Re: "Not using downloaded repomd.xml because it is older than what we have:"

[Eero Volotinen]

Do you have transparent/forced proxy in network?

Eero

ke 9. maaliskuuta 2016 klo 6.53 Thomas Leavitt  kirjoitti:

> No feedback? Is everyone else just ignoring these messages?
>
> Thomas
>
> -Original Message-
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:
> owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Thomas
> Leavitt
> Sent: Monday, February 29, 2016 10:53 AM
> To: scientific-linux-us...@fnal.gov
> Subject: RE: "Not using downloaded repomd.xml because it is older than
> what we have:"
>
> Not using downloaded repomd.xml because it is older than what we have:
>   Current   : Tue Feb 16 08:58:20 2016
>   Downloaded: Tue Feb 16 08:58:13 2016
>
> A 7 second variance shouldn't be that much of an issue.
>
> Regards,
> Thomas Leavitt
>
> -Original Message-
> From: Thomas Leavitt
> Sent: Monday, February 29, 2016 10:52 AM
> To: 'scientific-linux-us...@fnal.gov'
> Subject: RE: "Not using downloaded repomd.xml because it is older than
> what we have:"
>
> I've been meaning to write about this for a while... my inbox is flooded
> every day with messages with this as the content from my SL7 machines (the
> ones I have set up to forward mail sent to root). I checked the time on
> them, they're using NTP, and the time agrees, almost to the second, with
> that of network time services and other machines, I doubt there's even a 30
> second variance.
>
> What's the strategy for dealing with this? Seems like it isn't an isolated
> problem.
>
> Regards,
> Thomas Leavitt
>
> -Original Message-
> From: owner-scientific-linux-us...@listserv.fnal.gov [mailto:
> owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of David
> Sommerseth
> Sent: Thursday, February 18, 2016 2:51 AM
> To: Peter Boy; SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
> Subject: Re: "Not using downloaded repomd.xml because it is older than
> what we have:"
>
> On 13/02/16 19:24, Peter Boy wrote:
> > Hi all,
> >
> > since several months I  get constantly from anacreon:
> >> ——<
> > /etc/cron.daily/0yum-daily.cron:
> >
> > Not using downloaded repomd.xml because it is older than what we have:
> > Current   : Thu Feb  4 16:13:26 2016
> > Downloaded: Thu Feb  4 16:13:25 2016
> >> ——<
> >
> >
> > The time difference is quite minimal. And a manual „yum update“
> > confirms that no updates are waiting.
> >
> > Using my favourite search engine I found it might have be caused by an
> > unresponsive of lazy mirror. But I use the standard configuration, i.e.
> > the mirror list just includes the three scientificlinux servers. Other
> > entries refer old bugs long fixed.
> >
> > I tried a yum clean all but it didn’t fix it.
> >
> > And all our other don’t show this issue, but the configuration is all
> > the same, at least according to my knowledge.
> >
> >
> > Obviously, there is no harm done and it can be safely ignored. But it
> > always pulls our issue alert button.
>
> Hi,
>
> I am seeing exactly the same.  I thought it was NTP issues related to my
> own setup, where I have a local rsync mirror.  But then I installed from
> scratch SL7 on another site without any local mirrors, and the same issue
> appears there too.  So I see this both with public repositories as well as
> local rsync repositories.
>
> I have also seen this on SL6, but not as frequent as on SL7.
>
> Even though they cause no obvious harm, it gets quite annoying when you
> receive many of them during a day ... sometimes even several days in a row.
>
> Perhaps yum should be more graceful to the timestamp?  And just quiet
> these messages if the time difference is less than 30 seconds or so.
>
>
> --
> kind regards,
>
> David Sommerseth
>
> --
> kind regards,
>
> David Sommerseth
> 
>
> This e-mail may contain privileged or confidential information. If you are
> not the intended recipient: (1) you may not disclose, use, distribute, copy
> or rely upon this message or attachment(s); and (2) please notify the
> sender by reply e-mail, and then delete this message and its attachment(s).
> EAG, Inc. and its affiliates disclaim all liability for any errors,
> omissions, corruption or virus in this message or any attachments.
>
>

Re: needs-restarting

[Eero Volotinen]

I think they both do about same things and almost in the same way. I was
not aware that needs-restarting utility is nowdays available anymore.

--
Eero

2016-02-20 10:41 GMT+02:00 Iosif Fettich :

> Hi Eero,
>
> I've noticed you're indication about how to determine which deamons need
> to be restarted after an upgrade, given on another thread:
>
> Please note that you need to restart daemons that are still using old
>> library versions or reboot the whole machine.
>>
>
> you can use command 'lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print
>> $2,$1,$4,$NF}' | column -t' to check what daemons are still using old
>> version of library.
>>
>
> Out of curiosity: within the yum-utils package, there is a
> needs-restarting utility that seems to be designed to do about the same
> thing (I haven't looked into it).
>
> Would you know how that one or the command line you mentioned compare?
> Is one more reliable/safer/easier than the other?
>
>
> Thanks,
>
> Iosif Fettich
>

Re: CVE 2015-7547

[Eero Volotinen]

Please note that you need to restart daemons that are still using old
library versions or reboot the whole machine.

you can use command 'lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print
$2,$1,$4,$NF}' | column -t' to check what daemons are still using old
version of library.

