Posts

Red Hat Addresses Critical Firefox Vulnerability

On April 26th, 2016, a major new Firefox upgrade was released for Red Hat 5, 6, and 7, along with its community-supported counterpart CentOS, to address a number of Critical vulnerabilities in the Extended Support Release (ESR) version of Mozilla's browser software.  The version number jumps to 45 from the current 38.  According to the Security Advisory, Mozilla reported the following about the Firefox version available for Enterprise Linux distributions, i.e. 38.8:
"A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
(CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814)"
Upstream, Mozilla's Security Advisories page for the Extended Support Release (ESR) of Firefox tracks this issue and has some relevant links for the different vulnerabilities addressed by this major update.

firefox-45.1.0-1.el7_2.src.rpm

Buffer Overflow in libstagefright  First, the…

RHEL 7 and CentOS 7 syslog Rate Limit

https://access.redhat.com/solutions/1417483

In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module.

Lower Ratelimit Interval

Lower the interval for rate-limiting and increase the burst level in order to minimize the possibility of losing log messages when the threshold is reached for the specified number of messages logged within the specified interval. Rate-limiting is specific to each process, so there's usually no reason to change this. It is also inadvisable to disable this feature entirely!

    grep -i rate /etc/systemd/journald.conf
    #RateLimitInterval=30s
    #RateLimitBurst=1000
    RateLimitInterval=10s
    RateLimitBurst=3000

    grep -i rate /etc/rsyslog.conf
    #$imjournalRatelimitInterval 600 <--default
    $imjournalRatelimitInterval 300
    $imjournalRatelimitBurst 30000

journal corruption

    journalctl --verify
    journalctl --force

Centos 7 pulseaudio

CentOS 7 doesn't come with an option for `awesome-wm` installation.  Therefore, to make use of this lightweight tiling manager, one has to enable the Fedora 19 repo or build the package from source.  For the Fedora 19 repo approach, see:

https://gist.github.com/ILMostro/1909a50e1858d0ee7e10

To use it without GDM, GNOME's display manager, and without the gnome services, one has to be aware of certain shortcomings, since the gnome services provide some functionality by default.  One such shortcoming is the lack of built-in Sound and Volume management.  Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter.  These packages are available from the "nux-desktop" repository at http://li.nux.ro/repos.html .
nux-desktop My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at your OWN RISK!

Some of…

cPanel Removal

It's a poorly-kept secret that cPanel wants to prevent Server owners and/or administrators from being able to purge their systems of the rootkit-like software.  While they've recently made a change claiming to focus on support for primarily rpm-based Linux distributions, i.e. mainly Red Hat and CentOS, cPanel software breaks almost EVERYTHING RHEL/rpm-related on the system!

Their use of binary packages and perl scripts along with choosing to disable SELinux completely puts this outdated and soon-to-be obsolete software in direct conflict with anything Linux! I wish they had switched to support Windows instead.

In any case, here's yet another blog post online outlining a procedure for removing cPanel, relatively cleanly, from a VPS running CentOS 7 in a Virtuozzo container.

    yum list \*cpanel\*
    yum remove \*cpanel\*

Remove the line in /etc/yum.conf starting with "exclude".

    # cat /etc/yum.conf
    [main]
    #; exclude=courier* dovecot* exim* filesystem httpd…

LUKS Encryption and Unattended boot on Headless Servers

The anaconda installer on Red Hat-based Linux distributions provides the user with an option to encrypt the /home partition by selecting a simple check-box. This adds an obviously valuable security/privacy feature to the system if it's selected. Consequently, the user is prompted for a password during the boot process, which then decrypts the partition and mounts it in the designated location on the filesystem. The default behaviour is not very well suited for unattended reboots or for headless servers. The crypttab(5) manual page provides great information on how to facilitate the process for unattended boots:

DESCRIPTION
The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two …

LVM Snapshot Causes Boot Failure

If you've created an LVM Snapshot before rebooting your system and found yourself staring at the dracut rescue shell, you might be stricken by the same problem as I was.  Executing init U on the dracut command line resulted in a descriptive error message (that might also be found in the journal/logs) about a missing dm-snapshot kernel module.  I attempted to troubleshoot the problem for a couple of hours, failing to add the kernel module in the end--as I wasn't able to get to a working kernel.  Ultimately, the only solution was to remove the snapshot Volume, which proved to be more difficult than expected. To remove the snapshot LV, one executes:

    dracut #: lvm lvremove vg_name/lv_snapshot_name

However, you might be confronted by an error message there as well.  It seems that the volume is locked at that time.  To get around this, simply remove the /etc/lvm/lvm.conf file from the volatile initramfs "filesystem".

    dracut #: rm /etc/lvm/lvm.conf
    dracut #: lvm p…

OpenStack Installation on RHEL7 System

There's a simple "Get Started" Guide on the Red Hat website, which briefly outlines how to get a sample OpenStack system up and running in 5 steps.  The first, easily overlooked step is to start by installing a "minimum-install" version of RHEL7 on a physical system.  If you've already set up and configured a system that you're using for everyday tasks and/or work functions, be aware that the installation will repeatedly fail with errors due to incompatible options, missing dependencies, etc.

Provided that you've followed the subsequent steps in the guide to register the system and enable the pertinent repositories, the next step is to install and run the packstack script:

    # yum install openstack-packstack
    # packstack --allinone

This is a rather lengthy python script that uses some puppet modules to install the necessary software components and configure the system as the OpenStack All-in-One server.  According to the packstack documentation, "…