by the way, and have no desire to repeat it. Ubuntu/Canonical support LTS-to-LTS upgrades (6.06 to 8.04 to 10.04 to 12.04) where intermediate versions are skipped (so they must be QAd quite extensively; and companies with support contracts must be on-hand for all phases of the upgrade). I've tested an 8.04 to 10.04 upgrade (as I've tested preupgrade and fedup upgrades) but I've never used Linux upgrades in a live/production setting.
RE: Large filesystem recommendation
Although that said EXT4 is still an inode centric file system with a journal added so moving the journal to a faster volume wont have as big an effect as it does on ground up designed journaling file systems. So while that feature may speed up the journal for EXT4 its still limited by the speed of the in-filesystem inodes regardless of where the journal is located.The difference being XFS, JFS, ZFS, and a few others primarily rely on the journal and write the inboxes as needed after the fact for backwards compatibility for older low level binaries. XFS also uses them with the xfsrepair tool as a DR backup incase the very rare casein the journal getting corrupted (usually due to a hardware issue like raid controller backplane melt down) but even in that case XFS only thin-provisions creates the inodes it reallyneeds the first time they are written to. Which is why themkfs.xfs tool is so fast.EXT4 still pre-allocates all of the possible inodes during formating and writes to the inodes before the journal-- Sent from my HP Pre3On Jul 25, 2013 1:17, Paul Robert Marino prmari...@gmail.com wrote: That's cool I've never noticed that I the documentation but I'll look for it.-- Sent from my HP Pre3On Jul 24, 2013 18:41, Scott Weikart scot...@benetech.org wrote: Though I will admit the being able to move your journal to a separate faster volume to increase performance is very cool and that's only a feature I've seen in XFS and ZFS. ext4 supports that. -scott From: owner-scientific-linux-us...@listserv.fnal.gov owner-scientific-linux-us...@listserv.fnal.gov on behalf of Paul Robert Marino prmari...@gmail.com Sent: Wednesday, July 24, 2013 3:36 PM To: Brown, Chris (GE Healthcare); Graham Allan; John Lauro Cc: scientific-linux-users Subject: RE: Large filesystem recommendation ZFS is a performance nightmare if you plan to export it via NFS because of a core design conflict with how NFS locking and the ZIL journal in ZFS. Its not just a linux issue it effects Solaris and BSD as well. My only experience with ZFS was on a Solaris NFS server and we had to get a dedicated flash backed ram drive for the ZIL to fix our performance issues, and let me tell you sun charged us a small fortune for the card. Aside from that most of the cool features are available in XFS if you dive deep enough into the documentation though most of them like multi disk spanning can be handled now by LVM or MD but are at least in my opinion handled better by hardware raid. Though I will admit the being able to move your journal to a separate faster volume to increase performance is very cool and that's only a feature I've seen in XFS and ZFS. -- Sent from my HP Pre3 On Jul 24, 2013 16:53, Brown, Chris (GE Healthcare) christopher.br...@med.ge.com wrote: ZFS on Linux will provide you all the goodness that it brought to Solaris and BSD. Check out: http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303L=scientific-linux-usersT=0P=21739 http://listserv.fnal.gov/scripts/wa.exe?A2=ind1303L=scientific-linux-usersT=0P=21882 http://listserv.fnal.gov/scripts/wa.exe?A2=ind1307L=scientific-linux-usersT=0P=4752 - Chris -Original Message- From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Graham Allan Sent: Wednesday, July 24, 2013 3:46 PM To: John Lauro Cc: scientific-linux-users Subject: Re: Large filesystem recommendation XFS seems like the most obvious and maybe safest choice. FWIW, we use it on SL5 and SL6. Ultimately any issues we've had with it turned out to be hardware-related. ZFS has some really nice features, and we are using it for larger filesystems than we have XFS, but so far only on BSD rather than Linux... On Wed, Jul 24, 2013 at 01:59:03PM -0400, John Lauro wrote: What is recommended for a large file system (40TB) under SL6? In the past I have always had good luck with jfs. Might not be the fastest, but very stable. It works well with being able to repair huge filesystems in reasonable amount of RAM, and handle large directories, and large files. Unfortunately jfs doesn't appear to be supported in 6? (or is there a repo I can add?) Besides for support of 40TB filesystem, also need support of files 4TB, and directories with hundreds of thousands of files. What do people recommend? -- - Graham Allan School of Physics and Astronomy - University of Minnesota -
Re: Problem with errata dates?