--
Eero

2016-02-20 7:30 GMT+02:00 jdow :

> # rpm -qa | grep glibc
> glibc-2.12-1.166.el6_7.7.x86_64
> glibc-2.12-1.166.el6_7.7.i686
> glibc-utils-2.12-1.166.el6_7.7.x86_64
> glibc-common-2.12-1.166.el6_7.7.x86_64
> glibc-devel-2.12-1.166.el6_7.7.x86_64
> glibc-headers-2.12-1.166.el6_7.7.x86_64
>
> Already installed with updates as of a day or so ago.
>
> {^_^}
>
> On 2016-02-19 17:49, Kenny Noe wrote:
>
>> Yes.   Follow these instructions.
>>
>> http://www.thegeekstuff.com/2016/02/glibc-patch-cve-2015-7547/
>>
>> --Kenny
>>
>> Thanks
>>
>> --Kenny
>>
>> On Fri, Feb 19, 2016 at 8:33 PM, ToddAndMargo > > wrote:
>>
>> Hi All,
>>
>> Are we affected by this?
>>
>>
>> http://www.infoworld.com/article/3033862/security/patch-now-unix-bug-puts-linux-android-and-ios-systems-at-risk.html
>>
>> -T
>>
>>
>> --
>> ~~
>> Computers are like air conditioners.
>> They malfunction when you open windows
>> ~~
>>
>>
>>

Re: "Not using downloaded repomd.xml because it is older than what we have:"

[Eero Volotinen]

Does 'yum clean all' fix the issue?
13.2.2016 8.24 ip. "Peter Boy"  kirjoitti:

> Hi all,
>
> since several months I  get constantly from anacreon:
> > ——<
> /etc/cron.daily/0yum-daily.cron:
>
> Not using downloaded repomd.xml because it is older than what we have:
> Current   : Thu Feb  4 16:13:26 2016
> Downloaded: Thu Feb  4 16:13:25 2016
> > ——<
>
>
> The time difference is quite minimal. And a manual „yum update“ confirms
> that no updates are waiting.
>
> Using my favourite search engine I found it might have be caused by an
> unresponsive of lazy  mirror. But I use the standard configuration, i.e.
> the mirror list just includes the three scientificlinux servers. Other
> entries refer old bugs long fixed.
>
> I tried a yum clean  all but it didn’t fix it.
>
> And all our other don’t show this issue, but the configuration is all the
> same, at least according to my knowledge.
>
>
> Obviously, there is no harm done and it can be safely ignored. But it
> always pulls our issue alert button.
>
> Anyone any hint how to fix it?
>
>
> Thanks
> Peter
>
>
>
>
>
>
>
>
>
> —
> Dr. Peter Boy
> Universität Bremen
> Mary-Sommerville-Str. 5
> 28359 Bremen
> Germany
>
> p...@zes.uni-bremen.de
> www.zes.uni-bremen.de
>
> 
>
> Are you looking for a web content management system for scientific
> research organizations?
> Have a look at http://www.scientificcms.org
>

Re: SL 7.2 not booting on HP Microserver N36L

[Eero Volotinen]

Try this kernel parameter on boot for workaround:
initcall_blacklist=clocksource_done_booting

--
Eero

2016-02-10 11:11 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> See this url: https://bugs.centos.org/view.php?id=10176
>
> Maybe it's just kernel bug. works on some older? kernels.
>
> Eero
>
> 2016-02-10 11:08 GMT+02:00 Otto-Michael BRAUN <o...@ieee.org>:
>
>> Does this mean that SL 7.2 does not run on AMD cpus ?
>>
>> Michael
>>
>>
>> Am 10.02.2016 um 10:00 schrieb Eero Volotinen:
>>
>> I think that is related to amd cpu on board?
>>
>> --
>> Eero
>>
>> 2016-02-10 10:57 GMT+02:00 Otto-Michael BRAUN <o...@ieee.org>:
>>
>>> I tried to PXE-install SL 7.2 on an HP Microserver N36L without success.
>>> Booting stops for 20 seconds after "switching clocksource to hpet" and then
>>> crashes (screenshots attached). Disabling the high precision event timer in
>>> BIOS did not help. Any suggestions on what might be a workaround would be
>>> appreciated.
>>>
>>> Otto-Michael BRAUN
>>>
>>
>>
>>
>>
>

Re: Microsoft Active Directory and SCCM

[Eero Volotinen]

 NB: ITC Information Technology Consultant (a California State University
 staff position designation) -- a technician, typically with a BS in IT or a
 related field, who has hardware and software control over
 non-administrative-computing Faculty MS Windows or Mac OS X workstations.

 End quote.

 Does anyone on the list have to use these Microsoft proprietary systems
 with EL open systems -- both servers and workstations? If so, what are your
 experiences and how does one do the integration? Under no circumstances are
 we willing to share root passwords with the administrative unit. Replies
 off list are welcome.


Well, you can easily join RHEL 6, RHEL 6, RHEL 7 and clones to AD domain if
you have access to administrative account on AD.

Works with basic tools, no special tools or software needed. You can easily
get groups and user authentication via pam services.

For advanced use, FreeIPA or Redhat IPA  and some complexity is required.

