<?xml version="1.0"?>
<rss version="2.0">

<channel>
	<title>Planet CentOS</title>
	<link>http://planet.centos.org/</link>
	<language>en</language>
	<description>Planet CentOS - http://planet.centos.org/</description>

<item>
	<title>Johnny Hughes: DRBD 8.3.12 for CentOS-5 in testing</title>
	<guid>tag:blogger.com,1999:blog-7607366660500015746.post-175254253080275231</guid>
	<link>http://centosnow.blogspot.com/2012/01/drbd-8312-for-centos-5-in-testing.html</link>
	<description>The &lt;a href=&quot;http://elrepo.org/&quot; target=&quot;_blank&quot;&gt;ELRepo Project&lt;/a&gt; has DRBD packages for CentOS-5 and CentOS-6, named drbd83-utils or drbd84-utils.&amp;nbsp; The CentOS Project does not want to maintain extra packages that exist in other places unless we need to change them ... so we are not going to create DRBD packages for CentOS-6.&lt;br /&gt;&lt;br /&gt;Since CentOS-4 is being EOL'ed in less than a month, we are also not going to publish updates for the DRBD in CentOS-4.&lt;br /&gt;&lt;br /&gt;This leaves the DRBD for CentOS-5 that are part of CentOS Extras.&amp;nbsp; Since these have been released for CentOS-5, we will continue to maintain the DRBD version 8.3.x&amp;nbsp; tree (drbd83) in CentOS Extras.&lt;br /&gt;&lt;br /&gt;A new version of DRBD 8.3 (drbd83-8.3.12) has been released to the testing repository for CentOS-5.&amp;nbsp; You can see the details here:&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://lists.centos.org/pipermail/centos/2012-January/122793.html&quot; target=&quot;_blank&quot;&gt;DRBD 8.3.12 for CentOS-5&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you want to use DRBD 8.4.x for CentOS-5, rather than releasing it separately, the CentOS Project recommends that you use drbd84-utils from ELRepo (linked above).&lt;br /&gt;&lt;br /&gt;For users who want to use the drbd83-8.3.12 version ... please test the version that is currently in CentOS Testing and provide feedback.&amp;nbsp; With enough feedback I will move the packages from testing to CentOS Extras.</description>
	<pubDate>Mon, 30 Jan 2012 10:40:44 +0000</pubDate>
	<author>noreply@blogger.com (Johnny Hughes)</author>
</item>
<item>
	<title>Karanbir Singh: Communities and Questions</title>
	<guid>http://www.karan.org/blog/339@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2012/01/23/communities-and-questions</link>
	<description>&lt;p&gt;I am often surprised by the sort of questions asked in the forums or on irc around open source projects - it just feels as if people are going out of their way to inflict pain and suffering upon themselves by trying to find the most awkward and most complicated way to do things. So how can we better help these people? We don't need to save them or anything as drastic as that, it's just a case of being able to show or explain that there might be a better way.&lt;/p&gt;

&lt;p&gt;The first thing that I've started now doing, when asked a strange question is ask the person 'What are you really trying to achieve?'. You might be amazed how many times the answer has nothing to do with the question being asked. Try to establish what the end goal is, and in many cases it's clear that the person has been led astray by random posts on the internet, some of which are perfectly fine in their own context, but can be quite a kludge outside that context.&lt;/p&gt;

&lt;p&gt;Establishing clearly what the goal is before advice or opinion is thrown at people will always result in a better overall experience. And to the people spending their time in the irc channels, web forums and mailing lists helping others out: must respect. You guys are the ones making the idea of Communities and Open Source work.&lt;/p&gt;

&lt;p&gt;- KB&lt;/p&gt;</description>
	<pubDate>Mon, 23 Jan 2012 10:56:00 +0000</pubDate>
</item>
<item>
	<title>Fabian Arrotin: CentOS Automated QA explained …</title>
	<guid>http://www.arrfab.net/blog/?p=342</guid>
	<link>http://www.arrfab.net/blog/?p=342</link>
	<description>&lt;p&gt;While &lt;a href=&quot;http://centosnow.blogspot.com/2012/01/centos-in-2012.html&quot; target=&quot;_blank&quot;&gt;Johnny was explaining&lt;/a&gt; to the rest of the world how CentOS 6.1 and 6.2 were released, I received quite some questions about the QA tests and how they were performed. Well, let me explain in some words how it's now organized. Previously, there was only a Tests Matrix that was shared between the QA team members : each member of that group had access to the QA bits, could download/rsync the complete tree (with ISO images too) and do his tests, and then reported the results in one way or the other (irc, mailing-list). Of course it didn't scale out very well. Too much manual intervention, and when someone was busy with personal (or work related) issues, no feedback was coming back to the CentOS devteam.&lt;/p&gt;
&lt;p&gt;So during &lt;a href=&quot;http://archive.fosdem.org/2011/&quot; target=&quot;_blank&quot;&gt;Fosdem 2011&lt;/a&gt;, I had a meeting with &lt;a href=&quot;http://www.karan.org/blog/index.php&quot; target=&quot;_blank&quot;&gt;Karanbir&lt;/a&gt; to see how we could solve that issue and put automation in the QA loop. We dedicated some (old) machines to be used only for QA, and in a separate VLAN. Basically, here are the steps from the built bits to the QA reports.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The CentOS buildfarm (using the new build system called 'reimzul' and using &lt;a href=&quot;http://kr.github.com/beanstalkd/&quot; target=&quot;_blank&quot;&gt;beanstalkd&lt;/a&gt; as a queuing system) pushes automatically each new tree to the dedicated QA hardware&lt;/li&gt;
&lt;li&gt;There is a rsync post-xfer script that is launched from there that also uses beanstalkd and some workers (so we can scale out easily if we add machines)&lt;/li&gt;
&lt;li&gt;Each built and pushed tree/ISOs set has its own BuildTag (that is used to identify what was tested and when)&lt;/li&gt;
&lt;li&gt;Some tools (hosted in an internal Git repository) are then used to deploy some Virtual Machines (actually a mix of BareMetal and VMs : blade/Virtual Box/Xen/KVM) and send a report if the &quot;deploy VM step&quot; failed (VMs are installed through ISO/pxe boot/virt-install through http/ftp/nfs methods)&lt;/li&gt;
&lt;li&gt;A test suite (that we call the t_functional stack) is then copied from the local git repo to those newly deployed machines and each test is then run. From that point a report is then automatically sent to the QA mailing-list so that people can see the results, while the full log is available on QA head node.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The fact that we use two separate git repositories (one for the deploy/provisioning functions and another one for the tests themselves) was really a good thing, as it permitted some people to include their tests in the t_functional stack. For example, &lt;a href=&quot;http://athmane.wordpress.com/&quot; target=&quot;_blank&quot;&gt;Athmane&lt;/a&gt; did a great job writing/fixing some tests used for 6.1 and 6.2.&lt;/p&gt;
&lt;p&gt;More information to come later about how you (yes, *you*) can participate and contribute such CentOS QA auto-tests !&lt;/p&gt;</description>
	<pubDate>Mon, 09 Jan 2012 14:41:51 +0000</pubDate>
</item>
<item>
	<title>Jim Perrin: SSD performance tips for RHEL6 and Fedora</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-4637748541395648174</guid>
	<link>http://www.bit-integrity.com/2011/11/ssd-performance-tips-for-rhel6-and.html</link>
	<description>Solid State drives provide a pretty substantial performance boost over traditional hard drive technology, but they have some limitations that require some additional planning. There are basically two big things to do, enable discard/trim support in the filesystem, and limit write operations to the SSD. You want to enable discard to deal with underlying drive specific performance degradation</description>
	<pubDate>Wed, 04 Jan 2012 20:38:54 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Jim Perrin: Oracle RAC on RHEL6 and CentOS 6</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-791334351685772921</guid>
	<link>http://www.bit-integrity.com/2012/01/oracle-rac-on-rhel6-and-centos-6.html</link>
	<description>Oracle seems to be dragging its feet in certifying the enterprise linux 6 line (RHEL, CentOS, and similar) for use with its flagship database products, but that doesn't appear to be stopping the smart folks over at dell from putting together directions for getting it working.