This is the wrong list for this question it should be on the spacewalk list but to answer your question its a known issue with the repo-sync process. What you will also notice is the version numbers on the errata's are incrementing in spacewalk every time you do a repo sync.There has been some discussion about fixing this on the developers list but as far as I know no ones seriously started work on it yet because there doesn't seem to be quorum yet on the dev list as to how it should be handled yet.-- Sent from my HP Pre3On Jul 4, 2013 2:53 AM, Ree, Jan-Albert van j.a.v@marin.nl wrote: This morning our Spacewalk service sent out some emails , among them an errata mail regarding SLSA-2013:0957-1 What I noticed in Spacewalk is that the Issued date is set at 1/1/70 Same is true for several others, Bug Fix AdvisorySLBA-2013:0835-1selinux-policy bug fix update 1 1/1/70 Security Advisory SLSA-2013:0911-1Important: kernel security update 4 1/1/70 Bug Fix AdvisorySLBA-2013:0893-1selinux-policy bug fix update 1 1/1/70 Bug Fix AdvisorySLBA-2013:0909-1selinux-policy bug fix update 4 1/1/70 Bug Fix AdvisorySLBA-2013:1000-1selinux-policy bug fix update 4 1/1/70 Security Advisory SLSA-2013:0983-1Moderate: curl security update 4 1/1/70 Security Advisory SLSA-2013:0942-1Moderate: krb5 security update 4 1/1/70 Security Advisory SLSA-2013:0957-1Critical: java-1.7.0-openjdk security update4 1/1/70 Security Advisory SLSA-2013:0981-1Critical: firefox security update 4 1/1/70 Is there a reason these are set at 1/1/70 instead of it's normal issue date? All these are coming from the sl6 security repository ftp://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/security/ Regards, Jan-Albert van Ree Linux System Administrator MARIN Support Group E mailto:j.a.v@marin.nl T +31 317 49 35 48 MARIN 2, Haagsteeg, P.O. Box 28, 6700 AA Wageningen, The Netherlands T +31 317 49 39 11, F +31 317 49 32 45, I www.marin.nl
Re: Application severs cease to start after latest kernel upgrade
Check tour audit logs-- Sent from my HP Pre3On Jun 13, 2013 1:53 PM, x...@gmx.com x...@gmx.com wrote: Dear All, We upgraded our kernel with a new one (2.6.32-358.11.1.el6) today and since then we have not been able to run any of our Application Server (Jboss-eap-6, Apache Geronimo-3 and IBM Webspher-CE-3). All of these application servers were working and used in development until this morning after upgrading Scientific Linux. Every time we try to start Apache Geronimo-3 or IBM Webspher-CE-3, we get the following error: Error occurred during initialization of VM Could not reserve enough space for object heap Error: Could not create the Java Virtual Machine. Error: A fatal exception has occurred. Program will exit. And none of the three servers would start. We have spent a whole day, googling for solutions but to no avail. We suspect that the problem is caused by the kernel upgrade as it was the only software we added to our systems first thing this morning before all servers refused to start. We all really pissed off for spending a whole day on this problem and still can't find the problem even after reinstalling all of the application servers. Any help or hint or both would be greatly appreciated. Thanks in advance.
Re: New person publishing security errata
Welcome, Bonnie On Wed, Jun 12, 2013 at 11:36 AM, Connie Sieh cs...@fnal.gov wrote: I am glad to announce that we have added Bonnie King as one of the people who will be publishing security errata. She will be publishing security errata this week. -Connie Sieh
has any one else noticed all the duplicate packages in EPEL
In the last few weeks I have noticed a lot of duplicate packages in EPEL which are included in the base OS this breaks kickstarts and updates through spacewalk. here are just 2 tickets I put in today https://bugzilla.redhat.com/show_bug.cgi?id=972490 https://bugzilla.redhat.com/show_bug.cgi?id=972490 has any one else noticed these or any others if so lets get them all reported. I don't know about any one else but I would hate to have to delete packages every morning in perpetuity to ensure all of my kickstarts and updates work. * * **
Re: advice on using latest firefox from mozilla
Todd and Margo (I'm never sure who I'm addressing with you lol)There is a long standing security reason non root users can't update software which affect all users on the system. Remember over all *ux design is based on a multi user model where only people granted root access by password access or even better sudo access can affect all users. This is a good thing, it was done in response to computer viruses in the 70s.-- Sent from my HP Pre3On Jun 6, 2013 7:40 PM, Todd And Margo Chester toddandma...@gmail.com wrote: On 06/06/2013 01:18 PM, Todd And Margo Chester wrote: I have had no problems at all, except that the updates can not be installed by the users -- you have to fire up Firefox as root. I just filed this: Linux upgrade required root privileges. And, it's looking good for implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=880504 "Ya All" please vote for it! -T
Re: Netrwork dropping transmitted packages on fresh SL 6.4 install
Elrepo is your problem they often push untested updated drivers.Use the drivers that came with the kernel they may not have all the features but they should work.Do not install kmod-8169.-- Sent from my HP Pre3On May 4, 2013 4:11 AM, Bill Maidment b...@maidment.vu wrote: Hi againI've just rebuilt a desktop machine with a GA-970A-D3 motherboard using SL 6.4 64 bit isos and the network adaptor is dropping all transmitted packages.The onboard adapter is a Realtek RTL8168/8111Using a Fedora 18 Live disk the network adapter works OK and is recognised as RTL8168evl/8111evlI have other spare network cards, but the are all RTL8168 or RTL8169 and all show the same symptoms in SL 6.4, but they all work in Fedora 18.Can anyone help me to get the drivers updated (ELrepo kmod-r8168 and kmod-r8169 did not help)?