--
Eero

Re: Microsoft Active Directory and SCCM

[Eero Volotinen]

2014-08-05 20:29 GMT+03:00 Paul Robert Marino prmari...@gmail.com:

 I've never heard of SCCM but the Microsoft's AD thing is doable but
 difficult.


Doable, not difficult as it required only authconfig command twice.

man authconfig

--
Eero

Re: Encrypted rsyslog

[Eero Volotinen]

Maybe cert_t is correct context as certificates are usually located under
/etc/pki

so try something like:

semanage fcontext -a -t cert_t /path/to/keys(/.*)?
restorecon -R -v /path/to/keys

and you should also be familiar with selinux audit logs to figure out
correct context.




2014-07-23 11:43 GMT+03:00 Robin Long r.l...@cern.ch:

  Hi Eero,

 Thanks for the advice.  That command does not seem to work, it changes the
 context from:

 drwxr-x---. root root unconfined_u:object_r:etc_t:s0   certificates
 -rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostcert.pem
 -rw-r-. root root unconfined_u:object_r:admin_home_t:s0 hostkey.pem

 to

 drwxr-x---. root root unconfined_u:object_r:syslog_conf_t:s0 certificates
 -rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostcert.pem
 -rw-r-. root root unconfined_u:object_r:syslog_conf_t:s0 hostkey.pem

 but then results in the error:
 could not load module '/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078

 which usually translates as cannot read your CA file.

 Will Keep trying,

 Thanks for all the help.

 Robin.


 On 23/07/14 03:34, Eero Volotinen wrote:




 2014-07-22 22:58 GMT+03:00 Eero Volotinen eero.voloti...@iki.fi:




  2014-07-22 22:01 GMT+03:00 Robin Eamonn Long r.l...@cern.ch:

 Hi Eero,

 I found this page:
 http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
 which suggests that:
 There is a good chance you’ve got the $InputTCPServerRun and
 $InputTCPServerStreamDriverMode directives in the wrong order, the
 $InputTCPServerRun should come last.

 Then I got the error messages that the peer was not permitted to talk to
 the server.  It looks like the order of commands is very specific and needs
 to be:

 $InputTCPServerStreamDriverAuthMode x509/name
 $InputTCPServerStreamDriverPermittedPeer *.example.net
 $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
 $InputTCPServerRun 10514 # start up listener at port 10514

  It seems to all be working now.

 Do you know the selinux magic that I need to perform on the certificates
 so that it works without disabling selinux?


  You need to set correct fcontext to files (see man semanage) and semanage
 fcontext -l (to list defined context) and then restorecon -Rv
 /path/to/directory

  --
 Eero


  So this magic might work:

  semanage fcontext -a -t syslog_conf_t /path/to/keys(/.*)?
 restorecon -R -v /path/to/keys

  just a wild quess without any testing..

  --
 Eero

Re: Encrypted rsyslog

[Eero Volotinen]

2014-07-23 12:37 GMT+03:00 Robin Long r.l...@cern.ch:

 Hi Eero and Elias,

 So seeting it to cert_t worked, as did:
 semanage fcontext -a -t etc_t /etc/grid-security(/.*)?
 I chose etc_t as when I did an ls -Z the certificates folder had this to
 begin with and was happy, where as the hostkeys and certs had admin_home.

 The output of audit2why is here, I do not understand it at all.

 # tail /var/log/audit/audit.log | audit2why
 type=AVC msg=audit(1406108140.477:6317): avc:  denied  { search } for
  pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0
 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir

 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow
 this access.

 type=AVC msg=audit(1406108140.479:6318): avc:  denied  { search } for
  pid=9753 comm=72733A6D61696E20513A526567 name=grid-security dev=dm-0
 ino=131479 scontext=unconfined_u:system_r:syslogd_t:s0
 tcontext=unconfined_u:object_r:syslog_conf_t:s0 tclass=dir

 Was caused by:
 Missing type enforcement (TE) allow rule.

 You can use audit2allow to generate a loadable module to allow
 this access.


 I would like to understand SELinux and how to audit the problems, but I
 have not found a good entry level guide.  Usually the problems I have are
 simple such as ssh-key permissions or httpd problems - google has always
 had a solution, I just do not know how to get to these solutions myself.


Read manual at :
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/

--
Eero

Re: Encrypted rsyslog

[Eero Volotinen]

2014-07-22 18:30 GMT+03:00 Robin Long r.l...@cern.ch:

 Hi All,

 I am trying to configure rsyslog between to servers with encryption. This
 works when the authmode is 'anon' but not when set to 'x509/name', and I
 cannot tell why - google is providing no help.

