Saturday, April 25, 2015

SystemD and FIFO Sockets in RHEL7

There's a bug with a relevant discussion on systemd's approach to FIFO socket deletion. As of systemd-214 the issue with "stale" sockets was resolved by supplying the `RemoveOnStop` option to its corresponding `.service`. However, at the moment RHEL7 has systemd-208 as the default version; and I am seeing the following errors in `dmesg` output:
systemd[1]: systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
systemd[1]: /usr/lib/systemd/system-generators/anaconda-generator exited with exit status 1.
[  +0.056775] systemd[1]: [/usr/lib/systemd/system/lvm2-lvmetad.socket:9] Unknown lvalue 'RemoveOnStop' in section 'Socket'
[  +0.000675] systemd[1]: [/usr/lib/systemd/system/dm-event.socket:10] Unknown lvalue 'RemoveOnStop' in section 'Socket'
I'm not sure if LVM2 is referencing a feature that's not available in the default systemd version; AFAIK, my configuration is pretty much standard (default) regarding the pertinent components.
# rpm -qf /usr/lib/systemd/system/lvm2-lvmetad.socket 
lvm2-2.02.115-3.el7.x86_64

# yum info systemd
Installed Packages
Name        : systemd
Arch        : x86_64
Version     : 208
Release     : 20.el7_1.2
Size        : 11 M
Repo        : installed
From repo   : rhel-7-server-rpms

# multipath -l
Apr 24 03:48:25 | DM multipath kernel driver not loaded
Apr 24 03:48:25 | /etc/multipath.conf does not exist, blacklisting all devices.
Apr 24 03:48:25 | A default multipath.conf file is located at
Apr 24 03:48:25 | /usr/share/doc/device-mapper-multipath-0.4.9/multipath.conf
Apr 24 03:48:25 | You can run /sbin/mpathconf to create or modify /etc/multipath.conf
Apr 24 03:48:25 | DM multipath kernel driver not loaded
According to the bug report, RHEL 7.2 is planned to include systemd version 219 by default. This issue should be resolved then, if not sooner through a patch. Ultimately, this issue is not critical to the systems' operation.

Power Management and Performance in Enterprise Linux (EL7)

As with most things in Linux, there is an array of different tools and options available when dealing with the performance and power consumption of hardware components. Nevertheless, certain standard or even non-standard defaults always emerge, either distribution-specific or distribution-agnostic. While a greater number of available tools provides greater control and more possible solutions, it also brings greater potential for confusion and unclear incompatibilities.
One such confusion arose when I noticed the inconsistency in my CPU frequency preference across reboots. I was used to using the cpupower utility from the kernel-utils package; however, options in the configuration file /etc/sysconfig/cpupower had no effect on the system during the boot-up process. It turns out that RHEL7 and, by extension, CentOS EL7 use the tuned utility by default for performance tuning. As a result, according to a post in the CentOS forum,
...that service conflicts with cpupower. As far as I can tell cpupower gets completely ignored by systemd once tuned is enabled. So you can either disable tuned and use cpupower or forget about cpupower and stick with tuned.
Consequently, this post will briefly outline how to use the 'tuned' utility to configure the performance and power preferences on a RHEL7 system. The tuned project page has some useful information about the utility, of course.

Full documentation on the 'tuned' utility can be found in the Fedora Power Management Guide. The 'tuned' utility takes advantage of udev's dynamic device management capabilities to statically assign power/performance values, through sysctl and sysfs settings, to various devices, including the CPU, network devices, disks, USB, audio, video and vm.
While the utility supports dynamic tuning as well, we won't concern ourselves with that feature here as it is disabled by default in EL7. Furthermore, according to the project's web page, dynamic tuning is experimental and limited in scope.
There are various profiles optimized for powersave, performance and virtual hosts/guests. You can view all available profiles with the following command:

# tuned-adm list
The profiles are held in the /usr/lib/tuned/ directory. The default profile is 'balanced'; if you want to switch to, e.g., the powersave profile, use:
# tuned-adm profile powersave
This setting is persistent across reboots. One can also create custom profiles that include and/or override settings from the system profiles. Custom profiles go in the /etc/tuned/ directory, and they take priority over the system profiles in case of a conflict.
A caveat worth mentioning, as explained in Fedora's Power Management Docs:
The powersave profile may not always be the most efficient. Consider there is a defined amount of work that needs to be done, for example a video file that needs to be transcoded. Your machine can consume less energy if the transcoding is done on the full power, because the task will be finished quickly, the machine will start to idle and can automatically step-down to very efficient power save modes. On the other hand if you transcode the file with a throttled machine, the machine will consume less power during the transcoding, but the process will take longer and the overall consumed energy can be higher. That is why the balanced profile can be generally a better option.

Sunday, April 19, 2015

Font Discrepancies in Google Play Books

I have two tablets with Google Play Books installed; the larger tablet has poor font display in Google Play Books when compared to the smaller Nexus7 tablet. I don't know if this is due to different fonts being installed or, perhaps, the difference in the display output. The older, larger tablet is running a custom firmware and, I noticed, the fontScale value is 1.15000; whereas the Nexus7 2013 is running CyanogenMod, and the fontScale value is 1.00000. However, even after changing the global fontScale to "normal" value of 1.00000 the font stays the same as before.

Expanding LVM Partition in RHEL7

Scenario:  I've created a VM with a RHEL7 guest.  The partition layout is a standard, primary partition for /boot and LVM for the rest--namely, /usr, /var, /home, swap and / (rootfs).  After installing updates and some other packages, the /usr directory began to fill up.

In order to mitigate the situation, I created an additional primary partition with an XFS filesystem, as that is the preferred/default FS in RHEL7.

    # parted /dev/vda mkpart P3 xfs 14G 16G

The above command instructs "parted" to operate on the /dev/vda disk and create primary partition 3 with XFS filesystem starting at 14G and ending at 16G.  
Next, I added the physical partition to LVM with the following command: 

    # pvcreate /dev/vda3

Then, extend the volume group with the physical partition with: 

    # vgextend rhel /dev/vda3 

and 

    # lvextend -L+2G /dev/rhel/usr

Finally, to grow the filesystem I executed 

    # xfs_growfs /dev/rhel/usr   

Saturday, April 11, 2015

Password Aging and Authentication in RHEL7

As I posted in a previous note, the password policy in RHEL 7, and most other Linux distributions, is handled by the dynamically configurable PAM (Pluggable Authentication Modules) system. However, a number of other tools are involved in securing a RHEL system. One such tool is the shadow password suite. The shadow suite adds a layer of abstraction for the system's login passwords by moving the account password hashes out of the world-readable /etc/passwd file into the separate file /etc/shadow, while the rest of the accounts system keeps working unchanged. The Linux Documentation Project explains it:
the password is stored as a single "x" character (i.e. not actually stored in this file). A second file, called "/etc/shadow", contains the encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

According to the Red Hat Documentation, "In Red Hat Enterprise Linux 7, shadow passwords are enabled by default."
The /etc/login.defs file defines the site-specific configuration for the shadow password suite. This file is required; absence of it will not prevent system operation, but will probably result in undesirable operation. Each line in the file describes one configuration parameter.
$ cat /etc/login.defs

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
As usual, the login.defs man-page provides more information on this file along with all of its available configuration options.


RHEL7 provides a command-line program, chage, as an alternative to editing an account's password-aging fields by hand. The shadow-utils package provides this as well as a number of other useful programs:
$ rpmquery -l shadow-utils

/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/lastlog
/usr/bin/newgrp
/usr/bin/sg
/usr/sbin/adduser
/usr/sbin/chpasswd
/usr/sbin/groupadd
/usr/sbin/groupdel
/usr/sbin/groupmems
/usr/sbin/groupmod
/usr/sbin/grpck
/usr/sbin/grpconv
/usr/sbin/grpunconv
/usr/sbin/newusers
/usr/sbin/pwck
/usr/sbin/pwconv
/usr/sbin/pwunconv
/usr/sbin/useradd
/usr/sbin/userdel
/usr/sbin/usermod
/usr/sbin/vigr
/usr/sbin/vipw
DESCRIPTION
       The chage command changes the number of days between password changes
       and the date of the last password change. This information is used by
       the system to determine when a user must change his/her password.

OPTIONS
       The options which apply to the chage command are:

       -d, --lastday LAST_DAY
           Set the number of days since January 1st, 1970 when the password
           was last changed. The date may also be expressed in the format
           YYYY-MM-DD (or the format more commonly used in your area).
           If the LAST_DAY is set to 0 the user is forced to change his
           password on the next log on.

       -E, --expiredate EXPIRE_DATE
           Set the date or number of days since January 1, 1970 on which the
           user's account will no longer be accessible. The date may also be
           expressed in the format YYYY-MM-DD (or the format more commonly
           used in your area). A user whose account is locked must contact
           the system administrator before being able to use the system
           again.

           Passing the number -1 as the EXPIRE_DATE will remove an account
           expiration date.

       -h, --help
           Display help message and exit.

       -I, --inactive INACTIVE
           Set the number of days of inactivity after a password has expired
           before the account is locked. The INACTIVE option is the number of
           days of inactivity. A user whose account is locked must contact the
           system administrator before being able to use the system again.

           Passing the number -1 as the INACTIVE will remove an account's
           inactivity.

       -l, --list
           Show account aging information.

       -m, --mindays MIN_DAYS
           Set the minimum number of days between password changes to
           MIN_DAYS. A value of zero for this field indicates that the user
           may change his/her password at any time.

       -M, --maxdays MAX_DAYS
           Set the maximum number of days during which a password is valid.
           When MAX_DAYS plus LAST_DAY is less than the current day, the user
           will be required to change his/her password before being able to
           use his/her account. This occurrence can be planned for in advance
           by use of the -W option, which provides the user with advance
           warning.

           Passing the number -1 as MAX_DAYS will remove checking a
           password's validity.

       -R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the
           configuration files from the CHROOT_DIR directory.

       -W, --warndays WARN_DAYS
           Set the number of days of warning before a password change is
           required. The WARN_DAYS option is the number of days prior to the
           password expiring that a user will be warned his/her password is
           about to expire.

       If none of the options are selected, chage operates in an interactive
       fashion, prompting the user with the current values for all of the
       fields. Enter the new value to change the field, or leave the line
       blank to use the current value. The current value is displayed between
       a pair of [ ] marks.
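The aging rule quoted from the chage man page (a password is expired once LAST_DAY plus MAX_DAYS is less than the current day) and the login.defs defaults above are enough to audit a shadow file for accounts that never expire or are already overdue. The script below is an added example, not from this post or from shadow-utils; the shadow-format records, the day number for "today" and the 90-day value in the remediation hint are all constructed.

```shell
#!/bin/sh
# Added example: audit password aging from shadow-format records.
# Field order, as in /etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# The records below are constructed for this example, not taken from a real host.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:16000:0:99999:7:::
alice:$6$saltsalt$hashhash:16500:0:90:7:::
bob:!!:16400:0:99999:7:::
dave:$6$saltsalt$hashhash:16400:0:90:7:::
eve::16500:0:90:7:::'

# audit_shadow TODAY   (TODAY = days since 1970-01-01, the unit chage and /etc/shadow use)
# Reads shadow-format lines on stdin and prints "name STATE", one account per line.
audit_shadow() {
    awk -F: -v today="$1" '
    NF >= 5 {
        name = $1; hash = $2; last = $3; max = $5
        if (hash == "")                          state = "NOPASSWORD"  # empty hash field
        else if (hash ~ /^[!*]/)                 state = "LOCKED"      # "!!" or "*": no usable hash
        else if (max == "" || max + 0 >= 99999)  state = "NOAGING"     # 99999 default, or -1 via chage -M
        else if (last + max < today)             state = "EXPIRED"     # rule from the chage man page
        else                                     state = "OK"
        print name, state
    }'
}

# state_of NAME TODAY: the audit state of a single account in SAMPLE_SHADOW
state_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$2" | awk -v n="$1" '$1 == n { print $2 }'
}

# suggest_chage NAME STATE: print (do not run) the chage command that would fix the finding;
# the 90-day maximum and 7-day warning are constructed policy values, not from the page.
suggest_chage() {
    case $2 in
        NOAGING) echo "chage -M 90 -W 7 $1" ;;
        *)       echo "# $1: no aging change needed" ;;
    esac
}

# Run against the post's date: 2015-04-25 is day 16550 since the epoch.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 16550
```

On a real host the input would be `/etc/shadow` (readable only by root, as the quoted text says) and TODAY `$(( $(date +%s) / 86400 ))`.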

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The code was originally based on pam_cracklib module, and the module is backwards compatible with its options.


The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf. The possible options in the file are:

difok Number of characters in the new password that must not be present in the old password. (default 5)

minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9)

dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 1)

ucredit The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. (default 1)

lcredit The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. (default 1)

ocredit The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. (default 1)

minclass The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). (default 0)

maxrepeat The maximum number of allowed same consecutive characters in the new password. The check is disabled if the value is 0. (default 0)

maxsequence The maximum length of monotonic character sequences in the new password. Examples of such sequence are '12345' or 'fedcb'. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. The check is disabled if the value is 0. (default 0)

maxclassrepeat The maximum number of allowed consecutive characters of the same class in the new password. The check is disabled if the value is 0. (default 0)

gecoscheck If nonzero, check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. The check is disabled if the value is 0. (default 0)

badwords Space separated list of words that must not be contained in the password. These are additional words to the cracklib dictionary check. This setting can be also used by applications to emulate the gecos check for user accounts that are not created yet.

dictpath Path to the cracklib dictionaries. Default is to use the cracklib default.

SEE ALSO
pwscore(1), pwmake(1), pam_pwquality(8)


PAM, pam - Pluggable Authentication Modules for Linux

The password policy in RHEL 7, and most other linux distributions, is handled by the PAM (Pluggable Authentication Modules) system. The dynamically-configurable system can be modified in /etc/pam.conf and /etc/pam.d/.
Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication management; password management; and session management. (We highlight the abbreviations used for these groups in the configuration file.)
Simply put, these groups take care of different aspects of a typical user's request for a restricted service:

account - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?

authentication - authenticate a user and set up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of Linux-PAM.

password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

session - this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


There are a number of different options that can be placed in the /etc/pam.d/system-auth file which allow system administrators to further customize how the various PAM modules behave. The following options are available for the pam_pwquality module:
debug This option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file).

authtok_type=XXX The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty.

retry=N Prompt user at most N times before returning with error. The default is 1.

difok=N This argument will change the default of 5 for the number of changes in the new password from the old password.

minlen=N The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9. Note that there is a pair of length limits also in Cracklib, which is used for dictionary checking, a "way too short" limit of 4 which is hard coded in and a build time defined limit (6) that will be checked without reference to minlen.

dcredit=N (N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be met for a new password.

ucredit=N (N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of upper case letters that must be met for a new password.

lcredit=N (N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of lower case letters that must be met for a new password.

ocredit=N (N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be met for a new password.

minclass=N The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class of characters is not required. Instead N out of four of the classes are required.

maxrepeat=N Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.

maxsequence=N Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are '12345' or 'fedcb'. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password.

maxclassrepeat=N Reject passwords which contain more than N consecutive characters of the same class. The default is 0 which means that this check is disabled.

gecoscheck=N If nonzero, check whether the individual words longer than 3 characters from the passwd GECOS field of the user are contained in the new password. The default is 0 which means that this check is disabled.

badwords='list of words' The words more than 3 characters long from this space separated list are individually searched for and forbidden in the new password. By default the list is empty which means that this check is disabled.

enforce_for_root The module will return error on failed check even if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password so the checks that compare the old and new password are not performed.

local_users_only The module will not test the password quality for users that are not present in the /etc/passwd file. The module still asks for the password so the following modules in the stack can use the use_authtok option. This option is off by default.

use_authtok This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.

dictpath=/path/to/dict Path to the cracklib dictionaries.
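The minlen and credit options listed here (and in the pwquality.conf list earlier) interact in a way that is easy to misjudge: with the RHEL 7 defaults a 9-character password can score 13, while an 8-character single-class one scores 9 and still passes, and any negative credit turns into a hard minimum. The POSIX shell script below is an added example, not from this post or from pam_pwquality's source; it assumes the scoring model the text describes (character count plus per-class credits must reach minlen, and a negative credit is a required count), so it is a dry-run of a proposed policy, not a replacement for pwscore(1). The sample strings are constructed.

```shell
#!/bin/sh
# Added example: model the minlen/credit arithmetic of pam_pwquality as described in
# the option list, to dry-run a policy before it is enforced. Assumption: effective
# length = character count + per-class credits, which must reach minlen; a negative
# credit is a hard minimum for that class. Only ASCII classes are modelled.

# count_chars STRING TRSET: number of characters in STRING that fall in TRSET
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# class_credit COUNT CREDIT: credit earned by COUNT characters of one class.
# CREDIT >= 0 caps the credit at CREDIT (each character counts +1 up to the cap);
# CREDIT < 0 demands at least -CREDIT characters and earns nothing ("fail" if unmet).
class_credit() {
    if [ "$2" -lt 0 ]; then
        need=$(( 0 - $2 ))
        if [ "$1" -ge "$need" ]; then echo 0; else echo fail; fi
    elif [ "$1" -lt "$2" ]; then
        echo "$1"
    else
        echo "$2"
    fi
}

# pw_score PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the effective length (or the reason for rejection) and returns 0 when the
# password meets MINLEN, 1 otherwise.
pw_score() {
    pw=$1; minlen=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_chars "$pw" '0-9')
    uppers=$(count_chars "$pw" 'A-Z')
    lowers=$(count_chars "$pw" 'a-z')
    others=$(( len - digits - uppers - lowers ))   # punctuation, space, anything else
    total=$len
    for c in "$(class_credit "$digits" "$3")" "$(class_credit "$uppers" "$4")" \
             "$(class_credit "$lowers" "$5")" "$(class_credit "$others" "$6")"; do
        if [ "$c" = fail ]; then
            echo "required character class missing"
            return 1
        fi
        total=$(( total + c ))
    done
    echo "$total"
    [ "$total" -ge "$minlen" ]
}

# Dry-run the RHEL 7 defaults (minlen=9, all four credits 1) on constructed inputs
pw_score 'Passw0rd!' 9 1 1 1 1 || echo rejected   # 13: four classes, four credits
pw_score 'secret'    9 1 1 1 1 || echo rejected   # 7: six letters plus one credit
pw_score 'Passw0rd!' 9 -2 1 1 1 || echo rejected  # dcredit=-2 now demands two digits
```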

An additional configuration file worth mentioning within the context of password policy is /etc/login.defs; it's provided by the setup package. The /etc/login.defs file defines the site-specific configuration for the shadow password suite. Though it is not part of the PAM system, this file is required; its absence will not prevent system operation, but will probably result in undesirable operation.

Thursday, March 5, 2015

Ricoh SD-Card Reader and Linux

The Linux kernel has the benefit of making firmware and drivers available for a large number of widely used hardware devices and components. This provides great convenience and ensures portability and sane defaults across the various OS distributions. The open-source nature of the Linux kernel, however, relies on the hardware manufacturers to make the firmware and/or drivers available to the Linux community, a process that can be frustratingly slow at times, depending on the manufacturer. Furthermore, once a driver is included in the kernel, it falls to the various OS distributions to make the kernel, or a patch to it, available for users to install.
The functionality of rarely used hardware like a multimedia card reader (SD-card reader) is often overlooked by users until the day they try to use the device. Usually, the kernel loads the necessary modules for the device during the boot-up process. However, if an SD card is not present while the kernel is configured, the module will have to be loaded manually with the modprobe command. This post attempts to outline the necessary steps and required kernel modules to enable a Ricoh 4-in-1 media card reader on a ThinkPad W520 laptop running Fedora 20.
The pertinent kernel modules for the SD-card reader are:
  • mmc_core
  • mmc_block
  • sdhci
  • sdhci_pci
  • sdricoh_cs
If you're not sure about the specific modules, or if they differ for a particular SD-card reader, you can look for them in the /usr/lib/modules/KERNELVERSION subfolders:
find /usr/lib/modules/3.10.06-100.fc20 -iname '*mmc*' 
find /usr/lib/modules/3.10.06-100.fc20 -iname '*sdhc*'
find /usr/lib/modules/3.10.06-100.fc20 -iname '*ricoh*'
To check whether the needed kernel modules are already loaded:
lsmod |egrep 'mmc|sdhci|ricoh'
I'm not an expert on this stuff by any means; I still have to figure out the specific modules needed without loading unnecessary and conflicting modules. The following is the dmesg output when a microSDHC+adapter was inserted.
kernel: mmc0: Controller never released inhibit bit(s).
kernel: mmc0: new high speed SDHC card at address e624
kernel: mmcblk0: mmc0:e624 SU32G 29.7 GiB (ro)
kernel:  mmcblk0: p1
kernel: SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
udisksd[5513]: Mounted /dev/mmcblk0p1 at /run/media/Username/3532-3435 on behalf of uid 1000
kernel: mmc0: Card removed during transfer!
kernel: mmc0: Resetting controller.
kernel: mmcblk0: error -123 sending status command, retrying
kernel: mmcblk0: error -123 sending status command, retrying
kernel: mmcblk0: error -123 sending status command, aborting
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234904) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234905) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234906) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234907) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234908) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234909) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234910) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234911) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234912) failed
kernel: FAT-fs (mmcblk0p1): Directory bread(block 1234913) failed
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 353)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 406)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1425)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1426)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1425)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1426)
kernel: mmc0: Got data interrupt 0x00100000 even though no data operation was in progress.
kernel: mmc0: card e624 removed
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1424)
kernel: FAT-fs (mmcblk0p1): FAT read failed (blocknr 1126)
kernel: FAT-fs (mmcblk0p1): unable to read inode block for updating (i_pos 414429186)
udisksd[5513]: Cleaning up mount point /run/media/Username/3532-3435 (device 179:1 no longer exist)
kernel: mmc0: new high speed SDHC card at address e624
kernel: mmcblk0: mmc0:e624 SU32G 29.7 GiB (ro)
kernel:  mmcblk0: p1
kernel: SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
udisksd[5513]: Mounted /dev/mmcblk0p1 at /run/media/amel/3532-3435 on behalf of uid 1000


According to an ArchLinux forum post, a problem arises if mmc_block is loaded:
There are two readers, one for SD and one for MMC. The SD reader is capable of reading MMC, however: As soon as the SD reader notices that the MMC reader is present, it passes the card to the MMC reader, which is unsupported by Linux. The MMC disabler driver is meant to prevent that, so that the working reader handles the MMC card, not the unsupported one (confusing, I know). So theoretically, MMC should work, too. However, the MSPro and xD readers do not work, as there are no drivers for them.

Solution

modprobe -r mmc_block
Unloading the mmc_block kernel module results in the following dmesg output:
kernel: mmc0: card e624 removed
kernel: mmc0: new high speed SDHC card at address e624
kernel: mmcblk0: mmc0:e624 SU32G 29.7 GiB
kernel:  mmcblk0: p1
kernel: SELinux: initialized (dev mmcblk0p1, type vfat), uses genfs_contexts
udisksd[5513]: Mounted /dev/mmcblk0p1 at /run/media/Username/3532-3435 on behalf of uid 1000

Monday, February 9, 2015

RHEL-RHCSA-clock_Timezone.md

localtime

Upon a successful login into the VM system, changing the Timezone to which the system’s time is configured can be accomplished by changing the /etc/localtime link.

NOTE
Since the implementation of systemd in RHEL7, changing the system's default
timezone manually is not persistent: the /etc/localtime link gets recreated
by systemd after a reboot, so the user must use timedatectl to make the desired
change persistent.

To change the default timezone to the timezone of Chicago, for example, execute the following as the root user:

#  cd /etc/
#  ls -alh localtime
/etc/localtime -> ../usr/share/zoneinfo/America/New_York
#  unlink /etc/localtime
#  ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
#  ls -alh localtime
/etc/localtime -> /usr/share/zoneinfo/America/Chicago

In the above example, we have changed the timezone from the previous value, the timezone to which "New_York" belongs, to the timezone of Chicago.


The systemd Method for Changing the Default Timezone

Synopsis

      timedatectl [OPTIONS...] {COMMAND}

Description

      timedatectl may be used to query and change the system clock and its settings.

      Use systemd-firstboot(1) to initialize the system time zone for mounted (but not booted) system images.

timedatectl list-timezones

Shows all the available “timezones” in the form of Continent/City.

timedatectl set-timezone America/Chicago

Changes the system’s clock to follow the timezone of the city of Chicago.

Wednesday, February 4, 2015

Configure rsyslog Server on Fedora

It can be very beneficial for system and network administrators to log system messages from other machines on the network to a centralized hub. Fedora 20 uses rsyslog as its default syslogd service, which allows administrators to configure remote logging. I'll be detailing the configuration steps needed in rsyslog on Fedora 20 to accept log messages from a DD-WRT router. This will entail:
  • Edit /etc/rsyslog.conf
  • Set up firewall rule to allow incoming connection to server
  • Configure DD-WRT router to send syslogd messages to our server

rsyslog server

Our server will be the Fedora 20 machine. There are two configuration files in the /etc/ directory that are of interest to us:
/etc/rsyslog.conf
/etc/sysconfig/rsyslog
However, the latter file is no longer useful, as it states itself:
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS=""
That means our configuration options are defined in /etc/rsyslog.conf alone. In particular, we're going to want to uncomment
$ModLoad imtcp
$InputTCPServerRun 514
to direct rsyslog to listen on the TCP port 514 for remote messages.
Then, at the bottom of the file a block of options is given to specify the remote host:port from which to accept log messages, as well as to spool messages to disk if the remote host is down.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
For example, this is a working rule that accepts logs from the DD-WRT router:
# ### begin forwarding rule ###
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount 10
*.* @192.168.1.1:514
# ### end of the forwarding rule ###
After you save the changes in /etc/rsyslog.conf, restart the rsyslog service:
systemctl restart rsyslog.service

Firewall rule

Since recent versions of Fedora, and also in RHEL 7, the firewalld package is used in place of plain iptables. Therefore, we will set up the firewall rule allowing connections to TCP port 514 using the firewall-cmd command-line tool; there is also a GUI available (firewall-config).
firewall-cmd --add-port=514/tcp
This changes the runtime configuration only. To make it permanent, also execute
firewall-cmd --add-port=514/tcp --permanent



Configuring DD-WRT For Remote syslogd Server

[Image: DD-WRT Services tab]
Note: This assumes the DD-WRT firmware v24-sp2.
Using the web interface, go to the Services tab, enable syslogd and enter the rsyslog server's IP address. Be sure the server has a statically assigned IP address.
[Image: DD-WRT syslogd option]
Verify that you have a listening socket:
netstat -tunlp | grep syslog
You can test it by SSH-ing into the router and executing
echo "yo-Adrian" | nc 192.168.1.2 514
If you receive no error message, you should find the funny message in the server's /var/log/messages file.
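As an added example (not code from the original post), the following Python script reproduces the exchange the nc test above relies on: it frames an RFC 3164 syslog line the way rsyslog's imtcp listener expects, delivers it over TCP to a throwaway listener on localhost standing in for the port 514 receiver, and parses it back, including the bare "yo-Adrian" case that carries no PRI header. The router hostname, program tag and timestamp are constructed sample values.

```python
import re
import socket
import threading

# RFC 3164 line as rsyslog's imtcp receives it: <PRI>TIMESTAMP HOST TAG: MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def build_message(facility, severity, host, tag, text, timestamp="Feb  4 12:00:00"):
    """Encode PRI = facility * 8 + severity; imtcp delimits messages by newline."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {text}\n"

def parse_message(line):
    """Decode a received line. A line without a PRI header (the bare 'yo-Adrian'
    from the nc test) gets the RFC 3164 default <13> = user.notice, as rsyslog does."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return {"facility": 1, "severity": 5, "host": None, "msg": line.rstrip("\n")}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def roundtrip(line):
    """Send `line` over TCP to a throwaway listener on 127.0.0.1 (standing in
    for rsyslog on port 514) and return what the listener parsed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; rsyslog would bind 514
    srv.listen(1)
    port = srv.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(line.encode())

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    with conn:
        data = b""
        while not data.endswith(b"\n"):  # read exactly one newline-framed message
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
    t.join()
    srv.close()
    return parse_message(data.decode())

if __name__ == "__main__":
    # Constructed sample: a router message (user.info) and the bare nc test string.
    print(roundtrip(build_message(1, 6, "DD-WRT", "dnsmasq", "started")))
    print(roundtrip("yo-Adrian\n"))
```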



Sunday, January 25, 2015

Firefox Apps on Desktops!

The Firefox browser has always thrived as the underdog, the "alternative" browser of choice. It is this identity, along with its historically strong security record and open-source nature, that propelled it and its predecessor, the "Mozilla browser", to nearly 50 percent usage share by some counts. More recently, however, with the browser market crowded by the additions of Apple's Safari and Google's Chrome, Firefox's usage share has been trending downward, even as the newer entrants, Chrome in particular, have seen exponential user growth.


What is perhaps even more troubling is that "power users" have increasingly been jumping ship, decrying their growing dislike of Firefox and praising the features and functionality of Chrome. While some of Chrome's features, like Chrome apps, are prominently displayed in the Chrome browser, Firefox's Open Web Apps for desktops are available on the Firefox Marketplace, yet the Marketplace integration is not presented as prominently, even in the Developer Edition of Firefox. Maybe that is why Chrome's set of web applications seems more plentiful and better supported: if Firefox's users, and its potential app developers, are not aware of the state of the Marketplace, they either assume it is at an early stage of development or do not know it exists at all!
Nevertheless, as I stated before, in case you haven't heard, the Firefox Marketplace for Web Apps is up and running. It hosts a number of useful, fun, fully functional Web Apps that work on your mobile as well as your desktop platforms. Apps like StackEdit.

As an open-source application, StackEdit's philosophy aligns well with that of Mozilla. At the moment, however, the Firefox Marketplace version of the application does not allow Google-integrated services: it always results in a popup window with a long Google sign-in link that stays blank indefinitely. I feel guilty admitting that I financially support StackEdit, great software as it is, yet have done nothing even remotely comparable for Mozilla. Perhaps my guilt is driving me to try to persuade the developers of StackEdit to dedicate more effort to the Mozilla/Firefox version of their software!
Despite this annoying shortcoming, the installation and feature set provided by the Open Web Apps version of StackEdit work and look great on my Red Hat system with GNOME 3.8.4.