
Apache Webserver, PHP, and Software Collections on RHEL7

The relatively short lifespan of PHP versions does not sit well with Extended Release Operating Systems like Red Hat Enterprise Linux and CentOS. The longevity of the OS is, perhaps, one of the most attractive features for server owners and administrators. However, as with most things in life, there's always a trade-off. Extended Release Operating Systems provide a long "shelf life" and ongoing support and development for the most important part of a server. It's not surprising, then, that "bleeding edge" software isn't readily available in the default software repositories. This creates a dilemma in the days of DevOps and increasing Internet penetration. Software Collections have made this type of scenario less problematic. Software Collections provides a repository of more recent, development versions of software that are always kept separate from the system-wide software installations of a server. This allows us, for example, to run different ver…

Red Hat Addresses Critical Firefox Vulnerability

On April 26th, 2016, Red Hat Enterprise Linux 5, 6, and 7, along with its community-supported counterpart CentOS, released a major new Firefox upgrade to address a number of Critical vulnerabilities in the Extended Support Release (ESR) version of Mozilla's browser software. The version number jumps to 45 from the current 38. According to the Security Advisory, Mozilla reported that the Firefox version available for Enterprise Linux distributions--i.e. 38.8--could allow:

    "A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
    (CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814)"

Upstream, Mozilla's Security Advisories page for the Extended Support Release (ESR) of Firefox tracks this issue and has relevant links for the different vulnerabilities addressed by this major update.


Buffer Overflow in libstagefright

First, the…

RHEL 7 and CentOS 7 syslog Rate Limit

In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module.

Lower Ratelimit Interval

Lower the interval for rate-limiting and increase the burst level in order to minimize the possibility of losing log messages when the threshold is reached for the specified number of messages logged within the specified interval. Rate-limiting is specific to each process, so there's usually no reason to change this. It is also inadvisable to disable this feature entirely!

    grep -i rate /etc/systemd/journald.conf
    #RateLimitInterval=30s
    #RateLimitBurst=1000
    RateLimitInterval=10s
    RateLimitBurst=3000

    grep -i rate /etc/rsyslog.conf
    #$imjournalRatelimitInterval 600 <--default
    $imjournalRatelimitInterval 300
    $imjournalRatelimitBurst 30000

Journal corruption

    journalctl --verify
    journalctl --force

cPanel Removal

It's a poorly-kept secret that cPanel wants to prevent server owners and/or administrators from being able to purge its rootkit-like software from their systems. While they've recently made a change claiming to focus support primarily on rpm-based Linux distributions, i.e. mainly Red Hat and CentOS, cPanel software breaks almost EVERYTHING RHEL/rpm-related on the system!

Their use of binary packages and perl scripts along with choosing to disable SELinux completely puts this outdated and soon-to-be obsolete software in direct conflict with anything Linux! I wish they had switched to support Windows instead.

In any case, here's yet another blog post outlining a procedure for removing cPanel, relatively cleanly, from a VPS running CentOS 7 in a Virtuozzo container.

    # yum list \*cpanel\*
    # yum remove \*cpanel\*

Remove the line in /etc/yum.conf starting with "exclude":

    # cat /etc/yum.conf
    [main]
    #; exclude=courier* dovecot* exim* filesystem httpd…

LUKS Encryption and Unattended boot on Headless Servers

The anaconda installer on Red Hat-based Linux distributions provides the user with an option to encrypt the /home partition by selecting a simple check-box. This adds an obviously valuable security/privacy feature to the system if it's selected. As a consequence, the user is prompted for a password during the boot process, which then decrypts the partition and mounts it in the designated location on the filesystem. The default behaviour is not very well suited for unattended reboots or headless servers. The crypttab(5) manual page provides good information on how to facilitate the process for unattended boots:

    DESCRIPTION
           The /etc/crypttab file describes encrypted block devices that are set up during system boot.

           Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two …

LVM Snapshot Causes Boot Failure

If you've created an LVM snapshot before rebooting your system and found yourself staring at the dracut rescue shell, you might be stricken by the same problem as I was. Executing init U on the dracut command line resulted in a descriptive error message (that might also be found in the journal/logs) about a missing dm-snapshot kernel module. I attempted to troubleshoot the problem for a couple of hours, failing in the end to add the kernel module--as I wasn't able to get to a working kernel. Ultimately, the only solution was to remove the snapshot volume, which proved to be more difficult than expected. To remove the snapshot LV, one executes:

    dracut #: lvm lvremove vg_name/lv_snapshot_name

However, you might be confronted by an error message there as well. It seems that the volume is locked at that time. To get around this, simply remove the /etc/lvm/lvm.conf file from the volatile initramfs "filesystem".

    dracut #: rm /etc/lvm/lvm.conf
    dracut #: lvm p…

OpenStack Installation on RHEL7 System

There's a simple "Get Started" guide on the Red Hat website, which briefly outlines how to get a sample OpenStack system up and running in 5 steps. The first, easily overlooked step is to start by installing a "minimum-install" version of RHEL7 on a physical system. If you've already set up and configured a system that you're using for everyday tasks and/or work functions, be aware that the installation will repeatedly fail with errors due to incompatible options, missing dependencies, etc.

Provided that you've followed the subsequent steps in the guide to register the system and enable the pertinent repositories, the next step is to install and run the packstack script:

    # yum install openstack-packstack
    # packstack --allinone

This is a rather lengthy Python script that uses some Puppet modules to install the necessary software components and configure the system as the OpenStack All-in-One server. According to the packstack documentation, "…

Linux date Command: Day of Week

To find the day of week (e.g. Friday) on a particular date using the Linux version of the `date` utility, execute:

    $ date -d 'Jan 03 2004' "+%a"
    Sat

The -d flag tells the utility to display the date described by the given string, instead of setting the system date.

The "+%a" argument is one of `date`'s FORMAT options, which are listed in the man page. So, for example, we can also have the full name of the weekday output by changing "+%a" to "+%A":

    $ date -d 'Jan 03 2004' "+%A"
    Saturday

    DATE(1)                          User Commands
    NAME
           date - print or set the system date and time
    SYNOPSIS
           date [OPTION]... [+FORMAT]
           ...
           ...
    FORMAT controls the output. Interpreted sequences are:
           %%   a literal %
           %a   locale's abbreviated weekday name (e.g., Sun)
           %A   locale's full weekday name (e.g., Sunday)
           %b   locale's abbreviated month name (e.g., Jan)
           %B   locale's…

SELinux Failure after Fedora22 Upgrade

SELinux somehow got mangled during the upgrade process from Fedora21 -> Fedora22. Some of the modules were changed between the versions and as a result my SELinux "system" is borked. It'd be nice to have more documentation available on re-installing and/or resetting SELinux on a system. I can't use any of the normal tools to manage SELinux, as they only print out errors like `libsepol.permission_copy_callback...`. Attempting to add a file context, for example, results in:

    # semanage fcontext -a -t system_dbusd_var_lib_t /var/lib/dbus/machine-id
    libsepol.context_from_record: type radicale_port_t is not defined (No such file or directory).
    libsepol.context_from_record: could not create context structure (Invalid argument).
    libsepol.port_from_record: could not create port structure for range 5232:5232 (tcp) (Invalid argument).
    libsepol.sepol_port_modify: could not load port range 5232 - 5232 (tcp) (Invalid argument).
    libsemanage.dbase_policydb_mo…

RHEL7 Fedora as Network Router and Gateway

Hardware Requirements:
• 2 Ethernet Network Cards: 1 for WAN; 1 for LAN
• Optional Wireless Router for wifi

Software Requirements:
• NIC Configuration Files
• sysctl Kernel Parameters
• Firewall Configuration
• dhcpd Server

For the sake of clarity the two network cards will be called ifcfg-wan (WAN) and ifcfg-lan (LAN); make the necessary changes for your environment accordingly, e.g. eth0, ens1, enp0s77, etc., as I will not outline how to make naming changes for hardware devices. The configuration files for the relevant network adapters/cards are /etc/sysconfig/network-scripts/ifcfg-wan and /etc/sysconfig/network-scripts/ifcfg-lan.