 My client config is:

 ===
  MODULES 

 $ModLoad imuxsock # provides support for local system logging (e.g. via
 logger command)
 $ModLoad imklog   # provides kernel logging support (previously done by
 rklogd)
 #$ModLoad immark  # provides --MARK-- message capability

 # Provides UDP syslog reception
 #$ModLoad imudp
 #$UDPServerRun 514

 # Provides TCP syslog reception
 $ModLoad imtcp
 #$InputTCPServerRun 514


  GLOBAL DIRECTIVES 

 # Use default timestamp format
 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

 # File syncing capability is disabled by default. This feature is usually
 not required,
 # not useful and an extreme performance hit
 #$ActionFileEnableSync on

 # Include all config files in /etc/rsyslog.d/
 $IncludeConfig /etc/rsyslog.d/*.conf

  Encryption 

 # make gtls driver the default
 $DefaultNetstreamDriver gtls

 # certificate files
 $DefaultNetstreamDriverCAFile /etc/grid-security/
 certificates/UKeScienceCA-2B.pem
 $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
 $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem

 #$ModLoad imtcp # load TCP listener

 $ActionSendStreamDriverMode 1 # require TLS for the connection
 $ActionSendStreamDriverAuthMode x509/name
 $ActionSendStreamDriverPermittedPeer central.log.server

 *.* @@(o)central.log.server:10514 # send (all) messages

 ###Rules
 #Standard rules, no need to paste here

 ==

 and the central log servers config is:

 ===

 # rsyslog v5 configuration file

 # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
 # If you experience problems, see http://www.rsyslog.com/doc/
 troubleshoot.html

  MODULES 

 $ModLoad imuxsock # provides support for local system logging (e.g. via
 logger command)
 $ModLoad imklog   # provides kernel logging support (previously done by
 rklogd)
 #$ModLoad immark  # provides --MARK-- message capability

 # Provides UDP syslog reception
 #$ModLoad imudp
 #$UDPServerRun 514

 # Provides TCP syslog reception
 #$ModLoad imtcp
 #$InputTCPServerRun 514


  GLOBAL DIRECTIVES 

 # Use default timestamp format
 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

 # File syncing capability is disabled by default. This feature is usually
 not required,
 # not useful and an extreme performance hit
 #$ActionFileEnableSync on

 # Include all config files in /etc/rsyslog.d/
 $IncludeConfig /etc/rsyslog.d/*.conf

  Encryption 

 # make gtls driver the default
 $DefaultNetstreamDriver gtls

 # certificate files
 $DefaultNetstreamDriverCAFile /etc/grid-security/
 certificates/UKeScienceCA-2B.pem
 $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
 $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem

 $ModLoad imtcp # load TCP listener
 $InputTCPServerRun 10514 # start up listener at port 10514

 $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
 $InputTCPServerStreamDriverAuthMode x509/name # client is authenticated
 $InputTCPServerStreamDriverPermittedPeer *.local.domain


  RULES 
 #Standard rules, no need to paste here

 

 rsyslog starts fine on the central log server, but on the client I get the
 following written to messages:

 

 rsyslogd-2040: can not read file '/etc/grid-security/hostcert.pem' [try
 http://www.rsyslog.com/e/2040 ]

 

 Any suggestions or help?


is the selinux context for files correct. try in permissive mode first
(setenforce 0)

--
Eero

Re: Encrypted rsyslog

[Eero Volotinen]

2014-07-22 18:58 GMT+03:00 Robin Long r.l...@cern.ch:

  Hi Eero,

 I set selinux to permissive as you suggested and the error went away.
 However, the logs on the remote server now look like this:

 Jul 22 16:54:54 client.server
 #026#003#002#000V#001#000#000R#003#002SΊz82#002CEE7-#021A5LB6jA7@BB#024XE3DB|FP
 B6P96F4NA3W#000#000$#0003#000E#0009#00088#000#026#0002#000D#0008#00087#000#023#000f#000/#000A#0005#00084



Usually something wrong with certificates, it's a bit hard to debug. try
regeneration of all certificates including the ca.

--
Eero

Re: Encrypted rsyslog

[Eero Volotinen]

2014-07-22 22:01 GMT+03:00 Robin Eamonn Long r.l...@cern.ch:

 Hi Eero,

 I found this page:
 http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
 which suggests that:
 There is a good chance you’ve got the $InputTCPServerRun and
 $InputTCPServerStreamDriverMode directives in the wrong order, the
 $InputTCPServerRun should come last.

 Then I got the error messages that the peer was not permitted to talk to
 the server.  It looks like the order of commands is very specific and needs
 to be:

 $InputTCPServerStreamDriverAuthMode x509/name
 $InputTCPServerStreamDriverPermittedPeer *.example.net
 $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
 $InputTCPServerRun 10514 # start up listener at port 10514

 It seems to all be working now.

 Do you know the selinux magic that I need to perform on the certificates
 so that it works without disabling selinux?


You need to set correct fcontext to files (see man semanage) and semanage
fcontext -l (to list defined context) and then restorecon -Rv
/path/to/directory

--
Eero

Re: Encrypted rsyslog

[Eero Volotinen]

2014-07-22 22:58 GMT+03:00 Eero Volotinen eero.voloti...@iki.fi:




 2014-07-22 22:01 GMT+03:00 Robin Eamonn Long r.l...@cern.ch:

 Hi Eero,

 I found this page:
 http://www.sebdangerfield.me.uk/2011/12/setting-up-a-centralised-syslog-server-in-the-cloud/
 which suggests that:
 There is a good chance you’ve got the $InputTCPServerRun and
 $InputTCPServerStreamDriverMode directives in the wrong order, the
 $InputTCPServerRun should come last.

 Then I got the error messages that the peer was not permitted to talk to
 the server.  It looks like the order of commands is very specific and needs
 to be:

 $InputTCPServerStreamDriverAuthMode x509/name
 $InputTCPServerStreamDriverPermittedPeer *.example.net
 $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
 $InputTCPServerRun 10514 # start up listener at port 10514

 It seems to all be working now.