Adam M has put together a nice piece on making Oracle and RAC work with RHEL 6, and done all the hard work for you. Have</description>
	<pubDate>Wed, 04 Jan 2012 10:46:59 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Johnny Hughes: CentOS in 2012</title>
	<guid>tag:blogger.com,1999:blog-7607366660500015746.post-2108114751256072709</guid>
	<link>http://centosnow.blogspot.com/2012/01/centos-in-2012.html</link>
	<description>The first thing I want to do is congratulate &lt;a href=&quot;http://www.karan.org/&quot; target=&quot;_blank&quot;&gt;Karanbir&lt;/a&gt; and Tasha on the birth of their new baby girl Millie.  She is quite cute ... hello Millie :)&lt;br /&gt;&lt;br /&gt;The &lt;a href=&quot;http://www.centos.org/&quot; target=&quot;_blank&quot;&gt;CentOS Project&lt;/a&gt; has spent much time and effort into getting a new &lt;a href=&quot;http://lists.centos.org/pipermail/centos-devel/2011-December/008462.html&quot; target=&quot;_blank&quot;&gt;build system&lt;/a&gt; in place for CentOS 6 that can generate good and timely builds, as well as inform us of newly released upstream SRPMS and keep the &lt;a href=&quot;http://qaweb.dev.centos.org/qa/&quot; target=&quot;_blank&quot;&gt;CentOS QA&lt;/a&gt; team informed when we build any new packages.&lt;br /&gt;&lt;br /&gt;The release of CentOS-6.2 on 12/20/2011, in less than 2 weeks and at the same time as Oracle's OEL as noted on &lt;a href=&quot;http://www.distrowatch.com/&quot; target=&quot;_blank&quot;&gt;Distrowatch&lt;/a&gt;, is where we would like to have all our future releases be.  I think that we should see the standard 2-4 week time frame for point releases and within 24 hours for updates now that we have this new build system in place.&lt;br /&gt;&lt;br /&gt;We have also put a &lt;a href=&quot;http://wiki.centos.org/AdditionalResources/Repositories/CR&quot; target=&quot;_blank&quot;&gt;Continuous Release (CR) repository&lt;/a&gt; in place for both CentOS 5 and CentOS 6.  This repository can be installed via the simple command:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;yum install centos-release-cr&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The purpose of the CR repository is to allow the CentOS Project to push some of the security updates if we are having issues with a point release build (like we did with both CentOS-6.0 and CentOS-6.1).  
If we are not going to meet the 2-4 week goal for our point release, we will push out the packages we have gotten to build properly while continuing to work on the problem packages.  This repository is totally optional and was not needed with CentOS-6.2, but we recommend it be installed if you want to get your security updates as fast as possible.&lt;br /&gt;&lt;br /&gt;Karanbir gets the credit for the new build system, called reimzul. It uses &lt;a href=&quot;http://kr.github.com/beanstalkd/&quot; target=&quot;_blank&quot;&gt;beanstalkd&lt;/a&gt; work queues and allows adding new builders to process the work as required.&lt;br /&gt;&lt;br /&gt;The build system has the flexibility to allow us to import SRPMS into a git repo for packages we want to change, generate a new SRPM after edits for those packages, and submit those modified SRPMS into the work queues.  It also allows for the submission of non-modified SRPMS directly without the need to import them into git.  It automates several things that we have done in the past by hand (automatically knowing which packages are not built by CentOS (for example the RHN packages that deal with upstream subscriptions) and automatically copies multilib 32bit packages into the 64 bit tree.  The system also reliably produces the Yum-Presto DeltaRPMS and metadata for minimizing  download times for updates.&lt;br /&gt;&lt;br /&gt;We do need to announce that CentOS-4 will be reaching the End Of Life at the end of February 2012.  That means that there will be no more CentOS-4 updates after March 1st, 2012.  If you are still using CentOS-4, you need to upgrade to CentOS-5 or CentOS-6 or switch to Red Hat's paid Extended Update Support for EL4 to continue to get updates.  
Please see the &lt;a href=&quot;http://lists.centos.org/pipermail/centos-announce/2011-December/018285.html&quot; target=&quot;_blank&quot;&gt;CentOS-4 EOL announcement&lt;/a&gt; for more details.&lt;br /&gt;&lt;br /&gt;So, news on the CentOS front for 2012 is very promising and we are looking forward to great things in the new year.</description>
	<pubDate>Tue, 03 Jan 2012 06:51:14 +0000</pubDate>
	<author>noreply@blogger.com (Johnny Hughes)</author>
</item>
<item>
	<title>Jeff Sheltren: Stop Disabling SELinux!</title>
	<guid>http://sheltren.com/3 at http://sheltren.com</guid>
	<link>http://sheltren.com/stop-disabling-selinux</link>
	<description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot;&gt;&lt;p&gt;I see a lot of people coming by #centos and similar channels asking for help when they’re experiencing a problem with their Linux system.  It amazes me how many people describe their problem, and then say something along the lines of, “and I disabled SELinux...”.  Most of the time SELinux has nothing to do with the problem, and if SELinux is the cause of the problem, why would you throw out the extra security by disabling it completely rather than configuring it to work with your application?  This may have made sense in the Fedora 3 days when selinux settings and tools weren’t quite as fleshed out, but the tools and the default SELinux policy have come a long way since then, and it’s very worthwhile to spend a little time to understand how to configure SELinux instead of reflexively disabling it.  In this post, I’m going to describe some useful tools for SELinux and walk through how to configure SELinux to work when setting up a Drupal web site using a local memcached server and a remote MySQL database server -- a pretty common setup for sites which receive a fair amount of traffic.&lt;/p&gt;
&lt;p&gt;This is by no means a comprehensive guide to SELinux; there are many of those already!&lt;br /&gt;&lt;a href=&quot;http://wiki.centos.org/HowTos/SELinux&quot;&gt;http://wiki.centos.org/HowTos/SELinux&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://fedoraproject.org/wiki/SELinux/Understanding&quot;&gt;http://fedoraproject.org/wiki/SELinux/Understanding&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://fedoraproject.org/wiki/SELinux/Troubleshooting&quot;&gt;http://fedoraproject.org/wiki/SELinux/Troubleshooting&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Too Long; Didn’t Read Version&lt;/h3&gt;
&lt;p&gt;If you’re in a hurry to figure out how to configure SELinux for this particular type of setup, on CentOS 6, you should be able to use the following two commands to get things working with SELinux:&lt;br /&gt;&lt;code&gt;# setsebool -P httpd_can_network_connect_db 1&lt;br /&gt;
# setsebool -P httpd_can_network_memcache 1&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Note that if you have files existing somewhere on your server and you move them to the webroot rather than untar them there directly, you may end up with SELinux file contexts set incorrectly on them which will likely deny access to apache to read those files.  If you are having a related problem, you’ll see something like this in your /var/log/audit/audit.log:&lt;br /&gt;&lt;code&gt;type=AVC msg=audit(1324359816.779:66): avc:  denied  { getattr } for  pid=3872 comm=&quot;httpd&quot; path=&quot;/var/www/html/index.php&quot; dev=dm-0 ino=549169 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;You can solve this by resetting the webroot to its default file context using the restorecon command:&lt;br /&gt;&lt;code&gt;# restorecon -rv /var/www/html&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Server Overview&lt;/h3&gt;
&lt;p&gt;I’m going to start with a CentOS 6 system configured with SELinux in targeted mode, which is the default configuration.  I’m going to be using httpd, memcached, and PHP from the CentOS base repos, though the configuration wouldn’t change if you were to use the IUS PHP packages.  MySQL will be running on a remote server which gives improved performance, but means a bit of additional SELinux configuration to allow httpd to talk to a remote MySQL server.  I’ll be using Drupal 7 in this example, though this should apply to Drupal 6 as well without any changes.&lt;/p&gt;
&lt;h3&gt;Initial Setup&lt;/h3&gt;
&lt;p&gt;Here we will setup some prerequisites for the website.  If you already have a website setup you can skip this section.&lt;/p&gt;
&lt;p&gt;We will be using tools such as audit2allow which is part of the policycoreutils-python package.  I believe this is typically installed by default, but if you did a minimal install you may not have it.&lt;br /&gt;&lt;code&gt;# yum install policycoreutils-python&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Install the needed apache httpd, php, and memcached packages:&lt;br /&gt;&lt;code&gt;# yum install php php-pecl-apc php-mbstring php-mysql php-pecl-memcache php-gd php-xml httpd memcached&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Startup memcached.  The CentOS 6 default configuration for memcached only listens on 127.0.0.1, this is great for our testing purposes.  The default of 64M of RAM may not be enough for a production server, but for this test it will be plenty. We’ll just start up the service without changing any configuration values:&lt;br /&gt;&lt;code&gt;# service memcached start&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Startup httpd.  You may have already configured apache for your needs, if not, the default config should be enough for the site we’ll be testing.&lt;br /&gt;&lt;code&gt;# service httpd start&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;
If you are using a firewall, then you need to allow at least port 80 through so that you can access the website -- I won’t get into that configuration here.&lt;/p&gt;
&lt;p&gt;Install Drupal.  I’ll be using the latest Drupal 7 version (7.9 as of this writing).  Direct link: &lt;a href=&quot;http://ftp.drupal.org/files/projects/drupal-7.9.tar.gz&quot;&gt;http://ftp.drupal.org/files/projects/drupal-7.9.tar.gz&lt;/a&gt;&lt;br /&gt;
Download the tarball, and expand it to the apache web root.  I also use the --strip-components=1 argument to strip off the top level directory, otherwise it would expand into /var/www/html/drupal-7.9/&lt;br /&gt;&lt;code&gt;# tar zxf drupal-7.9.tar.gz -C /var/www/html --strip-components=1&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;
Also, we need to get the Drupal site ready for install by creating a settings.php file writable by apache, and also create a default files directory which apache can write to.&lt;br /&gt;&lt;code&gt;# cd /var/www/html/sites/default/&lt;br /&gt;
# cp default.settings.php settings.php&lt;br /&gt;
# chgrp apache settings.php &amp;amp;&amp;amp; chmod 660 settings.php&lt;br /&gt;
# install -d -m 775 -g apache files&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Setup a database and database user on your MySQL server for Drupal.  This would be something like this:&lt;br /&gt;&lt;code&gt;mysql&amp;gt; CREATE DATABASE drupal;&lt;br /&gt;
mysql&amp;gt; GRANT ALL ON drupal.* TO drupal_rw@web-server-ip-here IDENTIFIED BY 'somepassword';&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Test this out by using the mysql command line tool on the web host.&lt;br /&gt;&lt;code&gt;# mysql -u drupal_rw -p -h mysql-server-hostname-here drupal&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;That should connect you to the remote MySQL server.  Be sure that is working before you proceed.&lt;/p&gt;
&lt;h3&gt;Now for the Fun Stuff&lt;/h3&gt;
&lt;p&gt;If you visit your new Drupal site at &lt;a href=&quot;http://your-hostname-here&quot;&gt;http://your-hostname-here&lt;/a&gt;, you’ll be presented with the Drupal installation page.  Click ahead a few times, setup your DB info on the Database Configuration page -- you need to expand “Advanced Options” to get to the hostname field since it assumes localhost.  When you click the button to proceed, you’ll probably get an unexpected error that it can’t connect to your database -- this is SELinux doing its best to protect you!&lt;/p&gt;
&lt;h3&gt;Allowing httpd to Connect to a Remote Database&lt;/h3&gt;
&lt;p&gt;So what just happened?  We know the database was setup properly to allow access from the remote web host, but Drupal is complaining that it can’t connect.  First, you can look in /var/log/audit/audit.log which is where SELinux will log access denials.  If you grep for ‘httpd’ in the log, you’ll see something like the following:&lt;br /&gt;&lt;code&gt;# grep httpd /var/log/audit/audit.log&lt;br /&gt;
type=AVC msg=audit(1322708342.967:16804): avc:  denied  { name_connect } for  pid=2724 comm=&quot;httpd&quot; dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;That is telling you, in SELinux gibberish language, that the httpd process was denied access to connect to a remote MySQL port.  For a better explanation of the denial and some potential fixes, we can use the ‘audit2why’ utility:&lt;br /&gt;&lt;code&gt;# grep httpd /var/log/audit/audit.log | audit2why&lt;br /&gt;
type=AVC msg=audit(1322708342.967:16804): avc:  denied  { name_connect } for  pid=2724 comm=&quot;httpd&quot; dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;	Was caused by:&lt;br /&gt;
	One of the following booleans was set incorrectly.&lt;br /&gt;
	Description:&lt;br /&gt;
	Allow HTTPD scripts and modules to connect to the network using TCP.&lt;/p&gt;
&lt;p&gt;	Allow access by executing:&lt;br /&gt;
	# setsebool -P httpd_can_network_connect 1&lt;br /&gt;
	Description:&lt;br /&gt;
	Allow HTTPD scripts and modules to connect to databases over the network.&lt;/p&gt;
&lt;p&gt;	Allow access by executing:&lt;br /&gt;
	# setsebool -P httpd_can_network_connect_db 1&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;audit2why will analyze the denial message you give it and potentially explain ways to correct it if it is something you would like to allow.  In this case, there are two built in SELinux boolean settings that could be enabled for this to work.  One of them, httpd_can_network_connect, will allow httpd to connect to anything on the network.  This might be useful in some cases, but is not very specific.  The better option in this case is to enable httpd_can_network_connect_db which limits httpd generated network connections to only database traffic.  Run the following command to enable that setting:&lt;br /&gt;&lt;code&gt;# setsebool -P httpd_can_network_connect_db 1&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;It will take a few seconds and not output anything.  Once that completes, go back to the Drupal install page, verify the database connection info, and click on the button to continue.  Now it should connect to the database successfully and proceed through the installation.  Once it finishes, you can disable apache write access to the settings.php file:&lt;br /&gt;&lt;code&gt;# chmod 640 /var/www/html/sites/default/settings.php&lt;br /&gt;&lt;/code&gt;&lt;br /&gt;
Then fill out the rest of the information to complete the installation.&lt;/p&gt;
&lt;h3&gt;Allowing httpd to connect to a memcached server&lt;/h3&gt;
&lt;p&gt;Now we want to setup Drupal to use memcached instead of storing cache information in MySQL.  You’ll need to download and install the Drupal memcache module available here: &lt;a href=&quot;http://drupal.org/project/memcache&quot;&gt;http://drupal.org/project/memcache&lt;/a&gt;&lt;br /&gt;
Install that into your Drupal installation, and add the appropriate entries into settings.php.  For this site, I did that with the following:&lt;br /&gt;&lt;code&gt;# mkdir /var/www/html/sites/default/modules&lt;br /&gt;
# tar zxf memcache-7.x-1.0-rc2.tar.gz -C /var/www/html/sites/default/modules&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Then edit settings.php and add the following two lines:&lt;br /&gt;&lt;code&gt;$conf['cache_backends'][] = 'sites/default/modules/memcache/memcache.inc';&lt;br /&gt;
$conf['cache_default_class'] = 'MemCacheDrupal';&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Now if you reload your site in your web browser, you’ll likely see a bunch of memcache errors -- just what you wanted!  I bet it’s SELinux at it again!  Check out /var/log/audit/audit.log again and you’ll see something like:&lt;br /&gt;&lt;code&gt;type=AVC msg=audit(1322710172.987:16882): avc:  denied  { name_connect } for  pid=2721 comm=&quot;httpd&quot; dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;That’s very similar to the last message, but this one is for a memcache port.  What does audit2why have to say?&lt;br /&gt;&lt;code&gt;# grep -m 1 memcache /var/log/audit/audit.log | audit2why&lt;br /&gt;
type=AVC msg=audit(1322710172.796:16830): avc:  denied  { name_connect } for  pid=2721 comm=&quot;httpd&quot; dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;	Was caused by:&lt;br /&gt;
	One of the following booleans was set incorrectly.&lt;br /&gt;
	Description:&lt;br /&gt;
	Allow httpd to act as a relay&lt;/p&gt;
&lt;p&gt;	Allow access by executing:&lt;br /&gt;
	# setsebool -P httpd_can_network_relay 1&lt;br /&gt;
	Description:&lt;br /&gt;
	Allow httpd to connect to memcache server&lt;/p&gt;
&lt;p&gt;	Allow access by executing:&lt;br /&gt;
	# setsebool -P httpd_can_network_memcache 1&lt;br /&gt;
	Description:&lt;br /&gt;
	Allow HTTPD scripts and modules to connect to the network using TCP.&lt;/p&gt;
&lt;p&gt;	Allow access by executing:&lt;br /&gt;
	# setsebool -P httpd_can_network_connect 1&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Again, audit2why gives us a number of options to fix this.  The best bet is to go with the smallest and most precise change for our needs.  In this case there’s another perfect fit: httpd_can_network_memcache.  Enable that boolean with the following command:&lt;br /&gt;&lt;code&gt;# setsebool -P httpd_can_network_memcache 1&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Success!  Now httpd can talk to memcache.  Reload your site a couple of times and you should no longer see any memcache errors.  You can be sure that Drupal is caching in memcache by connecting to the memcache CLI (telnet localhost 11211) and typing ‘stats’.  You should see some number greater than 0 for ‘get_hits’ and for ‘bytes’.&lt;/p&gt;
&lt;h3&gt;What are all these booleans anyway?&lt;/h3&gt;
&lt;p&gt;Now we’ve used a couple SELinux booleans to allow httpd to connect to memcached and MySQL.  You can see a full list of booleans which you can control by using the command ‘getsebool -a’.  They are basically a preset way for you to allow/deny certain pre-defined access controls.&lt;/p&gt;
&lt;h3&gt;Restoring default file contexts&lt;/h3&gt;
&lt;p&gt;As I mentioned briefly in the ‘TL;DR’ section, another common problem people experience is with file contexts.  If you follow my instructions exactly, you won’t have this problem because we untar the Drupal files directly into the webroot, so they will inherit the default file context for /var/www/html.  If, however, you were to untar the files in your home directory, and then use ‘mv’ or ‘cp’ to place them in /var/www/html, they will maintain the user_home_t context which apache won’t be able to read by default.  If this is happening to you, you will see the file denials logged in /var/log/audit/audit.log -- something like this:&lt;br /&gt;&lt;code&gt;type=AVC msg=audit(1324359816.779:66): avc:  denied  { getattr } for  pid=3872 comm=&quot;httpd&quot; path=&quot;/var/www/html/index.php&quot; dev=dm-0 ino=549169 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The solution in this case is to use restorecon to reset the file contexts back to normal:&lt;br /&gt;&lt;code&gt;# restorecon -rv /var/www/html&lt;br /&gt;&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Update:&lt;/strong&gt; It was noted that I should also mention another tool for debugging audit messages, 'sealert'.  This is provided in the setroubleshoot-server package and will also read in the audit log, similar to what I described with audit2why.&lt;br /&gt;&lt;code&gt;# sealert -a /var/log/audit/audit.log&lt;/code&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
	<pubDate>Wed, 21 Dec 2011 23:36:15 +0000</pubDate>
</item>
<item>
	<title>Jeff Sheltren: CentOS Continuous Release</title>
	<guid>http://sheltren.com/2 at http://sheltren.com</guid>
	<link>http://sheltren.com/centos-cr</link>
	<description>&lt;div class=&quot;field field-name-body field-type-text-with-summary field-label-hidden&quot;&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item even&quot;&gt;&lt;p&gt;The CentOS Continuous Release repository (“CR”) was first introduced for CentOS 5.6, and currently exists for both CentOS 5 and CentOS 6.  The CR repo is intended to provide package updates which have been released for the next point release upstream (from RHEL) which has not yet been officially released by CentOS due to delays around building, testing, and seeding mirrors for a new point release.  For example, this means that once Red Hat releases RHEL 5.8, CentOS will include package updates from 5.8 base and updates in CentOS 5.7 CR repo until the time that CentOS is able to complete the release of CentOS 5.8.  For admins, this means less time without important security updates and the ability to be on the latest packages released in the latest RHEL point release.&lt;/p&gt;
&lt;h2&gt;Details on the CR Repo&lt;/h2&gt;
&lt;p&gt;What’s included in CR and how might it affect your current CentOS installs?  At this point, the CR repo is used &lt;em&gt;only&lt;/em&gt; for package updates which are part of the next upstream point release.  For example, for CentOS 5.7, once Red Hat releases RHEL 5.8, the CR repo will contain updates from upstream base and updates repos.  When a new update for RHEL 5.8 is released, it will be built in the CentOS build system, go through a relatively minimal amount of QA by the CentOS QA team, and then will be pushed to the CentOS 5.7 CR repo.  This process will continue until the time that CentOS releases its own 5.8 release.  Once CentOS releases 5.8, the CR repo will be cleared out until the time that Red Hat releases the next (5.9) point release.&lt;/p&gt;
&lt;p&gt;The CR repo is not enabled by default, so it is up to a system administrator to enable it if desired.  That means, by default, you won’t see packages added to the CR repo.  Installing the repo is very easy as it’s now part of the CentOS extras repository which is enabled by default.  To enable CR, you simply have to:&lt;/p&gt;
&lt;pre&gt;
yum install centos-release-cr
&lt;/pre&gt;&lt;p&gt;
If you don’t have CentOS Extras enabled, you can browse into the extras/ directory for the release of CentOS you’re currently running and download and install the centos-release-cr package by hand, or manually create a centos-cr.repo in /etc/yum.repos.d/&lt;/p&gt;
&lt;p&gt;In my opinion, unless you have an internal process for testing/pushing updates, &lt;b&gt;you should absolutely be using the CR repo&lt;/b&gt;.  Even if you do have your own local processes for updates, I would consider the CR repo to be part of CentOS updates for all intents and purposes, and pull your updates from there for testing/release.  The packages in the CR repo can fix known security issues which without the CR repo you won’t have access to until the next CentOS point release -- and that can sometimes take longer than we’d like!&lt;/p&gt;
&lt;h2&gt;A New Proposal: Include CR by Default&lt;/h2&gt;
&lt;p&gt;In a &lt;a href=&quot;http://lists.centos.org/pipermail/centos-devel/2011-November/008268.html&quot;&gt;recent post to the CentOS Developers list&lt;/a&gt;, Karanbir Singh proposed moving the CR repo into the main release for 6.x.  What this would mean is for CentOS 6.x and onward, we would see the base OS and ISO directories be updated for each point release, but in general, updates would be pushed to a central &lt;em&gt;6/&lt;/em&gt; directory, basically incorporating CR into what is currently considered &lt;em&gt;updates/&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;This proposal is different from the current CR setup in that it incorporates CR into the release by default, and puts less reliance on the old point release model.  This will help ensure that people are always running the latest security updates as well as take a bit of pressure off of CentOS developers and QA team when trying to build, test, and release the next point release.  If the package updates are already released and in use, point releases become less important (though still useful for new installs).&lt;/p&gt;
&lt;p&gt;Incorporating CR more into the main release doesn’t mean that point releases will go away completely.  They will still include updated base packages and ISO images, typically with installer bug fixes and/or new and updated drivers.  In general, I see this as a good move:  it means more people will be getting security updates by default instead of waiting during the time lapse between upstream RHEL releases and the time it takes for CentOS to rebuild, test, and release that point release.  Having those packages available by default is great, especially for those admins who don’t pay close attention and wouldn’t otherwise enable the CR repo.  It should be noted that at this point, the incorporation of CR into the main release is only being discussed for CentOS 6.x onward and won’t change anything in the 5.x releases where people will still need to manually opt-in to the CR packages.&lt;/p&gt;
&lt;p&gt;References:&lt;br /&gt;&lt;a href=&quot;http://wiki.centos.org/AdditionalResources/Repositories/CR&quot;&gt;http://wiki.centos.org/AdditionalResources/Repositories/CR&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://lists.centos.org/mailman/listinfo/centos-cr-announce&quot;&gt;http://lists.centos.org/mailman/listinfo/centos-cr-announce&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://lists.centos.org/pipermail/centos-devel/2011-November/008268.html&quot;&gt;http://lists.centos.org/pipermail/centos-devel/2011-November/008268.html&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-name-field-tags field-type-taxonomy-term-reference field-label-above clearfix&quot;&gt;&lt;h3 class=&quot;field-label&quot;&gt;Tags: &lt;/h3&gt;&lt;ul class=&quot;links&quot;&gt;&lt;li class=&quot;taxonomy-term-reference-0&quot; rel=&quot;dc:subject&quot;&gt;&lt;a href=&quot;http://sheltren.com/tags/oss&quot;&gt;oss&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
	<pubDate>Tue, 08 Nov 2011 16:03:35 +0000</pubDate>
</item>
<item>
	<title>Jim Perrin: Corporate Security, Round Two</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-3571403872725216753</guid>
	<link>http://www.bit-integrity.com/2011/09/corporate-security-round-two.html</link>
	<description>I do not claim to be a security expert by any stretch of the imagination. The extent of my malicious network behavior ends at clicking 'start' on a nessus scan. And yet despite this, I find that I am constantly astounded at the inability of corporations to learn from each other when it comes to network security.

