[CentOS] persistent change of max_stack_depth
Hi All,

Could anybody point me in the right direction for setting the kernel parameter, max_stack_depth, to 10240 for database tuning? I have currently set it by running 'ulimit -s 10240' but this does not survive a reboot.

I've Googled plenty and can't find any solution.

Thanks,
Michael

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] persistent change of max_stack_depth
Hi Thomas,

>> Could anybody point me in the right direction for setting the kernel parameter, max_stack_depth, to 10240 for database tuning? I have currently set it by running 'ulimit -s 10240' but this does not survive a reboot.
>
> Look at the file /etc/security/limits.conf
> For documentation, 'man limits.conf'
>
> - Thomas

Thanks for the response, I've been nosing around that file recently but noted the first two lines;

#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.

I added these two lines to the end of the file

* soft stack 12288
* hard stack 12288

in an attempt to set the stack depth to 12MB so that I can configure postgresql max_stack_depth = 10MB.

I rebooted, ulimit -s shows 12288. When I restart my service (#It does not affect resource limits of the system services.) becomes apparent.

Aug 14 16:22:17 db1 pg_ctl[3177]: < 2015-08-14 16:22:17.839 BST >LOG: invalid value for parameter "max_stack_depth": 10240
Aug 14 16:22:17 db1 pg_ctl[3177]: < 2015-08-14 16:22:17.839 BST >DETAIL: "max_stack_depth" must not exceed 7680kB.
Aug 14 16:22:17 db1 pg_ctl[3177]: < 2015-08-14 16:22:17.839 BST >HINT: Increase the platform's stack depth limit via "ulimit -s" or local equivalent.

So, I then run 'ulimit -s 12288' and still can't restart my service.

How can I increase stack depth for system processes, not just PAM authenticated users?

Thanks in advance,
Michael
Re: [CentOS] persistent change of max_stack_depth
Hi Jason,

On 14/08/15 16:45, Jason Warr wrote:
> On Fri, 2015-08-14 at 16:31 +0100, Michael H wrote:
>> [...]
>
> What CentOS version?

CentOS7.1

> If this is CentOS 7 then you may need to put the ulimit directives in the service file.
>
> An example is I needed to increase the NOFILE limit for nfs-secure on a Fedora 20 machine so I set
>
> LimitNOFILE=16384
>
> In /etc/systemd/system/nfs-secure.service

I located the service file for postgresql-9.4

[root@db1 multi-user.target.wants]# locate postgresql-9.4.service
/etc/systemd/system/multi-user.target.wants/postgresql-9.4.service
/usr/lib/systemd/system/postgresql-9.4.service

I've edited /etc/systemd/system/multi-user.target.wants/postgresql-9.4.service and added

LimitSTACK=12288

to the [Unit] section of the service file.

systemctl daemon-reload
systemctl restart postgresql-9.4

I'm still getting the same errors when I try to start my service...

Aug 17 08:23:58 db1 pg_ctl[16839]: < 2015-08-17 08:23:58.533 BST >LOG: invalid value for parameter "max_stack_depth": 10240
Aug 17 08:23:58 db1 pg_ctl[16839]: < 2015-08-17 08:23:58.533 BST >DETAIL: "max_stack_depth" must not exceed 7680kB.

I have tried moving the 'LimitSTACK=12288' to other sections of the service file, when I do I don't get my error from postgresql, I see this in /var/log/messages

Aug 17 08:38:47 db1 systemd: Reloading.
Aug 17 08:38:47 db1 systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 17 08:38:47 db1 systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 17 08:38:49 db1 systemd: Starting PostgreSQL 9.4 database server...
Aug 17 08:38:49 db1 kernel: postgresql94-ch[3021]: segfault at 7ffcd1a28f30 ip 7f116054c79e sp 7ffcd1a28f30 error 6 in libc-2.17.so[7f1160458000+1b6000]
Aug 17 08:38:49 db1 systemd: postgresql-9.4.service: control process exited, code=killed status=11
Aug 17 08:38:49 db1 systemd: Failed to start PostgreSQL 9.4 database server.
Aug 17 08:38:49 db1 systemd: Unit postgresql-9.4.service entered failed state.

Should I, or can I make this change elsewhere?

thanks
Michael
Re: [CentOS] persistent change of max_stack_depth
Just a quick addition -

On 17/08/15 08:40, Michael H wrote:
> [...]

Hi All,

On the PostgreSQL mailing list I've been pointed to this URL;

https://ma.ttias.be/increase-open-files-limit-in-mariadb-on-centos-7-with-systemd/

I've created a directory (I tried changing the 9.4 to 9-4 also)

/etc/systemd/system/postgresql-9.4.service.d
/etc/systemd/system/postgresql-9-4.service.d

created a 'limits.conf' file inside this directory containing

[Service]
LimitSTACK=12288

and I'm unable to restart the service still... I see the same errors as above when I run systemctl status postgresql-9.4 -l.

any more suggestions?!

thanks
Michael
Re: [CentOS] persistent change of max_stack_depth
> [...]

I have created a new directory

/etc/systemd/system/postgresql-9.4.service.d

restorecon -Frv /etc/systemd/system/postgresql-9.4.service.d

I created a limits.conf

I have tried to add this with no section -

LimitSTACK=12288

output:

Aug 17 11:18:41 db1 systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 17 11:18:41 db1 systemd: [/etc/systemd/system/postgresql-9.4.service.d/limits.conf:1] Assignment outside of section. Ignoring.
Aug 17 11:18:41 db1 systemd: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'

the [Unit] section -

[Unit]
LimitSTACK=12288

output:

Aug 17 11:20:06 db1 systemd: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
Aug 17 11:20:06 db1 systemd: [/etc/sy
Re: [CentOS] persistent change of max_stack_depth
Hi Gordon,

On 17/08/15 19:07, Gordon Messmer wrote:
> On 08/17/2015 03:34 AM, Michael H wrote:
>> the [Service] section -
>>
>> [Service]
>> LimitSTACK=12288
>> ...
>> By the errors I will assume that it should be in the [Service] section. I couldn't find confirmation of this online...
>
> Yes, it belongs in the [Service] section.
>
> $ man systemd.exec
> ...
> "The execution specific configuration options are configured in the [Service], [Socket], [Mount], or [Swap] sections, depending on the unit type."
>
> However, I assume that you are confused because "ulimit" in a bash shell returns a value in KiB, but LimitSTACK and setrlimit accept a value in bytes. That is, you've decreased the stack size to 12KiB, which is why PostgreSQL segfaults immediately.

That is the most valuable piece of information! I couldn't find this documented anywhere, maybe I just looked in the wrong place...

> # cat /etc/systemd/system/postgresql.service
> .include /lib/systemd/system/postgresql.service
> [Service]
> LimitSTACK=12582912
>
> # grep stack /var/lib/pgsql/data/postgresql.conf
> max_stack_depth = 10MB    # min 100kB
>
> # systemctl daemon-reload
> # systemctl restart postgresql

Thank you for your help,
Michael
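The fix Gordon describes, written out as an added example (editor's code, not from the thread, PostgreSQL or systemd): a shell helper that converts the KiB figure reported by "ulimit -s" into the bytes that LimitSTACK= expects and writes it into a [Service] drop-in, which is the section the thread establishes systemd accepts it in. The unit name and drop-in directory are the ones from the thread; the function names and the optional scratch-root argument are this example's own assumptions. The last helper reproduces PostgreSQL's 512 kB safety margin, which is what turns an 8192 kB stack into the "must not exceed 7680kB" ceiling in the logs above.

```shell
# Added example, not from the thread: build a systemd drop-in that raises
# RLIMIT_STACK for a service, converting the KiB figure that `ulimit -s`
# prints into the bytes that LimitSTACK= (like setrlimit) expects.
# Assumptions: unit name and directory come from the thread; the helper
# names below are this example's own, not systemd or PostgreSQL APIs.

# ulimit -s reports KiB; LimitSTACK= takes bytes.  12288 KiB -> 12582912.
kib_to_bytes() {
    echo $(( $1 * 1024 ))
}

# Render the drop-in text.  The directive must live in [Service]: systemd
# logs "Assignment outside of section. Ignoring." for a bare line and
# rejects it as an unknown lvalue in [Unit] (both seen in the thread).
render_stack_dropin() {
    printf '[Service]\nLimitSTACK=%s\n' "$(kib_to_bytes "$1")"
}

# Write /etc/systemd/system/<unit>.d/limits.conf.  The optional third
# argument is a scratch root so the function can be exercised without root.
write_stack_dropin() {
    unit=$1 kib=$2 root=${3:-}
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    render_stack_dropin "$kib" > "$dir/limits.conf"
    echo "$dir/limits.conf"
}

# Largest max_stack_depth (kB) PostgreSQL will accept for a given stack
# limit (kB): it keeps a 512 kB slop below RLIMIT_STACK, hence 8192 -> 7680.
max_stack_depth_kb_allowed() {
    echo $(( $1 - 512 ))
}

# On a real host (as root):
#   write_stack_dropin postgresql-9.4.service 12288
#   systemctl daemon-reload
#   systemctl show -p LimitSTACK postgresql-9.4.service   # expect 12582912
#   systemctl restart postgresql-9.4.service
```

The "systemctl show -p LimitSTACK" line is the check worth running before restarting: it prints the value systemd will actually apply, so a KiB/bytes mix-up shows up as a four-digit number instead of a segfault in the journal.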
[CentOS] shared memory - shmmax - shmall - page_size
Hi List,

I'm tuning up a new database server and I'm finding very mixed information online.

Here are the default shmmax and shmall from my new system

cat /proc/sys/kernel/shmmax
4294967295
cat /proc/sys/kernel/shmall
268435456

SHMALL is close enough to being SHMMAX / 16.

Now, everything I'm finding online tells me that SHMALL = SHMMAX / PAGE_SIZE. default page size is 4096.

Has something changed in this calculation? should the defaults be set on SHMALL = SHMMAX / 16??

I'm running CentOS Linux release 7.1.1503 (Core), my old database is running CentOS release 6.6 (Final) and I'm seeing the same calculations there too.

Can somebody please point me in the right direction, I've had a look at pgtune here http://pgtune.leopard.in.ua/, I will not be using the 'default' calculated configuration that it suggests but I noticed the shmall = shmmax / page_size (4096).

I'll benchmark with both calculations but I would really appreciate some confirmation on this.

thanks
Michael
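The two limits in this post are counted in different units, and that is where the "/ 16" versus "/ PAGE_SIZE" confusion comes from: kernel.shmmax is a per-segment ceiling in bytes, kernel.shmall is a system-wide ceiling in pages. The added example below (editor's code, not from the thread or pgtune) makes the unit conversion explicit and reports which of the two is the binding limit for the values a host actually has. Function names are this example's own; the fallback numbers are the defaults quoted in the post.

```shell
# Added example, not from the thread: relate kernel.shmmax (bytes, per
# segment) to kernel.shmall (pages, system-wide).  Helper names are this
# example's own; the defaults used as fallbacks are the ones quoted above.

# shmall (pages) needed so that one shmmax-sized segment fits: the
# "SHMALL = SHMMAX / PAGE_SIZE" rule from the post.
shmall_pages_for_shmmax() {     # SHMMAX_BYTES PAGE_SIZE
    echo $(( $1 / $2 ))
}

# Total shared memory, in bytes, that a given shmall permits.
shmall_bytes() {                # SHMALL_PAGES PAGE_SIZE
    echo $(( $1 * $2 ))
}

# Which ceiling an application hits first.  If the system-wide pool is
# smaller than a single maximal segment, shmall is the effective limit.
shm_binding_limit() {           # SHMMAX_BYTES SHMALL_PAGES PAGE_SIZE
    total=$(shmall_bytes "$2" "$3")
    if [ "$total" -lt "$1" ]; then
        echo "shmall"
    else
        echo "shmmax"
    fi
}

# Report the live values; falls back to the post's defaults when /proc is
# unavailable so the function can be run anywhere.
shm_report() {
    page=$(getconf PAGE_SIZE 2>/dev/null || echo 4096)
    shmmax=$(cat /proc/sys/kernel/shmmax 2>/dev/null || echo 4294967295)
    shmall=$(cat /proc/sys/kernel/shmall 2>/dev/null || echo 268435456)
    printf 'page_size=%s shmmax=%s shmall=%s\n' "$page" "$shmmax" "$shmall"
    printf 'shmall permits %s bytes system-wide\n' "$(shmall_bytes "$shmall" "$page")"
    printf 'shmmax / page_size = %s pages\n' "$(shmall_pages_for_shmmax "$shmmax" "$page")"
    printf 'binding limit: %s\n' "$(shm_binding_limit "$shmmax" "$shmall" "$page")"
}
```

With the post's defaults, shmall of 268435456 pages at 4096 bytes per page permits 1099511627776 bytes (1 TiB) in total, far above the 4 GiB shmmax, so shmmax is the limit a single segment hits; the "/ 16" pattern is a coincidence of the distribution defaults rather than a unit relationship.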
[CentOS] abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected
Hi All,

I've been tuning a server recently and just today this has started to appear in my top/htop output.

[root@db1 ~]# ps -aux | grep kernel
root 1011 0.0 0.0 212048 4532 ? Ss 13:34 0:00 /usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow (cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! page_mapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD

I had made a few changes to sysctl.conf which I have now reverted and the error still exists.

my sysctl.conf contained;

vm.swappiness=0
vm.overcommit_memory=2
vm.overcommit_ratio=90 - this was only added this morning because of an 'out of memory' error in postgresql.
kernel.shmmax=35433480192
kernel.shmall=2214592512

which I have now removed.

Can anyone shine any light on this? A little search on Google mentions faulty memory, I will install memtest today and see what the output is like.

Thanks
Michael
[CentOS] USB devices - libgphoto2 - PTP - hplip
Hi All,

I'm trying to disable USB storage devices in Centos7.1.1503.

I've setup udev rules to block all usb devices and then additional rules to allow specific vendors / products to be used (mainly keyboards and mice). This is all working perfectly.

cat /etc/udev/rules.d/01-usblockdown.rules

# Block all USB devices
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"

# Allow devices
# Keyboards
ACTION=="add", ATTR{idVendor}=="04f3", ATTR{idProduct}=="0103", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
..

Now I'm testing against mobile devices and when I connect an Asus mobile telephone it's mounting the camera using PTP even though the device is not allowed in my udev rules.

I removed libgphoto2 which has now stopped the PTP from automounting. My issue is that I require hplip on my systems for certain printer drivers and this package was removed along with libgphoto2.

I added an 'exclude=libgphoto2*' to my /etc/yum.repos.d/CentOS-Base.repo and installing hplip now fails on dependencies.

Is there a method of disabling libgphoto2 PTP without having to remove the package? or can I create further udev rules to stop PTP mounts?

thanks in advance,
Michael
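The rules above work by flipping the "authorized_default" and "authorized" attributes in sysfs, so the state of those files is the ground truth for whether the lockdown did what was intended after a device is plugged in. The added example below (editor's code, not from the thread) audits that state: it lists every attached USB device with its authorization flag, reports devices that are authorized but not on the allow-list, and reports host controllers whose default was not set to 0. The allow-list, the helper names and the optional scratch-root argument are this example's own assumptions; the allow-list entry is the keyboard id from the rules file.

```shell
# Added example, not from the thread: audit the sysfs "authorized" state
# that the udev rules above toggle.  Runs against the real /sys, or against
# a scratch tree passed as the first argument (used for offline testing).
# The allow-list and helper names are this example's own assumptions.

# Vendor:product pairs the rules intentionally authorise (constructed
# allow-list; 04f3:0103 is the keyboard from the rules file above).
ALLOWED="04f3:0103"

# One line per attached USB device: id, authorized flag, product string.
# Root hubs (usbN) and interface nodes are skipped.
list_usb_authorization() {
    root=${1:-}
    for dev in "$root"/sys/bus/usb/devices/*; do
        case $(basename "$dev") in usb*) continue ;; esac
        [ -f "$dev/idVendor" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        auth=$(cat "$dev/authorized" 2>/dev/null || echo "?")
        name=$(cat "$dev/product" 2>/dev/null || echo "-")
        printf '%s authorized=%s %s\n' "$id" "$auth" "$name"
    done
}

# Ids of devices that are authorized but not on the allow-list: these are
# the ones the lockdown should have left at authorized=0.
unexpected_authorized() {
    root=${1:-}
    list_usb_authorization "$root" | while read -r id auth _; do
        [ "$auth" = "authorized=1" ] || continue
        case " $ALLOWED " in
            *" $id "*) ;;                 # expected, on the allow-list
            *) echo "$id" ;;
        esac
    done
}

# Host controllers whose authorized_default is not 0, i.e. where the
# "Block all USB devices" rule did not take effect.
hubs_not_locked() {
    root=${1:-}
    for hub in "$root"/sys/bus/usb/devices/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        [ "$(cat "$hub/authorized_default")" = "0" ] || basename "$hub"
    done
}

# Usage on a host: list_usb_authorization; unexpected_authorized; hubs_not_locked
```

Running unexpected_authorized right after plugging in the phone from the post tells you whether the device was authorized at the USB level at all; if it was not, the PTP mount is happening through a path the "authorized" gate does not cover, which narrows where to look next.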
[CentOS] USB devices - libgphoto2 - PTP - hplip
Hi,

Posting this again as it has been drowned. can anybody assist?

--

> [...]
Re: [CentOS] USB devices - libgphoto2 - PTP - hplip
On 10/12/15 10:02, Leon Fauster wrote:
> On 10.12.2015 at 09:37, Michael H wrote:
>>
>> I'm trying to disable USB storage devices in Centos7.1.1503.
>
> on EL6 we use:
>
> # cat /etc/modprobe.d/usb-disabled.conf
> install usb-storage /bin/true
>
> # depmod -a

I've achieved disabling USB devices and then allowing specific vendors / products using UDEV rules.

How can I disable PTP automounting without removing the libgphoto2 package?

We are allowing a specific set of usb devices to be used in the company, one of the things we want to block is any kind of file transfer between mobile devices and our systems. Unfortunately it's not just a complete block on devices.

> --
> LF
Re: [CentOS] VNC on centOS
yum -y install x11vnc
x11vnc -display :0 -forever -bg
firewall-cmd --add-port=5900/tcp --permanent

You should look into VNC passwords, I use the above command in a shell script for each user in ~/.kde/Autostart

I believe the viewer I'm using is krdc?

Michael

On 10/12/15 11:49, Hersh wrote:
> Hi,
>
> I have recently installed centOS 7 and trying to start vnc server on it. Somehow, I am unable to make vncserver working. I have modified iptable rules and xstartup file but it did not help.
>
> Has anyone else faced this problem earlier? Any help would be appreciated.
>
> Regards
> Hersh
Re: [CentOS] USB devices - libgphoto2 - PTP - hplip
Please read my entire post! I need to allow specific devices, I am trying to combat PTP mounting. not completely disable all USB devices.

On 10/12/15 15:17, Wes James wrote:
>> On Dec 10, 2015, at 1:37 AM, Michael H wrote:
>>
>> Hi,
>> Posting this again as it has been drowned. can anybody assist?
>>
>> --
>>
>> Hi All,
>>
>> I'm trying to disable USB storage devices in Centos7.1.1503.
>
> I did a google search on "disable usb storage centos 7" and came up with this. Don't know if it helps:
>
> https://unixserveradmin.wordpress.com/2012/12/08/how-to-stop-usb-mass-storage-device-in-rhelcentos/
>
> -wes
Re: [CentOS] USB devices - libgphoto2 - PTP - hplip
On 10/12/15 15:49, Leon Fauster wrote:
> On 10.12.2015 at 11:11, Michael H wrote:
>>
>> On 10/12/15 10:02, Leon Fauster wrote:
>>> On 10.12.2015 at 09:37, Michael H wrote:
>>>>
>>>> I'm trying to disable USB storage devices in Centos7.1.1503.
>>>
>>> on EL6 we use:
>>>
>>> # cat /etc/modprobe.d/usb-disabled.conf
>>> install usb-storage /bin/true
>>>
>>> # depmod -a
>>
>> I've achieved disabling USB devices and then allowing specific vendors / products using UDEV rules.
>>
>> How can I disable PTP automounting without removing the libgphoto2 package?
>>
>> We are allowing a specific set of usb devices to be used in the company, one of the things we want to block is any kind of file transfer between mobile devices and our systems. Unfortunately it's not just a complete block on devices.
>
> A legitimate approach but from a security point of view it's not the best one.
> No authentication, no authorization mechanism and USB IDs can be forgeable.

We are simply trying to block people who are unaware their phone may be compromised. We understand that if someone puts their mind to it they will still be able to get past the udev rules but it's a good starting point.

any clues on disabling PTP (photo transfer protocol) without removing the libgphoto2 package?

thanks

> --
> LF
[CentOS] Fwd: Heads up: OpenSSH users
Probably worth a read...

http://www.openssh.com/txt/release-7.1p2

> Important SSH patch coming soon. For now, everyone on all operating
> systems, please do the following:
>
> Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
> to prevent upcoming #openssh client bug CVE-2016-0777. More later.

echo "UseRoaming no" >> /etc/ssh/ssh_config
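The one-liner above works, but it has two sharp edges that matter when the change is pushed to a fleet: re-running it appends a duplicate each time, and because ssh_config uses the first value it finds for an option and every line after a "Host" or "Match" header belongs to that block, a line appended at the end of a file that already ends inside a Host block only applies to those hosts. The added example below (editor's code, not from the thread or OpenSSH) inserts the directive once, before the first Host/Match line, so it is global. Function names are this example's own assumptions; it is written against a file path so it can be exercised on a scratch copy.

```shell
# Added example, not from the thread: apply "UseRoaming no" idempotently and
# globally.  Helper names are this example's own; nothing here is an
# OpenSSH interface beyond the ssh_config file format itself.

# Return 0 if OPTION is already set before any Host/Match block, i.e. it
# already has a global value.  Usage: ssh_option_set FILE OPTION
ssh_option_set() {
    awk -v opt="$2" '
        { key = tolower($1) }
        key == "host" || key == "match" { exit }     # reached a block first
        key == tolower(opt) { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert "OPTION VALUE" before the first Host/Match line, or append when the
# file has no blocks.  Writing back with cat keeps the inode, mode and
# SELinux label of the original file.  Usage: ssh_ensure_global_option FILE OPTION VALUE
ssh_ensure_global_option() {
    file=$1 opt=$2 val=$3
    ssh_option_set "$file" "$opt" && return 0
    tmp="$file.tmp.$$"
    awk -v line="$opt $val" '
        !done && (tolower($1) == "host" || tolower($1) == "match") { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage on a host (as root):
#   ssh_ensure_global_option /etc/ssh/ssh_config UseRoaming no
```

If the option is already present but only inside a Host block, the helper still adds a global line above it; since the first value wins, the global line takes effect for every connection without touching the existing block.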
Re: [CentOS] Apache doesn't display "It works page" under CentOS 7
On 29/01/16 16:35, reynie...@gmail.com wrote:
> I have Apache/2.4.6 installed in a minimal CentOS 7 VM. I am trying to access the default page when Apache is installed by accessing the CentOS IP as http://192.168.3.130 (is a host only interface) but I got "This webpage is not available: ERR_CONNECTION_TIMED_OUT" and I can't find why. I have stopped iptables and then checked:

my first guess would be;

setsebool -P httpd_can_network_connect on
firewall-cmd --add-service=http --permanent

if you're serving over https you'll also want;

firewall-cmd --add-service=https --permanent

if you intend on sending email;

setsebool -P httpd_can_sendmail on
Re: [CentOS] Apache doesn't display "It works page" under CentOS 7
On 29/01/16 16:45, reynie...@gmail.com wrote:
> On Fri, Jan 29, 2016 at 11:41 AM, Michael H wrote:
>
>> setsebool -P httpd_can_network_connect on
>> firewall-cmd --add-service=http --permanent
>
> I have run those two and still can't access. I have restarted httpd and iptables services after running those lines. BTW, what do those mean? setsebool is part of SELinux? Or is this a new kind of extra security layer on CentOS7? I am moving from Centos 6.7 to 7 and things change between versions.

Selinux has been around for a while.

setsebool - set selinux boolean

You should probably be using the firewall-cmd rather than iptables;

firewall-cmd --add-service=http --permanent - add the http service to your firewall.

I forgot, unless you run

firewall-cmd --reload

the rules may not be in play.

Michael
Re: [CentOS] Apache doesn't display "It works page" under CentOS 7
On 29/01/16 16:52, reynie...@gmail.com wrote:
> On Fri, Jan 29, 2016 at 11:48 AM, Michael H wrote:
>
>> Selinux has been around for a while.
>
> Yes, I know this but ...
>
>> setsebool - set selinux boolean
>
> What I am asking is if the command above is part of SELinux, since I didn't use it before because it's a VM running on my PC so I don't need such security levels.
>
>> You should probably be using the firewall-cmd rather than iptables;
>> firewall-cmd --add-service=http --permanent - add the http service to your firewall.
>>
>> I forgot, unless you run
>>
>> firewall-cmd --reload
>>
>> the rules may not be in play.
>
> # firewall-cmd --reload
> FirewallD is not running

systemctl stop iptables
systemctl disable iptables
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --list-services - confirm you have http, if not repeat the previous commands to add services.

setsebool is a part of selinux. if you don't care about it

setenforce 0
systemctl restart httpd
firewall-cmd --reload

and test.

ensure /etc/httpd/conf.d/[yourvirtualhost].conf has listen *:80

I've setup several web servers this week, if this isn't working, you broke something. We always use minimal installs.

Michael
Re: [CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 17/02/16 13:01, Johnny Hughes wrote:
> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>
> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>
> CentOS-7:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>
> CentOS-6:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>
> These mitigate CVE-2015-7547:
> https://access.redhat.com/security/cve/CVE-2015-7547
> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>
> Can't stress how important this update is .. here are a couple stories:
>
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>
> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>
> Thanks,
> Johnny Hughes

Hi Johnny,

Thank you as always,

Should I be rebooting servers to ensure that all services are using the new glibc? sorry for the rookie question, just need some clarification.

thanks
Michael
Re: [CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
> The easy answer is yes .. glibc requires so many things to be restarted,
> that is the best bet. Or certainly the easiest.
>
> Note: in CentOS 7, there is also a kernel update which is rated as
> Important .. so you should boot to that anyway:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html
>
> Here is a good link to figure out what to restart if you don't want to
> reboot:
> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/
>
> and there is this thread:
> http://markmail.org/message/dodinyrhwgey35mh
>
> But generally, after a glibc update or a kernel update .. rebooting is
> easiest and it ensures everything is protected.

Wow, so, I updated my server (yum update -y) which applied a new kernel and the new glibc among other things. After the update completed it knocked my master postgresql database offline.

Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database server...
Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for parameter "max_stack_depth": 16384
Feb 17 13:46:11 db1 pg_ctl: DETAIL: "max_stack_depth" must not exceed 7680kB.
Feb 17 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth limit via "ulimit -s" or local equivalent.
Feb 17 13:46:11 db1 pg_ctl: FATAL: configuration file "/var/lib/pgsql/data/postgresql.conf" contains errors
Feb 17 13:46:16 db1 pg_ctl: pg_ctl: could not start server
Feb 17 13:46:16 db1 pg_ctl: Examine the log output.
Feb 17 13:46:16 db1 systemd: postgresql.service: control process exited, code=exited status=1
Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL database server.
Feb 17 13:46:16 db1 systemd: Unit postgresql.service entered failed state.
Feb 17 13:46:16 db1 systemd: postgresql.service failed.

I have kernel parameters specified in /etc/sysctl.conf

vm.swappiness=0
vm.overcommit_memory=2
vm.overcommit_ratio=90
kernel.shmmax=35433480192
kernel.shmall=8650752

After the update my postgresql service could not start because these parameters had been reset; I promptly rebooted the server to re-apply them.

Has something changed?!? After a reboot the service still complained that my max_stack_depth was too high because kernel shmmax and shmall were too low, with the same error shown above.

[root@db1 ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 514616
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 514616
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

confirms that my entries in /etc/sysctl.conf were ignored.

Why would these not work anymore?

Are the parameters specified elsewhere now?

Any information would be very helpful!

Thanks
Michael (slightly more grey now)
[CentOS] Kernel parameters ignored -
Hi, re-posting this with a more appropriate subject for my reply;

> The easy answer is yes .. glibc requires so many things to be restarted,
> that is the best bet. Or certainly the easiest.
>
> Note: in CentOS 7, there is also a kernel update which is rated as
> Important .. so you should boot to that anyway:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html
>
> Here is a good link to figure out what to restart if you don't want to
> reboot:
> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/
>
> and there is this thread:
> http://markmail.org/message/dodinyrhwgey35mh
>
> But generally, after a glibc update or a kernel update .. rebooting is
> easiest and it ensures everything is protected.

Wow, so, I updated my server (yum update -y) which applied a new kernel and the new glibc among other things. After the update completed it knocked my master postgresql database offline.

Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database server...
Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for parameter "max_stack_depth": 16384
Feb 17 13:46:11 db1 pg_ctl: DETAIL: "max_stack_depth" must not exceed 7680kB.
Feb 17 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth limit via "ulimit -s" or local equivalent.
Feb 17 13:46:11 db1 pg_ctl: FATAL: configuration file "/var/lib/pgsql/data/postgresql.conf" contains errors
Feb 17 13:46:16 db1 pg_ctl: pg_ctl: could not start server
Feb 17 13:46:16 db1 pg_ctl: Examine the log output.
Feb 17 13:46:16 db1 systemd: postgresql.service: control process exited, code=exited status=1
Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL database server.
Feb 17 13:46:16 db1 systemd: Unit postgresql.service entered failed state.
Feb 17 13:46:16 db1 systemd: postgresql.service failed.

I have kernel parameters specified in /etc/sysctl.conf

vm.swappiness=0
vm.overcommit_memory=2
vm.overcommit_ratio=90
kernel.shmmax=35433480192
kernel.shmall=8650752

After the update my postgresql service could not start because these parameters had been reset; I promptly rebooted the server to re-apply them.

Has something changed?!? After a reboot the service still complained that my max_stack_depth was too high because kernel shmmax and shmall were too low, with the same error shown above.

[root@db1 ~]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 514616
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 514616
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

confirms that my entries in /etc/sysctl.conf were ignored.

Why would these not work anymore?

Are the parameters specified elsewhere now?

Any information would be very helpful!

Thanks
Michael (slightly more grey now)
Re: [CentOS] Kernel parameters ignored -
On 17/02/16 14:32, Michael H wrote: > Hi, re-posting this with a more appropriate subject for my reply; > >> The easy answer is yes .. glibc requires so many things to be restarted, >> that is the best bet. Or certainly the easiest. >> >> Note: in CentOS 7, there is also a kernel update which is rated as >> Important .. so you should boot to that anyway: >> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html >> >> Here is a good link to figure out what to restart if you don't want to >> reboot: >> >> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/ >> >> and there is this thread: >> http://markmail.org/message/dodinyrhwgey35mh >> >> But generalyl, after a glibc update or a kernel update .. rebooting is >> easiest and it ensures everything is protected. > > Wow, so, I updated my server (yum update -y) which applied a new kernel > and the new glibc among other things, After the update completed it > knocked my master postgresql database offline. > > > Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database server... > Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for parameter > "max_stack_depth": 16384 > Feb 17 13:46:11 db1 pg_ctl: DETAIL: "max_stack_depth" must not exceed > 7680kB. > Feb 17 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth > limit via "ulimit -s" or local equivalent. > Feb 17 13:46:11 db1 pg_ctl: FATAL: configuration file > "/var/lib/pgsql/data/postgresql.conf" contains errors > Feb 17 13:46:16 db1 pg_ctl: pg_ctl: could not start server > Feb 17 13:46:16 db1 pg_ctl: Examine the log output. > Feb 17 13:46:16 db1 systemd: postgresql.service: control process exited, > code=exited status=1 > Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL database server. > Feb 17 13:46:16 db1 systemd: Unit postgresql.service entered failed state. > Feb 17 13:46:16 db1 systemd: postgresql.service failed. 
>
> I have kernel parameters specified in /etc/sysctl.conf
>
> vm.swappiness=0
> vm.overcommit_memory=2
> vm.overcommit_ratio=90
> kernel.shmmax=35433480192
> kernel.shmall=8650752
>
> After the update my postgresql service could not start because these
> parameters had been reset; I promptly rebooted the server to re-apply them.
>
> Has something changed?!? After a reboot the service still complained
> that my max_stack_depth was too high because kernel shmmax and shmall
> were too low, with the same error shown above.
>
> [root@db1 ~]# ulimit -a
> core file size          (blocks, -c) 0
> data seg size           (kbytes, -d) unlimited
> scheduling priority             (-e) 0
> file size               (blocks, -f) unlimited
> pending signals                 (-i) 514616
> max locked memory       (kbytes, -l) 64
> max memory size         (kbytes, -m) unlimited
> open files                      (-n) 1024
> pipe size            (512 bytes, -p) 8
> POSIX message queues     (bytes, -q) 819200
> real-time priority              (-r) 0
> stack size              (kbytes, -s) 8192
> cpu time               (seconds, -t) unlimited
> max user processes              (-u) 514616
> virtual memory          (kbytes, -v) unlimited
> file locks                      (-x) unlimited
>
> confirms that my entries in /etc/sysctl.conf were ignored.
>
> Why would these not work anymore?
>
> Are the parameters specified elsewhere now?
>
> Any information would be very helpful!

Some additional information;

sysctl -a | grep kernel.shm
kernel.shmall = 8650752
kernel.shmmax = 35433480192
kernel.shmmni = 4096

which corresponds to my /etc/sysctl.conf
kernel.shmmax=35433480192
kernel.shmall=8650752

but contradicts;

ulimit -a
[...]
stack size              (kbytes, -s) 8192
[...]

Any suggestions as to why this has happened?

Thanks
Michael
Re: [CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 17/02/16 14:39, Johnny Hughes wrote: > On 02/17/2016 08:10 AM, Michael H wrote: >>> The easy answer is yes .. glibc requires so many things to be >>> restarted, that is the best bet. Or certainly the easiest. >>> >>> Note: in CentOS 7, there is also a kernel update which is rated >>> as Important .. so you should boot to that anyway: >>> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html >>> >>> >>> Here is a good link to figure out what to restart if you don't want to >>> reboot: >>> >>> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/ >>> >>> >>> and there is this thread: >>> http://markmail.org/message/dodinyrhwgey35mh >>> >>> But generalyl, after a glibc update or a kernel update .. >>> rebooting is easiest and it ensures everything is protected. >> >> Wow, so, I updated my server (yum update -y) which applied a new >> kernel and the new glibc among other things, After the update >> completed it knocked my master postgresql database offline. >> >> >> Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database >> server... Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for >> parameter "max_stack_depth": 16384 Feb 17 13:46:11 db1 pg_ctl: >> DETAIL: "max_stack_depth" must not exceed 7680kB. Feb 17 >> 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth >> limit via "ulimit -s" or local equivalent. Feb 17 13:46:11 db1 >> pg_ctl: FATAL: configuration file >> "/var/lib/pgsql/data/postgresql.conf" contains errors Feb 17 >> 13:46:16 db1 pg_ctl: pg_ctl: could not start server Feb 17 >> 13:46:16 db1 pg_ctl: Examine the log output. Feb 17 13:46:16 db1 >> systemd: postgresql.service: control process exited, code=exited >> status=1 Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL >> database server. Feb 17 13:46:16 db1 systemd: Unit >> postgresql.service entered failed state. Feb 17 13:46:16 db1 >> systemd: postgresql.service failed. 
>>
>> I have kernel parameters specified in /etc/sysctl.conf
>>
>> vm.swappiness=0
>> vm.overcommit_memory=2
>> vm.overcommit_ratio=90
>> kernel.shmmax=35433480192
>> kernel.shmall=8650752
>>
>> After the update my postgresql service could not start because
>> these parameters had been reset; I promptly rebooted the server to
>> re-apply them.
>>
>> Has something changed?!? After a reboot the service still
>> complained that my max_stack_depth was too high because kernel
>> shmmax and shmall were too low, with the same error shown above.
>>
>> [root@db1 ~]# ulimit -a
>> core file size          (blocks, -c) 0
>> data seg size           (kbytes, -d) unlimited
>> scheduling priority             (-e) 0
>> file size               (blocks, -f) unlimited
>> pending signals                 (-i) 514616
>> max locked memory       (kbytes, -l) 64
>> max memory size         (kbytes, -m) unlimited
>> open files                      (-n) 1024
>> pipe size            (512 bytes, -p) 8
>> POSIX message queues     (bytes, -q) 819200
>> real-time priority              (-r) 0
>> stack size              (kbytes, -s) 8192
>> cpu time               (seconds, -t) unlimited
>> max user processes              (-u) 514616
>> virtual memory          (kbytes, -v) unlimited
>> file locks                      (-x) unlimited
>>
>> confirms that my entries in /etc/sysctl.conf were ignored.
>>
>> Why would these not work anymore?
>>
>> Are the parameters specified elsewhere now?
>>
>> Any information would be very helpful!
>>
>> Thanks
>>
>> Michael (slightly more grey now)
>
> Since you are talking about SystemD .. I assume c7.
>
> In c7 .. there is a symlink to /etc/sysctl.d/99-sysctl.conf to
> /etc/sysctl.conf
>
> Have you verified your sysctl.conf actually contains those settings
> still.

Contents are still intact.

> Your best bet on CentOS-7 is to create a new file in
> /etc/sysctl.d/ called something like 99-postgres.conf and put your
> mods in there. That way it will never change.
>
> Also .. verify all the files in /etc/sysctl.d/ and /etc/sysctl.conf
> are set to this label for selinux:
>
> unconfined_u:object_r:etc_t:s0

# ll -dZ /etc/sysctl.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc/sysctl.d
# ll -Z /etc/sysctl.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf

I tried restorecon -Frv /etc/sysctl* to no avail. Should I manually re-label these, or is this an issue with the selinux-policy package having the incorrect defaults?

> See this for labeling: red.ht/1ooTpiI
>
> But, /etc/sysctl.conf should still work in centos-7.

Thanks,
Michael
Re: [CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 17/02/16 14:44, Johnny Hughes wrote: > On 02/17/2016 08:39 AM, Johnny Hughes wrote: >> On 02/17/2016 08:10 AM, Michael H wrote: >>>> The easy answer is yes .. glibc requires so many things to be restarted, >>>> that is the best bet. Or certainly the easiest. >>>> >>>> Note: in CentOS 7, there is also a kernel update which is rated as >>>> Important .. so you should boot to that anyway: >>>> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html >>>> >>>> Here is a good link to figure out what to restart if you don't want to >>>> reboot: >>>> >>>> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/ >>>> >>>> and there is this thread: >>>> http://markmail.org/message/dodinyrhwgey35mh >>>> >>>> But generalyl, after a glibc update or a kernel update .. rebooting is >>>> easiest and it ensures everything is protected. >>> >>> Wow, so, I updated my server (yum update -y) which applied a new kernel >>> and the new glibc among other things, After the update completed it >>> knocked my master postgresql database offline. >>> >>> >>> Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database server... >>> Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for parameter >>> "max_stack_depth": 16384 >>> Feb 17 13:46:11 db1 pg_ctl: DETAIL: "max_stack_depth" must not exceed >>> 7680kB. >>> Feb 17 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth >>> limit via "ulimit -s" or local equivalent. >>> Feb 17 13:46:11 db1 pg_ctl: FATAL: configuration file >>> "/var/lib/pgsql/data/postgresql.conf" contains errors >>> Feb 17 13:46:16 db1 pg_ctl: pg_ctl: could not start server >>> Feb 17 13:46:16 db1 pg_ctl: Examine the log output. >>> Feb 17 13:46:16 db1 systemd: postgresql.service: control process exited, >>> code=exited status=1 >>> Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL database server. >>> Feb 17 13:46:16 db1 systemd: Unit postgresql.service entered failed state. 
>>> Feb 17 13:46:16 db1 systemd: postgresql.service failed. >>> >>> >>> I have kernel parameters specified in /etc/sysctl.conf >>> >>> vm.swappiness=0 >>> vm.overcommit_memory=2 >>> vm.overcommit_ratio=90 >>> kernel.shmmax=35433480192 >>> kernel.shmall=8650752 >>> >>> After the update my postgresql service could not start because these >>> parameters had been reset, I promptly rebooted to server to re-apply them. >>> >>> Has something changed?!? after a reboot the service still complained >>> that my max_stack_depth was too high because kernel shmmax and shmall >>> were too low with the same error shown above. >>> >>> [root@db1 ~]# ulimit -a >>> core file size (blocks, -c) 0 >>> data seg size (kbytes, -d) unlimited >>> scheduling priority (-e) 0 >>> file size (blocks, -f) unlimited >>> pending signals (-i) 514616 >>> max locked memory (kbytes, -l) 64 >>> max memory size (kbytes, -m) unlimited >>> open files (-n) 1024 >>> pipe size(512 bytes, -p) 8 >>> POSIX message queues (bytes, -q) 819200 >>> real-time priority (-r) 0 >>> stack size (kbytes, -s) 8192 >>> cpu time (seconds, -t) unlimited >>> max user processes (-u) 514616 >>> virtual memory (kbytes, -v) unlimited >>> file locks (-x) unlimited >>> >>> confirms that my entries in /etc/sysctl.conf were ignored. >>> >>> Why would these not work anymore? >>> >>> Are the parameters specified elsewhere now? >>> >>> any information would be very helpful! >>> >>> Thanks >>> >>> Michael >>> (slightly more grey now) >> >> Since you are talking about SystemD .. I assume c7. >> >> In c7 .. there is a symlink to /etc/sysctl.d/99-sysctl.conf to >> /etc/sysctl.conf >> >> Have you verified your sysctl.conf actually contains those settings still. >> >> Your best bet on CentOS-7 is to create a new file in /etc/sysctl.d/ >> called something like 99-postgres.conf and put youjr mods in there. >> That way it will never chan
Re: [CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
> Should my output from ulimit -a not correspond to my sysctl.conf
> parameters?
>
> This server was tested heavily and rebooted tens of times before it
> moved into production. I can't understand what has changed other than
> now I get inconsistent output from
>
> sysctl -a and ulimit -a. I am quite confident this wasn't the case
> before I updated today.
>
> ulimit -s is definitely not showing the correct parameter that I
> specified in /etc/sysctl.conf.

Hi Johnny,

A little google and I found my original conversation on here about setting it initially. Sorry for wasting your time on this:
https://lists.centos.org/pipermail/centos/2015-August/154290.html

So, the answer is that the service requires LimitSTACK=[stack-size-in-bytes] in the [Service] section of /etc/systemd/system/multi-user.target.wants/postgresql.service

Thank you!
Michael
[CentOS] Systemd persistent change to service file
Hi All,

I had my database fall over earlier. Initially I thought it was due to a change in the OS, but the postgresql update overwrote my systemd service file.

How can I create a file for my postgresql service that will not be overwritten when updates are applied?

Am I correct in thinking it will be something like

vi /etc/systemd/system/postgresql.service.d/postgresql-limit-stack.conf

#with the contents:
.include /etc/systemd/system/multi-user.target.wants/postgresql.service

[Service]
LimitSTACK=17825792

Thanks
Michael
Re: [CentOS] Kernel parameters ignored -
On 17/02/16 19:55, John R Pierce wrote:
> On 2/17/2016 6:39 AM, Michael H wrote:
>> Some additional information;
>>
>> sysctl -a | grep kernel.shm
>> kernel.shmall = 8650752
>> kernel.shmmax = 35433480192
>> kernel.shmmni = 4096
>>
>> which corresponds to my /etc/sysctl.conf
>> kernel.shmmax=35433480192
>> kernel.shmall=8650752
>>
>> but contradicts;
>> ulimit -a
>> [...]
>> stack size              (kbytes, -s) 8192
>
> SysV Shared Memory has nothing to do with stack size.
>
> note, btw, the latest releases of postgres (I think as of 9.3?) no
> longer need large values of shmall,shmmax as they now use a different
> method of allocating the shared_buffers ...

Hi John,

I dived into the issue in a panic, trying to fix something that was completely unrelated. Turns out my service file was overwritten and lost my stack setting. I've resolved it now with a drop-in snippet.

I like the look of the new features in postgresql, but we are using postgresql-server.x86_64 9.2.14-1.el7_1.

Thanks for the information,
Michael
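The thread's "must not exceed 7680kB" error and the LimitSTACK= fix are connected by one arithmetic rule: PostgreSQL rejects a max_stack_depth larger than the process stack rlimit minus a 512 kB safety margin (8192 kB - 512 kB = 7680 kB), and a systemd service takes that rlimit from its unit, not from ulimit in a login shell or from sysctl.conf. The script below is an added example, not code from the thread; it reads a /proc/<pid>/limits-style text (a constructed sample is embedded), applies the same check, and prints the LimitSTACK= value a drop-in would need.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce PostgreSQL's
# max_stack_depth sanity check and derive the LimitSTACK= value a systemd
# drop-in needs. PostgreSQL refuses a max_stack_depth larger than the
# process stack rlimit minus a 512 kB margin (STACK_DEPTH_SLOP), which is
# why an 8192 kB stack limit yields "must not exceed 7680kB".

STACK_SLOP_KB=512

# pg_max_allowed_kb STACK_LIMIT_KB -> largest max_stack_depth (kB) accepted
pg_max_allowed_kb() {
    echo $(( $1 - STACK_SLOP_KB ))
}

# limit_stack_bytes WANTED_KB -> smallest LimitSTACK= value (bytes) that
# lets max_stack_depth=WANTED_KB pass the check
limit_stack_bytes() {
    echo $(( ($1 + STACK_SLOP_KB) * 1024 ))
}

# stack_limit_kb_from_proc LIMITS_TEXT -> soft "Max stack size" taken from
# /proc/<pid>/limits-style text, converted from bytes to kB
# ("unlimited" is passed through unchanged)
stack_limit_kb_from_proc() {
    printf '%s\n' "$1" | awk '/^Max stack size/ {
        if ($4 == "unlimited") print $4; else print int($4 / 1024) }'
}

# check_service_stack LIMITS_TEXT WANTED_KB -> 0 when a service running
# under those limits accepts max_stack_depth=WANTED_KB, 1 otherwise
# (printing the drop-in lines that would fix it), 2 on unparsable input
check_service_stack() {
    limit_kb=$(stack_limit_kb_from_proc "$1")
    wanted_kb=$2
    if [ -z "$limit_kb" ]; then
        echo "no 'Max stack size' line found" >&2
        return 2
    fi
    if [ "$limit_kb" = unlimited ]; then
        echo "stack rlimit is unlimited; max_stack_depth=${wanted_kb}kB is fine"
        return 0
    fi
    allowed_kb=$(pg_max_allowed_kb "$limit_kb")
    if [ "$wanted_kb" -le "$allowed_kb" ]; then
        echo "stack rlimit ${limit_kb}kB allows max_stack_depth up to ${allowed_kb}kB: OK"
        return 0
    fi
    echo "stack rlimit ${limit_kb}kB allows only ${allowed_kb}kB; add to the unit's drop-in:"
    echo "  [Service]"
    echo "  LimitSTACK=$(limit_stack_bytes "$wanted_kb")"
    return 1
}

# Constructed sample in the format of /proc/<pid>/limits for a service that
# inherited the default 8 MB stack, the situation in the thread.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max stack size            8388608              unlimited            bytes
Max open files            1024                 4096                 files'

# On a live system: check_service_stack "$(cat /proc/$(pgrep -o postgres)/limits)" 16384
check_service_stack "$SAMPLE_LIMITS" 16384 || true
```

The thread's chosen LimitSTACK=17825792 (17408 kB) allows a max_stack_depth of up to 16896 kB, so the 16384 kB setting that failed at boot fits under it.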
Re: [CentOS] CVE-2016-1285 & CVE-2016-1286
On 10/03/16 14:47, Leonardo Oliveira Ortiz wrote:
> Hello.
>
> I think Centos are affected, right?
>
> Some update from Centos?

Sure looks that way...

https://access.redhat.com/security/cve/cve-2016-1285
https://access.redhat.com/security/cve/cve-2016-1286
[CentOS] systemctl enable httpd failure
Hi List,

[root@mail1 ~]# systemctl enable httpd
Failed to execute operation: Invalid argument

I can disable and re-enable other services without issue. I'm also seeing the same error when I run

[root@mail1 ~]# systemctl enable mailman
Failed to execute operation: Invalid argument

Any suggestions?

Michael
Re: [CentOS] systemctl enable httpd failure
On 28/04/16 13:29, Michael H wrote:
> Hi List,
>
> [root@mail1 ~]# systemctl enable httpd
> Failed to execute operation: Invalid argument
>
> I can disable and re-enable other services without issue. I'm also
> seeing the same error when I run
>
> [root@mail1 ~]# systemctl enable mailman
> Failed to execute operation: Invalid argument
>
> Any suggestions?
>
> Michael

[root@mail1 ~]# mv /etc/systemd/system/multi-user.target.wants/httpd.service .
[root@mail1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@mail1 ~]# mv /etc/systemd/system/multi-user.target.wants/mailman.service .
[root@mail1 ~]# systemctl enable mailman
Created symlink from /etc/systemd/system/multi-user.target.wants/mailman.service to /usr/lib/systemd/system/mailman.service.

Problem solved. Any ideas why this happened?

Michael
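systemctl enable creates and removes the symlinks in /etc/systemd/system/*.wants itself, and the fix above was to move the existing httpd.service and mailman.service entries out of that directory. The script below is an added example, not code from the thread: an audit that lists every entry in a wants directory that is not a symlink with an existing target, run here against a constructed temporary layout so it touches no real units. Whether such an entry was the cause in this case is an assumption; the audit only shows what state systemctl would be asked to manage.

```shell
#!/bin/sh
# Added example (not from the thread): audit a systemd *.wants directory.
# A healthy entry is a symlink to a unit file that exists; anything else
# (a regular file copied into place, a dangling link) is reported.

# audit_wants_dir DIR -> prints one line per suspicious entry; returns 0
# when every entry is a symlink whose target exists, 1 otherwise
audit_wants_dir() {
    dir=$1
    status=0
    for entry in "$dir"/*; do
        # the literal pattern comes back when the directory is empty
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            echo "$name: regular file, not a symlink"
            status=1
        elif [ ! -e "$entry" ]; then
            echo "$name: dangling symlink -> $(readlink "$entry")"
            status=1
        fi
    done
    return "$status"
}

# demo_audit -> runs the audit on a constructed layout in a temp directory:
# one good link, one regular file, one dangling link; returns the audit's
# exit status and always cleans up
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/wants"
    : > "$tmp/lib/httpd.service"
    ln -s "$tmp/lib/httpd.service" "$tmp/wants/httpd.service"
    : > "$tmp/wants/mailman.service"
    ln -s "$tmp/lib/missing.service" "$tmp/wants/missing.service"
    audit_wants_dir "$tmp/wants" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# On a live system: audit_wants_dir /etc/systemd/system/multi-user.target.wants
demo_audit || true
```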
Re: [CentOS] https and self signed
On 17/06/16 15:46, James B. Byrne wrote:
>
> On Thu, June 16, 2016 13:53, Walter H. wrote:
>> On 15.06.2016 16:17, Warren Young wrote:
>>> but it also affects the other public CAs: you can’t get a
>>> publicly-trusted cert for a machine without a publicly-recognized
>>> and -visible domain name. For that, you still need to use
>>> self-signed certs or certs signed by a private CA.
>>>
>> A private CA is the same as self signed;
>>
>
> No it is not. A private CA is as trustworthy as the organisation that
> operates it. No more and not one bit less.
>
> We operate a private CA for our domain and have since 2005. We
> maintain a public CRL strictly in accordance with our CPS and have our
> own OID assigned. Our CPS and CRL together with our active, expired
> and revoked certificate inventory is available online at
> ca.harte-lyne.ca. Our CPS states that we will only issue certificates
> for our own domain and furthermore we only issue them for equipment
> and personnel under our direct control.
>
> In a few years DANE is going to destroy the entire market of 'TRUSTED'
> root CA's -- because really none of them are trust 'worthy' --. And
> that development is long overdue. When we reach that point many
> domains, if not most, will have their DNS forward zones providing TLSA
> RRs for their domain CA certificates and signatures. And most of
> those that do this are going to be running their own private CA's
> simply to maintain control of their certificates.
>
> Our DNS TLSA flags tell those that verify using DANE that our private
> CA is the only authority that can issue a valid certificate for
> harte-lyne.ca and its sub-domains. Compare that to the present case
> wherein any 'trusted' CA can issue a certificate for any domain
> whatsoever; whether they are authorised by the domain owner or not[1].
> So in a future with DANE it will be possible to detect when an
> apparently 'valid' certificate is issued by a rogue CA.
>
> The existing CA structure could not have been better designed for
> exploitation by special interests. It has been and continues to be so
> exploited.
>
> Personally I distrust every one of the preloaded root CAs shipped with
> Firefox by manually removing all of their trust flags. I do the same
> with any other browser I use. I then add back in those trusts
> essential for my browser operation as empirical evidence warrants.
> So I must trust certain DigiCert certificates for GitHub and
> DuckDuckGo, GeoTrust for Google, COMODO for Wikipedia, and so forth.
> These I set the trust flags for web services only. The rest can go
> pound salt as we used to say.
>
> [1]
> https://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/

https://harte-lyne.ca/
net::ERR_CERT_AUTHORITY_INVALID
[CentOS] yum history list
Hi List,

I have several workstations all with exactly the same OS versions, kernels + yum versions;

CentOS Linux release 7.2.1511 (Core)
kernel.x86_64 3.10.0-327.28.3.el7
yum.noarch 3.4.3-132.el7.centos.0.1

Running a 'yum history list' command produces different outputs on some workstations; I haven't changed any yum configurations.

Workstation A:
yum history list
Loaded plugins: fastestmirror, langpacks
ID     | Login user               | Date and time    | Action(s)      | Altered

Workstation B:
yum history list
Loaded plugins: fastestmirror, langpacks
ID     | Command line             | Date and time    | Action(s)      | Altered

Any clue as to why I have different fields being output?

I see in the yum manual:
In "history list" you can change the behaviour of the 2nd column via the configuration option history_list_view.

But I'm unsure how I can adjust the columns.

Any clues would be much appreciated,

Thanks,
Michael
Re: [CentOS] yum history list
On 12/09/16 13:05, Michael H wrote:
> Hi List,
>
> I have several workstations all with exactly the same OS versions,
> kernels + yum versions;
>
> CentOS Linux release 7.2.1511 (Core)
> kernel.x86_64 3.10.0-327.28.3.el7
> yum.noarch 3.4.3-132.el7.centos.0.1
>
> Running a 'yum history list' command produces different outputs on some
> workstations; I haven't changed any yum configurations.
>
> Workstation A:
> yum history list
> Loaded plugins: fastestmirror, langpacks
> ID     | Login user               | Date and time    | Action(s)      | Altered
>
> Workstation B:
> yum history list
> Loaded plugins: fastestmirror, langpacks
> ID     | Command line             | Date and time    | Action(s)      | Altered
>
> Any clue as to why I have different fields being output?
>
> I see in the yum manual:
> In "history list" you can change the behaviour of the 2nd column via
> the configuration option history_list_view.
>
> But I'm unsure how I can adjust the columns.
>
> Any clues would be much appreciated,
>
> Thanks,
>
> Michael

Excuse the noise, adding:

history_list_view=cmds

to /etc/yum.conf produces the output I wanted. Still unsure why the installations are acting differently though.

Thanks,
Michael
Re: [CentOS] ipsec with ipv4 and ipv6 not working
On Tue, 2011-02-08 at 14:54 -0800, Drew wrote:
> > I have posted to the ipsec-devel list and haven't gotten any responses.
> > Also I have spent 2 days googling with no results about the above setup.
> > Is it even possible to tunnel ipv4 packet thru an ipv6 ipsec tunnel?
>
> AFAIK, No.

It's probably a major "it depends".

> IPv4 & IPv6 are different protocols so if you want to move IPv6
> traffic over a IPv4 IPSEC tunnel you need to encapsulate the IPv6
> payload within IPv4 packets. The reverse is also true of IPv4 over
> IPv6.

1) That's not true of IPSec tunnels (transport mode is a totally different question). The ESP encapsulation itself contains the IP headers and can support it.

2) IKE, the key exchange and setup daemons, is a different matter. AFAIK, it is not possible with IKEv1. Paul and I discussed that over on the Openswan list some time ago. Basically, you can't negotiate the key exchange. IKEv2 is a different story. StrongSWAN supports IPv6 over IPv4 in an IPSec tunnel. I'm not currently sure about Openswan or Racoon (IPsec Tools).

3) In the case of IPv4 over IPv4, IPsec itself should handle it. Whether the keying daemons currently support the syntax is a question and it will most certainly have to be IKEv2.

> This is why tunnel brokers like Freenet6 & Teredo exist, you can't
> push IPv6 traffic out across an IPv4 only network without tunneling.

But, IPsec is a tunnel. At least it has a "tunnel mode" (and I advise against transport mode in any case).

Regards,
Mike
--
Michael H. Warfield (AI4NB)   | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/            | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9            | An optimist believes we live in the best of all
 PGP Key: 0x674627FF          | possible worlds.  A pessimist is sure of it!
Re: [CentOS] Remote backup of server
n server will be some data corruption and backup
> > server will connect and synchronize all data with errors, I have
> > nothing :).
> >
> > For example - rdiff-backup is working with increments, so you can
> > restore data a year back...
> >
> > 2009/9/4 Johnny Hughes :
> >> On 09/04/2009 11:23 AM, happymaster23 wrote:
> >>> I want mount directory of one server to another over internet. I was
> >>> looking to NFS4, but there are no security mechanisms. I need
> >>> encrypted connection using private key (something like SFTP).
> >>>
> >>> Or - if there is in CentOS repo (or EPEL) package, that can mount
> >>> directory over internet using private key and make differential backup
> >>> (like rdiff-backup).
> >>>
> >>> Thank you very much for links or other resources work up
> >>
> >> Why not just use rsync over ssh?

--
Michael H. Warfield (AI4NB)   | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/            | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9            | An optimist believes we live in the best of all
 PGP Key: 0x674627FF          | possible worlds.  A pessimist is sure of it!
Re: [CentOS] What keeps logging to my console?
On Fri, 2008-10-17 at 12:13 +0200, Dirk H. Schulz wrote:
> Hi folks,
> I have lots of messages like these appearing on my local CentOS 5.2
> consoles:
>
> Oct 17 12:03:29 machine kernel: printk: 1 messages suppressed.
>
> Oct 17 12:03:29 machine kernel: pbond0: received packet with own address
> as source address

> I have disabled console logging in syslog.conf, and even if I shut down
> syslog and kernel logger, the messages keep coming on the local consoles
> (not on remote consoles).

This has nothing to do with syslog. These are kernel printk messages. They also go to syslog for logging in files but they go straight to the kernel console as defined at bootup. Unless you have configured serial consoles, the "console" for the kernel is the virtual terminals.

> So the question is: What process logs directly to the console bypassing
> syslog/kernel log facilities? How can I find where to stop that?

It's the kernel itself. In a VC:

    setterm --msg off

man setterm:

    -msg [on|off] (virtual consoles only)
        Enables or disables the sending of kernel printk() messages to the console.

> Thanks for any hint or help.
>
> Dirk

Mike

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 | [EMAIL PROTECTED]
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
RE: [CentOS] What keeps logging to my console?
On Mon, 2008-10-20 at 12:51 +0200, Sorin Srbu wrote:
> Michael H. Warfield <> scribbled on Friday, October 17, 2008 4:45 PM:
>
> > setterm --msg off
> >
> > man setterm:
> >
> >   -msg [on|off] (virtual consoles only)
> >     Enables or disables the sending of kernel printk()
> >     messages to the console.

> Is it possible to get rid of the iptables messages on the console as well,
> with the above tweak, or is it specifically and only for the kernel?

iptables is in the kernel. AFAIK, it's either via syslog or via printk. If you've shut them both down, it should be gone.

> /S

Mike
RE: [CentOS] What keeps logging to my console?
On Tue, 2008-10-21 at 09:51 +0200, Sorin Srbu wrote:
> Robert Spangler <> scribbled on Tuesday, October 21, 2008 12:03 AM:
>
> >> > It was thinking it is logged through klogd, and can be suppressed by
> >> > starting klogd with the e.g. "-c 3" option.
> >> > Change the bootoption of klogd in: /etc/sysconfig/syslog :
> >> >
> >> >   KLOGD_OPTIONS="-x -c 3"
> >>
> >> Sounds vaguely like something my google-searches turned, but didn't quite
> >> get/understand. I'll look into this again. Thx.
> >
> > I have the following in my /etc/sysctl.conf file;
> >
> >   # Stop logging to console
> >   kernel.printk = 3 4 1 7

> The setterm-command I tried yesterday didn't work. I'll give your setting a
> go.

Make sure you ran it from a VC. It won't work remotely or in an X windows terminal window.

> Thx.
>
> /S

Mike
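The kernel.printk line Robert quotes has four fields, and the thread leaves open why a "3" silences some messages but not others. The following is an added illustration (not code from the list) that parses that line and reports which printk() severities still reach the virtual console. It assumes the standard Linux rule that a message is printed on the console only when its level is numerically lower than console_loglevel, and the netfilter LOG target's default level of warning (4).

```python
"""Model the kernel.printk sysctl from the thread and check which kernel
messages still reach the virtual console (added example, not list code)."""
from dataclasses import dataclass
from typing import List, Optional

# printk()/syslog severities; list index == numeric level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WARNING = LEVELS.index("warning")  # default level of the netfilter LOG target


@dataclass(frozen=True)
class PrintkConfig:
    """The four fields of /proc/sys/kernel/printk."""
    console_loglevel: int          # only messages with level < this hit the console
    default_message_loglevel: int  # level assumed for a printk() without KERN_*
    minimum_console_loglevel: int  # lowest value console_loglevel may be set to
    default_console_loglevel: int  # value restored for console_loglevel at boot


def parse_printk(line: str) -> PrintkConfig:
    """Accept '3 4 1 7' (as in /proc) or 'kernel.printk = 3 4 1 7' (sysctl.conf)."""
    line = line.split("#", 1)[0]              # drop a trailing comment
    if "=" in line:
        key, _, line = line.partition("=")
        if key.strip() != "kernel.printk":
            raise ValueError(f"not a kernel.printk line: {key.strip()!r}")
    values = [int(tok) for tok in line.split()]
    if len(values) != 4:
        raise ValueError(f"kernel.printk needs 4 fields, got {len(values)}")
    if any(not 0 <= v <= len(LEVELS) - 1 for v in values):
        raise ValueError("printk levels must be within 0..7")
    return PrintkConfig(*values)


def reaches_console(cfg: PrintkConfig, level: Optional[int]) -> bool:
    """True if a message at 'level' (None = no explicit KERN_*) is printed on the console."""
    if level is None:
        level = cfg.default_message_loglevel
    return level < cfg.console_loglevel


def console_levels(cfg: PrintkConfig) -> List[str]:
    """Severity names that still reach the console under cfg."""
    return [name for lvl, name in enumerate(LEVELS) if reaches_console(cfg, lvl)]


def iptables_log_on_console(cfg: PrintkConfig) -> bool:
    """Would an iptables LOG rule at its default level (warning) show up on the console?"""
    return reaches_console(cfg, WARNING)


if __name__ == "__main__":
    # Constructed samples: a permissive "everything up to info" line and Robert's line.
    for sample in ("6 4 1 7", "kernel.printk = 3 4 1 7   # Stop logging to console"):
        cfg = parse_printk(sample)
        print(f"{sample!r:55} console gets {console_levels(cfg)}; "
              f"iptables LOG visible: {iptables_log_on_console(cfg)}")
```

With "3 4 1 7" only emerg, alert and crit still reach the console, so iptables LOG output (warning) stops, but a message without an explicit KERN_* level (default 4) is silenced as well.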
Re: [CentOS] TIP for broken ARIN whois
Just a point on the curve but...

ARIN has made a deliberate decision to move emphasis over to their RESTful Web Interface, Whois-RWS. Part of the reason is performance and part of the reason is for granularity of the data available. They really REALLY want people to make that move although they will continue to support the old whois for a lot of the basic stuff.

https://www.arin.net/resources/whoisrws/index.html

I believe one of the things I heard at last year's NANOG / ARIN conference here in Atlanta was that they would no longer be providing certain information such as reverse DNS servers in the old whois because that's now in a different database or some such.

On another closed security forum on which I participate someone was having problems getting at Abuse POC information. There's a parameter for that as well but they prefer using the Whois-RWS interface and API instead. I think we'll be hearing more of that as time goes on.

Regards,
Mike

On Sat, 2011-09-10 at 15:26 +0100, Always Learning wrote:
> This works for me on Centos 5.6. It may assist newcomers to the Linux
> world of Centos.
>
>   whois 51.51.51.51
>
> produces a normal and conventional display of data.
>
> However since ARIN, the North American registrar of IP addresses,
> "modernised" its WHOIS processing, a query to
>
>   whois 64.64.64.64
>
> will produce a one line summary of possible matches, which always
> includes ARIN, but omits the details we used to receive before ARIN
> implemented its much criticised "improved" service.
>
> A one line script solves it for me (but only for ARIN network entries).
>
>   #!/bin/bash
>   # Query ARIN's server directly for the network record ("n") in full ("+").
>   # The argument is quoted so the address is always passed as one word.
>   whois -h whois.arin.net n + "$1"
>
> I call my script .arin
>
>   .arin 64.64.64.64
>
> produces a normal output.
>
> Paul.
Re: [CentOS] DNS forwarding vs recursion
The argument goes at this...

Your authoritative name servers (at least some of them) must be public. That's their nature, to publicly advertise your domain name information (exception here is that I recommend the master name server be private and all your public name servers be slaves off the private master - but that's a deeper story). That implies that outside, foreign, addresses must be able to communicate with your public authoritative name servers. Foreign addresses must be able to initiate queries with your authoritative name servers in order to ask for the information they are advertising.

Not so with your resolvers. Your resolvers initiate communications with other name servers but no foreign name server should ever initiate a communication with your resolver (it's not authoritative for anything). Your resolvers should be maintained behind firewalls that can, in turn, maintain a knowledge of what constitutes "local" addresses on one side and "foreign" addresses on the other side. Firewall rules then prevent packets from the foreign side spoofed to look like they came from addresses on the local side. THAT prevents anyone from abusing your resolvers to attack both others and you.

The net (excuse the pun) gist of it is that resolvers and authoritative name servers provide their services in different security zones and should not be mixed on the same server. As easy as it is to provide both services on the same name servers, it is not best common practice to do so. Provide those services in their respective zones on separate systems, appropriately protected and locked down. If you absolutely MUST combine them (and I would love to hear the rationale as to why, beyond cost and laziness) then, by all means, restrict recursion to your local networks, with the understanding that they can still be abused to attack yourself.

I don't know where you are in the Internet "food chain" (end consumer, ISP, Tier 1 provider, or backbone) but if you are in the routing chain (you manage or provide routing - anyone other than an end consumer) then it's also very important to implement BCP (Best Common Practice) 38. BCP 38 recommends router egress filtering. That is, you only route out what will route back in. That prevents you (or any of your customers) from being a spoofing source. That strikes at the heart of many of these types of attacks.

With Linux systems acting as routers, that's actually pretty easy and is (last time I looked) enabled by default. On Linux, this is the "route verification" option. With route verification enabled on Linux, it will not send a packet on an interface if the source address would ALSO be routed out through the same interface (i.e. spoofed). "Triangular routing" (not uncommon with some VPNs) is an exception to this and should be a very rare exception and treated as a strict exception. This can get real complicated and difficult if you are running BGP (Border Gateway Protocol) on overtaxed gateway routers but still should be implemented if at all possible.

Routing issues and BCP38 aside, you really should separate your authoritative and recursive name servers if at all possible.

https://isc.sans.edu/diary/Where+Were+You+During+the+Great+DDoS+Cybergeddon+of+2013+/15496
http://news.cnet.com/8301-1009_3-57576947-83/how-the-spamhaus-ddos-attack-could-have-been-prevented/
http://tools.ietf.org/html/bcp38

> --
> john r pierce 37N 122W
> somewhere on the middle of the left coast

Regards,
Mike
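To make the BCP 38 "route verification" point above concrete, here is an added example (not code from the list) that models the strict reverse-path check Linux performs with rp_filter: a packet is accepted only if the best route back to its source address leaves through the interface the packet arrived on. The routing table and packets are constructed samples using RFC 5737 documentation prefixes; the loose mode is included for the "triangular routing" case the message mentions.

```python
"""Strict reverse-path check (BCP 38 / Linux rp_filter) over a constructed
routing table. Added example for the thread above, not code from the list."""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


class Route(NamedTuple):
    prefix: IPv4Net
    iface: str


def make_table(entries: Iterable[Tuple[str, str]]) -> List[Route]:
    """Build a FIB from ('prefix', 'iface') pairs, e.g. ('0.0.0.0/0', 'eth0')."""
    return [Route(IPv4Net(prefix), iface) for prefix, iface in entries]


def lookup(table: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would use to *reach* addr."""
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def rp_filter(table: List[Route], src: str, in_iface: str, strict: bool = True) -> bool:
    """Return True if a packet from 'src' arriving on 'in_iface' passes.

    strict (rp_filter=1): the best route back to src must leave via in_iface.
    loose  (rp_filter=2): any route back to src is enough; the relaxation one
    falls back to for asymmetric ('triangular') paths.
    """
    route = lookup(table, ipaddress.IPv4Address(src))
    if route is None:
        return False
    return route.iface == in_iface if strict else True


def audit(table: List[Route], packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (src, in_iface) pairs that strict reverse-path filtering drops."""
    return [(src, iface) for src, iface in packets if not rp_filter(table, src, iface)]


# Constructed sample: a small edge router. Two customer networks sit on eth1 and
# eth2; everything else is reached through the upstream default route on eth0.
TABLE = make_table([
    ("192.0.2.0/24", "eth1"),
    ("198.51.100.0/24", "eth2"),
    ("0.0.0.0/0", "eth0"),
])

# Constructed packets as (source address, ingress interface).
PACKETS = [
    ("192.0.2.10", "eth1"),     # customer using its own address: pass
    ("192.0.2.10", "eth0"),     # outsider claiming a customer address: drop
    ("203.0.113.5", "eth1"),    # customer emitting a foreign source: drop (BCP 38)
    ("203.0.113.5", "eth0"),    # ordinary inbound traffic from the Internet: pass
    ("198.51.100.7", "eth2"),   # second customer network on its own port: pass
]

if __name__ == "__main__":
    for src, iface in PACKETS:
        verdict = "pass" if rp_filter(TABLE, src, iface) else "DROP"
        print(f"{src:>14} via {iface}: {verdict}")
```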
Re: [CentOS] DNS forwarding vs recursion
On Mon, 2013-04-01 at 11:17 -0700, John R Pierce wrote:
> On 4/1/2013 6:11 AM, Michael H. Warfield wrote:
> > it's also very important to implement BCP (Best Common Practice) 38.
> > BCP 38 recommends router egress filtering. That is, you only route out
> > what will route back in. That prevents you (or any of your customers)
> > from being a spoofing source.

> of course, this breaks a bunch of types of ad-hoc multihoming, where you
> have multiple ISPs, each with their own subnets, and you're trying to
> load balance your outbound traffic.

It doesn't have to and it's just as easy to argue that stateful firewalls also break such configurations (they do). It is possible to interface your load leveling and dynamic routing into your filter if it's done properly. The point there is that you have to do it properly up front. Once it's done, it should require little maintenance. Unfortunately, if you have to go back into an established architecture and retrofit one in, that can be a difficult and time consuming prospect, especially if you didn't design the network to begin with.

If you're dealing with multihoming and multiple ISPs then you should be talking BGP (or IS-IS) to your ISPs (I have my own ASN and advertise my own routes on IPv4 and IPv6 but you can use private ASNs and many ISPs will cooperate if you have the address space to advertise) and it should all be integrated. If you are trying to do ad-hoc multihoming without using BGP or IS-IS to manage the routing to your ISPs, then I have no sympathy for you. That's just inviting a never ending stream of self-inflicted trouble and grief when routing breaks (been there, done that, not pretty). Being abused for DNS amplification attacks is the least of your problems then. Once we had multiple connections to the same ISP (redundant fiber links running in different directions out the street outside of our building) we were running BGP to manage it.
But I also understand that in many large organizations (particularly ones who are NOT ISPs and their primary business is not networking) much of the IT staff is even more terrified of BGP than they are DNS and probably for good reasons. That's a statement from personal experience. Years ago, I asked for a "read-only BGP" feed from our IT department way back then (10 or 15 years ago) and got a "not no - hell no - are you insane?" answer. Their reasoning was that they trusted me (as if they had a choice) but they didn't trust all of their mainline minions (err, staff) to stick their fingers in those routers. BGP is so critical to those who rely on it (especially if you are multihomed) that, if someone makes even a minor mistake, it can disastrously disconnect you from the net or worse. Unfortunately, even worse than DNS, once it's working people (management) want you to LEAVE IT ALONE lest you break it. So, most IT people are even less familiar with BGP than DNS and plenty are scared shitless about breaking DNS.

DNS itself can be just as bad. Simple mistakes can be amplified and obfuscated. Just ask Microsoft. They got dropped off the net for days several years ago after someone misconfigured a firewall so their slaves couldn't talk to their master and the TTL (Time To Live) expired several hours after the guilty party was off duty and had gone home. On top of that, they had all their public name servers on the same subnet (violation of several BCPs going back decades) compounding the problem AND opening them up to a DOS against the router leading into that subnet.

We (IETF, IEEE, ACM, et al) can publish and update BCPs but it doesn't mean people will follow them. It does mean that we can say "we told you not to do that..." after it breaks. You pays your nickel and you takes your chance. :-/

> --
> john r pierce 37N 122W
> somewhere on the middle of the left coast

Regards,
Mike
Re: [CentOS] [Possibly OT] - General question: state of internet traffic
On Mon, 2013-04-01 at 18:04 -0400, Max Pyziur wrote:
> Greetings,
> I've read reports that there has been degradation in Internet traffic over
> the last month. Until today, I haven't experienced any. However, getting
> bank record data from chase.com here in NYC seems impossible.

/me trying not to laugh...

Yeah, there have been some problems over the last couple of weeks. You might review this list for the DNS thread. Seems that SpamHaus and Cyberbunker got into a pissing contest with some of the Cyberbunker sympathizers (not I) directing a DDoS attack against them exploiting open DNS resolvers around the net to the tune of upwards of 300Gbps against Spamhaus.

> I also noticed erratic ftp behavior today; connections can be made but
> data can't be transferred. This isn't consistent, though.
> (I have a machine in LA while being in NYC; ftp traffic is difficult to
> establish westbound; no problem eastbound).

Might check out the Internet Health Report here:

http://www.internetpulse.net/

Pretty much everything looks reasonable. Nothing red. No major congestion, ATM.

> I haven't done any sort of consistent test, so I am not sounding alarms.
> I'm just trying to get a sense of where this is happening.
> And is there a reliable source of information.
> Much thanks
> Max Pyziur
> p...@brama.com

Regards,
Mike
Re: [CentOS] centos 6.3 ipv6 default gateway
particular are described here:

http://en.wikipedia.org/wiki/Unique_local_address

Anything in 1::/16 (if that's what you're doing) is going to be illegal afaik as it's not in an assigned block and scope. It should reject it as being unroutable or having a non-valid scope. Certain addresses below 2000::/3 are used for compatibility purposes. ::a.b.c.d used to be an IPv4 compatibility address but is largely deprecated. :::a.b.c.d are IPv4 / IPv6 transition addresses for applications running in a dual stack environment where they see IPv4 addresses as IPv6 addresses in the :::0:0/112 block. All those addresses are for internal use and are seriously hands off. You can not treat IPv6 arbitrarily as if it were IPv4 with fat addresses.

If you need to learn more about IPv6 and how it works, you probably might want to start looking at Hurricane Electric aka Tunnelbroker.net, http://www.tunnelbroker.net . They have some very good IPv6 interactive tutorials there for free and are very quick for the basic stuff. The first few exercises could be very helpful to you. If you follow it all the way through, you will find yourself learning how to set up DNS properly for IPv6 and registering your own IPv6 glue records with your registrars.

Now, if I'm off base here and you were merely obfuscating your real addresses, I would recommend obfuscating them with fc00: instead of 1: and those would be valid example addresses. You could use fc00:1:1:1::/64 for one network and fc00:1:1:2::/64 for another and fc00:1:1:3::/64 for yet another. Read that RFC for recommendations on what you really should choose (generally a random number for fdxx:xxxx:xxxx::/48 before your SLA). Since you've got 2 routers, you'll need three network prefixes, which I see you have. Generally, you'll want to manipulate that fourth field as your SLA (Site Local Address) which is IPv6 lingo for your subnet address.

Replace the leading "1:" in each of those nets with "fdxx:", add your appropriate subnets, add your appropriate prefix lengths to those static addresses, and add appropriate static routes, and you might get further along the road.

Regards,
Mike
Re: [CentOS] centos 6.3 ipv6 default gateway
Slight Clarification on v6 addressing...

On Thu, 2013-04-11 at 15:38 -0400, Michael H. Warfield wrote:
> Those may be routed between your machines but may not be routed on the
> global net either as a source or destination address. Your machines
> should also be given "link local" addresses which are valid only on that
> network segment. They're in the fe80::/64 prefix.

That's "should" as in the kernel should already have assigned your link-local v6 addresses to your interfaces. You don't have to provide them and I didn't mean to imply you needed to add them.

Generally, if I'm using static IPv6 addresses, I take that link local address and replace the "fe80::" with the network prefix I'm assigning and leave the lower bits the same. That way it has the same address as would be assigned by stateless autoconf generated from router advertisements from a router.

On Linux routers, you would use either zebra from the quagga package or radvd to provide router advertisements out to your clients and you'll probably need to add that to get the end clients to self configure properly.

Regards,
Mike
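The two replies above cover three things worth seeing in code: which prefixes are legitimate private/unicast scopes (and why 1:2:3::4 is not), how an fdxx:xxxx:xxxx::/48 unique-local prefix and its /64 subnets are formed, and Mike's habit of keeping the link-local interface identifier when assigning a static address. The following is an added example (not code from the list); it assumes the 40 random bits of the ULA Global ID may come from os.urandom rather than the SHA-1 construction RFC 4193 specifies, and the link-local address it uses is constructed from the MAC 60:A4:4C:23:2F:6F quoted in the thread.

```python
"""IPv6 private addressing helpers for the two messages above (added example;
not code from the list): scope classification, RFC 4193 unique-local prefix
and subnet construction, and static addresses derived from link-local ones."""
import ipaddress
import os
from typing import Optional

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # RFC 4193; fd00::/8 is the half in use
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
IID_MASK = (1 << 64) - 1                           # low 64 bits: the interface identifier


def classify(addr: str) -> str:
    """Scope of a unicast address; 'unassigned' covers made-up prefixes like 1:2:3::4."""
    a = ipaddress.IPv6Address(addr)
    if a in GLOBAL_UNICAST:
        return "global"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in LINK_LOCAL:
        return "link-local"
    return "unassigned"


def ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """fdxx:xxxx:xxxx::/48 from a 40-bit Global ID.

    RFC 4193 derives the 40 bits from a timestamp and an EUI-64 hashed with
    SHA-1; this example draws them from os.urandom instead (an assumption).
    """
    if global_id is None:
        global_id = os.urandom(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    raw = bytes([0xFD]) + global_id + bytes(10)    # fd = fc00::/7 with the L bit set
    return ipaddress.IPv6Network((raw, 48))


def subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Fill the 16-bit subnet field (the fourth hextet, Mike's 'SLA') to get a /64."""
    if prefix48.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


def static_from_link_local(link_local: str, net64: ipaddress.IPv6Network) -> ipaddress.IPv6Interface:
    """Keep the interface identifier of an fe80:: address and swap in the chosen /64."""
    ll = ipaddress.IPv6Address(link_local)
    if ll not in LINK_LOCAL:
        raise ValueError(f"{link_local} is not a link-local address")
    if net64.prefixlen != 64:
        raise ValueError("expected a /64 subnet")
    return ipaddress.IPv6Interface((int(net64.network_address) | (int(ll) & IID_MASK), 64))


if __name__ == "__main__":
    for a in ("1:2:3::4", "fc00:2:3::4", "fe80::62a4:4cff:fe23:2f6f", "2001:db8::1"):
        print(f"{a:28} {classify(a)}")
    site = ula_prefix(bytes.fromhex("0123456789"))  # fixed Global ID for a repeatable run
    lan = subnet(site, 1)
    # Link-local IID constructed from the MAC 60:A4:4C:23:2F:6F quoted in the thread.
    print(site, lan, static_from_link_local("fe80::62a4:4cff:fe23:2f6f", lan))
```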
Re: [CentOS] centos 6.3 ipv6 default gateway
On Fri, 2013-04-12 at 09:28 +0800, Jaze Lee wrote:
> 2013/4/12 Michael H. Warfield
> > Hello,
> >
> > I may be totally off base here but...
> >
> > On Thu, 2013-04-11 at 18:06 +0800, Jaze Lee wrote:
> > > hello,
> > > i met a problem in configuration of ipv6 gw in my box
> > > i install centos 6.3 (64 bit) on my boxes, which have four netcard.
> > > i use a straight-through cable to connect centosv0:netcard-2 and
> > > centosv1:netcard2
> > > the topology is this:
> > > client c(windows xp) <--> centosv0:netcard-3 <--> centosv0:netcard-2 <---> centosv1:netcard-2 <> centosv1:netcard-2 <---> client d (backtrack r2 32)
> > > 1:2:3:4::2/64 1:2:3:4::1/64 1:2:3::4/64 1:2:3::5/64 1:2:3:5::1/64 1:2:3:5::2/64
> >
> > Surely, I hope you jest with those numbers. You are not allowed to pick
> > numbers out of the air and just use them, even if it's for private use.
> > There are specific blocks of addresses for specific uses and assigned
> > "scopes" and all the "private use" addresses are in blocks very high up
> > in the address space beginning with fc or fd. If those are literally
> > the addresses you used, they will not work and I would expect them to
> > give you all sorts of grief at some point or another.
> >
> > > what i want to do is set default gw on centosv0 to centosv1
> >
> > I take it "centosv0" and "centosv1" are configured for ipv6 forwarding?
> > You didn't provide the information on that. There are some gotchas in
> > there with default routing on a router (basically there is no such
> > thing) and the router needs to be set up properly for both routing and
> > its routes. But I don't think that's your problem you're describing
> > down below.
> >
> > > i configure /etc/sysconfig/network-scripts/ifconfig-eth2 (centosv0) as this
> > > DEVICE="eth2"
> > > BOOTPROTO=static
> > > HWADDR="60:A4:4C:23:2F:6F"
> > > NM_CONTROLLED="yes"
> > > ONBOOT="yes"
> > > TYPE="Ethernet"
> > > #UUID="0ddcf499-878f-4ac7-9d1a-c27f85d2bccf"
> > > IPV6INIT=yes
> > > IPV6ADDR=1:2:3::4
> >                  ^^ You didn't specify a netmask here (default /128).
> > > IPV6_DEFAULTGW=1:2:3::5
> >                  Technically not on your interface's network (/128)
> >
> > > and i also configure /etc/sysconfig/network to this:
> > > NETWORKING=yes
> > > HOSTNAME=centosv0
> > > NETWORKING_IPV6=yes
> > > IPV6_AUTOCONF=no
> >
> > For forwarding...
> >
> > In that file you're also going to need:
> >
> >   IPV6FORWARDING=yes
> >
> > You may also need to add lines to /etc/sysctl.conf (I've needed in the
> > past on Fedora):
> >
> >   net.ipv6.conf.all.forwarding = 1
> >   net.ipv6.conf.default.forwarding = 1
> >
> > But those aren't your problem with this...
> >
> > > but i met an error:
> > > Bringing up interface eth2: WARN : [ipv6_add_route] Unknown error
> >
> > I'm not totally sure if this is because you didn't specify a prefix
> > length on your IPV6ADDR line or the fact that it then conflicted with
> > your IPV6_DEFAULTGW which would not have been on 1:2:3::4/128 or if it
> > was because you chose an illegal IPv6 prefix or if it was a
> > combination of all of them. The "WARN: [ipv6_add_route] Unknown error"
> > makes me suspicious because your default gateway conflicts with your
> > interface network definition (because you didn't specify the prefix size
> > and it defaulted to /128) and the kernel has no way to route it out any
> > interface. IAC... You won't be able to use a default route on a router
> > anyways (more below).
> >
> > > i do not know how why, and can some one give me some suggestion?
> > > thanks a lot.
> >
> > If those were literally the addresses you used, it may be an address
> > that's in an illegal scope.
>
> i test those ipv6 address on ubuntu 12.04, and it is ok. But now, we
> should change system to Centos 6.3.
> And i add all the stuff that i miss. One machine is configured like this:
>
> [root@centosv0 sysconfig]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
> DEVICE="eth2"
> B
Re: [CentOS] centos 6.3 ipv6 default gateway
On Fri, 2013-04-12 at 11:38 +0800, Jaze Lee wrote:
> 2013/4/12 Michael H. Warfield

Big snip...

> > You are, nonetheless, not supposed to use addresses in that block for
> > ANYTHING. The fc00::/7 block is intended for what you want to do. Even
> > if they happen to work, they are not guaranteed to work and may cause
> > other problems (like reverse DNS lookup traffic).

> Currently, i just use those ipv6 address to set up my testing
> environment. One day they will be replaced by global ipv6 address. And i
> do not have any global ipv6 address right now, i have to use some thing
> like 1:2:3::4. They truly work on ubuntu 12.04, so i think they should
> work on centos.

That last statement is incorrect. Just because they work on Ubuntu doesn't guarantee they will work on CentOS, Scientific Linux, Fedora, or Redhat Enterprise, if they do not adhere to the proper standards. You are in an area that should be considered "undefined behavior" where it might work or it might not but, if it doesn't, it's your fault not that of the system. Although, in this case, this seems to have been more of a configuration error/confusion issue between how the systems are configured.

> But now, i realize i am wrong, what about i change the
> 1:2:3:4/64 to fc:2:3::4/64 ? Is that ok?

No. Strictly speaking, it should be fc00:2:3::4/64. The prefix for local unicast is fc00:: or fd00::, not fc::. It's fc00 not fc.

> > > Must i change ipv6 address to some thing like 2000::/3, even i just want
> > > to use ipv6 for private?
> >
> > No, you should change them to fc00::/7 for private use. That's what that
> > block was allocated for. Use it. Don't just dream up stuff.
> >
> > You will need static routes on each of your two routers for your two
> > client routes.

> I change ipv6 address to this:
>
> DEVICE="eth2" -> in centosv0
> BOOTPROTO="static"
> HWADDR="60:A4:4C:23:2F:4F"
> NM_CONTROLLED="yes"
> ONBOOT="yes"
> TYPE="Ethernet"
> #UUID="97d250ea-74db-47ae-bd8c-6682f57f9add"
> IPV6INIT=yes
> IPV6ADDR=fc00:2:3::5/64
> IPV6_DEFAULTGW=fc00:2:3::4
>
> DEVICE="eth1" -> in centosv0
> BOOTPROTO="static"
> HWADDR="60:A4:4C:23:2F:4E"
> NM_CONTROLLED="yes"
> ONBOOT="yes"
> TYPE="Ethernet"
> #UUID="f7f020e9-36a4-4f55-9ed2-81acc2dbd92f"
> IPV6INIT=yes
> IPV6ADDR=fc00:2:3:5::1/64
>
> DEVICE="eth1" ---> in centosv1
> BOOTPROTO="static"
> HWADDR="60:A4:4C:23:2F:6E"
> NM_CONTROLLED="yes"
> ONBOOT="yes"
> TYPE="Ethernet"
> #UUID="3597af05-199b-4eef-9a24-610c2872f313"
> IPV6INIT=yes
> IPV6ADDR=fc00:2:3:4::1/64
>
> DEVICE="eth2" ---> in centosv1
> BOOTPROTO=static
> HWADDR="60:A4:4C:23:2F:6F"
> NM_CONTROLLED="yes"
> ONBOOT="yes"
> TYPE="Ethernet"
> #UUID="0ddcf499-878f-4ac7-9d1a-c27f85d2bccf"
> IPV6INIT=yes
> IPV6ADDR=fc00:2:3::4/64
> IPV6_DEFAULTGW=fc00:2:3::5
>
> and restart the network:
>
> [root@centosv0 network-scripts]# /etc/init.d/network restart
> Shutting down interface eth1:          [  OK  ]
> Shutting down interface eth2:          [  OK  ]
> Shutting down interface eth3:          [  OK  ]
> Shutting down loopback interface:      [  OK  ]
> Bringing up loopback interface:        [  OK  ]
> Bringing up interface eth1:            [  OK  ]
> Bringing up interface eth2:            [  OK  ]
> Bringing up interface eth3:            [  OK  ]
>
> It work now, thanks a lot, lot, lot

Great! Good to see you've made progress!

> Now, why ubuntu 12.04 and centos 6.3 are so different?
> Is that because ubuntu 12.04 uses 3.5 kernel, and centos uses 2.6.32 ?

No. Actually I suspect it's more in the supporting scripts and infrastructure. The RedHat base distros (RH, Fedora, CentOS, SL, NST, etc) and the Debian based distros (Ubuntu, Knoppix, Backtrack, etc) have based their network support on different paradigms (and is probably the PRIMARY reason why I dislike Debian, Knoppix and Ubuntu in their network code).

Historically, the RH based system is (VERY) loosely based on some of the ideas that evolved out of the AT&T SYSV system with separate configuration files, the classical init scripts are still referred to
Re: [CentOS] inittab - huh what's it good for?
On Tue, 2013-04-16 at 16:18 -0400, James B. Byrne wrote:
> We run a CentOS-5 based hylafax server with external serial modems. We
> are transitioning to an Asterisk system using IAXmodem running on
> CentOS-6.
>
> On the CentOS-5 system to start the fax modems we added these lines to
> inittab:
>
>   # Add fax lines and always ALWAYS run "telinit q" after making a change.
>   fax1:2345:respawn:/usr/sbin/faxgetty ttyS0
>   fax2:2345:respawn:/usr/sbin/faxgetty ttyS1
>
> On the CentOS-6 host we did this, in accordance with the instructions
> provided in the various README files and man pages.
>
>   # send
>   IA00:2345:respawn:/usr/bin/iaxmodem ttyIAX0
>   # receive
>   mo00:2345:respawn:/usr/sbin/faxgetty ttyIAX0
>   # send
>   IA01:2345:respawn:/usr/bin/iaxmodem ttyIAX1
>   # receive
>   mo01:2345:respawn:/usr/sbin/faxgetty ttyIAX1
>
> However, when I do an init q the faxgetty instances do not start. If
> I run faxgetty from the command line in detached mode for each of them
> (faxgetty -D ttyIAX0) then they do start. The iaxmodem instances are
> started from an init.d script as far as I can tell. They appear and
> disappear with service iaxmodem start and stop in any case and they
> most certainly do not respawn if the service is stopped.
>
> So, my question is: Does inittab have any use on el6 systems? What is
> its replacement? In other words, how do I accomplish what I am told to
> do with respect to iaxmodem and faxgetty that formerly worked in
> inittab and now evidently does not?

What you've described above works with CentOS 5 running sysv-init. It doesn't work with CentOS 6 because sysv-init has been replaced by upstart. That, in turn, will end up being replaced by systemd when 7 eventually comes out. About the only thing that /etc/inittab is used for under upstart or systemd is for the initial run level.

You might want to read up on the upstart documentation and look at the contents of the /etc/init directory. The /etc/init.d directory contains the sysv-init init scripts. The /etc/init directory (no .d) has configuration files for upstart. Upstart can start sysv services and run sysv-init style init scripts as well.

> --
> *** E-Mail is NOT a SECURE channel ***
> James B. Byrne                mailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada L8E 3C3

Regards,
Mike
Re: [CentOS] Configuring source-specific routing
oing it but this was what used to work for me, when I needed it many ages ago.

Regards,
Mike

> A rough diagram of the network layout:
>
> ISP1 router (blackbox, routes subnet A, address on subnet A)
>        \
>         ---eth0(firewall)eth1---((servers))
>        /
> ISP2 router (blackbox, routes subnet B, address on subnet B)
>
> The aim is to allow the servers to use both subnet A and subnet B. To
> allow this, any machine on both subnets must have source-specific
> routing configured, else packets originating from one ISP's AS will be
> directed at the other's router, and neither ISP cares for that.
>
> At the moment, I'm focusing on getting the second ISP properly added to
> the firewall box. The firewall box is using CentOS 6.4, and normally
> passes traffic back and forth via proxy_arp. None of my interfaces are
> NM_CONTROLLED, and NetworkManager is not installed, much less started.
>
> I've created a route-eth0:1 file that looks roughly like this:
>
>   10.0.0.1 dev eth0:1 \
>     src 10.0.0.2 \
>     from 10.0.0.0/29
>
>   default via 10.0.0.1 dev eth0:1 \
>     src 10.0.0.2 \
>     from 10.0.0.0/29
>
> (Treat indented lines as continuations of the previous line)
> (No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)
>
> If I run "ifup eth0:1", "ip route show" includes the lines:
>
>   10.0.0.1 dev eth0 scope link src 10.0.0.2
>   10.0.0.0/29 dev eth0 proto kernel scope link src 10.0.0.2
>   default via 10.0.0.1 dev eth0
>
> Note that the "from 10.0.0.0/29" clause is missing. With the addition of
> a second default route on my firewall/gateway without any restriction on
> which traffic should go that way, my whole network, of course, tanks.
>
> I'm surprised it's been such a pain; I would have expected it to be a
> relatively common configuration. What's the proper way of doing
> source-specific routing on CentOS?
Re: [CentOS] Configuring source-specific routing
On Wed, 2013-05-01 at 17:52 -0400, Michael Mol wrote:
> On 05/01/2013 05:15 PM, Michael H. Warfield wrote:
> > On Wed, 2013-05-01 at 16:05 -0400, Michael Mol wrote:
> >> I'm attempting to configure source-specific routing so that my servers
> >> can exist on multiple subnets from multiple upstream providers.
> >
> > Kinda curious why you are attempting this without getting involved in
> > dynamic routing (BGP)... It's usually someone trying to do multihoming
> > or multi-link load balancing on the cheap without involving their ISPs
> > (which tends to be expensive as soon as you're talking with them about
> > redundant / backup loops, provider independent addresses, and BGP
> > peering). Generally equates to "champagne taste on a beer budget" but
> > there are exceptions and reasons, as I know from personal experience.
> > It often doesn't end well and is unreliable as network conditions
> > change. But that depends on your requirements and application. I'm not
> > one to judge - just pointing out the pitfalls.
>
> Yup, I know.
>
> Intent is to maintain the old, slow (but has an SLA) connection as a
> fallback, and migrate services to the new connection piecemeal.
> Meanwhile, the same DNS server on the new connection can be, e.g. "ns3".
> The same mailserver can have a new MX on the new connection...likely
> prioritized to it.
>
> Inbound services can be load-balanced fairly easily via DNS, if TTLs are
> kept low, and records updated in response to link state. It's not
> anycast DNS, but it also doesn't require you to get BGP peering and PI
> space. (I don't even know if I could *get* IPv4 PI space at this point.
> I certainly know I wouldn't be able to if I waited a year...)
>
> > I have done this a number of times in the past (mostly for VPN's and
> > redundant load-balancing links). You're probably going to have to get real
> > down and dirty into policy routing rules and tables with iproute2. I
> > don't honestly believe you will be able to pull it off with the basic
> > stuff provided in the ifcfg-*, route-*, or static-route files (proviso
> > below).
> >
> > I had to do it using completely custom files utilizing "ip rule" and "ip
> > route {add|delete} table [n]" subcommands to "ip" to build custom
> > matching rules and mapping them to different routing tables containing
> > different routes and priorities. In some cases, with OpenVPN VPNs, I
> > also had to incorporate iptables filtering commands to mark and match
> > packets and interact with the ip rule tables but I doubt you're going
> > that deep.
>
> Yeah, I've gone that deep. And a tad deeper. I had almost *everything*
> working by hand, and went to figure out how to convert it to idiomatic
> CentOS network configuration scripts. And took my network down *three
> times* because of the script-processing stripping things out.
>
> > man ip-rule
> >
> > --
> >    In some circumstances we want to route packets differently depending
> >    not only on destination addresses, but also on other packet fields:
> >    source address, IP protocol, transport protocol ports or even packet
> >    payload. This task is called 'policy routing'.
> >
> >    To solve this task, the conventional destination based routing table,
> >    ordered according to the longest match rule, is replaced with a
> >    'routing policy database' (or RPDB), which selects routes by executing
> >    some set of rules.
>
> Yup. I went through LARTC before writing a line of code, just to be sure.
>
> Curiously, at least one guy has reported success:
> http://sysadminsjourney.com/content/2009/04/15/doing-simple-source-policy-routing-centos/
>
> Now, the only thing different between his setup and mine (apart from my
> using ethN:1 instead of ethN, as all three routers hang off the same
> ethernet segment) is that where his guide says:
>
> echo "default table CorpNet via 10.0.0.1" > /etc/sysconfig/network-scripts/route-eth1

Ok... Wow...

If that's the only difference between his description and what you did, you certainly left A LOT out. He's using both rules and tables, neither of which you made any mention of in your original post.

At this point, having read that article, I will eat my earlier words (not the first time and certainly won't be the last time). I guess you can now do this using the standard files, it's just that I haven't done it in so long that you couldn't do it ba
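The two messages above converge on the same mechanism: a separate routing table for the second upstream, selected by an "ip rule" on the packet's source address, rather than a "from" clause in the route file (which ifup-routes strips, producing the unrestricted second default route that took the network down). The script below is an added example and is not code from either poster or from the linked article. It generates the CentOS 6 route-<dev> and rule-<dev> file contents and the equivalent ip(8) commands, and includes an offline check of captured "ip rule show" output. All values are constructed to match the redacted addresses in the thread: subnet 10.0.0.0/29, gateway 10.0.0.1, local address 10.0.0.2, device eth0, table 100. It uses plain eth0 for the file names; with an alias such as eth0:1 the files are named after the alias, as in the original post.

```shell
#!/bin/sh
# Added example (not from the thread): source-policy routing for a second
# upstream on CentOS 6, expressed as route-<dev>/rule-<dev> file contents and
# the equivalent ip(8) commands, plus an offline check of "ip rule show".
# All values are constructed: subnet 10.0.0.0/29, gateway 10.0.0.1,
# local address 10.0.0.2, device eth0, routing table 100.

# Contents of /etc/sysconfig/network-scripts/route-<dev>. ifup-routes passes
# each line to "ip route add", so "table N" keeps both routes out of the main
# table: the second default route can then only be reached via a rule.
# The link route is included so the gateway is resolvable inside table N.
route_file() {
    subnet=$1 gw=$2 src=$3 dev=$4 table=$5
    printf '%s dev %s src %s table %s\n' "$subnet" "$dev" "$src" "$table"
    printf 'default via %s dev %s src %s table %s\n' "$gw" "$dev" "$src" "$table"
}

# Contents of /etc/sysconfig/network-scripts/rule-<dev>. Each line is passed
# to "ip rule add". The "from" selector is what the route file could not
# carry: only traffic sourced from the ISP2 block is looked up in table N.
rule_file() {
    subnet=$1 table=$2
    printf 'from %s table %s\n' "$subnet" "$table"
}

# The same configuration as runtime commands, for trying by hand before the
# files are committed (commands run by hand do not survive a network restart).
ip_commands() {
    subnet=$1 gw=$2 src=$3 dev=$4 table=$5
    route_file "$subnet" "$gw" "$src" "$dev" "$table" | sed 's/^/ip route add /'
    rule_file "$subnet" "$table" | sed 's/^/ip rule add /'
}

# Offline check: does captured "ip rule show" output contain the source rule?
# $1 is the captured output, $2 the subnet, $3 the table number.
# "ip rule show" prints the table as "lookup N" (or its name from rt_tables).
has_source_rule() {
    printf '%s\n' "$1" | grep -qF -- "from $2 lookup $3"
}

# Constructed sample of "ip rule show" output after the rule file is applied.
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.0.0.0/29 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# Stand-alone usage: print the generated files and commands, then run the check.
echo '# route-eth0'
route_file 10.0.0.0/29 10.0.0.1 10.0.0.2 eth0 100
echo '# rule-eth0'
rule_file 10.0.0.0/29 100
echo '# equivalent commands'
ip_commands 10.0.0.0/29 10.0.0.1 10.0.0.2 eth0 100
if has_source_rule "$SAMPLE_RULES" 10.0.0.0/29 100; then
    echo 'source rule present for 10.0.0.0/29 -> table 100'
fi
```

After "ifup eth0" the main table keeps its single default route, and "ip route show table 100" should list only the two lines from route-eth0; has_source_rule is the check to run against real "ip rule show" output after applying the files.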
Re: [CentOS] TPM and secure boot
On Sun, 2013-05-19 at 14:38 -0700, John R Pierce wrote:
> On 5/19/2013 2:06 PM, Reindl Harald wrote:
> > On 19.05.2013 22:59, John R Pierce wrote:
> >>> is this typically used in conjunction with disk encryption such that the
> >>> TPM module supplies the decryption keys? does linux have any concept
> >>> of signed executables, kernel, and so forth? would replacing the RPM
> >>> keys with keys signed by our own certificate authority such that the TPM
> >>> would be involved in RPM authentication be practical?
> > did you not read any IT news in the last year?
> > forget it on CentOS / RHEL currently
> >
> > even Fedora is far far away from what you think you need and the
> > complete chain of trust is more or less impossible on an opensource
> > system without making any 3rd party kernel module completely impossible
> >
> > https://fedoraproject.org/wiki/Secureboot
> > http://www.networkworld.com/community/blog/microsofts-secure-boot-red-hat-request-ignites-linus-torvalds-nsfw-flame-war

The comment that "the complete chain of trust is more or less impossible on an opensource system without making any 3rd party kernel module completely impossible" is complete and utter bullshit, within the realm that ANYTHING can be a "complete chain of trust" in OpenSource or closed source. OpenSource has no disadvantage (and some advantages - peer review and support) in this arena. Cryptographers accept that the security of a crypto system does NOT depend on the secrecy of the algorithm but only upon the secrecy of the keys (private or shared). Anyone telling you otherwise has something to sell you.

You might review Joanna (little miss blue pill) Rutkowska's work on the "anti evil maid" to counter the "evil maid attack" against encrypted drives. If you wish to secure a system using TPM, this would be the place to start.

> TPM is not the same as the new secureboot UEFI BIOS stuff. this is an
> optional module (tamperproofed so if its unplugged, it erases) on most
> server motherboards, you initialize it with your OWN security keys if
> you want to use it, Microsoft has nothing to do with it. TPM has been
> around since 2006 or earlier.
>
> --
> john r pierce                                      37N 122W
> somewhere on the middle of the left coast

Regards,
Mike
Re: [CentOS] KVM console?
On Wed, 2013-06-05 at 12:43 -0500, Les Mikesell wrote:
> I finally got access to some machines with more resources than the
> free VMware ESXi license allows which pushed me into trying kvm
> instead. Seems capable enough for what I need and can even import and
> run the existing vmdk images I already have. But, I have some
> questions about accessing the virt-manager console remotely for
> initial configuration, etc.. Normally I use freenx for remote GUI
> access and it seems to work except that on the Windows guest I tried
> the cursor position never stays in sync. Are there better ways to
> get remote access to the GUI or centralize access to a group of KVM
> servers? Or do most people automate the VM setup to the point where
> they don't need console access until it is up on the network where you
> can connect directly to the guest?

I use Remmina as a client and freenx on most of my servers. Remmina supports NX, RDP, VNC, native X11 and others and can tunnel any over ssh.

That being said, I've heard some people say some very good things about Spice (not to be confused with the electrical engineering Spice as in gnuspice), which is NOT supported by Remmina. Someone told me that Spice was only usable for host to VM remote desktops but, the last I heard, it looks like it's approaching a general purpose remote desktop that can outperform NX. But it's really hard to beat NX.

> --
> Les Mikesell
> lesmikes...@gmail.com

Regards,
Mike