2016-09-22

EFF Announces Voting Registration Service

The Electronic Frontier Foundation (EFF) has announced a Beta version of its ongoing project to make voter registration for United States elections easier. The service, HelloVote, lets a user register by exchanging text messages with it.




There is another service provided by VotePlz.org that allows citizens to:


Not sure if you’re registered? No problem! We’ll check if you’re registered to vote at your current home address.
Don’t have time to vote in person? You can vote by mail instead—it’s even easier!
Want to vote in person? We’ll show you where your nearest polling station is and help you get there.
Don’t have a stamp or a printer? That’s all right! We can mail you a form, or print a form with pre-paid postage.

2016-08-11

Apache Webserver, PHP, and Software Collections on RHEL7

The relatively short lifespan of PHP releases sits awkwardly with extended-release operating systems such as Red Hat Enterprise Linux and CentOS. The longevity of the OS is, perhaps, one of its most attractive features for server owners and administrators, but as with most things there is a trade-off: an extended-release OS gives the core of the server a long "shelf life" with ongoing support and security backports, so it is not surprising that "bleeding edge" software is absent from the default repositories.

This creates a dilemma in the days of DevOps and growing Internet penetration. Software Collections (SCL) make the scenario less painful: they provide a repository of more recent software versions that are installed under /opt/rh/ and kept separate from the system-wide packages, with their own paths and configuration files. This allows us, for example, to run different versions of PHP on the same system. On CentOS the repository is enabled by installing the centos-release-scl package; on RHEL it is the rhel-server-rhscl-7-rpms channel.

yum install httpd24-httpd php55{,-devel}

scl enable php55 /bin/bash

systemctl enable httpd24-httpd

The commands above install the newer Apache web server into the /opt/rh/httpd24/root/ tree and the PHP 5.5 collection beside it under /opt/rh/php55/. The second command does not switch the system to the new PHP: scl enable php55 /bin/bash starts a new shell whose PATH and library path put the collection's php first, and the change ends when that shell exits (put the same call in a wrapper script or a unit file if a service needs it). Lastly, the Apache web server is enabled to start automatically at boot. Check which binaries you are actually running with "which php" and "php -v" inside and outside the SCL shell before assuming an upgrade took effect.
Please note, the default DocumentRoot is not "/var/www/html" anymore; rather, it's "/opt/rh/httpd24/root/var/www/html", and the server configuration lives under "/opt/rh/httpd24/root/etc/httpd/".


Additional steps

SELinux

The SELinux type for web content that httpd is allowed to write is httpd_sys_rw_content_t. The precise fix is to label only the directories the application has to write (upload and cache directories, for example) with that type, recording the rule with semanage fcontext and applying it with restorecon, so that the rest of the DocumentRoot stays read-only for the apache user. The blunt alternative is the httpd_unified boolean:
setsebool -P httpd_unified=1
setsebool -P httpd_builtin_scripting=1
setsebool -P httpd_enable_cgi=1

The last two booleans are already on by default on RHEL 7 (mod_php needs httpd_builtin_scripting). The httpd_unified boolean allows the apache user, under which the web server runs, to write to every "httpd_sys_content_t"-labeled file and directory. That means a compromised PHP application can rewrite its own code, which is exactly what the read-only label was protecting against, so prefer the per-directory labeling when you can.

Apache Config

If you are faced with repeated 404 errors for pages that worked before, the usual cause is that the application relies on rewrite rules in a .htaccess file (a front controller, for instance) while the stock httpd.conf sets AllowOverride None for the DocumentRoot, which makes httpd ignore .htaccess entirely. The blanket fix is to change AllowOverride None to AllowOverride All for the DocumentRoot in httpd.conf. A tighter fix is to grant only what the rules need (mod_rewrite directives require AllowOverride FileInfo) or to move the rules into the virtual host configuration, which keeps a writable DocumentRoot from becoming a way to change server behaviour and also saves httpd a .htaccess lookup on every request.

2016-05-20

Resource Load Tips and Tricks

  • Redirect dynamic page to static page if resource issues arise from high traffic to a single Webpage
  • sar -q
  • top -c
  • netstat -antp
  • lsof -itcp
  • lsof -i :80

    When you see a PID that is connecting out to a remote port 80 rather than accepting a connection on local port 80, run lsof -p on that PID and look at the cwd and txt entries to find its working directory and the binary it runs (ls -l /proc/PID/cwd /proc/PID/exe gives the same answer without lsof). Outbound HTTP from the web server's own user is a common sign of a web shell or a downloader script, so treat it as an incident indicator rather than a load problem.


Security


Check if we support insecure SSLv2:
  • openssl s_client -connect 127.0.0.1:443 -ssl2

A successful handshake is the finding; a refusal is a pass. The test only proves something when the client side still has SSLv2 compiled in, and the openssl shipped with RHEL/CentOS 7 is built without it, so -ssl2 fails there with "unknown option" regardless of what the server accepts. Run the check from a client that still supports the protocol, or point nmap's ssl-enum-ciphers script at the port, and test -ssl3 the same way while you are at it.

Check for outbound connections to remote port 80

  • netstat -atnp |awk '$5 ~ /80/ {print $0}'

The command above uses a regular expression to search for "80" anywhere within the 5th column (Foreign Address) of the netstat -atnp output, so it also matches ports such as 180 and 8080 and addresses that merely contain 80.

  • netstat -atnp |awk '$5 ~ /80$/ {print $0}'

Does the same, but only matches "80" at the end of the string, which still lets 180 and 8080 through.

  • netstat -atnp |awk '$5 ~ /:80$/ {print $0}'

Does the same, requiring "80" at the end of the string AND preceded by a colon, the port separator, so only peers on port 80 match. On a RHEL 7 minimal install netstat (net-tools) is not present; with ss -tnp the peer address is again the fifth field, and ss -tnp '( dport = :80 )' does the filtering itself.
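As an added example (not part of the original post), the three patterns above run against a constructed netstat -atnp listing so the difference is visible; the hosts, ports, PIDs and program names are made up:

```shell
#!/bin/sh
# Constructed sample of `netstat -atnp` output; hosts, ports and PIDs are made up.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED 1235/httpd
tcp        0      0 10.0.0.5:44321          198.51.100.9:80         ESTABLISHED 1236/httpd
tcp        0      0 10.0.0.5:44322          198.51.100.9:8080       ESTABLISHED 1237/php
tcp        0      0 10.0.0.5:44323          198.51.100.9:180        ESTABLISHED 1238/perl
tcp        0      0 10.0.0.5:44324          198.51.100.80:443       ESTABLISHED 1239/curl'

# foreign_match PATTERN: read netstat -atnp output on stdin and print the
# PID/Program field of every line whose Foreign Address (field 5) matches
# PATTERN, space-separated on one line.
foreign_match() {
  awk -v pat="$1" '
    $5 ~ pat { printf "%s%s", (n++ ? " " : ""), $7 }
    END      { print "" }'
}

# The filter the post ends up with: only peers whose port is exactly 80.
outbound_http() { foreign_match ':80$'; }

# Run the three patterns from the post side by side.
compare_patterns() {
  for pat in '80' '80$' ':80$'; do
    printf '%-6s -> %s\n' "$pat" "$(printf '%s\n' "$NETSTAT_SAMPLE" | foreign_match "$pat")"
  done
}

compare_patterns
# On a live host:  netstat -atnp | outbound_http
```

The loose pattern flags the curl process whose peer merely has 80 in its IP address; only the anchored ':80$' form reduces the list to the httpd process talking out to port 80, which is the one to inspect with ls -l /proc/PID/cwd.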


2016-04-27

Red Hat Addresses Critical Firefox Vulnerability

On April 26th, 2016, Red Hat Enterprise Linux 5, 6 and 7, along with the community-supported counterpart CentOS, released a major Firefox upgrade to address a number of Critical vulnerabilities in the Extended Support Release (ESR) of Mozilla's browser.  The version number jumps from the 38 ESR series (38.8.0) to 45 (45.1.0).  According to the Red Hat Security Advisory, the Firefox version previously available for Enterprise Linux distributions was affected as follows:
 "A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
(CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2814)"

Upstream, Mozilla's Security Advisories page for the Extended Support Release (ESR) of Firefox tracks these issues and links to the individual advisories addressed by this major update. The fixed source package for RHEL 7 is:

firefox-45.1.0-1.el7_2.src.rpm

Buffer Overflow in libstagefright

 First, the potential for a web page containing malicious content to crash Firefox is outlined and tracked by Mozilla at https://www.mozilla.org/en-US/security/advisories/mfsa2016-44. Red Hat's advisory page shows a CVSS v2 base score of 5.1. According to the short description publicly available:

Using Address Sanitizer, security researcher Sascha Just reported a buffer overflow in the libstagefright library due to issues with the handling of CENC offsets and the sizes table.


 Overflow from Invalid HashMap Entry in JavaScript .watch()

The second issue, rated High, fixes a vulnerability in Firefox ESR that allowed malicious content in a web page to execute code as the user running the Firefox process, reachable through the JavaScript .watch() method.  Red Hat's advisory page shows a CVSS v2 base score of 5.1.  Mozilla's Security Advisory page has the following short description about this issue:

The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch() method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack.

 Critical Memory Safety Problems

According to the Security Advisory pages of both Red Hat and Mozilla, the various memory safety problems fixed by this release had a Critical impact.  Red Hat's advisory page shows a CVSS v2 base score of 6.8 for each of the three relevant problems (the CVEs in the list above not covered by the two issues just described) that were still present in Firefox 38.8 ESR.


Additional Resources


2016-04-13

RHEL 7 and CentOS 7 syslog Rate Limit

https://access.redhat.com/solutions/1417483
In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module

Lower Ratelimit Interval

Lower the rate-limiting interval and raise the burst so that fewer messages are dropped when a single source logs more than the allowed number of messages within one interval. journald applies the limit per service (per cgroup), not per process or system-wide, so one chatty daemon cannot starve the others, and there is usually no reason to touch the defaults. Disabling the feature entirely (setting either value to 0) is inadvisable: a process stuck in an error loop can then fill the journal and the disk.
grep -i rate /etc/systemd/journald.conf

#RateLimitInterval=30s
#RateLimitBurst=1000
RateLimitInterval=10s
RateLimitBurst=3000

rsyslog's imjournal module, which pulls messages out of the journal, has a second, independent limit. Its legacy directives (the defaults are 600 seconds and 20000 messages):
grep -i rate /etc/rsyslog.conf

#$imjournalRatelimitInterval 600    <--default
$imjournalRatelimitInterval 300
$imjournalRatelimitBurst 30000

Restart the affected service after editing (systemctl restart systemd-journald, then rsyslog).
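To make the two knobs concrete, here is an added example (not from the original post, and not systemd's code) that models journald's limiter as a fixed window: the first message opens a window of RateLimitInterval seconds, at most RateLimitBurst messages pass within it, the rest are suppressed, and the first message after the window has aged out opens a new one. It is a simplified model; the real implementation additionally scales the burst with the free disk space available to the journal.

```shell
#!/bin/sh
# ratelimit INTERVAL BURST: read one message timestamp (seconds, ascending)
# per line and print "passed suppressed" counts. Simplified model of the
# journald limiter for one service; assumes timestamps are sorted.
ratelimit() {
  awk -v interval="$1" -v burst="$2" '
    {
      ts = $1 + 0
      # Fixed window: opened by the first message, replaced only once a
      # message arrives after it has aged out (not a sliding window).
      if (!open || begin + interval < ts) { begin = ts; n = 0; open = 1 }
      n++
      if (n <= burst) passed++; else suppressed++
    }
    END { printf "%d %d\n", passed + 0, suppressed + 0 }'
}

# burst_of COUNT SPAN: COUNT timestamps spread evenly over SPAN seconds,
# a constructed stand-in for a process logging in a tight loop.
burst_of() {
  awk -v count="$1" -v span="$2" \
    'BEGIN { for (i = 0; i < count; i++) printf "%.4f\n", i * span / count }'
}

# Defaults (30s/1000) versus the values from the post (10s/3000) for the
# same 3000 messages logged within 10 seconds.
echo "default 30s/1000: $(burst_of 3000 10 | ratelimit 30 1000)"
echo "tuned   10s/3000: $(burst_of 3000 10 | ratelimit 10 3000)"
# The same 1500 messages spread over a minute all pass with the defaults,
# because a second window opens once the first one has expired.
echo "1500 over 60s:    $(burst_of 1500 60 | ratelimit 30 1000)"
```

The point the numbers make: the burst is what decides how much of a short spike survives, and the interval decides how long the source stays muted afterwards, so a shorter interval with a larger burst loses less during a spike without turning the limiter off.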

journal corruption

journalctl --verify
This walks every journal file and reports the ones that fail their consistency checks. journalctl has no --force option; when journald itself detects a corrupt file it renames it with a trailing ~ and starts a fresh one, and a file that --verify flags can be handled the same way: move it out of /var/log/journal/ (or /run/log/journal/) and restart systemd-journald. Keep the moved file if you need it for forensics; journalctl --file=PATH can still read what remains of it.

2016-04-11

Centos 7 pulseaudio

CentOS 7 does not ship awesome-wm in its default repositories. To use this lightweight tiling window manager you either build the package from source or pull it from another repository. EPEL is the safer first stop; the Fedora 19 repository approach described below mixes packages from an end-of-life distribution that no longer receives security updates into a supported one, so if you go that way, enable the repository only for the packages you need (includepkgs= in the .repo file) and disable it afterwards. For the Fedora 19 repo approach, see:

https://gist.github.com/ILMostro/1909a50e1858d0ee7e10

To use it without GDM, GNOME's display manager, and without the GNOME services, one has to be aware of certain things those services provide by default. One such gap is the lack of built-in sound and volume management. Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter. These packages are available from the "nux-dextop" repository at http://li.nux.ro/repos.html .

nux-dextop

My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at your OWN RISK!

Some of these repos are dependent on EPEL, if you find you're missing a dependency make sure you have the EPEL repo active in your OS.

If you are interested in a particular issue or have a problem feel free to drop me an email at rpm at li.nux.ro.

- Nux Dextop

Summary: A desktop and multimedia oriented RPM repository for EL. It contains a lot of graphical programs such as Ardour, but also text based apps like Cone. Notes: This repository is made to coexist with Fedora EPEL; it will probably conflict badly with Repoforge/RPMforge and ATrpms and possibly other repos. I try hard not to overwrite Base.

Installation (copy/paste) for EL6:

yum -y install epel-release && rpm -Uvh http://li.nux.ro/download/nux/dextop/el6/x86_64/nux-dextop-release-0-2.el6.nux.noarch.rpm

Installation (copy/paste) for EL7:

yum -y install epel-release && rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

- Nux Misc

Summary: RPMs that didn't make it in other repos yet. Notes: These RPMs might not get updated very frequently. Installation for EL6: Just drop http://li.nux.ro/download/nux/misc/nux-misc.repo in your /etc/yum.repos.d directory. The repo is disabled by default, so you will need to use the --enablerepo=nux-misc yum switch.

My GPG key: http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

If you want to request a package drop me an email at rpm at li.nux.ro or post on the forums.

install pavucontrol and/or pavumeter

Before adding the repository, note that the copy/paste lines above fetch the release package over plain HTTP and that rpm -Uvh does not refuse an unsigned package. Import the repository's GPG key first (rpm --import with the URL listed above), verify the downloaded release package with rpm -K, and check that gpgcheck=1 is set in the .repo file it installs, so that every package pulled from a third-party repository is signature-checked. Then:
yum install pavucontrol
yum install pavumeter
For a more complete list of useful additional repos for CentOS, see:
https://wiki.centos.org/AdditionalResources/Repositories

To ensure the sound works correctly, add the following to the ~/.xinitrc file:
pulseaudio -D &


https://wiki.archlinux.org/index.php/PulseAudio

https://awesome.naquadah.org/wiki/Volume_control_and_display


2016-04-10

cPanel Removal

It's a poorly kept secret that cPanel makes it hard for server owners and administrators to purge their systems of its rootkit-like software.  While they've recently made a change claiming to focus support on rpm-based Linux distributions, i.e. mainly Red Hat and CentOS, cPanel still breaks almost EVERYTHING RHEL/rpm-related on the system!

Their use of binary packages and Perl scripts, along with the choice to disable SELinux completely, puts this outdated and soon-to-be obsolete software in direct conflict with anything Linux! I wish they had switched to supporting Windows instead.

In any case, here's yet another blog post outlining a procedure for removing cPanel, relatively cleanly, from a VPS running CentOS 7 in a Virtuozzo container. Take a backup or snapshot first: several of the steps below delete files by glob.
yum list \*cpanel\*
yum remove \*cpanel\*

Remove (or comment out) the "exclude=" line in /etc/yum.conf. cPanel adds it so that yum never replaces its own builds of httpd, php, exim, mysql and the other listed packages with the distribution's; as long as it is there, yum upgrade silently leaves the cPanel versions in place.
# cat /etc/yum.conf 
[main]
#; exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail*
tolerant=1
errorlevel=1
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
Then execute:
yum clean all; yum check-update; yum upgrade

You might have to add "--skip-broken" to yum when installing packages that replace the cPanel-provided software; e.g. perl packages, php, httpd.

Install the "epel-release" package, which installs/enables the "epel" software repository on CentOS 7.
yum install epel-release
yum repolist all
yum-config-manager --enable epel
yum-config-manager --enable epel-testing
yum clean all; yum check-update; yum upgrade -y --skip-broken

As per this Answer on ask.fedoraproject.org, "firewalld" does not work correctly in a virtuozzo/openVZ container! Therefore, you might be better suited installing the "iptables" packages:
yum install iptable\*



Check the /etc Directory

The cPanel-related systemd services are placed in the /etc/systemd/system/ directory and, when enabled, linked from "/etc/systemd/system/multi-user.target.wants/". Disable them first (systemctl disable removes the links), then remove the unit files:
systemctl disable cpanel.service
systemctl disable cpanel...
List the directory before deleting anything: the hosting provider or you may have placed unrelated units there, and systemd keeps drop-in overrides under it as well. Remove only the cPanel units and run systemctl daemon-reload afterwards. If nothing else lives there, the blanket version is:
rm /etc/systemd/system/*.service
Take heed of hidden cron jobs in the usual locations, i.e.

  • /etc/crontab and /etc/cron.d/
  • /etc/cron.daily/
  • /etc/cron.hourly/
  • /etc/cron.weekly/
  • root user's crontab:  # crontab -l (and # crontab -l -u USER for the cPanel service accounts)
  • /var/spool/cron/$USER
Additionally, your hosting provider might have installed their own internal packages as well as something to facilitate the cPanel installation in their specific environment/setup.


cPanel also drops a prelink configuration entry pointing at its Perl tree; remove it along with the rest:
cat /etc/prelink.conf.d/cpanel.conf
-l /usr/local/cpanel/perl


Check the /etc/bashrc file for the cPanel-related prompt block (it reads /var/cpanel/users/ and writes a ~/.dns file on every login); comment it out or delete it:

# whoami=`whoami`
# if [ -e "~/.dns" ]; then
#    DNS=`cat ~/.dns`
#    PS1="\u@$DNS [\w]# "
# else
#    if [ -e "/var/cpanel/users/$whoami" ]; then
#        eval `grep DNS= /var/cpanel/users/$whoami`
# 
#            if [ ! "$DNS" = "" ]; then
#                echo -n "$DNS" > ~/.dns
#                PS1="\u@$DNS [\w]# "
#            fi
#    fi
# fi



unlink /etc/httpd/apache
unlink /etc/httpd/logs
rm -rf /usr/local/apache
rm -rf /usr/local/cpanel
rm -rf /var/cpanel
rm /etc/user*
rm /etc/www*
rm -rf /var/softaculous
Run ls on the two globs before the rm lines so you know exactly which files under /etc they will remove. The main issue comes from the virtfs "jail shell" that cPanel mounts for every user under /home, along with the following service accounts:
grep -i cpanel /etc/passwd
cpanel:x:201:201::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:202:202::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:203:203::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:204:204::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
cpanelrrdtool:x:205:205::/var/cpanel/userhomes/cpanelrrdtool:/usr/local/cpanel/bin/noshell
mailman:x:206:206::/usr/local/cpanel/3rdparty/mailman/mailman:/usr/local/cpanel/bin/noshell
cpanellogin:x:997:994::/var/cpanel/userhomes/cpanellogin:/usr/local/cpanel/bin/noshell
cpaneleximfilter:x:996:993::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell
cpaneleximscanner:x:995:992::/var/cpanel/userhomes/cpaneleximscanner:/usr/local/cpanel/bin/noshell
cpanelconnecttrack:x:994:991::/var/cpanel/userhomes/cpanelconnecttrack:/usr/local/cpanel/bin/noshell
cpses:x:993:990::/var/cpanel/cpses:/sbin/nologin

Once /usr/local/cpanel is gone, /usr/local/cpanel/bin/noshell no longer exists, so every account listed above is effectively locked out. First, give the real users in the "home" subdirectories a working shell:
usermod -s /bin/bash USERNAME
Then change the login shell for each additional account you wish to keep (use /sbin/nologin for service accounts that must not log in) and delete the irrelevant users, checking first that none of them still owns a running process or a cron job:
userdel cpanel
userdel cpanellogin
...
Additionally, the "virtfs" directories are present in the /etc/mtab file. The relevant lines should be commented out or deleted:
cat /etc/mtab
/dev/vzfs / reiserfs rw,usrquota,grpquota 0 0
# /dev/vzfs /home/virtfs/schuler/usr vzfs ro,nosuid,relatime,usrquota,grpquota 0 0
# /dev/vzfs /home/virtfs/schuler/usr/backup/cpainl-resid/cpanel/3rdparty/mailman vzfs ro,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/schuler/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/logs vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/schuler/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/lists vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/schuler/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/locks vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/schuler/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/qfiles vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr vzfs ro,nosuid,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr/backup/cpainl-resid/cpanel/3rdparty/mailman vzfs ro,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/logs vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/lists vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/locks vzfs rw,noatime,relatime,usrquota,grpquota 0 0
#/dev/vzfs /home/virtfs/amel/usr/backup/cpainl-resid/cpanel/3rdparty/mailman/qfiles vzfs rw,noatime,relatime,usrquota,grpquota 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
...
Better yet, simply delete the /etc/mtab file and it will be recreated during the next boot (on a stock CentOS 7 install /etc/mtab is a symlink to /proc/self/mounts; if it is a regular file here, cPanel or the container tooling replaced it). However, before the reboot, make sure to unmount all of the "bind" mounts. Unmount the deepest mount points first: a parent cannot be unmounted while a child is still mounted on top of it, and the lazy -l flag only hides that ordering problem by detaching the mount without waiting for it.
# for i in `grep /home/virtfs /proc/mounts | cut -d' ' -f2 | sort -r` ; do umount -R $i ; done
Then check that nothing under /home/virtfs/ is still mounted (grep /home/virtfs /proc/mounts must print nothing) and that the sub-directories are empty before deleting them. rmdir refuses to remove a non-empty directory, which is exactly the safety check you want here, so do not replace it with rm -rf.
rmdir /home/virtfs/user1adfal/usr/lib
rmdir /home/virtfs/user1adfal/usr
rmdir /home/virtfs/user1adfal
rmdir /home/virtfs
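As an added example (not from the original post), the unmount order worked out from a constructed /proc/mounts excerpt; the user names and mount points are made up, and the functions only print the plan and count what is left, so the output can be checked before anything is unmounted:

```shell
#!/bin/sh
# Constructed /proc/mounts excerpt with two cPanel jails; not from a real host.
MOUNTS_SAMPLE='/dev/vzfs / reiserfs rw,usrquota,grpquota 0 0
/dev/vzfs /home/virtfs/user1adfal/usr vzfs ro,nosuid,relatime 0 0
/dev/vzfs /home/virtfs/user1adfal/usr/lib vzfs ro,relatime 0 0
/dev/vzfs /home/virtfs/user1adfal/usr/lib/perl5 vzfs ro,relatime 0 0
/dev/vzfs /home/virtfs/amel/usr vzfs ro,nosuid,relatime 0 0
/dev/vzfs /home/virtfs/amel/usr/lib vzfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0'

# virtfs_mounts: read /proc/mounts on stdin, print the jail mount points
# deepest first. A child mount sorts after its parent lexicographically,
# so a reverse byte-order sort lists it first; /proc/mounts escapes spaces
# in mount points as \040, which is undone before printing.
virtfs_mounts() {
  awk '$2 ~ /^\/home\/virtfs\// { gsub(/\\040/, " ", $2); print $2 }' | LC_ALL=C sort -r
}

# virtfs_plan: the umount commands in that order, one per line (dry run).
virtfs_plan() {
  virtfs_mounts | while IFS= read -r mp; do
    printf 'umount %s\n' "$mp"
  done
}

# virtfs_leftover: number of jail mount points still present; must be 0
# before any rmdir under /home/virtfs.
virtfs_leftover() {
  virtfs_mounts | wc -l | tr -d ' '
}

printf '%s\n' "$MOUNTS_SAMPLE" | virtfs_plan
# On the live host:   virtfs_plan < /proc/mounts | sh
# then verify:        virtfs_leftover < /proc/mounts     (expect 0)
```

Piping the plan through sh only after reading it is deliberate: a stray mount point outside /home/virtfs would show up in the dry run rather than in an unmount of something you wanted to keep.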

See Also:

2016-02-28

LUKS Encryption and Unattended boot on Headless Servers

The anaconda installer on Red Hat-based Linux distributions offers to encrypt the /home partition with a single check-box. This adds an obviously valuable security/privacy feature, at the price that the system prompts for the passphrase during boot before it can decrypt the partition and mount it in its designated location. That default is not well suited to unattended reboots or to headless servers.

Be clear about what the procedure below buys you. The keyfile ends up on the unencrypted root filesystem, so anyone who obtains that disk, or root on the running system, has the key as well; the encryption then only protects the /home volume on its own, for example when the disks are separate, when a failed drive goes back for replacement, or when the volume lives on shared storage. If the threat is theft of the whole machine, an unattended keyfile defeats the purpose and the secret has to stay off the disk, which means a console passphrase.

The crypttab(5) manual page provides great information on how to facilitate the process for unattended boots:

DESCRIPTION
The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Empty lines and lines starting with the "#" character are ignored. Each of the remaining lines describes one encrypted block device, fields on the line are delimited by white space. The first two fields are mandatory, the remaining two are optional.

Setting up encrypted block devices using this file supports three encryption modes: LUKS, TrueCrypt and plain. See cryptsetup(8) for more information about each mode. When no mode is specified in the options field and the block device contains a LUKS signature, it is opened as a LUKS device; otherwise, it is assumed to be in raw dm-crypt (plain mode) format.

The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/.

The second field contains a path to the underlying block device or file, or a specification of a block device via "UUID=" followed by the UUID.

The third field specifies the encryption password. If the field is not present or the password is set to "none" or "-", the password has to be manually entered during system boot. Otherwise, the field is interpreted as a absolute path to a file containing the encryption password. For swap encryption, /dev/urandom or the hardware device /dev/hw_random can be used as the password file; using /dev/random may prevent boot completion if the system does not have enough entropy to generate a truly random encryption key.

Outline

  • Create a keyfile that will serve as the console password replacement
  • Ensure DAC (Discretionary Access Control) rules add a level of security, as keyfile will be stored on persistent storage
  • Add the keyfile to the accepted method of decryption
  • Edit the /etc/crypttab file to instruct the system to use the keyfile instead of console passphrase

Create keyfile

Execute the following in the terminal as the root user to create the keyfile:

# dd if=/dev/urandom of=/root/keyfile bs=1024 count=4

Permissions

Restrict the permissions to allow root user only to read the file:
# chmod 0400 /root/keyfile -c

Add to LUKS pool

Add the keyfile to one of the free LUKS key slots of the selected device. Note that the argument is the underlying encrypted block device (the second field of /etc/crypttab, UUID=..., which maps to /dev/disk/by-uuid/...), not the /dev/mapper/ name from the first field: the mapper device is the already-decrypted view and carries no LUKS header, so luksAddKey fails on it. The command prompts for an existing passphrase, which stays valid in its own slot, so you can still unlock from the console if the keyfile is lost.
# cryptsetup luksAddKey /dev/disk/by-uuid/xxxx-UUID-xxxx /root/keyfile
Confirm with cryptsetup luksDump /dev/disk/by-uuid/xxxx-UUID-xxxx that a second key slot is now ENABLED.

Update crypttab

Finally, update the /etc/crypttab file, replacing the third field (none) with the keyfile (/root/keyfile), as explained in the crypttab(5) manpage.
# vim /etc/crypttab
#Copy the line and comment out the first as backup, just in case.
#luks-xxxx-UUID-xxxx  UUID=xxxx-UUID-xxxx    none
luks-xxxx-UUID-xxxx  UUID=xxxx-UUID-xxxx    /root/keyfile

2016-02-15

LVM Snapshot Causes Boot Failure

If you've created an LVM snapshot before rebooting your system and found yourself staring at the dracut rescue shell, you might be hit by the same problem as I was.  Executing
init U
on the dracut command line resulted in a descriptive error message (which can also be found in the journal/logs) about a missing dm-snapshot kernel module.  I spent a couple of hours troubleshooting, failing to add the kernel module in the end, as I wasn't able to get to a working kernel.  Ultimately, the only solution was to remove the snapshot volume, which proved to be more difficult than expected.
To remove the snapshot LV, one executes:
dracut #: lvm lvremove vg_name/lv_snapshot_name
However, you might be confronted by an error message there as well: the volume appears to be locked at that point.  To get around this, simply remove the /etc/lvm/lvm.conf file from the volatile initramfs "filesystem" so that lvm falls back to its built-in defaults (this only touches the copy in RAM, not the one on your root filesystem):

dracut #: rm /etc/lvm/lvm.conf
dracut #: lvm pvscan
dracut #: lvm vgscan
dracut #: lvm lvscan
dracut #: lvm lvremove vg_name/lv_snapshot_name
dracut #: reboot -f



Note

To prevent this scenario from (re)occurring, make sure the dm-snapshot kernel module is included in the initramfs image. A one-off rebuild for the running kernel:
dracut -f -v --add-driver="dm-snapshot"
That only fixes the current initramfs; to have every future kernel update include the driver, put add_drivers+=" dm-snapshot " in a file under /etc/dracut.conf.d/ (the surrounding spaces are required) and regenerate.

2016-01-10

OpenStack Installation on RHEL7 System

There's a simple "Get Started" guide on the Red Hat website, which briefly outlines how to get a sample OpenStack system up and running in 5 steps.  The first, easily overlooked step is to start from a "minimal install" of RHEL 7 on a physical system.  If you've already set up and configured a system that you use for everyday tasks and/or work, be aware that the installation will repeatedly fail with errors due to incompatible options, missing dependencies, etc.

Provided that you've followed the subsequent steps in the guide to register the system and enable the pertinent repositories, the next step is to install and run the packstack script:

# yum install openstack-packstack

# packstack --allinone

This is a rather lengthy Python script that uses Puppet modules to install the necessary software components and configure the system as the OpenStack all-in-one server.  According to the packstack documentation, "It can be used to install each OpenStack service on separate servers, an 'allinone' server, or any combination of these." Expect to wait a while for the script to finish, meanwhile crossing your fingers that it completes successfully; otherwise, check the error output along with the error log whose path is given in the output.

If the packstack script finishes successfully, move on to the next step in the Guide and go to the OpenStack dashboard in your web-browser; the packstack exit status will provide the necessary instructions on how to get to the dashboard. 
Alternatively, if the script failed with errors, read on for some common troubleshoot procedures in the next section.


packstack Troubleshooting of Common Installation Errors

If you've failed to heed the advice provided in Step 1 of Red Hat's Get-Started Guide you're likely to experience failures in the packstack script. There are a number of bugs reported about the OpenStack installation script; though, a large percentage of them are, ultimately, stemming from users attempting to install OpenStack on an existing system with incompatible software packages and configurations. As frustrating as it may be, the packstack script is written so that existing software and their configurations are not forcefully erased, overwritten, or otherwise replaced. Therefore, one can also perceive it as being a safe, rather than an indiscriminately reckless approach.

According to the relevant bugs, as well as my own experience troubleshooting the installation on an existing non-"minimal-install" RHEL7.2 host, there are a few common problems that arise in this scenario. The first problem will manifest itself if the user has an existing MariaDB server installation.

MySQL Server Dependents

First, packstack may return the following error if there are installed software packages that depend on the existing MariaDB instance:

Error: Execution of '/usr/bin/rpm -e mariadb-server-5.5.44-1.el7_1.x86_64'
 returned 1: error: Failed dependencies:
 mariadb-server is needed by (installed) akonadi-mysql-1.9.2-4.el7.x86_64
The relevant bug for this is 1268868.
The workaround for this is to remove the dependency first, e.g. akonadi-mysql or akonadi:
# yum remove akonadi
Take care to notice if any other packages are pulled in to be removed, especially if you have a KDE Desktop Environment installed. Then, proceed as you wish, either cancel the procedure or use a different DE :D.

MySQL root Password

Next, packstack may exit with an error about missing permissions if your MySQL (MariaDB) server's root user already has a password: packstack connects with the password recorded in its answer file (CONFIG_MARIADB_PW). The cleanest workaround is to tell packstack the existing password instead of removing it: generate an answer file with packstack --gen-answer-file=FILE, set CONFIG_MARIADB_PW to the current root password, and run packstack --answer-file=FILE. The blunt workaround is to remove the SQL root user's password:

# mysqladmin -uroot -p password
This prompts for the current password of the MySQL root user, then for the NEW password. To remove the password, simply leave the NEW password prompt empty and hit Enter. This is, obviously, a security concern (any local process can then become the database root), so if you have a useful, important database already set up, think carefully before you proceed with the previous workaround, and set a password again afterwards.

Apache Web Server Modules

There are potential compatibility issues with certain apache modules that packstack complains about, resulting in a non-zero exit status. Specifically, the NSS apache module, mod_nss, will cause packstack to fail. The relevant bug is Bug-1257352 on bugzilla, which is closed as NOTABUG as explained there. The workaround is to remove mod_nss package:

# yum remove mod_nss
Alternatively, one can tell the apache server not to load the module, either by commenting out the lines in the file /etc/httpd/conf.d/nss.conf or by moving the file to a different location, temporarily.

PHP Apache Configuration

Similarly, /etc/httpd/conf.d/php.conf will cause a problem and needs to be (re)moved or otherwise indicate to the apache web server not to load the offending file, options, module.

Summary of Potential packstack Offenders

  • MariaDB
    • Software dependent on MariaDB (e.g. Akonadi)
    • root@localhost w/out password
  • Apache modules (e.g. mod_nss)
  • PHP (/etc/httpd/conf.d/php.conf)

2016-01-08

bash tips

Little-known bash commands for the SysAdmin Toolbox
finger
 This is a user-information lookup program, which displays information on system users.  Executed without an argument it lists the currently logged-in users, including where each session came from:
  
Login     Name       Tty      Idle  Login Time   Office     Office Phone   Host
user1     user1     tty1     1:40  Jan  7 15:57                           (:0)
user1     user1     pts/0          Jan  7 15:58                           (192.168.9.1)
Given a username as an argument it will display extended information on that user:
# finger user1
Login: user1                         Name: user1
Directory: /home/user1               Shell: /bin/bash
On since Thu Jan  7 15:57 (CST) on tty1 from :0
    1 hour 40 minutes idle
On since Thu Jan  7 15:58 (CST) on pts/0 from 192.168.9.1
   4 seconds idle
No mail.
No Plan.
chfn
 Similarly, use the chfn command to change the information that finger displays. Note that finger reads these fields straight out of /etc/passwd, so anything entered here is readable by every local user, and a finger daemon, if you run one, hands it to anyone on the network; keep it off exposed hosts.
SYNOPSIS
       chfn [-f full-name] [-o office] [-p office-phone] [-h home-phone] [-u] [-v] [username]
DESCRIPTION
       chfn is used to change your finger information.  This information is stored in the /etc/passwd file, and is displayed by the finger program.  The Linux finger command will display four pieces of information that can be changed by chfn: your real name, your work room and phone, and your home phone.
       Any of the four pieces of information can be specified on the command line.  If no information is given on the command line, chfn enters interactive mode.
       In interactive mode, chfn will prompt for each field.  At a prompt, you can enter the new information, or just press return to leave the field unchanged.  Enter the keyword "none" to make the field blank.
       chfn supports non-local entries (kerberos, LDAP, etc.) if linked with libuser, otherwise use ypchfn, lchfn or any other implementation for non-local entries.
chsh
 chsh is a quick tool that allows a user or, for other accounts, an administrator to change the login shell. For example,
# chsh -s /usr/sbin/noshell
(/usr/sbin/noshell is cPanel's; on a stock RHEL/CentOS system use /sbin/nologin to lock an account out of interactive login). If no shell is specified on the command line, chsh prompts for one; a user changing their own shell may only pick one listed in /etc/shells.
chage
                The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change his/her password. chage -l USER shows the current aging settings for an account, which is the quickest way to audit for passwords that never expire.
Usage: chage [options] LOGIN
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
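The aging fields chage manipulates live in /etc/shadow, and the first thing to do with them on an inherited box is audit, not set. As an added example (not from the original post), a small awk audit over constructed shadow lines that flags accounts with an empty password field or no maximum password age; the user names and hashes are made up, and reading the real file requires root:

```shell
#!/bin/sh
# Constructed /etc/shadow lines (hashes shortened, names invented):
# name:password:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE='root:$6$Zq1x$abcdef:16800:0:99999:7:::
alice:$6$Rt9u$ghijkl:16800:1:90:14:::
bob::16800:0:99999:7:::
svc-backup:!!:16800:0:99999:7:::
carol:$6$Kp2w$mnopqr:16800:0::7:::
dave:*:16800:0:99999:7:::'

# audit_shadow: read shadow-format lines on stdin and print "user finding"
# for every account that can log in with a password but is misconfigured.
# Locked accounts (password starting with ! or *) are skipped: no password
# works for them, so aging is irrelevant. An empty field means no password
# is needed at all; an empty or 99999 max age means the password never expires.
audit_shadow() {
  awk -F: '
    $2 == ""                      { print $1 " EMPTY_PASSWORD"; next }
    $2 ~ /^[!*]/                  { next }
    $5 == "" || $5 + 0 >= 99999   { print $1 " NO_MAX_AGE" }
  '
}

# findings_count: number of findings, for a pass/fail in a check script.
findings_count() {
  audit_shadow | wc -l | tr -d ' '
}

printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow
# On a live host (as root):  audit_shadow < /etc/shadow
# Fix a finding:             chage -M 90 -W 14 root   (then chage -l root to confirm)
```

On the sample this reports root and carol for a password that never expires and bob for an empty password field, while the locked svc-backup and dave accounts are correctly ignored.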
history
The bash shell is configured, by default, to keep a history list of the user's commands.  This is usually located in the ~/.history file or ~/.bash_history.
From the commandline we can traverse the history list and search for specific commands with the Ctrl-R shortcut key (assuming you kept the default emacs key-bindings).  To continue searching backwards to the next item matching your search criteria, simply repeat the shortcut key combination (Ctrl-R).  I admit I always forget this key combination, as I am a Vim user; emacs' own search shortcut is, if I recall correctly, Ctrl-S, but this will “freeze” the screen in a terminal until the user hits Ctrl-Q (XOFF).  A nifty option for your environment, if you don't want to keep finding duplicate items in your history, is to add the following to your ~/.bashrc:
HISTCONTROL=ignoredups
I'm sure you already know how to use the “bang” (!) in front of a command that you executed some time before to repeat it:
# !cat
But what if you just want to see what it was without executing it? Append :p, without any spaces, to the command:
# !cat:p
To repeat the previous command, do:
# !!
 To replace a specific item in the previous command (e.g. car) with a different one (e.g. cat) and execute it again with that new item, do:
# car /some/file/too/long/to/repeat/again.txt
# ^car^cat
More event designators, tricks and use-cases can be found in the history.info file; the relevant section is:
1.1.1 Event Designators
-----------------------
An event designator is a reference to a command line entry in the
history list.  Unless the reference is absolute, events are relative to
the current position in the history list.  
`!'
     Start a history substitution, except when followed by a space, tab,
     the end of the line, or `='.
`!N'
     Refer to command line N.
`!-N'
     Refer to the command N lines back.
`!!'
     Refer to the previous command.  This is a synonym for `!-1'.
`!STRING'
     Refer to the most recent command preceding the current position in
     the history list starting with STRING.
`!?STRING[?]'
     Refer to the most recent command preceding the current position in
     the history list containing STRING.  The trailing `?' may be
     omitted if the STRING is followed immediately by a newline.
`^STRING1^STRING2^'
     Quick Substitution.  Repeat the last command, replacing STRING1
     with STRING2.  Equivalent to `!!:s/STRING1/STRING2/'.
`!#'
     The entire command line typed so far.
Some more terminal shortcut tips:
Ctrl-/          Undo
Ctrl-g Ctrl-/   Redo
Ctrl-x Ctrl-x   Toggle the cursor between the current position and the beginning of the line
Ctrl-w          Cut/yank the word before the cursor
Alt-d           Delete the word after the cursor
Alt-t           Swap the current word with the previous word
Ctrl-t          Swap the previous 2 characters
Alt-u           Capitalize (UPPERCASE) every character of the word in front of the cursor
Alt-l           Make every character of the word in front of the cursor lowercase
Alt-c           Capitalize the character under the cursor
Alt-.           Insert the last word from the previous command
To change the keybindings to/from Vi/Emacs:
set -o vi
or
set -o emacs
Finally, if you want bash to print each command (after expansion) before it runs it, i.e. verbose debug output, do:
set -x
findmnt
Shows the mounted devices in a tree-like display.
# findmnt
TARGET                                SOURCE      FSTYPE      OPTIONS
/                                     /dev/mapper/fedora-root
│                                                 ext4        rw,relatime,seclabel
├─/sys                                sysfs       sysfs       rw,nosuid,nodev,noexec
│ ├─/sys/kernel/security              securityfs  securityfs  rw,nosuid,nodev,noexec
│ ├─/sys/fs/cgroup                    tmpfs       tmpfs       ro,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/devices          cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/memory           cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/freezer          cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/blkio            cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/cpu,cpuacct      cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/perf_event       cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/hugetlb          cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ ├─/sys/fs/cgroup/cpuset           cgroup      cgroup      rw,nosuid,nodev,noexec
│ │ └─/sys/fs/cgroup/net_cls,net_prio cgroup      cgroup      rw,nosuid,nodev,noexec
│ ├─/sys/fs/pstore                    pstore      pstore      rw,nosuid,nodev,noexec
│ ├─/sys/fs/selinux                   selinuxfs   selinuxfs   rw,relatime
│ ├─/sys/kernel/debug                 debugfs     debugfs     rw,relatime,seclabel
│ ├─/sys/kernel/config                configfs    configfs    rw,relatime
│ └─/sys/fs/fuse/connections          fusectl     fusectl     rw,relatime
├─/proc                               proc        proc        rw,nosuid
│ │ └─/proc/sys/fs/binfmt_misc        binfmt_misc binfmt_misc rw,relatime
│ └─/proc/fs/nfsd                     nfsd        nfsd        rw,relatime
├─/dev                                devtmpfs    devtmpfs    rw,nosuid,seclabel
│ ├─/dev/shm                          tmpfs       tmpfs       rw,nosuid,nodev,seclabel
│ ├─/dev/hugepages                    hugetlbfs   hugetlbfs   rw,relatime,seclabel
│ └─/dev/mqueue                       mqueue      mqueue      rw,relatime,seclabel
├─/tmp                                tmpfs       tmpfs       rw,seclabel

Network

The following is a native bash one-liner that outputs only the IP address of an interface.

NOTE: Make sure to change the interface name to correspond with yours.

ipaddr=$(/sbin/ifconfig eth0); ipaddr=${ipaddr/*inet /}; ipaddr=${ipaddr/ */}; echo "$ipaddr"
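The one-liner above depends on the exact layout that ifconfig prints, which has changed between net-tools versions. The script below is an added example, not part of the original post: it uses the same parameter-expansion technique but handles the older "inet addr:" layout, the newer "inet " layout and the one-line output of `ip -o -4 addr show`. The three samples are constructed, not captured from a real host, and the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): pull the first IPv4 address
# out of ifconfig-style text with shell parameter expansion only, the same
# technique as the one-liner above, but covering the layouts met in practice.
# All three samples below are constructed.

# Newer net-tools layout ("inet 192.0.2.10  netmask ...").
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::5054:ff:fe12:3456  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:12:34:56  txqueuelen 1000  (Ethernet)'

# Older net-tools layout ("inet addr:192.0.2.10  Bcast: ...").
SAMPLE_OLD='eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link'

# iproute2 one-line layout from `ip -o -4 addr show dev eth0`.
SAMPLE_IP='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# ipv4_from_text TEXT -> prints the first IPv4 address found; returns 1 if none.
ipv4_from_text() {
    text=$1
    case $text in
        *"inet addr:"*) rest=${text#*"inet addr:"} ;;  # old layout
        *"inet "*)      rest=${text#*"inet "} ;;       # new layout / iproute2
        *)              return 1 ;;                    # no IPv4 address at all
    esac
    addr=${rest%%[[:space:]]*}   # cut at the first whitespace
    addr=${addr%%/*}             # drop a CIDR prefix length, if present
    case $addr in
        '' | *[!0-9.]*) return 1 ;;   # not a dotted quad
    esac
    printf '%s\n' "$addr"
}

# iface_ipv4 IFACE -> address of a live interface; prefers iproute2 and
# falls back to /sbin/ifconfig (the path used in the one-liner above).
iface_ipv4() {
    if command -v ip >/dev/null 2>&1; then
        ipv4_from_text "$(ip -o -4 addr show dev "$1" 2>/dev/null)"
    else
        ipv4_from_text "$(/sbin/ifconfig "$1" 2>/dev/null)"
    fi
}

# Demonstration on the constructed samples (each prints 192.0.2.10).
ipv4_from_text "$SAMPLE_NEW"
ipv4_from_text "$SAMPLE_OLD"
ipv4_from_text "$SAMPLE_IP"
```

Using `${text#*"inet "}` (shortest prefix match) instead of `${text/*inet /}` picks the first address rather than the last, which matters on an interface with several IPv4 addresses; the dotted-quad check at the end keeps a stray word from being treated as an address.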

2015-11-18

Linux date Command: Day of Week

To find the day of week (e.g. Friday) on a particular date using the Linux version of the `date` utility, execute:

$ date -d 'Jan 03 2004' "+%a"
Sat


The -d flag tells the utility to display the given date instead of the current one, rather than setting the system date.

The "+%a" argument is one of `date`'s FORMAT sequences, which are listed in the man page.
So, for example, we can also have the full name of the weekday output by changing the "+%a" to "+%A":
$ date -d 'Jan 03 2004' "+%A"
Saturday

DATE(1)                             User Commands

NAME
       date - print or set the system date and time

SYNOPSIS
       date [OPTION]... [+FORMAT]
...
...
FORMAT controls the output.  Interpreted sequences are:

       %%     a literal %

       %a     locale's abbreviated weekday name (e.g., Sun)

       %A     locale's full weekday name (e.g., Sunday)

       %b     locale's abbreviated month name (e.g., Jan)

       %B     locale's full month name (e.g., January)

       %c     locale's date and time (e.g., Thu Mar  3 23:05:25 2005)

       %C     century; like %Y, except omit last two digits (e.g., 20)

       %d     day of month (e.g., 01)

       %D     date; same as %m/%d/%y

       %e     day of month, space padded; same as %_d

       %F     full date; same as %Y-%m-%d
...
...


2015-11-15

SELinux Failure after Fedora22 Upgrade

SELinux got somehow mangled during the upgrade process from Fedora21 -> Fedora22. Some of the modules were changed between the versions and, as a result, my SELinux "system" is borked. It'd be nice to have more documentation available on re-installing and/or resetting SELinux on a system.  I can't use any of the normal tools to manage SELinux, as they only print errors like `libsepol.permission_copy_callback...`.  Attempting to relabel a file context, for example, results in:

# semanage fcontext -a -t system_dbusd_var_lib_t /var/lib/dbus/machine-id
    libsepol.context_from_record: type radicale_port_t is not defined (No such file or directory).
    libsepol.context_from_record: could not create context structure (Invalid argument).
    libsepol.port_from_record: could not create port structure for range 5232:5232 (tcp) (Invalid argument).
    libsepol.sepol_port_modify: could not load port range 5232 - 5232 (tcp) (Invalid argument).
    libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
    libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
    OSError: Invalid argument


I've found 1 relevant bug related to something similar to my issue.  The only "resolution" comes in the last comment from a user, though it's not very clear/detailed on the exact way of "fixing" this problem once and for all.  Anyway, here's the relevant comment from the bug-report:


2015-06-22 15:20:04 EDT

Umm, sure, and the obvious way to rebuild them is to *delete them* using
semanage, which I can't do.  Just rebuilding them is tricky because I
use a puppet module for the builds and I haven't done one by hand in ages; I
guess I could make a one character change to all my modules to make them regen?
Ah, here we go.
So for everybody else: what I did was find all the .pp files (i.e. sudo find
/etc | grep my | grep -v mysql | grep
-v mythtv | grep '\.pp' or whatever works for you) and then simply deleted
them (i.e. sudo rm
/etc/selinux/mymodules/mypuppetedit/mypuppetedit.pp
/etc/selinux/mymodules/myvirshbugs880971/myvirshbugs880971.pp ...).
After puppet rebuilt them, everything is fine.  I dunno about NOTABUG.  IMO,
semanage not being able to remove invalid modules is *absolutely* a bug.
But at least I have a workaround.


  • I've already tried relabeling the system with `# touch /.autorelabel` multiple times
  • I've tried removing the pertinent lines that are reported as irrelevant during relabel from the file in `/etc/selinux/targeted/modules/active/file_contexts.local` without any changes
  • I've tried disabling SELinux via `/etc/selinux/config` and/or kernel commandline with `selinux=0` in hopes that re-enabling it would, *somehow*, magically fix the issue; alas, no dice
  • I've tried removing the `selinux-policy\*` packages while disabled one by one with `# rpm -ev selinux... --nodeps` and reinstalling them; again, no dice

Once again, the linked bug report is marked as NOTABUG; I have to ask at this point, what is it then? I am clearly not the only one affected by this.

The frustrating thing is that I did not notice/experience this issue before the last upgrade with `dnf`; though, I haven't been using this system for a while now, and the Fedora version was upgraded with `fedup` 6 months ago with no noticeable problems.

Here's the directory listing for the configuration files, though I'm not sure which, if any, of those files I'm supposed to delete.

# ls -alh /etc/selinux/targeted/modules/active/

total 876K
drwx------. 2 root      16K Nov 15 02:32 modules
-rw-r--r--. 1 root      58K Oct  8 09:07 base.pp
-rw-r--r--. 1 root      470 Jul 15 14:40 booleans.local
-rw-------. 1 root       32 Oct  8 09:07 commit_num
-rw-------. 1 root     362K Oct  8 09:07 file_contexts
-rw-r--r--. 1 root      13K Oct  8 09:07 file_contexts.homedirs
-rw-r--r--. 1 root     4.7K Nov 15 02:33 file_contexts.local
-rw-------. 1 root     373K Oct  8 09:07 file_contexts.template
-rw-------. 1 root      12K Oct  8 09:07 homedir_template
-rw-------. 1 root        0 Oct  8 09:07 netfilter_contexts
lrwxrwxrwx. 1 root       38 Oct  8 09:07 policy.kern -> /etc/selinux/targeted/policy/policy.29
-rw-r--r--. 1 root      225 Jul 15 14:40 ports.local
-rw-r--r--. 1 root      176 Nov 15 05:30 seusers
-rw-------. 1 root      176 Jul 15 14:40 seusers.final
-rw-------. 1 root      101 Oct  8 09:07 users_extra



Resolution

Ultimately, the only way to deal with this issue at the time of this writing is to painfully go through each and every failure record reported by SELinux, find the reference to it in the `/etc/selinux/` subdirectories and delete it.  A weak, annoying workaround for failures stemming from incomplete, poor or bad package updates, installations and removals.
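The manual search described above can at least be automated for the first step: pulling the undefined type names out of the libsepol/libsemanage errors and locating the local policy records that still mention them. The script below is an added example and not part of the original post; the error text is constructed in the format shown earlier, the directory is the one listed above, and the function names are my own. It only finds the records; removing a line from a file such as ports.local is the workaround from the bug comment, so back the file up first.

```bash
#!/bin/sh
# Added example (not from the original post): extract undefined SELinux
# type names from semanage/libsepol error output and list the files under
# the active module directory that still reference them. SAMPLE_ERRORS is
# constructed in the format shown in the post.

SAMPLE_ERRORS='libsepol.context_from_record: type radicale_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 5232:5232 (tcp) (Invalid argument).
libsepol.context_from_record: type radicale_port_t is not defined (No such file or directory).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
OSError: Invalid argument'

# undefined_types TEXT -> prints each "type X is not defined" name once.
undefined_types() {
    printf '%s\n' "$1" \
        | sed -n 's/.*: type \([A-Za-z0-9_]*\) is not defined.*/\1/p' \
        | sort -u
}

# references_in_dir DIR TYPE... -> files under DIR mentioning any TYPE as a
# whole word (so radicale_port_t does not match e.g. radicale_port_tmp_t).
references_in_dir() {
    dir=$1; shift
    for t in "$@"; do
        grep -rlw -- "$t" "$dir" 2>/dev/null
    done | sort -u
}

# Demonstration on the constructed errors (prints radicale_port_t).
undefined_types "$SAMPLE_ERRORS"

# On the broken system (not run here), using the command from the post:
#   errs=$(semanage fcontext -a -t system_dbusd_var_lib_t /var/lib/dbus/machine-id 2>&1)
#   references_in_dir /etc/selinux/targeted/modules/active $(undefined_types "$errs")
```

A type that appears in ports.local or file_contexts.local but in no installed module is exactly the kind of record semanage can no longer remove, which is what the bug comment above describes.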

SDL2 With Eclipse on Fedora22

On a Fedora22 system with Eclipse Mars version 4.5.1 this worked for me.

  • Create a new C++ project (File > New > C++ Project). 
  • You will need to pick a toolchain - Linux GCC.

If you want to use C++11 do the following:

  • Right click your Project under “Package Explorer” and select Properties.
  • Select (C/C++ Build > Settings > GCC C++ Compiler > Dialect)
  • Under “Language standard” select: "ISO C++11 (-std=c++0x)". Click Apply, then OK.

Configure Eclipse to use SDL2

At this step, I'd suggest using the system's terminal/shell to find out or verify the existence and location of the necessary files/libraries for SDL2 on your system.

First, to find the location of the necessary libraries on your system, executing the following in the terminal will give you the "include" location and other compiler/preprocessor flags:

$ sdl2-config --cflags

Similarly, to list the libraries/linker-flags

 $ sdl2-config --libs

For example, on my Fedora22 (64bit) system, the output looks like this

$ sdl2-config --cflags --libs
-I/usr/include/SDL2 -D_REENTRANT
-lSDL2 -lpthread


You can test the compilation in a separate temporary directory without the Eclipse-related project files (i.e. only the source files) like this; note that the linker flags go after the source files:

$ mkdir /tmp/testing
$ cp -r main.cpp error.cpp lesson45.cpp /tmp/testing/.
$ cd /tmp/testing
$ g++ $(sdl2-config --cflags) -o lesson45 main.cpp error.cpp lesson45.cpp $(sdl2-config --libs)


Now, to use the SDL2 libraries/paths within Eclipse, add the necessary libraries from the `sdl2-config --libs` output:

  • Right click your Project under “Package Explorer” and select Properties.
  • Select (C/C++ General > Paths and Symbols > Libraries)
  • Click “Add” and type `SDL2` and click OK
  • Click “Add” and type `pthread` and click OK

To add the preprocessor directive from the `sdl2-config --cflags` output:

  • Right click your Project under “Package Explorer” and select Properties.
  • Select (C/C++ Build > Settings > GCC C++ Compiler > Preprocessor)
  • Under "Defined symbols (-D)", Click the "Add" icon
  • Type `_REENTRANT` and click OK
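The two Eclipse dialogs above want the flag values without their -l, -D and -I prefixes, and typing them by hand is where mistakes creep in. The snippet below is an added example, not from the original post: it splits the `sdl2-config --cflags --libs` output into the three lists the dialogs ask for. SAMPLE_FLAGS is the output shown earlier in the post; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): split the output of
# `sdl2-config --cflags --libs` into the values that the Eclipse dialogs
# above expect. SAMPLE_FLAGS is the output quoted in the post; on your
# own system use flags=$(sdl2-config --cflags --libs).

SAMPLE_FLAGS='-I/usr/include/SDL2 -D_REENTRANT
-lSDL2 -lpthread'

# flag_values FLAGS PREFIX -> for each word starting with PREFIX, prints
# the remainder on its own line (e.g. PREFIX=-l gives SDL2 and pthread).
flag_values() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2//p"
}

eclipse_libraries() { flag_values "$1" -l; }   # Paths and Symbols > Libraries
eclipse_defines()   { flag_values "$1" -D; }   # Preprocessor > Defined symbols (NAME or NAME=VALUE)
eclipse_includes()  { flag_values "$1" -I; }   # Paths and Symbols > Includes

# Demonstration on the quoted flags.
echo "Libraries:"; eclipse_libraries "$SAMPLE_FLAGS"
echo "Defines:";   eclipse_defines   "$SAMPLE_FLAGS"
echo "Includes:";  eclipse_includes  "$SAMPLE_FLAGS"
```

A define written as -DFOO=1 comes out as FOO=1, which is the form the "Defined symbols" field accepts, so the same function covers both styles.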

Resources

2015-10-24

RHEL7 Fedora as Network Router and Gateway

Hardware Requirements:

  • 2 Ethernet Network Cards: 1 for WAN; 1 for LAN
  • Optional Wireless Router for wifi

Software Requirements:

  • NIC Configuration Files
  • sysctl Kernel Parameters
  • Firewall Configuration
  • dhcpd Server

For the sake of clarity the two network cards will be called ifcfg-wan (WAN) and ifcfg-lan (LAN); make the necessary changes for your environment accordingly, e.g. eth0, ens1, enp0s77, etc., as I will not outline how to make naming changes for hardware devices.  The configuration files for the relevant network adapters/cards are located in /etc/sysconfig/network-scripts/ifcfg-wan and /etc/sysconfig/network-scripts/ifcfg-lan files.

First, make sure all the interfaces are "down" and the ethernet cables are unplugged from both adapters.  Assuming you're not using NetworkManager this can be accomplished on the commandline with "ifdown wan" and/or "ifdown lan".

Next, check the system's network activity for open ports and close them all for now:

# netstat -untap

If all the interfaces are down there shouldn't be much activity anyway. 

NIC Configuration

Create or change the configuration files for the adapters as indicated by the following example, ensuring that you change the pertinent MAC and NETWORK addresses to suit your own environment:

##/etc/sysconfig/network-scripts/ifcfg-lan
DEVICE=lan
HWADDR=11:22:33:44:55:66
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.3
NETWORK=192.168.1.0
NM_CONTROLLED=no

##/etc/sysconfig/network-scripts/ifcfg-wan
DEVICE=wan
HWADDR=11:22:33:44:55:66
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=no
Next, make sure that the kernel parameters are set as follows, which can be checked with the "sysctl" tool, e.g.
"# sysctl -a |grep forward":
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
To make these settings persistent across reboots, append the 4 lines above to the file "/etc/sysctl.conf".  To apply them immediately, execute:
# sysctl -p /etc/sysctl.conf
Plug in the cable from your Modem/Gateway into the WAN-side NIC and execute
# ifup wan
Once the NIC has received an address from your ISP's DHCP server, test it out:
# ping www.google.com

Firewall Configuration with firewalld

Let's separate the interfaces into different firewall zones:

# firewall-cmd --zone=public --add-interface=wan --permanent
# firewall-cmd --zone=internal --add-interface=lan --permanent
Add masquerading to the WAN interface zone:
# firewall-cmd --zone=public --add-masquerade --permanent
Make sure no other services are listed as available and/or ports open in the WAN zone:
# firewall-cmd --zone=public --list-services
# firewall-cmd --zone=public --list-ports
To remove a service, e.g. SSH, do:
# firewall-cmd --zone=public --remove-service=ssh --permanent
Let's add the DHCP service to our LAN interface's firewall zone:
# firewall-cmd --zone=internal --add-service=dhcp --permanent
Reload the firewall for the rules to take effect:
# firewall-cmd --reload
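After a reboot or a package update it is worth re-checking that the kernel parameters from the sysctl section and the zone contents from this section are still what you set. The script below is an added example and not part of the original post: it compares the text that `sysctl -a` and `firewall-cmd --zone=... --list-services` print against the values given above. The sysctl excerpt, the service lists and the allowed-service lists for each zone are constructed assumptions, as are the function names.

```bash
#!/bin/sh
# Added example (not from the original post): audit the router's sysctl
# values and firewalld zones against the settings given in the post.
# The functions take text, so they run on the constructed samples here
# and on live command output on the router.

# The four parameters from the sysctl section, in "key=value" form.
WANTED_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0'

# Constructed excerpt of `sysctl -a` with forwarding still at its default.
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1'

# What each zone may offer (assumptions): nothing on the WAN side, only
# DHCP and SSH on the LAN side. firewall-cmd prints services space-separated.
WAN_ALLOWED=''
LAN_ALLOWED='dhcp ssh'
SAMPLE_PUBLIC_SERVICES='dhcpv6-client ssh'   # constructed: firewalld's default public zone

# sysctl_drift SYSCTL_OUTPUT -> prints "key: have X want Y" per mismatch or
# missing key; returns 1 if anything drifted, 0 otherwise.
sysctl_drift() {
    printf '%s\n' "$WANTED_SYSCTL" | while IFS='=' read -r key want; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')      # escape dots for sed
        have=$(printf '%s\n' "$1" | sed -n "s/^$pat *= *//p")
        [ "$have" = "$want" ] || echo "$key: have '${have:-missing}' want '$want'"
    done | grep . && return 1
    return 0
}

# zone_unexpected ALLOWED LISTED -> prints each entry of LISTED that is not
# in ALLOWED (services like "ssh" or ports like "80/tcp"); returns 1 if any.
zone_unexpected() {
    allowed=" $1 "
    rc=0
    for entry in $2; do
        case $allowed in
            *" $entry "*) ;;
            *) echo "$entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed samples.
sysctl_drift "$SAMPLE_SYSCTL" || echo "sysctl drift detected"
zone_unexpected "$WAN_ALLOWED" "$SAMPLE_PUBLIC_SERVICES" || echo "unexpected services in public zone"

# On the router (not run here):
#   sysctl_drift "$(sysctl -a 2>/dev/null)"
#   zone_unexpected "$WAN_ALLOWED" "$(firewall-cmd --zone=public --list-services)"
#   zone_unexpected "$WAN_ALLOWED" "$(firewall-cmd --zone=public --list-ports)"
#   zone_unexpected "$LAN_ALLOWED" "$(firewall-cmd --zone=internal --list-services)"
```

Both functions return non-zero on a finding, so the whole check can sit in a cron job or a monitoring probe and alert the moment the WAN zone grows a service it should not have.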

DHCP Server

Create or update the configuration file for the DHCP server that will serve dynamic IPs to our LAN:

# vim /etc/dhcp/dhcpd.conf

default-lease-time 1400;
authoritative;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.155;
}

host yourhostnamehere {
    option host-name "yourhostnamehere";
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.3;
}
The above configuration tells the DHCP server to serve LAN clients with dynamic IPs in the range from 100 to 155. It also sets up a FIXED address, which MUST be outside the DHCP range, as a static IP for our server. Now, copy the file /lib/systemd/system/dhcpd.service to /etc/systemd/system/dhcpd.service and append the name of your LAN interface to the ExecStart line:
# vim /etc/systemd/system/dhcpd.service

...
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid lan
...
Then enable the service, plug in the LAN cable if you haven't done so already, and restart the service:
# systemctl enable dhcpd.service
# systemctl restart dhcpd.service
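The rule that a fixed address MUST sit outside the dynamic range is easy to break when the range is edited later, and dhcpd does not refuse such a file. The script below is an added example and not part of the original post: it reads a dhcpd.conf, checks every fixed-address against the declared subnets and ranges, and fails if one lands inside a dynamic pool. DHCPD_CONF_SAMPLE is the configuration from this post (with the `netmask` keyword that dhcpd's subnet statement requires); the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post): verify that every
# fixed-address in a dhcpd.conf lies inside a declared subnet and outside
# every dynamic range, which is the rule stated above.

DHCPD_CONF_SAMPLE='default-lease-time 1400;
authoritative;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.155;
}

host yourhostnamehere {
    option host-name "yourhostnamehere";
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.3;
}'

# ip2int A.B.C.D -> the address as an integer, so ranges can be compared.
# (Octets with leading zeros are not expected in dhcpd.conf.)
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# dhcpd_check_fixed CONF -> one line per fixed-address ("ADDR OK" or
# "ADDR BAD: reason"); returns 1 if any address is BAD.
dhcpd_check_fixed() {
    conf=$1
    rc=0
    subnets=$(printf '%s\n' "$conf" | awk '$1=="subnet" && $3=="netmask" {print $2, $4}')
    ranges=$(printf '%s\n' "$conf"  | awk '$1=="range" {sub(/;$/, "", $3); print $2, $3}')
    fixed=$(printf '%s\n' "$conf"   | awk '$1=="fixed-address" {sub(/;$/, "", $2); print $2}')
    for f in $fixed; do
        n=$(ip2int "$f"); verdict="OK"
        # Must belong to one of the declared subnets.
        set -- $subnets; inside=0
        while [ $# -ge 2 ]; do
            mask=$(ip2int "$2")
            [ $(( n & mask )) -eq $(( $(ip2int "$1") & mask )) ] && inside=1
            shift 2
        done
        [ "$inside" -eq 1 ] || verdict="BAD: outside every declared subnet"
        # Must not fall inside any dynamic range.
        set -- $ranges
        while [ $# -ge 2 ]; do
            if [ "$n" -ge "$(ip2int "$1")" ] && [ "$n" -le "$(ip2int "$2")" ]; then
                verdict="BAD: inside dynamic range $1-$2"
            fi
            shift 2
        done
        case $verdict in BAD*) rc=1 ;; esac
        echo "$f $verdict"
    done
    return $rc
}

# Demonstration on the post's configuration (prints "192.168.1.3 OK").
dhcpd_check_fixed "$DHCPD_CONF_SAMPLE"

# On the router (not run here): dhcpd_check_fixed "$(cat /etc/dhcp/dhcpd.conf)"
```

Run it before `systemctl restart dhcpd.service`; a non-zero exit means a host entry would collide with a lease that dhcpd may already have handed out.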

You should now have a working Internet-facing Gateway/router running on your RHEL7/Fedora18+ system.  As for the wifi side of your network, plugging in the cable from your LAN interface into the WAN port of a wifi router will allow the wifi router to handle that aspect of your network.