 Do you know the selinux magic that I need to perform on the certificates
 so that it works without disabling selinux?


 You need to set correct fcontext to files (see man semanage) and semanage
 fcontext -l (to list defined context) and then restorecon -Rv
 /path/to/directory

 --
 Eero


So this magic might work:

semanage fcontext -a -t syslog_conf_t /path/to/keys(/.*)?
restorecon -R -v /path/to/keys

just a wild quess without any testing..

--
Eero

Re: Any 7 rumors?

[Eero Volotinen]

 Is SL not PCI compliant because it is not a commercial
 effort?  I thought SL got all the patches the RHEL
 got?  Please elucidate.


There is no PCI requirement(s) to use commercial OS. Please read the
requirements instead of FUD!

--
Eero

Re: Exchange server alternative?

[Eero Volotinen]

 Also, he stores credit card information on his workstations
 and server.  (PCI would freak out.)


http://www.merchantuniversity.org/101-education/security-pci-101/pci-compliance-fines.aspx

Please report this client to VISA.

--
Eero

Re: RPM for THC Hydra

[Eero Volotinen]

Hi,

look at atomicorp repository? (
http://pkgs.org/centos-5-rhel-5/atomic-i386/hydra-5.4-1.el5.art.i386.rpm.html)
as it might contain packaged version for el6/el5?

Eero


2013/9/16 Todd And Margo Chester toddandma...@gmail.com

 Anyone know of an RPM for THC Hydra?  pbone and google draw a blank

 http://sectools.org/tool/**hydra/ http://sectools.org/tool/hydra/

 Many thanks,
 -T

Re: How to open CFEngine network port 5308

[Eero Volotinen]

What is output of netstat -tupln with root account?

Looks like daemon is not started or listening the port? Selinux?
Configuration failure?

Eero

On Tuesday, July 23, 2013, Yasha Karant wrote:

 We are forced to use a university firewall service that disables almost
 all port below 1024 but supposedly has higher ports, e.g., 5308, open. As a
 test of this, I installed telnet and did the usual:

 telnet 127.0.0.1 5308
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused

 as a quick test with a clear failure.  Although I have disabled our local
 firewall on the SL6x machine, I found a recommendation for (obviously, as
 root):

 iptables -A INPUT -m state --state NEW -p tcp --dport 5308 -j ACCEPT

 followed by

 [root@ahprc4 ykarant]# service iptables restart
 iptables: Flushing firewall rules: [  OK  ]
 iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
 iptables: Unloading modules:   [  OK  ]
 [root@ahprc4 ykarant]# iptables --list
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 ACCEPT tcp  --  anywhere anywherestate NEW tcp
 dpt:cfengine

 Chain FORWARD (policy ACCEPT)[root@ahprc4 ykarant]# iptables --list
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 ACCEPT tcp  --  anywhere anywherestate NEW tcp
 dpt:cfengine

 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination
 target prot opt source   destination

 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination

 but had the same telnet problem.

 Port 5308 is the default for the version of CFEngine we are attempting to
 use.

 Note that by using local host (127.0.0.1) (loopback), I should be avoiding
 any external firewall issues that apply to the 802.3 connection.

 Obviously, something is misconfigured.  Suggestions?

 Yasha Karant

Re: SL 6.3 doesn't no network present until user logs in on GUI.

[Eero Volotinen]

2012/12/9 José Pablo Méndez Soto aux...@gmail.com:
 Hello,

 I am playing around with SL instead of CentOS so to know which one behaves
 better or just to have a criteria on how they both differ, being RedHat
 re-distros.

 I noticed that my virtual machine with GUI, that I built from the
 SL-63-x86_64-2012-08-02-Install-DVD.iso, won't reply to pings or open SSH
 sessions until a user logs in.

 I tried the same on a CentOS  6.2 built similarly, and no matter if there
 are users or no users logged in, it always have networking and you can SSH
 into it.

 Any idea about this difference? Can it be changed in SL so to initiate
 connections before a GUI log in?

On RHEL 6 and clones, network is managed by network-manager by
default. You need to disable network manager and configure interfaces
on traditional way.

Take look at NM_MANAGED on /etc/sysconfig/network-scripts/ifcfg*


--
Eero

kernel problem?

[Eero Volotinen]

Hi,

One of my server runs to some kernel bug:

eth0: no IPv6 routers present
eth3: no IPv6 routers present
irq 16: nobody cared (try booting with the irqpoll option)
Pid: 0, comm: swapper Not tainted 2.6.32-220.7.1.el6.x86_64 #1
Call Trace:
 IRQ  [810db42b] ? __report_bad_irq+0x2b/0xa0
 [810db62c] ? note_interrupt+0x18c/0x1d0
 [810dbd4d] ? handle_fasteoi_irq+0xcd/0xf0
 [8100df09] ? handle_irq+0x49/0xa0
 [814f4dbc] ? do_IRQ+0x6c/0xf0
 [8100ba53] ? ret_from_intr+0x0/0x11
 EOI  [812c4b0e] ? intel_idle+0xde/0x170
 [812c4af1] ? intel_idle+0xc1/0x170
 [81097b0d] ? sched_clock_cpu+0xcd/0x110
 [813fa027] ? cpuidle_idle_call+0xa7/0x140
 [81009e06] ? cpu_idle+0xb6/0x110
 [814d420a] ? rest_init+0x7a/0x80
 [81c1ff76] ? start_kernel+0x424/0x430
 [81c1f33a] ? x86_64_start_reservations+0x125/0x129
 [81c1f438] ? x86_64_start_kernel+0xfa/0x109
handlers:
[a00de140] (nouveau_irq_handler+0x0/0x140 [nouveau])
[a00cf7c0] (arcmsr_do_interrupt+0x0/0x20 [arcmsr])
Disabling IRQ #16

lspci:

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor
Family DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200/2nd Generation Core
Processor Family PCI Express Root Port (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200
Series Chipset Family MEI Controller #1 (rev 04)
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset
Family USB Enhanced Host Controller #2 (rev 05)
00:1b.0 Audio device: Intel Corporation 6 Series/C200 Series Chipset
Family High Definition Audio Controller (rev 05)
00:1c.0 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 1 (rev b5)
00:1c.2 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 3 (rev b5)
00:1c.3 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 4 (rev b5)
00:1c.4 PCI bridge: Intel Corporation 82801 PCI Bridge (rev b5)
00:1c.5 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 6 (rev b5)
00:1c.6 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 7 (rev b5)
00:1c.7 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset
Family PCI Express Root Port 8 (rev b5)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset
Family USB Enhanced Host Controller #1 (rev 05)
00:1f.0 ISA bridge: Intel Corporation H67 Express Chipset Family LPC
Controller (rev 05)
00:1f.2 IDE interface: Intel Corporation 6 Series/C200 Series Chipset
Family 4 port SATA IDE Controller (rev 05)
00:1f.3 SMBus: Intel Corporation 6 Series/C200 Series Chipset Family
SMBus Controller (rev 05)
00:1f.5 IDE interface: Intel Corporation 6 Series/C200 Series Chipset
Family 2 port SATA IDE Controller (rev 05)
02:00.0 VGA compatible controller: nVidia Corporation GT218 [GeForce
210] (rev a2)
02:00.1 Audio device: nVidia Corporation High Definition Audio
Controller (rev a1)
03:00.0 RAID bus controller: 3ware Inc 9650SE SATA-II RAID PCIe (rev 01)
04:00.0 Ethernet controller: Intel Corporation 82572EI Gigabit
Ethernet Controller (Copper) (rev 06)
05:00.0 PCI bridge: ASMedia Technology Inc. ASM108x PCIe to PCI Bridge
Controller (rev 01)
06:02.0 PCI bridge: Intel Corporation 80331 [Lindsay] I/O processor
(PCI-X Bridge) (rev 0a)
07:0e.0 RAID bus controller: Areca Technology Corp. ARC-1110 4-Port
PCI-X to SATA RAID Controller
08:00.0 IDE interface: VIA Technologies, Inc. VT6415 PATA IDE Host Controller
09:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 06)
0a:00.0 USB controller: ASMedia Technology Inc. ASM1042 SuperSpeed USB
Host Controller

# cat /proc/interrupts
   CPU0   CPU1   CPU2   CPU3
  0:421  0  0  0   IO-APIC-edge  timer
  1:  3  0  0  0   IO-APIC-edge  i8042
  8:  1  0  0  0   IO-APIC-edge  rtc0
  9:  0  0  0  0   IO-APIC-fasteoi   acpi
 12:  4  0  0  0   IO-APIC-edge  i8042
 16: 200012  0  0  0   IO-APIC-fasteoi
nouveau, arcmsr
 17:133  0  0  0   IO-APIC-fasteoi
pata_via, hda_intel
 18:  73176  0  0  0   IO-APIC-fasteoi   3w-9xxx
 20:   12960813  0  0  0   IO-APIC-fasteoi
ata_piix, ata_piix
 23: 60  0  0  0   IO-APIC-fasteoi
ehci_hcd:usb1, ehci_hcd:usb2
 31:268  0  0  0   PCI-MSI-edge  hda_intel
 32:   47545815  0  0  0   PCI-MSI-edge  eth3
 33: 25  0  0  0   PCI-MSI-edge  xhci_hcd
 34:  0  0  0  0   

how to update scientific linux 6.1 to 6.2?

[Eero Volotinen]

tried normal redhat way update, without any success:

yum upgrade
Setting up Upgrade Process
No Packages marked for Update

why?

cat /etc/yum.repos.d/sl.repo
[sl]
name=Scientific Linux $releasever - $basearch
baseurl=http://ftp.scientificlinux.org/linux/scientific/$releasever/$basearch/os/

http://ftp1.scientificlinux.org/linux/scientific/$releasever/$basearch/os/

http://ftp2.scientificlinux.org/linux/scientific/$releasever/$basearch/os/

ftp://ftp.scientificlinux.org/linux/scientific/$releasever/$basearch/os/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-base-6.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

[sl-security]
name=Scientific Linux $releasever - $basearch - security updates
baseurl=http://ftp.scientificlinux.org/linux/scientific/$releasever/$basearch/updates/security/

http://ftp1.scientificlinux.org/linux/scientific/$releasever/$basearch/updates/security/

http://ftp2.scientificlinux.org/linux/scientific/$releasever/$basearch/updates/security/

ftp://ftp.scientificlinux.org/linux/scientific/$releasever/$basearch/updates/security/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-security-6.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson


[sl-source]
name=Scientific Linux $releasever - Source
baseurl=http://ftp.scientificlinux.org/linux/scientific/$releasever/SRPMS/

http://ftp1.scientificlinux.org/linux/scientific/$releasever/SRPMS/

http://ftp2.scientificlinux.org/linux/scientific/$releasever/SRPMS/

ftp://ftp.scientificlinux.org/linux/scientific/$releasever/SRPMS/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

--
Eero

Re: how to update scientific linux 6.1 to 6.2?