Sony made security considerations front page news for over a month. Websites were</description>
	<pubDate>Tue, 27 Sep 2011 08:33:01 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Fabian Arrotin: Monitoring DRBD resources with Zabbix on CentOS</title>
	<guid>http://www.arrfab.net/blog/?p=328</guid>
	<link>http://www.arrfab.net/blog/?p=328</link>
	<description>&lt;p&gt;We use &lt;a href=&quot;http://www.drbd.org&quot; target=&quot;_blank&quot;&gt;DRBD&lt;/a&gt; at work on several CentOS 5.x nodes to replicate data between our two computer rooms (in different buildings but linked with Gigabit fiber). It's true that you can know if something wrong happens at the DRBD level if you have configured the correct 'handlers' and the appropriate notifications scripts (Have a look for example at the &lt;a href=&quot;http://www.drbd.org/users-guide/s-configure-split-brain-behavior.html#s-split-brain-notification&quot; target=&quot;_blank&quot;&gt;Split Brain notification script&lt;/a&gt;). Those scripts are 'cool' but what if you could 'plumb' the DRBD status in your actual monitoring solution ? We use&lt;a href=&quot;http://www.zabbix.com&quot; target=&quot;_blank&quot;&gt; Zabbix &lt;/a&gt;at $work and I was asked to centralize events from different sources and Zabbix doesn't support directly monitoring DRBD devices. But one of the cool things with Zabbix is that it's like a &lt;a href=&quot;http://www.lego.com&quot; target=&quot;_blank&quot;&gt;Lego&lt;/a&gt; system : you can extend what it does if you know what to query and how to do it. If you want to monitor DRBD devices, the best that Zabbix can do (on the agent side, when using the zabbix agent running as a simple zabbix user with /sbin/nologin as shell) is to query and parse&lt;a href=&quot;http://www.drbd.org/users-guide/ch-admin.html#s-proc-drbd&quot; target=&quot;_blank&quot;&gt; /proc/drbd&lt;/a&gt; . So here we go : we need to modify the Zabbix agent to use &lt;a href=&quot;http://www.zabbix.com/documentation/1.8/manual/config/user_parameters#flexible_user_parameters&quot; target=&quot;_blank&quot;&gt;Flexible User Parameters&lt;/a&gt;, like this (in /etc/zabbix/zabbix_agentd.conf) :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;UserParameter=drbd.cstate[*],cat /proc/drbd |grep $1:|tr [:blank:] \\n|grep cs|cut -f 2 -d ':'|grep Connected |wc -l&lt;br /&gt;
UserParameter=drbd.dstate[*],cat /proc/drbd |grep $1:|tr [:blank:] \\n|grep ds|cut -f 2 -d ':'|cut -f 1 -d '/'|grep UpToDate|wc -l&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;We just need to inform the Zabbix server of the actual Connection State (cs) and Disk State (ds) . For that we just need to create Application/Items and Triggers .. but what if we could just create a &lt;a href=&quot;http://www.zabbix.com/documentation/1.8/manual/config/host_templates&quot; target=&quot;_blank&quot;&gt;Zabbix Template&lt;/a&gt; so that we can just link that template to a DRBD host ? I attach to this post the DRBD Zabbix template (xml file that you can import in your zabbix setup) and you can just link it to your drbd hosts. Here is the &lt;a href=&quot;http://www.arrfab.net/blog/wp-content/uploads/2011/09/zabbix-drbd.xml&quot; target=&quot;_blank&quot;&gt;link &lt;/a&gt;. That XML file contains both Items (cstate and dstate) and the associated triggers. Of course you can extend it, especially if you use multiple resources , drbd disks. Because we used the Flexible parameters, you can for example in the Zabbix item, create a new one (based on the template) and monitor the /dev/drbd1 device just by using the drbd.dstate[1] key in that zabbix item.&lt;/p&gt;
&lt;p&gt;Happy Monitoring and DRBD'ing ...&lt;/p&gt;</description>
	<pubDate>Wed, 07 Sep 2011 12:10:41 +0000</pubDate>
</item>
<item>
	<title>Jim Perrin: Supportable Linux Security</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-869128422731461497</guid>
	<link>http://www.bit-integrity.com/2011/08/supportable-linux-security.html</link>
	<description>Computer security is once again becoming a hot topic for administrators. There are dozens of new sites springing up around the web, and each is slinging their own ‘Perfect’ setup instructions. They have the usual bell curve of good advice, okay advice, and advice that will effectively leave you with a smoldering pile of rubble where your data used to be. What disturbs me is the growing</description>
	<pubDate>Wed, 31 Aug 2011 11:11:06 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Jim Perrin: SSH Oneliners</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-5005530452833844056</guid>
	<link>http://www.bit-integrity.com/2011/08/ssh-oneliners.html</link>
	<description>ssh -X remotehost # yawn. X forwarding through ssh.
ssh -Y remotehost # trusted X forwarding through ssh. Still yawn, let’s do something fun.
ssh -D2222 remotehost # This is okay. This command  sets up a SOCKS proxy on port 2222 which can be used with firefox (and  Internet Explorer if you really hate yourself) to avoid office internet  filters…. not that I condone such anti-social behavior.
ssh</description>
	<pubDate>Wed, 31 Aug 2011 10:29:39 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Jim Perrin: Getting rid of the tilde</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-2158963030443472112</guid>
	<link>http://www.bit-integrity.com/2011/08/getting-rid-of-tilde.html</link>
	<description>It seems that in decommissioning my old blog setup (I got bored keeping up with wordpress security), I removed some useful bits for those of you (thanks to all 3 of you!) who actually read the stuff I write. So here's the rewrite functionality  for removing the ~ character from user pages within apache.