Re: Issues with the recent kernel and proprietary nvidia drivers
Um wellFrankly the proprietary driver is never up to date with the kernel and it is well that's luck if it ever works with a new version of the kernel after you have reinstalled "recompiled the module with code you can't see against the new code"If you have a problem with the proprietary driver take it up with ?Nvidia. In theory you pay them to make it work correct ?If you don't pay them for support then find a card that doesn't use proprietary code.-- Sent from my HP Pre3On Mar 25, 2013 9:59 PM, Jeff Siddall n...@siddall.name wrote: On 03/25/2013 12:41 PM, Yasha Karant wrote: We are forced to use the Nvidia proprietary driver for two reasons: 1. We use the switched stereoscopic 3D mode of "professional" Nvidia video cards with the external Nvidia 3D switching emitter for the stereoscopic 3D "shutter glass" mode of various applications that display stereoscopic 3D images (both still and motion). 2. We need to load Nvidia CUDA in order to use the CUDA computational functions of Nvidia GPU compute cards in our GPU based compute engines. The Nvidia CUDA system appears to require the proprietary Nvidia driver. Yup, I run the proprietary driver for VDPAU support. If anyone knows how to get that from the open source driver I would like to know. Jeff
Re: A silly question
Well this is sort of a question I answer at work all the time so I can tell you and I know there are sites and even Linux journal articles that explain it.Essentially both labs had their own in-house compiled versions of RHEL already for slightly different reasons but CERNs was called LTS (long term support) Linux and their original goal was to keep doing security patches to older RHEL versions after Redhat declared EOL ( End Of Life) on earlier versions of RHEL because their were essentially appliances built for labs that were it was difficult to migrate the apps to newer versions of RHEL and at the time Redhat only provided patches for a version for about 2 years for a version of RHEL if I remember correctly. The problem is when you install something in a facility connected directly or by proximity with less that two firewalls in between to a secure US government facility it must have all security patches for any installed software within a few months of the creation of the fix for the security hole. Also every new version of any OS needs to be evaluated for security prior to being connected. So for CERN since so many US Government agencies already used RHEL, and the time its was so popular in the US, that any one in the US who knew linux had used Reheat at some point; it was really the only choice.As a matter of fact I can remember in the late 90s being so synotimous with linux in the US that I was having a problem with compiling a program due to a Redhat only bug caused by a patch they put into gcc so I ran into 4 different software stores asking if they had any linux distro other than redhat, the first three store I was told no the 4th store told me yea we have plenty and then walked me over to a wall filled floor to sealing of various different redhat (box set v5.x pre RHEL) box sets with various different support add-ons like the "secure webserver" version that included a script on an additional 3.5 floppy to set up a openssl CA for you, but the were all redhat.Fermilabs motivation to choose RHEL over SuSE I'm not sure of but I suspect since they are funded by multiple countries and the nature of their research they may have also run into the US Government security rules and its just easier in that case to go with the flow than deal with the long drawn out process of getting a different distro certified.-- Sent from my HP Pre3On Mar 21, 2013 12:11 AM, Yasha Karant ykar...@csusb.edu wrote: This is perhaps a silly question, but I would appreciate a URL or some other explanation. A faculty colleague and I were discussing the differences between a supported enterprise Linux and any of a number of "beta" or "enthusiast" linuxes (including TUV Fedora). A question arose for which I have no answer: why did SL -- that has professional paid personnel at Fermilab and CERN -- select to use the present TUV instead of SuSE enterprise that is RPM (but yast, not yum) based, and has to release full source (not binaries/directly useable) for the OS environment under the same conditions as TUV of SL? SuSE is just as stable, but typically incorporates more current versions of applications and libraries than does the TUV chosen. Any insight would be appreciated. If SuSE had been chosen (SuSE originally was from the EU and thus a more natural choice for CERN), what would we be losing over SL? To the best of my knowledge, there is no SuSE Enterprise clone equivalent to the SL or CentOS clones of TUV EL. Yasha Karant
Re: Power management with ATI Radeon cards using the radeon driver.
