Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Peter
On 01/04/17 10:40, Kenneth Porter wrote:
> What makes Postfix superior in fighting spam?

One major feature that comes to mind is postscreen:
http://www.postfix.org/POSTSCREEN_README.html
http://www.postfix.org/postscreen.8.html

> How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix?

There are many guides online that tell you how to do this.

> Are there migration guides for moving one's Sendmail anti-spam and AV
> configurations to Postfix?

Let me google that for you:
http://lmgtfy.com/?q=sendmail+to+postfix


Peter
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Peter
On 01/04/17 09:57, Xinhuan Zheng wrote:
> Today I searched redhat official portal and learned that Sendmail is
> considered deprecated. By default, CentOS 7 will use postfix as MTA.

It is considered "deprecated" as you say, but that does not mean they no
longer support it.  You can use Sendmail in CentOS 7 just fine and it is
relatively easy to switch (complexities of proper Sendmail configuration
notwithstanding).

I think in this case they simply mean that Sendmail is not the default,
but that does not mean it is not supported in any way.

> I need good advice on what it means to us. We are CentOS customers.
> We use that operating system for quite a few years. We rely on
> Sendmail for years for us to relay large quantity of emails to our
> customers for marketing purpose.

Admittedly this sounds like SPAM, but not all mass marketing mail is
SPAM and it can be done in a way which is not.  I'll give you the
benefit of the doubt for now.

> We build our additional fallback
> servers as well for fallback relays. We build our customized
> configuration for Sendmail too. I really need help to figure out if
> we can continue using Sendmail (even deprecated) for future long term
> and what implication would be doing so. Thanks,

I would say that Sendmail will likely continue to be supported at least
through the lifespan of RHEL7, I cannot speak as to whether it will be
supported in RHEL8 or not, but if you want to continue using Sendmail
and you feel comfortable using it, then by all means use it.

That said, I would encourage you to have a look at Postfix, you can do
pretty much everything you do in Sendmail in Postfix and more and the
configuration is easier to manage.  Postscreen is one of the newer
postfix features that you won't find in Sendmail and you may find that
alone is worth the switch.


Peter


Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 02:57 PM, Valeri Galtsev wrote:
> On Fri, March 31, 2017 4:46 pm, Alice Wonder wrote:
>> On 03/31/2017 02:40 PM, Kenneth Porter wrote:
>>> On 3/31/2017 2:15 PM, Valeri Galtsev wrote:
>>>> Well, it sounds like you are one of the companies with whose effort I
>>>> have to fight constantly in my own effort to protect our users from
>>>> spam...
>>>
>>> What makes Postfix superior in fighting spam?
>
> I actually made two independent statements:
>
> 1. That I use postfix forever (postfix was written by Wietse Venema with
> security in mind).
>
> 2. That the company the OP works for judging from my reading of OP's post
> makes money by facilitating the creation of spam (by their customers).
>
> By no means I meant to say postfix is superior to sendmail in fighting
> spam. Neither of them is designed for fighting spam, each of them is
> merely MTA. Postfix, however, having human readable configs with rather
> logical logics makes it easier (for me) to administer, therefore easier
> (for me again) to integrate with anti-spam components (amavisd,
> spamassassin, clamav - the last to scan for viruses - or rather virii I
> should say as that is plural of Latin word ;-)
>
> Just my $0.02.
>
> Valeri


That's pretty much why I started using postfix, I don't remember when 
but I believe it was with Red Hat 7 (pre Fedora days). It was much 
easier for me to configure postfix on a web application server and have 
it send encrypted to their MX than it was to configure sendmail. It was 
possible with sendmail but I wasted hours trying to get sendmail 
configured, first time with postfix was cake.


Now I use it because of the support for opportunistic DANE (I run an 
updated version, built from CentOS src.rpm but with version bump) so 
that when the receiving MX has DNSSEC with a TLSA record on port 25, I 
know the message is either delivered to that MX encrypted or not at all.


The attack that strips the STARTTLS causing plain text won't work when 
the receiving MX is configured with DANE. Right now Comcast is the only 
major ISP in the United States that has MX servers configured with DANE, 
but several small ones do as well, and several in Europe are as well 
(especially .nl and .de mail servers)


I don't know if sendmail has been updated to support DANE yet or not, 
but last time I looked, it did not.

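The downgrade behaviour described in the message above, as an added example that is not part of the original post: a Python model of a sending MTA's per-destination decision with and without opportunistic DANE, run over a stripped STARTTLS, a substituted key and a failed DNSSEC validation. The class names, outcome strings and sample bytes are constructed for illustration, and the model only evaluates DANE-EE (usage 3) TLSA records.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE, the only usage this model evaluates
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class MXView:
    """What the sending MTA observes for one MX, possibly altered on-path."""
    dnssec: str             # "secure", "insecure" (unsigned zone) or "bogus"
    tlsa: tuple             # TLSA records published at _25._tcp.<mx host>
    starttls_offered: bool  # did the EHLO reply advertise STARTTLS?
    cert_der: bytes = b""
    spki_der: bytes = b""


def tlsa_matches(rr, view):
    """True if one DANE-EE record matches the certificate the server presented."""
    if rr.usage != 3 or rr.selector not in (0, 1):
        return False
    blob = view.cert_der if rr.selector == 0 else view.spki_der
    if rr.mtype == 0:
        digest = blob
    elif rr.mtype == 1:
        digest = hashlib.sha256(blob).digest()
    elif rr.mtype == 2:
        digest = hashlib.sha512(blob).digest()
    else:
        return False
    return hmac.compare_digest(digest, rr.data)


def decide(view, dane_enabled):
    """Return the delivery outcome for one MX under the sender's TLS policy."""
    if dane_enabled and view.dnssec == "bogus":
        return "defer"  # DNSSEC validation failed: treat as a lookup error
    if dane_enabled and view.dnssec == "secure" and view.tlsa:
        # Signed TLSA records exist, so TLS is mandatory and authenticated.
        if view.starttls_offered and any(tlsa_matches(rr, view) for rr in view.tlsa):
            return "encrypted-authenticated"
        return "defer"  # stripped STARTTLS or wrong key: never fall back
    # Plain opportunistic TLS: use it when offered, otherwise send in the clear.
    return "encrypted-unauthenticated" if view.starttls_offered else "cleartext"


# Constructed stand-ins for DER bytes; a real client takes them from the handshake.
HONEST_CERT = b"constructed-cert-mx.example.net"
HONEST_SPKI = b"constructed-spki-mx.example.net"
PUBLISHED = (TLSA(3, 1, 1, hashlib.sha256(HONEST_SPKI).digest()),)


def scenarios():
    honest = MXView("secure", PUBLISHED, True, HONEST_CERT, HONEST_SPKI)
    return {
        "honest": honest,
        "starttls_stripped": replace(honest, starttls_offered=False),
        "attacker_key": replace(honest, cert_der=b"constructed-attacker-cert",
                                spki_der=b"constructed-attacker-spki"),
        "forged_dns": replace(honest, dnssec="bogus", tlsa=()),
        "unsigned_zone_stripped": MXView("insecure", (), False),
    }


def run(dane_enabled):
    return {name: decide(view, dane_enabled) for name, view in scenarios().items()}


if __name__ == "__main__":
    for enabled in (False, True):
        print("DANE enabled:" if enabled else "Opportunistic TLS only:")
        for name, outcome in run(enabled).items():
            print(f"  {name:24} {outcome}")
```

The last scenario shows the limit of the protection: a destination whose zone is unsigned still gets plain opportunistic TLS, so a stripped STARTTLS there ends in cleartext delivery.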


Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Kenneth Porter

On 3/31/2017 2:46 PM, Alice Wonder wrote:
> I don't know about MIMEDefang but SpamAssassin and ClamAV are pretty
> straightforward. There are guides for both with Postfix all over the
> net.
>
> MIMEDefang I have not heard of, but unless it does something really
> funky I suspect it also is easy to set up with Postfix.


From the MIMEDefang website:

MIMEDefang is an e-mail filtering tool that works with the Sendmail 
"Milter" library. MIMEDefang lets you express your filtering policies 
in Perl rather than C, making it quick and easy to filter or 
manipulate your mail.


It will detect a SpamAssassin and ClamAV installation and invoke it 
site-wide, rejecting virii and extreme spam before it gets to the 
delivery agent (eg. procmail), quarantining it for administrative review 
and sending a quarantine notification to the recipient.


http://mimedefang.org/

Reading around, it looks like Postfix supports milters and people have 
gotten MD working with it.




---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus


Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Valeri Galtsev

On Fri, March 31, 2017 4:46 pm, Alice Wonder wrote:
> On 03/31/2017 02:40 PM, Kenneth Porter wrote:
>> On 3/31/2017 2:15 PM, Valeri Galtsev wrote:
>>> Well, it sounds like you are one of the companies with whose effort I
>>> have to fight constantly in my own effort to protect our users from
>>> spam...
>>
>> What makes Postfix superior in fighting spam?

I actually made two independent statements:

1. That I use postfix forever (postfix was written by Wietse Venema with
security in mind).

2. That the company the OP works for judging from my reading of OP's post
makes money by facilitating the creation of spam (by their customers).

By no means I meant to say postfix is superior to sendmail in fighting
spam. Neither of them is designed for fighting spam, each of them is
merely MTA. Postfix, however, having human readable configs with rather
logical logics makes it easier (for me) to administer, therefore easier
(for me again) to integrate with anti-spam components (amavisd,
spamassassin, clamav - the last to scan for viruses - or rather virii I
should say as that is plural of Latin word ;-)

Just my $0.02.

Valeri


>>
>> How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix?
>> Are there migration guides for moving one's Sendmail anti-spam and AV
>> configurations to Postfix?
>>
>
> I don't know about MIMEDefang but SpamAssassin and ClamAV are pretty
> straightforward. There are guides for both with Postfix all over the net.
>
> MIMEDefang I have not heard of, but unless it does something really
> funky I suspect it also is easy to set up with Postfix.



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 02:40 PM, Kenneth Porter wrote:
> On 3/31/2017 2:15 PM, Valeri Galtsev wrote:
>> Well, it sounds like you are one of the companies with whose effort I
>> have to fight constantly in my own effort to protect our users from
>> spam...
>
> What makes Postfix superior in fighting spam?
>
> How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix?
> Are there migration guides for moving one's Sendmail anti-spam and AV
> configurations to Postfix?




I don't know about MIMEDefang but SpamAssassin and ClamAV are pretty 
straightforward. There are guides for both with Postfix all over the net.


MIMEDefang I have not heard of, but unless it does something really 
funky I suspect it also is easy to set up with Postfix.



Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Kenneth Porter

On 3/31/2017 2:15 PM, Valeri Galtsev wrote:
> Well, it sounds like you are one of the companies with whose effort I have
> to fight constantly in my own effort to protect our users from spam...


What makes Postfix superior in fighting spam?

How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix? 
Are there migration guides for moving one's Sendmail anti-spam and AV 
configurations to Postfix?





Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 01:57 PM, Xinhuan Zheng wrote:
> Hello,
>
> Today I searched redhat official portal and learned that Sendmail is
> considered deprecated. By default, CentOS 7 will use postfix as MTA. I
> need good advice on what it means to us. We are CentOS customers. We use
> that operating system for quite a few years. We rely on Sendmail for years
> for us to relay large quantity of emails to our customers for marketing
> purpose. We build our additional fallback servers as well for fallback
> relays. We build our customized configuration for Sendmail too. I really
> need help to figure out if we can continue using Sendmail (even
> deprecated) for future long term and what implication would be doing so.
> Thanks,
>
> - xinhuan



You can still install sendmail, but postfix is the default, a decision I 
personally support as I have found it to be a lot easier to administer 
than sendmail with a much better security track record.


Historically, you would use system-switch-mail to select your preferred 
MTA to switch from the default.


I don't know if that is still the method, since the default now is what 
I prefer.



Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Valeri Galtsev

On Fri, March 31, 2017 3:57 pm, Xinhuan Zheng wrote:
> Hello,
>
> Today I searched redhat official portal and learned that Sendmail is
> considered deprecated. By default, CentOS 7 will use postfix as MTA.

That was an excellent decision I welcomed the day RedHat made it.
Beginning with my first RedHat (it was somewhere around RedHat 5 IIRC) I
always have been replacing venerable sendmail with postfix.

> I
> need good advice on what it means to us. We are CentOS customers. We use
> that operating system for quite a few years. We rely on Sendmail for years
> for us to relay large quantity of emails to our customers for marketing
> purpose.

Well, it sounds like you are one of the companies with whose effort I have
to fight constantly in my own effort to protect our users from spam...

Valeri

> We build our additional fallback servers as well for fallback
> relays. We build our customized configuration for Sendmail too. I really
> need help to figure out if we can continue using Sendmail (even
> deprecated) for future long term and what implication would be doing so.
> Thanks,
>
> - xinhuan



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



[CentOS] Sendmail is considered deprecated

2017-03-31 Thread Xinhuan Zheng
Hello,

Today I searched redhat official portal and learned that Sendmail is considered 
deprecated. By default, CentOS 7 will use postfix as MTA. I need good advice on 
what it means to us. We are CentOS customers. We use that operating system for 
quite a few years. We rely on Sendmail for years for us to relay large quantity 
of emails to our customers for marketing purpose. We build our additional 
fallback servers as well for fallback relays. We build our customized 
configuration for Sendmail too. I really need help to figure out if we can 
continue using Sendmail (even deprecated) for future long term and what 
implication would be doing so.
Thanks,

- xinhuan


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Fri, Mar 31, 2017 at 05:06:53PM +0200, Sven Kieske wrote:
> On 31/03/17 15:55, C. L. Martinez wrote:
> > I need to attach two physical interfaces to a guest and these phy 
> > interfaces have IP and routes assigned and I need to get them off the main 
> > routing table.
> 
> I do not understand this.
> 
> You can attach a physical (or virtual, doesn't matter), interface to any
> given vm, without assigning routes or IPs to these interfaces directly.

No, I can't because this host doesn't support PCI passthrough. One of these 
interfaces is a wireless nic.

> 
> Just do the network configuration inside the vm, and the routing, well
> on your router? You will just need the route for the vm networks on your
> host, but what is your attack scenario to keep this separated from other
> routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

How? If the same host routes Internet traffic in the main routing table I 
expose host's services to Internet.

> 
> -- 
> Kind regards
> 
> Sven Kieske
> 
> System Administrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +495772 293100
> F: +495772 29
> https://www.mittwald.de
> Managing Director: Robert Meyer
> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> 






-- 
Greetings,
C. L. Martinez
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS-virt] 2.6.0-28.el7_3.6.1 e1000 problem

2017-03-31 Thread Sandro Bonazzola
Adding Paolo and Miroslav.

On 30/Mar/2017 08:57, "Dmitry Melekhov" wrote:

> 30.03.2017 10:52, Dmitry Melekhov wrote:
>
>> Hello!
>>
>> We tried to move Windows 2003 VM with e1000 driver from Centos 7 which
>> runs qemu-kvm-0.12.1.2-2.491.el6_8.7.x86_64
>> to Centos 7 with qemu-kvm-ev-2.6.0-28.el7_3.6.1.x86_64 and we got
>> problems-
>> tcp sessions, namely smb connections, randomly drops.
>>
>> We didn't test previous qemu-rhev with this VM, so we don't know how it
>> works in them.
>>
>> Could you tell me is this known problem? Any workaround except switching
>> to virtio?
>>
>> Thank you!
>>
>> Sorry, previous host system was Centos 6 with default qemu...
>
>


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Sven Kieske
On 31/03/17 15:55, C. L. Martinez wrote:
> I need to attach two physical interfaces to a guest and these phy interfaces 
> have IP and routes assigned and I need to get them off the main routing table.

I do not understand this.

You can attach a physical (or virtual, doesn't matter), interface to any
given vm, without assigning routes or IPs to these interfaces directly.

Just do the network configuration inside the vm, and the routing, well
on your router? You will just need the route for the vm networks on your
host, but what is your attack scenario to keep this separated from other
routes on this host? you need at least CAP_NET_ADMIN to fiddle with those.

-- 
Kind regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 29
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen





Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Fri, Mar 31, 2017 at 06:14:22AM -0400, Dima (Dan) Yasny wrote:
> On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:
> 
> > On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > > Use libvirt with mac/ip spoofing enabled.
> > >
> > > https://libvirt.org/formatnwfilter.html
> > >
> > > https://libvirt.org/firewall.html
> > >
> > > --
> > > Sent from the Delta quadrant using Borg technology!
> > >
> > Thanks Nux and Kristian but I don't see if these solutions will be really
> > effective in my environment. Let me explain. In this host I have three
> > physical interfaces: eth0, eth1 and wlan0.
> >
> >  eth0 is connected to my internal network. eth1 is connected to a public
> > router and wlan0 is connected to another public router. wlan0 and eth1 are
> > bonded to provide failover Internet connections. CPU doesn't support pci
> > passthrough (pci passthrough would solve my problems).
> >
> 
> If assigning a NIC directly to a VM would solve the problem, you could try
> using macvtap instead of PCI passthrough
> 
> 

Oops .. bad luck (according to https://access.redhat.com/solutions/1978833):

Does bridge/macvtap interfaces work on wireless interfaces in RHEL?
SOLUTION VERIFIED - Updated October 2 2015 at 6:23 PM - English

Environment:

- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7

Issue:

If a bridge/macvtap interface is created using a wireless adapter, it fails to
communicate. However, the wired physical ethernet card works without an issue.

Resolution:

Communication over an interface that's bridged with a wireless interface (Wi-Fi)
won't work because most Access Points (APs) won't accept frames that have a
source address that is not authenticated with the AP. The same holds true with
APs that allow open authentication (without password).
Bridging can be done only with physical ethernet controllers.


-- 
Greetings,
C. L. Martinez


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Dima (Dan) Yasny
On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:

> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > Use libvirt with mac/ip spoofing enabled.
> >
> > https://libvirt.org/formatnwfilter.html
> >
> > https://libvirt.org/firewall.html
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> Thanks Nux and Kristian but I don't see if these solutions will be really
> effective in my environment. Let me explain. In this host I have three
> physical interfaces: eth0, eth1 and wlan0.
>
>  eth0 is connected to my internal network. eth1 is connected to a public
> router and wlan0 is connected to another public router. wlan0 and eth1 are
> bonded to provide failover Internet connections. CPU doesn't support pci
> passthrough (pci passthrough would solve my problems).
>

If assigning a NIC directly to a VM would solve the problem, you could try
using macvtap instead of PCI passthrough


>
>  I need to deploy a fw vm to control traffic between internal and external
> interfaces. In BSD systems you can segregate all ip address and route
> tables from principal routing table. It is the same effect that I would
> like to implement in this host.
>
>  And I don't see how to implement using CentOS (or another linux distro).
>
> --
> Greetings,
> C. L. Martinez


Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread Richard Landsman - Rimote

Hi,

I don't see why this should not work with the given solutions. But I'm 
relatively new to KVM / libvirt. Alternative:


Personally I use Shorewall (Shoreline FW) and bridge setups (also works 
with a bonding interface). This way you can create zones, interfaces, 
addresses, forwarding-rules etc and give per VM permission to let's say 
only use a certain IP, only access certain parts of the network, talk to 
a certain limited list of IPs etc. I can not imagine you can't create 
what you want with Shorewall. It looks complicated, but actually is very 
intuitive if you give it some time and effort.


Please feel free to provide a better description of what you want to 
accomplish. Maybe I misunderstand what you want to achieve.


--
Kind regards,

Richard Landsman
http://rimote.nl

T: +31 (0)50 - 763 04 07
(Mon-Fri 9:00 to 18:00)

24/7 for outages:
+31 (0)6 - 4388 7949
@RimoteSaS (Twitter service notices/security updates)

On 03/31/2017 11:56 AM, C. L. Martinez wrote:
> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
>> Use libvirt with mac/ip spoofing enabled.
>>
>> https://libvirt.org/formatnwfilter.html
>>
>> https://libvirt.org/firewall.html
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>
> Thanks Nux and Kristian but I don't see if these solutions will be really
> effective in my environment. Let me explain. In this host I have three
> physical interfaces: eth0, eth1 and wlan0.
>
>  eth0 is connected to my internal network. eth1 is connected to a public
> router and wlan0 is connected to another public router. wlan0 and eth1 are
> bonded to provide failover Internet connections. CPU doesn't support pci
> passthrough (pci passthrough would solve my problems).
>
>  I need to deploy a fw vm to control traffic between internal and external
> interfaces. In BSD systems you can segregate all ip address and route
> tables from principal routing table. It is the same effect that I would
> like to implement in this host.
>
>  And I don't see how to implement using CentOS (or another linux distro).





Re: [CentOS-virt] Network isolation for KVM guests

2017-03-31 Thread C. L. Martinez
On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> Use libvirt with mac/ip spoofing enabled.
> 
> https://libvirt.org/formatnwfilter.html
> 
> https://libvirt.org/firewall.html
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
Thanks Nux and Kristian but I don't see if these solutions will be really
effective in my environment. Let me explain. In this host I have three physical
interfaces: eth0, eth1 and wlan0.

 eth0 is connected to my internal network. eth1 is connected to a public router
and wlan0 is connected to another public router. wlan0 and eth1 are bonded to
provide failover Internet connections. CPU doesn't support pci passthrough
(pci passthrough would solve my problems).

 I need to deploy a fw vm to control traffic between internal and external
interfaces. In BSD systems you can segregate all ip address and route tables
from principal routing table. It is the same effect that I would like to
implement in this host.

 And I don't see how to implement using CentOS (or another linux distro).

-- 
Greetings,
C. L. Martinez


Re: [CentOS] Best practices for docker setup on Centos 7?

2017-03-31 Thread James Hogarth
On 31 March 2017 at 07:11, Rafał Radecki  wrote:
> Hi All.
>
> I am currently running docker 1.13 on Centos 7 boxes with devicemapper
> storage plugin.
> I would like to know what are your experiences in regard to:
> - storage plugins
> - kernel versions
> - stability
>
> I consider upgrade to docker 17.03.1 and would like to choose most stable
> combination of kernel/storage plugin.
>


If you really want the most stable setup which is well tested with the
Red Hat environment I'd suggest to stop using upstream and use the
docker in the extras repo, which is the same as the docker in the RHEL
extras repo and is patched to work optimally with Red Hat and is
tested by them.

If you have plenty of block storage I'd use devicemapper with a thin
pool LVM setup.

We've recently switched to overlay2 as our graph driver, although that
is in a CI and not prod environment ... you may want to carry out some
comparisons.


Re: [CentOS] firewalld management on a headless server

2017-03-31 Thread James Hogarth
On 30 March 2017 at 19:47, Mark Milhollan  wrote:
> On Wed, 29 Mar 2017, Robert Moskowitz wrote:
>>On 03/29/2017 07:38 AM, Leon Fauster wrote:
>
>>>We have good results with http://www.shorewall.net/ an iptables
>>>"abstraction".
>>>Despite its not a GUI, the streamlined configuration helps to be effective.
>>
>>From what I can determine, it is still iptables.  Not firewalld.
>
> That's what Leon said, shorewall is an iptables abstraction, and
> iptables is a command that manipulates netfilter.
>
> FirewallD is similar in that it abstracts and simplifies using netfilter
> without using the iptables command.  Which has a GUI that can be used
> remotely but it is not web based as requested.  Fedora's CoPilot
> probably has a module for it, but I don't know that it can be used with
> a CentOS based server.  Webmin likely has a module for it by now.
>
>

Minor correction here ... firewalld is an iptables abstraction like
shorewall and it doesn't link into netfilter directly.

You can see that here:

https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/ipXtables.py


[CentOS] Best practices for docker setup on Centos 7?

2017-03-31 Thread Rafał Radecki
Hi All.

I am currently running docker 1.13 on Centos 7 boxes with devicemapper
storage plugin.
I would like to know what are your experiences in regard to:
- storage plugins
- kernel versions
- stability

I consider upgrade to docker 17.03.1 and would like to choose most stable
combination of kernel/storage plugin.

Thanks for all info!

BR,
Rafal.