RewriteEngine On
#RewriteLog logs/rewrite.log # Uncomment for rewrite logging
#</description>
	<pubDate>Wed, 31 Aug 2011 10:17:49 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Karanbir Singh: A few notes on SSDs in Laptops</title>
	<guid>http://www.karan.org/blog/335@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/08/29/a-few-notes-on-ssds-in-laptops</link>
	<description>&lt;p&gt;I've now had the SSD in my laptop for about 10 days. It's made a massive difference to the way I work. &lt;/p&gt;

&lt;p&gt;It's striking how much of a difference having this extra performance in the laptop would make. In March I upgraded the memory on this laptop from 2GB to 8GB - which also made a massive difference, especially since I almost never reboot the device and the filesystem cache gets very good at handling just the right kind of stuff - but what kills them is my email ( ~ 30 gb ) and VMs ( up to 5 running at any given time ). Having the SSD now means that I no longer need to drop back to 10 seconds for jedit startup after I've been running a couple of VMs.&lt;/p&gt;

&lt;p&gt;One thing that hasn't gone quite to expectation is the battery life. The HP 2540p had ~ 4 hrs or so, doing what I do, when I got it new. That had dropped to just over 3 hrs with the 250gb sata disk in. With the SSD it's now gone to 2 hrs ~30 min or so. Initially that felt quite strange, I was expecting it to go in the other direction. And while I haven't been able to put a finger on exactly what this is, it seems like there are 2 interesting side effects from the SSD upgrade. &lt;/p&gt;

&lt;p&gt;1) The four cores on this i5 laptop now run at full speed ( 2.53 GHz ) a lot more often than they did in the past, trending this over the last 48 hrs and it's averaged 1.87GHz; Not sure what it was earlier but the cpu governors used to stay blue a lot more than they do now.&lt;/p&gt;

&lt;p&gt;2) Heat. The cooling fan is on a lot more, and the heat vent seems a lot warmer than it ever did in the past. This might be due to the cpus running a lot faster, a lot more. The disk itself does not 'seem' to be any warmer. The bottom left side of the laptop which houses the disk feels cool.&lt;/p&gt;

&lt;p&gt;The big win, of course, is performance of everything. Almost every app just starts in place ( even eclipse! ). Doing a search in large code projects is instantaneous. Git operations are visibly quicker. Even using svn isn't nearly as boring as it used to be, if I can stop adding -a to all my svn commits it would not get in my way.&lt;/p&gt;

&lt;p&gt;The only thing that isn't quite as quick as it needs to be on this machine now is the graphics interface ( intel HD ).&lt;/p&gt;

&lt;p&gt;Also worth keeping in mind: use CentOS-6 for the SSD hosted content, and make sure you have 'discard' enabled as a mount option.&lt;/p&gt;

&lt;p&gt;- KB&lt;/p&gt;</description>
	<pubDate>Mon, 29 Aug 2011 12:07:45 +0000</pubDate>
</item>
<item>
	<title>Jim Perrin: Dell CentOS based LiveCD for firmware updates</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-8808904086480711787</guid>
	<link>http://www.bit-integrity.com/2011/08/dell-centos-based-livecd-for-firmware.html</link>
	<description>Turns out there's at least one fan of CentOS inside Dell. A Dell community blog showed up today touting a CentOS based LiveCD with all the built-in goodies needed to update the firmware for Dell servers. There's a complete walk through for how to use it as well as screen shots of the disk in action.

If you're using Dell kit in your shop, this is definitely something worth checking out, and it's</description>
	<pubDate>Fri, 19 Aug 2011 10:45:09 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Jim Perrin: Fun with autofs and RHEL6</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-118275719697860310</guid>
	<link>http://www.bit-integrity.com/2011/08/fun-with-autofs-and-rhel6.html</link>
	<description>For those of you upgrading to RHEL6 or CentOS 6 who are using nfs automappings, some of you are probably noticing some interesting behavior. When we stumbled across this issue, it was because our home directories were all mounted nobody:nobody.

Turns out in RHEL6, nfsv4 is now the default, and this can catch people off guard. There are a few ways to fix this however.
 Least effort: uncomment the</description>
	<pubDate>Wed, 17 Aug 2011 13:06:07 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Jim Perrin: Vim syntax highlighting with less</title>
	<guid>tag:blogger.com,1999:blog-3673169358131892257.post-1261381637288187829</guid>
	<link>http://www.bit-integrity.com/2011/08/vim-syntax-highlighting-with-less.html</link>
	<description>I find that vim's syntax highlighting is incredibly useful in making documents more readable. So much so that I find myself wishing that I had this feature when simply paging through files quickly with 'less'. Turns out the vim folks thought of this too and include a script that allows you to use your finely honed vim environment as a replacement for less.

Buried within your vim install is a</description>
	<pubDate>Wed, 17 Aug 2011 09:35:21 +0000</pubDate>
	<author>noreply@blogger.com (Jim Perrin)</author>
</item>
<item>
	<title>Fabian Arrotin: CentOS 6 LiveCD and LiveDVD tools</title>
	<guid>http://www.arrfab.net/blog/?p=324</guid>
	<link>http://www.arrfab.net/blog/?p=324</link>
	<description>&lt;p&gt;The number of questions I received from different people regarding the LiveCD/LiveDVD tools and the kickstart files used to produce the ISO images was quite &quot;high&quot;. People looking at the normal place will be disappointed because we haven't used the original &lt;a href=&quot;https://projects.centos.org/svn/livecd/&quot; target=&quot;_blank&quot;&gt;livecd subversion repo&lt;/a&gt; to produce the actual Live media.  So in the meantime, if people want to use the livecd-creator tool, they can fetch the SRPM here : &lt;a href=&quot;http://people.centos.org/arrfab/CentOS6/SRPMS/livecd-tools-0.3.6-1.el6.src.rpm&quot; target=&quot;_blank&quot;&gt;http://people.centos.org/arrfab/CentOS6/SRPMS/livecd-tools-0.3.6-1.el6.src.rpm&lt;/a&gt; . I've also just copied the two kickstart files used for both LiveCD and LiveDVD here :&lt;a href=&quot;http://people.centos.org/arrfab/CentOS6/LiveCD-DVD/&quot; target=&quot;_blank&quot;&gt; http://people.centos.org/arrfab/CentOS6/LiveCD-DVD/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Hope that people will be satisfied .. faster to push those files there than to change the whole 'used behind the scene' infra&lt;/p&gt;</description>
	<pubDate>Thu, 28 Jul 2011 13:29:26 +0000</pubDate>
</item>
<item>
	<title>Fabian Arrotin: CentOS 6 ISO spins</title>
	<guid>http://www.arrfab.net/blog/?p=320</guid>
	<link>http://www.arrfab.net/blog/?p=320</link>
	<description>&lt;p&gt;As you've probably seen if you're subscribed to the &lt;a href=&quot;http://lists.centos.org/pipermail/centos-announce/2011-July/017658.html&quot; target=&quot;_blank&quot;&gt;CentOS announce list&lt;/a&gt; (or if you just rsync/mirror the &lt;a href=&quot;http://mirror.centos.org/centos/&quot; target=&quot;_blank&quot;&gt;whole CentOS tree&lt;/a&gt;) , the CentOS 6.0 LiveCD was released last Monday. This is the first of our CentOS custom spins ! While I'm writing this blog post, the CentOS 6.0 LiveDVD is on its way to the external mirrors too and will normally be announced shortly (when enough mirrors have it) ! It will be the second CentOS respin and we have more in the pipe for you ! As Karanbir announced in the &lt;a href=&quot;http://lists.centos.org/pipermail/centos-announce/2011-July/017645.html&quot; target=&quot;_blank&quot;&gt;6.0 release mail&lt;/a&gt; , we also planned to provide two other spins : the minimal one and the lws one. Good news is that the minimal one is almost finished and being intensively tested. If things don't change (or bugs appear during QA), the iso image will be only ~250Mb for the i386 arch and ~300Mb for the x86_64 one. It's meant to be used as a real basic CentOS system (even fewer packages than the @core group on a normal install if used with the proper kickstart invocation !) : 186 packages only on your disk. You'll have a very basic CentOS system with only openssh-server and yum. We are even testing the luks/lvm/md devices combination to be sure to meet your needs.&lt;/p&gt;
&lt;p&gt;The next custom respin (LWS code name - for LightWeight Server edition) will still be a CD iso image (but pushed to the limit) that will include basic server packages, more or less in the idea of the ServerCD that existed during the CentOS 4.x days ... That one still needs to be finished while work has already been done.&lt;/p&gt;
&lt;p&gt;Stay tuned for more information when it will be pushed to mirrors and announced .. all that at the same time as 6.1 and 5.7 (in parallel) builds ..Interesting times ! &lt;img src=&quot;http://www.arrfab.net/blog/wp-includes/images/smilies/icon_smile.gif&quot; alt=&quot;:-)&quot; class=&quot;wp-smiley&quot; /&gt; &lt;/p&gt;</description>
	<pubDate>Tue, 26 Jul 2011 18:39:37 +0000</pubDate>
</item>
<item>
	<title>Fabian Arrotin: CentOS 6 on the iMac</title>
	<guid>http://www.arrfab.net/blog/?p=315</guid>
	<link>http://www.arrfab.net/blog/?p=315</link>
	<description>&lt;p&gt;I decided to put CentOS 6 on my iMac. It was running in dual-boot mode with OSX and CentOS 5. Installing through the network (from a NFS share) was really easy and no bug encountered but at the end of the install, when it asked me to reboot, nothing : after having selected the Linux partition in the &lt;a href=&quot;http://refit.sf.net&quot;&gt;rEfit&lt;/a&gt; boot manager screen, nothing. hmm ....&lt;/p&gt;
&lt;p&gt;I restarted the install process to see if at least anaconda tried to install grub on the first sector of the /boot partition and not in the MBR but that was correctly seen and chosen by anaconda . So the issue was somewhere else. I had a /boot ext3 partition (on /dev/sda3) while /dev/sda4 is the VolumeGroup in which I had defined my Logical Volumes. There was a big rewrite in Anaconda for the storage part and el6/CentOS 6 suffers from one bug found on the upstream bugzilla when having to deal with Apple computers *and* using rEfit at the same time : &lt;a href=&quot;https://bugzilla.redhat.com/show_bug.cgi?id=505817&quot; target=&quot;_blank&quot;&gt;https://bugzilla.redhat.com/show_bug.cgi?id=505817&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Long story short : to have CentOS 6 running on your iMac (if using refit as the EFI boot manager) :&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;install CentOS 6 as usual (check that grub will be installed on the first sector of /boot and not in the MBR , normally correctly seen/proposed by Anaconda)&lt;/li&gt;
&lt;li&gt;on the first reboot, enter the rEFIt shell and launch 'gptsync' (it will say that it has to 'sync' the gpt, accept the sync)&lt;/li&gt;
&lt;li&gt;select now the Linux partition : it will fail with a black screen&lt;/li&gt;
&lt;li&gt;power down the iMac and start it up : select Linux in the refit boot manager and enjoy your CentOS 6 installation on the iMac&lt;/li&gt;
&lt;/ul&gt;</description>
	<pubDate>Mon, 25 Jul 2011 08:58:11 +0000</pubDate>
</item>
<item>
	<title>Karanbir Singh: Release for CentOS-6.0 i386 and x86_64</title>
	<guid>http://www.karan.org/blog/334@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/07/10/release-for-centos-6-0-i386-and-x86-64</link>
	<description>&lt;pre&gt;We are pleased to announce the immediate availability of CentOS-6.0 for 
i386 and x86_64 Architectures.