StevenWow thanks for sharing that, its certainly useful information about the kernel Radeon driver I didn't know.I wonder if its true for the AMD fusion as well or does it scale based on the CPU frequency since the are on the same die? Looks like I have some experiments to do latter.-- Sent from my HP Pre3On Mar 18, 2013 3:47 AM, Steven Haigh net...@crc.id.au wrote: Hi all, I've been on a path of discovery lately regarding the state of play for ATI graphics cards. I started off using the ATI binary driver due to the high fan speed (resulting from high power usage) of the open source driver. I decided to take a different approach today and stick with the open source 'radeon' driver. I managed to find that by default, the OSS driver keeps the card in a 'high power / performance' state. This can be changed by using the sysfs entries exposed. I found that using the following puts the card in low power mode: echo profile /sys/class/drm/card0/device/power_method echo low /sys/class/drm/card0/device/power_profile Now, this is great to shut the fan up, and works on multi-head systems (more than one screen). If you only use one screen, then you're in luck. echo dynpm /sys/class/drm/card0/device/power_method The "dynpm" method dynamically changes the clocks based on the number of pending fences, so performance is ramped up when running GPU intensive apps, and ramped down when the GPU is idle. The reclocking is attemped during vertical blanking periods, but due to the timing of the reclocking functions, doesn't not always complete in the blanking period, which can lead to flicker in the display. Due to this, dynpm only works when a single head is active. If you are like me and have multiple screens, you have the following options to get power_profile to: "default" uses the default clocks and does not change the power state. This is the default behavior. "auto" selects between "mid" and "high" power states based on the whether the system is on battery power or not. The "low" power state are selected when the monitors are in the dpms off state. "low" forces the gpu to be in the low power state all the time. Note that "low" can cause display problems on some laptops; this is why auto does not use "low" when displays are active. "mid" forces the gpu to be in the "mid" power state all the time. The "low" power state is selected when the monitors are in the dpms off state. "high" forces the gpu to be in the "high" power state all the time. The "low" power state is selected when the monitors are in the dpms off state. I've found that the 'low' setting seems to work fine in every day desktop tasks - and it certainly causes the fan to be much, much quieter than the default profile. References: * http://www.x.org/wiki/RadeonFeature -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: nfs+xfs - was Re: SL6.3 2.6.32-358.2.1.el6.x86_64 kernel panic
I've used XFS for over a decade now. Its the most reliable crash resistant filesystem I've ever used according to all my tests and experience. But I have had a few bad patches on older versions of RHEL (before RedHat started supporting it) where it didn't work well, but historicity its worked perfectly on every non reheat based distro.By the way I know why the performance goes down on NFS4 its mostly due to the fact that it supports xattribs natively and ext3 does not unless you explicitly turn it on when you mount the file system.By the way I currently have several production servers running gluster on top of XFS serving both gluster native and NFS 3 clients and in several clusters it works perfectly for me.Oh and the earlier confusion Netapps are BSD UNIX boxes and just like Unix Linux can serve NFS volumes Netapp didn't invent NFS nor are they even the best implementation. Give me a linux box with a san or a good raid controller any day they are faster and in the case of a SAN the are cheaper to scale-- Sent from my HP Pre3On Mar 18, 2013 3:45 AM, Sergio Ballestrero sergio.ballestr...@cern.ch wrote: On 18 Mar 2013, at 08:37, Steven Haigh wrote:On 03/18/2013 06:34 PM, Nico Kadel-Garcia wrote:On Mon, Mar 18, 2013 at 2:59 AM, Dr Andrew C Aitchisona.c.aitchi...