[Eero Volotinen]

yum --releasever=6.2 update did the trick.

2012/4/4 Eero Volotinen eero.voloti...@iki.fi:
 tried normal redhat way update, without any success:

 yum upgrade
 Setting up Upgrade Process
 No Packages marked for Update

sorry for noise to the list..

--
Eero

Intel Corporation 82572EI Gigabit Ethernet Controller (Copper) on scienfic linux 6.1

[Eero Volotinen]

Hi,

Any ideas how to get Intel Corporation 82572EI Gigabit Ethernet
Controller (Copper) working on scientific linux 6.1?
Looks like e1000 driver is tool old to support this card?

Info:


02:00.0 Ethernet controller: Intel Corporation 82572EI Gigabit
Ethernet Controller (Copper) (rev 06)
Subsystem: Intel Corporation PRO/1000 PT Server Adapter
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast TAbort-
TAbort- MAbort- SERR- PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupt: pin A routed to IRQ 36
Region 0: Memory at fb64 (32-bit, non-prefetchable) [size=128K]
Region 1: Memory at fb62 (32-bit, non-prefetchable) [size=128K]
Region 2: I/O ports at d000 [size=32]
Expansion ROM at fb60 [disabled] [size=128K]
Capabilities: [c8] Power Management version 2
Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA
PME(D0+,D1-,D2-,D3hot+,D3cold+)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=1 PME-
Capabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+
Address: fee0f00c  Data: 41e1
Capabilities: [e0] Express (v1) Endpoint, MSI 00
DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s
512ns, L1 64us
ExtTag- AttnBtn- AttnInd- PwrInd- RBE- FLReset-
DevCtl: Report errors: Correctable+ Non-Fatal+ Fatal+
Unsupported+
RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop+
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr- UncorrErr+ FatalErr- UnsuppReq+
AuxPwr+ TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s,
Latency L0 4us, L1 64us
ClockPM- Surprise- LLActRep- BwNot-
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train-
SlotClk+ DLActive- BWMgmt- ABWMgmt-
Capabilities: [100] Advanced Error Reporting
UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt-
UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq+ ACSViol-
UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt-
UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UESvrt: DLP+ SDES- TLP- FCP+ CmpltTO- CmpltAbrt-
UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
AERCap: First Error Pointer: 14, GenCap- CGenEn- ChkCap- ChkEn-
Capabilities: [140] Device Serial Number 00-1b-21-ff-ff-b0-a7-7e
Kernel driver in use: e1000e
Kernel modules: e1000e

What is best way to update driver? Latest source from intel supports
this card, but is i prefer rpm way ..

--
Eero

Re: Intel Corporation 82572EI Gigabit Ethernet Controller (Copper) on scienfic linux 6.1

[Eero Volotinen]

2011/8/22 Akemi Yagi amy...@gmail.com:
 On Mon, Aug 22, 2011 at 7:42 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
 2011/8/22 Devin Bougie devin.bou...@cornell.edu:
 Hi Eero,

 Have you tried using the e1000e driver that's provided by SL?  We haven't 
 had any problems using 82572EI cards in SL5.6 with the e1000e driver.

 I hope this helps,
 Devin

 You mean the default driver? yes, it cannot detect line.

 As Patrick mentioned, ELRepo's kmod-e1000e package may be worth a try
 because its driver version is newer:

 EL5: 1.3.10-k2
 EL6: 1.2.20-k2
 ELRepo: 1.4.4

 If that does not make any difference and you want to remove it, it's
 as easy as running 'rpm -e kmod-e1000e'.

Looks like it worked, big thanks!

--
Eero

acpi error?

[Eero Volotinen]

Any idea how to fix this?

ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L16]
(20090903/evgpe-568)
ACPI Error (psargs-0359): [RAMB] Namespace lookup failure, AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_SB_.GNVS]
(Node 8802365553d0), AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_GPE._L16]
(Node 880236557a38), AE_NOT_FOUND
ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L16]
(20090903/evgpe-568)
ACPI Error (psargs-0359): [RAMB] Namespace lookup failure, AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_SB_.GNVS]
(Node 8802365553d0), AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_GPE._L16]
(Node 880236557a38), AE_NOT_FOUND
ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L16]
(20090903/evgpe-568)
ACPI Error (psargs-0359): [RAMB] Namespace lookup failure, AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_SB_.GNVS]
(Node 8802365553d0), AE_NOT_FOUND
ACPI Error (psparse-0537): Method parse/execution failed [\_GPE._L16]
(Node 880236557a38), AE_NOT_FOUND
ACPI Exception: AE_NOT_FOUND, while evaluating GPE method [_L16]
(20090903/evgpe-568)

after I enabled irqpoll, this message is spammed to kernel message logs ..

