Re: question regarding the future
I think this misses the point.

SL was a major 'security blanket' for the uncertainty that was happening with RedHat essentially taking control of CentOS. People were not sure which way things were going to go, so SL filled the gap.

As time has passed, RedHat has done the right thing so far with CentOS - and a lot of people are less nervous as a result.

I understand the decision not to do an SL8 - as the environment is pretty settled again and it is much clearer how this will run. It's better to utilise those resources on a more internal focus.

The threat of CentOS disappearing is gone, so most people will probably pick up CentOS 8 when it comes around to it.

Steven Haigh
net...@crc.id.au
https://www.crc.id.au
+61 (3) 9001 6090
0412 935 897

On Sun, Apr 28, 2019 at 1:08 AM, John Holmes wrote:

Try Springdale Linux (formerly PUIAS), it was started long before CentOS.
PU-IAS = Princeton University - Institute for Advanced Study
http://springdale.math.ias.edu/

On 27/04/2019 14:15, Maarten wrote:

Hello fellow SL users,

I have been using SL for a while now, after the CentOS project became part of Redhat I was glad that I was using SL because I would think that CentOS would become a middle testing ground for Redhat to test new things, getting the idea SL would stay closer to the source since it is just another clone. Now that it has been announced that there will be no SL8, what's the best clone to switch to after EOL of SL6 and SL7.
Even though Redhat says that CentOS will never be used as a testing ground or switch how they are doing things, I do not believe what they say now will be the same in the future.
Re: Trouble with MySQL Server
1% /tmp
/dev/sda1            xfs    497M  230M  268M  47% /boot
/dev/mapper/sl-home  xfs    411G   14G  397G   4% /home
tmpfs                tmpfs  3.2G   40K  3.2G   1% /run/user/1000
tmpfs                tmpfs  3.2G     0  3.2G   0% /run/user/0

The database lives on /home, which doesn’t seem anywhere near full, and the number of bytes that “should have been written” in that error message are nowhere near a threat to the capacity, which suggests something else might be going wrong.

Does anyone have a notion of what’s going on? My suspicion is that the problem is that the temporary file is just ./file, which is in the root directory, which as you can see *is* full - if this is the case, is there a way to redirect where those temporary files are made? Or should I just try to expand that?

Your ibtmp1 file will be written to /var/lib/mysql/ by default. That's on a partition that is full.

Either reconfigure mysql to create this elsewhere, or fix the ugly partition system :)

--
Steven Haigh
net...@crc.id.au
https://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
Re: Tip: when your terminal gets all screwed up
On Sunday, 12 November 2017 1:30:45 AM AEDT Nico Kadel-Garcia wrote:
> On Sat, Nov 11, 2017 at 8:10 AM, Tom H <tomh0...@gmail.com> wrote:
>
> [ Hundreds of lines of fine-tuning prompt manipulation code and theory
> snipped, especially involving quote handling ]
>
> And *this* is why I ignore it all and just use "stty sane" when my
> console gets confused.

heh - personally, I just type:
reset

--
Steven Haigh
net...@crc.id.au
http://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
Re: Tip: when your terminal gets all screwed up
On Saturday, 11 November 2017 1:48:23 PM AEDT jdow wrote:
> On 2017-11-10 16:38, ToddAndMargo wrote:
> > On 11/10/2017 04:21 PM, jdow wrote:
> >> On 2017-11-10 15:14, ToddAndMargo wrote:
> >>> Dear List,
> >>>
> >>> Ever cat a binary file by accident and your
> >>> terminal gets all screwed up.
> >>>
> >>> I had a developer on the Perl 6 chat line give me
> >>> a tip on how to unscrew your terminal and set it
> >>> back to normal. (He was helping me do a binary
> >>> read from the keyboard.)
> >>>
> >>> stty sane^j
> >>>
> >>> Note: it is , not "enter".
> >>>
> >>> -T
> >>
> >> Make "\033]0;" the first bit of your prompt. Never worry about it again.
> >>
> >> ESC-0 sets the terminal to have no attribute bits set. So it clears funny
> >> display. I've had that as a standard part of my prompts for decades, even
> >> back in the CP/M days.
> >> {^_^} Joanne
> >
> > Sweet!
>
> Here is what I have in my .bash_profile file:
>
> if [ "$PS1" ]; then
>    # extra [ in front of \u unconfuses confused Linux VT parser
>    PS1="\e[0 [[\\u@\\h:\\l \\w]\\$ "
> fi

For what it's worth, I've been using this for years:

PS1="\[\033[01;37m\]\$? \$(if [[ \$? == 0 ]]; then echo \"\[\033[01;32m\] \342\234\223\"; else echo \"\[\033[01;31m\]\342\234\227\"; fi) $(if [[ ${EUID} == 0 ]]; then echo '\[\033[01;31m\]\h'; else echo '\[\033[01;32m\]\u@\h'; fi)\[\033[01;34m\] \w \$\[\033[00m\] "

Stick it all on one line. Add the \e[0 in front, and that'd be pretty cool :)

--
Steven Haigh
net...@crc.id.au
http://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
[WARNING] Intel Skylake/Kaby Lake processors: broken hyper-threading
ke processors with signatures 0x806e9 and 0x906e9 *might* fix the issue. We do not have confirmation about which microcode revision fixes Kaby Lake at this time.

Related processor signatures and microcode revisions:

Skylake   : 0x406e3, 0x506e3 (fixed in revision 0xb9/0xba and later, public fix in linux microcode 20170511)
Skylake   : 0x50654 (no information, erratum listed)
Kaby Lake : 0x806e9, 0x906e9 (defect still exists in revision 0x48, fix available as a BIOS/UEFI update)

References:
https://caml.inria.fr/mantis/view.php?id=7452
http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/unstable_changelog
https://www.intel.com/content/www/us/en/processors/core/desktop-6th-gen-core-family-spec-update.html
https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html
https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html
https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v5-spec-update.html
https://www.intel.com/content/www/us/en/products/processors/core/6th-gen-x-series-spec-update.html

[1] iucode_tool -S will output your processor signature. This tool is available in the *contrib* repository, package "iucode-tool".

--
Steven Haigh
net...@crc.id.au
http://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
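
An added example, not part of the advisory or of any project's code: a shell check that derives the processor signature from /proc/cpuinfo fields and compares the running microcode revision with the values listed above. The function names and the sample cpuinfo text are constructed for illustration; it assumes 0xb9 as the lowest fixed Skylake revision and treats Kaby Lake revisions up to 0x48 as affected, reading the table literally.

```shell
#!/bin/sh
# Added example: classify a CPU against the signatures and microcode
# revisions quoted in the advisory text above. Names are hypothetical.

# cpu_signature FAMILY MODEL STEPPING (decimal, as /proc/cpuinfo shows them)
# prints the CPUID signature in the 0x506e3 form that iucode_tool -S reports.
cpu_signature() {
    fam=$1 model=$2 step=$3
    # CPUID stores a 4-bit base family/model plus extended fields.
    if [ "$fam" -ge 15 ]; then
        base_fam=15; ext_fam=$((fam - 15))
    else
        base_fam=$fam; ext_fam=0
    fi
    sig=$(( (ext_fam << 20) | ((model >> 4) << 16) | (base_fam << 8) ))
    sig=$(( sig | ((model & 15) << 4) | step ))
    printf '0x%x\n' "$sig"
}

# classify SIGNATURE MICROCODE_REV
# prints one of: fixed | affected | unconfirmed | no-data | not-listed
classify() {
    rev=$(( $2 ))
    case "$1" in
        0x406e3|0x506e3)
            # Advisory: fixed in revision 0xb9/0xba and later (0xb9 assumed as floor).
            if [ "$rev" -ge $((0xb9)) ]; then echo fixed; else echo affected; fi ;;
        0x806e9|0x906e9)
            # Advisory: defect still exists in 0x48; the fixing revision is not confirmed.
            if [ "$rev" -le $((0x48)) ]; then echo affected; else echo unconfirmed; fi ;;
        0x50654)
            # Advisory: erratum listed, no revision information.
            echo no-data ;;
        *)
            echo not-listed ;;
    esac
}

# parse_cpuinfo FILE -> "family model stepping microcode" for the first CPU.
parse_cpuinfo() {
    awk -F':[ \t]*' '
        /^cpu family/   { fam = $2 }
        /^model[ \t]*:/ { model = $2 }
        /^stepping/     { step = $2 }
        /^microcode/    { ucode = $2 }
        /^$/            { exit }
        END             { print fam, model, step, ucode }
    ' "$1"
}

# check_cpuinfo FILE (use - for stdin) -> one summary line.
check_cpuinfo() {
    set -- $(parse_cpuinfo "$1")
    if [ $# -ne 4 ]; then
        # Non-x86 systems and some guests omit these fields.
        echo "status=unknown (family/model/stepping/microcode not all present)"
        return 0
    fi
    sig=$(cpu_signature "$1" "$2" "$3")
    echo "signature=$sig microcode=$4 status=$(classify "$sig" "$4")"
}

# Constructed sample input: a Skylake signature with a pre-fix revision.
sample_cpuinfo() {
    cat <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 94
model name  : constructed sample
stepping    : 3
microcode   : 0xb2

processor   : 1
EOF
}

sample_cpuinfo | check_cpuinfo -
```

On a real host, `check_cpuinfo /proc/cpuinfo` reads the live values.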
Re: 7.4
On Saturday, 24 June 2017 3:32:02 AM AEST ToddAndMargo wrote:
> On 06/23/2017 07:28 AM, Sean A wrote:
> > Are you all referring to RHEL 7.4 Beta?
> >
> > Given recent history on the past 2 releases, I would put my money on 7.4
> > GA in Nov. 2017. Scientific probably not until Jan 2018.
> Just 7.4. When Red Hat Bugzilla notifies me they
> have fixed something, they say they fixed it in 7.4.
>
> The way RH sounds, RHEL is already on 7.4, but I
> haven't checked.

Nope:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

--
Steven Haigh
net...@crc.id.au
http://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
Re: Updateinfo file is not valid XML
On 2017-06-22 16:09, Mikkel Kruse Johnsen wrote:

Hi SL

When will this error on your YUM repo server be solved. ?

--/etc/cron.hourly/0yum-hourly.cron: Updateinfo file is not valid XML: --

This is a problem with EPEL, not anything SL operated. There's a rumour that 'yum clean all' on the affected system will fix it - but it hasn't fixed it for all my systems.

We get an email every hour from 15+ servers.

I'm getting the same from way more systems than that! That's why there's a "Mark all as read" option in most mail clients :)

--
Steven Haigh
net...@crc.id.au
http://www.crc.id.au
+61 (3) 9001 6090
0412 935 897
Re: nmcli question
On 09/04/17 12:59, Nico Kadel-Garcia wrote:
> In case it's unclear I am *not* happy with NetworkManager for servers
> or stable environments. Laptops that have to wander from environment
> to environment need multiple VPN's, yeah, OK, I can see having a more
> complex tool. But for a VM? Or a server?

Yep - I've gone as far as removing NetworkManager completely from my servers.

A few months ago I drank the koolaid and set up nmcli with my Xen server - and it was a pain in the backside. Finally got it working, but it still decided to drop the bridging interfaces randomly (causing all VMs to disconnect from the network) and wouldn't bring them back up.

I ended up reverting to manually creating ifcfg-* config files and scrapping all plans of migrating to anything NetworkManager.

The down side is that you lose the network-online target for systemd - which can cause its own problems - but it's worth working around those for a stable network config.

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: RAID 6 array and failing harddrives
On 05/04/17 05:44, Konstantin Olchanski wrote:
> Moving to ZFS because of issues like this. RAID6 rebuild with 4-6-8-10TB disks
> has become too scary. If there is any transient error during the rebuild,
> the md driver starts kicking disks out, getting into funny states with many
> "missing" disks, recovery is only via "mdadm --assemble --force" and without
> per-file checksums in ext4/xfs there is no confidence whatsoever that data
> was not subtly corrupted.
>
> ZFS is also scary, but seems to behave well, even in the presence
> of "bad disks". ZFS scrub seems to overcome/rewrite bad sectors,
> bad data on disk (if I poop on a disk using "dd"), all without corrupting
> data files (I compute and check my own sha-512 checksums for each file).

Heh - another soon to be victim of ZFS on linux :)

You'll quickly realise that the majority of major features you'd expect to work - don't. You can't grow a ZFS 'raid'. You're stuck with the number of disks you first start with. You'll find out more as you go down this rabbit hole.

> BTRFS is even better (on paper), but not usable in el7.3 because it has no
> concept of "failed disk". If you pull a disk on btrfs, it will fill /var/log
> with disk error messages, will not take any mitigation/recovery action
> (drop disk from array, rerun the data balancer, etc).

DO NOT USE RAID5/6 WITHIN BTRFS.

I have tried this before and have the many Gb of lost data when it goes wrong. In fact, I discovered several new bugs that I lodged with the BTRFS guys - which led to warnings of DO NOT USE PARITY BASED RAID LEVELS IN BTRFS becoming the official line.

However, BTRFS is very stable if you use it as a simple filesystem. You will get more flexible results in using mdadm with btrfs on top of it.

mdadm can be a pain to tweak - but almost all problems are well known and documented - and unless you really lose all your parity, you'll be able to recover with much less data loss than most other concoctions.

>
> K.O.
>
>
> On Tue, Apr 04, 2017 at 04:17:22PM +0200, David Sommerseth wrote:
>> Hi,
>>
>> I just need some help to understand what might be the issue on a SL7.3
>> server which today decided to disconnect two drives from a RAID 6 setup.
>>
>> First some gory details
>>
>> - smartctl + mdadm output
>> <https://paste.fedoraproject.org/paste/wLyz44nipkJ7FgKxWk-1mV5M1UNdIGYhyRLivL9gydE=>
>>
>> - kernel log messages
>> https://paste.fedoraproject.org/paste/mkyjZINKnkD4SQcXTSxyt15M1UNdIGYhyRLivL9gydE=
>>
>>
>> The server is setup with 2x WD RE4 harddrives and 2x Seagate
>> Constellation ES.3 drives. All 4TB, all was bought brand new. They're
>> installed in a mixed pattern (sda: RE4, sdb: ES3, sdc: RE4, sdd: ES3)
>> ... and the curious devil in the detail ... there are no /dev/sde
>> installed on this system - never have been even, at least not on that
>> controller. (Later today, I attached a USB drive to make some backups -
>> which got designated /dev/sde)
>>
>> This morning *both* ES.3 drives (sdb, sdd) got disconnected and removed
>> from the mdraid setup. With just minutes in between. On drives which
>> have been in production for less than 240 days or so.
>>
>> lspci details:
>> 00:1f.2 SATA controller: Intel Corporation 6 Series/C200 Series Chipset
>> Family SATA AHCI Controller (rev 05)
>>
>> Server: HP ProLiant MicroServer Gen8 (F9A40A)
>>
>> <https://www.hpe.com/us/en/product-catalog/servers/proliant-servers/pip.specifications.hpe-proliant-microserver-gen8.5379860.html>
>>
>>
>> Have any one else experienced such issues? Several places on the net,
>> the ata kernel error messages have been resolved by checking SATA cables
>> and their seating. It just sounds a bit too incredible that two
>> harddrives of the same brand and type in different HDD slots have the
>> same issues but not at the exact same time (but close, though). And I
>> struggle to believe two identical drives just failing so close in time.
>>
>> What am I missing? :) Going to shut down the server soon (after last
>> backup round) and will double check all the HDD seating and cabling.
>> But I'm not convinced that's all just yet.
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: OpenSSL in SL6 ?
On Saturday, 4 February 2017 3:29:32 PM AEDT David Sommerseth wrote:
> On 03/02/17 17:22, Andrew C Aitchison wrote:
> > SL6 uses OpenSSL v1.0.1, which is no longer supported by OpenSSL
> > ( https://www.openssl.org/policies/releasestrat.html ).
> > v1.0.2 which may be a drop in replacement is supported until the end of
> > 2019.
>
> Just wanted to point out that regardless of OpenSSL's life cycles, Red
> Hat will continue to support, backport and fix issues with OpenSSL
> v1.0.1 as long as they have a distribution shipping with that version.
>
> > https://access.redhat.com/solutions/1530413
> > explains Red Hat's position on this, but it can only be read by
> > those with a Red Hat contract.
>
> That URL basically says what I just said in the previous paragraph.
> Otherwise - as already pointed out, for many of these KB articles, you
> just need to have a free account. I would highly recommend people to
> sign up there, as there's lots of good info here.
>
> > Could SL make a similar statement which is available to anyone who
> > has access to SL ?
> >
> > I'm particularly asking since I'm trying to build the latest exim,
> > which does not support openssl v1.0.1
> > https://lists.exim.org/lurker/message/20170131.025153.592b38db.en.html
> >
> >    As we are into 2017, the oldest OpenSSL supported by the OpenSSL project
> >    is 1.0.2, so that is now the oldest version which the Exim Maintainers
> >    formally "support" for Exim. As of yet, I do not believe that any
> >    changes have been merged which would break support for older OpenSSL,
> >    but you are on your own if you try to use such.
>
> There seems to be a Fedora EPEL package with Exim 4.88 ready for EL6
> already: https://koji.fedoraproject.org/koji/buildinfo?buildID=835727
>
> > I can of course build a local OpenSSL v1.0.2 for exim, but if there were
> > a system version it would be simpler for me.
>
> OpenSSL 1.0.2 as a system package will require a rebuild of all packages
> depending on OpenSSL 1.0.1. Which is why Red Hat rather puts efforts
> into keeping 1.0.1 up-to-date by backporting fixes from newer upstream
> releases. Doing that often requires less resources and keeps a far more
> stable environment in a longer run.

I do wonder if it will mean that EL6 or EL7 won't see TLS1.3 support though - or if they wholesale backport the entire TLS1.3 to OpenSSL 1.0.1.

IIRC, TLS1.3 is supposed to arrive in OpenSSL 1.1.1

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: OpenSSL in SL6 ?
On 04/02/17 03:22, Andrew C Aitchison wrote:
> https://access.redhat.com/solutions/1530413
> explains Red Hat's position on this, but it can only be read by
> those with a Red Hat contract.

You don't have to have a contract, only an account. Anyone can register, and there's also free 'developer' accounts if you wish.

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Perl 6 just hit
On 31/12/16 17:12, Nico Kadel-Garcia wrote:
> I'd suggest learning bash first. Many complex perl, python, php, etc.
> tools are actually wrappers for a few lines of shell.

Yeah, I was going to suggest this too. Your biggest thing will be shell scripts - they hold everything together. There's not much that you can't do in bash - but there are a lot more things that are much more complex / dedicated that you'd be better off in a language like perl.

The big thing is learning how to think in logical steps. When to use if, for, while etc etc. Once you've got a grip on the basics, the only real difference between languages is what specific formatting you give to the options to keep its compiler happy.

bash is something you'll use every day - so it's probably easy to deal with from the start.

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Perl 6 just hit
On 30/12/16 20:04, prmari...@gmail.com wrote:
> What you will hear is Perl is dead, but the truth is most people use it on a
> daily basis and don't know it. Perl is still the swiss army chainsaw of
> scripting languages.

If you do an online transaction - somewhere between you and your bank, you hit a perl script.

It's been said that the next financial crisis will be triggered by a perl bug.

Even more seriously, stuff that absolutely must work, all the time, every time and for more than a year at a time is written in perl. Billions of dollars a month get moved around with perl scripts - and that won't change anytime soon...

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Kernel Local Privilege Escalation - CVE-2016-5195
(Reproduced below)

Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5195. This issue was publicly disclosed on October 19, 2016 and has been rated as Important.

Background Information

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild.

Impacted Products

The following Red Hat Product versions are impacted:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise MRG 2

Attack Description and Impact

This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set. This is achieved by racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.

Take Action

All Red Hat customers running the affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.

Mitigation

Please reference bug 1384344 for detailed mitigation steps.

Updates for Affected Products

A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater is available. Please open a support case to gain access to the kpatch.

--- END ADVICE ---

Possible mitigation for the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

There are currently no fixed packages available anywhere to resolve this.

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: LDAP problems
NORE] PAM_LDAP.SO
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass local_users_only
> retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> #password   sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so
> #session    optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
>
> --
> [root@login-0 ~]# cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [default=1 success=ok] pam_localuser.so
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok
> try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> #auth       sufficient    pam_sss.so forward_pass
> AUTH        SUFFICIENT    PAM_LDAP.SO USE_FIRST_PASS
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> #account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> ACCOUNT     [DEFAULT=BAD SUCCESS=OK USER_UNKNOWN=IGNORE] PAM_LDAP.SO
> account     required      pam_permit.so
>
> password    requisite     pam_pwquality.so try_first_pass local_users_only
> retry=3 authtok_type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> #password   sufficient    pam_sss.so use_authtok
> PASSWORD    SUFFICIENT    PAM_LDAP.SO USE_AUTHTOK
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so
> #session    optional      pam_sss.so
> SESSION     OPTIONAL      PAM_LDAP.SO
>
> Has anyone encountered a problem like this one? Does anyone know what I can
> do? Any help will be welcomed!
>
> -Ricardo

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Python 2.7 OS requirements
You can look at virtualenv from EPEL. You can install a separate python environment in a user's home directory.

On 31/07/16 09:36, P. Larry Nelson wrote:
> Hi all,
>
> Please don't shoot the questioner (me), as I have no experience with
> Python, other than knowing "what" it is and that my SL6.8 systems have
> version 2.6.6 installed.
>
> I have been asked by one of our Professors that one of his grad students
> apparently needs Python 2.7.x installed on our cluster (optimally in
> /usr/local, which is an NFS mounted dir everywhere).
>
> In my brief Googling, I have not found OS requirements for 2.7.x, but
> have inferred that it probably needs SL7.x.
>
> Can anyone confirm that?
> Or has anyone installed Python 2.7.x (and which .x?) on an SL6.8 system
> without replacing 2.6.x?
>
> I'm guessing this can be quite a morass to delve into as when I do a
> 'rpm -qa|grep -i python|wc'
> It returns with 67 rpms with python in the rpm name!
>
> If the solution is indeed simple, I might proceed, otherwise, I'm
> of a tendency to reply to the Professor and student, "No way - won't work."
> I think the student probably has access to CERN systems that probably
> have what he's looking for.
>
> I've followed up with that inquiry to the student and waiting to hear back.
>
> Thanks!
> - Larry
>

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: sl6.8 libcgroup -- bug
That could probably be Connie atm. CC'ed into this thread.

On 2016-07-28 16:08, Stijn De Weirdt wrote:

hi fredric,

i confirm, things seem ok with the centos rpm

quick inspection of the rpms also does not show something obviously wrong (both rpms ship same files with same sizes).

i took the centos rpms, modified the release using rpmrebuild (rpmrebuild --release=18.el6_8.0.fromcentos -p thecentosrpms) for all libcgroup rpms and added them to one of our local repos. yum is happy again.

how do we report this to the SL packagers? (or do we just assume they read all these mails?)

stijn

On 07/27/2016 05:22 PM, SCHAER Frederic wrote:

Same here.

Hey ! This seems SL specific... !?

I installed this one manually :
CentOS/6.8/updates/x86_64/Packages/libcgroup-0.40.rc1-18.el6_8.x86_64.rpm

[root@dev7247 ~]# cat /etc/redhat-release
Scientific Linux release 6.8 (Carbon)
[root@dev7247 ~]# rpm -qi libcgroup
Name        : libcgroup                    Relocations: (not relocatable)
Version     : 0.40.rc1                          Vendor: CentOS
Release     : 18.el6_8                      Build Date: Tue 12 Jul 2016 06:27:20 PM CEST
Install Date: Wed 27 Jul 2016 05:15:28 PM CEST      Build Host: worker1.bsys.centos.org
(...)

And cgroups seem to still work whereas they failed with the SL RPM :

[root@dev7247 ~]# service cgconfig restart
Stopping cgconfig service: [ OK ]
Starting cgconfig service: [ OK ]

Regards

-----Original Message-----
From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of ~Stack~
Sent: Wednesday, 27 July 2016 12:59
To: Stijn De Weirdt <stijn.dewei...@ugent.be>; scientific-linux-users@fnal.gov
Subject: Re: sl6.8 libcgroup

On 07/27/2016 03:53 AM, Stijn De Weirdt wrote:

hi all,

we have updated an sl67 node to sl68 (but not yet updated the kernel), and this updates libcgroup-0.40.rc1-17.el6_7.x86_64 to libcgroup-0.40.rc1-18.el6_8.x86_64

however, it now seems that the cgconfigparser even fails to validate the distributed /etc/cgconfig.conf

[root@test2802 ~]# /sbin/cgconfigparser -l /etc/cgconfig.conf
error at line number 17 at {:syntax error
Error: failed to parse file /etc/cgconfig.conf
/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Have multiple paths for the same namespace

the /etc/cgconfig.conf is the same in both rpms

anyone seeing this? or knows how to fix?

Greetings,

I discovered the exact same thing. I fully updated to 6.8 and rebooted into the new kernel. I haven't filed a bug report against it yet as I didn't have time yesterday to really dig into it. My "workaround" was to "yum downgrade libcgroup" on all my hosts until I could figure it out.

~Stack~

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: libxml2-python Infected File
On 2016-07-25 10:23, W.M. wrote:

Running clamscan today I received the following infected file report.

/usr/share/doc/libxml2-python-2.9.1/reader2.py: Xml.Exploit.CVE_2013_3860-1 FOUND

Has anyone else received this or should I just remove the file? libxml2-python seems to be a fairly common library.

This may be helpful to you:
https://www.clamxav.com/BB/viewtopic.php?f=1=4085=22064

I'm tipping a false positive with a new definition update. If you haven't already, I would update to the latest definitions via freshclam and look again.

If you feel it's a security issue, you can try a 'yum verify' after installing the yum-plugin-verify package. This will check files installed on the system versus the packaged files. If all that comes back good, then you should be ok.

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
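
An added example, not part of the thread: the installed-versus-packaged comparison suggested in the reply above, done here with `rpm -V` output (the rpm-level form of that check) rather than the yum-plugin-verify report. The function names are hypothetical and the sample lines are constructed, not output from the poster's system.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output to see whether a file flagged by a
# scanner still matches what its package shipped. Names are hypothetical.

# triage_rpm_verify: reads `rpm -V` lines on stdin and prints
#   MISSING <path>          file is gone
#   CONFIG-EDITED <path>    digest differs on a config file (usually local edits)
#   CONTENT-CHANGED <path>  digest differs on any other file
# Lines where only metadata differs (mtime, mode, owner) are dropped.
triage_rpm_verify() {
    awk '
        {
            # The path starts at the first "/" that follows whitespace.
            p = match($0, /[ \t]\//)
            if (!p) next
            path = substr($0, p + 1)
        }
        $1 == "missing" { print "MISSING", path; next }
        # The third flag character is "5" when the file digest differs.
        substr($1, 3, 1) == "5" {
            attr = (NF >= 3 && length($2) == 1) ? $2 : ""
            label = (attr == "c") ? "CONFIG-EDITED" : "CONTENT-CHANGED"
            print label, path
        }
    '
}

# verdict_for PATH: reads `rpm -V` output on stdin and prints
# modified | missing | matches-package for PATH.
# rpm -V lists only files that fail a check, so a packaged file that is not
# listed with a digest mismatch still has the content the package shipped.
verdict_for() {
    triage_rpm_verify | awk -v want="$1" '
        { path = substr($0, index($0, " ") + 1) }
        path == want { v = ($1 == "MISSING") ? "missing" : "modified" }
        END { print (v == "" ? "matches-package" : v) }
    '
}

# Constructed sample of `rpm -V` output (flags, attribute marker, path).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.  c /etc/yum.conf
..5....T.  d /usr/share/doc/libxml2-python-2.9.1/reader2.py
.......T.    /usr/lib64/python2.7/site-packages/libxml2.py
missing     /usr/lib64/python2.7/site-packages/drv_libxml2.py
EOF
}

sample_rpm_verify | triage_rpm_verify
```

On a live system, `rpm -Vf /usr/share/doc/libxml2-python-2.9.1/reader2.py | verdict_for /usr/share/doc/libxml2-python-2.9.1/reader2.py` applies the same check to the package that owns the flagged file.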
Re: free ssl certificate
On 14/07/2016 11:24 PM, Steven Miano wrote:
> If you are automating the process, it has no impact on your environment,
> maintenance, or administrative costs.
>
> The only reason I could see a short lifespan of the certificates being
> an issue is if you were manually caring and feeding them.
>
> From LE:
>
> "At launch all certificates will have a lifetime of exactly 90 days.
> Post launch we will possibly offer more options, but they will likely be
> on the shorter side rather than the longer side. Part of the rationale
> for the 90 day number is that when certs are renewed only once a year, a
> lot can change. The person in charge might forget how to do it, or leave
> the organization, or change email addresses, etc. A shorter lifetime
> will hopefully encourage people to automate the renewal process, and
> we'll provide tools to help with that."

I hadn't actually read that previously, but it seems about as badly thought out as having to run some magic script every 88 days that nobody knows how to fix it etc etc.

The reasons given above for having a short expiry time "someone might forget how to do it"? Really? Are you kidding me?

Anyway, rubbish reasons like that aside, the expected hands-off automation of something like SSL certs imho leaves the mentality of 'set and forget' for the server. That is bad. Real world experience shows that this causes other problems. In fact, one system I inherited was a 'set and forget' system that ran perfectly. That perfectly that nobody realised that the security updates went EOL for that system back in 2009. It was only discovered by me when something misbehaved 7 years later.

So yes, I understand the mentality - but it is based on false reasoning. Nearly 20 years in this area has taught me the practical way on these.

So, the best method I've seen? Set a reminder in your calendar for 7 days before your cert expires, and renew away. StartSSL will even send you nice reminders that your cert is about to expire. What a great way to not forget a system :)

I wrote that StartAPI system to make my life easier. I admin somewhere in the order of 40 systems including production, staging, development environments on those systems. I'm working on a deploy script to assist - but the key part is that the certificates and management are all centralised - not on each individual system.

Total time to renew a cert, about 5 minutes per year - and I know exactly where I have them - and whoever gets to take over after me will get the email reminders for each system as they come due.

Of course, if you only run one server..

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: free ssl certificate
On 14/07/2016 9:11 PM, Steven Miano wrote:
> https://letsencrypt.org/
>
> Free SSL certificates, 90 days before renewal, and extremely convenient
> renewal procedures.

90 day renewal is the only reason I will never touch or recommend Lets Encrypt.

StartSSL's free certs are valid for 1 year.

>
> Toolkit for ease of use:
>
> https://certbot.eff.org/
>
> On Thu, Jul 14, 2016 at 5:52 AM, Steven Haigh <net...@crc.id.au> wrote:
>
>     And if you want a nice toolkit to make it easier:
>     https://github.com/CRCinAU/startapi
>
>     On 14/07/2016 7:30 PM, Enrico M.V. Fasanelli wrote:
>     > https://www.startssl.com
>     >
>     > Ciao,
>     >
>     > Enrico
>     >
>     >> On 14 Jul 2016, at 11:22, Ian A Taylor <i...@st-andrews.ac.uk> wrote:
>     >>
>     >> Sir/Madam
>     >>
>     >> Can anyone recommend where I can get a free SSL certificate.
>     >>
>     >>
>     >> --
>     >>
>     >> Thanking you.
>     >>
>     >> Yours sincerely
>     >>
>     >>
>     >>
>     >> Ian Taylor
>     >> University of St.Andrews,
>     >> School of Physics & Astronomy,
>     >> North Haugh,
>     >> St.Andrews,
>     >> Fife KY16 9SS,
>     >> Scotland.
>     >>
>     >> e-Mail :- i...@st-and.ac.uk
>     >> Tel:- (0)1334-463141
>     >> Fax:- (0)1334-463104
>     >>
>     >> The University of St Andrews
>     >> is a charity registered in
>     >> Scotland : No SC013532.
>     >
>     > --
>     > Keep Ithaka always in your mind.
>     > Arriving there is what you are destined for. (Konstantinos P. Kavafis).
>     >
>
>     --
>     Steven Haigh
>
>     Email: net...@crc.id.au
>     Web: https://www.crc.id.au
>     Phone: (03) 9001 6090 - 0412 935 897
>
>
> --
> Miano, Steven M.
> http://stevenmiano.com

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: free ssl certificate
And if you want a nice toolkit to make it easier:
https://github.com/CRCinAU/startapi

On 14/07/2016 7:30 PM, Enrico M.V. Fasanelli wrote:
> https://www.startssl.com
>
> Ciao,
>
> Enrico
>
>> On 14 Jul 2016, at 11:22, Ian A Taylor <i...@st-andrews.ac.uk> wrote:
>>
>> Sir/Madam
>>
>> Can anyone recommend where I can get a free SSL certificate.
>>
>> --
>>
>> Thanking you.
>>
>> Yours sincerely
>>
>> Ian Taylor
>> University of St.Andrews,
>> School of Physics & Astronomy,
>> North Haugh,
>> St.Andrews,
>> Fife KY16 9SS,
>> Scotland.
>>
>> e-Mail :- i...@st-and.ac.uk
>> Tel:- (0)1334-463141
>> Fax:- (0)1334-463104
>>
>> The University of St Andrews
>> is a charity registered in
>> Scotland : No SC013532.
>
> --
> Keep Ithaka always in your mind.
> Arriving there is what you are destined for. (Konstantinos P. Kavafis).

--
Steven Haigh
Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Updates of samba4 ?
On 2016-06-07 11:14, Stephen John Smoogen wrote: On 6 June 2016 at 17:27, Rupert Kolb <rupert.k...@med.uni-tuebingen.de> wrote: Thanks for clarifying. I was not aware of this. For the short term I downgraded to an older version of samba4 (to get my system running again). (And yes, there is an entry in bugzilla for "my" problem. And a link to an upstream patch ) In the medium term I'm looking for an other distribution: It doesn't make sense to have about 10 years of support (in theory), but updates just every half year. It depends on what you are defining as an update because it means different things. If you are talking about security updates and major problem updates then it is sooner than 6 months. Then I prefer a system -- where I have to do upgrades to the next major versions more frequently, -- because of merely about 3 years of update support, ++ but with a more current update policy ++ and an overall more recent software. You are asking a lot for free. If the warm fuzzy feeling of a version number update means a lot to you, and you don't care about reinstalling stuff once a year, Fedora may be better for you. Much more bleeding edge with versions, but you'll need more of an admin effort to make sure it all works. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897
Re: unfortunate bind dns attack
On 03/08/15 16:31, Bill Maidment wrote:
> # rpm -qv bind
> bind-9.9.4-18.el7_1.3.x86_64

Interesting, I sync with ftp.scientificlinux.org hourly, yet I only see:

$ find . | grep bind-9
./updates/security/bind-9.9.4-18.el7_1.2.x86_64.rpm
./updates/security/bind-9.9.4-18.el7_1.1.x86_64.rpm
./os/Packages/bind-9.9.4-18.el7.x86_64.rpm

--
Steven Haigh
Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: unfortunate bind dns attack
On 03/08/15 17:02, Steven Haigh wrote:
> On 03/08/15 16:52, Bill Maidment wrote:
>> -Original message-
>> From: Steven Haigh net...@crc.id.au
>> Sent: Mon 03-08-2015 16:35
>> Subject: Re: unfortunate bind dns attack
>> Attachment: signature.asc
>> To: scientific-linux-users@fnal.gov;
>>
>>> On 03/08/15 16:31, Bill Maidment wrote:
>>>> # rpm -qv bind
>>>> bind-9.9.4-18.el7_1.3.x86_64
>>>
>>> Interesting, I sync with ftp.scientificlinux.org hourly, yet I only see:
>>>
>>> $ find . | grep bind-9
>>> ./updates/security/bind-9.9.4-18.el7_1.2.x86_64.rpm
>>> ./updates/security/bind-9.9.4-18.el7_1.1.x86_64.rpm
>>> ./os/Packages/bind-9.9.4-18.el7.x86_64.rpm
>>
>> N.B. it's in 7rolling-security
>
> I thought that 7x and 7rolling were supposed to be one and the same?

In fact, looking at this further, there are only 3 packages that are different between 7x / security and 7rolling / security:

bind
libuser
openafs

There are more differences in the 'fastbugs' repo for 7rolling.

--
Steven Haigh
Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: unfortunate bind dns attack
On 03/08/15 16:52, Bill Maidment wrote:
> -Original message-
> From: Steven Haigh net...@crc.id.au
> Sent: Mon 03-08-2015 16:35
> Subject: Re: unfortunate bind dns attack
> Attachment: signature.asc
> To: scientific-linux-users@fnal.gov;
>
>> On 03/08/15 16:31, Bill Maidment wrote:
>>> # rpm -qv bind
>>> bind-9.9.4-18.el7_1.3.x86_64
>>
>> Interesting, I sync with ftp.scientificlinux.org hourly, yet I only see:
>>
>> $ find . | grep bind-9
>> ./updates/security/bind-9.9.4-18.el7_1.2.x86_64.rpm
>> ./updates/security/bind-9.9.4-18.el7_1.1.x86_64.rpm
>> ./os/Packages/bind-9.9.4-18.el7.x86_64.rpm
>
> N.B. it's in 7rolling-security

I thought that 7x and 7rolling were supposed to be one and the same?

--
Steven Haigh
Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: unfortunate bind dns attack
On 03/08/15 16:04, d tbsky wrote:
> hi:
>
> one of our dns servers was attacked and shut down, it seems to be caused by CVE-2015-5477. we are a small company, so we don't expect a 0day attack to happen to us. does anyone else suffer from the bug?
>
> scientific linux has fixed it in SL5, but SL6 and SL7 don't have the fix now..

See my request for this here: https://listserv.fnal.gov/scripts/wa.exe?A2=ind1508L=SCIENTIFIC-LINUX-DEVELF=S=P=76

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: SL7: Is there a GUI for systemctl?
On Sun, 14 Jun 2015 09:11:38 AM Steven Miano wrote:
> In FC22 there is cockpit though, which does have a very nice WUI (Web User Interface) for systemctl:
>
> Here are a couple of screenshots for those features (cockpit has a multitude of other great functionality as well though, including being able to add additional hosts to any cockpit-ws).
>
> Services (Target): http://i.imgur.com/TGkHHYf.png
> Services (Target (abrt-ccpp.service): http://i.imgur.com/WhQaFPS.png

It's times like this that I question what the hell we are doing in computing.

We have an init system that is that complex, it has a web interface (!) written around it. What. The. Hell.

That is a complete web server, with toolstack, to help configure simply starting a computer. Have we lost the plot with regards to OS concepts these days?

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: SL7: Is there a GUI for systemctl?
On 15/06/2015 3:05 AM, David Sommerseth wrote: On 14 June 2015 16:01:44 CEST, Steven Haigh net...@crc.id.au wrote: On Sun, 14 Jun 2015 09:11:38 AM Steven Miano wrote: In FC22 there is cockpit though, which does have a very nice WUI (Web User Interface) for systemctl: Here are a couple of screenshots for those features (cockpit has a multitude of other great functionality as well though, including being able to add additional hosts to any cockpit-ws). Services (Target): http://i.imgur.com/TGkHHYf.png Services (Target (abrt-ccpp.service): http://i.imgur.com/WhQaFPS.png Its times like this that I question what the hell we are doing in computing. We have a init system that is that complex, it has a web interface (!) written around it. What. The. Hell. That is a complete web server, with toolstack, to help configure simply starting a computer. Have we lost the plot with regards to OS concepts these days? Okay, I'll bite. That's also an angle to see this. I rather choose to see cockpit as a completely different project solving issues this project have considered worth solving. And it is possible through systemd's dbus API. Cockpit is basically just an web interface for dbus. It doesn't do anything else than to do dbus calls. And I consider that impressive. Why? Because if you don't like systemctl or Cockpit, you can write your own tools using the same dbus API. And the bonus is that it (in theory at least) should work out of the box on any systemd based distribution without any changes. You can write your own management tools simplifying processes unique to your environment. Cockpit is a pretty good demonstration of the powers of systemd, which also through the dbus API ensures operations a user requests are authorized properly. A user lacking privileges will not be able to perform the requested operations. So feel free to rant about the complexity of systemd. 
After having played around with systemd in a few of Fedora releases, SL7 and RHEL7, I cannot agree that systemd is such a complex beast, not in any way. It is not worse than than upstart nor the older sysv init scripts. I honestly think that these anti-systemd rants are pure trash from people who have no interest in seeing that there are parts of the Linux universe which are in desperate need for improvements: System Management. And if systemd+cockpit can in a longer run make Linux systems more understandable for old school Windows-admins, then just that is a big win in my opinion. Another point of view: Ditching sysv init isn't a new thing. Upstart is another approach which is in SL6 and RHEL6. In other OSes, Solaris went for SMF, Mac OSX chose launchd. Sysv init worked wonderfully in the 70s, 80s and most of 90s, because the server needs where quite different back then. Nowadays systems live in a far more dynamic environments than earlier. And new challenges needs solutions appropriate to these new demands. Otherwise we would still on a daily basis drive around in T-Fords. I think you're moving the goal posts with the reply. We have a web interface that configures the boot process. We have projects like cups that have web interfaces to configure printers. Complexity and security wise, we're dumbing things down that much that the trend is to have a web server + god knows what else running to configure fairly simple things. Would you agree that webmin is a great system administration tool? If so, then you don't see the problem. There are tons of EL users that care more about security and audit ability of systems in place - and for some, that's a legal requirement. So, now we have to either: 1) Not change; or 2) Be able to audit each projects back end - including its own implementation of a web server, its tools and other bundled cruft. 
This doesn't make life any easier for high-security systems - and indeed adds more vectors for attack - which I'll admit - are mostly theoretical until they are not. -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: What determines when things start with systemclt
On 14/06/2015 1:35 PM, Jamie Duncan wrote: On Sat, Jun 13, 2015, 11:32 PM ToddAndMargo toddandma...@zoho.com mailto:toddandma...@zoho.com wrote: On 06/13/2015 08:25 PM, Jamie Duncan wrote: You define what each service needs or wants for it to be able to start. Look at the .service files On Sat, Jun 13, 2015, 11:23 PM ToddAndMargo toddandma...@zoho.com mailto:toddandma...@zoho.com mailto:toddandma...@zoho.com mailto:toddandma...@zoho.com wrote: Hi All, /etc/rc/d/rc5.d with its numbered start points are being phased out. In SL7, systemctl, what determines when things start? Many thanks, -T # find /etc/systemd/system/ -iname \*.service | grep -i firewall /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service /etc/systemd/system/basic.target.wants/firewalld.service Is this it (firewalld.service)? [Unit] Description=firewalld - dynamic firewall daemon Before=network.target Before=libvirtd.service Before=NetworkManager.service Conflicts=iptables.service ip6tables.service ebtables.service So you tell it before what you want? Seems a bit confusing. Am I missing something? There are many options to allow it to be parallel. It's well documented upstream and for RHEL. Time to hit the books! What he's really saying is that there is no set order. There is no reliable order. There is no pre-determined order. What you do get is a setting that says I will load service X before Y - which it has to work out on every boot. It may or may not be the same order every time you boot - and depending on what is set where, it may even start services that are not specifically enabled if they are listed as dependencies. One good example is upowerd. Even if you have this disabled, it will still get started by other services in the boot process. Now you can argue until the cows come home as to if this is good or not - and I'll leave that to an academic argument. Before and After in the unit file can be abused - and you could end up very easily in a logic loop that is not possible. 
I'm not sure how it tries to deal with these cases - or if it just throws its hands up in the air and complains (verbally or silently). Consider the following:

a.service:
[Unit]
Before=b.service

b.service:
[Unit]
Before=a.service

Now generally, if you only use distro supplied packages, this should be fine - however it does make things more difficult for the packager.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
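The a.service / b.service case in the message above is an ordering cycle. The following Python is an added example, not part of the original message and not systemd's own code: it parses Before= and After= from unit-file text and reports one cycle if any exists. The unit contents and function names are constructed for illustration.

```python
"""Detect ordering cycles among systemd-style unit files (Before=/After=)."""
from collections import defaultdict

# Constructed sample units; the first two mirror the a.service/b.service case.
SAMPLE_UNITS = {
    "a.service": "[Unit]\nDescription=A\nBefore=b.service\n",
    "b.service": "[Unit]\nBefore=a.service\n",
    "c.service": "[Unit]\nAfter=a.service network.target\n",
}


def parse_ordering(text):
    """Return (before, after) unit-name lists from the [Unit] section."""
    before, after, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Before":
            before.extend(value.split())
        elif key.strip() == "After":
            after.extend(value.split())
    return before, after


def build_graph(units):
    """Build a graph where an edge X -> Y means 'X is ordered before Y'."""
    graph = defaultdict(set)
    for name, text in units.items():
        graph[name]  # register the unit even if it has no ordering lines
        before, after = parse_ordering(text)
        for other in before:
            graph[name].add(other)
        for other in after:
            graph[other].add(name)
    return graph


def find_cycle(graph):
    """Depth-first search; return one cycle as a list of names, or None."""
    state = {}   # unit -> "visiting" or "done"
    stack = []   # current DFS path

    def visit(node):
        state[node] = "visiting"
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if state.get(nxt) == "visiting":
                # nxt is already on the path: the path from nxt back to nxt
                return stack[stack.index(nxt):] + [nxt]
            if nxt not in state:
                cycle = visit(nxt)
                if cycle:
                    return cycle
        stack.pop()
        state[node] = "done"
        return None

    for node in sorted(graph):
        if node not in state:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    cycle = find_cycle(build_graph(SAMPLE_UNITS))
    print(" -> ".join(cycle) if cycle else "no ordering cycle")
```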
Re: how do I to get the address of a mirror?
On Wed, 10 Jun 2015 07:41:39 PM ToddAndMargo wrote:
> On 06/10/2015 07:27 PM, ToddAndMargo wrote:
>> Hi All,
>>
>> I am trying to get the actual address of Mozilla's mirror for a script. Currently, I can do it with
>>
>> curl --head --max-time 20 --silent http://ftp.mozilla.org/ --output - |\
>> html2text -nobs -style pretty -width 132 | \
>> grep -i Apache | \
>> awk -F Server: '{print $3}' | awk '{print $1}'
>>
>> And it does work. Is there an easier way?
>>
>> Many thanks,
>> -T
>
> Dang the address it comes up with is bogus.

$ host ftp.mozilla.org
ftp.mozilla.org has address 63.245.215.56
ftp.mozilla.org has address 63.245.215.46

Reference them by IP?

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: IMAP client backup applications
On 10/03/2015 11:12 PM, Mark Stodola wrote: On 3/9/2015 6:20 PM, Yasha Karant wrote: On 03/07/2015 04:21 PM, Chris Schanzle wrote: On 03/06/2015 06:58 PM, Yasha Karant wrote: My department is being forced by the university administrative IT unit to MS Office365 distributed server (cloud) email service, as I have communicated in a previous query. We are now being advised by others who have been forced to do this -- but of course not by IT -- to backup all of our email. I use Mozilla Thunderbird, incoming IMAP, outgoing to a designated SMTP server. I have found http://www.beyondinbox.com/beyondinbox-download.html licensed for fee that claims to function under Linux, MacOS X, and MS Windows for this purpose. There are concerns to find a viable licensed-for-free product that will copy IMAP folders and all of the contents thereof to a local harddrive directory/file structure and that can restore these same IMAP folders and the contents thereof back to a remote IMAP service -- thus guarding against loss -- up to the last backup snapshot -- of all email. Has anyone any experience with the above application? is there a licensed for free reliable, viable alternative, GUI preferred, for Linux? Yasha Karant I've had good luck with imapsync[1] to make backup copies to another IMAP server. It's smart and useful for migrating many accounts from one imap service to another, but it's also useful for just syncing one account. When we migrated to the cloud, I had expectations of the cloud just vaporizing or turning into a thundercloud and taking a dump on us, but it has been OK. MS hasn't lost any of our mail. Thunderbird does occasionally re-download all folders on my various systems (fedora, windows, CentOS 6) which takes a long time for my years of email archives due to their throttling (which has vastly improved as well -- use to take a week with many fatal errors while using it normally; now completes in about a day and rarely a failure). 
The root cause of this is unknown - could be when they move me to another 'pod' or when they muck with my folders (redownload happened recently when they added Clutter). [1] http://imapsync.lamiral.info/ At present, my department chair is suggesting: http://www.mailstore.com/en/mailstore-home-email-archiving.aspx that is licensed for free for home use -- presumably meaning single user unless one really must work from home for this use. Note that this application does not support Linux. Hence, my plan is: under SL run VirtualBox running MS Win 7 pro running the above application, but save all of the produced files on the Linux side using VirtualBox shared folders. Many of my colleagues here do not use MS Win as the primary OS environment; most use Linux or MacOS X with open system extensions (e.g., fink). The colleague who suggested the above application is using MS Win on his workstation. Has anyone had any experience with this sort of scheme or this application? Yasha Karant I would just pick something that seems to have merit and _try_ it. At worst, it doesn't do what you intended and you go find something else to try. I am in a similar situation (mail migration) and am planning on trying Chris's suggestion of imapsync. Setting up an entire virtual machine seems a bit overblown for email save/restore. Also, don't get too caught up on the licensing. If you are doing it 1 time for a handful of users, I wouldn't worry too much. If you are going to use it on a regular basis, continuously, then the licensing becomes much more of an issue. If you look at the licensing plans, you can see it is bracketed by user count and on an annual basis, targeted as a long term backup solution. My advice, if you are using linux, find a linux solution. There are dozens of scripts/programs out there to do this, just pick one and experiment. -Mark Apologies if I've jumped in part way and missed something - but fetchmail should do this? Seems people are trying to reinvent the wheel? 
--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Migrating old SL 5 Xen server and guests to SL 6
Configuation wise - it should be pretty much the same. I haven't changed my config template for *many* years and it still works with SL6 and Xen 4.5.0. If you followed the best practices back in the day, you used LVM as the storage method and have an LV for each DomU that you run. The only real thing to remember is that the boot= config line doesn't do what you think - ie boot=c will boot from the disk - boot=d is from CD. Something that remains legacy from inception based on well, in DOS, the HDD is C: and the cd drive is D: ;) In all honesty though, if you're deploying new stuff, I'd use EL6 as a base and start with my guide: http://xen.crc.id.au/support/guides/install/ You can use Xen 4.4 by installing the xen44 package, xen 4.5 is still in the testing repositories and installed via the xen45 package. On 21/02/2015 1:45 AM, Nico Kadel-Garcia wrote: I'm dealing with a Xen 3 server on SL 5 operating system with SL 5 para virtualized guests on it. But I'm having a heck of a time updating guests, getting them CD booted with console access to start the process. Any good pointers with the Xen 3.x built into SL 5 would be welcome. I know it's matured a *lot* since then, and a lot of guidelines just don't apply to such an old setup. Nico Kadel-Garcia Email: nka...@gmail.com Sent from iPhone On Feb 6, 2015, at 0:25, Steven Haigh net...@crc.id.au wrote: Hi all, As some of you might know, I package Xen and a Xen Dom0 kernel for EL7. If anyone uses Xen and want to test packages for EL7, take a look at: http://au1.mirror.crc.id.au/repo/el7-testing/ The testing repo has Xen version 4.5.0 and kernel 3.14.31. 
Bug tracker: http://xen.crc.id.au/bugs/my_view_page.php Mailing list: https://lists.wireless.org.au/mailman/listinfo/kernel-xen -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: Migrating old SL 5 Xen server and guests to SL 6
That'll be fun to debug later ;) I think from memory the problem with EL5 was that you had to run the kernel-xen package - as it wasn't included in the stock kernel. It'd also be easier to do a netinstall vs a CD install and supply it the vmlinuz / initrd of the xen installer. Either way, Xen 3 has been end of life for many years now - so as far as security go, I wouldn't be putting them anywhere that could be abused. On 21/02/2015 12:26 PM, Nico Kadel-Garcia wrote: Throwing out old manually defined files from /etc/xen and starting with virt-install is allowing me to install fully virtualized CentOS and SL 6 servers for now. I'm afraid I'll have to wait until updating the Xen server to switch them to para-virtualization, which I'd really prefer. Nico Kadel-Garcia Email: nka...@gmail.com Sent from iPhone On Feb 20, 2015, at 12:21, Steven Haigh net...@crc.id.au wrote: Configuation wise - it should be pretty much the same. I haven't changed my config template for *many* years and it still works with SL6 and Xen 4.5.0. If you followed the best practices back in the day, you used LVM as the storage method and have an LV for each DomU that you run. The only real thing to remember is that the boot= config line doesn't do what you think - ie boot=c will boot from the disk - boot=d is from CD. Something that remains legacy from inception based on well, in DOS, the HDD is C: and the cd drive is D: ;) In all honesty though, if you're deploying new stuff, I'd use EL6 as a base and start with my guide: http://xen.crc.id.au/support/guides/install/ You can use Xen 4.4 by installing the xen44 package, xen 4.5 is still in the testing repositories and installed via the xen45 package. On 21/02/2015 1:45 AM, Nico Kadel-Garcia wrote: I'm dealing with a Xen 3 server on SL 5 operating system with SL 5 para virtualized guests on it. But I'm having a heck of a time updating guests, getting them CD booted with console access to start the process. 
Any good pointers with the Xen 3.x built into SL 5 would be welcome. I know it's matured a *lot* since then, and a lot of guidelines just don't apply to such an old setup. Nico Kadel-Garcia Email: nka...@gmail.com Sent from iPhone On Feb 6, 2015, at 0:25, Steven Haigh net...@crc.id.au wrote: Hi all, As some of you might know, I package Xen and a Xen Dom0 kernel for EL7. If anyone uses Xen and want to test packages for EL7, take a look at: http://au1.mirror.crc.id.au/repo/el7-testing/ The testing repo has Xen version 4.5.0 and kernel 3.14.31. Bug tracker: http://xen.crc.id.au/bugs/my_view_page.php Mailing list: https://lists.wireless.org.au/mailman/listinfo/kernel-xen -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: systemd (again)
On 16/02/2015 2:29 AM, David Sommerseth wrote: From: John Lauro john.la...@covenanteyes.com To: David Sommerseth sl+us...@lists.topphemmelig.net Cc: scientific-linux-users SCIENTIFIC-LINUX-USERS@fnal.gov, kei...@kl-ic.com Sent: 15. februar 2015 14:33:25 Subject: Re: systemd (again) Sounds just what hackers would like. A nice web interface that doesn't even show up as a resource after it's been idle for 10 minutes so admins might not even realize if it's wide open... Gee ... if you look at netstat, I'm sure you'd notice that systemd is listening to that port. I'm sure any responsible sysadmin will always double check which ports are truly open. In addition, there is firewalling which any responsible sysadmin would not ignore to ensure is properly configured. netstat isn't the default way anymore... In fact, on some systems it isn't even available anymore unless you include the net-tools package. The advantage is that no system resources are spent on processes not being actively in use. Yes, it requires another mindset. But those who depend on evaluating system security primarily based on the output of 'ps' does a fairly poor job. So its xinetd? :) I've done a little bit of work with Xen packages using SystemD - and to be honest, it isn't *that* bad. If systemd is needed at all is a different question - although we're just adding another wrapper layer around an initscript that now gets called via systemd. In the end, it doesn't do anything more functional than the old init system did - just now that instead of throwing stuff in /etc/init.d, you now have to write another file to then call the init script. Web interfaces and other junk aside, systemd doesn't seem to do much in the way of improvement - in fact, most features of priorities and parallel start exist in sysvinit - but were never implemented properly by distributions... So instead, we reinvent the wheel again... 
--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Safe to install Oracle Java 1.8?
On 31/01/15 03:44, Vladimir Mosgalin wrote: Hi hansel! On 2015.01.29 at 19:30:33 -0500, hansel wrote next: If I download the Oracle rpm for 1.8, do the necessary links in /etc/alternatives, remove Open JDK 1.7 and make sure the enviroment variables are correct, do I avoid crashes (or silent errors) -- to the best of more experienced SL users' knowledge, of course? Some of what I do depends on Java version 1.8 andI need to do something. (On other distos, I would just do it (and did with Ubuntu), but SL7 docs carry strong warnings about introducting conflicts.) You don't have to remove OpenJDK 1.7 if there is some dependency installed. alternatives system allows multiple java versions to be installed at the same time. The warnings mostly apply to the way Oracle JDK is packaged, if you correct the packaging there is no problem with having it on the system, and no need to remove openjdk (if something depends on it) too. For example, one of the Oracle JDK packaging problems is inability to install both 32-bit and 64-bit JDK from rpm (official workaround: install from .bin bundle into distinct directories). Another problem is manual steps required for activating browser plugin. OpenJDK doesn't suffer from these and other problems. RHEL offers Oracle JDK 1.7 and 1.8 packages, for example, properly repackaged and ready to install. So there is definitely no inherent incompatibility. On a related note, from what I can tell the update to 1.8 has disabled some SSL connect methods. Sadly, this has locked me out of any Dell DRAC5 remote console interfaces... I'm hunting for a way to re-enable the disabled SSL methods, but I'm not quite sure how to do so... I'm on Fedora 21 on my desktop - but I believe its the same with any upgrade to 1.8 - even the Oracle JRE disables these SSL methods :( -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: Safe to install Oracle Java 1.8?
On 31/01/15 13:30, Steven Haigh wrote: On 31/01/15 03:44, Vladimir Mosgalin wrote: Hi hansel! On 2015.01.29 at 19:30:33 -0500, hansel wrote next: If I download the Oracle rpm for 1.8, do the necessary links in /etc/alternatives, remove Open JDK 1.7 and make sure the enviroment variables are correct, do I avoid crashes (or silent errors) -- to the best of more experienced SL users' knowledge, of course? Some of what I do depends on Java version 1.8 andI need to do something. (On other distos, I would just do it (and did with Ubuntu), but SL7 docs carry strong warnings about introducting conflicts.) You don't have to remove OpenJDK 1.7 if there is some dependency installed. alternatives system allows multiple java versions to be installed at the same time. The warnings mostly apply to the way Oracle JDK is packaged, if you correct the packaging there is no problem with having it on the system, and no need to remove openjdk (if something depends on it) too. For example, one of the Oracle JDK packaging problems is inability to install both 32-bit and 64-bit JDK from rpm (official workaround: install from .bin bundle into distinct directories). Another problem is manual steps required for activating browser plugin. OpenJDK doesn't suffer from these and other problems. RHEL offers Oracle JDK 1.7 and 1.8 packages, for example, properly repackaged and ready to install. So there is definitely no inherent incompatibility. On a related note, from what I can tell the update to 1.8 has disabled some SSL connect methods. Sadly, this has locked me out of any Dell DRAC5 remote console interfaces... I'm hunting for a way to re-enable the disabled SSL methods, but I'm not quite sure how to do so... 
I'm on Fedora 21 on my desktop - but I believe its the same with any upgrade to 1.8 - even the Oracle JRE disables these SSL methods :( Whoops - forgot to paste in my reference for this: https://rhn.redhat.com/errata/RHSA-2015-0069.html Although, further research that turned up the above URL also shows: A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566) Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section. Further digging on that shows up: Users who need to re-enable SSL 3.0 protocol support in OpenJDK or Oracle JDK can do so using one of the following ways: * Change the master security properties file to not include SSLv3 in the list of disabled algorithms. The java.security files for each JDK can be found at the following path: /usr/lib/jvm/*/jre/lib/security/java.security The sub-directory under /usr/lib/jvm contains package name (such as java-1.7.0-openjdk or java-1.7.0-oracle) possibly followed by package version or architecture (depending on the JDK and its version). Note that the change to the file will affect all applications using given JDK. Local changes to the file will also cause new java.security versions to be installed as java.security.rpmnew if future updates change packaged version, requiring manual merge of changes. * Re-enable SSLv3 support only for specific application or applications that require it. 
Create a new security properties file that will override the default jdk.tls.disabledAlgorithms setting from the master java.security, and use the java.security.properties system property to make Java read the file in addition to the master security properties file. Example:

$ cat enable-ssl3.security
jdk.tls.disabledAlgorithms=
$ java -Djava.security.properties=/path/to/enable-ssl3.security ...

Note that this only works if the master security properties file sets the security.overridePropertiesFile security property to true. That is the default setting in all OpenJDK and Oracle JDK packages shipped in Red Hat Enterprise Linux.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
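Because either method quoted above turns SSL 3.0 back on, it is worth being able to tell which JDKs or applications have had the default changed. The following Python is an added example, not part of the original message or of the Red Hat text: it parses java.security-style properties and reports whether SSLv3 is still in jdk.tls.disabledAlgorithms once an override file is applied. The file contents and function names are constructed for illustration.

```python
"""Audit whether SSLv3 is still disabled after java.security overrides."""

# Constructed excerpt standing in for .../jre/lib/security/java.security
MASTER = (
    "# master security properties (constructed sample)\n"
    "security.overridePropertiesFile=true\n"
    "jdk.tls.disabledAlgorithms=SSLv3, \\\n"
    "    DH keySize < 768\n"
)

# The per-application override file shown in the message (enable-ssl3.security)
OVERRIDE = "jdk.tls.disabledAlgorithms=\n"


def parse_properties(text):
    """Parse key=value lines, honouring '#'/'!' comments and '\\' continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]      # value continues on the next line
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def audit(master_text, override_text=None):
    """Return the effective disabled list and whether SSLv3 is allowed.

    Assumption for this example: the override file is applied only when the
    master file sets security.overridePropertiesFile to true, and is treated
    as ignored when that property is absent.
    """
    props = parse_properties(master_text)
    honoured = False
    if override_text is not None:
        flag = props.get("security.overridePropertiesFile", "")
        honoured = flag.lower() == "true"
        if honoured:
            props.update(parse_properties(override_text))
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    disabled = [item.strip() for item in raw.split(",") if item.strip()]
    return {
        "disabled": disabled,
        "override_honoured": honoured,
        "sslv3_allowed": "SSLv3" not in disabled,
    }


if __name__ == "__main__":
    for label, override in (("master only", None), ("with override", OVERRIDE)):
        result = audit(MASTER, override)
        status = "ALLOWED" if result["sslv3_allowed"] else "disabled"
        print(f"{label}: SSLv3 {status}; disabled list = {result['disabled']}")
```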
Re: Library security updates
On 28/01/2015 8:35 PM, John Rowe wrote:
> I'm sure many people will have seen the recent security update on gethostbyname(), etc. Apparently exim can be vulnerable to this.

Yes it is.

> This raises the question: does updating a library package actually protect systems from the vulnerability or do daemons continue to use the (insecure) version of the library call they linked at start up?

The program (exim in this case) uses a function in the library. It will continue to use the library that was present when the program started until you restart the program.

> And indeed, if yum updates a daemon due to security fixes does the daemon restart?

By default, package updates won't restart running programs. This is a manual step.

> If it doesn't protect us is there practicable way to make sure we are genuinely protected short of rebooting the whole system every time there is a security update?

Depending on what the update is. If you want to be 100% certain, reboot. If you don't want to reboot, you can hunt through what programs use certain libraries using ld - however the effort taken to do this is much more than a reboot - and probably takes longer.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
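A running process that loaded a library before the update keeps the old file mapped, and Linux marks that mapping "(deleted)" in /proc/<pid>/maps once the package manager has replaced the file. The following Python is an added example, not part of the original message: it lists processes that still map a deleted shared library and therefore need a restart. The sample maps text and function names are constructed, and reading other users' maps files requires root.

```python
"""Find processes that still map a shared library deleted by a package update."""
import os
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+"
    r"(?P<path>/.*)$"
)
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")
DELETED = " (deleted)"

# Constructed sample of a daemon started before a glibc update.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 fd:00 131 /usr/sbin/exim
7f3978e94000-7f397901e000 r-xp 00000000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f397901e000-7f397921e000 ---p 0018a000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f3979a00000-7f3979a20000 r-xp 00000000 fd:00 300 /lib64/ld-2.12.so
7f3979c00000-7f3979c01000 rw-s 00000000 00:04 999 /SYSV00000000 (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""


def stale_libraries(maps_text):
    """Return sorted paths of executable .so mappings whose file was deleted."""
    stale = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue  # anonymous mappings, [stack], [heap], ...
        path = match.group("path")
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        # Deleted shared-memory segments and temp files are not libraries.
        if "x" in match.group("perms") and SHARED_OBJECT.search(path):
            stale.add(path)
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Map pid -> (command name, stale libraries) for affected processes."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps")) as handle:
                stale = stale_libraries(handle.read())
            with open(os.path.join(base, "comm")) as handle:
                name = handle.read().strip()
        except OSError:
            continue  # process exited, or not permitted to read it
        if stale:
            findings[int(entry)] = (name, stale)
    return findings


if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(f"{pid} {name}: restart needed, still maps {', '.join(libs)}")
```

On EL systems the needs-restarting tool from yum-utils performs a similar check.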
Re: CVE-2015-0235 / RHSA-2015:0092
Hi again all,

This might be a false alarm. I tried to do more testing on different systems and have been unable to reproduce this... I did a full package check and all was good. Reinstalled the latest updates to glibc and things worked properly this time.

If you want extra safety, for this upgrade, make sure you have a copy of the old packages in case you find a problem too...

On 28/01/2015 5:30 PM, Steven Haigh wrote:
> Hi all,
>
> Looks like there is something wrong with the new glibc packages pushed to address this.
>
> With the following packages installed:
> glibc-2.12-1.149.el6_6.5
> glibc-common-2.12-1.149.el6_6.5
>
> Many segfaults like:
> sed[749]: segfault at 0 ip 0030004c4800 sp 7fff71c57038 error 6 in libc-2.12.so[300040+18a000]
> sed[763]: segfault at 0 ip 0030004c4800 sp 7fff78303768 error 6 in libc-2.12.so[300040+18a000]
> sed[785]: segfault at 0 ip 0030004c4800 sp 7fff1b4d04c8 error 6 in libc-2.12.so[300040+18a000]
> sed[792]: segfault at 0 ip 0030004c4800 sp 7fffae46a6d8 error 6 in libc-2.12.so[300040+18a000]
> grep[925]: segfault at 2a0 ip 0030004c2003 sp 7fffbb544dd0 error 6 in libc-2.12.so[300040+18a000]
> grep[937]: segfault at 2a0 ip 0030004c2003 sp 7fff830c0130 error 6 in libc-2.12.so[300040+18a000]
> sed[1028]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> sed[1050]: segfault at 0 ip 0030004c4800 sp 7fffbf52de08 error 6 in libc-2.12.so[300040+18a000]
> sed[1055]: segfault at 0 ip 0030004c4800 sp 7fff15bde3f8 error 6 in libc-2.12.so[300040+18a000]
> sed[1074]: segfault at 0 ip 0030004c4800 sp 7fff7bc97858 error 6 in libc-2.12.so[300040+18a000]
> sed[1079]: segfault at 0 ip 0030004c4800 sp 7fff01b59ab8 error 6 in libc-2.12.so[300040+18a000]
> grep[1180]: segfault at 2e0 ip 0030004c2003 sp 7fff58432e70 error 6 in libc-2.12.so[300040+18a000]
> egrep[1427]: segfault at 320 ip 0030004c2003 sp 7fffda712ba0 error 6 in libc-2.12.so[300040+18a000]
> smartd[1478]: segfault at 160 ip 7f3978f56003 sp 7fff0b2501b0 error 6 in libc-2.12.so[7f3978e94000+18a000]
> xl[1489]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1491]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1495]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1497]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1501]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1503]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1618]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> xl[1619]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> sed[1652]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> sed[1661]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> sed[1671]: segfault at 0 ip 0030004c4800 sp 7fffb757a6b8 error 6 in libc-2.12.so[300040+18a000]
> sed[1678]: segfault at 0 ip 0030004c4800 sp 71e3db48 error 6 in libc-2.12.so[300040+18a000]
> sed[1688]: segfault at 0 ip 0030004c4800 sp 7fff550a3b68 error 6 in libc-2.12.so[300040+18a000]
> sed[1708]: segfault at 0 ip 0030004c4800 sp 7fffe1127118 error 6 in libc-2.12.so[300040+18a000]
> sed[1744]: segfault at 0 ip 0030004c2091 sp (null) error 6 in libc-2.12.so[300040+18a000]
> sed[1768]: segfault at 0 ip 0030004c4800 sp 7fffee010d28 error 6 in libc-2.12.so[300040+18a000]
> sed[1775]: segfault at 0 ip 0030004c4800 sp 7fff13814028 error 6 in libc-2.12.so[300040+18a000]
>
> Downgrading to 2.12-1.149.el6_6.4 gives me a working system again.
>
> On 28/01/2015 11:44 AM, Steven Haigh wrote:
>> As an FYI:
>>
>> A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
>> https://rhn.redhat.com/errata/RHSA-2015-0092.html

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Re: Optimus / combination graphics
I kinda thought this about external monitors too... I could see an analog VGA cable being lesser quality than DVI, but DVI is digital - as such there is no quality loss - its either there or not. If its a 15 pin VGA connector in use, it will get loss at 1600x1200 or higher resolutions. That's the beauty of DVI / HDMI / DP - they're purely digital transmission forms. On 20/12/2014 12:22 AM, James M. Pulver wrote: I was pleased installing SL6 on a Lenovo W520. As I said, I just went into the BIOS, and told it to only use the nVidia card, and it all Just Worked at that point. I can't speak to nVidia being better than Intel for desktops, I haven't ever seen a difference I can notice (personally, I can't tell) for any VGA to 1920x1080 display based on the card driving it. Now, different Monitors definitely can make a big difference, but that has been independent of the video card in my experience. -- James Pulver CLASSE Computer Group Cornell University -Original Message- From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Karel Lang AFD Sent: Thursday, December 18, 2014 11:53 AM To: Jeff McWilliams Cc: Steven Haigh; scientific-linux-users@fnal.gov Subject: Re: Optimus / combination graphics Hi Jeff, thanks for a tip :] On 12/18/2014 01:33 PM, Jeff McWilliams wrote: Karel, I'm the development manager for Altair HyperView, a CAE post processing tool. We run into some of these same issues. On the Windows side, NVidia provided us with a method that allows our application to signal that the NVidia graphics should be used on an Optimus laptop, not the Intel graphics. The heuristics that the Optimus driver uses to switch between Intel and NVidia wasn't able to reliably switch to NVidia for our OpenGL app on its own. HyperView? I know that :] Our CAE/FEM department run mostly ANSA CAE preprocesor with Meta viewer. For CAD we run mostly Catia. 
My colleagues, that care about laptop installations also had troubles with Optimus (on windows Catia laptops), that's why i said don't want to buy it for my Linux laptop.. How are you connecting your laptop to the display? Analog VGA connector? DVI? Displayport? If you have different options, you may want to try switching to see if it improves the output. One of the guys here noticed a big difference when switching between one connector and the other. My laptop is docked and connected via DVI to HP LP2465 standard 1920x1200 external screen, so it should be OK. My understanding is that the switching between Intel and NVidia or AMD graphics is driven by the need to reduce power consumption and increase battery life. The integrated Intel graphics consumes less power than the AMD or NVidia chipsets. If you've ever worked with some of the older mobile workstation type laptops, those things would get hot sitting in your lap due to all the heat they generated. I know, the old mobile workstations were beasts, but at least you were sure you get the job done. And it really was as the name stated - 'mobile' workstations, so i wouldn't quite characterize it as a standard laptop :] I know the goal is to prolong the battery life. *Question is, what should be a perfect Linux laptop for Linux sysadmin :]* cheers, On Thu, Dec 18, 2014 at 6:30 AM, Karel Lang AFD l...@afd.cz mailto:l...@afd.cz wrote: On 12/17/2014 10:35 PM, Steven Haigh wrote: I have to chime in here... Windows support for Optimus and ATI Hybrid Graphics seem to work quiet well. I have a Dell Inspiron with onboard Intel an ATI card. I haven't been able to fault it. I don't use Optimus myself, so i can not say from my own experience - but if you just use a search engine and look for 'windows optimus troubleshooting' you'll see a good handful of hits. 
Most of the time when I'm running desktop apps, the Intel on-cpu graphics does everything needed - but when firing up OpenGL or DirectX stuff, the ATI card takes over the panel seemlessly. This is running on Windows 7 - I hear Windows 8 does this even better - but its Windows 8 :\ I work for Car design company (meaning CAD apps), we work for all big brands - VW group (Skoda, Volkswagen, Seat ..) Mercedes Benz, BMW - so i'm used to 'see' good VGA cards in work every day. If i take a computer screen that was connected previously to HP workstation with Nvidia Quadro VGA and connect it to laptop with Intel VGA - the difference is *huge* in colors, contrast etc. So for me, Intel VGA is simply no-go, because i know how much better it can be. I don't know where you get this 'bad pictures' part. It'll throw pixels at the screen just as quick as the ATI card for general desktop
Re: Optimus / combination graphics
On 18/12/2014 3:12 AM, Karel Lang AFD wrote: :] Thanks Akemi - i know. Thanks to a community of a bright and knowledge-sharing ppl we have at least this. (Linus Torvalds said it nicely a while ago ..(cite) Fuck you Nvidia! :]] ) But let's be blunt - it is not perfect, heck, it's not working correctly even on M$ windows. I read tons of Win users complains about this. I have to chime in here... Windows support for Optimus and ATI Hybrid Graphics seem to work quiet well. I have a Dell Inspiron with onboard Intel an ATI card. I haven't been able to fault it. Most of the time when I'm running desktop apps, the Intel on-cpu graphics does everything needed - but when firing up OpenGL or DirectX stuff, the ATI card takes over the panel seemlessly. This is running on Windows 7 - I hear Windows 8 does this even better - but its Windows 8 :\ I think that if i had to (was forced to) buy new laptop for linux nowadays, i'd buy most probably something with Kaveri APU from AMD (like eg. HP EliteBook 745 G2) .. Intel has good CPUs but bad VGAs and Optimus won't help you much, because it means you look at a bad pictures on screen most of the time (using Intel Vga). I don't know where you get this 'bad pictures' part. It'll throw pixels at the screen just as quick as the ATI card for general desktop use. The only real difference is in OpenGL / DirectX where the discrete card kicks in. The problem is, Linux support for this is just awful. We can throw blame games all you like, but yeah - it just doesn't work properly. I tried everything from Fedora to Arch to EL6 and nothing was happy to do switching as it should. It isn't the fault of the technology - but the software implementation to use it. AMD Kaveri APU has ofc worse CPU part compared to Intel APUs - but - do i need the CPU computing power here on laptop - no i dont, but do i need good sharp picture? Yes i need that one. 
Why should i buy Optimus with Nvidia 1GB Ram card, which is used only 5% of time then and 95% time is used ugly Intel VGA? Haha, i see it just as another clever plot to trick out us, poor users. I'm still not sure why you think Intel graphics are ugly. As I said, it'll throw 1920x1080 to a laptop screen all day and hardly be noticed. The only bad part is the linux implementation of switching between cards. -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: kickstart to install to whole disk
On 24/10/2014 1:59 PM, Orion Poplawski wrote: On 10/22/2014 03:23 PM, Steven Haigh wrote: Hi all, I'm wondering - I'm looking to simplify my Xen DomU installation via a kickstart file... As my Xen config has /dev/xvda - which should be formatted as ext4 and used as / - is there any options that I can achieve this? Just about everything I've stumbled across does partitioning first - and not the entire disk. Without supplying a kickstart file, the installer will bail saying no disks found. It's been this way for MANY years, but I heard rumours of a magical kickstart option - but I can't seem to find it... What do you have against partitioning the disk? Loosing the 512-bytes for the partition table? On some setups it can cause major write degradations in the virtual machine. If you can imaging the disk being set up in 4Kb clusters - which LVM then adheres to - but on the DomU disk with a partition, the alignment for partition data is now 0 + 512 bytes instead of 0. This means a write of 4Kb would write two sectors to the physical disk (first being 512 bytes + 4Kb, the second being the 512 bytes that give us an offset). In lame ASCII art, this means: Plain Disk: 0---512---1024---1536---2048 etc Whole disk write: -- to 4Kb Partitioned disk write: [ part tbl ] to 4Kb + 512 bytes Its good to get your sectors aligned Especially when its on a RAID backend that also has a stripe size as well... -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: kickstart to install to whole disk
On 24/10/2014 2:59 PM, Orion Poplawski wrote: On 10/23/2014 09:05 PM, Steven Haigh wrote: On 24/10/2014 1:59 PM, Orion Poplawski wrote: On 10/22/2014 03:23 PM, Steven Haigh wrote: Hi all, I'm wondering - I'm looking to simplify my Xen DomU installation via a kickstart file... As my Xen config has /dev/xvda - which should be formatted as ext4 and used as / - is there any options that I can achieve this? Just about everything I've stumbled across does partitioning first - and not the entire disk. Without supplying a kickstart file, the installer will bail saying no disks found. It's been this way for MANY years, but I heard rumours of a magical kickstart option - but I can't seem to find it... What do you have against partitioning the disk? Loosing the 512-bytes for the partition table? On some setups it can cause major write degradations in the virtual machine. If you can imaging the disk being set up in 4Kb clusters - which LVM then adheres to - but on the DomU disk with a partition, the alignment for partition data is now 0 + 512 bytes instead of 0. This means a write of 4Kb would write two sectors to the physical disk (first being 512 bytes + 4Kb, the second being the 512 bytes that give us an offset). In lame ASCII art, this means: Plain Disk: 0---512---1024---1536---2048 etc Whole disk write: -- to 4Kb Partitioned disk write: [ part tbl ] to 4Kb + 512 bytes Its good to get your sectors aligned Especially when its on a RAID backend that also has a stripe size as well... Hmm, that is an issue. I assume you've tried: part / --onpart /dev/xvda You may also be able to partition in %pre manually with GPT or dos with your desired alignment. For the record, I did manage to get this going: ## Wipe the disk completely and use the whole disk in ext4 config. zerombr clearpart --all --drives=xvda part / --fstype=ext4 --onpart=xvda --label=root bootloader --location=none One point though is that you have to make your own 'grub.conf' for Xen to use in booting the system. 
This isn't really an issue though - because you only need a template - the kernel updates will update the template once created. Now I've got it happening ok - its actually quicker to do a KS install than it was to untar my xz archive of a template system :) Having tried using full disk for things like md raid and lvm in the past an gotten burned by loosing most autodetection I've given up on not partitioning. Heh - I'm the other way :) -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: kickstart to install to whole disk
On 24/10/2014 3:08 PM, Orion Poplawski wrote:
> On 10/23/2014 10:02 PM, Steven Haigh wrote:
>> For the record, I did manage to get this going:
>>
>> ## Wipe the disk completely and use the whole disk in ext4 config.
>> zerombr
>> clearpart --all --drives=xvda
>> part / --fstype=ext4 --onpart=xvda --label=root
>> bootloader --location=none
>
> Just an aside - no swap?

Nope - If I need it, I do a file on disk instead... - or another partition which is also 'full disk' in the LVM...

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
kickstart to install to whole disk
Hi all, I'm wondering - I'm looking to simplify my Xen DomU installation via a kickstart file... As my Xen config has /dev/xvda - which should be formatted as ext4 and used as / - is there any options that I can achieve this? Just about everything I've stumbled across does partitioning first - and not the entire disk. Without supplying a kickstart file, the installer will bail saying no disks found. It's been this way for MANY years, but I heard rumours of a magical kickstart option - but I can't seem to find it... -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 signature.asc Description: OpenPGP digital signature
Re: Final Solution to Chinese Break in
On 3/10/2014 10:27 PM, Nico Kadel-Garcia wrote:
> On Fri, Oct 3, 2014 at 1:44 AM, Brad Cable b...@bcable.net wrote:
>>>> repeated access attempts to break in again. cron was changed so daily backups were done after they downloaded all new files. crontab -e no longer worked. We made a copy of the OS onto old disk and removed disk from the system. There were so many changes to the OS and files in /etc that we did not even try to repair it. There were 1000's of differences between new install and copy of old system. I personally think the bash problem is overblown because they have to get through modem, firewall, ssh before they can use bash.
>>>
>>> That is *one* instance, and not really relevant to the circumstances you described. In fact, many systems expose SSH to the Internet at large for git repository access, and for telecommuting access to firewalls and routers. The big problem with shellshock was that attempts to restrict the available commands for such access, for example inside ForceCommands controlled SSH authorized_keys files, could now be broken out of and allow full local shell access. Once you have *that* on a critical server, your hard crunch outershell is cracked open and your soft chewy underbelly exposed.
>>
>> Does git-shell use bash at all for its execution? Shouldn't git-shell fix most of these issues?
>
> I'm not sure git-shell wouldn't fix this issue, but introduce a raft of configuration issues. I was referring to the commonplace use of the SSH 'ForceCommands' option to restrict operations by a shared service account, such as the SSH credentials used for 'g...@github.com:/username/reponame' access, and even Github reported vulnerability to this problem for some accounts.
>
> The use of 'git-shell' for such shared service accounts is an intriguing approach I've not personally tried: thinking about it, it *sounds* like it might work well. I'm quite curious how Github and Bitbucket and git.centos.org do it. Github, at least, did report partial vulnerability, which they've addressed.
>
> It wouldn't do bupkiss for most svn+ssh or rsync over SSH backup setups.

rsync actually has an 'rrsync' utility in /usr/share/doc/rsync-x/support/

It is preferred to use this as the ForceCommand section of ssh config. This prevents getting a full shell and (should) resolve this issue.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
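Added example, not part of the original thread: an audit of an authorized_keys file for the forced-command restriction discussed above, reporting which keys have no command= option, which are pinned to rrsync, and which still allow port forwarding. The sample keys, comments and the rrsync install path are constructed placeholders, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Audit authorized_keys entries for forced-command restrictions."""
import os
import sys

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

# Constructed sample: key material, comments and paths are placeholders.
SAMPLE = '''\
# keys for the shared backup account
command="/usr/local/bin/rrsync -ro /srv/backup",restrict ssh-ed25519 AAAAC3Nzconstructed1 backup@nas
command="echo \\"no shell, sorry\\"",no-pty ssh-rsa AAAAB3Nzconstructed2 deploy@ci
no-port-forwarding ssh-rsa AAAAB3Nzconstructed3 legacy@host
ssh-ed25519 AAAAC3Nzconstructed4 admin@laptop
'''


def parse_entry(line):
    """Return (options dict, key type, comment) for one authorized_keys line."""
    line = line.strip()
    options, rest = {}, line
    if not line.startswith(KEY_PREFIXES):
        # Options are comma-separated and end at the first unquoted space.
        parts, buf, quoted, i = [], [], False, 0
        while i < len(line):
            ch = line[i]
            if quoted and line.startswith('\\"', i):
                buf.append('"')  # \" is a literal quote inside a value
                i += 2
                continue
            if ch == '"':
                quoted = not quoted
            elif ch == "," and not quoted:
                parts.append("".join(buf))
                buf = []
            elif ch.isspace() and not quoted:
                break
            else:
                buf.append(ch)
            i += 1
        parts.append("".join(buf))
        rest = line[i:].strip()
        for part in parts:
            name, sep, value = part.partition("=")
            if name:
                options[name.lower()] = value if sep else True
    fields = rest.split(None, 2)
    keytype = fields[0] if fields else ""
    comment = fields[2] if len(fields) > 2 else ""
    return options, keytype, comment


def audit(text):
    """Return one finding (a dict) per key in the file.

    status is "shell" (no forced command), "rrsync" or "forced". sshd starts
    a forced command through the account's login shell, so that shell is part
    of the restriction; a vulnerable bash there is what Shellshock abused.
    """
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        options, keytype, comment = parse_entry(raw)
        command = options.get("command")
        argv = command.split() if isinstance(command, str) else []
        if command is None:
            status = "shell"
        elif argv and os.path.basename(argv[0]) == "rrsync":
            status = "rrsync"
        else:
            status = "forced"
        # command= alone does not switch off port forwarding.
        closed = "restrict" in options or "no-port-forwarding" in options
        forwarding = "port-forwarding" in options or not closed
        findings.append({"comment": comment, "keytype": keytype,
                         "status": status, "command": command,
                         "forwarding": forwarding})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for f in audit(text):
        fwd = "forwarding allowed" if f["forwarding"] else "forwarding off"
        print(f"{f['comment'] or '(no comment)'}: {f['status']}, {fwd}")
```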
Re: sl7 systemd sysvinit
On 26/08/2014 9:42 PM, David Sommerseth wrote: On 26/08/14 01:57, Steven Haigh wrote: On 26/08/2014 9:36 AM, Vladimir Mosgalin wrote: Hi Ken Teh! On 2014.08.25 at 12:58:21 -0500, Ken Teh wrote next: I read the following article on systemd http://ifwnewsletters.newsletters.infoworld.com/t/9625863/474699771/826094/14/ The comments suggested one could still revert to sysvinit. Is this just wishful thinking on my part? Yes. As an exercise, why don't you revert EL6's upstart to sysvinit? Note that enabling/disabling some services on EL6 *requires* you to use upstart-specific initctl, you simply won't notice these services if you will only look at chkconfig. systemd offers many benefits for system administrators, like: No, no it doesn't. [...snipped out ranting...] Today I learnt that if you don't fit a standard model for usage, you become a ranter First of all, systemd is a new way of thinking bootup and system management. It requires users to adjust to the a way of doing things. I used to be a sharp systemd critic, after struggling with it during testing of Fedora 15. I've run Fedora 19 and Fedora 20, and accepted that systemd is not going away. And I do begin to like it. And I very much look forward to it in EL7. Even my Jolla phone uses systemd, and it was a breeze to write the needed unit file to make it load my own firewall rules at boot. Remember that systemd replaces _more_ than just the init scripts and the boot process. It is a full blown system _manager_. Its task is to ensure a predictable behaviour as long as the system runs. If you plug in or remove hardware, the appropriate actions should happen. If a specific network becomes available, network filesystems can automatically be mounted. Restarting of processes which dies can be tackled automatically (and disabled where you don't want it). Resource management via cgroups can be tackled in a more consistent way. And more. 
All this via a more standardised set of tools, which knows about each other and tries to avoid to trip on each others toes. I can agree that systemd has a broad footprint. But the more I play with it, the more I can understand why it needs to have a broader scope than just kicking off init scripts at boot. snip So I encourage people to give systemd a fair chance. Accept that it does things differently, and see how it can be used to reach your goals. Hopefully you'll see what I've seen so far, that it actually works quite well. I've given it a fair go - but there is a BIG problem if you don't fit the standard model that systemd forces you into. Ok, so off the top of my head, the following is broken with systemd as of right now: 1) Logwatch doesn't work at all with journals. 2) You can't pipe the journal to a different machine as per remote syslogging (which is a standard for decades). You can run syslog *as well* as systemd logging, but output is limited compared to journals. 3) SNMP monitors that monitor log files are broken because of point #2. 4) A heap of very basic changes require you to write your own service file for systemd. While it isn't hard, I found that roughly half of services I required to run needed me to write my own service file (remember, you can't just edit the one in /usr/./ etc). 5) Network stability was faulty in my tests - you could not guarantee that networking would start (this is a static IP case) on every boot. This alone is critical. 6) The concept of a binary log file is flawed from the start. IBM used to do it, but afaik, abandoned the idea in most products. 7) Parallel service start introduces a range of issues that do not happen in serial boot order. In enterprise land, we care about stability - not speed. As a comparison, the BIOS on the RAID card takes longer (usually 45-50 seconds) than booting the system no matter what OS / init system. 8) SystemD isn't just about system boot. 
It replaces logging, cron, monitoring, service init and more. It gets its claws into everything - but not everything it replaces gets done well. I'm half expecting it to grow an email client in there as well. I have no problems with change when it is done well. The problem is, SystemD has not been done well and introduces more problems than it fixes. To say that it is perfect more indicates that you fit the SystemD mold rather than SystemD actually doing its job properly. In other news, there was a recent slashdot article on this exact subject: http://linux.slashdot.org/story/14/08/25/1730245/choose-your-side-on-the-linux-divide There is certainly a new trend of linux developers around - and the problems that are being introduced now are the same ones that were fixed decades ago by the previous generation of developers. The problems haven't changed - only the way they are approached. -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: need wget help: does not resolve file name
Quoting. wget http://www.overlooksoft.com/packages/download?plat=lx64ext=rpm; On 28/07/2014 4:08 PM, ToddAndMargo wrote: Hi All, The nice folks at OverLookSoft set this file up so that it will download automatically with wget http://www.overlooksoft.com/packages/download?plat=lx64ext=rpm It get a file called: download?plat=lx64ext=rpm Firefox does resolve this. What am I doing wrong with wget? Many thanks, -T -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: need wget help: does not resolve file name
On 29/07/2014 2:54 AM, ToddAndMargo wrote: On 28/07/2014 4:08 PM, ToddAndMargo wrote: Hi All, The nice folks at OverLookSoft set this file up so that it will download automatically with wget http://www.overlooksoft.com/packages/download?plat=lx64ext=rpm It get a file called: download?plat=lx64ext=rpm Firefox does resolve this. What am I doing wrong with wget? Many thanks, -T On 07/27/2014 11:12 PM, Steven Haigh wrote: Quoting. wget http://www.overlooksoft.com/packages/download?plat=lx64ext=rpm; Hi Steven, Firefox sees the same thing, but resolves it to a real file name. I am trying to duplicate that with wget. Yeah, wget isn't that smart... I've never figured it out - When I know the filename, I just use the -O filename option to override the output file... -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: How do you speed up rsync?
On 12/07/2014 3:24 PM, ToddAndMargo wrote: On 07/11/2014 01:49 PM, Patrick J. LoPresti wrote: On Fri, Jul 11, 2014 at 1:40 PM, Patrick J. LoPresti lopre...@gmail.com wrote: Try giving the --size-only option to rsync. Better yet, try --modify-window=1. From the rsync man page: --modify-window When comparing two timestamps, rsync treats the timestamps as being equal if they differ by no more than the modify-window value. This is normally 0 (for an exact match), but you may find it useful to set this to a larger value in some situations. In particular, when transferring to or from an MS Windows FAT filesystem (which represents times with a 2-second resolution), --modify-window=1 is useful (allowing times to differ by up to 1 second). - Pat Hi Pat, --modify-window=1 3 hr - 9 sec --modify-window=10 3 hr - 8 sec Rat! I really though this sounded right I did notice that the bugger the file (with no changes) the longer it took. So, I think they are still doing check sums. Any way to turn of the check sum testing? Now you're starting to get off task... How can you sync something if you don't know if it matches? Sure, you can only go off timestamps - but what then? It leaves you with a situation where you may get files that are different and you'll never know. You'd be much better off getting a better flash drive (ie not add hack upon hack that may not help) and fixing the root cause of the problem. Hell, get a small laptop HDD and put it in a USB caddy case. Get a small SSD (they're cheap!) and put that in a case... -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: How do you speed up rsync?
On 12/07/2014 3:49 PM, ToddAndMargo wrote: On 07/11/2014 10:44 PM, Steven Haigh wrote: On 12/07/2014 3:24 PM, ToddAndMargo wrote: On 07/11/2014 01:49 PM, Patrick J. LoPresti wrote: On Fri, Jul 11, 2014 at 1:40 PM, Patrick J. LoPresti lopre...@gmail.com wrote: Try giving the --size-only option to rsync. Better yet, try --modify-window=1. From the rsync man page: --modify-window When comparing two timestamps, rsync treats the timestamps as being equal if they differ by no more than the modify-window value. This is normally 0 (for an exact match), but you may find it useful to set this to a larger value in some situations. In particular, when transferring to or from an MS Windows FAT filesystem (which represents times with a 2-second resolution), --modify-window=1 is useful (allowing times to differ by up to 1 second). - Pat Hi Pat, --modify-window=1 3 hr - 9 sec --modify-window=10 3 hr - 8 sec Rat! I really though this sounded right I did notice that the bugger the file (with no changes) the longer it took. So, I think they are still doing check sums. Any way to turn of the check sum testing? Now you're starting to get off task... How can you sync something if you don't know if it matches? Sure, you can only go off timestamps How would I do size and time stamp? Virtually everything I modify will either be a different size and/or get a new time stamp. I can not think of a reason why, in this instance, I'd need to do a check sum. Then you don't want to use rsync - as you're not syncing. rsync will also checksum data AFTER copying to verify the copy was successful. If you don't care about the rest, try the normal cp: cp -apu /path/to/source /path/to/destination -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7
On 11/06/14 17:24, Matthias Schroeder wrote:
> On 06/11/2014 04:12 AM, Steven Haigh wrote:
>> On 11/06/14 12:07, Paul Robert Marino wrote:
>>> Yes a lot of us noticed. Recompiling an entire distro from scratch is not an easy proposition. Furthermore they need to strip out all of the Red Hat branding. Expect it to take a while at least a month or two if not more.
>>
>> I think it'll take longer than normal this time around... The build process is changing completely from previous versions.
>
> True, adapting the process to the new supply chain and source format will take a while.
>
>> It seems the code is getting published on git.centos.org - but it seems nobody really knows who is putting it there. This leaves the moral quandary of 'do we all trust an anonymous source with no official ties to Red Hat?'
>
> http://ftp.redhat.com/redhat/linux/enterprise/7Server/en/os/README says
> "Current sources for Red Hat Enterprise Linux 7 have been moved to the following location: https://git.centos.org/project/rpms"
>
> Does this reduce your moral quandary a little?

Not at all. There is no source for this data at all. Just spec files and patches that have 'appeared'.

The SRPMs provided by RedHat in the past are all signed by RedHat and are VERY difficult if not impossible to tamper with. There is no method to authenticate that the files being dumped into git.centos.org by an unknown source (hint: It isn't the CentOS guys putting them there) are unmodified or even supplied by RedHat.

This is the problem.

--
Steven Haigh
Email: net...@crc.id.au
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
Re: RHEL 7 just hit the market place, I'm looking forward to when we can start testing SL 7
On 11/06/14 12:07, Paul Robert Marino wrote: Yes a lot of us noticed. Recompiling an entire distro from scratch is not an easy proposition. Furthermore they need to strip out all of the Red Hat branding. Expect it to take a while at least a month or two if not more. I think it'll take longer than normal this time around... The build process is changing completely from previous versions. It seems the code is getting published on git.centos.org - but it seems nobody really knows who is putting it there. This leaves the moral quandary of 'do we all trust an anonymous source with no official ties to Red Hat?' Time will tell. -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: VMs of EL and other environments
On 08/04/14 22:24, Nico Kadel-Garcia wrote: On Tue, Apr 8, 2014 at 12:10 AM, Steven Haigh net...@crc.id.au wrote: I'm a little biased - but check out: http://xen.crc.id.au/ Heh. I've not had a chance to play with Xen in about 6 years, when I published the first (freeware!) RPM's for it. How's it been since Citrix bought it? I love it and stand by it. I run multiple hardware machines as Xen Dom0's with multiple guests and have *very* little trouble with it. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: VMs of EL and other environments
On 08/04/14 14:06, zxq9 wrote: On Monday 07 April 2014 22:52:57 Nico Kadel-Garcia wrote: Name 2. Seriously. The KVM management tools are *not* good, at least in Scientific Linux 6 or the upstream vendor's toolkits, because the underlying libvirt toolkit is trying to do too many things at once and therefore getting each different virtualization technology wrong in different ways. If you think I'm kidding, go ahead and configure pair-bonding in the virtual appliances. Aside from the previous reply, I get that you think KVM is a steaming pile, how does this relate to Yasha's question? More to the point, how do you feel about VirtualBox as an enterprise platform? I'm a little biased - but check out: http://xen.crc.id.au/ -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: TTF fonts
I'm a bit lazy with this I have an archive of all fonts from C:\Windows\Fonts - I simply extract this to a new directory in /usr/share/fonts/Windows. I then run the following as root: fc-cache -f -v From then on, all the windows fonts are available. -- Steven Haigh Email: net...@crc.id.au Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 On 12/03/14 04:43, צביקה הרמתי wrote: Actually, I already have the liberation fonts installed. To be more detailed, the application that needs the fonts is Cadence Specman, which currently looks awful (compared to other machines I used). I'm not 100% sure, but it's claimed that MS fonts should solve the problem, so it's worth trying. Regarding http://oimon.wordpress.com/2011/09/05/msttcorefonts-on-rhel6-centos-6-sl6/, well, I saw that link, and something is strange there. They take http://corefonts.sourceforge.net/msttcorefonts-2.0-1.spec and patch it. However, there is already http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec Therefore, I assumed that the previous post is outdated. That's the reason I wanted to hear some opinions, before trying a process that I don't fully understand... 2014-03-11 19:35 GMT+02:00 Akemi Yagi amy...@gmail.com mailto:amy...@gmail.com: On Tue, Mar 11, 2014 at 10:21 AM, Pat Riehecky riehe...@fnal.gov mailto:riehe...@fnal.gov wrote: On 03/11/2014 12:09 PM, צביקה הרמתי wrote: Hi. What's the best way to install MS TTF fonts? In Debian/Ubuntu, I just installed ttf-mscorefonts-installer. Googling gave some peculiar answers; I wandered what's the common practice. Thanks, Zvika I personally prefer the Liberation Fonts. They are very similar to the mscorefonts but under a less restrictive license. As root: yum install liberation-serif-fonts liberation-sans-fonts liberation-mono-fonts Should provide them. Pat +1 for the Liberation fonts. 
But if you _must_ install ttf fonts for some reason, check this out: http://oimon.wordpress.com/2011/09/05/msttcorefonts-on-rhel6-centos-6-sl6/ (not tested by me) Akemi
Re: Exchange server alternative?
On 08/02/14 13:08, ToddAndMargo wrote: So I was wondering what you all thought would be a good SL6.x substitute for Exchange server? I'd actually be interested in this too... I wrote a howto[1] on getting virtual mail hosting using mysql + postfix + dovecot - however the big thing that is missing is contacts / calendar integration. Thunderbird can use caldav for calendar data, but the integration doesn't really seem to be there. As for contacts, this has a similar problem. I'd also be very interested in a method to sync calendar + contacts that can be easily tied into Thunderbird / Android -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 1 - https://www.crc.id.au/virtual-mail-hosting-on-el6/
Re: Centos / Redhat announcement
On 9/01/2014 10:26 PM, Ian Murray wrote: - Original Message - From: Connie Sieh cs...@fnal.gov To: scientific-linux-users@fnal.gov; scientific-linux-de...@fnal.gov Cc: Sent: Wednesday, 8 January 2014, 19:53 Subject: Centos / Redhat announcement We are in the process of researching/evaluating this news and how it impacts Scientific Linux. CentOS Scientific Edition has a nice ring to it. Why sully the good name of Scientific Linux? :P -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: DNS Servers
On 10/01/2014 11:16 AM, Jeremy Wellner wrote: I've been using BIND on RHEL5 for years and it's come time to overhaul those venerable DNS boxes. I've seen a lot of alternatives like NSD, PowerDNS, YADIFA, and others but I'm wondering what experience has been with going to something other than BIND. Having a database backend is very attractive, but so is having a manageable GUI for those in the department that work with adding devices and are scared of text files and the black of terminal. Use bind. DNS is all about reliability - not pretty or GUIs... -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: CentOS + RHEL join forces...
On 8/01/2014 1:08 PM, Steven Miano wrote: So how does that impact Scientific Linux? In a nutshell? It doesn't. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: NFTables To Replace iptables In the Linux Kernel
On 21/10/2013 4:09 AM, Henrique C. S. Junior wrote: As reported in Slashdot[1] in the near future iptables is going to be replaced by NFTables in the linux kernel. The project[2] is said to be a new and best package filtering framework. Have any of you, guys, tried it already and have some experiences to share? Does it matter? EL6 won't ever have NFTables support. EL7 probably won't either. Don't stress and keep doing what you're doing. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: furlough?
On 12/10/13 05:34, Robert Blair wrote: Will sl6 updates be available if FNAL shuts down due to the absence of a CR? Is there a plan for continuing support in the event FNAL furloughs its workforce? Sadly while the rest of the world looks on at the USA and shakes its collective head on how this can even happen. While I don't want to start a politics thread here - the thought of that happening elsewhere in the world is just unimaginable. Sorry to the American citizens - but you're being taken for a ride. Your country is broken and needs to be fixed. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: pam + mysql + vsftp
Ok, so replying to myself - I managed to figure this out... On 18/09/2013 1:11 PM, Steven Haigh wrote: Hi all, I've been butting my head against this one for a while - so I figured its time to get help... ;) I'm trying to use pam_mysql to authenticate FTP users via PAM. I've edited the /etc/pam.d/vsftpd to contain: auth required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1 account required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1 The passwords are stored in a MySQL database as ssha512 format. This means they look something like: {SHA512-CRYPT}$6$qLv. Right here is where the problem was... crypt() fails when verifying them - as it doesn't recognise the header {SHA512-CRYPT} from the result MySQL returns. To work around this, I altered what is returned in the query: users.user_column = CONCAT(username, @, domain) users.password_column = REPLACE(password, '{SHA512-CRYPT}', '') users.password_crypt= Y The docs in /usr/share/doc/pam_mysql-0.7 are sparse, but helped me figure out I could pass more than just column names in these fields. When I try to use this account, I see the following in /var/log/messages: Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string() called Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au' Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() returning 6. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called. 
Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_converse() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string() called Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au' Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() returning 6. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() returning 7. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_release_ctx() called. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_destroy_ctx() called. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_close_db() called. I can't find any real info on what pam_mysql_check_passwd() returning 6 means - but I assume its a password check failure. My only thought is that somehow the password format supplied by the database (which works on dovecot) is different than expected by PAM... Does anyone have any thoughts on this? -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
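The fix in the reply above strips the {SHA512-CRYPT} label in SQL so that crypt() is handed a bare $6$ string. As an added example (not part of the original post, and not pam_mysql or Dovecot code), the Python below audits stored password values and reports which ones need that strip and which would still fail after it. The function names, verdict strings and sample rows are assumptions made for illustration; the sample digests are constructed filler, not real hashes.

```python
import re

# Dovecot-style labels whose body is a crypt(3) string, mapped to the "$id$"
# the body must carry and the length of its encoded digest.
CRYPT_SCHEMES = {
    "MD5-CRYPT": ("1", 22),
    "SHA256-CRYPT": ("5", 43),
    "SHA512-CRYPT": ("6", 86),
}
DIGEST_LEN = dict(CRYPT_SCHEMES.values())  # {"1": 22, "5": 43, "6": 86}

LABEL_RE = re.compile(r"\{([A-Za-z0-9.-]+)\}(.*)", re.S)
MCF_RE = re.compile(
    r"\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)"
)


def split_label(stored):
    """Return (label, body); label is None when there is no {SCHEME} prefix."""
    m = LABEL_RE.fullmatch(stored)
    return (m.group(1), m.group(2)) if m else (None, stored)


def crypt_id(body):
    """Return "1", "5" or "6" if body is a well-formed crypt(3) string, else None."""
    m = MCF_RE.fullmatch(body)
    if not m or len(m.group("digest")) != DIGEST_LEN[m.group("id")]:
        return None
    # MD5-crypt has no rounds= field and uses at most 8 salt characters.
    if m.group("id") == "1" and (m.group("rounds") or len(m.group("salt")) > 8):
        return None
    return m.group("id")


def classify(stored):
    """Say what a crypt()-based verifier would make of one stored value."""
    label, body = split_label(stored)
    cid = crypt_id(body)
    if label is None:
        return "ok" if cid else "not-crypt"
    if label not in CRYPT_SCHEMES:
        return "not-crypt"        # e.g. {SSHA512}: stripping the label will not help
    if cid is None:
        return "malformed"        # e.g. digest cut short by a narrow column
    if CRYPT_SCHEMES[label][0] != cid:
        return "label-mismatch"   # label and $id$ disagree
    return "needs-strip"          # the case described in the post


def for_crypt(stored):
    """Return the string to hand to crypt(), or None if the value is unusable."""
    verdict = classify(stored)
    if verdict == "ok":
        return stored
    if verdict == "needs-strip":
        return split_label(stored)[1]
    return None


def audit(rows):
    """Map each user to the verdict for its stored password value."""
    return {user: classify(stored) for user, stored in rows}


# Constructed sample rows (filler digests, hypothetical users).
SAMPLE_ROWS = [
    ("alice@example.org", "{SHA512-CRYPT}$6$Zm9vYmFyc2FsdA$" + "A" * 86),
    ("bob@example.org", "$6$rounds=5000$Zm9vYmFyc2FsdA$" + "B" * 86),
    ("carol@example.org", "{SHA512-CRYPT}$1$abcdefgh$" + "C" * 22),
    ("dave@example.org", "{SSHA512}" + "D" * 96),
    ("erin@example.org", "{SHA512-CRYPT}$6$Zm9vYmFyc2FsdA$" + "E" * 40),
]

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user:20} {verdict}")
```

Only rows reported as needs-strip are fixed by the REPLACE() approach; the other non-ok verdicts point at a different storage scheme or a damaged value.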
pam + mysql + vsftp
Hi all, I've been butting my head against this one for a while - so I figured its time to get help... ;) I'm trying to use pam_mysql to authenticate FTP users via PAM. I've edited the /etc/pam.d/vsftpd to contain: auth required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1 account required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1 The passwords are stored in a MySQL database as ssha512 format. This means they look something like: {SHA512-CRYPT}$6$qLv. When I try to use this account, I see the following in /var/log/messages: Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string() called Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au' Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() returning 6. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_converse() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string() called Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape() called. 
Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au' Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd() returning 6. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() returning 0. Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() returning 7. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_release_ctx() called. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_destroy_ctx() called. Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_close_db() called. I can't find any real info on what pam_mysql_check_passwd() returning 6 means - but I assume its a password check failure. My only thought is that somehow the password format supplied by the database (which works on dovecot) is different than expected by PAM... Does anyone have any thoughts on this? -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299 signature.asc Description: OpenPGP digital signature
Re: Bug in yum-autoupdate
On 02/08/13 02:26, Vincent Liggio wrote: On 08/01/2013 12:16 PM, Elias Persson wrote: All the more reason to read up on the differences, and if it's only one system 'yum remove yum-autoupdate' is hardly a big deal. If it's 1200 systems, what difference would an option in anaconda make? It's not like you'll be stepping through that hundreds of times, right? No, when I have to migrate to a new OS (which won't be a 6.4 derivative, it will be a 7.0 one, so probably 8-9 months from now), then I'll worry about the differences. When I'm testing a piece of hardware that requires a specific kernel release on an OS I don't run, whether a new option is installed by default or not is not on the top of my list of things to worry about. If you really do have 1200 systems to worry about, I'd be looking at things like satellite. I have ~20-25 systems and yum-autoupdate is fantastic. It does what it says on the box and relieves me of having to watch / check for updates every day. I get an email in the morning that tells me what was updated and if there were any problems. I've been doing this for several years with no problems. Before yum-autoupdate I had my own script do similar things in the daily cron. My point is, what you want (the issue being highlighted) is already being done. It's not being done precisely where you want it to be done, but I don't see how that's an issue, given the circumstances. What I think should be done is it be an obvious option, not hidden in release notes. It's hardly hidden - and if you don't like it, don't install the package - it's purely in your control.
Re: Bootable USB installer for SL6.3
On 12/04/13 04:33, Konstantin Olchanski wrote: Instructions for making USB-Bootable installation disk for 64bit SL6.3 -- *snip* This seems like the long way... The method I've used is VERY simple: # dd if=/path/to/iso of=/dev/usbstick Then boot from the USB stick. I've done this for a netinstall of Fedora, SL, etc etc for a long, long time. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re:
On 09/04/13 18:29, vivek chalotra wrote: Hello all, One of my friends has deleted all the data in /home by mistake using rm -rf command. She actually used $ rm -rf ~ Now is there any way to recover that precious data. Restore from backup. If you don't have a backup, let this serve as a lesson as to WHY a backup is important. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: Power management with ATI Radeon cards using the radeon driver.
On 19/03/13 09:05, David Crick wrote: Thanks for this. The Wiki actually says kernel 2.6.35 or newer is required, but TUV must have backported it because they're there and available to be set in 2.6.32-358.2.1.el6.x86_64 Yeah - this is one of the 'joys' of the TUV Franken-kernel. You never know what backported stuff you'll get. Sometimes I think it is called 2.6.32 only because that is what it started with. The end result certainly isn't 2.6.32 anymore ;) -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
multi-monitor problems...
Hi again all, This has started to bug me in a multi-monitor setup 1) notification-daemon always seems to pop up the notifications on the Top Right (This is good) of the screen that the mouse is currently on (this is bad). Is there a way that I can tell notification-daemon to use screen #x for all notifications instead of them changing based on where the mouse is at the time? I had a quick look in the schema for notification-daemon that is presented via gconf-editor, but nothing stood out. 2) New windows seem to follow the mouse also. If I click the Thunderbird icon for instance, then move my mouse to the left of the three screens, the new thunderbird windows will appear on the left screen. If I leave the mouse on the middle screen, it will appear there - same with the right screen. Is there a way to disable this behaviour to either have the windows appear where they were last, or the centre by default? Sorry if these seem to be fairly newbie questions - my history with linux has always been on the server / CLI end - this is the first time I've really been using linux on the desktop... -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
udev renaming ethernet adapters to vlan names?
Hi all,

This one has been going on for a while... Every time I install an updated kernel on this specific machine, I get a udev rule inserted in /etc/udev/rules.d/70-persistent-net.rules

That rule is:

# PCI device 0x10ec:0x8169 (r8169) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:18:4d:79:65:47", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1.203"

Now what's strange here is udev renames the physical ethernet adapter (eth0) to eth1.203 - which is (was?) a working VLAN.

So, the network config:

# cat ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:40:63:EA:B7:21
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes

# cat ifcfg-eth1
# Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=static
ONBOOT=no
HWADDR=00:18:4d:79:65:47

# cat ifcfg-eth1.10
# Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
TYPE=Ethernet
DEVICE=eth1.10
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.1.1.254
NETMASK=255.255.255.0
VLAN=yes
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2002:cb38:f71b:2::1
IPV6FORWARDING=yes

# cat ifcfg-eth1.203
# Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
TYPE=Ethernet
DEVICE=eth1.203
BOOTPROTO=static
ONBOOT=yes
IPADDR=203.56.246.94
NETMASK=255.255.255.240
VLAN=yes
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2002:cb38:f71b:1::1
IPV6FORWARDING=yes

As you can see, there isn't very much out of a normal ethernet setup - but where the udev rule comes from is beyond me. It happens guaranteed every time yum installs a kernel update.

Does anyone have any pointers on where to chase this down to?

-- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: ath9k wifi dropouts
by a country IE request on phy0 AP: 1363163093.232867: wlan0: del station 1c:4b:d6:98:14:48 AP: 1363163096.218316: wlan0 (phy #0): mgmt TX status (cookie 80de90e0): acked AP: 1363163096.285290: wlan0 (phy #0): mgmt TX status (cookie 80dff440): no ack AP: 1363163096.342560: wlan0 (phy #0): mgmt TX status (cookie 80dff440): no ack AP: 1363163097.172129: wlan0 (phy #0): mgmt TX status (cookie 80dcef00): acked AP: 1363163097.179453: wlan0 (phy #0): mgmt TX status (cookie 80dcef00): acked AP: 1363163097.222866: wlan0: new station 1c:4b:d6:98:14:48 So, as far as the access point goes, it seems the client disassociates itself, then associates again. The PC seems think that the access point has gone away, and disconnects. Strange. -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
ath9k wifi dropouts
Hi all, I've been trying to figure out the cause of this... It seems I'll be using the wifi without issue, then NetworkManager will indicate that it is reconnecting. It seems to happen randomly with no real pattern. iw events -t shows: 4b:d6:98:14:48 - 00:0f:66:c5:2d:6b reason 3: Deauthenticated because sending station is leaving (or has left) the IBSS or ESS 1363082116.240481: wlan0 (phy #0): disconnected (local request) 1363082122.323703: wlan0 (phy #0): auth 00:0f:66:c5:2d:6b - 1c:4b:d6:98:14:48 status: 0: Successful 1363082122.344295: wlan0 (phy #0): assoc 00:0f:66:c5:2d:6b - 1c:4b:d6:98:14:48 status: 0: Successful 1363082122.347571: wlan0 (phy #0): connected to 00:0f:66:c5:2d:6b Interestingly, I've only had this problem under linux. The access point is stable and works fine with the same card under Windows 7 - as well as our smart phones etc etc. The access point hasn't changed in a number of years (4+). At the moment, I'm using the kernel-ml from elrepo until I can get the eeepc module re-enabled for 64 bit kernels from our wondering upstream provider. (Battery life dies to about 3.5 hours instead of 5+ with it!) I've tried 'iwconfig wlan0 power off' to disable power management from the wifi adapter, but the dropouts still seem to randomly happen. The AP is secured with WPA2-PSK (AES+TKIP) - not sure if that makes a difference... Does anyone have any thoughts in troubleshooting this? -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: [SCIENTIFIC-LINUX-USERS] ath9k wifi dropouts
On 03/13/2013 02:54 AM, Pat Riehecky wrote: On 03/12/2013 05:45 AM, Steven Haigh wrote: On 12/03/13 21:03, Steven Haigh wrote: Hi all, I've been trying to figure out the cause of this... It seems I'll be using the wifi without issue, then NetworkManager will indicate that it is reconnecting. It seems to happen randomly with no real pattern. iw events -t shows: 4b:d6:98:14:48 - 00:0f:66:c5:2d:6b reason 3: Deauthenticated because sending station is leaving (or has left) the IBSS or ESS 1363082116.240481: wlan0 (phy #0): disconnected (local request) 1363082122.323703: wlan0 (phy #0): auth 00:0f:66:c5:2d:6b - 1c:4b:d6:98:14:48 status: 0: Successful 1363082122.344295: wlan0 (phy #0): assoc 00:0f:66:c5:2d:6b - 1c:4b:d6:98:14:48 status: 0: Successful 1363082122.347571: wlan0 (phy #0): connected to 00:0f:66:c5:2d:6b Interestingly, I've only had this problem under linux. The access point is stable and works fine with the same card under Windows 7 - as well as our smart phones etc etc. The access point hasn't changed in a number of years (4+). At the moment, I'm using the kernel-ml from elrepo until I can get the eeepc module re-enabled for 64 bit kernels from our wondering upstream provider. (Battery life dies to about 3.5 hours instead of 5+ with it!) I've tried 'iwconfig wlan0 power off' to disable power management from the wifi adapter, but the dropouts still seem to randomly happen. The AP is secured with WPA2-PSK (AES+TKIP) - not sure if that makes a difference... Does anyone have any thoughts in troubleshooting this? I should note as well that I added the following to a new file called /etc/modprobe.d/wireless.conf: options ath9k nohwcrypt=1 This doesn't seem to have made a difference. I've got one of these at home and I see similar behavior - it drops out rather often. I've not found a fix... Dang! Its rather annoying to say the least. I've even tried kernel 3.8.2 (which has the eeepc_laptop module included in the 64 bit kernel. 
Might have to do some more research -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299
Re: CONFIG_EEEPC_LAPTOP is not set
On 11/03/2013 12:58 PM, Alan Bartlett wrote: On 11 March 2013 00:59, Steven Haigh net...@crc.id.au wrote: On 11/03/2013 1:13 AM, Akemi Yagi wrote: On Sun, Mar 10, 2013 at 6:56 AM, Steven Haigh net...@crc.id.au wrote: On 11/03/13 00:52, Akemi Yagi wrote: On Sun, Mar 10, 2013 at 4:50 AM, Steven Haigh net...@crc.id.au wrote: Not sure if this has come in from upstream or something local, but it looks like CONFIG_EEEPC_LAPTOP is no longer set in the kernel config. This reduces battery life significantly on Asus EEEPCs loading with linux. Kernel is: kernel-2.6.32-358.el6.x86_64 Install is fresh from the SL6.4 Beta 2 iso. I don't think CONFIG_EEEPC_LAPTOP was ever enabled in the TUV (therefore SL as well) kernel. Just for a reference, the CentOSPlus kernel has it enabled. But that is a custom kernel, not a distro one. It's a bit strange here... the 32 bit kernel has it enabled and built as a module. The 64 bit kernel has it disabled. I'm not quite sure why that is... You are quite right. I only checked the 64-bit kernel. The problem with this is as it stands (no module for the eeepc), it gets ~3.5 hours on battery vs Windows 7 which gets nearly 5 hours. The 'SHE' function provided by this module is paramount to getting any kind of decent battery life on the Asus EEEPC laptop range. Please open a bug report, upstream. [1] Then, as a temporary measure, consider using the kernel-lt package from the ELRepo Project. [2] CONFIG_EEEPC_LAPTOP is configured as a module in both 32- and 64-bit flavours. Alan. [1] https://bugzilla.redhat.com/frontpage.cgi [2] http://elrepo.org/tiki/kernel-lt A - thanks Alan, I wasn't aware of the elrepo kernels. Saves me a lot of messing around ;) I'll still BZ it though... -- Steven Haigh Email: net...@crc.id.au Web: https://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299