[CentOS] Meltdown and Spectre

2018-02-12 Thread isdtor
Does anyone know if Red Hat are working on backporting improved mitigation 
techniques and features from newer, 4.14.14+ kernels?

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
$ 

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] A question about NBD kernel module...

2018-02-12 Thread Raghuram Devarakonda
Hi,

I would like to mount a device using NBD protocol on CentOS 7 but it looks
like the module is not available by default in the kernel. Is there a way I
can install it (like from a rpm somewhere)? I found instructions to build
such a module but want to make sure that it is not already available in
some repo before I go ahead with building.

Any help is greatly appreciated.

Thanks,
Raghu


Re: [CentOS] Meltdown and Spectre

2018-02-12 Thread Peter Kjellström
On Mon, 12 Feb 2018 11:13:57 +
isdtor  wrote:

> Does anyone know if Red Hat are working on backporting improved
> mitigation techniques and features from newer, 4.14.14+ kernels?
> 
> $ grep . /sys/devices/system/cpu/vulnerabilities/*
> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
> $

As it is, Red Hat has a more comprehensive set of fixes than your 4.14
example above.

For everyone (regardless of microcode etc.) you get PTI and some
additional LFENCE.

For CPUs with microcode support you also get IBRS (restrict speculation)
and IBPB (branch predict barrier).

My understanding is that today for CPUs without microcode support
(most/all since it was revoked) that means slightly less protection (no
retpoline). But for CPUs with support and for Skylake (limited
retpoline usefulness) IBRS+IBPB gives better coverage.

You can view this status in /sys/kernel/debug/x86 (with mounted
debugfs).

The above goes for C6/C7 while Fedora has upstream vanilla stuff.

/Peter
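
The sysfs check quoted at the top of this thread, written as a script that exits non-zero while any entry is still reported as vulnerable and that also lists the debugfs switches mentioned above. This is an added example, not code from any poster; the function names and the `*_enabled` file pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's own report of
# CPU speculation flaws from the sysfs directory quoted above.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
DEBUG_DIR=/sys/kernel/debug/x86   # needs root and a mounted debugfs

# Print "STATE name: status" per entry. Returns 1 if any entry is still
# reported vulnerable, 2 if the directory is missing, 0 otherwise.
vuln_report() {
    dir=${1:-$VULN_DIR}
    [ -d "$dir" ] || { echo "UNKNOWN $dir not present"; return 2; }
    worst=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            "Not affected"*) state=OK ;;
            Mitigation:*)    state=MITIGATED ;;
            Vulnerable*)     state=VULNERABLE; worst=1 ;;
            *)               state=UNKNOWN ;;
        esac
        echo "$state ${f##*/}: $status"
    done
    return $worst
}

# Print "name=value" for each *_enabled switch under the debugfs directory
# (on Red Hat kernels: pti_enabled, ibrs_enabled, ibpb_enabled).
debug_switches() {
    dir=${1:-$DEBUG_DIR}
    for f in "$dir"/*_enabled; do
        [ -r "$f" ] && echo "${f##*/}=$(cat "$f")"
    done
    return 0
}

# Constructed sample: the three status lines posted at the top of the thread.
make_sample() {
    d=$(mktemp -d)
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Vulnerable' > "$d/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
vuln_report "$sample" || echo "exit status $?: at least one entry is not mitigated"
rm -rf "$sample"
```

Called with no argument, `vuln_report` and `debug_switches` read the live paths, which makes the exit status usable in a monitoring check.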


Re: [CentOS] libsmbclient conflict problem

2018-02-12 Thread me

On Sun, 11 Feb 2018, Liam O'Toole wrote:


On 2018-02-11, m...@tdiehl.org wrote:

On Sun, 11 Feb 2018, Liam O'Toole wrote:


On 2018-02-06, m...@tdiehl.org wrote:

Hi,

I have a c-6 machine that I noticed the following on:

(bugs pts10) # package-cleanup --problems
Loaded plugins: fastestmirror, priorities, refresh-packagekit
Package system-config-printer-libs-1.1.16-26.el6.x86_64 requires libsmbclient.so.0()(64bit)
Package kdebase-runtime-libs-4.3.4-9.el6.x86_64 requires libsmbclient.so.0()(64bit)

So then I ran:

(bugs pts10) # yum install libsmbclient


[...]


Error: samba4-winbind conflicts with samba-winbind-3.6.23-46el6_9.x86_64
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.23-46el6_9.x86_64
Error: samba4-common conflicts with samba-common-3.6.23-46el6_9.x86_64


[...]

The error messages above tell you what the problem is: there is a
conflict between the installed samba4 packages and the samba3 packages
you are trying to install. It looks like someone uninstalled various
samba3 packages using rpm (instead of yum), probably in order to install
samba4, but breaking dependencies of other packages in the process.


That would be me. I uninstalled the samba 3 packages because I need the
functionality of the samba4 packages and the samba 3 protocols are insecure.


I have the following samba packages installed:

(bugs pts10) # rpm -qa samba4\*
samba4-winbind-clients-4.2.10-12.el6_9.x86_64
samba4-4.2.10-12.el6_9.x86_64
samba4-client-4.2.10-12.el6_9.x86_64
samba4-common-4.2.10-12.el6_9.x86_64
samba4-winbind-4.2.10-12.el6_9.x86_64
samba4-libs-4.2.10-12.el6_9.x86_64
(bugs pts10)

Can someone tell me what I need to do to resolve the above conflicts?


Do you need to keep the samba4 packages?


Yes.


They do not appear to be co-installable with samba3.


Agreed!!

In looking at this a little more it appears to me that there is a provides
missing from the samba4 packages.

I ran the following on another machine with the samba4 packages installed:


[...]


--> Processing Conflict: samba4-common-4.2.10-12.el6_9.x86_64 conflicts samba-common < 3.9.9
--> Processing Conflict: samba4-winbind-4.2.10-12.el6_9.x86_64 conflicts samba-winbind < 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.2.10-12.el6_9.x86_64 conflicts samba-winbind-clients < 3.9.9
--> Finished Dependency Resolution
Error: samba4-winbind conflicts with samba-winbind-3.6.23-46el6_9.x86_64
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.23-46el6_9.x86_64
Error: samba4-common conflicts with samba-common-3.6.23-46el6_9.x86_64
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest
(cg2 pts17)
--> Processing Dependency: libwbclient.so.0()(64bit) for package: libsmbclient-3.6.23-46el6_9.x86_64

As you can see above, the resolver totally ignores the fact that
the samba4 packages are installed and tries to pull in the samba 3
packages. This smells like a packaging bug to me but I could be wrong.

Can anyone confirm or deny this?

Regards,



I think it goes a bit deeper than a missing provides (in the packaging
sense). Only samba3 contains libwbclient.so.0:

$ yum resolvedep libwbclient.so.0
0:samba-winbind-clients-3.6.23-46el6_9.i686

That can be verified using repoquery (from the package yum-utils):

$ repoquery -l samba4-winbind-clients.x86_64 | grep wbclient
(no output)


Wrong package. It is in samba4-libs-4.2.10-12.el6_9.x86_64.

(bugs pts3) # repoquery -l samba4-libs-4.2.10-12.el6_9.x86_64 | grep wbclient
/usr/lib64/samba/libwbclient.so.0
/usr/lib64/samba/libwbclient.so.0.12
(bugs pts3) #

It looks to me like they changed the package names between samba 3 and samba4.

Regards,

--
Tom m...@tdiehl.org


Re: [CentOS] A question about NBD kernel module...

2018-02-12 Thread Akemi Yagi
On Mon, Feb 12, 2018 at 7:59 AM, Raghuram Devarakonda
 wrote:
> Hi,
>
> I would like to mount a device using NBD protocol on CentOS 7 but it looks
> like the module is not available by default in the kernel. Is there a way I
> can install it (like from a rpm somewhere)? I found instructions to build
> such a module but want to make sure that it is not already available in
> some repo before I go ahead with building.
>
> Any help is greatly appreciated.

You can do one (or both) of the following:

(1) File a request on http://bugs.centos.org and ask that
CONFIG_BLK_DEV_NBD be enabled in the centosplus kernel.
(2) File a request on http://elrepo.org/bugs and ask for a driver
(kmod package) for that.

Akemi


[CentOS] FOSDEM Dojo update, videos

2018-02-12 Thread Rich Bowen
A big thank you to everyone who attended the CentOS Dojo in Brussels a 
week ago. We had about 75 people in attendance (101 registered) and we 
had two tracks of great presentations.


If you did not make it to the event, you can still catch all of the 
presentations on our YouTube channel, at 
https://www.youtube.com/user/TheCentOSProject/playlists  Unfortunately, 
you miss out on the great hallway track, but there's always next year!


Meanwhile, keep a lookout for upcoming events - 
http://wiki.centos.org/Events - and try to attend a dojo near you in the 
coming months. And if you'd like to host or help organize a dojo, please 
get in touch with me, or with the centos-promo mailing list - 
centos-pr...@centos.org - with your suggestions, and we'll try to make 
it happen.


--Rich

--
Rich Bowen - rbo...@redhat.com
@RDOcommunity // @CentOSProject // @rbowen


[CentOS] Problem with ssh disconnecting

2018-02-12 Thread H
Running CentOS 7 on workstation and having a problem with ssh disconnects. My 
ssh_config contains:

Host *
TCPKeepAlive yes
ServerAliveInterval 30
ServerAliveCountMax 300

and sshd_config on the server contains:

TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 300

Have I missed any setting needed to prevent these random disconnects? I don't 
think there is anything wrong with the network card, the driver, or the cable, 
since if I am on a VPN connection via another server, the VPN and any ssh 
connection stay up indefinitely.

Thanks.




Re: [CentOS] Problem with ssh disconnecting

2018-02-12 Thread Stephen John Smoogen
On Mon, Feb 12, 2018 at 6:25 PM H  wrote:

> Running CentOS 7 on workstation and having a problem with ssh disconnects.
> My ssh_config contains:
>
> Host *
> TCPKeepAlive yes
> ServerAliveInterval 30
> ServerAliveCountMax 300
>
> and sshd_config on the server contains:
>
> TCPKeepAlive yes
> ClientAliveInterval 60
> ClientAliveCountMax 300
>
> Have I missed any setting needed to prevent these random disconnects? I
> don't think there is anything wrong with the network card, the driver, or
> the cable, since if I am on a VPN connection via another server, the VPN
> and any ssh connection stay up indefinitely.
>
> Thanks.



There are usually 2 different reasons for this:
1. The VPN is UDP and times out/drops keepalives so that they no longer
function properly. [The UDP connection will make it look like you have a
new SSH connection which of course the system will drop because that would
allow for security problems.]

2. A firewall in the chain of things (system you are on, the system you are
going to, or somewhere in between) has session flushing issues. If you have
the firewall set up to only accept NEW port 22 connections and then just
looks to see if the ESTABLISHED, RELATED tables are accepted elsewhere then
if the session somehow ages out or is flushed due to usage, the ssh
connection can get dropped.

The solution to one is to see if a TCP VPN fixes the problem. The second
one is to either make the iptables kernel tables larger or to have all port
22 accepted even if it is not ESTABLISHED.

These aren’t the only ways the problem you see can occur but they are some
of the most common I have run into.



-- 
Stephen J Smoogen.


Re: [CentOS] Problem with ssh disconnecting

2018-02-12 Thread H
On 02/12/2018 06:34 PM, Stephen John Smoogen wrote:
> On Mon, Feb 12, 2018 at 6:25 PM H  wrote:
>
>> Running CentOS 7 on workstation and having a problem with ssh disconnects.
>> My ssh_config contains:
>>
>> Host *
>> TCPKeepAlive yes
>> ServerAliveInterval 30
>> ServerAliveCountMax 300
>>
>> and sshd_config on the server contains:
>>
>> TCPKeepAlive yes
>> ClientAliveInterval 60
>> ClientAliveCountMax 300
>>
>> Have I missed any setting needed to prevent these random disconnects? I
>> don't think there is anything wrong with the network card, the driver, or
>> the cable, since if I am on a VPN connection via another server, the VPN
>> and any ssh connection stay up indefinitely.
>>
>> Thanks.
>
>
> There are usually 2 different reasons for this:
> 1. The VPN is UDP and times out/drops keepalives so that they no longer
> function properly. [The UDP connection will make it look like you have a
> new SSH connection which of course the system will drop because that would
> allow for security problems.]
>
> 2. A firewall in the chain of things (system you are on, the system you are
> going to, or somewhere in between) has session flushing issues. If you have
> the firewall set up to only accept NEW port 22 connections and then just
> looks to see if the ESTABLISHED, RELATED tables are accepted elsewhere then
> if the session somehow ages out or is flushed due to usage, the ssh
> connection can get dropped.
>
> The solution to one is to see if a TCP VPN fixes the problem. The second
> one is to either make the iptables kernel tables larger or to have all port
> 22 accepted even if it is not ESTABLISHED.
>
> These aren’t the only ways the problem you see can occur but they are some
> of the most common I have run into.
>
>
>
Not sure if I am reading your reply correctly but I should clarify that I have 
problems when running naked ssh to the server, when I run ssh to the same 
server but over the VPN connection (that goes via third server) everything is 
flawless.

I should also explain that:

- I am on a workstation (located in the US), ssh-ing into server 1 (located in 
the US).

- From server 1 I use scp to transfer large files from server 2 (located in 
Europe) to server 1 (in the US).

The above randomly disconnects.

However, when:

- I use a VPN connection to server 3 (also located in Europe).

- From the same workstation as above, do exactly as above, connections are 
rock-solid.




Re: [CentOS] Problem with ssh disconnecting

2018-02-12 Thread Liam O'Toole
On 2018-02-12, H  wrote:
> Running CentOS 7 on workstation and having a problem with ssh
> disconnects. My ssh_config contains:
>
> Host *
> TCPKeepAlive yes
> ServerAliveInterval 30
> ServerAliveCountMax 300
>
> and sshd_config on the server contains:
>
> TCPKeepAlive yes
> ClientAliveInterval 60
> ClientAliveCountMax 300
>
> Have I missed any setting needed to prevent these random disconnects?
> I don't think there is anything wrong with the network card, the
> driver, or the cable, since if I am on a VPN connection via another
> server, the VPN and any ssh connection stay up indefinitely.
>
> Thanks.

Another poster has provided some possible reasons for the
disconnections. Whatever the cause, autossh (from the epel repo) is a
good workaround.

-- 

Liam



Re: [CentOS] Problem with ssh disconnecting

2018-02-12 Thread H
On 02/12/2018 07:24 PM, Liam O'Toole wrote:
> On 2018-02-12, H  wrote:
>> Running CentOS 7 on workstation and having a problem with ssh
>> disconnects. My ssh_config contains:
>>
>> Host *
>> TCPKeepAlive yes
>> ServerAliveInterval 30
>> ServerAliveCountMax 300
>>
>> and sshd_config on the server contains:
>>
>> TCPKeepAlive yes
>> ClientAliveInterval 60
>> ClientAliveCountMax 300
>>
>> Have I missed any setting needed to prevent these random disconnects?
>> I don't think there is anything wrong with the network card, the
>> driver, or the cable, since if I am on a VPN connection via another
>> server, the VPN and any ssh connection stay up indefinitely.
>>
>> Thanks.
> Another poster has provided some possible reasons for the
> disconnections. Whatever the cause, autossh (from the epel repo) is a
> good workaround.
>
Note that this happens while I do large scp file transfers that may take more 
than half an hour, simply restarting an ssh session is not going to help since 
I will lose the file transfer.



Re: [CentOS] Problem with ssh disconnecting

2018-02-12 Thread Earl Ramirez
On Mon, 2018-02-12 at 20:13 -0500, H wrote:
> On 02/12/2018 07:24 PM, Liam O'Toole wrote:
> > On 2018-02-12, H  wrote:
> > > Running CentOS 7 on workstation and having a problem with ssh
> > > disconnects. My ssh_config contains:
> > > 
> > > Host *
> > > TCPKeepAlive yes
> > > ServerAliveInterval 30
> > > ServerAliveCountMax 300
> > > 
> > > and sshd_config on the server contains:
> > > 
> > > TCPKeepAlive yes
> > > ClientAliveInterval 60
> > > ClientAliveCountMax 300
> > > 
> > > Have I missed any setting needed to prevent these random
> > > disconnects?
> > > I don't think there is anything wrong with the network card, the
> > > driver, or the cable, since if I am on a VPN connection via
> > > another
> > > server, the VPN and any ssh connection stay up indefinitely.
> > > 
> > > Thanks.
> > 
> > Another poster has provided some possible reasons for the
> > disconnections. Whatever the cause, autossh (from the epel repo) is
> > a
> > good workaround.
> > 
> 
> Note that this happens while I do large scp file transfers that may
> take more than half an hour, simply restarting an ssh session is not
> going to help since I will lose the file transfer.
> 

I don't know if this would help but I had a similar issue and it turned
out that there was a custom script in /etc/profile.d/ that contained
TMOUT 900.

You can also check in /etc/profile; usually, the security logs have
something about the disconnects, or you can use wireshark or a similar
tool to capture and analyse the packets.

-- 
Earl Ramirez 
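
Read-only checks for three causes raised in the replies above (the keepalive settings, a full connection-tracking table, and a `TMOUT` idle logout), as an added example that is not code from any poster. The function names are assumptions; the `/proc/sys/net/netfilter` files are the standard netfilter sysctls.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for three causes
# raised in the replies: keepalive settings, conntrack pressure, TMOUT.

# Seconds of unanswered keepalive probes before ssh (ServerAlive*) or sshd
# (ClientAlive*) drops the session: interval * count-max.
keepalive_budget() {
    echo $(( $1 * $2 ))
}

# Percentage of the netfilter connection-tracking table in use. $1 is the
# directory holding nf_conntrack_count and nf_conntrack_max.
conntrack_usage() {
    dir=${1:-/proc/sys/net/netfilter}
    [ -r "$dir/nf_conntrack_max" ] || { echo "conntrack not loaded"; return 2; }
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    echo $(( count * 100 / max ))
}

# Print "file:line:text" for every TMOUT assignment (idle-shell auto-logout)
# in the given files or directories; returns non-zero when none is found.
find_tmout() {
    grep -rnE '(^|[[:space:];])TMOUT=' "$@" 2>/dev/null
}

# Values from the configs posted in the thread, then the live system.
echo "client gives up after $(keepalive_budget 30 300)s without a reply"
echo "server gives up after $(keepalive_budget 60 300)s without a reply"
echo "conntrack table in use (%): $(conntrack_usage || true)"
find_tmout /etc/profile /etc/profile.d || echo "no TMOUT assignment found"
```

With the posted values the client tolerates 9000 seconds of unanswered probes, so those settings will not end a session by themselves, but they also will not detect a dead peer quickly.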
