[CentOS] Yes another "I can't open port 53 for Bind DNS"
Hi,

It's just past 3am and for the past 6 hours I've been configuring a secondary name server to replace one that just crashed. My problem appears to be that port 53 is not open for some reason on my server even though I have this:

    [root@tribe etc]# netstat -an | grep ":53 "
    tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*
    udp 0 0 205.211.154.3:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*

But with a test from http://www.yougetsignal.com/tools/open-ports/ it says port 53 is closed.

I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2

I'm not using iptables (well I didn't configure any)

    [root@tribe log]# iptables --line-numbers -n -L
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

Currently this server is not behind any type of firewall. Can someone suggest something I have forgotten?

TIA,
Shane

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Yes another "I can't open port 53 for Bind DNS"
Shane Bywater wrote:
> Hi,
> It's just past 3am and for the past 6 hours I've been
> configuring a secondary name server to replace one that just crashed.
> My problem appears to be that port 53 is not open for some reason on my
> server even though I have this:
>
> [root@tribe etc]# netstat -an | grep ":53 "
> tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
> udp 0 0 205.211.154.3:53 0.0.0.0:*
>
> {snip}
>
> But with a test from
> http://www.yougetsignal.com/tools/open-ports/
> it says port 53 is closed.
>
> I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
>
> I'm not using iptables (well I didn't configure any)
>
> {snip}
> 5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> {snip}
> Can someone suggest something I have forgotten?
>
> TIA,
> Shane

I think iptables rule 5 is stopping DNS.

I can 'see' your ICMP (ping) and SSH are open from here.

I've not used Centos 6 in production yet but try entering:-

    iptables -I INPUT 4 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -I INPUT 4 -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

hopefully that will fix it

YMMV

Ken

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [CentOS] Yes another "I can't open port 53 for Bind DNS"
Ken Smith wrote:
> Shane Bywater wrote:
>
>> Hi,
>> It's just past 3am and for the past 6 hours I've been
>
> iptables -I INPUT 4 -p udp --dport 53 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -I INPUT 4 -p tcp --dport 53 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> Ken

Obviously those commands are all on one line so the '--state' is followed by 'NEW,' and not line wrapped as in this e-mail :-)

Ken
Re: [CentOS] mod_rails under Apache under Ceontos 6
On Mon, Jan 30, 2012 at 7:00 PM, Craig White wrote:
>
> On Jan 30, 2012, at 10:12 AM, Boris Epstein wrote:
>
>> Hello listmates,
>>
>> For some reason we don't seem to be able to launch a Ruby-on-rails
>> application ( http://www.redmine.org/ ) on a CentOS 6 machine under Apache.
>> Nor can I find a mod_rails as a separate package for it. Would anyone have
>> any idea what we might be doing wrong?
>
> mod rails is 'passenger' which is typically installed as a gem and then
> finished by executing the bind code (as root)
>
> gem install passenger
> passenger-install-apache2-module
>
> but CentOS 6 might have a package that does this but it is certain to be out
> of date at any given time which makes the gem more suitable.

I think you will find this a good resource:

http://blog.phusion.nl/2011/01/04/phusion-passenger-native-packages-for-redhatfedoracentos/
http://passenger.stealthymonkeys.com/

--
Mikael
Re: [CentOS] Double Copies Double Copies
On 02/01/2012 02:16 AM, Mark LaPierre wrote:
> Hey Y'all, why am I getting double copies of every email on this list
> today when it wasn't happening yesterday? Isn't happening on any of my
> other email.

I still get only one mail, as it should be. Maybe your server-client connection is getting berserk. Do you have webmail access so you can check if duplicate mails are on the server also?

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] GUI login issues over NFS
On Tue, Jan 31, 2012 at 03:10:15PM -0500, Michael Weiner wrote:
> On Fri, Jan 27, 2012 at 9:28 AM, Tru Huynh wrote:
> > no other idea for the moment.
>
> Tru -
>
> I think i *MAY* have this figured out. When you do 'ibrix_fs -i' is
> compatibility set to no? If so, are you a 64-bit client only shop? I
> am wondering if our having the 64-bit mode set is causing the
> problems.

I did my tests on c5/c6 x86_64 only.

> [root@lri-brix01 temp]# ibrix_fs -i
> FileSystem: ibrix
> =
> Total Segments: 24
> STATE : Mounted
> Mirrored? : No
> Compatible? : No

    [root@xx2 ~]# ibrix_fs -i
    FileSystem: ibfs1
    =
    Total Segments: 4
    STATE : Mounted
    Mirrored? : No
    Compatible? : Yes,MaxSegments=63

I don't have account on the ibrix machine.
imho: this should be fixed by HP/ibrix support team.

Good luck,

Tru

--
Tru Huynh (mirrors, CentOS i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
[CentOS] first steps in selinux: cron.daily and postfix
Hello,

my CentOS 6.2 server sends the daily messages correctly, e.g. today at Feb 1 03:31:14

At the beginning of work hours (9:00 am local time):

    Feb 1 10:06:17 server postfix/sendmail[27125]: fatal: chdir /var/spool/postfix: Permission denied

Solution:

    restorecon -R /var/spool/postfix/

Afterwards, postfix is OK again.

My own cron jobs will be run latest 1 am

What daily cron job destroys the selinux permissions?

--
Best regards
Helmut Drodofsky

Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart

Managing Director: Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: i...@internet-xs.de
www.internet-xs.de
Re: [CentOS] timeconfig
On Tuesday 31 January 2012 14:08:20 Roberto Alvarado wrote:
> cp -f /usr/share/zoneinfo/YOURTIMEZONE /etc/localtime

And you have to do that every time you update the glibc package.
Any better way to configure time properly?

Regards
Re: [CentOS] Yes another "I can't open port 53 for Bind DNS"
On 02/01/2012 10:01 AM, Ken Smith wrote:
> Shane Bywater wrote:
>> Hi,
>> It's just past 3am and for the past 6 hours I've been
>> configuring a secondary name server to replace one that just crashed.
>> My problem appears to be that port 53 is not open for some reason on my
>> server even though I have this:
>>
>> [root@tribe etc]# netstat -an | grep ":53 "
>> tcp 0 0 205.211.154.3:53 0.0.0.0:* LISTEN
>> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
>> udp 0 0 205.211.154.3:53 0.0.0.0:*
>>
>> {snip}
>>
>> But with a test from
>> http://www.yougetsignal.com/tools/open-ports/
>> it says port 53 is closed.
>>
>> I'm using CentOS 6.0 and BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
>>
>> I'm not using iptables (well I didn't configure any)
>>
>> {snip}
>> 5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>>
>> {snip}
>> Can someone suggest something I have forgotten?
>>
>> TIA,
>> Shane
>
> I think iptables rule 5 is stopping DNS.
>
> I can 'see' your ICMP (ping) and SSH are open from here.
>
> I've not used Centos 6 in production yet but try entering:-
>
> iptables -I INPUT 4 -p udp --dport 53 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -I INPUT 4 -p tcp --dport 53 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

You only want "--state NEW". The related/established bit is handled by rule 1 in the INPUT chain.

Regards,
Dennis
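An added illustration, not part of any message in this thread: a small first-match evaluator that walks the INPUT chain the way netfilter does, showing why a new DNS query falls through to rule 5, why `-I INPUT 4` puts the fix ahead of the REJECT, and why `--state NEW` is sufficient. The rule text is a constructed iptables-save style sample modelled on the listing above; it assumes rule 3 is the loopback-only accept (`-i lo`), which the `-n -L` listing cannot show because it has no interface column, and the names `first_match` and `insert_rule` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the five INPUT rules from the thread.
# ASSUMPTION: rule 3 matches the loopback interface only.
STOCK_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The two suggested rules, reduced to "--state NEW" as the last reply advises.
DNS_UDP='-A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT'
DNS_TCP='-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT'

# first_match RULES IFACE PROTO DPORT STATE
# Prints "<rule number> <target>" for the first rule the packet matches,
# or "policy" when no rule matches and the chain policy would apply.
first_match() {
    printf '%s\n' "$1" | awk -v iface="$2" -v proto="$3" -v dport="$4" -v state="$5" '
    /^-A INPUT / {
        n++
        ok = 1
        target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" && $(i + 1) != iface) ok = 0
            else if ($i == "-p" && $(i + 1) != proto) ok = 0
            else if ($i == "--dport" && $(i + 1) != dport) ok = 0
            else if ($i == "--state" && index("," $(i + 1) ",", "," state ",") == 0) ok = 0
            else if ($i == "-j") target = $(i + 1)
        }
        if (ok) { print n, target; found = 1; exit }
    }
    END { if (!found) print "policy" }'
}

# insert_rule RULES POSITION RULE
# Mimics "iptables -I INPUT POSITION": RULE becomes rule number POSITION and
# everything from that position on moves down by one.
insert_rule() {
    printf '%s\n' "$1" | awk -v pos="$2" -v rule="$3" '
    NR == pos { print rule }
    { print }
    END { if (pos > NR) print rule }'
}

FIXED_RULES=$(insert_rule "$STOCK_RULES" 4 "$DNS_UDP")
FIXED_RULES=$(insert_rule "$FIXED_RULES" 4 "$DNS_TCP")

# Walk a few constructed packets through both rule sets.
for pkt in 'eth0 udp 53 NEW' 'eth0 tcp 53 NEW' 'eth0 udp 53 ESTABLISHED' 'lo udp 53 NEW'; do
    set -- $pkt
    printf '%-26s stock: %-10s fixed: %s\n' "$pkt" \
        "$(first_match "$STOCK_RULES" "$@")" "$(first_match "$FIXED_RULES" "$@")"
done
```

On the real host, `iptables -L -n -v` or `iptables -S INPUT` shows the interface match that the plain `-n -L` listing hides, and on CentOS 6 `service iptables save` writes the running rules to /etc/sysconfig/iptables so the insert survives a restart.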
[CentOS] squirrelmail for 6.2
Hello list.

I have installed centos-release-6-2.el6.centos.7.x86_64 and I can't find squirrelmail.
Does anyone know why?

--
*Γατσής Νίκος - Gatsis Nikos*
Web developer
tel.: 2108256721 - 2108256722
fax: 2108256712
email: ngat...@qbit.gr
http://www.qbit.gr
[CentOS] apache 2.2.22 on CentOS 5...
Hi,

while the brand new apache 2.2.22 compiles fine on CentOS 6, it fails on CentOS 5 unless you tell him to use its internal apr lib...

I saw in the 2.2.22 release notes:

"This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR Utility Library (APR-util) version 1.4.2, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR-util version 1.4 represents a minor version upgrade from earlier httpd source distributions, which previously included version 1.3."

On CentOS 6, we have apr 1.3.9
On CentOS 5, apr 1.2.7

Anyone knows if it will be backported to the packaged apr...?

Thx,
JD
Re: [CentOS] squirrelmail for 6.2
On Wed, 2012-02-01 at 15:09 +0200, Nikos Gatsis - Qbit wrote:
> Hello list.
> I have install centos-release-6-2.el6.centos.7.x86_64 and I cant find
> squirrelmail.
> Does any know why?

Check epel repo.

    squirrelmail-1.4.22-2.el6.noarch : webmail client written in php

Regards,
B.J.

CentOS release 6.2 (Final)
[CentOS] gtar compression achieved
Hey folks,

I looked at the man page and don't see any way to do this - maybe it is a function of the compression program used I dunno.

Is there any way to get gtar to report on the compression it achieved?

I can't just check file sizes because I'm writing data to tape.

The basic problem is that I know how much data is there to begin with but I don't know how much room it took up on the tape so I have no idea how much room is left on the tape.

thanks,
-Alan

--
“Don't eat anything you've ever seen advertised on TV” - Michael Pollan, author of "In Defense of Food"
Re: [CentOS] squirrelmail for 6.2
On 2012-02-01 13:21, B.J. McClure wrote:
> On Wed, 2012-02-01 at 15:09 +0200, Nikos Gatsis - Qbit wrote:
>
>> Hello list.
>> I have install centos-release-6-2.el6.centos.7.x86_64 and I cant
>> find squirrelmail.
>> Does any know why?
>
> Check epel repo.
>
> squirrelmail-1.4.22-2.el6.noarch : webmail client written in php

It may be available on the epel repo, but as it is just a bunch of php's put into a webfile I tend to just get the tarball and configure Apache/PHP to run it.

Does the rpm have any features beyond that? Patches / Plugins?

Squirrelmail has been fraught with issues in the past that allowed spammers to use it to relay email. It may have been the fault of PHP, I can't honestly remember. In any case 1.4.22 is the latest stable version, so you should be ok to use the rpm in that repo for the time being.

--
Message sent via my webmail account.
Re: [CentOS] squirrelmail for 6.2
On 01/02/2012 15:24, Giles Coochey wrote:
>>> Hello list.
>>> I have install centos-release-6-2.el6.centos.7.x86_64 and I cant
>>> find squirrelmail.
>>> Does any know why?
>>
>> Check epel repo.
>>
>> squirrelmail-1.4.22-2.el6.noarch : webmail client written in php
>
> It may be available on the epel repo, but as it is just a bunch of
> php's put into a webfile I tend to just get the tarball and configure
> Apache/PHP to run it.
> Does the rpm have any features beyond that? Patches / Plugins?

It is perhaps better to use the EPEL repository to get security updates (if there are) ?

Alain

--
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
Re: [CentOS] squirrelmail for 6.2
On 2012-02-01 14:40, Alain Péan wrote:
> On 01/02/2012 15:24, Giles Coochey wrote:
>>>> Hello list.
>>>> I have install centos-release-6-2.el6.centos.7.x86_64 and I cant
>>>> find squirrelmail.
>>>> Does any know why?
>>>
>>> Check epel repo.
>>>
>>> squirrelmail-1.4.22-2.el6.noarch : webmail client written in php
>>
>> It may be available on the epel repo, but as it is just a bunch of
>> php's put into a webfile I tend to just get the tarball and configure
>> Apache/PHP to run it.
>> Does the rpm have any features beyond that? Patches / Plugins?
>
> It is perhaps better to use the EPEL repository to get security updates
> (if there are) ?

Is there a guarantee that a package is being actively maintained if it is in the EPEL repository? I checked the FAQ and can't pin down what they do in those instances.

I only say, as I have stated off-list, the reason I've not been using a repo for some php packages is that I've found that they were sometimes lagging behind with the current stable version, and that security issues existed that had not been patched by the repo in question.

--
Message sent via my webmail account.
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 8:18 AM, Alan McKay wrote:
> Hey folks,
>
> I looked at the man page and don't see any way to do this - maybe it is a
> function of the compression program used I dunno.
>
> Is there any way to get gtar to report on the compression it achieved?
>
> I can't just check file sizes because I'm writing data to tape.
>
> The basic problem is that I know how much data is there to begin with but I
> don't know how much room it took up on the tape so I have no idea how much
> room is left on the tape.

There is a --totals option, but that is before compression. I don't think there is a way to do it. You can use -f /dev/null and --totals to get a quick estimate of the uncompressed size of what matches the tar arguments (for full/incremental). Gnu tar 'special cases' output to /dev/null and doesn't bother actually reading the data but it adds up the sizes from the directory. That was added so amanda can do estimates that let it decide how to mix the fulls and incrementals each day to fill a tape.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] gtar compression achieved
> There is a --totals option, but that is before compression. I don't
> think there is a way to do it.

Dang. There is a "tell" command on "mt" which tells you what block number you are on, but according to the man page only exists for some types of drive. And evidently not mine :-(

That would have worked with some simple math.

--
“Don't eat anything you've ever seen advertised on TV” - Michael Pollan, author of "In Defense of Food"
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 9:59 AM, Alan McKay wrote:
>> There is a --totals option, but that is before compression. I don't
>> think there is a way to do it.
>
> Dang. THere is a "tell" command on "mt" which tells you what block number
> you are on, but according to the man page only exists for some types of
> drive. And evidently not mine :-(
>
> That would have worked with some simple math.

Is there some reason you aren't using amanda? Give it some holding disk space and it will run multiple backups at once, buffering on disk, and figure out how they should go on the tape for you.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] gtar compression achieved
> Is there some reason you aren't using amanda? Give it some holding
> disk space and it will run multiple backups at once, buffering on
> disk, and figure out how they should go on the tape for you.

I'm archiving, not backing up.

I looked at Amanda for a few days and it would be really clunky to do what I want.

Anyway I found this :

    [root@solexa-db tmp]# export GZIP=-v
    [root@solexa-db tmp]# tar czf files.tar.gz file{1,2,3,4,5}
     98.4%

So I'm golden :-)

--
“Don't eat anything you've ever seen advertised on TV” - Michael Pollan, author of "In Defense of Food"
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 10:10 AM, Alan McKay wrote:
>> Is there some reason you aren't using amanda? Give it some holding
>> disk space and it will run multiple backups at once, buffering on
>> disk, and figure out how they should go on the tape for you.
>
> I'm archiving, not backing up.

Is there some limit to the number of tapes it will track or the length of a cycle?

> I looked at Amanda for a few days and it would be really clunky to do what
> I want.

I haven't used it for a while, but I thought it had an indexing mechanism that would let you tell it what you want and it would tell you the tapes you need and the order to restore them (for full + incremental cases). And it could re-index the tapes if you lost the disk copy. Maybe that doesn't fit your use, but it seemed handy.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] gtar compression achieved
> I haven't used it for a while, but I thought it had an indexing
> mechanism that would let you tell it what you want and it would tell
> you the tapes you need and the order to restore them (for full +
> incremental cases). And it could re-index the tapes if you lost the
> disk copy. Maybe that doesn't fit your use, but it seemed handy.

In general it is massive overkill for what I'm doing. Even if I wanted to switch backup solutions and move my backups to Amanda it would not be worthwhile to get this as an add-on because of the nature of the data I am dealing with.

Case in point I have about 300G of data that one of the scientists copied over to my server from a piece of scientific equipment. That 300G was never in my backups and I never want it to be. But he needs it archived.

Amanda is just way, way too too big for this.

In 2 weeks I've got a program written that is tailored exactly to our needs. That's probably less time than it would have taken me to deploy Amanda. And it would not have been tailored precisely to our needs.

--
“Don't eat anything you've ever seen advertised on TV” - Michael Pollan, author of "In Defense of Food"
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 10:22 AM, Alan McKay wrote:
>> I haven't used it for a while, but I thought it had an indexing
>> mechanism that would let you tell it what you want and it would tell
>> you the tapes you need and the order to restore them (for full +
>> incremental cases). And it could re-index the tapes if you lost the
>> disk copy. Maybe that doesn't fit your use, but it seemed handy.
>
> In general it is massive overkill for what I"m doing. Even if I wanted to
> switch backup solutions and move my backups to Amanda it would not be
> worthwhile to get this as an add-on because of the nature of the data I am
> dealing with.
>
> Case in point I have about 300G of data that one of the scientists copied
> over to my server from a piece of scientific equipment. That 300G was
> never in my backups and I never want it to be. But he needs it archived.
>
> Amanda is just way, way too too big for this.
>
> In 2 weeks I've got a program written that is tailored exactly to our
> needs. THat's probably less time than it would have taken me to deploy
> Amanda. And it would not have been tailored precisely to our needs.

'Deploying' amanda is a matter of installing the rpm and editing a couple of config files about the tape drive, tapes, targets, and holding space. And maybe some firewall tweaking - but nothing really complicated. You get a lot of coverage of 'real-world' problems already built in that will be hard to match in a new program, but you do have to think the way it does...

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] gtar compression achieved
From: Les Mikesell
> 'Deploying' amanda is a matter of installing the rpm and editing a
> couple of config files about the tape drive, tapes, targets, and
> holding space. And maybe some firewall tweaking - but nothing really
> complicated. You get a lot of coverage of 'real-world' problems
> already built in that will be hard to match in a new program, but you
> do have to think the way it does...

An issue with tar is that if you have an error somewhere in the tar... it is bad news...
afio compresses files individually and has other nice things...
Maybe star does it too.

JD
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 10:47 AM, John Doe wrote:
>
>> 'Deploying' amanda is a matter of installing the rpm and editing a
>> couple of config files about the tape drive, tapes, targets, and
>> holding space. And maybe some firewall tweaking - but nothing really
>> complicated. You get a lot of coverage of 'real-world' problems
>> already built in that will be hard to match in a new program, but you
>> do have to think the way it does...
>
> An issue with tar is that if you have an error somewhere in
> the tar... it is bad news...
> afio compress files individually and has other nice things...
> Maybe star does it too.

In a practical sense, I don't know if that even matters. I've never seen a tape drive that could recover and read past an error in the input anyway. Maybe back in floppy disk days...

--
Les Mikesell
lesmikes...@gmail.com
[CentOS] CentOS-announce Digest, Vol 84, Issue 1
Today's Topics:

1. CESA-2012:0069 Moderate CentOS 6 ruby Update (Johnny Hughes)
2. CESA-2012:0079 Critical CentOS 4 firefox Update (Johnny Hughes)
3. CESA-2012:0079 Critical CentOS 5 firefox Update (Johnny Hughes)
4. CESA-2012:0080 Critical CentOS 6 thunderbird Update (Johnny Hughes)
5. CESA-2012:0079 Critical CentOS 6 firefox Update (Johnny Hughes)
6. CESA-2012:0085 Critical CentOS 4 thunderbird Update (Johnny Hughes)
7. CESA-2012:0084 Critical CentOS 4 seamonkey Update (Johnny Hughes)
8. CESA-2012:0085 Critical CentOS 5 thunderbird Update (Johnny Hughes)

--

Message: 1
Date: Tue, 31 Jan 2012 10:23:57 +
From: Johnny Hughes
Subject: [CentOS-announce] CESA-2012:0069 Moderate CentOS 6 ruby Update
To: centos-annou...@centos.org
Message-ID: <20120131102357.ga32...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2012:0069 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2012-0069.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net

--

Message: 2
Date: Wed, 1 Feb 2012 03:34:27 +
From: Johnny Hughes
Subject: [CentOS-announce] CESA-2012:0079 Critical CentOS 4 firefox Update
To: centos-annou...@centos.org
Message-ID: <20120201033427.ga21...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2012:0079 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2012-0079.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Tru Huynh
CentOS Project { http://www.centos.org/ }
irc: tru_tru, #cen...@irc.freenode.net

--

Message: 3
Date: Wed, 1 Feb 2012 03:47:51 +
From: Johnny Hughes
Subject: [CentOS-announce] CESA-2012:0079 Critical CentOS 5 firefox Update
To: centos-annou...@centos.org
Message-ID: <20120201034751.ga22...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2012:0079 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2012-0079.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net

--

Message: 4
Date: Wed, 1 Feb 2012 11:56:07 +
From: Johnny Hughes
Subject: [CentOS-announce] CESA-2012:0080 Critical CentOS 6 thunderbird Update
To: centos-annou...@centos.org
Message-ID: <20120201115607.ga18...@chakra.karan.org>
Content-Type: text/plain; charset=
[CentOS] CentOS 6.2 Autofs stopped working
Seems that autofs in 6.2 stopped working like it used to.

We use NIS and automount maps.

Primary map auto.sf

    ssdt -fstype=autofs,rw auto_ssdt

auto.ssdt map

    scratch -fstype=nfs,hard,intr gold:/vol/ssdt/scratch

So finding a path such as /sf/ssdt/scratch has always worked and continues to work on non CentOS 6.2 machines. This ability stopped with CentOS 6.2

CentOS 6.0 uses autofs-5.0.5-23.el6.x86_64.rpm
CentOS 6.2 uses autofs-5.0.5-39.el6.x86_64.rpm

The work around seems to be to remove autofs in CentOS 6.2 And do an rpm install of autofs from CentOS 6.0. I presume it is a flaw upstream.

Anyone else observing this behavior?

Ed
[CentOS] Updating/Backing Up Server
I am slowly migrating the data etc off an old CentOS32 4.x server to a new CentOS64 5.x server. The old server only has 15Gbyte of its hard drive in use. Is there an easy/safe way to copy the entire contents of old server root directory to a directory on the new server for future reference? Most of the data is various test files, perl scripts, etc. scattered all over.
[CentOS] ip route and nexthop: the "CentOS" way
Hi,

I'm wanting to configure a CentOS 6 server to have a fall-back default route via a second network interface.

Given:

- eth0 with 192.168.0.10 on subnet 192.168.0.0/24 gateway 192.168.0.1
- eth1 with 192.168.1.10 on subnet 192.168.1.0/24 gateway 192.168.1.1

Where eth0's network is a "back door" to the internet, and eth1's is the "front door", I believe I can configure the routing table manually like this:

    ip route default scope global \
        nexthop via 192.168.1.1 dev eth1 weight 1 \
        nexthop via 192.168.0.1 dev eth0 weight 2

However, I've re-read the RHEL6 documents for configuring static routes here:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-static-routes.html

This kind of thing doesn't seem to fit into the scheme of /etc/sysconfig/network-scripts/route-eth? described there, since the route isn't "for" any single interface. Is there a "RHEL/CentOS" way to do this, or do I need to resort to some sort of script containing the above ip route command inserted somewhere?

And how do I stop CentOS from trying to pick its own default gateway settings (since /etc/sysconfig/network likely won't have a GATEWAY parameter)?

Cheers,
Nick

ps. Hints about this obtained from

http://lkml.indiana.edu/hypermail/linux/net/0201.0/.html
http://lartc.org/lartc.html#AEN298
Re: [CentOS] gtar compression achieved
On Wednesday, February 01, 2012 09:18:08 AM Alan McKay wrote:
> The basic problem is that I know how much data is there to begin with but I
> don't know how much room it took up on the tape so I have no idea how much
> room is left on the tape.

What I would do is use the '-' special filename to pipe the uncompressed tar to stdout, pipe to the compressor of choice, then pipe to tee, and have one branch of the tee go to the tape and the other branch go to a program to count bytes.
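The pipeline described in this reply, written out as an added example that is not part of the original message: one pass over the data produces the archive on the destination plus both the uncompressed and the compressed byte counts, so the space used on the tape can be tracked per archive. The function names `archive_with_counts` and `tape_left` are hypothetical, and DEST is assumed to be either a tape device path or an ordinary file.

```shell
#!/bin/sh
# archive_with_counts SRC_DIR DEST
# Streams a gzip-compressed tar of SRC_DIR to DEST in a single pass and prints
# "<uncompressed bytes> <compressed bytes>".
archive_with_counts() {
    src_dir=$1
    dest=$2
    work=$(mktemp -d) || return 1
    mkfifo "$work/raw"

    # Background counter for the uncompressed tar stream, fed through a FIFO.
    wc -c < "$work/raw" > "$work/raw.count" &

    # tar writes to stdout ("-f -"); the first tee copies the raw stream to
    # the FIFO; gzip compresses; the second tee writes DEST and hands the
    # same bytes to wc, which counts what actually went to the destination.
    packed=$(tar -C "$src_dir" -cf - . | tee "$work/raw" | gzip -c | tee "$dest" | wc -c)

    wait                                  # let the background counter finish
    raw=$(cat "$work/raw.count")
    rm -rf "$work"
    echo "$(echo $raw) $(echo $packed)"   # unquoted echo trims wc padding
}

# tape_left CAPACITY_BYTES COMPRESSED_BYTES...
# Prints the capacity minus the compressed sizes of the archives written so far.
tape_left() {
    left=$1
    shift
    for used in "$@"; do
        left=$((left - used))
    done
    echo "$left"
}

# Stand-alone use: archive_with_counts.sh SRC_DIR DEST
if [ $# -ge 2 ]; then
    archive_with_counts "$1" "$2"
fi
```

In POSIX sh the exit status of the pipeline is that of `wc`, so a failure inside `tar` or `gzip` has to be caught from their messages on stderr.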
Re: [CentOS] Updating/Backing Up Server
On Wed, 1 Feb 2012 12:50:00 -0600 Matt wrote:
> I am slowly migrating the data etc off an old CentOS32 4.x server to a
> new CentOS64 5.x server. The old server only has 15Gbyte of its hard
> drive in use. Is there an easy/safe way to copy the entire contents
> of old server root directory to a directory on the new server for
> future reference? Most of the data is various test files, perl
> scripts, etc. scattered all over.

tar?

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
www.creekfm.com - FIFTY THOUSAND WATTS of POW WOW POWER!
Re: [CentOS] Updating/Backing Up Server
> Matt wrote:
>
>> I am slowly migrating the data etc off an old CentOS32 4.x server to a
>> new CentOS64 5.x server. The old server only has 15Gbyte of its hard
>> drive in use. Is there an easy/safe way to copy the entire contents
>> of old server root directory to a directory on the new server for
>> future reference? Most of the data is various test files, perl
>> scripts, etc. scattered all over.
>
> tar?

If possible, save and install old drive into new server and mount when/if you need something.
Re: [CentOS] ip route and nexthop: the "CentOS" way
On 02/01/2012 02:03 PM, Nick wrote:
> Hi,
>
> I'm wanting to configure a CentOS 6 server to have a fall-back default
> route via a second network interface.
>
> Given:
>
> - eth0 with 192.168.0.10 on subnet 192.168.0.0/24 gateway 192.168.0.1
> - eth1 with 192.168.1.10 on subnet 192.168.1.0/24 gateway 192.168.1.1
>
> Where eth0's network is a "back door" to the internet, and eth1's is the
> "front door", I believe I can configure the routing table manually like this:
>
>   ip route default scope global \
>     nexthop via 192.168.1.1 dev eth1 weight 1 \
>     nexthop via 192.168.0.1 dev eth0 weight 2
>
> However, I've re-read the RHEL6 documents for configuring static routes here:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-static-routes.html
>
> This kind of thing doesn't seem to fit into the scheme of
> /etc/sysconfig/network-scripts/route-eth? described there, since the route
> isn't "for" any single interface. Is there a "RHEL/CentOS" way to do this,
> or do I need to resort to some sort of script containing the above ip route
> command inserted somewhere?
>
> And how do I stop CentOS from trying to pick its own default gateway settings
> (since /etc/sysconfig/network likely won't have a GATEWAY parameter)?
>

Hmm...

I just tried this and besides needing ip route "add" default

It does not seem to work when I unplug the cable on my primary link.

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
[CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
Hi CentOS experts,

*Short Version*

I would like to produce a weekly report in HTML for each CentOS 5.x server we have indicating configuration compliance with some industry benchmark. I am looking for a tool or tools to implement this, I am happy to use 3rd party proprietary stuff if necessary.

*Long(er) Version*

Current Situation..

I have a client with many (200x) CentOS 5.x servers deployed in various web, mail, database and file server roles, and these boxes have been variously administrated to a lesser or greater degree.

All the boxes have EPEL repository included as part of their base-install, and all boxes have cron jobs for "yum -y update" running frequently, and are rebooted when kernels are available. (so they are not in a terrible state)

For network, local and external vulnerabilities - We use a 3rd party firm, who use WebInspect to monitor for external facing ports and vulnerable services and produce various regular reports to my boss. (hence am not looking at Nessus, OpenVAS or network based scanning tools right now, or indeed any vulnerability tools)

However we now have a New Big Boss in Town - who is an ex security compliance dude. The new rules are; that if it's not being regularly tested, then it's not in compliance, even if it is in compliance etc. (to be honest, I quite like that rule)

So now I am looking for a way to generate a report of server compliance with some compliance standard for all the boxes regularly.

We have a basic list of configuration settings, that is a weaker form of various compliance recommendations, so I am confident that most compliance benchmarks like CIS, EAL3 or the linux web STIG level would be sufficient.

We have chef installed on the CentOS instances, hence I can push out yum based packages, (and I can install from source tarballs, but it will make me cry, on these instances)

I Would like to have...

a tool that runs locally on each CentOS box and produces a reasonably comprehensive html report regarding configuration compliance (and a massive bonus would be to send email alert for severe problems, but I can script that if required)

Ideally I could generate a weekly report that indicates compliance with 1 or more of the recognised linux server benchmarks.

I am happy to pay for a subscription for the checklist, but I suspect the kind per instance 100 USD licenses I see are going to blow my budget.

Current progress is...

I see that OPENSCAP and OVAL have tools in CentOS-base or EPEL, such as

OpenSCAP-utils
ovaldi - oval reference interpreter

Which can be used to create reports. However they seem a little unrefined.

For SCAP and OVAL content I have found the following.

1. NIST provide SCAP content for RHEL desktop, which is kinda close;
2. http://usgcb.nist.gov/usgcb/rhel_content.html
3. There is a tool called sectool in the fedora repos, but I can't get it to run on CentOS due to a missing python-slip module.

Any suggestions on functioning stacks for this problem would be helpful.

Thanks,
Tom

ps SORRY FOR THE LONG EMAIL
Re: [CentOS] Updating/Backing Up Server
On Wed, Feb 1, 2012 at 12:50 PM, Matt wrote:
> I am slowly migrating the data etc off an old CentOS32 4.x server to a
> new CentOS64 5.x server. The old server only has 15Gbyte of its hard
> drive in use. Is there an easy/safe way to copy the entire contents
> of old server root directory to a directory on the new server for
> future reference? Most of the data is various test files, perl
> scripts, etc. scattered all over.

Yes, with new machines typically having many orders of magnitudes more storage than old ones it is easier to keep a backup of old stuff online than to sort through it. If both machines are still running, on the old one, cd to /, then

  rsync -av . new_machine:/path/to/save

perhaps using --exclude to avoid the /proc and /sys directories. Rsync will create the last directory in the target path if it doesn't exist, but only the last one.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] mod_rails under Apache under Ceontos 6
> I think you will find this a good resource:
>
> http://blog.phusion.nl/2011/01/04/phusion-passenger-native-packages-for-redhatfedoracentos/
> http://passenger.stealthymonkeys.com/
>
> --
> Mikael

Mikael,

This looks very useful indeed, thanks!

Boris.
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 1:10 PM, Lamar Owen wrote:
> On Wednesday, February 01, 2012 09:18:08 AM Alan McKay wrote:
>> The basic problem is that I know how much data is there to begin with but I
>> don't know how much room it took up on the tape so I have no idea how much
>> room is left on the tape.
>
> What I would do is use the '-' special filename to pipe the uncompressed tar
> to stdout, pipe to the compressor of choice, then pipe to tee, and have one
> branch of the tee go to the tape and the other branch go to a program to
> count bytes.

Or unless you are talking about many TB per run, decouple the compression from the tape run by sending the output to a disk file that you can sweep to tape later. There are lots of advantages, like not slowing down the tape streaming waiting for compression, being able to do multiple targets at once, and not only knowing the size of what is on the tape so far, but also the total compressed size of what you are going to start to write. Plus, of course, being able to do the tar runs at night when no one is there to swap tapes.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 11:32 AM, Les Mikesell wrote:
> 'Deploying' amanda is a matter of installing the rpm and editing a
> couple of config files about the tape drive, tapes, targets, and
> holding space. And maybe some firewall tweaking - but nothing really
> complicated. You get a lot of coverage of 'real-world' problems
> already built in that will be hard to match in a new program, but you
> do have to think the way it does...
>

Well then I guess thinking the way it does is what I was having issues with. I did have trouble wrapping my head around it. And after a fair bit of googling (and if I'm not mistaken asking on this list) I really could find no examples of a configuration as simple as the one I was looking for.

I'm happy where I am. It is all very basic stuff (knock on wood - hee, hee). And I've got stuff that Amanda cannot possibly have since it is very specific to our environment.

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 2:10 PM, Lamar Owen wrote:
> What I would do is use the '-' special filename to pipe the uncompressed
> tar to stdout, pipe to the compressor of choice, then pipe to tee, and have
> one branch of the tee go to the tape and the other branch go to a program
> to count bytes.
>

The GZIP environment variable is working really well. It tells me the compression ratio and even sends it to STDERR for me so I can easily separate that from the gtar output.

--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
Re: [CentOS] gtar compression achieved
On Wednesday, February 01, 2012 04:00:06 PM Alan McKay wrote:
> The GZIP environment variable is working really well. It tells me the
> compression ratio and even send it to STDERR for me so I can easily
> separate that from the gtar output.

Cool. That's useful information.
Re: [CentOS] ip route and nexthop: the "CentOS" way
On Wed, Feb 1, 2012 at 1:35 PM, Steve Clark wrote:
>
>> I'm wanting to configure a CentOS 6 server to have a fall-back default
>> route via a second network interface.
>>
>> Given:
>>
>> - eth0 with 192.168.0.10 on subnet 192.168.0.0/24 gateway 192.168.0.1
>> - eth1 with 192.168.1.10 on subnet 192.168.1.0/24 gateway 192.168.1.1
>>
>> Where eth0's network is a "back door" to the internet, and eth1's is the
>> "front door", I believe I can configure the routing table manually like this:
>>
>>   ip route default scope global \
>>     nexthop via 192.168.1.1 dev eth1 weight 1 \
>>     nexthop via 192.168.0.1 dev eth0 weight 2
>>
>> However, I've re-read the RHEL6 documents for configuring static routes here:
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-static-routes.html
>>
>> This kind of thing doesn't seem to fit into the scheme of
>> /etc/sysconfig/network-scripts/route-eth? described there, since the route
>> isn't "for" any single interface. Is there a "RHEL/CentOS" way to do this,
>> or do I need to resort to some sort of script containing the above ip route
>> command inserted somewhere?
>>
>> And how do I stop CentOS from trying to pick its own default gateway settings
>> (since /etc/sysconfig/network likely won't have a GATEWAY parameter)?
>>
>>
> Hmm...
>
> I just tried this and besides needing ip route "add" default
>
> It does not seem to work when I unplug the cable on my primary link.

I don't think CentOS is smart enough to automatically drop routes associated with a NIC that is down like a Cisco would. If you put routes in /etc/sysconfig/network-scripts/routes-eth? to match the device names, the ifup and ifdown scripts will add/remove routes when you manually run them to enable/disable a particular NIC, but that doesn't get you automatic failover. And with ethernet type devices it is pretty rare for the link to go away at the same time the packets stop getting through anyway.

--
Les Mikesell
lesmikes...@gmail.com
[CentOS] Bash scripting - Remotely ran commands break while loop
I have two CentOS5 systems server1 and server2. There is user peter on server1 who can ssh to server2 using public ssh keys and no password is needed.

What I noticed is that running remote ssh commands in bash script breaks while loops.

==
#!/bin/sh
for i in server2 server2; do
  echo "--> Start"
  ssh peter@$i ls
  echo "--> END"
done

echo " server2
server2" | \
while read confLine; do
  echo "--> $confLine"
  ssh peter@$confLine ls
  echo "--> END $confLine"
done

The "for" loop in the script above will run twice but the "while" loop below it will run only once.

This is very simple to test and I've tried it on different systems including CentOS6 and OpenSolaris with the same result.

Any idea what would cause the ssh command to break the while loop?

Thanks
Peter
Re: [CentOS] gtar compression achieved
On Wed, Feb 1, 2012 at 2:58 PM, Alan McKay wrote:
> On Wed, Feb 1, 2012 at 11:32 AM, Les Mikesell wrote:
>
>> 'Deploying' amanda is a matter of installing the rpm and editing a
>> couple of config files about the tape drive, tapes, targets, and
>> holding space. And maybe some firewall tweaking - but nothing really
>> complicated. You get a lot of coverage of 'real-world' problems
>> already built in that will be hard to match in a new program, but you
>> do have to think the way it does...
>>
>
>
> Well then I guess thinking the way it does is what I was having issues
> with.
> I did have trouble wrapping my head around it. And after a fair bit of
> googling (and if I'm not mistaken asking on this list) I really could find
> no examples of a configuration as simple as the one I was looking for.

I always thought that was why it had a woman's name. You are better off just letting her do things her own way. It really does do a good job of automating and tracking everything and is exceptionally good at the case where you have one tape a day and you want to get at least an incremental of every machine every night and a full at least within the cycle where you start re-using tapes but preferably more often if there is space. It is probably adaptable to other scenarios but it may not fit yours very well. Once it is set up, all you have to do is swap the tape sometime during the day. It takes so little attention I let my setup run even after setting up backuppc until our last tape drive died.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] ip route and nexthop: the "CentOS" way
On 02/01/2012 04:06 PM, Les Mikesell wrote:
> On Wed, Feb 1, 2012 at 1:35 PM, Steve Clark wrote:
>>> I'm wanting to configure a CentOS 6 server to have a fall-back default
>>> route via a second network interface.
>>>
>>> Given:
>>>
>>> - eth0 with 192.168.0.10 on subnet 192.168.0.0/24 gateway 192.168.0.1
>>> - eth1 with 192.168.1.10 on subnet 192.168.1.0/24 gateway 192.168.1.1
>>>
>>> Where eth0's network is a "back door" to the internet, and eth1's is the
>>> "front door", I believe I can configure the routing table manually like this:
>>>
>>>   ip route default scope global \
>>>     nexthop via 192.168.1.1 dev eth1 weight 1 \
>>>     nexthop via 192.168.0.1 dev eth0 weight 2
>>>
>>> However, I've re-read the RHEL6 documents for configuring static routes
>>> here:
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-static-routes.html
>>>
>>> This kind of thing doesn't seem to fit into the scheme of
>>> /etc/sysconfig/network-scripts/route-eth? described there, since the route
>>> isn't "for" any single interface. Is there a "RHEL/CentOS" way to do this,
>>> or do I need to resort to some sort of script containing the above ip route
>>> command inserted somewhere?
>>>
>>> And how do I stop CentOS from trying to pick its own default gateway
>>> settings (since /etc/sysconfig/network likely won't have a GATEWAY
>>> parameter)?
>>>
>>>
>> Hmm...
>>
>> I just tried this and besides needing ip route "add" default
>>
>> It does not seem to work when I unplug the cable on my primary link.
> I don't think CentOS is smart enough to automatically drop routes
> associated with a NIC that is down like a Cisco would. If you put
> routes in /etc/sysconfig/network-scripts/routes-eth? to match the
> device names, the ifup and ifdown scripts will add/remove routes when
> you manually run them to enable/disable a particular NIC, but that
> doesn't get you automatic failover. And with ethernet type devices it
> is pretty rare for the link to go away at the same time the packets
> stop getting through anyway.
>

I got it to sort of work - but even with the weights and flushing the routing cache sometimes it seemed to want to go on the higher weighted route. Could be something in my setup. I did one time have it fail from the lower weight to the higher weighted route when I pulled the cable on the preferred route.

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On 01.02.2012 22:07, Peter Blajev wrote:
> I have two CentOS5 systems server1 and server2. There is user peter on
> server1 who can ssh to server2 using public ssh keys and no password is
> needed.
>
> What I noticed is that running remote ssh commands in bash script breaks
> while loops.
>
> ==
> #!/bin/sh
> for i in server2 server2; do
>   echo "--> Start"
>   ssh peter@$i ls
>   echo "--> END"
> done
>
> echo " server2
> server2" | \
> while read confLine; do
>   echo "--> $confLine"
>   ssh peter@$confLine ls
>   echo "--> END $confLine"
> done
>
>
> The "for" loop in the script above will run twice but the "while" loop
> below it will run only once.
>
> This is very simple to test and I've tried it on different systems
> including CentOS6 and OpenSolaris with the same result.
>
> Any idea what would cause the ssh command to break the while loop?
>
> Thanks
> Peter

That has simply nothing to do with SSH. Compare following:

  echo "foo bar" | while read LINE; do echo $LINE; done

and

  echo -e "foo\nbar" | while read $LINE; do echo $LINE; done

Alexander
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On Wed, Feb 1, 2012 at 3:46 PM, Alexander Dalloz wrote:
>
> That has simply nothing to do with SSH. Compare following:
>
> echo "foo bar" | while read LINE; do echo $LINE; done
>
> and
>
> echo -e "foo\nbar" | while read $LINE; do echo $LINE; done

No, (a) that read $LINE should be read LINE and (b) echo "foo bar" | something should preserve the quoted newline. Ssh does seem to be consuming stuff from the inherited piped stdin even though it isn't obvious what it does with it in a non-interactive scenario. But anything that reads stdin inside the loop would cause that (throw a 'cat >/dev/null' in...).

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On Wed, Feb 01, 2012 at 01:07:31PM -0800, Peter Blajev wrote:
> echo " server2
> server2" | \
> while read confLine; do
>   echo "--> $confLine"
>   ssh peter@$confLine ls
>   echo "--> END $confLine"
> done

> The "for" loop in the script above will run twice but the "while" loop
> below it will run only once.

> Any idea what would cause the ssh command to break the while loop?

"ssh" is reading from stdin and passing the data over to the remote machine. You can test this with

  ssh peter@$confLine 'read x ; echo we got $x'

To stop it doing this, use the "-n" flag

  ssh -n peter@$confLine ls

--
rgds
Stephen
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On Feb 1, 2012, at 2:54 PM, Tom H wrote:
> Hi CentOS experts,*
>
> Short Version*
>
> I would like to produce a weekly report in HTML for each CentOS 5.x
> server we have indicating configuration compliance with some industry
> benchmark. I am looking for a tool or tools to implement this, I am
> happy to use 3rd party proprietary stuff if necessary.
> *

You could have a weekly cron job on all boxes that does a rpm for all package config files, diff against a "snapshot" copy contained under /var somewhere, email those diffs to a change management system, then save the current files in the snapshot directory.

First run will send the complete configs, all subsequent runs will send the diffs.

Of course you need a change management system that will hold an inventory of systems, those systems' hardware/software inventories and configurations, and track those changes with alerts and reports and such.

I don't know of a good system for doing all that unfortunately, but if you do find one let me know.

-Ross
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On Wed, Feb 1, 2012 at 2:54 PM, Tom H wrote:
> Hi CentOS experts,*
>
> Short Version*
>
> I would like to produce a weekly report in HTML for each CentOS 5.x
> server we have indicating configuration compliance with some industry
> benchmark. I am looking for a tool or tools to implement this, I am
> happy to use 3rd party proprietary stuff if necessary.
>
[snip]
>

I'm in a similar situation. We have a growing infrastructure of over 300 instances of RHEL4/5/6. Though not specifically CentOS the tools are the same. My focus has been on PCI compliance. As of yet we don't have any SOX systems on Linux, but I expect that will change in the near future.

For PCI compliance there are a few things that we do. The first thing was to get a handle on the buildout process which we did via kickstart. This ensured consistency in the builds which previously was done by different engineers/operators with different skill levels. We validated the standard image and then used Satellite/Spacewalk to keep track of the versions.

The next step was the daily bit rot and the damage from the application folks whose sole experience was on desktop or laptop systems (i.e., they never had to comply with any industry standards). We started by separating OS from application. This meant not only separate volume groups and mount points for application files, but also things like ensuring that apps did not run as root (you'd be amazed how many developers insist that builds must occur as root). In just about every case where we allowed application developers to have root access we ended up with systems that were wildly out of compliance. In one case a developer installed an entire desktop suite, including MP3 player and video editing tools, in order to satisfy a dependency on a single widget library. We don't do that any more. :/

Next was auditing, which I think may apply to your question.

For the basic package setup, Spacewalk or Satellite can track the versions and allow you to lock the package set. There are also existing scripts that wrap variations of an 'rpm -qVa' and send the reports back. Tools such as tripwire are also useful for this. If you have deployed SELinux, you can effectively even lock the root user from installing or modifying system packages.

For the configurations, we are experimenting with cfengine and puppet. They allow you to track configuration changes, reset changes, etc. I've also used CVS to track configuration files directly. I.e., checkin the changes onto a logged administration server then have the production servers checkout the changes on an on-demand or scheduled basis. This minimizes on-the-fly configurations that accumulate and take the server out of compliance. There are tools to generate reports from cfengine/puppet that show which configurations have changed, etc.

We are also using the perl test harness to run validations. It's pretty coding intensive so you'd possibly need a Perl developer initially to create and to maintain the scripts. The idea is to create the test scripts in lock step with changes to the kickstart. The harness generates a PASS or FAIL response depending on the Perl test. For example, for PCI compliance we have a standard login banner. The test does an MD5 sum against the target machine's /etc/issue.net and checks it against the stored hash. If the hashes correspond it passes the test (barring hash collisions of course :D ).

We are still looking at other methods.
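The banner check described in the message above, sketched as an added example (not the poster's Perl harness or any project's code). It uses SHA-256 in place of the MD5 sum mentioned, emits TAP lines of the kind a Perl test harness consumes, and the function names, manifest file and sample files are all hypothetical or constructed.

```shell
#!/bin/sh
# Added example: compare files against a stored digest baseline and report
# in TAP ("ok N - ..." / "not ok N - ..."). SHA-256 replaces the MD5 sum
# mentioned in the post. All names below are hypothetical.

# Print the SHA-256 hex digest of one file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record the current digests of the given files ("digest  path" lines).
make_baseline() {
    sha256sum "$@"
}

# check_baseline MANIFEST
# Prints a TAP report for every entry; returns 0 only if all files match.
check_baseline() {
    cb_manifest=$1
    cb_total=$(grep -c . "$cb_manifest" || true)
    cb_n=0
    cb_fail=0
    echo "1..$cb_total"
    while read -r cb_want cb_path; do
        [ -n "$cb_want" ] || continue
        cb_n=$((cb_n + 1))
        cb_path=${cb_path#\*}   # drop sha256sum's binary-mode marker, if any
        if [ ! -r "$cb_path" ]; then
            # A deleted file is a failure, not a skipped test.
            echo "not ok $cb_n - $cb_path (missing or unreadable)"
            cb_fail=$((cb_fail + 1))
        elif [ "$(file_sha256 "$cb_path")" = "$cb_want" ]; then
            echo "ok $cb_n - $cb_path"
        else
            echo "not ok $cb_n - $cb_path (digest differs from baseline)"
            cb_fail=$((cb_fail + 1))
        fi
    done <"$cb_manifest"
    [ "$cb_fail" -eq 0 ]
}

# Constructed demo: stand-in files in a temp dir, not the real /etc/issue.net.
demo() {
    d=$(mktemp -d)
    printf 'Authorized use only.\n' >"$d/issue.net"
    printf 'PermitRootLogin no\n' >"$d/sshd_config"
    make_baseline "$d/issue.net" "$d/sshd_config" >"$d/baseline.sha256"

    echo "# as built"
    if check_baseline "$d/baseline.sha256"; then echo "# PASS"; else echo "# FAIL"; fi

    echo "# after an unapproved banner edit"
    printf 'Welcome!\n' >"$d/issue.net"
    if check_baseline "$d/baseline.sha256"; then echo "# PASS"; else echo "# FAIL"; fi
    rm -rf "$d"
}
demo
```

The baseline itself has to live somewhere the audited host cannot rewrite, otherwise a change to the file and to its stored digest go unnoticed together.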
Re: [CentOS] Updating/Backing Up Server
>> I am slowly migrating the data etc off an old CentOS32 4.x server to a
>> new CentOS64 5.x server. The old server only has 15Gbyte of its hard
>> drive in use. Is there an easy/safe way to copy the entire contents
>> of old server root directory to a directory on the new server for
>> future reference? Most of the data is various test files, perl
>> scripts, etc. scattered all over.
>
> Yes, with new machines typically having many orders of magnitudes more
> storage than old ones it is easier to keep a backup of old stuff
> online than to sort through it. If both machines are still running,
> on the old one, cd to /, then
> rsync -av . new_machine:/path/to/save
> perhaps using --exclude to avoid the /proc and /sys directories.
> Rsync will create the last directory in the target path if it doesn't
> exist, but only the last one.

That worked great. Thanks.
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On Wed, Feb 1, 2012 at 6:04 PM, Kwan Lowe wrote:
>
> For the basic package setup, Spacewalk or Satellite can track the versions
> and allow you to lock the package set. There are also existing scripts that
> wrap variations of an 'rpm -qVa' and send the reports back.

Ocsinventory-ng will send a hardware and software inventory to a central server daily - with agents for both Linux and windows. It will pick up the installed rpms but you'd have to extend it to look for local config changes.

> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc..

Is anyone looking at salt instead of puppet yet? http://saltstack.org/

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On 02/02/12 00:04, Kwan Lowe wrote:
>
> Next was auditing, which I think may apply to your question.
>
> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc.. I've also
> used CVS to track configuration files directly. I.e., checkin the changes
> onto a logged administration server then have the production servers
> checkout the changes on an on-demand or scheduled basis. This minimizes
> on-the-fly configurations that accumulate and take the server out of
> compliance. There are tools to generate reports from cfengine/puppet that
> show which configurations have changed, etc..

I noticed that a bunch of projects are using puppet to remediate the problems detected in the auditing, eg changing file permissions and adding/removing packages.

fedora aqueduct is one, and fedora secstate is another, also the NIST rhel STIG has a puppet script to apply the changes.

>
> We are also using the perl test harness to run validations. It's pretty
> coding intensive so you'd possibly need a Perl developer initially to
>

At the moment, custom probes are more likely to be nagios for me, than compliance, I would be happy with most of the basic benchmarks...

> We are still looking at other methods.

OK, well if you are interested, then I have created a question on serverfault.com to track my progress, I will keep it updated.

http://serverfault.com/questions/355680/configuration-compliance-auditing-for-many-centos-5-x-boxes

If you have any great ideas then I will bung some points on your account there...

Cheers,
Tom
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On 02/02/12 00:26, Les Mikesell wrote:
>
> Is anyone looking at salt instead of puppet yet? http://saltstack.org/
>

I had such a bad experience with puppet, that I ran like a jilted teenage lover on a rebound into the arms of chef...

unfortunately I may not have reviewed all the options (including salt) when making that decision.
Re: [CentOS] Double Copies Double Copies [SOLVED] it's self
On 01/31/2012 08:16 PM, Mark LaPierre wrote:
> Hey Y'all, why am I getting double copies of every email on this list
> today when it wasn't happening yesterday? Isn't happening on any of my
> other email.
>

I didn't change anything since I wrote the last time. It's working fine now. Only one copy of each email. Hmmm? Must be an AOL issue that they fixed. Funny that it only affected the CentOS mail.

--
Mark LaPierre
Registered Linux user No #267004
Re: [CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
On Wed, Feb 1, 2012 at 6:43 PM, Tom H wrote:
> On 02/02/12 00:26, Les Mikesell wrote:
>>
>>
>> Is anyone looking at salt instead of puppet yet? http://saltstack.org/
>>
>
> I had such a bad experience with puppet, that I ran like a jilted teenage
> lover on a rebound into the arms of chef...
>
> unfortunately I may not have reviewed all the options (including salt) when
> making that decision.

Not sure salt is quite ready for prime time, but it should be close for linux anyway. The zeromq over ssl connectivity is the first thing I've seen that looks like it would scale.

--
Les Mikesell
lesmikes...@gmail.com
[CentOS] tftp in 6.2
Seems to only write the first block, or with some clients only a zero length file. Perms are obviously not an issue if at least one block can be written?

Anyone know what might give?

Thanks,
jlc
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On Wed, Feb 1, 2012 at 2:53 PM, Stephen Harris wrote:
> On Wed, Feb 01, 2012 at 01:07:31PM -0800, Peter Blajev wrote:
> > echo " server2
> > server2" | \
> > while read confLine; do
> > echo "--> $confLine"
> > ssh peter@$confLine ls
> > echo "--> END $confLine"
> > done
>
> > The "for" loop in the script above will run twice but the "while" loop
> > below it will run only once.
>
> > Any idea what would cause the ssh command to break the while loop?
>
> "ssh" is reading from stdin and passing the data over to the remote
> machine. You can test this with
> ssh peter@$confLine 'read x ; echo we got $x'
>
> To stop it doing this, use the "-n" flag
> ssh -n peter@$confLine ls

This is it. Right on Stephen. Thank you very much. I can't believe I've gone so long without knowing it.

This works for me. I still don't have full understanding of it but I'll do some more reading.

Unfortunately I can't always use the (-n) option. If I want to send data through the pipe then the (-n) won't work. For example (on top of my head):
mysqldump dB | ssh peter@remoteServer "mysql dB"

In my script I ended up using "ssh -n" when I want to work on the output of remotely ran command and "ssh" without (-n) when I want to send data over ssh to a remote command. This so far is not breaking the while loop and it seems to be working but it makes me nervous.

Any note will be appreciated.

Thanks again.

--
Peter
Re: [CentOS] tftp in 6.2
On 02/01/2012 09:59 PM, Joseph L. Casale wrote:
> Seems to only write the first block, or with some clients only a zero length
> file.
> Perms are obviously not an issue if at least one block can be written?
> Anyone know what might give?
>
> Thanks,
> jlc

I use tftp + pxe booting routinely on EL6.2. To get help, you're going to need to share much more information about your setup, the errors/log messages, and what you've tried to do thus far.

--
Digimer
E-Mail: digi...@alteeve.com
Papers and Projects: https://alteeve.com
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On Wed, Feb 01, 2012 at 07:03:33PM -0800, Peter Blajev wrote:
> On Wed, Feb 1, 2012 at 2:53 PM, Stephen Harris wrote:
>
> > On Wed, Feb 01, 2012 at 01:07:31PM -0800, Peter Blajev wrote:
> > > echo " server2
> > > server2" | \
> > > while read confLine; do
> > > echo "--> $confLine"
> > > ssh peter@$confLine ls
> > > echo "--> END $confLine"
> > > done
>
> > > Any idea what would cause the ssh command to break the while loop?
> >
> > "ssh" is reading from stdin and passing the data over to the remote
> > machine. You can test this with
> > ssh peter@$confLine 'read x ; echo we got $x'
> >
> > To stop it doing this, use the "-n" flag
> > ssh -n peter@$confLine ls
>
> Unfortunately I can't always use the (-n) option. If I want to send data
> through the pipe then the (-n) won't work. For example (on top of my head):
> mysqldump dB | ssh peter@remoteServer "mysql dB"

In this situation, ssh will read from the pipe and not from the "echo" statement and so it won't break your while loop.

The thing you need to understand is how redirection works.

  echo foo | while read
  do
    ...
  done

Everything from the "while" to the "done" will have stdin configured to read from the pipe (the output of "echo"). Here's an example:

  % echo "a
  b
  c
  d" | while read a
  do
    echo We have $a
    read b
    echo And $b
  done
  We have a
  And b
  We have c
  And d

You can see that the "read" statement inside the loop is reading from the pipe and so draining input.

An "ssh" on its own, in this situation, would drain _all_ the input. The "-n" flag tells ssh to not do this. But, equally, when you do

  sqldump | ssh

then you've told ssh to take input from the output of sqldump, and so it's no longer reading from the outer loop.

Instead of "ssh -n" you could do "ssh < /dev/null" or "echo | ssh" or other options, and get the same sort of effect; you're setting up the stdin to ssh to be from somewhere _other_ than your main echo.

--
rgds
Stephen
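The stdin behaviour described in the message above can be reproduced offline. This is an added example, not part of the original post: the `greedy` function is a hypothetical stand-in for ssh, the host list is constructed, and the last function goes beyond the thread by putting the list on file descriptor 3.

```shell
#!/bin/sh
# greedy stands in for ssh (assumption, so the example runs offline): like ssh
# without -n, it reads its stdin until EOF.
greedy() { cat >/dev/null; }

HOSTS='server1
server2
server3'   # constructed host list

# Each function prints how many loop iterations ran. The list is fed with a
# here-document rather than a pipe so the counter survives the loop.

loop_broken() {      # greedy inherits the loop's stdin and drains the list
    n=0
    while read -r host; do n=$((n + 1)); greedy; done <<EOF
$HOSTS
EOF
    echo "$n"
}

loop_null_stdin() {  # same effect as "ssh -n": stdin comes from /dev/null
    n=0
    while read -r host; do n=$((n + 1)); greedy </dev/null; done <<EOF
$HOSTS
EOF
    echo "$n"
}

loop_piped() {       # the "mysqldump | ssh" case: stdin is the inner pipe
    n=0
    while read -r host; do
        n=$((n + 1)); printf 'dump for %s\n' "$host" | greedy
    done <<EOF
$HOSTS
EOF
    echo "$n"
}

loop_fd3() {         # list on fd 3, so nothing in the body can consume it
    n=0
    while read -r host <&3; do n=$((n + 1)); greedy; done 3<<EOF
$HOSTS
EOF
    echo "$n"
}

echo "broken=$(loop_broken) null=$(loop_null_stdin) piped=$(loop_piped) fd3=$(loop_fd3 </dev/null)"
```

Only the first variant stops after one host; the fd 3 form is the one to reach for when the loop body must keep the script's own stdin.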
Re: [CentOS] Yes another "I can't open port 53 for Bind DNS"
On 02/01/2012 12:14 AM, Shane Bywater wrote:
> I'm not using iptables (well I didn't configure any)
>
> [root@tribe log]# iptables --line-numbers -n -L
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You should figure out who/what did, then. Those rules don't look like they were created by Red Hat's tools (where you'd see RH-Firewall...), and won't be present by default.

Something created rules and the rules don't allow access to TCP or UDP 53 (you need both). For now, just flush the rules:

  iptables -F INPUT
Re: [CentOS] Bash scripting - Remotely ran commands break while loop
On Wed, Feb 1, 2012 at 7:13 PM, Stephen Harris wrote:
> On Wed, Feb 01, 2012 at 07:03:33PM -0800, Peter Blajev wrote:
> > On Wed, Feb 1, 2012 at 2:53 PM, Stephen Harris wrote:
> >
> > > On Wed, Feb 01, 2012 at 01:07:31PM -0800, Peter Blajev wrote:
> > > > echo " server2
> > > > server2" | \
> > > > while read confLine; do
> > > > echo "--> $confLine"
> > > > ssh peter@$confLine ls
> > > > echo "--> END $confLine"
> > > > done
> >
> > > > Any idea what would cause the ssh command to break the while loop?
> > >
> > > "ssh" is reading from stdin and passing the data over to the remote
> > > machine. You can test this with
> > > ssh peter@$confLine 'read x ; echo we got $x'
> > >
> > > To stop it doing this, use the "-n" flag
> > > ssh -n peter@$confLine ls
> >
> > Unfortunately I can't always use the (-n) option. If I want to send data
> > through the pipe then the (-n) won't work. For example (on top of my head):
> > mysqldump dB | ssh peter@remoteServer "mysql dB"
>
> In this situation, ssh will read from the pipe and not from the "echo"
> statement and so it won't break your while loop.
>
> The thing you need to understand is how redirection works.
> echo foo | while read
> do
> ...
> done
>
> Everything from the "while" to the "done" will have stdin configured to
> read from the pipe (the output of "echo"). Here's an example:
> % echo "a
> b
> c
> d" | while read a
> do
>   echo We have $a
>   read b
>   echo And $b
> done
> We have a
> And b
> We have c
> And d
>
> You can see that the "read" statement inside the loop is reading from
> the pipe and so draining input.
>
> An "ssh" on its own, in this situation, would drain _all_ the input.
> The "-n" flag tells ssh to not do this. But, equally, when you do
> sqldump | ssh
> then you've told ssh to take input from the output of sqldump, and so it's
> no longer reading from the outer loop.
>
> Instead of "ssh -n" you could do "ssh < /dev/null" or "echo | ssh" or
> other options, and get the same sort of effect; you're setting up the
> stdin to ssh to be from somewhere _other_ than your main echo.

Wow. Great lesson. Thank you Stephen. It makes more sense now. I'll save this email for sure.

--
Peter
[CentOS] some notes on setting up vsftp on centos6
I was not sure why vsftp (or any other ftp software) was installed as part of the webserver. Some quick notes, hope it helps anyone else having an issue.

So I yum installed it. I had a bear of a time. But I finally got it to work doing the following.

I had to add ip_conntrack_ftp to my iptables-config file or it would not work:

  IPTABLES_MODULES="ip_conntrack_ftp"

I had to add this line to my iptables file:

  -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

NOTE: I tried using other non standard ports, but this caused a problem upon connection with no way to fix it. I believe it has something to do with port 20 part of vsftp which short of rewriting source code seemed too much. So stick with the default port 21 to avoid any issues.

In etc/vsftpd/vsftp.conf I left everything pretty much the way it was (after hours of fudging it around). I only changed anonymous_enable=YES to ' NO ' instead. (I do not want anonymous users, just the few users on the system.)

This does not address virtual hosts as this is a virtual machine, thus just one website will be on it. The user/pass from a normal user was able to access the /var/www/html/ folder and modify it. That was all I wanted.

I did not set up secure ftp yet (meaning I did not add a ssl cert or anything yet for it).

I certainly hope this helps others. I was surprised I had to modify what I had to. I was surprised I was unable to change the port number and still want to give that a try.

Good luck.