CentOS-6.0 is based on the upstream release EL 6.0 and includes packages 
from all variants. All upstream repositories have been combined into 
one, to make it easier for end users to work with.

There are some important changes to this release compared with the 
previous versions of CentOS and we highly recommend reading this 
announcement along with the Release Notes at 
&lt;a href=&quot;http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.0&quot;&gt;http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.0&lt;/a&gt;

There are no CD images being released with CentOS-6, however we have 
some CD variants in the pipeline. Details for these are mentioned below.

Since upstream has a 6.1 version already released, we will be using a 
Continuous Release repository for 6.0 to bring all 6.1 and post 6.1 
security updates to all 6.0 users, till such time as CentOS-6.1 is 
released itself. There will be more details about this posted within the 
next 48 hours.

+++++++++++++++++++++++
Upgrading from CentOS-4 or CentOS-5:

We recommend everyone run through a reinstall rather than attempt an 
inplace upgrade from CentOS-4 or CentOS-5

+++++++++++++++++++++++
LiveCD and LiveDVD

LiveCDs and LiveDVDs for i386 and x86_64 will be released within the 
next few days. These will bring in the ability to directly install from 
the livemedia.

+++++++++++++++++++++++
Minimal Install CD

We have also created a minimal install CD, that would bring up a base 
machine with just enough content to have a usable platform. This CD 
image will be released in the next few days.

+++++++++++++++++++++++
The LightWeightServer (LWS) CD

In order to bring back the CentOS-4 Server CD style single iso image, we 
are creating a LWS variant of the main distro. Details for this will be 
posted in the next few days with release happening after the live media 
and the minimal cd editions.

+++++++++++++++++++++++
Downloading CentOS-6.0 for new installs:

When possible, consider using torrents to run the downloads. In most 
cases you will find it's also the fastest means to download the distro. 
There are currently over a thousand people seeding CentOS-6 and it's 
possible to get up to 100mbps downloads via these torrents.

Torrent files for the DVDs are available at :
&lt;a href=&quot;http://mirror.centos.org/centos/6.0/isos/i386/CentOS-6.0-i386-bin-DVD.torrent&quot;&gt;http://mirror.centos.org/centos/6.0/isos/i386/CentOS-6.0-i386-bin-DVD.torrent&lt;/a&gt;
&lt;a href=&quot;http://mirror.centos.org/centos/6.0/isos/x86_64/CentOS-6.0-x86_64-bin-DVD.torrent&quot;&gt;http://mirror.centos.org/centos/6.0/isos/x86_64/CentOS-6.0-x86_64-bin-DVD.torrent&lt;/a&gt;

You can also use a mirror close to you :
&lt;a href=&quot;http://www.centos.org/modules/tinycontent/index.php?id=30&quot;&gt;http://www.centos.org/modules/tinycontent/index.php?id=30&lt;/a&gt;

Most mirrors will allow direct DVD downloads over http, ftp and rsync.

Please keep in mind that not all mirrors are currently updated, some 
might take up to another 24 hours before they have all the content.

+++++++++++++++++++++++
sha1sum for the CentOS-6.0 ISOS:

i386:
fcf49e875cd4494f2af68cf257ab9e93523c9427  CentOS-6.0-i386-bin-DVD.iso
862815623d2e7990207dd78a281837c7eb719e83  CentOS-6.0-i386-netinstall.iso

x86_64:
9de87b0c696ebd72b952edb4cc06c24cbdc37d81  CentOS-6.0-x86_64-bin-DVD1.iso
5e3834621f11fbcca78cf7d70625c647045f45f5  CentOS-6.0-x86_64-bin-DVD2.iso
23f9e606cbcbd52d2e5df3716a85cdde336f7bfe  CentOS-6.0-x86_64-netinstall.iso

+++++++++++++++++++++++
Sources and Debuginfo packages:

SRPMS and debuginfo packages are still making their way to the CentOS 
mirrors and should be available within the next 24 to 48 hours. We are 
prioritising the centos modified packages.

+++++++++++++++++++++++
Getting Help:

The best place to start when looking for help with CentOS is at the wiki 
( &lt;a href=&quot;http://wiki.centos.org/GettingHelp&quot;&gt;http://wiki.centos.org/GettingHelp&lt;/a&gt; ) which lists various options and 
communities who might be able to help. If you think there is a bug in 
the system, do report it at &lt;a href=&quot;http://bugs.centos.org/&quot;&gt;http://bugs.centos.org/&lt;/a&gt; - but keep in mind 
that the bugs system is *not* a support mechanism.

+++++++++++++++++++++++
Contributing and joining the project:

We are always looking for people to join and help with various things in 
the project. If you are keen to help out a good place to start is the 
wiki page at &lt;a href=&quot;http://wiki.centos.org/Contribute&quot;&gt;http://wiki.centos.org/Contribute&lt;/a&gt; . If you have questions 
or a specific area you would like to contribute towards that is not 
covered on that page, feel free to drop in on 
#centos-devel at irc.freenode.net for a chat or email the centos-devel list 
(http://lists.centos.org).