@dpmms.cam.ac.uk wrote:On Sun, 17 Mar 2013, Nico Kadel-Garcia wrote:Also, *why* are you mixing xfs and nfs services in the sameenvirnment? And what kind of NFS and XFS servers are you using?Out of curiosity, why not ?In theory the choice of disk filesystem and network file sharingprotocol should be independent.How different is the practice ?I had some bad, bad experience with XFS and haven't used it since. Itcompletely destabilized my bulk storage environment: things may havechanged.I've deliberately and effectively kept my file systems below the 16 TBrange and worked well with ext4. I've occasionally used larger scalecommercial storage serves such as NetApp's for larger NFS environmentssince then.I use XFS on a small RAID6 array (its 2Tb - not huge), and I mount it via NFS to other systems. I haven't had a kernel crash as yet.We use XFS for some heavily loaded "buffer storage" systems, and we haven't had an issue - but no NFS there.We also have an NFS server using XFS (mostly because of the "project quota" feature we needed on some shares) and that's also working fine with NFSv3, serving about 200 clients; NFSv4 performance on XFS is disappointing compared to ext3 but we are not in an hurry to migrate.Cheers, Sergio --Sergio Ballestrero -http://physics.uj.ac.za/psiwiki/BallestreroUniversity of Johannesburg, Physics DepartmentATLAS TDAQ sysadmin team - Office:75282 OnCall:164851
Re: nfs+xfs - was Re: SL6.3 2.6.32-358.2.1.el6.x86_64 kernel panic
Its mostly due to the uid and gid name mapping to names instead of numbers introduced in NFS 4 by default if possible a backup is saved as an extended attribute and can also compound the atime update speed issue.As for JFS its been a long time since I tested it but I had the reverse issue.Oh and I know the issue you ran into with xfs its rare but has been known to happen I've hit it once my self on a laptop its a journal problem, and fsck isn't the tool to use.There is a specific xfs repair tool to fix the journal or can rebuild it from the backup inodes-- Sent from my HP Pre3On Mar 18, 2013 10:53 AM, Vladimir Mosgalin mosga...@vm10124.spb.edu wrote: Hi Paul Robert Marino! On 2013.03.18 at 08:55:39 -0400, Paul Robert Marino wrote next: I've used XFS for over a decade now. Its the most reliable crash resistant filesystem I've ever used according to all my tests and experience. But I have This might be true, but it's not the case for all. I've experienced very bad corruptions on xfs myself, resulting in lots of non-accessible fake files (random size, attributes etc) with random filenames including non-printable characters - and there was no way to remove them, fsck refused to fix them, too. Filesystem was in total mess and producing various errors - it's fortunate that I was able to copy all real data without corruption from it, though. Since then I try not to approach xfs without serious reason. I'd rather use JFS for huge filesystem which I've been using for many years until ext4 appeared.. But for fs 16 Tb jfs is still best option, I believe (far more stable in my experience compared to xfs, though might be not as fast). For several reasons most people don't consider JFS but I used it on tons of servers for filesystems 1 Tb (ext3 was a bad choice for huge filesystems for various reasons) and never had a single issue with it. At most, after multiple power failures during heavy write access I had errors which remounted it into R/O mode and fsck always fixed it. By the way I know why the performance goes down on NFS4 its mostly due to the fact that it supports xattribs natively and ext3 does not unless you explicitly turn it on when you mount the file system. I don't really understand your implication: xfs is slower *due* to xattr support? So if I will mount ext4 with user_xattr option, NFS4 from it will become slower? How come? -- Vladimir
Re: need command line support of zoho
Well that depends.If its clear text and you have the right flags set it will show you all of the raw data.Wireshark can in many cases decode it further.However if it ssl/tls encrypted there is a tool much to most infosec peoples dismay (and joy when its useful ) called ssldump that can take a tcpdump that captures the full conversation and decode it.But that answered is no not out of the box.-- Sent from my HP Pre3On Mar 15, 2013 10:27 PM, jdow j...@earthlink.net wrote: On 2013/03/15 19:14, Todd And Margo Chester wrote: On 03/15/2013 02:17 PM, Todd And Margo Chester wrote: Hi All, The connection just times out. Does anyone know what I am doing wrong here? This is Linux and the nail program. (The account does work from Thunderbird.) #!/bin/bash echo "nail test" | \ nail -v \ -S smtp-use-starttls \ -S from=taperepo...@.com \ -S smtp-auth=login \ -S ssl-verify=ignore \ -S smtp-auth-user=taperepo...@.com \ -S smtp-auth-password=zz \ -S smtp=smtp.zoho.com:465 \ -s `dnsdomainname`" zoho smtp test subject" y...@zoho.com Many thanks, -T Okay, I've have gotten a little further along. I am able to test with gmail but not yet with zoho: #!/bin/bash echo "nail test" | nail -v -s `dnsdomainname`" zoho smtp test subject" \ -S smtp-use-starttls \ -S smtp-auth=plain \ -S ssl-verify=ignore \ -S smtp=smtps://smtp.zoho.com:465 \ -S from=x...@zoho.com \ -S smtp-auth-user= \ -S smtp-auth-password="hahahahaha" \ -S nss-config-dir=/home/linuxutil/mailcerts/ \ yy...@zoho.com Gives me: 250 AUTH LOGIN PLAIN STARTTLS 220 Ready to start TLS SSL/TLS handshake failed: Unknown error -5938. Anyone know what causes this? Many thanks, -T Okay. I figured it out. I commented out "-S smtp-use-starttls". Go figure. [editorial comment] AAHH!![/editorial comment] -T Out of curiosity does tcpdump show the plain text login and message transfer or is it encrypted? {O.O}