First, make sure all the interfaces are "down" and the ethernet cables are unplugged from both adapters. Assuming you're not using NetworkManager, this can be accomplished on the command line with "ifdown wan" and/or "ifdown lan".

Next, check the system's network activity for open ports and close them all for now:

# netst…

Virtual Interfaces and VLANs in Fedora20

Setting up VLAN interfaces in Fedora20

VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch; on the Linux side they are configured in software rather than through a hardware interface (you still need to configure the actual hardware switch too).

Hardware Device Requirements
• To be able to use VLANs you will need a switch that supports the IEEE 802.1q standard on an Ethernet network.
• You will also need a NIC (Network Interface Card) that works with Linux and supports the 802.1q standard.

Setting Up 802.1q VLAN Tagging

This is based on Fedora documentation, specifically the F17 System Administrator's Guide.

• First, ensure that the 8021q kernel module is loaded with the following command:

    # lsmod | grep 8021q

If the grep command above produces no output, load the module with:

    # modprobe 8021q

• Configure the physical interf…

Samsung Printer Scanner on Linux

Once again, I've been made to feel like just another outcast in the information age of script-kiddies and spreadsheet warriors; yet another instance of a corporation neglecting Linux users with lacking software support and drivers for their devices. As in most other cases, the Linux community provides its own workaround in this instance as well; namely, the SANE (Scanner Access Now Easy) backend and libraries for the Samsung CLX-3185 Multifunction Printer/Scanner device. The Samsung support website claims to offer a "Universal Linux Driver", but that's just a smokescreen created by the ineffective binaries and poorly constructed installation scripts from Samsung. Notwithstanding, the SANE backend implementation isn't perfect either--as there are still issues with certain system setups, USB 3.0, or simply non-supported devices--but it's far better integrated into the Linux ecosystem.

It can be very frustrating not being able to complete an important task …

CPU Fan Control on ThinkPad Laptop

I have a Lenovo ThinkPad laptop that occasionally displays error messages about "Hardware events/THERMAL EVENTS" during times of high CPU usage. This is a scary set of messages in the journal logs that could portend a short life span for the CPU if neglected; at times I've suspected that it may have been the culprit of system crashes, though I won't go into further details on that here.

It's worth noting that the performance improves and error messages subside after one disassembles the laptop and cleans out the heat sink; maybe even properly applies a fresh coat of thermal compound on it.  This improvement, however, never lasts too long as the dust accumulates within the heatsink area again.

I can recall reading anecdotal evidence of this problem from other ThinkPad owners on the Lenovo forums and other places when I first came across these scary messages on my system.  Those owners running Linux on their laptops offered explanations about the poor air fl…


lvm table

Specify I/O Scheduler with udev rules

Since the advent of systemd the use of /etc/rc* startup scripts has been discouraged and phased out. However, systemd still supports the use of certain local startup scripts for compatibility purposes. Nevertheless, to ensure full current and future compatibility with systemd, administrators are encouraged to create their own systemd service files or udev rules to run scripts during boot. This post will briefly outline the use of a udev rule to assign a specific I/O scheduler to a specific HDD.

NOTE: To see an example using the phased-out rc startup scripts, take a look at my previous post.

Create a custom rules file, e.g. 99-custom.rules, in the /etc/udev/rules.d/ directory with your editor of choice. The following example will instruct udev to assign the deadline I/O scheduler to the /dev/sdb device:

    # vim /etc/udev/rules.d/99-custom.rules
    ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="sdb*", RUN+="/bin/sh -c 'echo deadline > /sys/bloc…

Specify I/O Scheduler per Device

Since the advent of systemd the use of /etc/rc* startup scripts has been discouraged and phased out. However, systemd still supports the use of certain local startup scripts for compatibility purposes. This post will briefly outline the use of the /etc/rc.local file to assign a specific I/O scheduler to a specific HDD.