+++++++++++++++++++++++
Thanks to everyone who contributed towards making 6.0


Enjoy!
&lt;/pre&gt;</description>
	<pubDate>Sun, 10 Jul 2011 19:07:59 +0000</pubDate>
</item>
<item>
	<title>Fabian Arrotin: Modifying Anaconda behaviour without rebuilding the whole install media</title>
	<guid>http://www.arrfab.net/blog/?p=305</guid>
	<link>http://www.arrfab.net/blog/?p=305</link>
	<description>&lt;p&gt;One thing that I had to have a look at (during CentOS 6 QA), is the way &lt;a href=&quot;http://fedoraproject.org/wiki/Anaconda&quot; target=&quot;_blank&quot;&gt;anaconda&lt;/a&gt; (the Red Hat/Fedora/CentOS installer) pre-defines some 'tasks' . People used to that kind of install know what I'm talking about : the &quot;Minimal&quot;, &quot;Desktop&quot;, &quot;Basic Server&quot; and other choices you have during setup. From that first selection, you can decide (or not) to customize the software selection which then leads you to a screen containing categories / groups / packages defined in the comps.xml file present under /repodata on the tree/install media.&lt;/p&gt;
&lt;p&gt;If you don't 'see' which screen I'm talking about, a small screenshot of the upcoming CentOS 6 will explain better than words :&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.arrfab.net/blog/wp-content/uploads/2011/06/anaconda-centos.png&quot;&gt;&lt;img class=&quot;alignleft size-medium wp-image-306&quot; title=&quot;anaconda-centos&quot; src=&quot;http://www.arrfab.net/blog/wp-content/uploads/2011/06/anaconda-centos-300x224.png&quot; alt=&quot;&quot; width=&quot;300&quot; height=&quot;224&quot; /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Those pre-defined tasks aren't defined in the comps.xml file but rather at build time within anaconda. Fine but how can you 'modify' anaconda behaviour and test it without having to patch anaconda SRPM, rebuild it and launch a new build to generate the tree and install medias ? Easy , thanks to a simple file on the tree !&lt;/p&gt;
&lt;p&gt;People wanting to modify anaconda behaviour at install time without having to regenerate the whole tree can just create a small file (updates.img) and put it in the /images directory in the tree. Anaconda (when installing over the network, http/ftp/nfs) always tries to see if an updates.img file exists, and if so, uses it. Fine, so I could easily try to &quot;patch&quot; it without having to modify the whole tree.&lt;/p&gt;
&lt;p&gt;Creating that updates.img (it's just a ext2 filesystem on top) is really easy :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;dd if=/dev/zero of=/tmp/updates.img bs=1k count=1440&lt;br /&gt;
losetup `losetup -f` /tmp/updates.img&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;&lt;p&gt;losetup -a|grep updates.img&lt;br /&gt;
mkfs.ext2 /dev/loop3           # was loop3 in my case&lt;br /&gt;
mkdir /mnt/loop ; mount -o loop /tmp/updates.img /mnt/loop/ ; ll /mnt/loop&lt;br /&gt;
drwx------. 2 root root 12288 Jun 11 15:43 lost+found&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;From now, it's just a matter of putting the new files that you want to test and that will &quot;overwrite&quot; at run-time the default anaconda ones.&lt;/p&gt;
&lt;p&gt;(in our current example, it was the installclasses/rhel.py that needed to be modified, so I just had to create a installclasses dir and drop my version of rhel.py in there on the loop device)&lt;/p&gt;
&lt;p&gt;When you're done, umount the updates.img, copy it to /path/to/your/install/tree/images , restart a http install (verify that permissions and selinux contexts are of course correct !) and enjoy !&lt;/p&gt;
&lt;p&gt;Easier and faster. Thanks to the Anaconda team which decided to permit modifying the anaconda behaviour at run-time with a simple file &lt;img src=&quot;http://www.arrfab.net/blog/wp-includes/images/smilies/icon_smile.gif&quot; alt=&quot;:-)&quot; class=&quot;wp-smiley&quot; /&gt; &lt;/p&gt;</description>
	<pubDate>Sat, 11 Jun 2011 13:54:08 +0000</pubDate>
</item>
<item>
	<title>Russ Herrold: Happy IPv6 test day, part 2</title>
	<guid>tag:blogger.com,1999:blog-4432325514109284204.post-6908938697417040088</guid>
	<link>http://orcorc.blogspot.com/2011/06/happy-ipv6-test-day-part-2.html</link>
	<description>&lt;p&gt;In my &lt;a href=&quot;http://orcorc.blogspot.com/2011/06/happy-ipv6-test-day.html&quot; target=&quot;_blank&quot;&gt;first post in this small series&lt;/a&gt;, I closed without addressing matters of securing an IPv6 connection, and in matters of debugging where a connection failure is occurring.  Thinking about it, the diagnostic post needs to come first, because tightening down a connection can cause hard to diagnose symptoms.  So, on to diagnosis ... &lt;/p&gt;&lt;p&gt;We examined the interface results last time.  Looking at just the routing related to ipv6 is straightforward as well:&lt;br /&gt;&lt;br /&gt;Some familiar tools: &lt;br /&gt;&lt;pre&gt;/sbin/ifconfig eth0&lt;br /&gt;/sbin/ifconfig sit1&lt;br /&gt;/sbin/route -A inet6&lt;/pre&gt;&lt;/p&gt;&lt;p&gt;So using those tools:&lt;br /&gt;&lt;pre&gt;[herrold@hostname ~]$ /sbin/ifconfig sit1&lt;br /&gt;sit1      Link encap:IPv6-in-IPv4&lt;br /&gt;          inet6 addr: 2604:aa:bb:cc::2/64 Scope:Global&lt;br /&gt;          inet6 addr: fe80::4cf2:1c/128 Scope:Link&lt;br /&gt;          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1&lt;br /&gt;          RX packets:1691 errors:0 dropped:0 overruns:0 frame:0&lt;br /&gt;          TX packets:1693 errors:0 dropped:0 overruns:0 carrier:0&lt;br /&gt;          collisions:0 txqueuelen:0&lt;br /&gt;          RX bytes:177195 (173.0 KiB)  TX bytes:210468 (205.5 KiB)&lt;br /&gt;&lt;br /&gt;[herrold@hostname ~]$ /sbin/route -n -A inet6 | grep 2604&lt;br /&gt;2604:aa:bb:cc::/64      ::          U     256    1658       0 sit1&lt;br /&gt;2604:aa:bb:cc::/128     ::          U       0       0       2 lo&lt;br /&gt;2604:aa:bb:cc::2/128    ::          U       0    1691       1 lo&lt;br /&gt;[herrold@mailhub ~]$   &lt;/pre&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;That is a pretty ordinary routing table for a non-gateway endpoint.  
Off-box traffic (to the '/64' netmask) is handed to the &lt;tt&gt;sit&lt;/tt&gt; interface, and local traffic (to the '/128') retained on the local &lt;tt&gt;lo&lt;/tt&gt; interface &lt;/p&gt;&lt;p&gt;We use an unfamiliar tool: &lt;tt&gt;ping6&lt;/tt&gt; -- The common '127.0.0.1' localhost has a new form under ipv6: &lt;br /&gt;&lt;blockquote&gt;ping6 ::1 -c 2 &lt;/blockquote&gt;&lt;/p&gt;&lt;p&gt;and testing &lt;br /&gt;&lt;pre&gt;[root@hostname ~]# ping6 ::1 -c 2&lt;br /&gt;PING ::1(::1) 56 data bytes&lt;br /&gt;64 bytes from ::1: icmp_seq=0 ttl=64 time=0.157 ms&lt;br /&gt;64 bytes from ::1: icmp_seq=1 ttl=64 time=0.132 ms&lt;br /&gt;&lt;br /&gt;--- ::1 ping statistics ---&lt;br /&gt;2 packets transmitted, 2 received, 0% packet loss, time 1000ms&lt;br /&gt;rtt min/avg/max/mdev = 0.132/0.144/0.157/0.017 ms, pipe 2&lt;br /&gt;[root@ostname ~]# &lt;/pre&gt;&lt;/p&gt;&lt;p&gt;And we can ping by IP on the 'Global' link,  both on the local end, and remotely with differing transit times for the packets: &lt;br /&gt;&lt;br /&gt;Looking at the network connections, we examine the tunnelling interface: &lt;br /&gt;&lt;pre&gt;[root@hostname ~]# /sbin/ifconfig sit1&lt;br /&gt;sit1      Link encap:IPv6-in-IPv4&lt;br /&gt;          inet6 addr: 2604:aa:bb:cc::2/64 Scope:Global&lt;br /&gt;          inet6 addr: fe80::4cf2:1c/128 Scope:Link&lt;br /&gt;          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1&lt;br /&gt;          RX packets:1714 errors:0 dropped:0 overruns:0 frame:0&lt;br /&gt;          TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0&lt;br /&gt;          collisions:0 txqueuelen:0&lt;br /&gt;          RX bytes:179587 (175.3 KiB)  TX bytes:215180 (210.1 KiB)&lt;br /&gt;&lt;br /&gt;[root@hostname ~]# ping6 2604:aa:bb:cc::2 -c 2&lt;br /&gt;PING 2604:aa:bb:cc::2(2604:aa:bb:cc::2) 56 data bytes&lt;br /&gt;64 bytes from 2604:aa:bb:cc::2: icmp_seq=0 ttl=64 time=0.135 ms&lt;br /&gt;64 bytes from 2604:aa:bb:cc::2: icmp_seq=1 ttl=64 time=0.137 ms&lt;br /&gt;&lt;br 
/&gt;--- 2604:aa:bb:cc::2 ping statistics ---&lt;br /&gt;2 packets transmitted, 2 received, 0% packet loss, time 999ms&lt;br /&gt;rtt min/avg/max/mdev = 0.135/0.136/0.137/0.001 ms, pipe 2&lt;br /&gt;[root@hostname ~]# ping6 2604:aa:bb:cc::1 -c 2&lt;br /&gt;PING 2604:aa:bb:cc::1(2604:aa:bb:cc::1) 56 data bytes&lt;br /&gt;64 bytes from 2604:aa:bb:cc::1: icmp_seq=0 ttl=64 time=55.1 ms&lt;br /&gt;64 bytes from 2604:aa:bb:cc::1: icmp_seq=1 ttl=64 time=53.7 ms&lt;br /&gt;&lt;br /&gt;--- 2604:8800:100:bb::1 ping statistics ---&lt;br /&gt;2 packets transmitted, 2 received, 0% packet loss, time 1000ms&lt;br /&gt;rtt min/avg/max/mdev = 53.781/54.473/55.165/0.692 ms, pipe 2&lt;br /&gt;[root@hostname ~]# &lt;/pre&gt;&lt;/p&gt;&lt;p&gt;Turning to DNS and name resolution, it is quite familiar.  One does not need an IPv6 link to query nameservers and receive back results, as they will answer questions _about_ ipv6 hostnames ('AAAA' records) to any authorized inquirant.  Try these: &lt;br /&gt;&lt;br /&gt;&lt;pre&gt;dig +trace www.ipv6.sixxs.net&lt;br /&gt;dig www.kame.net aaaa &lt;/pre&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I get answers like this:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;[herrold@centos-5 ~]$ dig www.kame.net aaaa&lt;br /&gt;&lt;br /&gt;; &lt;&lt;&gt;&gt; DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 &lt;&lt;&gt;&gt; www.kame.net aaaa&lt;br /&gt;;; global options:  printcmd&lt;br /&gt;;; Got answer:&lt;br /&gt;;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 45595&lt;br /&gt;;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3&lt;br /&gt;&lt;br /&gt;;; QUESTION SECTION:&lt;br /&gt;;www.kame.net.                  IN      AAAA&lt;br /&gt;&lt;br /&gt;;; ANSWER SECTION:&lt;br /&gt;www.kame.net.           85164   IN      CNAME   orange.kame.net.&lt;br /&gt;orange.kame.net.        85164   IN      AAAA    2001:200:dff:fff1:216:3eff:feb1:44d7&lt;br /&gt;&lt;br /&gt;;; AUTHORITY SECTION:&lt;br /&gt;kame.net.               
85164   IN      NS      mango.itojun.org.&lt;br /&gt;kame.net.               85164   IN      NS      orange.kame.net.&lt;br /&gt;&lt;br /&gt;;; ADDITIONAL SECTION:&lt;br /&gt;mango.itojun.org.       2364    IN      A       210.155.141.200&lt;br /&gt;mango.itojun.org.       2364    IN      AAAA    2001:2f0:0:8800:206:5bff:fe8d:940&lt;br /&gt;mango.itojun.org.       2364    IN      AAAA    2001:2f0:0:8800::1:1&lt;br /&gt;&lt;br /&gt;;; Query time: 1 msec&lt;br /&gt;;; SERVER: 10.16.1.112#53(10.16.1.112)&lt;br /&gt;;; WHEN: Thu Jun  9 17:17:20 2011&lt;br /&gt;;; MSG SIZE  rcvd: 195&lt;br /&gt;&lt;br /&gt;[herrold@centos-5 ~]$&lt;/pre&gt;&lt;/p&gt;&lt;p&gt;which is certainly a mess to read -- let's trim out the interesting parts: &lt;br /&gt;&lt;pre&gt;[herrold@centos-5 ~]$ dig www.kame.net aaaa&lt;br /&gt;;; ANSWER SECTION:&lt;br /&gt;www.kame.net.           85164   IN      CNAME   orange.kame.net.&lt;br /&gt;orange.kame.net.        85164   IN      AAAA    2001:200:dff:fff1:216:3eff:feb1:44d7 &lt;br /&gt;&lt;/pre&gt;&lt;/p&gt;&lt;p&gt;Which is the familiar information: a CNAME record is pointed in fact at an AAAA record at an ipv6-type IP.  
We can ping (&lt;tt&gt;ping6&lt;/tt&gt;) it by IP:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;[root@hostname ~]# ping6 2001:200:dff:fff1:216:3eff:feb1:44d7 -c 2&lt;br /&gt;PING 2001:200:dff:fff1:216:3eff:feb1:44d7(2001:200:dff:fff1:216:3eff:feb1:44d7) 56 data bytes&lt;br /&gt;64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=0 ttl=52 time=246 ms&lt;br /&gt;64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=1 ttl=52 time=256 ms&lt;br /&gt;&lt;br /&gt;--- 2001:200:dff:fff1:216:3eff:feb1:44d7 ping statistics ---&lt;br /&gt;2 packets transmitted, 2 received, 0% packet loss, time 999ms&lt;br /&gt;rtt min/avg/max/mdev = 246.833/251.705/256.577/4.872 ms, pipe 2&lt;br /&gt;[root@hostname ~]#&lt;/pre&gt;&lt;/p&gt;&lt;p&gt;or ping it by name, as DNS is working: &lt;br /&gt;&lt;br /&gt;&lt;pre&gt;[root@hostname ~]# ping6 www.kame.net -c 2&lt;br /&gt;PING www.kame.net(2001:200:dff:fff1:216:3eff:feb1:44d7) 56 data bytes&lt;br /&gt;64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=0 ttl=52 time=227 ms&lt;br /&gt;64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=1 ttl=52 time=244 ms&lt;br /&gt;&lt;br /&gt;--- www.kame.net ping statistics ---&lt;br /&gt;2 packets transmitted, 2 received, 0% packet loss, time 1008ms&lt;br /&gt;rtt min/avg/max/mdev = 227.291/235.678/244.066/8.401 ms, pipe 2&lt;br /&gt;[root@hostname ~]# &lt;/pre&gt;&lt;/p&gt;&lt;p&gt;Some other examples to try as 'beacons' might include: &lt;br /&gt;&lt;pre&gt;ping6 2604:8800:100:9a::1 -c 2&lt;br /&gt;ping6 2001:200:0:8002:203:47ff:fea5:3085 -c 2&lt;br /&gt;ping6 ftp.ipv6.uni-muenster.de -c 2&lt;br /&gt;ping6 -I eth0 ipv6.google.com -c 2 &lt;/pre&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;So the familiar diagnostic methods of examining interfaces, checking routing, testing connectivity by IP, and connectivity after resolution by name are all present&lt;/p&gt;</description>
	<pubDate>Thu, 09 Jun 2011 20:51:00 +0000</pubDate>
	<author>noreply@blogger.com (R P Herrold)</author>
</item>
<item>
	<title>Fabian Arrotin: IPV6 world day !</title>
	<guid>http://www.arrfab.net/blog/?p=300</guid>
	<link>http://www.arrfab.net/blog/?p=300</link>
