[CentOS] CentOS 7.3 and e1000e

2017-07-07 Thread Jerry Geis
Hi All - I have a box running the above. Power was lost long enough that the
UPS did not work. When power came back on, the C7 box booted way faster than
the switch, which resulted in no network. Power cycling the C7 box restored
the network.

This even happened a second time. The only way to get the box back was to
power cycle. The box is remote, with no keyboard and mouse connected.

Any thoughts on why the e1000e would not talk to the switch? The switch is
an unmanaged Linksys - could not get the model. It auto-negotiates to
1G/full.

Thanks for any thoughts.

Jerry
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] performance problems with OpenLDAP and multiple simultaneous clients

2017-07-07 Thread John Jasen

Running CentOS7, with openldap-2.4.40-13.el7. The environment consists
of two ldap providers, in mirror mode, serving over a shared virtual IP.
Client-facing services are provided by 4 consumers, most of which are
accessed over a layer 4 load balancer.

Periodically, the consumers encounter some sort of client request(s)
which consume all available threads, cause backload threads to spike,
and cause slapd to go unresponsive for a long period of time. I've no
idea what is causing these events, or if there is anything in the
configurations that I can tweak to help.

Anyone have any ideas?











Re: [CentOS] mdraid doesn't allow creation: device or resource busy

2017-07-07 Thread Adam Kalisz
Dear CentOS users and administrators,

I solved the problem! It really was multipath, and it probably had to do with
some automatic mapping. I may have rebooted after I created new partition
tables on each drive, which probably wasn't very smart.
Anyway, the solution was:

# multipath -l
ST3500630NS_9QG0P0PY dm-1 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 6:0:0:0 sdf 8:80  active undef running
ST3500630NS_9QG0HLRX dm-6 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 4:0:0:0 sdd 8:48  active undef running
ST3500630NS_9QG0H3N5 dm-3 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 5:0:0:0 sde 8:64  active undef running
ST3500630NS_9QG0KYMH dm-4 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 3:0:0:0 sdc 8:32  active undef running
ST3500630NS_9QG0KQH2 dm-5 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 8:0:0:0 sdh 8:112 active undef running
ST3500630NS_9QG0H3JL dm-2 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active

and remove the mappings one by one, or all at once with -F:

# multipath -f ST3500630NS_9QG0KYMH

It was then possible to:

# mdadm --create /dev/md6 --assume-clean --level=5 --raid-devices=6 /dev/sd[cdefgh]1

which worked without a problem...

Best regards

Adam Kalisz

On Fri, 2017-06-30 at 02:06 +0200, adam_kalisz wrote:
> Dear fellow CentOS users,
> 
> I have never experienced this problem with hard disk management before
> and cannot explain it to myself on any rational basis.
> 
> The setup:
> I have a workstation for testing, running latest CentOS 7.3 AMD64. I am
> evaluating oVirt and a storage-ha as part of my bachelor's thesis.
> I have already been running a RAID1 (mdraid, lvm2) for the system and
> some oVirt 4.1 testing. Now I added 6x 500 GB platters from an old
> server running Debian 8 Jessie with software RAID of a similar fashion
> as well. That would unexpectedly prevent the system from booting
> past something like (I copied it from the working setup), I ran it over
> night, so it was actually about 16 hours:
> "A start job is running for dev-mapper-vg0\x2droot.device (13s / 1min
> 30s)"
> 
> Can it be just some kind of a scan, which takes so long? The current
> throughput based on time (16 h) and capacity (3 TB) would be about 50 MBps.
> (Those drives can be pretty slow when writing, dd showed about 30 MBps,
> the write cache is off.)
> 
> This is actually repeatable. If I unplug those drives and boot again, it
> all works.
> 
> I don't know if it helps, but before that I had two screens full of:
> "dracut-initqueue[331]: Warning: dracut-initqueue timeout - starting
> timeout scripts"
> 
> Well, I proceeded without this array, and after it booted I connected the
> array of 6 hard disks again. They were recognized etc. The problem is, I
> cannot do much. I can dd from and to the hard drives, I can create and
> delete partitions but I cannot create an md raid array out of them, I
> cannot create a physical volume or format them with a filesystem. I even
> tried overwriting all of those hard drives with zeroes, which worked but
> didn't help at all with the creation of the array afterwards.
> 
> mdadm --create /dev/md6 --level=5 --raid-devices=6 /dev/sd[cdefgh]1
> 
> "mdadm: cannot open /dev/sdc1: Device or resource busy"
> 
> with pvcreate, it seems as if there was no device, but I clearly see it
> in /dev/sdc1...
> 
> "Device /dev/sdc1 not found (or ignored by filtering)."
> 
> partprobe yields:
> 
> "device-mapper: remove ioctl on ST3500630NS_9QG0P0PY1 failed: Device or
> resource busy
> Warning: parted was unable to re-read the partition table on
> /dev/mapper/ST3500630NS_9QG0P0PY (Device or resource busy).  This means
> Linux won't know anything about the modifications you made.
> device-mapper: create ioctl on ST3500630NS_9QG0P0PY1part1-mpath-
> ST3500630NS_9QG0P0PY failed: Device or resource busy
> device-mapper: remove ioctl on ST3500630NS_9QG0P0PY1 failed: Device or
> resource busy"
> 
> In some forums, it was suggested dmraid (yes, the old one) could be the
> trouble. I eliminated this hypothesis (overwrote all with zeroes,
> fakeraid was never present with these disks). Also multipathd/
> dm_multipath could be the trouble, someone suggested. The problem is, if
> I were to remove device-mapper-multipath, I would lose oVirt-engine,
> because it has multipath as a dependency for some reason.
> 
> Do you have any ideas? What logs/information should I provide if you
> want to have a look into this?
> 
> Best regards
> Adam Kalisz
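The diagnosis in Adam's reply, worked into a small pre-flight check, as an added example that is not part of his post: it parses the `multipath -l` listing shown above and names the map that holds each disk, so an administrator can see which members mdadm or pvcreate will report as "Device or resource busy" before flushing those maps with `multipath -f`. The listing is embedded as constructed sample data copied from the post; `multipath_members`, `map_holding_device` and `busy_raid_members` are names chosen for this example, and on a live host the listing command is `multipath -l`.

```shell
#!/bin/sh
# Added example (not part of Adam's post): find out which disks are currently
# claimed by multipath maps, which is exactly the state that makes mdadm and
# pvcreate report "Device or resource busy" on the underlying /dev/sdX.
# The input format is the `multipath -l` listing shown in the thread; the
# sample below is copied from that listing (constructed test data, not live).

sample_multipath_l() {
    cat <<'EOF'
ST3500630NS_9QG0P0PY dm-1 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 6:0:0:0 sdf 8:80  active undef running
ST3500630NS_9QG0HLRX dm-6 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 4:0:0:0 sdd 8:48  active undef running
ST3500630NS_9QG0H3N5 dm-3 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 5:0:0:0 sde 8:64  active undef running
ST3500630NS_9QG0KYMH dm-4 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 3:0:0:0 sdc 8:32  active undef running
ST3500630NS_9QG0KQH2 dm-5 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
  `- 8:0:0:0 sdh 8:112 active undef running
ST3500630NS_9QG0H3JL dm-2 ATA ,ST3500630NS
size=466G features='0' hwhandler='0' wp=rw
`-+- policy='service-time 0' prio=0 status=active
EOF
}

# multipath_members: read `multipath -l` output on stdin and print one
# "<map-name> <dm-node> <path-device>" line per path.  A map header starts in
# column 1 with the map name and a dm-N node; a path line starts with "`-" and
# an H:C:T:L address.  A map without any path line (the truncated last one in
# the sample) simply produces nothing.
multipath_members() {
    awk '
        /^[^ `]/ && $2 ~ /^dm-[0-9]+$/ { map = $1; node = $2; next }
        $1 == "`-" && $2 ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/ { print map, node, $3 }
    '
}

# map_holding_device DEV [LISTING-COMMAND]
# Prints the multipath map that holds DEV (e.g. "sdc") and returns 0; returns 1
# and prints nothing when DEV is free.  LISTING-COMMAND defaults to the
# embedded sample; on a real host pass "multipath -l".
map_holding_device() {
    dev=$1
    listing=${2:-sample_multipath_l}
    $listing | multipath_members |
        awk -v d="$dev" '$3 == d { print $1; found = 1 } END { exit !found }'
}

# busy_raid_members DEV... : print one line for every candidate RAID member
# that multipath still owns, returning 1 if any is busy.  Run this before
# `mdadm --create`; each printed map is one to flush with `multipath -f <map>`
# (or all at once with `multipath -F`) before retrying.
busy_raid_members() {
    rc=0
    for d in "$@"; do
        if m=$(map_holding_device "$d"); then
            printf '%s is held by multipath map %s\n' "$d" "$m"
            rc=1
        fi
    done
    return $rc
}

# Example run against the sample: sdg is absent from the listing, so only the
# other five members are reported as busy.
busy_raid_members sdc sdd sde sdf sdg sdh || :
```

Flushing with `multipath -f`/`-F` is a one-off fix: multipathd will recreate the maps on the next scan or reboot, so on a host that keeps device-mapper-multipath installed (as Adam must, for oVirt), the durable fix is to blacklist the local disks by WWID or devnode in the `blacklist` section of /etc/multipath.conf and reload multipathd.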

Re: [CentOS] Extreme frustration with GIMP

2017-07-07 Thread Leroy Tennison
Well, I misspoke, Ctrl-Z can undo some things, not others.  Sorry.

- Original Message -
From: "Leroy Tennison" 
To: "centos" 
Sent: Friday, July 7, 2017 12:38:17 PM
Subject: Re: [CentOS] Extreme frustration with GIMP

I saw Fred's later reply and am glad someone knew how to do it.  I feel your 
pain, the gimp documentation isn't always the best.  If you aren't already 
aware, when your work is suddenly undone, remember that Ctrl-Z (UnDo) is your 
friend.  I found that I had to look for gimp tutorials on the web wherever I 
could and use the one that worked (as you discovered - not all do).  And then 
there were cases where, like you did, posting on a forum produced far better 
results than hours of web search.

- Original Message -
From: "Alice Wonder" 
To: "centos" 
Sent: Friday, July 7, 2017 11:42:01 AM
Subject: [CentOS] Extreme frustration with GIMP

I am not a graphics person. Also can't afford to hire one.

Trying to follow instructions at 
https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html

I use the "intelligent scissors" just like they say, spend quite a bit 
of effort doing so.

Then click the foreground select tool - just like they say - and 
suddenly everything I did with the intelligent tool is undone.

WTF?

Does anyone know of an actual GIMP tutorial for removing background that 
doesn't cause me to throw a damn brick through my monitor?

Photoshop makes it easy, but clearly GIMP developers have a completely 
different philosophy on how a graphics tool should work and I can't 
figure out what their philosophy is.


Re: [CentOS] Extreme frustration with GIMP

2017-07-07 Thread m . roth
Alice Wonder wrote:
> I am not a graphics person. Also can't afford to hire one.
>
> Trying to follow instructions at
> https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html
>
> I use the "intelligent scissors" just like they say, spend quite a bit
> of effort doing so.
>
> Then click the foreground select tool - just like they say - and
> suddenly everything I did with the intelligent tool is undone.
>
> WTF?
>
> Does anyone know of an actual GIMP tutorial for removing background that
> doesn't cause me to throw a damn brick through my monitor?

Don't do that, does nasty things to a budget.

Don't know a tutorial, either, and their tools do operate in an, um,
interesting manner. That being said... I dunno if I've used the
intelligent scissors tool, but I'd expect to use a select tool, *then* a
scissors.

Feel free to talk or rant to me offlist.



Re: [CentOS] Extreme frustration with GIMP

2017-07-07 Thread Leroy Tennison
I saw Fred's later reply and am glad someone knew how to do it.  I feel your 
pain, the gimp documentation isn't always the best.  If you aren't already 
aware, when your work is suddenly undone, remember that Ctrl-Z (UnDo) is your 
friend.  I found that I had to look for gimp tutorials on the web wherever I 
could and use the one that worked (as you discovered - not all do).  And then 
there were cases where, like you did, posting on a forum produced far better 
results than hours of web search.

- Original Message -
From: "Alice Wonder" 
To: "centos" 
Sent: Friday, July 7, 2017 11:42:01 AM
Subject: [CentOS] Extreme frustration with GIMP

I am not a graphics person. Also can't afford to hire one.

Trying to follow instructions at 
https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html

I use the "intelligent scissors" just like they say, spend quite a bit 
of effort doing so.

Then click the foreground select tool - just like they say - and 
suddenly everything I did with the intelligent tool is undone.

WTF?

Does anyone know of an actual GIMP tutorial for removing background that 
doesn't cause me to throw a damn brick through my monitor?

Photoshop makes it easy, but clearly GIMP developers have a completely 
different philosophy on how a graphics tool should work and I can't 
figure out what their philosophy is.


Re: [CentOS] Extreme frustration with GIMP

2017-07-07 Thread fred roller
On Fri, Jul 7, 2017 at 12:42 PM, Alice Wonder  wrote:

> Does anyone know of an actual GIMP tutorial for removing background


Use the intelligent scissors as you did.  Right click inside the section
and choose copy. Right click anywhere and choose Edit -> Paste As -> As New
Image.  This should get you off to a good start.  Here is a link to GIMP
communities who can better assist you in learning the GIMP way and would love to
hear your input on the UI as well.  I am not a graphics person either but
this method has been the simplest.


https://www.gimp.org/links/#clubs

-- Fred


[CentOS] Extreme frustration with GIMP

2017-07-07 Thread Alice Wonder

I am not a graphics person. Also can't afford to hire one.

Trying to follow instructions at 
https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html


I use the "intelligent scissors" just like they say, spend quite a bit 
of effort doing so.


Then click the foreground select tool - just like they say - and 
suddenly everything I did with the intelligent tool is undone.


WTF?

Does anyone know of an actual GIMP tutorial for removing background that 
doesn't cause me to throw a damn brick through my monitor?


Photoshop makes it easy, but clearly GIMP developers have a completely 
different philosophy on how a graphics tool should work and I can't 
figure out what their philosophy is.



Re: [CentOS-docs] Markus McLaughlin Intro

2017-07-07 Thread Karanbir Singh

Hi Markus,

Welcome onboard - is your wiki user MarkusMcLaughlin?

-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc


On 07/07/17 15:32, Markus McLaughlin wrote:
> My name is Markus McLaughlin, I am coming on board the CentOS EDUcation
> SIG Project.  I want to bring my resourcefulness and talents to this
> very ambitious project.  Debian has already made available its own EDU
> distribution.  It's time for CentOS to "step up," and offer its own
> service.  Windows and Macs have dominated the education market far too
> long.  It's time to bring free and open source software to those schools
> and students who can't afford to use either of their systems.
> 
> I think there should be two forms of the CentOS EDU distribution:
> 1. 4GB "Core" with the bare essentials, including offline Wikipedia access,
> and a library of free e-textbooks for those who don't have broadband
> internet access.
> 2. 8GB "Everything" with additional software like Audacity, GIMP,
> Blender, Scribus, Inkscape, etc.
> CentOS EDU should provide a configuration menu of all the different
> interfaces, GNOME, KDE, etc., based on the Anaconda installer.  It should
> also provide Windows compatibility so MS Office can be used instead of
> LibreOffice.
> 
> Another option that Debian EDU probably does not have is, why not have
> CentOS EDU be compatible with the Linux layer of Windows 10?  The CORE
> could be accessed inside Windows 10 so it would be a "win win."
> 
> I would like to see CentOS EDU paired with the Raspberry Pi Foundation
> as well, presenting it to those who can't afford a full PC.  The Pi
> would make an inexpensive means to support poor students.  For $100.00,
> a Pi with CentOS EDU 32gb microsd card included, would open up a whole
> new world!
> 
> Please consider my ideas!  :D
> 
> Regards,
> Markus McLaughlin
> marknetproductions.com
> 

___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


[CentOS-docs] Markus McLaughlin Intro

2017-07-07 Thread Markus McLaughlin
My name is Markus McLaughlin, I am coming on board the CentOS EDUcation
SIG Project.  I want to bring my resourcefulness and talents to this
very ambitious project.  Debian has already made available its own EDU
distribution.  It's time for CentOS to "step up," and offer its own
service.  Windows and Macs have dominated the education market far too
long.  It's time to bring free and open source software to those schools
and students who can't afford to use either of their systems.

I think there should be two forms of the CentOS EDU distribution:
1. 4GB "Core" with the bare essentials, including offline Wikipedia access,
and a library of free e-textbooks for those who don't have broadband
internet access.
2. 8GB "Everything" with additional software like Audacity, GIMP,
Blender, Scribus, Inkscape, etc.
CentOS EDU should provide a configuration menu of all the different
interfaces, GNOME, KDE, etc., based on the Anaconda installer.  It should
also provide Windows compatibility so MS Office can be used instead of
LibreOffice.

Another option that Debian EDU probably does not have is, why not have
CentOS EDU be compatible with the Linux layer of Windows 10?  The CORE
could be accessed inside Windows 10 so it would be a "win win."

I would like to see CentOS EDU paired with the Raspberry Pi Foundation
as well, presenting it to those who can't afford a full PC.  The Pi
would make an inexpensive means to support poor students.  For $100.00,
a Pi with CentOS EDU 32gb microsd card included, would open up a whole
new world!


Please consider my ideas!  :D

Regards,
Markus McLaughlin
marknetproductions.com



Re: [CentOS] Web server files ownership?

2017-07-07 Thread Nicolas Kovacs
On 07/07/2017 at 12:53, Pete Biggs wrote:
> There's lots of pages out there about hardening Apache and what file
> ownership and permissions the site should have. Everyone has their
> opinion and the defaults for different distros varies. But the
> underlying idea is that the web server files should not be owned by the
> process that the web server runs as.

Thanks very much. I just updated the relevant information on my blog.

https://blog.microlinux.fr/apache-centos/

https://blog.microlinux.fr/apache-ssl-centos/

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] C7 and spoofed MAC address

2017-07-07 Thread Robert Moskowitz



On 07/07/2017 02:13 AM, James Hogarth wrote:
> On 30 June 2017 at 18:58,   wrote:
>
>> Got a problem: a user's workstation froze. He wound up rebooting, without
>> calling me in first, so I dunno. But, and this is a show-stopper, when it
>> came up, it came up with the firmware MAC, not the spoofed one. In
>> /etc/sysconfig/network-scripts/ifcfg-eth0, I've got the spoofed MAC
>> address, and a UUID. In the grub.conf, I've got net.ifnames=0
>> biosdevname=0. But when I logged onto his machine, ip a showed eth0... but
>> with the firmware MAC.
>>
>> And I'm wondering if it went to renew its IP address, and lost the spoofed
>> MAC. That might explain his freezes.
>>
>> Anyway, does anyone have any idea if there's some networkmangler or
>> systemd configuration that would force it to pay attention?
>>
>> Note that my hack to fix it was ifdown eth0/ifup eth0, and it's fine.
>
> Not much to go on here
>
> Your ifcfg-* configs would be helpful.
>
> There was a slight change to MAC spoof behaviour in the NM 1.4.0 that
> was part of EL7.3 compared to the older NM as I recall
>
> https://www.hogarthuk.com/?q=node/18
>
> That may or may not be affecting you.


I am using Centos7-armv7hl and have had no problem altering my MAC 
address.  Much easier than back in Centos6.  All I have needed is in 
ifcfg-eth0 like:


DEVICE="eth0"
BOOTPROTO=none
ONBOOT="yes"
TYPE="Ethernet"
NAME="eth0"
MACADDR=02:67:15:00:E0:02
MTU=1500
DNS1=192.168.224.2
GATEWAY="192.168.224.1"
IPADDR="192.168.224.2"
NETMASK="255.255.255.0"
IPV6INIT="yes"

No grub.conf but

cat /boot/extlinux/extlinux.conf
#Created by RootFS Build Factory
ui menu.c32
menu autoboot centos
menu title centos Options
#menu hidden
timeout 60
totaltimeout 600
label centos
kernel /vmlinuz-4.9.30-203.el7.armv7hl
append enforcing=1 root=UUID=ad25a528-baf4-469c-bd12-5276e8f5f9ae
fdtdir /dtb-4.9.30-203.el7.armv7hl
initrd /initramfs-4.9.30-203.el7.armv7hl.img

Oh, ip addr shows:

2: eth0:  mtu 1500 qdisc pfifo_fast 
state UP qlen 1000

link/ether 02:67:15:00:e0:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.224.2/24 brd 192.168.224.255 scope global eth0
   valid_lft forever preferred_lft forever
inet6 2601:4:2001:7302:67:15ff:fe00:e002/64 scope global 
noprefixroute dynamic

   valid_lft 2147448sec preferred_lft 604765sec
inet6 fe80::67:15ff:fe00:e002/64 scope link
   valid_lft forever preferred_lft forever

BTW, the reason I change my MAC is to thus hand-craft my IPv6 address.  
6715 is my IANA Enterprise number and e002 is the IPv4 subnet address.  :)



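A check for the failure described in the quoted report (the interface coming back up with its firmware MAC after a reboot) and for the MAC-derived IPv6 addresses Robert describes, as an added example that is not taken from the thread: it compares MACADDR in the ifcfg file with the address `ip addr` reports, and derives the modified EUI-64 interface identifier that SLAAC builds from that MAC to confirm the inet6 addresses still carry it. The ifcfg and `ip addr` text are constructed samples modelled on Robert's post (the interface flags, which the archive stripped, are filled in as an assumption), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check that the MAC an interface is
# actually running with matches the MACADDR set in its ifcfg file, and that the
# SLAAC IPv6 addresses carry the interface identifier derived from that MAC.
# Both inputs below are constructed test data modelled on Robert's post; on a
# real host feed it the real ifcfg file and `ip addr show eth0`.

sample_ifcfg() {
    cat <<'EOF'
DEVICE="eth0"
BOOTPROTO=none
ONBOOT="yes"
TYPE="Ethernet"
NAME="eth0"
MACADDR=02:67:15:00:E0:02
MTU=1500
IPADDR="192.168.224.2"
NETMASK="255.255.255.0"
IPV6INIT="yes"
EOF
}

# The <...> flag list is assumed; the archive dropped it from Robert's paste.
sample_ip_addr() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:67:15:00:e0:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.224.2/24 brd 192.168.224.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2601:4:2001:7302:67:15ff:fe00:e002/64 scope global noprefixroute dynamic
       valid_lft 2147448sec preferred_lft 604765sec
    inet6 fe80::67:15ff:fe00:e002/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

# configured_mac: MACADDR from an ifcfg file on stdin, quotes stripped, lower-cased.
configured_mac() {
    sed -n 's/^MACADDR=//p' | tr -d '"' | tr 'A-Z' 'a-z'
}

# running_mac: the link/ether address from `ip addr` output on stdin.
running_mac() {
    awk '$1 == "link/ether" { print $2; exit }'
}

# mac_matches_config IFCFG-CMD IPADDR-CMD : 0 when the two agree (the ifcfg
# file uses upper-case hex, ip prints lower-case, so compare case-insensitively),
# 1 when the interface has fallen back to another (e.g. firmware) MAC.
mac_matches_config() {
    want=$($1 | configured_mac)
    have=$($2 | running_mac)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# eui64_iid MAC : the modified EUI-64 interface identifier (RFC 4291) that
# SLAAC derives from MAC, printed the way `ip` displays it (leading zeros of
# each group dropped): flip the universal/local bit of the first octet and
# insert ff:fe between the third and fourth octets.
eui64_iid() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    set -- $(printf '%s' "$mac" | tr ':' ' ')
    first=$(( 0x$1 ^ 0x02 ))
    printf '%x:%x:%x:%x\n' \
        $(( first * 256 + 0x$2 )) \
        $(( 0x$3 * 256 + 0xff )) \
        $(( 0xfe * 256 + 0x$4 )) \
        $(( 0x$5 * 256 + 0x$6 ))
}

# slaac_addrs_match MAC IPADDR-CMD : 0 when every inet6 address in the output
# ends in the EUI-64 identifier derived from MAC, 1 otherwise (or when there is
# no inet6 address at all).  Privacy-extension addresses (flagged "temporary")
# are never MAC-derived and are skipped.  An identifier containing an all-zero
# group could be hidden by "::" compression; such a MAC needs a fuller parser.
slaac_addrs_match() {
    iid=$(eui64_iid "$1")
    $2 | awk -v iid="$iid" '
        /temporary/ { next }
        $1 == "inet6" {
            n++
            sub(/\/.*/, "", $2)
            if (substr($2, length($2) - length(iid) + 1) != iid) bad++
        }
        END { exit (n == 0 || bad > 0) }'
}

# Example run against the constructed samples.
mac_matches_config sample_ifcfg sample_ip_addr && echo "eth0 runs with the configured MAC"
slaac_addrs_match 02:67:15:00:E0:02 sample_ip_addr && echo "inet6 addresses derive from that MAC"
```

Run from cron or a monitoring check with the real file and `ip addr show eth0`, a non-zero result from `mac_matches_config` is exactly the silent regression in the quoted report, which was only noticed because of the outage it caused.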


Re: [CentOS] Web server files ownership?

2017-07-07 Thread Bill Gee
On Friday, July 7, 2017 6:45:48 AM CDT Pete Biggs wrote:
> > File permissions are 574.  Note that owners are NOT required to have
> > higher
> > permissions than groups!
> > 
> > find /var/www/html -type f -exec chmod 574 {} \;
> 
> Normal files really shouldn't have their execute bit set. There is no
> need to (since they aren't going to be executed) and just sets up
> security issues If you want to have only group write permissions on
> normal files you should set the permissions to 464 (-r--rw-r--).
> 
> P.
> 

Yep, good catch.  eXecute is not normally required on HTML files.

-- 
Bill Gee



Re: [CentOS] Web server files ownership?

2017-07-07 Thread Pete Biggs
On Fri, 2017-07-07 at 12:56 +0100, John Hodrien wrote:
> On Fri, 7 Jul 2017, Pete Biggs wrote:
> 
> > Not necessarily. In order to change permissions on a file you need to
> > have write access to the directory (i.e. the special file in the parent
> > directory that describes the files present in the directory).
> 
> To delete, yes, but to chmod?  It makes no sense for that to be the case, as
> hardlinks would end up being a touch baffling.
> 

Yes, you're right. Sorry. The permissions must be held in a different
place (chmod isn't suid so it can't write to the directory file if it
doesn't have the correct permissions) - it's a long time since I last
looked at filesystem internals.

And this has drifted too far away from apache! 

P. 


Re: [CentOS] Web server files ownership?

2017-07-07 Thread John Hodrien

On Fri, 7 Jul 2017, Pete Biggs wrote:

> Not necessarily. In order to change permissions on a file you need to
> have write access to the directory (i.e. the special file in the parent
> directory that describes the files present in the directory).

To delete, yes, but to chmod?  It makes no sense for that to be the case, as
hardlinks would end up being a touch baffling.

[ as root ]
# mkdir foo
# touch foo/bar
# chown user foo/bar
# chmod 574 foo/bar

[ as user ]
$ cd foo
$ ls -ld .
drwxr-xr-x. 2 root root 16 Jul  7 12:51 .
$ ls -l bar
-r-xrwxr--. 1 user root 0 Jul  7 12:51 bar
$ echo rabbits > bar
bash: bar: Permission denied
$ chmod 644 bar
$ echo rabbits > bar
$ cat bar
rabbits
$ ls -l bar
-rw-r--r--. 1 user root 8 Jul  7 12:54 bar

jh


Re: [CentOS] Web server files ownership?

2017-07-07 Thread Pete Biggs

> 
> File permissions are 574.  Note that owners are NOT required to have higher 
> permissions than groups!
> 
> find /var/www/html -type f -exec chmod 574 {} \;

Normal files really shouldn't have their execute bit set. There is no
need to (since they aren't going to be executed) and just sets up
security issues If you want to have only group write permissions on
normal files you should set the permissions to 464 (-r--rw-r--). 

P.



Re: [CentOS] Web server files ownership?

2017-07-07 Thread Pete Biggs
On Fri, 2017-07-07 at 12:31 +0100, John Hodrien wrote:
> On Fri, 7 Jul 2017, Bill Gee wrote:
> 
> > File permissions are 574.  Note that owners are NOT required to have higher
> > permissions than groups!
> 
> But the owner can change the permissions, no?

Not necessarily. In order to change permissions on a file you need to
have write access to the directory (i.e. the special file in the parent
directory that describes the files present in the directory). The owner
of a file does not necessarily have those permissions in a normal
directory.

P.



Re: [CentOS] Web server files ownership?

2017-07-07 Thread John Hodrien

On Fri, 7 Jul 2017, Bill Gee wrote:

> File permissions are 574.  Note that owners are NOT required to have higher
> permissions than groups!

But the owner can change the permissions, no?

574 is a properly peculiar permission to set.

jh


Re: [CentOS] Web server files ownership?

2017-07-07 Thread Bill Gee
On Friday, July 7, 2017 5:25:29 AM CDT Nicolas Kovacs wrote:


> Hi,
> 
> I have a series of websites hosted on two CentOS 7 servers, using Apache
> virtual hosts. One of these servers is a "sandbox" machine, to test
> things and to fiddle around.
> 
> Since Apache is running as system user 'apache' and system group
> 'apache', I thought it sensible that hosted files be owned by that process.
> 
> # ls -l /var/www/html/
> total 24
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
> drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
> drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
> drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site

Hi Niki -

Pete Biggs has weighed in with one way of setting Apache permissions.  His 
basic contention is right on:  The user under which the Apache process runs 
should not have write permissions.

The method we adopted at my last job goes like this:  All of our CentOS7 
servers are members of Active Directory.  We created an AD group which 
contains the user names of our web developers.  We do not have any Web 
services that require writing data back to the server, so we do not have that 
complication to deal with.  We also have nothing that writes to a database.

On the CentOS server everything is owned by nobody and has a group of 
d...@ad.com.

chown -R nobody:d...@ad.com /var/www/html

File permissions are 574.  Note that owners are NOT required to have higher 
permissions than groups!

find /var/www/html -type f -exec chmod 574 {} \;

Directory permissions are 575.  The eXecute bit must be set so that Apache can 
navigate into the subdirectories.

find /var/www/html -type d -exec chmod 575 {} \;

The group sticky bit is set on directories.  That means any new directories 
created by the developers will have a group of d...@ad.com.

find /var/www/html -type d -exec chmod g+s {} \;

We also set ACLs on the directories so that new files and directories have the 
desired permissions.  I don't remember the exact command for that.  Setfacl is 
pretty finicky!

The end result can be a bit messy since new files in the html directory will 
be owned by the developer who copied them up.  I have not found a way to force 
ownership to nobody.  That doesn't matter, though, since Apache does not use 
owner permissions and web developers get permissions through the group 
settings.  If you are picky about this, it is easy to set a cron job that runs 
chown on a regular basis.

-- 
Bill Gee



Re: [CentOS] ntsysv and chkconfig update error

2017-07-07 Thread Mark Haney
It was just a standard 'yum update'.  I suppose I could try removing
ntsysv, but I'm not sure that'll fix it.  It seems the 'pre-existing rpmdb
problem' is the issue here. The ntsysv and chkconfig versions match in the
Error.  But the error message after the '**' mentions different ntsysv and
chkconfig versions.  (ie 1.7.2-1.el7. instead of 1.7.2-1.el7_3.1).  I'm not
sure of the significance of that unless it's a problem in the RPM builds or
the rpmdb is still wrong even after a full rebuild.

I tried to do a yum check on that server but it seemed to hang, though
since I've never run that command, it may just be REALLY slow.

On Fri, Jul 7, 2017 at 4:43 AM, James Pearson 
wrote:

> Mark Haney wrote:
> >
> > We have a couple of CentOS 7 boxes that were built before I was hired to
> > clean up the kickstart script used for C7 boxes.  We had a couple of rpm
> > packages that were pre-C7 that were used and setup the old SysV Init way
> > using ntsysv and chkconfig on these boxes. (I finally fixed that in the
> > newer scripts.)  These are out in the field and I'm having to deal with
> > them as they are.  One thing I'm having trouble with is updating them
> > without this error:
> >
> >> Error: Package: ntsysv-1.7.2-1.el7_3.1.x86_64 (updates)
> >>Requires: chkconfig = 1.7.2-1.el7_3.1
> >>Installed: chkconfig-1.3.61-4.el7.x86_64 (@anaconda)
> >>chkconfig = 1.3.61-4.el7
> >>  You could try using --skip-broken to work around the problem
> >> ** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
> >> ntsysv-1.7.2-1.el7.x86_64 has missing requires of chkconfig = ('0',
> >> '1.7.2', '1.el7')
> >
> > Now, I've verified the chkconfig v1.7.2 package is available on the
> > mirror we're using, I've rebuilt the RPM database and nothing has
> > worked.  I'm not even sure what the problem is at this point. Anyone
> > have any ideas?
>
> What yum command line did you use that gave the above errors?
>
> I'm not an expert on yum, but the above errors seem to indicate that 3
> versions of chkconfig are involved: 1.7.2-1.el7_3.1, 1.7.2-1.el7 and
> 1.3.61-4.el7 - not sure of the significance of this ...
>
> I guess you could try removing ntsysv and then trying to update
> chkconfig and then re-install ntsysv :
>
>   yum remove ntsysv
>   yum update chkconfig
>   yum install ntsysv
>
> James Pearson



-- 
Mark Haney
Network Engineer at NeoNova
919-460-3330 (opt 1) • mark.ha...@neonova.net
www.neonova.net



Re: [CentOS] Web server files ownership?

2017-07-07 Thread Pete Biggs

> 
> Since Apache is running as system user 'apache' and system group
> 'apache', I thought it sensible that hosted files be owned by that process.
> 
> # ls -l /var/www/html/
> total 24
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
> drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
> drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
> drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site
> 
> Directories are all drwxr-x---, while files are -rw-r-.
> 
> Now some guy on the french forum fr.centos.org told me that I got
> everything wrong, and that my setup is a security flaw, without
> elaborating any further though.

> So I thought I'd ask on this list (which is a little bit more urbane
> than the french forum).
> 
> 1. What is wrong with my setup?

Possibly what he means is that having the files and directories
writeable by the process that the web server runs as is a security
issue. i.e. if there are any security issues with httpd, or the code
that runs on the sites, then without a privilege escalation the exploit
would run as the apache user, which means that the exploit can write to
those directories, resulting in, at the least, a defaced site or, at worst,
the upload of a more problematic exploit.

> 
> 2. What do you suggest?

Have as few directories/files owned by the web server process as
possible. If you have an application that needs to write to a file or
upload to a directory, then they do need to be owned & writeable by
apache.

The files do need to be readable by the apache user, so the file
permissions are usually 644 (with directories 755) and owned by
root.root - although the actual owner doesn't matter so long as apache
can read the files. I suppose if you are really paranoid, then set the
owner to nobody.nobody.

> 
> BTW, I don't mind to RTFM, even extensively.
> 

There's lots of pages out there about hardening Apache and what file
ownership and permissions the site should have. Everyone has their
opinion and the defaults for different distros vary. But the
underlying idea is that the web server files should not be owned by the
process that the web server runs as.

P.

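A quick way to check a web root for the situation this reply warns about. The script below is an added example, not code from the thread: it walks a directory tree and reports every file or directory that a given uid/gid (the web server's) could write to. The uid/gid are parameters so the check also runs on a box without an 'apache' account; the suggested fix printed at the end is the root-owned 644/755 layout from the reply.

```python
# Added example, not code from the thread: list every entry under a web
# root that the web server's uid/gid could write to, which is the setup
# the reply above warns about.  The uid/gid are parameters so the check
# also runs on a box without an 'apache' account.
import os
import stat


def write_access(st, uid, gid):
    """Return 'owner', 'group' or 'other' if uid/gid can write the inode, else None."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owner"
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return "group"
    if mode & stat.S_IWOTH:
        return "other"
    return None


def audit_webroot(root, uid, gid):
    """Return sorted (relative path, octal mode, reason) tuples for every
    file or directory below root that uid/gid could write.  Symlinks are
    skipped because the mode bits on the link itself are irrelevant."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reason = write_access(st, uid, gid)
            if reason:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)), reason))
    return sorted(findings)


if __name__ == "__main__":
    import grp, pwd, sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    uid, gid = pwd.getpwnam("apache").pw_uid, grp.getgrnam("apache").gr_gid
    for rel, mode, reason in audit_webroot(webroot, uid, gid):
        # Unless this is a genuine upload directory, the fix from the reply
        # is ownership by root with the read-only 644 (file) / 755 (dir) mode.
        want = "755" if os.path.isdir(os.path.join(webroot, rel)) else "644"
        print(f"{rel}: {mode} writable by apache via {reason}; "
              f"suggest chown root:root and chmod {want}")
```

Run it as root against /var/www/html; an empty report means nothing below the web root is writable by httpd.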


[CentOS] Web server files ownership?

2017-07-07 Thread Nicolas Kovacs
Hi,

I have a series of websites hosted on two CentOS 7 servers, using Apache
virtual hosts. One of these servers is a "sandbox" machine, to test
things and to fiddle around.

On the sandbox server, I have a few dummy websites I'm hosting.

# ls /var/www/html/
default  phpinfo  slackbox-mail  slackbox-site  unixbox-mail  unixbox-site

Since Apache is running as system user 'apache' and system group
'apache', I thought it sensible that hosted files be owned by that process.

# ls -l /var/www/html/
total 24
drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site

Directories are all drwxr-x---, while files are -rw-r-.

Now some guy on the French forum fr.centos.org told me that I got
everything wrong, and that my setup is a security flaw, without
elaborating any further though.

So I thought I'd ask on this list (which is a little bit more urbane
than the French forum).

1. What is wrong with my setup ?

2. What do you suggest ?

BTW, I don't mind to RTFM, even extensively.

Cheers from the sunny South of France,

Niki Kovacs

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] ntsysv and chkconfig update error

2017-07-07 Thread James Pearson
Mark Haney wrote:
>
> We have a couple of CentOS 7 boxes that were built before I was hired to
> clean up the kickstart script used for C7 boxes.  We had a couple of rpm
> packages that were pre-C7 that were used and setup the old SysV Init way
> using ntsysv and chkconfig on these boxes. (I finally fixed that in the
> newer scripts.)  These are out in the field and I'm having to deal with
> them as they are.  One thing I'm having trouble with is updating them
> without this error:
>
>> Error: Package: ntsysv-1.7.2-1.el7_3.1.x86_64 (updates)
>>Requires: chkconfig = 1.7.2-1.el7_3.1
>>Installed: chkconfig-1.3.61-4.el7.x86_64 (@anaconda)
>>chkconfig = 1.3.61-4.el7
>>  You could try using --skip-broken to work around the problem
>> ** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
>> ntsysv-1.7.2-1.el7.x86_64 has missing requires of chkconfig = ('0',
>> '1.7.2', '1.el7')
>
> Now, I've verified the chkconfig v1.7.2 package is available on the
> mirror we're using, I've rebuilt the RPM database and nothing has
> worked.  I'm not even sure what the problem is at this point. Anyone
> have any ideas?

What yum command line did you use that gave the above errors?

I'm not an expert on yum, but the above errors seem to indicate that 3 
versions of chkconfig are involved: 1.7.2-1.el7_3.1, 1.7.2-1.el7 and 
1.3.61-4.el7 - not sure of the significance of this ...

I guess you could try removing ntsysv and then trying to update 
chkconfig and then re-install ntsysv :

  yum remove ntsysv
  yum update chkconfig
  yum install ntsysv

James Pearson


Re: [CentOS] C7 and spoofed MAC address

2017-07-07 Thread James Hogarth
On 30 June 2017 at 18:58,   wrote:
> Got a problem: a user's workstation froze. He wound up rebooting, without
> calling me in first, so I dunno. But, and this is a show-stopper, when it
> came up, it came up with the firmware MAC, not the spoofed one. In
> /etc/sysconfig/network-scripts/ifcfg-eth0, I've got the spoofed MAC
> address, and a UUID. In the grub.conf, I've got net.ifnames=0
> biosdevname=0. But when I logged onto his machine, ip a showed eth0... but
> with the firmware MAC.
>
> And I'm wondering if it went to renew its IP address, and lost the spoofed
> MAC. That might explain his freezes.
>
> Anyway, does anyone have any idea if there's some networkmangler or
> systemd configuration that would force it to pay attention?
>
> Note that my hack to fix it was ifdown eth0/ifup eth0, and it's fine.
>


Not much to go on here.

Your ifcfg-* configs would be helpful.

There was a slight change to MAC spoof behaviour in the NM 1.4.0 that
was part of EL7.3 compared to the older NM, as I recall:

https://www.hogarthuk.com/?q=node/18

That may or may not be affecting you.


Re: [CentOS] Virtual IP

2017-07-07 Thread James Hogarth
On 6 July 2017 at 15:41, Scott Robbins  wrote:
> On Thu, Jul 06, 2017 at 08:17:17AM -0400, Jonathan Billings wrote:
>> On Thu, Jul 06, 2017 at 11:17:12AM +0300, Amine Tengilimoglu wrote:
>> > I need your help on setting the virtual IP. I am trying to set up a static
>> > virtual IP on CentOS 7, but I do not want my VIP to open when rebooting.
>>
>> It looks like you're trying to add the second IP on an aliased
>> interface, something that you used to have to do in older releases of
>> CentOS.
>>
>> In C7, you just add multiple IPs to the interface, no need to use
>> eth0:1 style names.
>>
>> In the ifcfg-, you can just put in IPADDR1=1.2.3.4 and
>> NETMASK1=255.255.255.0, and PREFIX1=1.2.3.0.
>>
>> The documentation is in
>> /usr/share/doc/initscripts-9.49.37/sysconfig.txt (part of the
>> initscripts package), which says:
>
> There's a clearer explanation, IMHO, with examples, here.
> https://community.spiceworks.com/topic/545859-add-secondary-ip-to-one-interface-in-centos-7
>
> I don't see mention of it in the RHEL-7 release notes, they just say NM is
> better than it was, and perhaps there's an easy way to do it with NM.
>
> I've left the text that J.Billings kindly included, in below.
>
>
>>
>>
>>   Base items:
>> NAME=
>>   Most important for PPP.  Only used in front ends.
>> DEVICE=>   devices where it is the "logical name")>
>> IPADDRn=
>> PREFIXn=
>>   Network prefix.  It is used for all configurations except aliases
>>   and ippp devices.  It takes precedence over NETMASK when both
>>   PREFIX and NETMASK are set.
>> NETMASKn=
>>   Subnet mask; just useful for aliases and ippp devices.  For all other
>>   configurations, use PREFIX instead.
>>
>> The "n" is expected to be consecutive positive integers starting from 0.
>> It can be omitted if there is only one address being configured.
>>
>> So, you can have IPADDR0, IPADDR1, IPADDR2, etc.
>>
>> All of these will configure an IP on the device named in the DEVICE
>> line.  No need to have multiple alias interfaces.
>>
>> --
>> Jonathan Billings 


Don't even go near an aliased interface on EL7 ... it's the most
painful way to handle this and not NM compatible.

Here's an article I wrote way back on handling this:

https://www.hogarthuk.com/?q=node/6

Note that with NM in use (as should be the case on EL7) it's as simple
as: nmcli con mod  +ipv4.addr "10.0.0.2/24"

https://www.hogarthuk.com/?q=node/8
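To see the IPADDRn/PREFIXn/NETMASKn rules quoted from sysconfig.txt applied to a real file, here is an added example (not code from the thread or from initscripts). It parses an ifcfg file, uses PREFIX in preference to NETMASK for the same n, treats an unsuffixed key as index 0, and warns when the indices are not consecutive from 0; SAMPLE_IFCFG is constructed input with a deliberate gap at index 2.

```python
# Added example (not from the thread or from initscripts): check the
# IPADDRn/PREFIXn/NETMASKn keys of an ifcfg file against the rules quoted
# from sysconfig.txt.  SAMPLE_IFCFG is constructed input.
import ipaddress
import re

SAMPLE_IFCFG = """\
IPADDR0=192.0.2.10
PREFIX0=24
NETMASK0=255.255.0.0
IPADDR1=192.0.2.11
NETMASK1=255.255.255.0
IPADDR3=192.0.2.13
PREFIX3=24
"""
KEY_RE = re.compile(r"^(IPADDR|PREFIX|NETMASK)(\d*)$")


def parse_ifcfg(text):
    # KEY=VALUE lines only; comments and blank lines are skipped.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf


def addresses(conf):
    # Returns (['addr/len', ...] in index order, [warning, ...]).
    groups, addrs, warnings = {}, [], []
    for key, value in conf.items():
        m = KEY_RE.match(key)
        if m:
            kind, n = m.groups()
            groups.setdefault(int(n) if n else 0, {})[kind] = value
    for n, g in sorted(groups.items()):
        try:
            mask = g.get("PREFIX") or g["NETMASK"]  # PREFIX wins over NETMASK
            plen = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
            addrs.append(str(ipaddress.IPv4Interface(f"{g['IPADDR']}/{plen}")))
        except (KeyError, ValueError) as exc:
            warnings.append(f"index {n}: bad or missing value ({exc!r})")
    if sorted(groups) != list(range(len(groups))):
        warnings.append(f"indices {sorted(groups)} are not consecutive from 0")
    return addrs, warnings
```

For the sample, index 0 resolves to /24 because PREFIX0 overrides NETMASK0, and the jump from index 1 to 3 produces a warning.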