Re: Installing on a new laptop
I have an X120e as well and simply changing the hard drive doesn't fix the eufi issue. the first answer to this string is correct with two cavorts RedHat got two signed certs one fro RHEL and the other for Fedora. apparently the process was a nightmare but they will work with secure boot. for that reason I run fedora as my primary os on my laptop and if i have to do any Scientific Linux testing I run it in a VM (and yes an AMD fusion chip can runs a single VM surprisingly well).. On Tue, Feb 26, 2013 at 2:04 PM, Ken Teh t...@anl.gov wrote: I never boot a new laptop into Windows. I replace the original hard drive with a new one and install Linux on it. This way I can put the original disk back in and never void my warranty. You can then even sell it in its original state. Of course, this works only if you don't plan to use Windows. I use a $500 Lenovo X120e netbook. On 02/26/2013 11:26 AM, Scott_Gates wrote: OK, If I needed a desktop, I'd just roll my own. Probably starting with something bare-bones from TigerDirect. I'm thinking of buying a new laptop, rather than just recycling old ones, like I have been. I have HEARD there are issues with trying to install on computers with Windows8 already installed--the only source I have of CHEAP laptops. Basically a Wal-mart or Best-buy boxes that I can get in the $250-$400 ra nge. Does anybody have experience with this? Yeah, I know I'll be Voiding the Warranty--but, I need a laptop for real work--not socializing or net flicking. You know what I mean.
Re: puppet
The only problem I ever had with cfengine is the documentation was never all that great but it is stable and scales well. That being said puppet is not perfect many of the stock recipes for it you find on the web don't scale well and to get it to scale you really need to be a ruby programer. My other issue with puppet is it doesn't provide you with a great amount of control over the timing of the deployment of changes unless you go to significant lengths. Essentially its good for a Agile development model environment which is popular with many web companies; however its a nightmare for mission critical 24x7x365 environments which require changes to be scheduled in advance. These days I'm using Spacewalk for most of what I would have used cfengine or puppet for in the past the only thing that it doesn't do out of the box is make sure that particular services are running or not running at boot, but there are a myriad of other simple ways to do that which require very little work, and if I really wanted to I could get spacewalk to do that as well via the soap APIs. On Fri, Feb 22, 2013 at 11:04 AM, Graham Allan al...@physics.umn.edu wrote: On 2/21/2013 4:13 PM, Natxo Asenjo wrote: On Thu, Feb 21, 2013 at 9:38 PM, Graham Allan al...@physics.umn.edu wrote: Also cfengine, though that seems to be getting less fashionable... We still use it, no compelling reasons to change so far! we take our decisions based on functionality, not fashion. Cfengine is just fine. Good performance, little dependencies, good security record (not unimportant for your infrastructure management tool and oh what a start of the year for ruby it was), and it has in place editing instead of requiring you to use yet another tool (augeas). But puppet/chef are good products too, just not good enough to justify a downgrade from the better one ;-) Totally agree, I just meant that puppet does have more mindshare these days and you'll probably find more people familiar with it. We have used cfengine for 10+ years, not that we haven't discovered flaws over time but I'm certainly very happy with it and see no reason to change. We have had student sysadmins come in, have to learn cfengine, they also look at puppet, and comment that cfengine was a good choice. Just as we here still write most of our support scripts etc in perl, that is also unfashionable now, doesn't mean it's not the best tool for the job (fx: throws bomb and runs away... :-) Graham