	<description>&lt;p&gt;It seems quite a lot of people blogged about &lt;a href=&quot;http://www.worldipv6day.org/&quot;&gt;IPV6 day&lt;/a&gt;. It's true that it's always a good idea to speak about IPV6. I'm using IPV6 natively on my server hosted at &lt;a href=&quot;http://www.hetzner.de/en/&quot;&gt;Hetzner&lt;/a&gt; (they offer a /64 IPV6 subnet, which is more than enough for a &lt;a href=&quot;http://www.arrfab.net/blog/?p=271&quot;&gt;CentOS server hosting several xen domU Virtual Machines&lt;/a&gt;). At home, that's another story. I use a &lt;a href=&quot;http://ipv6.he.net/&quot;&gt;HE.net&lt;/a&gt; &lt;a href=&quot;http://www.tunnelbroker.net/&quot;&gt;free tunnel&lt;/a&gt; to be able to reach ipv6 hosts. Yes, even in 2011, you still have to use tunnels to use IPV6! Why? That's indeed a good question. Even if my CentOS ipv6 tunnel end-point/router/radvd at home is working correctly, I decided to ask my Belgian provider if they had plans on implementing native IPV6. Well, not for my home connection, as I already know that &lt;a href=&quot;http://www.belgacom.be/privathttp://www.belgacom.be/private/hbsres/jsp/dynamic/homepage.jsp&quot;&gt;Belgacom&lt;/a&gt; (the biggest provider in Belgium) doesn't support IPV6 on their BBOX2 modems that they give to customers when ordering a DSL connection at home (&lt;em&gt;while I'm talking about Belgacom, please stop sending me direct advertisement to my mailbox - the real one and not the electronic one - with your invoices about a service - VDSL2/BelgacomTV - that you *can't* offer to all your customers ... thanks&lt;/em&gt;). So I decided to ask their 'professional services' because we have two 'professional and business' lines that we used at $work. Long story short (to avoid explaining how many emails/cases I had to send/open to have an answer) : &quot;no, even on the business lines we can't support IPV6 and we have no plans (*sic*, I hope that guy was just kidding or probably doesn't know the real answer ..) 
nor dates about future implementation of the IPV6 services/connectivity &quot; ..&lt;/p&gt;
&lt;p&gt;Nice .. now /me goes back to CentOS QA mode ...&lt;/p&gt;</description>
	<pubDate>Thu, 09 Jun 2011 20:24:18 +0000</pubDate>
</item>
<item>
	<title>Russ Herrold: Happy IPv6 test day</title>
	<guid>tag:blogger.com,1999:blog-4432325514109284204.post-7809183893707074815</guid>
	<link>http://orcorc.blogspot.com/2011/06/happy-ipv6-test-day.html</link>
	<description>&lt;p&gt;There is an 'ipv6 readiness testing day' today, &lt;strike&gt;April&lt;/strike&gt; June 8, 2011, and so it seems appropriate to post my personal checklist for putting a &lt;a href=&quot;http://www.centos.org/&quot; target=&quot;_blank&quot;&gt;CentOS&lt;/a&gt; box up on that network fabric &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.sixxs.net/faq/account/?faq=10steps&quot; target=&quot;_blank&quot;&gt;Apply&lt;/a&gt; for an account with SixXS.  Their reply takes a couple of days, as it is a volunteer-run organization &lt;/li&gt;&lt;li&gt;Have a deployed, updated, and &lt;a href=&quot;http://www.pmman.com/usage/hardening/&quot; target=&quot;_blank&quot;&gt;hardened&lt;/a&gt; unit at a routable static IPv4 address &lt;/li&gt;&lt;li&gt;Amend &lt;tt&gt;/etc/sysconfig/iptables &lt;/tt&gt; to include a line passing the tunnelling protocol.  I place the entry after the IPSEC protocol entries in a stock setup.  Restart iptables &lt;br /&gt;&lt;pre&gt;... &lt;br /&gt;-A RH-Firewall-1-INPUT -p 50 -j ACCEPT&lt;br /&gt;-A RH-Firewall-1-INPUT -p 51 -j ACCEPT&lt;br /&gt;# vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv&lt;br /&gt;-A RH-Firewall-1-INPUT -p ipv6 -j ACCEPT&lt;br /&gt;# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^&lt;br /&gt;... &lt;/pre&gt;&lt;/li&gt;&lt;li&gt;Strip out any previous efforts at disabling the &lt;tt&gt;ipv6 &lt;/tt&gt; / &lt;tt&gt;net-pf-10 &lt;/tt&gt; kernel modules from loading in &lt;tt&gt;/etc/modules.conf&lt;/tt&gt;, and in the files sourced in &lt;tt&gt;/etc/modprobe.d/ &lt;/tt&gt;.  
Then rebuild the modules dependency table: &lt;tt&gt;/sbin/depmod -a &lt;/tt&gt; &lt;/li&gt;&lt;li&gt;Amend &lt;tt&gt;/etc/sysconfig/network &lt;/tt&gt;  to carry the following lines: &lt;br /&gt;&lt;pre&gt;#&lt;br /&gt;NETWORKING_IPV6=yes&lt;br /&gt;IPV6INIT=yes&lt;br /&gt;IPV6FORWARDING=yes&lt;br /&gt;IPV6_DEFAULTDEV=sit1&lt;br /&gt;#&lt;/pre&gt;Which anticipates that the configuration details for the ipv6 tunnel will live in a file: &lt;tt&gt;/etc/sysconfig/network-scripts/ifcfg-sit1 &lt;/tt&gt;&lt;/li&gt;&lt;li&gt; and add that mentioned file: &lt;tt&gt;/etc/sysconfig/network-scripts/ifcfg-sit1 &lt;/tt&gt; -- I have elided site-specific details as to IP addresses with: &lt;tt&gt;aa.bb.cc &lt;/tt&gt; and &lt;tt&gt;aa:bb:cc &lt;/tt&gt; placeholders &lt;br /&gt;&lt;pre&gt;#&lt;br /&gt;DEVICE=sit1&lt;br /&gt;BOOTPROTO=none&lt;br /&gt;ONBOOT=yes&lt;br /&gt;IPV6INIT=yes&lt;br /&gt;IPV6_TUNNELNAME=&quot;SixXS&quot;&lt;br /&gt;#&lt;br /&gt;IPV6_AUTOTUNNEL=yes&lt;br /&gt;PHYSDEV=eth0&lt;br /&gt;IPV6_ROUTER=yes&lt;br /&gt;#&lt;br /&gt;IPV6TUNNELIPV4=&quot;38.229.76.3&quot;&lt;br /&gt;#    38.229.76.3 is the remote end of the tunnel at the tunnel broker&lt;br /&gt;IPV6TUNNELIPV4LOCAL=&quot;198.aa.bb.cc&quot;&lt;br /&gt;#    198.aa.bb.cc is the local ipv4 static IP&lt;br /&gt;IPV6ADDR=&quot;2604:aa:bb:cc::2/64&quot;&lt;br /&gt;#    2604:aa:bb:cc::2/64 shows both the local gateway IP, and netmask&lt;br /&gt;#    the remote end gateway IP is by convention, the :1 &lt;br /&gt;IPV6_MTU=&quot;1280&quot;&lt;br /&gt;TYPE=sit&lt;br /&gt;# &lt;/pre&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;At this point, simply restarting networking should bring up the ipv6 link, and properly route it -- so: &lt;tt&gt;/sbin/service network restart &lt;/tt&gt; &lt;/p&gt;&lt;p&gt;The interfaces will look something like this: &lt;br /&gt;&lt;pre&gt;[herrold@nostname ~]$ /sbin/ifconfig eth0&lt;br /&gt;eth0      Link encap:Ethernet  HWaddr 00:01:02:aa:bb:cc&lt;br /&gt;          inet addr:76.aa.bb.cc  
Bcast:76.aa.bb.dd  Mask:255.255.255.248&lt;br /&gt;          inet6 addr: fe80::201:aaff:bb05:cc16/64 Scope:Link&lt;br /&gt;          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1&lt;br /&gt;          RX packets:11088057 errors:0 dropped:0 overruns:1 frame:0&lt;br /&gt;          TX packets:10668738 errors:0 dropped:0 overruns:0 carrier:0&lt;br /&gt;          collisions:0 txqueuelen:1000&lt;br /&gt;          RX bytes:1726307345 (1.6 GiB)  TX bytes:3178496052 (2.9 GiB)&lt;br /&gt;          Interrupt:3 Base address:0x6f80&lt;br /&gt;&lt;br /&gt;[herrold@hostname ~]$ /sbin/ifconfig sit1&lt;br /&gt;sit1      Link encap:IPv6-in-IPv4&lt;br /&gt;          inet6 addr: 2604:aa:bb:cc::2/64 Scope:Global&lt;br /&gt;          inet6 addr: fe80::bbf2:cc1c/128 Scope:Link&lt;br /&gt;          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1&lt;br /&gt;          RX packets:500 errors:0 dropped:0 overruns:0 frame:0&lt;br /&gt;          TX packets:502 errors:0 dropped:0 overruns:0 carrier:0&lt;br /&gt;          collisions:0 txqueuelen:0&lt;br /&gt;          RX bytes:53331 (52.0 KiB)  TX bytes:62784 (61.3 KiB)&lt;br /&gt;&lt;br /&gt;[herrold@hostname ~]$ &lt;/pre&gt;&lt;/p&gt;&lt;p&gt;To wrap this up, ipv6 hardening, and connection debugging are worthy topics, and it may well be that a cautious sysadmin wants to lock down &lt;tt&gt;/etc/sysconfig/ip6tables &lt;/tt&gt; and examine how one has hardened &lt;tt&gt;/etc/hosts.deny &lt;/tt&gt; ... But rather than rush out content (I have a couple of mailing list posts I need to re-work), I'll leave these for later posts, while you, gentle reader, go apply for an account at a tunnel broker &lt;/p&gt;</description>
	<pubDate>Wed, 08 Jun 2011 14:59:00 +0000</pubDate>
	<author>noreply@blogger.com (R P Herrold)</author>
</item>
<item>
	<title>Russ Herrold: What not to buy: Dynex 1.3MP Webcam</title>
	<guid>tag:blogger.com,1999:blog-4432325514109284204.post-3358216333151637861</guid>
	<link>http://orcorc.blogspot.com/2011/05/what-not-to-buy-dynex-13mp-webcam.html</link>
	<description>I've spent the time across the weekend, tinkering with a USB webcam -- particularly a Dynex 1.3MP Webcam (USB ID: 0x19ff:0x0102 ).  As I recall, Dynex is a BestBuy house brand.  The Linux USB device driver support &lt;a href=&quot;http://www.qbik.ch/usb/devices/showdev.php?id=4550&quot; target=&quot;_blank&quot;&gt;table&lt;/a&gt; indicates that the device is supported under _some_ Linux variant&lt;br /&gt;&lt;br /&gt;The need was occasioned because some small animal, probably a groundsquirrel, has been digging in the garden of missus, and she wanted confirmation on what to go after.  The local cat, Malaki, heard it and darted to the door, but I was too late letting him out to track down the intruder ... this time&lt;br /&gt;&lt;br /&gt;My laptop at home has been my primary compute platform there, since I crushed my ankle late last December.  I still need to post a page with all the gory x-ray details, to go along with the twitter pictures I sent along the way with recovery.  The medical bill cost was staggering as well, and I'll sanitize and post details of that as well.  Back to the laptop -- it runs a reasonably stock CentOS 5 most of the time, except when I've been trialling rebuilds of part of Red Hat's '6' series SRPM rebuilds&lt;br /&gt;&lt;br /&gt;The seemingly needed 'uvcvideo' video driver was present, and I forced it to load, at the cost of the machine locking up in short order thereafter.  I had to power cycle the unit to recover use of it. Hmmm ...&lt;br /&gt;&lt;br /&gt;So I went looking for an application to pull content off of the newly present &lt;tt&gt;/dev/video0&lt;/tt&gt;, and turned to the native 'ekiga' that CentOS 5 carries.  It refused to acknowledge anything useful at that device, and so ... I had to power cycle the unit to recover use of it. Hmmm ...&lt;br /&gt;&lt;br /&gt;Perhaps it was 'ekiga'.  So I set out to solve the needed packaging to attain a current 'zoneminder' ... 
a bit more complex chain:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;06:42:44 PM libgcrypt-devel-1.4.4-5.el5&lt;br /&gt;06:42:44 PM libgpg-error-devel-1.4-2&lt;br /&gt;06:42:46 PM gnutls-devel-1.4.1-3.el5_4.8&lt;br /&gt;06:42:47 PM pcre-devel-6.6-6.el5_6.1&lt;br /&gt;06:44:49 PM perl-MIME-Types-1.19-2orc&lt;br /&gt;06:46:55 PM perl-TimeDate-1.16-5.el5&lt;br /&gt;06:47:02 PM perl-MailTools-1.74-1orc&lt;br /&gt;06:47:38 PM perl-DateManip-5.44-1.2.1&lt;br /&gt;06:47:59 PM perl-DBD-MySQL-3.0007-2.el5&lt;br /&gt;07:19:55 PM perl-PHP-Serialization-0.27-4orc&lt;br /&gt;07:20:50 PM perl-MIME-Lite-3.01-5orc&lt;br /&gt;07:23:33 PM perl-IO-Stringy-2.108-3.orc&lt;br /&gt;07:23:54 PM perl-MIME-tools-5.411a-12orc&lt;br /&gt;07:34:34 PM perl-IO-Zlib-1.10-1orc&lt;br /&gt;07:43:10 PM perl-Compress-Raw-Zlib-2.027-1orc&lt;br /&gt;07:47:54 PM perl-Archive-Zip-1.16-1.2.1&lt;br /&gt;07:48:05 PM perl-Archive-Tar-1.39.1-1.el5_5.2&lt;br /&gt;07:49:54 PM php-pdo-5.1.6-27.el5_5.3&lt;br /&gt;07:49:55 PM php-mysql-5.1.6-27.el5_5.3&lt;br /&gt;07:50:28 PM perl-Module-Load-0.10-3orc&lt;br /&gt;07:51:38 PM perl-Device-SerialPort-1.002-3orc&lt;br /&gt;07:51:49 PM zoneminder-1.23.3-2orc&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;and went through the very nicely done configuration.  Oops -- it wants a mysql database server running to save state:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;07:59:18 PM mysql-server-5.0.77-4.el5_6.6&lt;br /&gt;08:03:20 PM mysql-test-5.0.77-4.el5_6.6&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Zoneminder was willing to admit it could read &lt;tt&gt;/dev/video0&lt;/tt&gt; but all it returned was a black image.  Grrr.   ... and then after a few minutes, the laptop locked up again, and I had to power cycle the unit to recover use of it. 
Hmmm ..&lt;br /&gt;&lt;br /&gt;So I spent a few minutes with Google doing some research, and found what looks like a rather nice little application for USB frame grabbing called: gideo -- see: &lt;a href=&quot;http://mxhaard.free.fr/index.html&quot; target=&quot;_blank&quot;&gt;A GTK video grabber designed with spca5xx components&lt;/a&gt;.  Building it dragged in the Gnome / GTK development environment of thirty or so packages, and I only had to fix up a dependency's .spec file to handle Red Hat's multilib conventions &lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;05:27:56 PM libtiff-devel-3.8.2-7.el5_6.7&lt;br /&gt;05:29:52 PM gideo-0.1-1orc&lt;br /&gt;05:43:18 PM SDL_image-1.2.10-2orc&lt;br /&gt;05:43:18 PM SDL_image-devel-1.2.10-2orc&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;But now, 'gideo' is unwilling to admit, or loading the module is unwilling to produce a live &lt;tt&gt;/dev/video0&lt;/tt&gt;, and ... you guessed it: The laptop locked up again, and I had to power cycle the unit to recover use of it&lt;br /&gt;&lt;br /&gt;I think perhaps I'll try a different video camera</description>
	<pubDate>Sun, 22 May 2011 21:59:00 +0000</pubDate>
	<author>noreply@blogger.com (R P Herrold)</author>
</item>
<item>
	<title>Karanbir Singh: RHEL 6.1 and CentOS 6.x</title>
	<guid>http://www.karan.org/blog/333@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/05/19/rhel-6-1-and-centos-6-x</link>
	<description>&lt;p&gt;Earlier in the day today Red Hat released RHEL 6.1 ( &lt;a href=&quot;http://www.redhat.com/about/news/prarchive/2011/Red-Hat-Delivers-Red-Hat-Enterprise-Linux-6-1&quot;&gt;http://www.redhat.com/about/news/prarchive/2011/Red-Hat-Delivers-Red-Hat-Enterprise-Linux-6-1&lt;/a&gt; ). Congratulations to them, it looks like a great release with lots of cool new stuff in there.&lt;/p&gt;

