July 09, 2018

Improving CentOS package delivery security with signed repository metadata

July 09, 2018 03:31 PM

With the release of CentOS 7.5.1804, the CentOS Project has taken the next big step in improving software delivery security by signing all repository metadata for CentOS 6 and CentOS 7 for all architectures, including the repositories for CentOS Special Interest Groups (SIGs) produced by the CentOS Community Build System (CBS).

Wait, what do you mean signed repository metadata?

As most users of Linux distributions know, software is delivered in the form of “packages” to users through repositories. Packages are installed by their package manager (such as YUM or DNF) by fetching information about the repository to identify what it can get to do a particular user action (install new package, upgrade existing ones, and so on).

But how do you validate that the software you are getting is the software you are supposed to get? Most Linux distributions do this by digitally signing the packages using a signature that uniquely identifies the distributor via GPG. The advantage of this is that no matter what mechanism you receive the package (via repository, direct download, or on a flash drive), you can validate the signature and be assured it is a package from the distribution.

But there is a gap here: how are you assured that the repository hasn’t been tampered with? This is a specific type of vulnerability that applies only to package repositories, because they provide files that contain an index of the software in the repository, and how to fetch them. The way to close this hole is to provide a means of verifying the repository metadata is good, too. This allows the package manager to verify that the metadata is what it should be and is from the distribution before starting to process the metadata. This can help with avoiding certain types of attacks due to malformed metadata files.

We started doing this in 2015 for the main CentOS core repositories, and now we’re offering this for all repositories published by the CentOS Project.

Sounds great! How do I use it?

At the time of this writing, we do not automatically validate the repository metadata. If you want to do this, simply add the following line to the YUM repository configuration files (the *.repo files in /etc/yum.repos.d):

repo_gpgcheck=1

If you want to enforce this globally, you can set this in /etc/yum.conf instead. Be warned, though, that repositories like Fedora EPEL will then not work, since Fedora Infrastructure is still working on signing its repository metadata.

I’m a SIG maintainer and I’d like to have this by default, what do I do?

Great question! If you’re a SIG maintainer and manage the repository configuration package (i.e. centos-release-* packages), then you can choose to make this the new default for repository configuration.

To do so, simply add “repo_gpgcheck=1” to the .repo files in your package. On the next update, if the user hasn’t modified the *.repo files, the setting will switch on. New installations will get it as well.

Again, though, if you use Fedora EPEL in your repo configuration, you must not add the setting to the EPEL section in your configuration.
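To see where the setting described above actually takes effect on a host, here is an added example (not part of the original post or of any CentOS tooling) that reports, per repository section, whether repo_gpgcheck is on and whether it comes from the section itself or from [main] in /etc/yum.conf. The function names and the sample repository definitions are constructed for illustration; it assumes yum's usual rule that a section without the option inherits the [main] value.

```python
"""Audit which yum repositories will verify signed metadata (repo_gpgcheck)."""
import configparser
import glob
import os

# Constructed sample input: URLs and key paths are placeholders.
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\n"
SAMPLE_GLOBAL_YUM_CONF = SAMPLE_YUM_CONF + "repo_gpgcheck=1\n"
SAMPLE_REPOS = {
    "CentOS-Base.repo": """\
[base]
name=CentOS-$releasever - Base
baseurl=https://mirror.example.invalid/centos/$releasever/os/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirror.example.invalid/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
""",
    "epel.repo": """\
[epel]
name=Extra Packages (constructed)
baseurl=https://mirror.example.invalid/epel/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE-EPEL

[epel-debuginfo]
name=Extra Packages - Debug (constructed)
baseurl=https://mirror.example.invalid/epel/7/$basearch/debug/
enabled=0
gpgcheck=1
""",
}


def _as_bool(value, default):
    """Interpret a yum boolean; use `default` when unset or unrecognised."""
    if value is None:
        return default
    value = value.strip().lower()
    if value in ("1", "yes", "true"):
        return True
    if value in ("0", "no", "false"):
        return False
    return default


def _parse(text):
    # RawConfigParser: no %-interpolation, so $releasever and URLs pass through.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    return parser


def audit(main_conf_text, repo_texts):
    """Return one finding per repository section, files in sorted order."""
    main = _parse(main_conf_text)
    global_default = _as_bool(main.get("main", "repo_gpgcheck", fallback=None), False)
    findings = []
    for fname in sorted(repo_texts):
        parser = _parse(repo_texts[fname])
        for repo_id in parser.sections():
            if repo_id == "main":
                continue
            explicit = parser.get(repo_id, "repo_gpgcheck", fallback=None)
            findings.append({
                "file": fname,
                "repo": repo_id,
                "enabled": _as_bool(parser.get(repo_id, "enabled", fallback=None), True),
                "repo_gpgcheck": _as_bool(explicit, global_default),
                "source": "repo" if explicit is not None else "global",
            })
    return findings


def unverified(findings):
    """Enabled repositories whose metadata signature will not be checked."""
    return [f["repo"] for f in findings if f["enabled"] and not f["repo_gpgcheck"]]


def inherited(findings):
    """Enabled repositories that are checked only because of the [main] setting."""
    return [f["repo"] for f in findings
            if f["enabled"] and f["repo_gpgcheck"] and f["source"] == "global"]


def load_system(conf="/etc/yum.conf", repo_dir="/etc/yum.repos.d"):
    """Read the host's configuration, or the constructed samples if absent."""
    if not os.path.exists(conf):
        return SAMPLE_YUM_CONF, SAMPLE_REPOS
    with open(conf) as fh:
        main_text = fh.read()
    repo_texts = {}
    for path in glob.glob(os.path.join(repo_dir, "*.repo")):
        with open(path) as fh:
            repo_texts[os.path.basename(path)] = fh.read()
    return main_text, repo_texts


if __name__ == "__main__":
    for f in audit(*load_system()):
        print("%-20s %-16s enabled=%-5s repo_gpgcheck=%-5s (from %s)" % (
            f["file"], f["repo"], f["enabled"], f["repo_gpgcheck"], f["source"]))
```

With the global setting, the `inherited` list shows which sections (EPEL included) pick it up without saying so themselves; an explicit `repo_gpgcheck=0` in a section takes that repository back out.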

July 03, 2018

Release for CentOS Linux 6.10 i386 and x86_64

July 03, 2018 06:58 PM

We are pleased to announce the immediate availability of CentOS Linux
6.10 and install media for i386 and x86_64 Architectures. Release Notes
for 6.10 are available at:

http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.10

CentOS Linux 6.10 is derived from source code released by Red Hat, Inc.
for Red Hat Enterprise Linux 6.10. All upstream variants have been placed
into one combined repository to make it easier for end users.
Workstation, server, and minimal installs can all be done from our
combined repository. All of our testing is only done against this
combined distribution.

There are various changes in this release, compared with the
past CentOS Linux 6 releases, and we highly recommend everyone study the
upstream Release Notes as well as the upstream Technical Notes about the
changes and how they might impact your installation. (See the 'Further
Reading' section of the CentOS release notes link above).

All updates since the upstream 6.10 release are also on the CentOS
mirrors as zero day updates. When installing CentOS-6.10 (or any other
version) from any of our media, you should always run 'yum update' after
the install to apply these.

Users consuming our CentOS-CR repositories will already be running most
of the packages that make up CentOS-6.10, and all updates released since.
They will notice only a few updates today when moving to CentOS
Linux 6.10. For more information on the CR repository for future
updates, see this link:
http://wiki.centos.org/AdditionalResources/Repositories/CR

Release Announcements for all updated packages are available here:
https://lists.centos.org/pipermail/centos-cr-announce/2018-June/thread.html

+++++++++++++++++++++++
Upgrading From Prior Major CentOS Versions:

We recommend everyone perform a fresh reinstall rather than attempt an
in-place upgrade from other major CentOS versions (CentOS-2.1,
CentOS-3.x, CentOS-4.x, CentOS-5.x).

+++++++++++++++++++++++
Upgrading from CentOS-6.0 / 6.1 / 6.2 / 6.3 / 6.4 / 6.5 / 6.6 / 6.7 /
6.8 / 6.9

CentOS Linux is designed to automatically upgrade between releases
within a major version (in this case, CentOS-6). Unless you have edited
your yum default configuration, a 'yum update' should move your machines
seamlessly from any previous CentOS Linux 6.x release to 6.10. We also
test this in our QA cycles and have noticed no problems, any issues
would be mentioned in the Release Notes.

+++++++++++++++++++++++
Downloading CentOS Linux 6.10 for new installs:

When possible, consider using torrents to obtain our ISOs. Usually it is
also the fastest means to download the distro.

The install media is split into various formats. We have made efforts to
ensure that most install types and roles can be done from DVD-1 itself,
and the minimal install ISO is only tested to deliver a minimal install
set, when used as an ISO format ( either on cd or usb ). While other
forms of installs ( eg. pxe delivered ) might work from the minimal ISO,
they are neither tested nor supported. The only format where we support
the entire set of install options and delivery mechanisms is via the
complete CentOS Linux 6.10 tree, which can also be created by
consolidating all content from DVD1 and DVD2.

We no longer produce CD size images for the entire CentOS Linux 6
distribution, however the minimal install and netinstall iso images are
small enough to fit on all CD grade media.

Torrent files for the DVD's are available at :

i386:
http://mirror.centos.org/centos/6.10/isos/i386/CentOS-6.10-i386-bin-DVD1to2.torrent

x86_64:
http://mirror.centos.org/centos/6.10/isos/x86_64/CentOS-6.10-x86_64-bin-DVD1to2.torrent

If you download an ISO via torrent, leave it up for a couple hours to
share with other users who are downloading.

You can also use a mirror close to you to get any of our ISOs:
http://mirror.centos.org/centos/6.10/isos/

If you need to update a local mirror, you can choose from our mirror
network ( http://www.centos.org/download/mirrors/ ). Most mirrors will
allow downloads over http, ftp and rsync.

Note: The x86_64 ISOs (minimal, netinstall, DVD1) should install on UEFI
machines. Secure Boot must be disabled to install CentOS 6. The Live
ISOs and i386 ISOs will not boot with UEFI.

+++++++++++++++++++++++
sha256sum for the CentOS-6.10 ISOS:


+++++++++++++++++++++++
Cloud Images:

Images for various on-premise and off-premise Cloud environments are
currently under development for CentOS Linux 6.10 and will be released in
the coming days. Everyone looking to join and help with the CentOS Cloud
efforts is encouraged to join the CentOS-devel list where such issues
are discussed ( http://lists.centos.org/mailman/listinfo/centos-devel ).

+++++++++++++++++++++++
Getting Help:

The best place to start when looking for help with CentOS is at the wiki
( http://wiki.centos.org/GettingHelp ) which lists various options and
communities who might be able to help. If you think there is a bug in
the system, do report it at http://bugs.centos.org/ - but keep in mind
that the bugs system is *not* a support mechanism. If you need supported
software with Support Level Agreements, people to call and response
times then we recommend Red Hat Enterprise Linux.

If you have questions you would like to field at us in real time, come
join the office hours on Wed or Thu of every week. You can find details
on these at http://wiki.centos.org/OfficeHours

+++++++++++++++++++++++
Meet-ups and Events:

If you would like to get involved in helping organize, run, present or
sponsor a CentOS Dojo or even just want more details then join the
CentOS Promo list:
http://lists.centos.org/mailman/listinfo/centos-promo and drop an email
introducing yourself. We are very keen to find help to run events around
the world, and also to find people who can represent CentOS at various
community events around the world. (Current Events List:
https://wiki.centos.org/Events )

+++++++++++++++++++++++
Contributing and joining the project:

We are always looking for people to join and help with various things in
the project. If you are keen to help out a good place to start is the
wiki page at http://wiki.centos.org/Contribute . If you have questions
or a specific area you would like to contribute towards that is not
covered on that page, feel free to drop in on #centos-devel at
irc.freenode.net for a chat or email the centos-devel list
(http://lists.centos.org).

+++++++++++++++++++++++
Thanks to everyone who contributed towards making CentOS Linux 6.10,
especially the effort put in, as always, by the QA
(http://wiki.centos.org/QaGroup) and Build teams.

A special shout out to all the donors who have contributed hardware,
network connectivity, hosting and resources over the years. The CentOS
project now has a fairly well setup resource pool, solely thanks to the
donors.

Enjoy!

Student Supercomputing is #PoweredByCentOS

July 03, 2018 06:28 PM

Last week at the ISC-HPC event in Frankfurt, I had the opportunity to speak briefly with the amazing student teams in the SCC - Student Cluster Competition. These students use commodity hardware to build supercomputers, with a limit of 3KW power consumption, and compete on a variety of benchmarks.

These teams are overwhelmingly powered by CentOS, which has the latest HPC tools and libraries, and is the de facto standard when it comes to spinning up a new supercomputing cluster.

12 teams competed, and I got to speak with four of them this year.

University of Parana, Brazil

University of Warsaw, Poland

University of Heidelberg, Germany

University of Kasetsart, Thailand

 

CentOS Pulse Newsletter, July 2018

July 03, 2018 12:54 PM

We're pleased to publish another edition of the CentOS Newsletter. Once again, we cover latest releases, security updates, events, and reports from our SIGs (Special Interest Groups).

You can read the newsletter at https://wiki.centos.org/Newsletter/1802

More information about the newsletter, and how you can contribute to
future editions, is available at http://wiki.centos.org/Newsletter

We always welcome comments and suggestions.

Enjoy the read.

The Newsletter Team

June 15, 2018

CentOS Atomic Host 7.1805 Available for Download

June 15, 2018 08:54 PM

The CentOS Atomic SIG has released an updated version of CentOS Atomic Host (7.1805), a lean operating system designed to run Linux containers, built from standard CentOS 7 RPMs, and tracking the component versions included in Red Hat Enterprise Linux Atomic Host.

CentOS Atomic Host includes these core component versions:

  • atomic-1.22.1-3.git2fd0860.el7.x86_64
  • cloud-init-0.7.9-24.el7.centos.x86_64
  • docker-1.13.1-63.git94f4240.el7.centos.x86_64
  • etcd-3.2.18-1.el7.x86_64
  • flannel-0.7.1-3.el7.x86_64
  • kernel-3.10.0-862.3.2.el7.x86_64
  • ostree-2018.1-4.el7.x86_64
  • rpm-ostree-client-2018.1-1.atomic.el7.x86_64

Download CentOS Atomic Host

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted Vagrant box, or as an installable ISO, qcow2 or Amazon Machine image. For links to media, see the CentOS wiki.

Upgrading

If you’re running a previous version of CentOS Atomic Host, you can upgrade to the current image by running the following command:

# atomic host upgrade

Release Cycle

The CentOS Atomic Host image follows the upstream Red Hat Enterprise Linux Atomic Host cadence. After sources are released, they’re rebuilt and included in new images. After the images are tested by the SIG and deemed ready, we announce them.

Getting Involved

CentOS Atomic Host is produced by the CentOS Atomic SIG, based on upstream work from Project Atomic. If you’d like to work on testing images, help with packaging, documentation – join us!

You’ll often find us in #atomic and/or #centos-devel if you have questions. You can also join the atomic-devel mailing list if you’d like to discuss the direction of Project Atomic, its components, or have other questions.

Getting Help

If you run into any problems with the images or components, feel free to ask on the centos-devel mailing list.

Have questions about using Atomic? See the atomic mailing list or find us in the #atomic channel on Freenode.

June 05, 2018

CentOS Pulse Newsletter Rebooted

June 05, 2018 03:02 PM

After an 8 year silence, we're pleased to announce that the CentOS Pulse Newsletter is coming back to life.

This release is packed with information from the CentOS Community, including events, reports from our SIGs (Special Interest Groups) and information about the release of CentOS 7.5.1804.

You can read the newsletter at https://wiki.centos.org/Newsletter/1801

More information about the newsletter, and how you can contribute to future editions, is available at http://wiki.centos.org/Newsletter

Subscribe to the newsletter mailing list at https://lists.centos.org/mailman/listinfo/centos-newsletter, or by sending an empty message to centos-newsletter-subscribe@centos.org, to ensure you never miss an edition.

We always welcome comments and suggestions.

Enjoy the read.

The Newsletter Team

 

May 23, 2018

CentOS Atomic Host 7.1804 Available for Download

May 23, 2018 04:17 PM

The CentOS Atomic SIG has released an updated version of CentOS Atomic Host (7.1804), a lean operating system designed to run Linux containers, built from standard CentOS 7 RPMs, and tracking the component versions included in Red Hat Enterprise Linux Atomic Host.

This release, which is based on the RHEL 7.5 source code, now ships without any baked-in Kubernetes rpms, which makes it simpler for users to layer their preferred Kubernetes or OpenShift packages onto the host.

CentOS Atomic Host includes these core component versions:

  • atomic-1.22.1-3.git2fd0860.el7.x86_64
  • cloud-init-0.7.9-24.el7.centos.x86_64
  • docker-1.13.1-63.git94f4240.el7.centos.x86_64
  • etcd-3.2.18-1.el7.x86_64
  • flannel-0.7.1-3.el7.x86_64
  • kernel-3.10.0-862.2.3.el7.x86_64
  • ostree-2018.1-4.el7.x86_64
  • rpm-ostree-client-2018.1-1.atomic.el7.x86_64

Download CentOS Atomic Host

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted Vagrant box, or as an installable ISO, qcow2 or Amazon Machine image. For links to media, see the CentOS wiki.

Upgrading

If you’re running a previous version of CentOS Atomic Host, you can upgrade to the current image by running the following command:

# atomic host upgrade

Release Cycle

The CentOS Atomic Host image follows the upstream Red Hat Enterprise Linux Atomic Host cadence. After sources are released, they’re rebuilt and included in new images. After the images are tested by the SIG and deemed ready, we announce them.

Getting Involved

CentOS Atomic Host is produced by the CentOS Atomic SIG, based on upstream work from Project Atomic. If you’d like to work on testing images, help with packaging, documentation – join us!

You’ll often find us in #atomic and/or #centos-devel if you have questions. You can also join the atomic-devel mailing list if you’d like to discuss the direction of Project Atomic, its components, or have other questions.

Getting Help

If you run into any problems with the images or components, feel free to ask on the centos-devel mailing list.

Have questions about using Atomic? See the atomic mailing list or find us in the #atomic channel on Freenode.

May 19, 2018

Updated CentOS Vagrant Images Available (v1804.02)

May 19, 2018 07:45 AM

We are pleased to announce new official Vagrant images of CentOS Linux 6.9 and CentOS Linux 7.5.1804 for x86_64 (based on the sources of RHEL 7.5). All included packages have been updated to 12th May 2018.

Notable Changes

The IO scheduler is now set to noop, according to Red Hat recommendations.

Known Issues

  1. The VirtualBox Guest Additions are not preinstalled; if you need them for shared folders, please install the vagrant-vbguest plugin and add the following line to your Vagrantfile:
    config.vm.synced_folder ".", "/vagrant", type: "virtualbox"

    We recommend using NFS instead of VirtualBox shared folders if possible; you can also use the vagrant-sshfs plugin, which, unlike NFS, works on all operating systems.

  2. Since the Guest Additions are missing, our images are preconfigured to use rsync for synced folders. Windows users can either use SMB for synced folders, or disable the sync directory by adding the line
    config.vm.synced_folder ".", "/vagrant", disabled: true

    to their Vagrantfile, to prevent errors on "vagrant up".

  3. Vagrant 1.8.5 is unable to create new CentOS Linux boxes due to Vagrant bug #7610
  4. Vagrant 1.8.7 is unable to download or update boxes due to Vagrant bug #7969.
  5. Vagrant 1.9.1 broke private networking, see Vagrant bug #8166
  6. Vagrant 1.9.3 doesn't work with SMB sync due to Vagrant bug #8404
  7. The vagrant-libvirt plugin is only compatible with Vagrant 1.5 to 1.8
  8. Installing open-vm-tools is not enough for enabling shared folders with Vagrant’s VMware provider. Please follow the detailed instructions in https://github.com/mvermaes/centos-vmware-tools (updated for this release).
  9. Some people reported "could not resolve host" errors when running the centos/7 image for VirtualBox on Windows hosts. Try adding the following line to your Vagrantfile:
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "off"]

Recommended Setup on the Host

Our automatic testing is running on a CentOS Linux 7 host, using Vagrant 1.9.4 with vagrant-libvirt and VirtualBox 5.1.20 (without the Guest Additions) as providers. We strongly recommend using the libvirt provider when stability is required.

Downloads

The official images can be downloaded from Vagrant Cloud. We provide images for HyperV, libvirt-kvm, VirtualBox and VMware.

If you never used our images before:

vagrant box add centos/6 # for CentOS Linux 6, or...
vagrant box add centos/7 # for CentOS Linux 7

Existing users can upgrade their images:

vagrant box update --box centos/6
vagrant box update --box centos/7

Verifying the integrity of the images

The SHA256 checksums of the images are signed with the CentOS 7 Official Signing Key. First, download and verify the checksum file:

$ curl http://cloud.centos.org/centos/7/vagrant/x86_64/images/sha256sum.txt.asc -o sha256sum.txt.asc
$ gpg --verify sha256sum.txt.asc

Once you are sure that the checksums are properly signed by the CentOS Project, you have to include them in your Vagrantfile (Vagrant unfortunately ignores checksum provided from the command line). Here's the relevant snippet from my own Vagrantfile, using v1803.01 and VirtualBox:

Vagrant.configure(2) do |config|
  config.vm.box = "centos/7"

  config.vm.provider :virtualbox do |virtualbox, override|
    virtualbox.memory = 1024
    override.vm.box_download_checksum_type = "sha256"
    override.vm.box_download_checksum = "b24c912b136d2aa9b7b94fc2689b2001c8d04280cf25983123e45b6a52693fb3"
    override.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1803_01.VirtualBox.box"
  end
end

Feedback

If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or via IRC, in #centos on Freenode.

Acknowledgements

We would like to warmly thank Fabian Arrotin and Thomas Oulevey for their work on the build infrastructure, as well as Patrick Lang from Microsoft for testing and feedback on the Hyper-V images.

We would also like to thank the following people (listed alphabetically):

  • Graham Mainwaring, for helping with tests and validations;
  • Michael Vermaes, for testing our official images, as well as for writing the detailed guide to using them with VMware Fusion Pro and VMware Workstation Pro;
  • Kirill Kalachev, for reporting and debugging the host name errors with VirtualBox on Windows hosts.

May 17, 2018

CentOS Dojo at DevConf.us, August 16th in Boston

May 17, 2018 04:46 PM

This year, DevConf.us will be held at Boston University, August 17th through 19th.

We've secured some space on the day before - Thursday, August 16th - and will be holding a CentOS Dojo. Further details will appear on the event website as they are available.

The call for papers is now open, and will close on June 17th, so that we have plenty of time to promote the schedule. We're particularly interested in presentations about the use of CentOS (or RHEL, or Fedora) in education and research, but we welcome all of your submissions related to CentOS.

CentOS Dojos are gatherings of CentOS (and Linux in general) enthusiasts, to share stories and techniques, and learn about the many technologies that are developed on this platform.

May 15, 2018

Testing armhfp devices

May 15, 2018 04:35 PM

7.5.1804 is a big one. For the first time, we have a release for armhfp completely lined up with x86_64, but that also means a lot of changes.
To make things a bit more complicated, the arm world is not exactly uniform: there are many vendors, chip manufacturers and chip versions, and that makes testing an absolute mess.
This post is a call to share your experiences, tests and mainly, problems (it would be great if you also had the solutions, but that is rather optimistic). What we'd like is to know what device you use, which components work, which don't and what you've done so far.
Here's an example of what we'd like:

BananaPi M1: boots ok, with uboot from the rpm, ethernet works, SATA works.
BananaPi M3: has problems with the provided uboot, although it works ok with uboot version 2018.05 (this is actually true, and will be fixed shortly), ethernet not working (needs kernel 4.16+), multicore not working (needs kernel 4.18+), SATA untested.
BananaPi M2U: uboot works, but needs kernel 4.15+ to work

You can find us here, at the mailing list https://lists.centos.org/mailman/listinfo/arm-dev, at #centos-arm on irc, or if you want to read a bit before asking, check https://wiki.centos.org/SpecialInterestGroup/AltArch/armhfp.
Thank you for helping us make CentOS Linux the best distribution we can.

 

Pablo

May 14, 2018

CERN Dojo, October 19th, 2018

May 14, 2018 06:27 PM

On October 19th, 2018, we will once again be hosting a CentOS Dojo at CERN, in Meyrin, Switzerland. This will be a full day of CentOS presentations, drawn both from CERN and from the broader CentOS community.

The call for papers is now open. We're looking for talks about anything CentOS related, but we're particularly interested in:

  • OpenStack, and other cloud platforms
  • Ceph, and other software defined storage solutions
  • Configuration management tools
  • HPC, and other aspects of research computing

CERN is one of the best-known research facilities on the planet, and the home of the Large Hadron Collider.

CentOS Dojos are the best place to meet other members of the CentOS community, and the various communities - such as OpenStack and Ceph - that have a large overlap with CentOS.

May 10, 2018

CentOS 7.5.1804 released

May 10, 2018 04:46 PM

The CentOS community is pleased to announce the immediate availability of CentOS 7.5.1804 to a mirror server near you.

CentOS 7.5.1804 is a rebuild of the Red Hat Enterprise Linux 7.5 release on April 4th, 2018. For complete release notes, please see https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.1804. You can also read the announcement on the CentOS-Announce mailing list.

To update your 7.4.1708 system to 7.5.1804, use the following procedure:

First, ask your system what version you’re on now:

$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

Next, upgrade with:

$ sudo yum clean all
$ sudo yum upgrade
$ sudo systemctl reboot

Finally, once this is done, you can verify that you’re running the latest build with:

$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

We would love to hear your feedback on this new release. There are a lot of ways to do this:

  • Mailing lists: https://lists.centos.org/mailman/listinfo
  • Twitter: @CentOSProject
  • Forums: https://www.centos.org/forums/
  • Facebook: https://www.facebook.com/groups/centosproject/
  • IRC: #centos-devel on the Freenode IRC network

Thanks for using CentOS!

April 17, 2018

YUM4/DNF for CentOS 7 updates

April 17, 2018 05:39 AM

I am pleased to announce some significant updates to our ConfigManagement Special Interest Group for YUM4.  This provides YUM4, based on DNF technology, for testing on CentOS Linux 7/x86_64.  These updates are based on feedback from our prior test release last October. It includes signed packages, core DNF plugins, and uses a version of RPM very similar to and compatible with the upcoming version of CentOS 7.5.

This initiative is based on a partnership with the upstream YUM and DNF maintainers for the future of package management.  Our testing thus far indicates no major problems, but we would love to find out how it fits into your existing YUM 3 workflows. So please consider filling out the short survey - your feedback helps us all get better.

YUM 4 provides significant improvements such as fast dependency resolution and a stable, documented API. See the references below for detailed improvements. We have made every effort to preserve the existing end-user experience that is available with YUM 3. This is the primary reason for making YUM 4 available for testing now.

“What’s with the YUM4 name?”

We recognize that we need to enable users to test YUM4 (/usr/bin/yum4) within their existing workflows in order to fully understand compatibility while retaining YUM version 3 (/usr/bin/yum) as the default.  Yes, they can both be used on the same system, switching back and forth.  We do not recommend this behavior, but it should work with the only known issue being that each version retains its own separate history.  So using the Rollback capability is not recommended as each version will not be aware of the other’s history. Note that the YUM4 name is temporary for the coexistence of versions 3 & 4.

“So, what all has changed?”

The documentation does a great job explaining the differences in great detail. In short, your existing experience using yum to install, remove, and update is identical. However, there are changes: some of the plugins and yum utilities are now consolidated into `dnf-plugins-core`, and some of the yum CLI options have changed and are either converted for you automatically or silently ignored when that behavior is automatically included. Existing custom plugins written for YUM 3 will not work with YUM 4. Please reference the DNF API Reference and Changes in DNF hook API compared to YUM 3 links for further information.

“I found a bug, what should I do?”

Please report any found bugs on Red Hat Bugzilla against Fedora/dnf component (make sure to mention versions and that you use package from CentOS).

And remember to submit feedback in the short survey to help us understand how it can be improved further.

“Three step install, get started right away”

# yum install centos-release-yum4
# yum install yum4
# yum4 install dnf-plugins-core

“I was already testing a previous version of YUM4.  How do I update?”

# yum4 update centos-release-yum4
# yum4 update yum4

 

Many thanks to the CentOS Project team for their assistance in making this happen!

April 10, 2018

Updated CentOS Vagrant Images Available (v1803.01)

April 10, 2018 07:08 PM

We are pleased to announce new official Vagrant images of CentOS Linux 6.9 and CentOS Linux 7.4.1708 for x86_64 (based on the sources of RHEL 7.4). All included packages have been updated to 3rd April 2018.

Known Issues

  1. The VirtualBox Guest Additions are not preinstalled; if you need them for shared folders, please install the vagrant-vbguest plugin and add the following line to your Vagrantfile:
    config.vm.synced_folder ".", "/vagrant", type: "virtualbox"

    We recommend using NFS instead of VirtualBox shared folders if possible; you can also use the vagrant-sshfs plugin, which, unlike NFS, works on all operating systems.

  2. Since the Guest Additions are missing, our images are preconfigured to use rsync for synced folders. Windows users can either use SMB for synced folders, or disable the sync directory by adding the line
    config.vm.synced_folder ".", "/vagrant", disabled: true

    to their Vagrantfile, to prevent errors on "vagrant up".

  3. Vagrant 1.8.5 is unable to create new CentOS Linux boxes due to Vagrant bug #7610
  4. Vagrant 1.8.7 is unable to download or update boxes due to Vagrant bug #7969.
  5. Vagrant 1.9.1 broke private networking, see Vagrant bug #8166
  6. Vagrant 1.9.3 doesn't work with SMB sync due to Vagrant bug #8404
  7. The vagrant-libvirt plugin is only compatible with Vagrant 1.5 to 1.8
  8. Installing open-vm-tools is not enough for enabling shared folders with Vagrant’s VMware provider. Please follow the detailed instructions in https://github.com/mvermaes/centos-vmware-tools (updated for this release).
  9. Some people reported "could not resolve host" errors when running the centos/7 image for VirtualBox on Windows hosts. Try adding the following line to your Vagrantfile:
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "off"]

Recommended Setup on the Host

Our automatic testing is running on a CentOS Linux 7 host, using Vagrant 1.9.4 with vagrant-libvirt and VirtualBox 5.1.20 (without the Guest Additions) as providers. We strongly recommend using the libvirt provider when stability is required.

Downloads

The official images can be downloaded from Vagrant Cloud. We provide images for HyperV, libvirt-kvm, VirtualBox and VMware.

If you never used our images before:

vagrant box add centos/6 # for CentOS Linux 6, or...
vagrant box add centos/7 # for CentOS Linux 7

Existing users can upgrade their images:

vagrant box update --box centos/6
vagrant box update --box centos/7

Verifying the integrity of the images

The SHA256 checksums of the images are signed with the CentOS 7 Official Signing Key. First, download and verify the checksum file:

$ curl http://cloud.centos.org/centos/7/vagrant/x86_64/images/sha256sum.txt.asc -o sha256sum.txt.asc
$ gpg --verify sha256sum.txt.asc

If the check passed, you can use the corresponding checksum when downloading the image with Vagrant:

$ export box_checksum="4440a10744855ec2819d726074958ad6cff56bb5a616f6a45b0a42d602aa1154"
$ vagrant box add --checksum-type sha256 --checksum $box_checksum --provider libvirt --box-version 1803.01 centos/7

Feedback

If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or via IRC, in #centos on Freenode.

Acknowledgements

We would like to warmly thank Fabian Arrotin and Thomas Oulevey for their work on the build infrastructure, as well as Patrick Lang from Microsoft for testing and feedback on the Hyper-V images.

We would also like to thank the following people (listed alphabetically):

  • Graham Mainwaring, for helping with tests and validations;
  • Michael Vermaes, for testing our official images, as well as for writing the detailed guide to using them with VMware Fusion Pro and VMware Workstation Pro;
  • Kirill Kalachev, for reporting and debugging the host name errors with VirtualBox on Windows hosts.

April 09, 2018

Seven.centos.org is dead .. long life to blog.centos.org !

April 09, 2018 06:03 AM

When we initially launched seven.centos.org, the idea was just to have a single blog instance that CentOS Dev and QA team members could use to give feedback and also report status updates about the rebuild and testing of CentOS 7: that was an easy entry point for people wanting to know how far we were in the process, what to expect, etc. (and so give more transparency than during the CentOS 6 rebuild era) ... That was in 2014.

Then it continued to be used by some contributors who wanted to give hints or talk about CentOS 7 new features, but without having a personal blog (or if their personal blog wasn't aggregated through our http://planet.centos.org instance). As more and more people joined the CentOS SIGs, seven.centos.org was more and more used as a central blogging platform around the CentOS ecosystem, and so not really about the status of CentOS 7 itself anymore (which was released in July 2014). We even linked authentication against our (deployed in the meantime) https://accounts.centos.org (through OpenID).

So we thought it was time to rename it to blog.centos.org, to reflect the reality. All previous links/permalinks are still working, but default URL is now blog.centos.org.

Happy blogging !

April 06, 2018

CentOS Atomic Host 7.1803 Available for Download

April 06, 2018 01:34 AM

The CentOS Atomic SIG has released an updated version of CentOS Atomic Host (7.1803), a lean operating system designed to run Linux containers, built from standard CentOS 7 RPMs, and tracking the component versions included in Red Hat Enterprise Linux Atomic Host.

This release rolls up all package minor updates that shipped through the month of March, including, most significantly, a move to docker version 1.13.

CentOS Atomic Host includes these core component versions:

  • atomic-1.22.1-1.gitd36c015.el7.centos.x86_64
  • cloud-init-0.7.9-9.el7.centos.6.x86_64
  • docker-1.13.1-53.git774336d.el7.centos.x86_64
  • etcd-3.2.15-1.el7.x86_64
  • flannel-0.7.1-2.el7.x86_64
  • kernel-3.10.0-693.21.1.el7.x86_64
  • kubernetes-node-1.5.2-0.7.git269f928.el7.x86_64
  • ostree-2017.14-2.el7.x86_64
  • rpm-ostree-client-2017.11-1.atomic.el7.x86_64

Download CentOS Atomic Host

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted Vagrant box, or as an installable ISO, qcow2 or Amazon Machine image. For links to media, see the CentOS wiki.

Upgrading

If you're running a previous version of CentOS Atomic Host, you can upgrade to the current image by running the following command:

# atomic host upgrade

Release Cycle

The CentOS Atomic Host image follows the upstream Red Hat Enterprise Linux Atomic Host cadence. After sources are released, they're rebuilt and included in new images. After the images are tested by the SIG and deemed ready, we announce them.

Getting Involved

CentOS Atomic Host is produced by the CentOS Atomic SIG, based on upstream work from Project Atomic. If you'd like to work on testing images, help with packaging, documentation -- join us!

You'll often find us in #atomic and/or #centos-devel if you have questions. You can also join the atomic-devel mailing list if you'd like to discuss the direction of Project Atomic, its components, or have other questions.

Getting Help

If you run into any problems with the images or components, feel free to ask on the centos-devel mailing list.

Have questions about using Atomic? See the atomic mailing list or find us in the #atomic channel on Freenode.

April 03, 2018

SuperComputing is #PoweredByCentOS

April 03, 2018 07:36 PM

Last week I, and one of my colleagues, had the opportunity to attend SuperComputing Asia in Singapore. The great thing about the various SuperComputing conferences is getting to see what amazing things people are doing with HPC (High Performance Computing) to make the world a better place. This was very much the case last week at SC-Asia.

We had the opportunity to interview three people who are using HPC to solve real world problems, and I wanted to share those interviews with you.

First we spoke with Abhishek Saha who is an engineering student at National University of Singapore. He's working with the  Hydroinformatics Institute of Singapore to simulate water run-off across the entire island, to propose solutions for flooding.

Next, we spoke with Nick Zang who is a research fellow at Nanyang Technological University. He's investigating jet engine noise, and ways of reducing that noise:

Finally, we spoke with Yap Jia Qing, who is the Founder & CEO of Nurture.AI, an organization dedicated to encouraging AI researchers to publish their findings in AI along with open source implementations of the research, in order to reduce the burden of reproducing, and then building on, that research. This, in turn, greatly accelerates the progress of AI research.

The first two of these researchers are using CentOS in their supercomputing infrastructures, as well as using the large CentOS infrastructure at the National SuperComputing Center. Nurture.ai is an Ubuntu shop. All of the work from all three of these projects is open source, in an effort to accelerate research and implementations.

March 26, 2018

CentOS Linux can only come from the CentOS Project

March 26, 2018 09:00 AM

An open letter from the CentOS Board.

We didn’t think we would have to say this, but here it is:

A rebuild of CentOS Linux is NOT CentOS Linux.

We can’t tell you how good a particular rebuild is, but we can definitely tell you one thing:  if we didn’t build it, it is not CentOS Linux.

The CentOS Project trademark guidelines make it clear that no one has the project’s permission to use the “CentOS” mark for software that is not built and signed by the project.

https://www.centos.org/legal/trademarks/

Unless the binaries are from the CentOS Project, it is not CentOS Linux. It should not be called “CentOS”. Doing so causes confusion with everyone. The only official maintainer of any images is the CentOS Project.

Other groups are welcome to take the CentOS sources, rebuild them, and produce their own modified distribution, as long as they do not call it CentOS or otherwise act without our permission in using the CentOS name. Such distributions are not CentOS, and they should have their own name.

Better yet, we welcome anyone to participate in the CentOS Project and to help us with CentOS Linux. To build something into CentOS Linux you need to be an active part of the community, such as these folks:

If you want your work with open source software to be included via one of the above or a new SIG, here’s where to start:

https://wiki.centos.org/SpecialInterestGroup

The value of CentOS Linux is in the community:  the participants and the users. When you use CentOS Linux you are part of a community full of people helping each other. You are using the platform that underlies so much upstream open source community development. That is the value of the trademark -- it says that you are getting the real software from the real community.

If you are interested in using (real) CentOS Linux in various places, you can find our software here:

https://www.centos.org/download/

March 10, 2018

Updated CentOS Vagrant Images Available (v1802.01)

March 10, 2018 07:55 AM

We are pleased to announce new official Vagrant images of CentOS Linux 6.9 and CentOS Linux 7.4.1708 for x86_64 (based on the sources of RHEL 7.4). All included packages have been updated to 28th February 2018.

Known Issues

  1. The VirtualBox Guest Additions are not preinstalled; if you need them for shared folders, please install the vagrant-vbguest plugin and add the following line to your Vagrantfile:
    config.vm.synced_folder ".", "/vagrant", type: "virtualbox"

    We recommend using NFS instead of VirtualBox shared folders if possible; you can also use the vagrant-sshfs plugin, which, unlike NFS, works on all operating systems.

  2. Since the Guest Additions are missing, our images are preconfigured to use rsync for synced folders. Windows users can either use SMB for synced folders, or disable the sync directory by adding the line
    config.vm.synced_folder ".", "/vagrant", disabled: true

    to their Vagrantfile, to prevent errors on "vagrant up".

  3. Vagrant 1.8.5 is unable to create new CentOS Linux boxes due to Vagrant bug #7610
  4. Vagrant 1.8.7 is unable to download or update boxes due to Vagrant bug #7969.
  5. Vagrant 1.9.1 broke private networking, see Vagrant bug #8166
  6. Vagrant 1.9.3 doesn't work with SMB sync due to Vagrant bug #8404
  7. The vagrant-libvirt plugin is only compatible with Vagrant 1.5 to 1.8
  8. Installing open-vm-tools is not enough for enabling shared folders with Vagrant’s VMware provider. Please follow the detailed instructions in https://github.com/mvermaes/centos-vmware-tools (updated for this release).
  9. Some people reported "could not resolve host" errors when running the centos/7 image for VirtualBox on Windows hosts. Try adding the following line to your Vagrantfile:
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "off"]

Recommended Setup on the Host

Our automatic testing is running on a CentOS Linux 7 host, using Vagrant 1.9.4 with vagrant-libvirt and VirtualBox 5.1.20 (without the Guest Additions) as providers. We strongly recommend using the libvirt provider when stability is required.

Downloads

The official images can be downloaded from Vagrant Cloud. We provide images for HyperV, libvirt-kvm, VirtualBox and VMware.

If you never used our images before:

vagrant box add centos/6 # for CentOS Linux 6, or...
vagrant box add centos/7 # for CentOS Linux 7

Existing users can upgrade their images:

vagrant box update --box centos/6
vagrant box update --box centos/7

Verifying the integrity of the images

The SHA256 checksums of the images are signed with the CentOS 7 Official Signing Key. First, download and verify the checksum file:

$ curl http://cloud.centos.org/centos/7/vagrant/x86_64/images/sha256sum.txt.asc -o sha256sum.txt.asc
$ gpg --verify sha256sum.txt.asc

If the check passed, you can use the corresponding checksum when downloading the image with Vagrant:

$ export box_checksum="4440a10744855ec2819d726074958ad6cff56bb5a616f6a45b0a42d602aa1154"
$ vagrant box add --checksum-type sha256 --checksum $box_checksum --provider libvirt --box-version 1801.02 centos/7

Feedback

If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or via IRC, in #centos on Freenode.

Acknowledgements

We would like to warmly thank Fabian Arrotin and Thomas Oulevey for their work on the build infrastructure, as well as Patrick Lang from Microsoft for testing and feedback on the Hyper-V images.

We would also like to thank the following people (listed alphabetically):

  • Graham Mainwaring, for helping with tests and validations;
  • Michael Vermaes, for testing our official images, as well as for writing the detailed guide to using them with VMware Fusion Pro and VMware Workstation Pro;
  • Kirill Kalachev, for reporting and debugging the host name errors with VirtualBox on Windows hosts.

March 06, 2018

CentOS Atomic Host 7.1802 Available for Download

March 06, 2018 10:29 PM

The CentOS Atomic SIG has released an updated version of CentOS Atomic Host (7.1802), a lean operating system designed to run Linux containers, built from standard CentOS 7 RPMs, and tracking the component versions included in Red Hat Enterprise Linux Atomic Host.

This release rolls up all package minor updates that shipped through the month of February, including, most significantly, a newer version of rpm-ostree with support for overriding base packages during package layering operations. (see below for more details)

CentOS Atomic Host includes these core component versions:

  • atomic-1.20.1-9.git436cf5d.el7.centos.x86_64
  • cloud-init-0.7.9-9.el7.centos.2.x86_64
  • docker-1.12.6-71.git3e8e77d.el7.centos.1.x86_64
  • etcd-3.2.11-1.el7.x86_64
  • flannel-0.7.1-2.el7.x86_64
  • kernel-3.10.0-693.17.1.el7.x86_64
  • kubernetes-node-1.5.2-0.7.git269f928.el7.x86_64
  • ostree-2017.14-2.el7.x86_64
  • rpm-ostree-client-2017.11-1.atomic.el7.x86_64

rpm-ostree override

While it's been possible to layer new packages onto the base CentOS Atomic tree for some time now, overriding existing base packages with layered alternatives either wasn't possible or was considered experimental. Version 7.1802 now allows for overriding base packages.

For example, the origin-clients package that includes OpenShift Origin's "oc" tool conflicts with the kubernetes-client package included in the base tree. You can use package layering and overrides to install the openshift-release rpm, remove the conflicting rpms, and install the origin-clients rpm:

# rpm-ostree install centos-release-openshift-origin
# rpm-ostree override remove kubernetes-client kubernetes-node -r

# rpm-ostree install origin-clients -r

# oc cluster up
Starting OpenShift using openshift/origin:v3.7.0 ...
Pulling image openshift/origin:v3.7.0
...

Download CentOS Atomic Host

CentOS Atomic Host is available as a VirtualBox or libvirt-formatted Vagrant box, or as an installable ISO, qcow2 or Amazon Machine image. For links to media, see the CentOS wiki.

Upgrading

If you're running a previous version of CentOS Atomic Host, you can upgrade to the current image by running the following command:

# atomic host upgrade

Release Cycle

The CentOS Atomic Host image follows the upstream Red Hat Enterprise Linux Atomic Host cadence. After sources are released, they're rebuilt and included in new images. After the images are tested by the SIG and deemed ready, we announce them.

Getting Involved

CentOS Atomic Host is produced by the CentOS Atomic SIG, based on upstream work from Project Atomic. If you'd like to work on testing images, help with packaging, documentation -- join us!

The SIG meets every two weeks as part of the Project Atomic community meeting at 16:00 UTC on Monday in the #atomic channel. You'll often find us in #atomic and/or #centos-devel if you have questions. You can also join the atomic-devel mailing list if you'd like to discuss the direction of Project Atomic, its components, or have other questions.

Getting Help

If you run into any problems with the images or components, feel free to ask on the centos-devel mailing list.

Have questions about using Atomic? See the atomic mailing list or find us in the #atomic channel on Freenode.

February 22, 2018

Linchpin 1.5 release

February 22, 2018 08:15 PM

LinchPin is a simple and flexible hybrid cloud orchestration tool. Its intended purpose is managing cloud resources across multiple infrastructures. These resources can be provisioned, decommissioned, and configured all using declarative data and a simple command-line interface.

Linchpin recently released 1.5, and I had an opportunity to talk with Clint Savage earlier this week about Linchpin and what it offers the world.

You can read more about Linchpin at some of the following places:

Docs: http://linchpin.readthedocs.io
IRC: #linchpin on Freenode
Github: https://github.com/CentOS-PaaS-SIG/linchpin
Mailing list: https://www.redhat.com/mailman/listinfo/linchpin

Linchpin is part of the CentOS PaaS SIG, which you can read more about at https://wiki.centos.org/SpecialInterestGroup/PaaS/

Also, Clint wrote this great article last year, which will give you more background: https://opensource.com/article/17/6/linchpin

 

February 19, 2018

Using newer PHP stack (built and distributed by CentOS) on CentOS 7

February 19, 2018 11:00 PM

One thing that one has to like about an Enterprise distribution is the same stable API/ABI during the distro lifetime. If you have one application that works, you know that it will continue to work.

But in parallel, one can't always decide which application to run on that distro with the built-in components. I was personally faced with this recently, when I needed to migrate our Bug Tracker to a new version. So let's use that example to see how we can use "newer" php pkgs distributed through the distro itself.

The application that we use for https://bugs.centos.org is MantisBT, and by reading their requirements list it was clear that a CentOS 7 default setup would not work: as a reminder, the default php pkg for .el7 is 5.4.16, so not supported anymore by "modern" application[s].

That's where SCLs come to the rescue! With such "collections", one can install those without overwriting the base pkgs, and so can even run multiple parallel instances of such a "stack", based on configuration.

Let's just start simple with our MantisBT example: forget about the traditional php-* packages (including "php", which provides the mod_php for Apache). It's up to you to leave those installed if you need them, but in my case, I'll default to php 7.1.x for the whole vhost. It's also worth knowing that I wanted to integrate php with the default httpd from the distro (to ease the configuration management side, and to expect finding the .conf files at $usual_place).

The good news is that those collections are built and so then tested and released through our CentOS Infra, so you don't have to care about anything else ! (kudos to the SCLo SIG ! ). You can see the available collections here

So, how do we proceed ? easy ! First let's add the repository :

yum install centos-release-scl

And from that point, you can just install what you need. For our case, MantisBT needs php, php-xml, php-mbstring, php-gd (for the captcha, if you want to use it), and a DB driver, so php-mysql (if you target mysql, of course). You just have to "translate" that into SCL pkgs: in our case, php becomes rh-php71 (meta pkg), php-xml becomes rh-php71-php-xml and so on (one remark though: php-mysql became rh-php71-php-mysqlnd!)

So here we go :

yum install httpd rh-php71 rh-php71-php-xml rh-php71-php-mbstring rh-php71-php-gd rh-php71-php-soap rh-php71-php-mysqlnd rh-php71-php-fpm

As said earlier, we'll target the default httpd pkg from the distro , so we just have to "link" php and httpd. Remember that mod_php isn't available anymore, but instead we'll use the php-fpm pkg (see rh-php71-php-fpm) for this (so all requests are sent to that FastCGI Process Manager daemon)

Let's do this :

systemctl enable httpd --now
systemctl enable rh-php71-php-fpm --now
cat > /etc/httpd/conf.d/php-fpm.conf << EOF
AddType text/html .php 
DirectoryIndex index.php
<FilesMatch \.php$>
      SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
EOF
systemctl restart httpd

And from this point, it's all basic, and the application is now using the php 7.1.x stack. That's a basic "howto", but you can also run multiple versions in parallel, and also tune php-fpm itself. If you're interested, I'll let you read Remi Collet's blog post about this (Thank you again Remi !)

Hope this helps, as strangely I couldn't easily find a simple howto for this, as "scl enable rh-php71 bash" wouldn't help a lot with httpd (which is probably the most used scenario)

February 14, 2018

CentOS Dojo @ FOSDEM: Videos

February 14, 2018 09:12 PM

For those of you who were unable to attend the CentOS Dojo in Brussels, here are all of the videos from the event.

Subscribe to our YouTube at youtube.com/TheCentOSProject 

KB's "State of CentOS"

Bert Van Vreckem - Basic troubleshooting of network services

Thomas Oulevey - Anaconda addon development

Matthias Runge - Opstools SIG

Haikel Guemar - Metrics with Gnocchi

Colin Charles - Understanding the MySQL database ecosystem

Fabian Arrotin - Content caching

Sean O'Keeffee - Foreman and Katello

Tom Callaway  - Building modern code with devtoolset

Spyros Trigazis - Practical system containers with Atomic

Kris Buytaert - Deploying your SaaS stack OnPrem

February 06, 2018

FOSDEM 2018

February 06, 2018 08:25 PM

Another FOSDEM is history. I wanted to take a moment to thank all of the people that helped out at the CentOS table at FOSDEM, as well as at the Dojo before FOSDEM.

We had about 75 people in attendance at the Dojo on Friday, with 12 presentations from various speakers. Some of these presentations are already available on YouTube, with the rest coming over the next few days.

Traffic was steady at the CentOS table, from people new to Linux, all the way to 15-year CentOS sysadmin veterans. A huge thank you to everyone who dropped by and chatted with us.

If you missed FOSDEM and the Brussels Dojo, there's always other opportunities to meet CentOS people. This year we expect to have another 4 or 5 Dojos around the world, starting in Singapore next month, and moving on to Meyrin (Switzerland), Oak Ridge (USA), and Delhi (India). If you'd like to host a Dojo anywhere in the world, please get in touch with the Centos-Promo mailing list to see how we can help you achieve your goal. We can usually help find speakers, venues, and funding for your event.

January 20, 2018

Updated CentOS Vagrant Images Available (v1801.01)

January 20, 2018 05:27 PM

We are pleased to announce new official Vagrant images of CentOS Linux 6.9 and CentOS Linux 7.4.1708 for x86_64 (based on the sources of RHEL 7.4). All included packages have been updated to 9 January 2017 and include important fixes for the Meltdown and Spectre vulnerabilities affecting modern processors.

Known Issues

  1. The VirtualBox Guest Additions are not preinstalled; if you need them for shared folders, please install the vagrant-vbguest plugin and add the following line to your Vagrantfile:
    config.vm.synced_folder ".", "/vagrant", type: "virtualbox"

    We recommend using NFS instead of VirtualBox shared folders if possible; you can also use the vagrant-sshfs plugin, which, unlike NFS, works on all operating systems.

  2. Since the Guest Additions are missing, our images are preconfigured to use rsync for synced folders. Windows users can either use SMB for synced folders, or disable the sync directory by adding the line
    config.vm.synced_folder ".", "/vagrant", disabled: true

    to their Vagrantfile, to prevent errors on "vagrant up".

  3. Vagrant 1.8.5 is unable to create new CentOS Linux boxes due to Vagrant bug #7610
  4. Vagrant 1.8.7 is unable to download or update boxes due to Vagrant bug #7969.
  5. Vagrant 1.9.1 broke private networking, see Vagrant bug #8166
  6. Vagrant 1.9.3 doesn't work with SMB sync due to Vagrant bug #8404
  7. The vagrant-libvirt plugin is only compatible with Vagrant 1.5 to 1.8
  8. Installing open-vm-tools is not enough for enabling shared folders with Vagrant’s VMware provider. Please follow the detailed instructions in https://github.com/mvermaes/centos-vmware-tools (updated for this release).
  9. Some people reported "could not resolve host" errors when running the centos/7 image for VirtualBox on Windows hosts. Try adding the following line to your Vagrantfile:
    vb.customize ["modifyvm", :id, "--natdnshostresolver1", "off"]

Recommended Setup on the Host

Our automatic testing is running on a CentOS Linux 7 host, using Vagrant 1.9.4 with vagrant-libvirt and VirtualBox 5.1.20 (without the Guest Additions) as providers. We strongly recommend using the libvirt provider when stability is required.

Downloads

The official images can be downloaded from Vagrant Cloud. We provide images for HyperV, libvirt-kvm, VirtualBox and VMware.

If you never used our images before:

vagrant box add centos/6 # for CentOS Linux 6, or...
vagrant box add centos/7 # for CentOS Linux 7

Existing users can upgrade their images:

vagrant box update --box centos/6
vagrant box update --box centos/7

Verifying the integrity of the images

The SHA256 checksums of the images are signed with the CentOS 7 Official Signing Key. First, download and verify the checksum file:

$ curl http://cloud.centos.org/centos/7/vagrant/x86_64/images/sha256sum.txt.asc -o sha256sum.txt.asc
$ gpg --verify sha256sum.txt.asc

If the check passed, you can use the corresponding checksum when downloading the image with Vagrant:

$ export box_checksum="4440a10744855ec2819d726074958ad6cff56bb5a616f6a45b0a42d602aa1154"
$ vagrant box add --checksum-type sha256 --checksum $box_checksum --provider libvirt --box-version 1801.02 centos/7
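
The verification steps described in this announcement (and repeated in the other Vagrant image announcements on this page), as an added shell example that is not part of the original posts. `gpg --verify` on a clearsigned file only reports validity, so the functions below read the checksum from the text gpg itself emits as signed, and check which key made the signature. The function names, image file names, hashes and fingerprint in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the CentOS announcement.

# Constructed sample of a verified sha256sum.txt body (placeholder names/hashes).
sample_checksums() {
cat <<'EOF'
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  EXAMPLE-virtualbox.box
FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210 *EXAMPLE-libvirt.box
0123abcd  EXAMPLE-truncated.box
EOF
}

# Constructed sample of `gpg --status-file` output (placeholder fingerprint).
sample_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Example Signing Key <key@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2018-01-01 1514764800 0 4 0 1 8 01 0000111122223333444455556666777788889999
EOF
}

# checksum_for NAME
# Reads "HASH  NAME" lines on stdin and prints the hash for exactly NAME.
# Fails if the entry is missing, listed more than once, or not 64 hex digits.
checksum_for() {
    awk -v want="$1" '
        {
            name = $2
            sub(/^\*/, "", name)   # sha256sum marks binary mode with "*"
            if (name == want && length($1) == 64 && $1 !~ /[^0-9a-fA-F]/) {
                hash = tolower($1); hits++
            }
        }
        END {
            if (hits != 1) exit 1
            print hash
        }'
}

# signed_by FINGERPRINT
# Reads gpg status lines on stdin; succeeds only if a VALIDSIG line names
# FINGERPRINT as the signing key or as its primary key.
signed_by() {
    awk -v fpr="$(printf '%s' "${1:-}" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# signed_checksum ASC_FILE NAME FINGERPRINT
# Prints the checksum of NAME taken from the signed text of ASC_FILE.
# The text is captured first and used only after gpg has exited 0, because
# gpg can write the body before it reports a bad signature.
signed_checksum() {
    status=$(mktemp) || return 1
    rc=0
    body=$(gpg --batch --status-file "$status" --decrypt "$1" 2>/dev/null) || rc=$?
    if [ "$rc" -eq 0 ] && signed_by "${3:-}" < "$status"; then
        rm -f "$status"
        printf '%s\n' "$body" | checksum_for "$2"
    else
        rm -f "$status"
        return 1
    fi
}

# Usage (image name and key fingerprint are yours to supply):
#   sum=$(signed_checksum sha256sum.txt.asc IMAGE_NAME KEY_FINGERPRINT) &&
#     vagrant box add --checksum-type sha256 --checksum "$sum" --provider libvirt centos/7
```
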

Feedback

If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or via IRC, in #centos on Freenode.

Acknowledgements

We would like to warmly thank Fabian Arrotin and Thomas Oulevey for their work on the build infrastructure, as well as Patrick Lang from Microsoft for testing and feedback on the Hyper-V images.

We would also like to thank the following people (listed alphabetically):

  • Graham Mainwaring, for helping with tests and validations;
  • Michael Vermaes, for testing our official images, as well as for writing the detailed guide to using them with VMware Fusion Pro and VMware Workstation Pro;
  • Kirill Kalachev, for reporting and debugging the host name errors with VirtualBox on Windows hosts.

Update: this blog post was updated on Wednesday, January 24th to reflect a different checksum, as the image to use is 1801_02.

January 18, 2018

Diagnosing nf_conntrack/nf_conntrack_count issues on CentOS mirrorlist nodes

January 18, 2018 11:00 PM

Yesterday, I got alerts for some nodes in the CentOS Infra from our monitoring system, also confirmed by some folks reporting errors directly in our #centos-devel IRC channel on Freenode.

The impacted nodes were the nodes we use for mirrorlist service. For people not knowing what they are used for, here is a quick overview of what happens when you run "yum update" on your CentOS node :

  • yum analyzes the .repo files contained under /etc/yum.repos.d/
  • for CentOS repositories, it knows that it has to use a list of mirrors provided by a server hosted within the centos infra (mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra )
  • yum then contacts one of the servers behind "mirrorlist.centos.org" (we have 4 nodes so far : two in Europe and two in USA, all available over IPv4 and IPv6)
  • mirrorlist checks the src ip and sends back a list of current/up2date mirrors in the country (some GeoIP checks are done)
  • yum then opens connection to those validated mirrors

We monitor the response time for those services, and average response time is usually < 1sec (with some exceptions, mostly due to network latency for nodes in other continents). But yesterday the values were not only higher, but also even completely missing from our monitoring system, so no data received. Here is a graph from our monitoring/Zabbix server :

mirrorlist-response-time-error.png

So clearly something was happening, and it was time to also find some patterns. Also from our monitoring we discovered that the number of network connections tracked by the kernel was suddenly higher than usual. In fact, as soon as your node does some state tracking with netfilter (like for example -m state ESTABLISHED,RELATED ), it keeps that in memory. You can easily retrieve the number of actively tracked connections like this :

cat /proc/sys/net/netfilter/nf_conntrack_count 

So it's easy to guess what happens if the max (/proc/sys/net/netfilter/nf_conntrack_max) is reached : kernel drops packets (from dmesg):

nf_conntrack: table full, dropping packet

Depending on the available memory, you can get default values, which can be changed in real-time. Don't forget to then also tune the hash size (basic rule is nf_conntrack_max / 4). On the mirrorlist nodes, we had default values of 262144 (so yeah, keeping track of that amount of connections in memory), so to quickly get the service back in shape :

new_number="524288"
echo ${new_number} > /proc/sys/net/netfilter/nf_conntrack_max
echo $(( $new_number / 4 )) > /sys/module/nf_conntrack/parameters/hashsize

Other option was also to flush the table (you can do that with conntrack -F , tool from conntrack-tools package) but it's really only a temporary fix, and that will not help you getting the needed info for proper troubleshooting (see below)

Here is the Zabbix graph showing that for some nodes it was higher than default values, but now kernel wasn't dropping packets.

ip_conntrack_count.png

We could then confirm that service was then working fine (not "flapping" anymore).

So one can think that it was the only solution for the problem and stop investigation there. But what is the root cause of this ? What happened that opened so many (unclosed) connections to those mirrorlist nodes ? Let's dive into nf_conntrack table again !

Not only do you have the number of tracked connections (through /proc/sys/net/netfilter/nf_conntrack_count) but also the whole details about those. So let's dump that into a file for full analysis and try to find a pattern :

cat /proc/net/nf_conntrack > conntrack.list
cat conntrack.list |awk '{print $7}'|sed 's/src=//g'|sort|uniq -c|sort -n -r|head

Here we go : same range of IPs on all our mirrorlist servers having thousands of ESTABLISHED connections. Not going to give you all details about this (goal of this blog post isn't "finger pointing"), but we suddenly identified the issue. So we contacted the network team behind those identified IPs to report that behaviour, still to be tracked, but wondering myself if a Firewall doing NAT wasn't closing tcp connections at all, more to come.
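
An added example, not from the original post, that generalizes the one-liner above: it finds the first src= token by name instead of by column (UDP entries have no state column, so $7 is not the source there), can filter on a TCP state, and folds IPv4 sources into /24 networks so that a range of addresses shows up as one line. The function names are hypothetical and the sample lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Constructed sample in /proc/net/nf_conntrack format (documentation addresses).
sample_conntrack() {
cat <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=40001 dport=80 src=203.0.113.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431991 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=40002 dport=80 src=203.0.113.5 dst=192.0.2.10 sport=80 dport=40002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431992 ESTABLISHED src=192.0.2.11 dst=203.0.113.5 sport=40003 dport=80 src=203.0.113.5 dst=192.0.2.11 sport=80 dport=40003 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=198.51.100.7 dst=203.0.113.5 sport=40004 dport=80 src=203.0.113.5 dst=198.51.100.7 sport=80 dport=40004 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=198.51.100.9 dst=203.0.113.5 sport=5353 dport=53 [UNREPLIED] src=203.0.113.5 dst=198.51.100.9 sport=53 dport=5353 mark=0 zone=0 use=2
ipv6     10 tcp      6 431993 ESTABLISHED src=2001:0db8:0000:0000:0000:0000:0000:0001 dst=2001:0db8:0000:0000:0000:0000:0000:00ff sport=40005 dport=80 src=2001:0db8:0000:0000:0000:0000:0000:00ff dst=2001:0db8:0000:0000:0000:0000:0000:0001 sport=80 dport=40005 [ASSURED] mark=0 zone=0 use=2
EOF
}

# conntrack_sources [STATE]
# Reads conntrack lines on stdin and prints "COUNT SRC" for the
# original-direction source of each entry, highest count first.
# With STATE (e.g. ESTABLISHED), only TCP entries in that state are counted.
conntrack_sources() {
    awk -v want="${1:-}" '
    {
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^src=/) continue
            # TCP lines carry the state just before src=; UDP lines carry the timeout there.
            state = ($(i-1) ~ /^[A-Z][A-Z0-9_]*$/) ? $(i-1) : "-"
            if (want == "" || state == want) n[substr($i, 5)]++
            break   # only the first src= (original direction) is counted
        }
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# conntrack_networks [STATE]
# Same counts, with IPv4 sources folded into their /24 network.
# IPv6 sources are left as individual addresses.
conntrack_networks() {
    conntrack_sources "${1:-}" | awk '
    {
        net = $2
        if (split($2, o, ".") == 4) net = o[1] "." o[2] "." o[3] ".0/24"
        n[net] += $1
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Usage on a live node (as root):
#   conntrack_networks ESTABLISHED < /proc/net/nf_conntrack | head
```
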

At least mirrorlist response time is now back at usual state :

mirrorlist-response-time.png

So you can also let your configuration management now set those parameters through a dedicated .conf under /etc/sysctl.d/ to ensure that they'll be applied automatically.

January 09, 2018

Using a RaspberryPI3 as Unifi AP controller with CentOS 7

January 09, 2018 11:00 PM

That's something I should have blogged about earlier, but I almost forgot about it, until I read on twitter about other people having replaced their home network equipment with Ubnt/Ubiquiti gear, so I realized that it was on my 'TOBLOG' list.

During the winter holidays, the whole family was at home, and also with kids on the WiFi network. Of course I already had a different wlan for them, separated/segregated from the main one, but plenty of things weren't really working on that crappy device. So it was time to set up something else. I had the opportunity to play with some Ubiquiti devices in the past, so finding even an old Unifi UAP model was enough for my needs (just need an Access Point, routing/firewall being done on something else).

If you've already played with those tools, you know that you need a controller to set the devices up, and because it's 'only' a java/mongodb stack, I thought it would be trivial to set up on a low-end device like the RaspberryPi3 (not limited to that, so all armhfp boards on which you can run CentOS would work)

After having installed CentOS 7 armhfp minimal on the device, and once logged in, I just had to add the mandatory unofficial epel repository for mongodb

cat > /etc/yum.repos.d/epel.repo << EOF
[epel]
name=Epel rebuild for armhfp
baseurl=https://armv7.dev.centos.org/repodir/epel-pass-1/
enabled=1
gpgcheck=0

EOF

After that, I just installed what's required to run the application:

yum install mongodb mongodb-server java-1.8.0-openjdk-headless -y

The "interesting" part is that Ubnt now only provides .deb packages, so we just have to download/extract what we need (it's all java code) and start it:

tmp_dir=$(mktemp -d)
cd $tmp_dir
curl -O http://dl.ubnt.com/unifi/5.6.26/unifi_sysvinit_all.deb
ar vx unifi_sysvinit_all.deb
tar xvf data.tar.xz
mv usr/lib/unifi/ /opt/UniFi
cd /opt/UniFi/bin
/bin/rm -Rf $tmp_dir
ln -s /bin/mongod
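An added example, not part of the original post: the archive above is fetched over plain HTTP and unpacked as root, so this sketch checks it against a pinned SHA-256 before running the same ar/tar steps. The function names are hypothetical, and the expected digest is an assumption: it has to be a value you obtained from a channel you trust.

```shell
#!/bin/sh
# Added example: refuse to unpack a download whose SHA-256 does not match a pin.
# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch, 2 on a malformed pin
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject pins that are empty or contain non-hex characters.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed SHA-256 pin" >&2; return 2 ;;
    esac
    # Reject truncated pins: a SHA-256 digest is exactly 64 hex digits.
    [ "${#expected}" -eq 64 ] || { echo "SHA-256 pin must be 64 hex digits" >&2; return 2; }
    actual=$(sha256sum -- "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        return 1
    fi
}

# fetch_and_unpack URL EXPECTED_HEX DEST
# Downloads into a private temp dir, verifies, then extracts data.tar.xz into DEST.
fetch_and_unpack() {
    url=$1 pin=$2 dest=$3
    tmp_dir=$(mktemp -d) || return 2
    (
        cd "$tmp_dir" &&
        curl -fsSLO "$url" &&
        deb=$(basename "$url") &&
        verify_sha256 "$deb" "$pin" &&
        ar x "$deb" data.tar.xz &&
        mkdir -p "$dest" &&
        tar -xf data.tar.xz -C "$dest"
    )
    rc=$?
    rm -rf "$tmp_dir"
    return "$rc"
}

# Usage (placeholder digest, replace with the trusted value):
# fetch_and_unpack http://dl.ubnt.com/unifi/5.6.26/unifi_sysvinit_all.deb \
#     "<64-hex-digit SHA-256>" /tmp/unifi-extract
```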

You can start it "by hand" but let's create a simple systemd file and use it directly :

cat > /etc/systemd/system/unifi.service << EOF
[Unit]
Description=UBNT UniFi Controller
After=syslog.target network.target

[Service]
WorkingDirectory=/opt/UniFi
ExecStart=/usr/bin/java -jar /opt/UniFi/lib/ace.jar start
ExecStop=/usr/bin/java -jar /opt/UniFi/lib/ace.jar stop

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable unifi --now

Don't forget that :

  • it's "Java"
  • running on a slow armhfp processor

So that will take time to initialize. You can follow progress in /opt/UniFi/logs/server.log and wait for the TLS port to be opened :

while true ; do sleep 1 ; ss -tanp|grep 8443 && break ; done

Don't forget to open the needed ports in the firewall, and you can then reach the Unifi controller running on your armhfp board.

January 02, 2018

turn off unused GPU on the laptop

January 02, 2018 09:41 PM

Lots of us have dual graphics cards in the laptops these days, but almost everyone I know tends to use one or the other, hardly ever switching on the fly, since typical usage patterns tend to stick for periods of time.

One thing that almost no one seems to do however is turn off the unused gpu – when on the move, this can have a significant impact on your battery life.

On CentOS Linux 7, the way to do this would be something like this :

echo 'OFF' > /sys/kernel/debug/vgaswitcheroo/switch

And that's it: literally send it the OFF and the unused gpu is powered down.

You can also query the interface as follows:

# cat /sys/kernel/debug/vgaswitcheroo/switch

On my Thinkpad T460p it looks like this :

0:IGD:+:Pwr:0000:00:02.0
1:DIS: :DynOff:0000:02:00.0

For more info on the vgaswitcheroo, take a look at the kernel documentation, e.g. https://www.kernel.org/doc/html/v4.10/gpu/vga-switcheroo.html

Enjoy!

January 01, 2018

Lightweight CentOS 7 i686 desktop on older machine

January 01, 2018 11:00 PM

So, end of the year is always when you have some "time off" and so can work on various projects that were left behind. While searching for other hardware collecting dust in my furniture (other blog post coming soon about that too) I found my old Asus Eeepc 900 and was wondering if I could resurrect it.

While it was running CentOS 5 and then 6 "just fine", I wanted to give it a try with CentOS 7.

Of course, if you remember the specs from that ~2008 small netbook, you remember that it had :

  • slow cpu (Intel(R) Celeron(R) M processor 900MHz)
  • only 1Gb of ram
  • very limited disk space (ASUS-PHISON OB SSD 4GB + additional 8GB for my model)

Setting up the full Gnome3 experience on it would be completely useless and also unusable. So let's try to set up CentOS 7 AltArch minimal (needed as the cpu is only i686/32bits) and add what we need after that. So here we go:

  • Download the netinstall iso image (I used a "local" mirror for me, so http://mirror.nucleus.be/centos-altarch/7/isos/i386/CentOS-7-i386-NetInstall-1611.iso)
  • use dd to transfer it to a usb storage key
  • start the installer on the eeepc
  • wait .... wait .... wait ...

Once installed and up2date, one needs to add additional repositories that aren't there by default. As a reminder, there are no official Epel builds for i686 (same as for armhfp) but Johnny started to rebuild Epel SRPMs for that specific reason, so here we go:

cat > /etc/yum.repos.d/epel.repo << EOF
[epel]
name=Epel rebuild for i686
baseurl=https://buildlogs.centos.org/c7-epel/
enabled=1
gpgcheck=0

EOF

cat > /etc/yum.repos.d/kernel.repo << EOF
[kernel]
name=LTS kernel for i686
baseurl=https://buildlogs.centos.org/c7.1708.exp.i386/
enabled=1
gpgcheck=0

EOF

If you see the other kernel repository, that's because the needed ath5k kernel module for the Wifi device in the Eeepc isn't there in the default kernel nor available through elrepo, but it works with that 4.9.x LTS kernel we build and maintain/update for AltArch so let's use it.

We can install what we need (YMMV though) :

yum update -y
yum groupinstall -y 'X Window System'
yum install -y openbox lightdm lightdm-gtk 
systemctl enable lightdm.service
yum install -y tint2 terminator firefox terminus-fonts-console terminus-fonts network-manager-applet gnome-keyring dejavu-sans-fonts dejavu-fonts-common dejavu-serif-fonts dejavu-sans-mono-fonts open-sans-fonts overpass-fonts liberation-mono-fonts liberation-serif-fonts google-crosextra-caladea-fonts google-crosextra-carlito-fonts 

echo 'tint2 &' >> /etc/xdg/openbox/autostart
echo 'nm-applet &' >> /etc/xdg/openbox/autostart
systemctl reboot

The last line with tint2, terminator and firefox is purely optional, but that's what I needed on my eeepc. Same for network-manager-applet, but once installed, it gives you an easy-to-work-with applet integrated into the openbox environment.

You can then customize it, etc, but I like it so far for what I wanted to use that old netbook for:

(image: CentOS 7 i686 running on Asus Eeepc 900)

November 01, 2017

Community contributed Kickstarts for CentOS Linux

November 01, 2017 12:25 PM

hi,

At https://github.com/CentOS/Community-Kickstarts we’ve been collecting community contributed kickstarts for various roles, deployments and versions. If you are writing and/or using kickstarts in your setup, it would be awesome to have them hosted here as well; please feel free to send PRs. Just keep in mind a few basic things:

  • Kickstarts should end in .cfg or .ks
  • Generally should install from mirror.centos.org unless otherwise noted
  • If a hashed password is provided, include the plaintext version in a comment. Since these kickstarts are for example purposes, please use password or centos as the passwords as needed.
  • Kickstart names should provide a version and brief description, for example centos5-raid5.cfg or centos7-workstation.ks

Take a look at the README, which has a few more pieces of info about this repository: https://github.com/CentOS/Community-Kickstarts/blob/master/README.md


Last updated: July 15, 2018 06:30 PM