At the moment, I have an SSD drive (primary /dev/sda) and an "old-fashioned" HDD (/dev/sdb) in use on my RHEL7 system. I'd like to be able to use the deadline I/O scheduler as the default and assign the cfq scheduler to the HDD device. In RHEL7 the default I/O scheduler can change based on the selected tuned profile, which adds an additional layer of uncertainty if you're unaware of "tuned". The default tuned profile is throughput-performance, which enables the deadline scheduler by default among other performance-related system settings. However, if the default profile is changed to, e.g., virtual-host, the scheduler of choice becomes

SystemD and FIFO Sockets in RHEL7

There's a bug with a relevant discussion on systemd's approach to FIFO socket deletion. As of systemd-214 the issue with "stale" sockets was resolved by supplying the `RemoveOnStop` option to its corresponding `.service`. However, at the moment RHEL7 has systemd-208 as the default version, and I am seeing the following errors in `dmesg` output:

    systemd[1]: systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
    systemd[1]: /usr/lib/systemd/system-generators/anaconda-generator exited with exit status 1.
    [ +0.056775] systemd[1]: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
    [ +0.000675] systemd[1]: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'

I'm not sure if LVM2 is referencing a feature that's not available in the default systemd version; AFAIK, my configurati…

Power Management and Performance in Enterprise Linux (EL7)

As with most things in Linux, there is an array of different tools and options available when dealing with the performance and power consumption of hardware components. Nevertheless, certain standard or even non-standard defaults always emerge, either distribution-specific or -agnostic. While a greater number of available tools provides greater control and more possible solutions, it also brings greater potential for confusion and unclear incompatibilities. One such confusion arose when I noticed the inconsistency in my CPU frequency preference across reboots. I was used to using the cpupower utility from the kernel-utils package; however, options in the configuration file in /etc/sysconfig/cpupower had no effect on the system during the boot-up process. It turns out that RHEL7 and, by extension, CentOS EL7 use the tuned utility by default for performance tuning. As a result, according to a post in the CentOS forum, ...that service conflicts …

Expanding LVM Partition in RHEL7

Scenario:  I've created a VM with a RHEL7 guest.  The partition layout is a standard, primary partition for /boot and LVM for the rest--namely, /usr, /var, /home, swap and / (rootfs).  After installing updates and some other packages, the /usr directory began to fill up.

In order to mitigate the situation, I created an additional primary partition with an XFS filesystem, as that is the preferred/default FS in RHEL7.

    # parted /dev/vda mkpart P3 xfs 14G 16G

The above command instructs parted to operate on the /dev/vda disk and create partition 3 with an XFS filesystem starting at 14G and ending at 16G.
Next, I added the new partition to LVM as a physical volume with the following command:

    # pvcreate /dev/vda3

Then, extend the volume group with the new physical volume:

    # vgextend rhel /dev/vda3

Next, extend the /usr logical volume by 2G:

    # lvextend -L+2G /dev/rhel/usr

Finally, to grow the filesystem I executed:

    # xfs_growfs /dev/rhel/usr

Password Aging and Authentication in RHEL7

As I posted in a previous note, the password policy in RHEL 7, and most other Linux distributions, is handled by the dynamically-configurable PAM (Pluggable Authentication Modules) system. However, there are a number of other tools involved in securing the RHEL system. One such tool is the shadow password suite. The shadow suite creates an additional layer of abstraction for the system's login passwords by moving the account passwords from the /etc/passwd file to a separate file, /etc/shadow, while maintaining the unobstructed use of the rest of the accounts system. The Linux Documentation Project explains it: the password is stored as a single "x" character (i.e. not actually stored in this file). A second file, called "/etc/shadow", contains the encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.
According t…