&lt;p&gt;Most people will want to know how this impacts CentOS and the CentOS-6 plans. We are, at this time, on course to deliver CentOS-6 within the next couple of weeks. We will carry on with those plans as is, and deliver a 6.0 release and then go to work on 6.1. I am fairly confident that we can get to a 6.1 release within a few weeks of the 6.0 set being finalised. Partially due to the automation and the testing processes being put into place to handle the entire CentOS-6 branch.&lt;/p&gt;

&lt;p&gt;If you would like to follow progress of the QA and Release team, you are welcome to drop in at &lt;a href=&quot;http://qaweb.dev.centos.org/qa/&quot;&gt;http://qaweb.dev.centos.org/qa/&lt;/a&gt; . Jeff has been keeping the calendar as updated as possible and is doing a good job of keeping a fair bit of information flowing through there. At some point next week, we will try and get some dates in place for the 6.1 process as well.&lt;/p&gt;

&lt;p&gt;So what happens if 5.7 comes along in the mean time ? Well, the CentOS-5 process is now completely disconnected from the CentOS-6 one, and a 5.7 release should have no impact on the progress of CentOS-6 and the release cycles. We have also been working on plans for an opt-in, by design process that would allow users to get early access to packages being built for a point release. More details on that soon.&lt;/p&gt;

&lt;p&gt;Comments and feedback are always welcome!&lt;/p&gt;

&lt;p&gt;- KB&lt;/p&gt;</description>
	<pubDate>Thu, 19 May 2011 21:12:21 +0000</pubDate>
</item>
<item>
	<title>Karanbir Singh: Sign multiple rpms with one command</title>
	<guid>http://www.karan.org/blog/332@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/05/06/sign-multiple-rpms-with-one-command</link>
	<description>&lt;p&gt;Trying to sign a bunch of rpms usually means having to type in your password for the gpg key multiple times, once for each rpm. However, you can avoid doing that with this :&lt;/p&gt;

&lt;p&gt;&lt;code&gt;rpm --resign `find . -name '*.rpm'`&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;That will only prompt you once for the key passphrase, and sign all the packages it finds under that directory.&lt;/p&gt;

&lt;p&gt;- KB&lt;/p&gt;</description>
	<pubDate>Fri, 06 May 2011 23:46:21 +0000</pubDate>
</item>
<item>
	<title>Karanbir Singh: CentOS 5.6 is now Released!</title>
	<guid>http://www.karan.org/blog/331@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/04/08/centos-5-6-is-now-released</link>
	<description>&lt;p&gt;Hi Guys,&lt;/p&gt;

&lt;p&gt;CentOS 5.6 is now out and available from all mirrors. In the next few hours, all yum operations will switch from 5.5 to 5.6 ( for people who run the default yum configs ).&lt;/p&gt;

&lt;p&gt;All the Release Details : &lt;a href=&quot;http://lists.centos.org/pipermail/centos-announce/2011-April/017282.html&quot;&gt;http://lists.centos.org/pipermail/centos-announce/2011-April/017282.html&lt;/a&gt; and make sure you skim through the Release Notes  at &lt;a href=&quot;http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.6&quot;&gt;http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.6&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Enjoy!&lt;/p&gt;

&lt;p&gt;- KB&lt;/p&gt;</description>
	<pubDate>Fri, 08 Apr 2011 23:29:22 +0000</pubDate>
</item>
<item>
	<title>Karanbir Singh: Why we needed to reissue the CentOS-5.6/x86_64 ISOs</title>
	<guid>http://www.karan.org/blog/330@http://www.karan.org/blog/</guid>
	<link>http://www.karan.org/blog/index.php/2011/04/08/why-we-needed-to-reissue-the-centos-5-6-x86_64-isos</link>
	<description>&lt;p&gt;&lt;strong&gt;What was the issue&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;There was an invalid rpm ( eclipse-ecj ) in the x86_64/os tree. Premature EOF in rpm payload.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Report&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;Early morning on the 7th James Hogarth, BSkyB Entertainment reported to the QA team that there was an issue with the eclipse-ecj package shipped in the CentOS-5.6/x86_64 os tree. Stephen Walsh and Manuel Wolfshant tracked the issue back to the primary seed machine and confirmed the issue was present in not only the os tree, but also on CD3 and DVD1 of the x86_64 distribution.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reason for this issue&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;The CentOS distribution is composed on the buildservices, but then transferred over to the distro-build machines where the installer is built. There are automated tests that run at both of these locations. The rpm content tests ( rpm -K ) for md5's as well as gpg key. The distro had passed this test at both locations. The output from the distro-build machines is the actual package tree, the installer code, isos for cd's and dvd. This is transferred using rsync to the staging machine from where we start the release process ( initially to QAMachines when in qa mode; or into the mirror.centos.org network when in release mode ). There are no tests done at the staging machine. Packages are transferred one at a time, rather than as a whole tree ( mostly for legacy reasons ). It seems that the transfer for eclipse-ecj did not complete ( driven by the fact that it's OK on one side and not on the other ).&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Impact&lt;/strong&gt;: &lt;/p&gt;

&lt;p&gt;We had to rebuild the torrents, DVD isos, CD isos and update the CentOS-5.6/x86_64 distribution. There was no impact to CentOS-5.6/i386.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;What did we do to fix things&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;To address this issue, we had to issue a new set of ISOs, and since the package content was changing, rebuild metadata. Which in turn needed a complete rebuild of the ISOs ( but not the install tree ). Over the course of the morning, Fabian and Manuel were able to test the new tree, and our automated tests ran through for the ISOs.&lt;/p&gt;

&lt;p&gt;There was also a lot of rollback work that needed to be done, including handling the torrent tracker, issuing new torrents, making sure the mirror network etc. Much of which is done manually; and the main reason things took almost 18 hrs to resolve.&lt;/p&gt;


&lt;p&gt;&lt;strong&gt;Steps taken to ensure this problem does not happen again&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;I've now moved a large number of tests to the staging machine as well, including the rpm tests. This adds an additional 3 hours to the process, but it's a worthwhile safeguard.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;I hope this helps clear up things. Also, md5sum and sha1sum for ISOs as well as torrent files are published along with the torrent files and available on all mirrors. They will also be mentioned in the actual CentOS-5.6 Release Announcement. Everyone should check to make sure they get the right ones.&lt;/p&gt;

&lt;p&gt;If you get the new .torrent files and drop in into the same place as the older ones did, you should see most of your data be reused ( 30% on the DVD and 86% on the CD's ).&lt;/p&gt;</description>
	<pubDate>Fri, 08 Apr 2011 11:22:04 +0000</pubDate>
</item>

</channel>
</rss>