OS is scientific linux 6.1 and motherboard is:
Manufacturer: ASUSTeK Computer INC.
Product Name: P8H67
Version: Rev X.0x

--
Eero

--
Eero

Re: acpi error?

[Eero Volotinen]

2011/8/21 Andrew Z form...@gmail.com:
 Steven,
 Last time (4years ago) I looked to update mine, it was one pauntfull
 exercise. Any tools that I can use now?
 --
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.

 Steven Haigh net...@crc.id.au wrote:

 On 08/21/2011 11:42 PM, Eero Volotinen wrote:
  Any idea how to fix this?
  OS is scientific linux 6.1 and motherboard is:
  Manufacturer: ASUSTeK Computer INC.
   Product Name: P8H67
   Version: Rev X.0x

 For all kinds of acpi errors, the first suggestion would be a bios update.


Thanks, looks like bios update fixed problems. Usually it's a pain in
the * to update bios on Linux machine, but EZ bios supports bios
upgrade from usb stick.

br,
--
Eero

Re: xen on Scientific Linux 6 32-Bit or 64-Bit

[Eero Volotinen]

2011/7/19 Stephen John Smoogen smo...@gmail.com:
 On Tue, Jul 19, 2011 at 13:30, Justin Sandy justmatt9...@gmail.com wrote:
 Is there a way to install xen on 32-bit or 64-bit Scientific Linux 6?

 Probably not easily. The kernels are optimized to work with KVM. You
 would need to tear out that kernel and build one for Xen and a xen
 image

http://wiki.xensource.com/xenwiki/RHEL6Xen4Tutorial

if it breaks, you can keep both pieces ;)

--
Eero

Re: scilinux 6 install fail

[Eero Volotinen]

2011/6/15 Yasha Karant ykar...@csusb.edu:
 I am not installing from a network share; I am installing from a DVD that
 was tested.
 Please look at the anaconda diagnostics.

how about trying to paste error messages to pastebin.ca or pastebin.com ?

--
Eero

Re: scilinux 6 install fail

[Eero Volotinen]

2011/6/15 Urs Beyerle urs.beye...@env.ethz.ch:
 I don't see an attachment to your previous mail containing the anaconda
 error output log.

because mailing list software deletes attachments from mails?

--
Eero

Re: What kins of business use Linux?

[Eero Volotinen]

2011/4/19 Todd And Margo Chester toddandma...@gmail.com:
 Hi All,

 I am a consultant who only works in two counties.
 I am currently working my way out of two jobs,
 which is normal.  Also means I have to do some
 cold calling, also normal.  And to facilitate
 that, I have made up a database of local businesses.
 I work with both Linux and Windows.  (The occasional
 Apple too, but you did not hear me admit to that.)

 I really do not feel like the *aggravation* of having
 to maintain any more Windows installations: low quality
 software that almost works and has to be fussed with
 20 times more than a Linux installation.  And customer
 who are never really very happy with the way things
 turn out, or the expense.

 This may seems like a weird question, when I am sifting
 through my lists of businesses, does anyone have an tips
 as to what kinds of businesses prefer Linux?  I would
 like to directly target those kinds of businesses
 before settling from more Windows work.

Almost all? From single server hosting companies to clustered
scientific/medical environments
?

--
Eero

Re: RPM dependency issue with unixODBC

[Eero Volotinen]

2011/4/11 Jean-Michel Barbet jean-michel.bar...@subatech.in2p3.fr:
 Hello all,

 I am trying to package a MonaLisa sensor that comes with its own
 java binary distribution and would be installed in /usr/local.

 I can build the package fine but it does not install because of a
 dependency not satisfied :

  depcheck: package MLSensor 1.0-1 needs libodbc.so()(64bit)
  depcheck: package MLSensor 1.0-1 needs libodbcinst.so()(64bit)

 This is because rpmbuild have autocomputed the dependencies and
 the resulting RPM have these requirements :
 libodbc.so()(64bit)
 libodbcinst.so()(64bit)

unixODBC-2.2.14-11.el6.i686 : A complete ODBC driver manager for Linux
Repo: sl
Matched from:
Filename: /usr/lib/libodbc.so



unixODBC-2.2.14-11.el6.x86_64 : A complete ODBC driver manager for Linux
Repo: sl
Matched from:
Filename: /usr/lib64/libodbc.so

and

unixODBC-2.2.14-11.el6.i686 : A complete ODBC driver manager for Linux
Repo: sl
Matched from:
Filename: /usr/lib/libodbcinst.so



unixODBC-2.2.14-11.el6.x86_64 : A complete ODBC driver manager for Linux
Repo: sl
Matched from:
Filename: /usr/lib64/libodbcinst.so

are you using sl 5 or sl 6?

--
Eero

Re: Problems with VMWare tools

[Eero Volotinen]

2011/4/9 Nikola Wenta nikola.we...@nottingham.ac.uk:
 Dear all,
 I am trying Scientific Linux and want to get VMWare tools installed. Can 
 someone tell me where I can download the required Kernel C header files, and 
 under what path they will be installed?
 Cheers,
 Niko

What is your vmware esx(i) version? what is your sf linux version?

br,
--
Eero,
RHCE