Re: [CentOS] PHP 7.x on CentOS 7 : which solution ?

2019-03-15 Thread Alice Wonder

On 3/15/19 12:51 AM, Nicolas Kovacs wrote:

Hi,

As you all know, CentOS 7 is shipping PHP 5.4, which is OK in some
situations. Unfortunately, some applications like OwnCloud require a
more recent version of PHP.

Up until recently, I've been using PHP 5.6 packages from the Webtatic
repository. Despite the bad press this third party repo seems to have,
it has been working perfectly for me for a few years. Here's the PHP 5.6
packages I have on an OwnCloud server:

$ rpm -qa | grep php
php56w-devel-5.6.40-1.w7.x86_64
php56w-pdo-5.6.40-1.w7.x86_64
php56w-gd-5.6.40-1.w7.x86_64
php56w-mysql-5.6.40-1.w7.x86_64
php56w-process-5.6.40-1.w7.x86_64
php56w-pear-1.10.4-1.w7.noarch
php56w-common-5.6.40-1.w7.x86_64
php56w-xml-5.6.40-1.w7.x86_64
php56w-pecl-redis-3.1.6-1.w7.x86_64
php56w-cli-5.6.40-1.w7.x86_64
php56w-mcrypt-5.6.40-1.w7.x86_64
php56w-mbstring-5.6.40-1.w7.x86_64
php56w-pecl-igbinary-2.0.5-1.w7.x86_64
php56w-pecl-apcu-4.0.11-2.w7.x86_64
php56w-intl-5.6.40-1.w7.x86_64
php56w-5.6.40-1.w7.x86_64
php56w-soap-5.6.40-1.w7.x86_64

Now I'll have to upgrade these to some version of PHP 7. So I googled
"php 7 centos 7" and found quite a wealth of - sometimes contradictory -
information.

1. The "recommended" way of doing things seems to be the Red Hat
Software Collections. Correct me if I'm wrong. I wonder if this way of
doing things will enable me to get all the PHP modules listed above.

2. The use of Webtatic seems to be frowned upon. I still have to figure
out why, since this repository has always worked perfectly for me.

3. Then there's another repository managed by Remi Collet. Any thoughts
on that?

And then there's also the question : which version of PHP 7 should I
choose ? On my servers, I'm mainly hosting WordPress, Dolibarr and
OwnCloud.

Any suggestions ? I'm no lamer for doing a bit of RTFM, so a pointer to
documentation will do. The problem is not so much that there is no
information on the subject. It's rather : there's too much. As we say in
France : I'm confused about which saint to send my prayers to. :o)

Cheers,

Niki



I package PHP 7.3.x linked against LibreSSL rather than OpenSSL.

I also package MariaDB 10.2.x and updated Apache.

Right now there is a yum install issue - you have to manually remove the 
mariadb libs from 5.x to install. The dependencies are met, yum just 
can't figure it out.


https://lirelamp.com/

Some of my documentation is a bit out of date, but no one is paying me, 
so...


I do things differently than "software collections" - my philosophy is 
to just replace the system provided versions rather than put them in /opt.


I have that philosophy because I prefer to set up a VPS for a purpose 
and if that purpose is a LAMP stack I don't see the point of keeping the 
crusty MariaDB / PHP in place, so I just replace them with modern 
versions, built largely from Fedora spec files, modified when needed.


With the exception that I build against LibreSSL instead of against OpenSSL.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] read permission on rotated logs

2019-03-13 Thread Alice Wonder
When logs (e.g. /var/log/maillog) are rotated (e.g. to 
/var/log/maillog-MDD) is there a way via systemd or whatever to 
assign read permission to a specific group?


Right now, for example -

ls -l maillog*
-rw--- 1 root root 3105240 Mar 13 22:04 maillog
-rw--- 1 root root 1079031 Feb 24 04:39 maillog-20190224
-rw--- 1 root root 7237640 Mar  1 12:59 maillog-20190228
-rw--- 1 root root 1297508 Mar  3 04:21 maillog-20190303
-rw--- 1 root root 1319371 Mar 10 08:17 maillog-20190310

What I would like -

ls -l maillog*
-rw--- 1 root root 3105240 Mar 13 22:04 maillog
-rw-r- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
-rw-r- 1 root somegroup 7237640 Mar  1 12:59 maillog-20190228
-rw-r- 1 root somegroup 1297508 Mar  3 04:21 maillog-20190303
-rw-r- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

That way a user in somegroup could run a script that analyzes the 
rotated logs w/o needing root privileges.


Obviously I could put a script in /etc/cron.hourly that looks for 
rotated log files and changes ownership / permission, but I am wondering 
if there is a "proper" way to configure it via systemd or another utility.

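One way to get the layout asked for above from logrotate itself rather than from an hourly cron job, as an added example that is not part of the original post nor of the /etc/logrotate.d/syslog file CentOS 7 ships. The group name "logreaders" and the drop-in file /etc/logrotate.d/maillog are assumptions; the kill -HUP line is the one CentOS 7 already uses for the syslog-managed files.

```shell
#!/bin/sh
set -eu
# Added example, not part of the original post: have logrotate itself hand the
# rotated copies of /var/log/maillog to a group while the live file stays root-only.
# The group "logreaders" and the drop-in path are hypothetical. On CentOS 7 maillog
# is listed in /etc/logrotate.d/syslog; take it out of that list so it is not
# rotated twice.

# Set root:$2 mode 0640 on every rotated file (maillog-YYYYMMDD, with or without
# .gz) under directory $1, leaving the live maillog untouched.
relax_rotated_logs() {
    for f in "$1"/maillog-[0-9]*; do
        [ -f "$f" ] || continue     # glob matched nothing
        chgrp "$2" "$f"
        chmod 0640 "$f"
    done
}

# Print the logrotate stanza for /etc/logrotate.d/maillog. $1 = group.
# "create" only fixes the mode of the *new* live file; the renamed file keeps the
# mode it already had, so the lastaction script is what relaxes the rotated copies.
logrotate_stanza() {
    cat <<EOF
/var/log/maillog {
    missingok
    dateext
    rotate 8
    create 0600 root root
    postrotate
        /bin/kill -HUP \`cat /var/run/syslogd.pid 2> /dev/null\` 2> /dev/null || true
    endscript
    lastaction
        for f in /var/log/maillog-[0-9]*; do chgrp $1 "\$f"; chmod 0640 "\$f"; done
    endscript
}
EOF
}

# Install the stanza and dry-run it. $1 = group. Needs root and logrotate installed.
install_maillog_rotation() {
    logrotate_stanza "$1" > /etc/logrotate.d/maillog
    logrotate -d /etc/logrotate.d/maillog
}
```

Remove maillog from the file list in /etc/logrotate.d/syslog, run install_maillog_rotation logreaders, and read the logrotate -d output before the next nightly run. If the live file may be group-readable too, "create 0640 root logreaders" on its own is enough, because the renamed file keeps whatever mode it already had.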


Re: [CentOS] CPAN not working, or is it?

2019-03-11 Thread Alice Wonder

On 3/11/19 1:57 PM, Warren Young wrote:
*snip*


What is correct is that the CentOS-provided RPMs are often sufficiently outdated that they no longer work with the latest releases that cpanm wants to download by default. 


Often I end up downloading a src.rpm from Fedora for perl modules and 
building that.


It means security patches are now my responsibility for it, and 
sometimes it has other perl module dependencies that I have to do the 
same thing with first, but usually it works without too much fuss.



Re: [CentOS] Mail Server Guides

2019-03-04 Thread Alice Wonder

On 3/4/19 5:40 AM, Robert Moskowitz wrote:



On 3/1/19 12:53 PM, Ben Archuleta wrote:

Hello All,


I need to set up a new mail server to replace an aging CentOS 6.3 mail 
server. I was wondering what were some of the best guides on the web 
for Postfix (Maildir), Spamassassin, ClamAV, Dovecot?


I am close to upgrading my mailserver.  My current instructions are at:

http://www.htt-consult.com/Centos7-mailserver.html

I need to finish:

SHA256 or SHA512 instead of MD5 for the password (Just need to finish up 
the roundcube password change script)

dovecotadm backup for the mail
and something to backup the mysql

Otherwise my testing has been good.

Of course adding stuff like DKIM, DANE, etc.  would be nice.


Note with DKIM - OpenDKIM defaults to 1024-bit RSA but that is no longer 
recommended and some services no longer consider it valid. 2048-bit RSA 
is the current recommended.


The problem is that since DKIM keys do not expire, sysadmins got lazy 
and never bothered to periodically generate new ones, making 1024-bit 
RSA unsuitable.


Ed25519 is also now available but support for it is not widespread yet.

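The 2048-bit recommendation above carried through in working form, as an added example that is not OpenDKIM's own tooling (the record has the same shape opendkim-genkey -b 2048 produces): generate the key with openssl, emit the selector TXT record split into strings a zone file will accept, and audit a record that is already published so a 1024-bit key gets flagged. The selector "mail" and domain example.org in the usage are placeholders.

```shell
#!/bin/sh
set -eu
# Added example, not OpenDKIM's tooling: generate a 2048-bit DKIM key with openssl
# (what opendkim-genkey -b 2048 would do), write the selector TXT record split into
# <=255-byte strings as a zone file needs, and audit a published record so a
# 1024-bit key is caught. Selector and domain in the usage are hypothetical.

# $1 = output dir, $2 = selector, $3 = domain. Writes $2.private and $2.txt.
dkim_keygen() {
    dir=$1 sel=$2 dom=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$sel.private" 2>/dev/null
    pub=$(openssl pkey -in "$dir/$sel.private" -pubout -outform DER | base64 | tr -d '\n')
    {
        printf '%s._domainkey.%s. IN TXT ( "v=DKIM1; k=rsa; "' "$sel" "$dom"
        printf '%s\n' "p=$pub" | fold -w 250 | sed 's/.*/ "&"/' | tr -d '\n'
        printf ' )\n'
    } > "$dir/$sel.txt"
}

# $1 = record text, either the zone-file line above or what `dig +short TXT` prints.
# Prints the RSA modulus size in bits, or "ed25519" for a k=ed25519 record.
dkim_key_bits() {
    flat=$(printf '%s' "$1" | tr -d '" ()' | tr ';' '\n')
    k=$(printf '%s\n' "$flat" | sed -n 's/^k=//p')
    p=$(printf '%s\n' "$flat" | sed -n 's/^p=//p')
    if [ "$k" = "ed25519" ]; then
        echo ed25519
        return 0
    fi
    printf '%s' "$p" | base64 -d | openssl pkey -pubin -inform DER -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# 0 if the record meets the current recommendation (RSA >= 2048 bits, or Ed25519).
# An empty or unparsable p= (e.g. a revoked selector) counts as weak.
dkim_key_ok() {
    bits=$(dkim_key_bits "$1")
    [ "$bits" = "ed25519" ] || [ "${bits:-0}" -ge 2048 ]
}
```

dkim_keygen /etc/opendkim/keys mail example.org writes mail.private for the KeyTable and mail.txt to paste into the zone. dkim_key_ok "$(dig +short TXT mail._domainkey.example.org)" || echo weak checks what the rest of the world actually sees, which is also the check to run after the periodic key rotation the message above says too few people do.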


Re: [CentOS] Mail Server Guides

2019-03-01 Thread Alice Wonder

On 3/1/19 9:53 AM, Ben Archuleta wrote:

Hello All,


I need to set up a new mail server to replace an aging CentOS 6.3 mail server. 
I was wondering what were some of the best guides on the web for Postfix 
(Maildir), Spamassassin, ClamAV, Dovecot?



Probably not what you are looking for and it still has bugs, but I just 
(within last five days) started this project for securing outbound SMTP 
from a Postfix server, taking DANE, MTA-STS, and STARTTLS Everywhere 
policies into consideration.


One thing I will note, don't use the Postfix that ships with CentOS 7.x. 
It was fine when 7.0 shipped, but you really want to be using 3.2 or 
newer now.




Re: [CentOS] Support for Argon2 for password hashing

2019-02-13 Thread Alice Wonder

The version of libsodium in EPEL supports argon2

For php you can build the libsodium extension. Also php 7.2+ builds that 
extension if you specify it at build time using the --with-sodium=shared switch.


For dovecot you have to build it against sodium which means building 
your own packages but it works. At least with modern upstream dovecot.


On 2/13/19 5:18 AM, Robert Moskowitz wrote:

Is there any information on adding support for Argon2?

I have been working on my new mailserver and this came up in moving from 
the default MD5 hash to more 'modern' hashes like SHA256 and SHA512. 
Then I was pointed to the work behind Argon2, and I see that it is 
moving through the IRTF cfrg workgroup:


draft-irtf-cfrg-argon2-04.txt

It is a 'purpose built' hash for passwords, with recommendations that 
new implementations use it.  Of course can't use it if crypt does not 
support it


thanks



Re: [CentOS] DNSSEC Questions

2019-02-13 Thread Alice Wonder

On 2/12/19 11:49 PM, Paul R. Ganci wrote:


On 2/12/19 10:55 PM, Alice Wonder wrote:
DNSSEC keys do not expire. Signatures do expire. How long a signature 
is good for depends upon the software generating the signature; some 
let you specify. ldns I believe defaults to 60 days but I am not sure.


The keys are in DNSKEY records that are signed by your Key Signing 
Key and must be re-signed before the signature expires or they will no 
longer validate.


Likewise, the other records in the zone must be resigned by your Zone 
Signing Key before their signatures expire.


It's not the keys that are the issue, but the RRSIG record that 
contains a start and expiration time for the records.


If you upload signed zone files to godaddy, make sure to re-sign once a 
week or so, so that the RRSIG gets updated.


man ldns-signzone


Okay so I misunderstood the message I was getting when I checked my 
DNSSEC setup via http://dnsviz.net/. What you are telling me is that all 
I had to do was re-sign the zone files but that it was not necessary to 
generate new keys. This point is definitely one that I missed.


I too run my own authoritative nameservers. I was following the Digital 
Ocean procedure to setup DNSSEC:


https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2 



That site suggested the use of dnssec-signzone after key creation ala a 
command like (the stuff that follows has been sanitized):


 > dnssec-signzone -3 `head -c 1000 /dev/random | sha1sum | cut -b 1-16` 
-N INCREMENT -o domain.tld -t domain.tld.zone


After resigning with that command a file named dsset-domain.tld. is 
created which contains 2 digests.


 > cat dsset-domain.tld.
domain.tld. IN DS 20716 7 1 04E3E6C87CD4190F74DD0371A14AD5CC42B71521
domain.tld. IN DS 20716 7 2 
FA6D0EF0100855E5C85C6CD5A33590681DD9D7D9F6C773785C53E865 E02FF572


It is the keytag (20716) and the digests (hex fields) that are supposed 
to be uploaded to the registrar according to the section entitled 
"Configure DS records with the registrar" in the Digital Ocean reference 
I previously mentioned. In my original message it was the uploading of 
these keytags and digests to Godaddy that I was referring in my point 1 
and which seems to be accomplished only manually via the Godaddy web 
interface.


So doesn't ldns-signzone create the same kind of digest that requires it 
be uploaded to the registrar? Isn't that essential information in order 
to tell the .tld that the domain.tld DNSSEC is valid and to maintain the 
DNSSEC authentication chain trust up to the root servers? You can go to 
the http://dnsviz.net/ site and can use nurdog.com as an example of what 
i mean.


The DS record does have to be uploaded to your registrar but it only 
changes when you change your Key Signing Key, as it is based on your Key 
Signing Key.


I see you are using algorithm 7 - I would recommend switching to either 
algorithm 13 or at least to 8.


Algorithm 7 uses a SHA1 hash.

See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04

That's a draft but soon will be an update to the standard.

Algorithm 13 (ECDSAP256SHA256) results in much smaller keys and 
signatures and is equivalent to about RSA-3072 in strength, and it uses 
a SHA-256 hash.


However note that changing algorithms will result in validation failure 
for a few days unless done carefully.




If I do not have to generate the keys every time the RRSIGs expire then 
the scripting or re-signing the zones is really trivial as I am in full 
control of my own DNS servers. It is even easier now if I don't have to 
generate new keys although that really isn't a difficult step.


Yes that is what I do, daily via cron (or whenever I change a record) I 
re-sign it and upload.




So maybe I asked the wrong question. Is there a way to re-sign the zone 
files without having to recreate the information found in that 
dsset-domain.tld. file and uploading it to the registrar? I suspect 
there is no way around that as I believe it is essential to maintaining 
the chain of trust. But if I can keep everything on my own nameservers 
that would be a big help ... maybe ldns-signzone is the answer?




As long as you don't change your KSK that information will not change.


Re: [CentOS] DNSSEC Questions

2019-02-12 Thread Alice Wonder

On 2/12/19 7:26 PM, Paul R. Ganci wrote:
Last weekend I had my DNSSEC keys expire. I discovered that they had 
expired the hard way... namely randomly websites could not be found and 
email did not get delivered. It seems that the keys were only valid for 
what I estimate was about 30 days. It is a real PITA to have to update 
the keys, restart named and then update Godaddy with new digests.


DNSSEC keys do not expire. Signatures do expire. How long a signature is 
good for depends upon the software generating the signature; some let 
you specify. ldns I believe defaults to 60 days but I am not sure.


The keys are in DNSKEY records that are signed by your Key Signing Key 
and must be re-signed before the signature expires or they will no 
longer validate.


Likewise, the other records in the zone must be resigned by your Zone 
Signing Key before their signatures expire.




The first part of the problem is fairly manageable in the sense I 
already have a script that partially can do the job of updating the DNS 
server. However from what I can tell the only way I can update the 
DNSSEC of my 8 domains is via the Godaddy control panel GUI. So a couple 
of questions.


1.) Is anyone aware of any way to update Godaddy DNSSEC data via a Centos 
7 bash shell? I will contact Godaddy but I suspect I am SOL but thought 
I would ask here thinking somebody else may have already run into this 
issue.


That I don't know, I use ldns to sign my zone files and upload them to 
my own authoritative nameserver.




2.) Assuming the answer to DNSSEC is no, can I at least have the keys 
last longer than they do by default. I am presently creating the keys via:


 > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone

 > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone


It's not the keys that are the issue, but the RRSIG record that contains 
a start and expiration time for the records.


If you upload signed zone files to godaddy, make sure to re-sign once a 
week or so, so that the RRSIG gets updated.


man ldns-signzone

It has switches for setting the start and expiration date of signatures. 
By default I believe it uses current timestamp for start and +60 days 
for end, though it may be +30 days.

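The re-sign-before-the-RRSIGs-expire advice from both messages in this thread, as an added example that is not the posters' own scripts: a daily ldns-signzone run with explicit inception and expiration dates, the DS record for the KSK (the only thing the registrar needs, and only when the KSK changes), and a check that reads the RRSIG expirations back out of a signed zone so an approaching expiry is caught days ahead instead of when mail stops. Zone and key file names are placeholders; the sample zone at the end is constructed for the check and is not a real signed zone.

```shell
#!/bin/sh
set -eu
# Added example, not the posters' cron jobs: re-sign a zone with ldns-signzone using
# explicit inception/expiration, print the DS record for the KSK, and walk the RRSIGs
# in a signed zone to report the soonest expiry. Zone/key names are hypothetical.

# YYYYMMDDhhmmss as ldns-signzone -i/-e accept it. $1 = epoch seconds, $2 = days offset.
sig_timestamp() {
    date -u -d "@$(( $1 + $2 * 86400 ))" +%Y%m%d%H%M%S
}

# $1 = unsigned zone file, $2 = origin, $3.. = key base names (e.g. Kexample.org.+013+12345).
# Inception one day back to tolerate validator clock skew, expiration 30 days ahead;
# run daily from cron so every signature always has weeks left.
resign_zone() {
    zone=$1; origin=$2; shift 2
    now=$(date +%s)
    ldns-signzone -n -o "$origin" -i "$(sig_timestamp "$now" -1)" \
        -e "$(sig_timestamp "$now" 30)" -f "$zone.signed" "$zone" "$@"
}

# DS record (SHA-256 digest) to hand to the registrar. $1 = KSK public key file (K...key).
ksk_ds_record() {
    ldns-key2ds -n -2 "$1"
}

# Print the expiration field of every RRSIG in a signed zone file, one per line.
# Handles ldns' one-line form and BIND's parenthesised multi-line form. Only a
# token following a TTL or "IN" counts, so "RRSIG" inside an NSEC type list is skipped.
rrsig_expirations() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "RRSIG" && ($(i-1) == "IN" || $(i-1) ~ /^[0-9]+$/)) {
                e = $(i+5)
                if (e == "(") { getline; e = $1 }
                if (e ~ /^[0-9]+$/ && length(e) == 14) print e
                break
            }
    }' "$1"
}

# Days until the soonest RRSIG in $1 expires, counted from epoch $2 (negative = expired).
rrsig_min_days_left() {
    min=""
    for e in $(rrsig_expirations "$1"); do
        iso=$(printf '%s' "$e" | sed 's/\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)/\1-\2-\3 \4:\5:\6/')
        days=$(( ( $(date -u -d "$iso" +%s) - $2 ) / 86400 ))
        if [ -z "$min" ] || [ "$days" -lt "$min" ]; then min=$days; fi
    done
    echo "${min:-none}"
}

# 0 when some signature expires within $3 days of epoch $2 (or already has).
rrsig_expiring_soon() {
    d=$(rrsig_min_days_left "$1" "$2")
    [ "$d" != "none" ] && [ "$d" -le "$3" ]
}

# Constructed sample, not a real zone: two ldns-style RRSIGs, an NSEC whose type
# list contains the word RRSIG, and one BIND-style multi-line RRSIG.
write_sample_zone() {
    cat > "$1" <<'EOF'
example.org.     3600 IN RRSIG SOA 13 2 3600 20190301000000 20190201000000 12345 example.org. c29tZXNpZw==
www.example.org. 3600 IN RRSIG A 13 3 3600 20190401000000 20190201000000 12345 example.org. c29tZXNpZw==
example.org.     3600 IN NSEC www.example.org. A NS SOA RRSIG NSEC DNSKEY
example.org.     3600 IN RRSIG DNSKEY 13 2 3600 (
                 20190310000000 20190201000000 54321 example.org.
                 c29tZXNpZw== )
EOF
}
```

From cron: resign_zone example.org.zone example.org Kexample.org.+013+11111 Kexample.org.+013+22222, then rrsig_expiring_soon example.org.zone.signed "$(date +%s)" 7 && mail the admin. dnsviz.net shows the same expiration times under the RRSIG records if you would rather check from outside.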


Re: [CentOS] Curl spec file

2019-01-23 Thread Alice Wonder

On 1/23/19 1:55 PM, Roee Agami wrote:

Hi,
I saw this spec file for curl-7.29:
https://git.centos.org/blob/rpms!curl.git/c7/SPECS!curl.spec

And was wondering if you have one for a later version.
And if not, how hard is it to modify the existing one to support later versions.

Thanks!
Roee.



http://awel.domblogger.net/7/libre/src/repoview/curl.html

--
For signature trust anchor (paranoid only need worry 'bout this):
https://ca.pipfrosch.com/pipfrosch-cacert-pem.crt

Webmail clients, sorry, out of luck, you can't import it.
Get an actual e-mail app.



Re: [CentOS] thunderbird & firefox

2019-01-04 Thread Alice Wonder

On 1/4/19 8:28 AM, mark wrote:

I *really* dislike the new photon UI. I WANT the arrow buttons top and
bottom of the scrollbars.

Does anyone know how to bring them back, or is that "that's *sooo* last
year, you can't ever have them again"?

 mark




Switch to Mate and they are there.


Re: [CentOS] [Fwd: Centos 7.6 and Aeskulap]

2018-12-28 Thread Alice Wonder

On 12/28/18 6:38 AM, Gregory P. Ennis wrote:



I tried to compile aeskulap on Centos 7.6 by using the commands ./configure 
followed by
make which resulted in the following errors :


Attempting to build this way is next to pointless and will likely show
you errors completely unrelated to why the package won't properly build.


make[4]: *** [dimoimg.o] Error 1
make[4]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-
beta1/dcmtk/dcmimgle/libsrc'
make[3]: *** [libsrc-all] Error 2
make[3]: Leaving directory 
`/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1/dcmtk/dcmimgle'
make[2]: *** [dcmimgle-libsrc-all] Error 2
make[2]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1/dcmtk'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1'
make: *** [all] Error 2


...and even if you were building it correctly you completely skipped the
actual errors here.  What you've shown can't be used in any significant
way to help.


I downloaded the source files from :

http://li.nux.ro/download/nux/dextop/el7/SRPMS/aeskulap-0.2.2-0.17beta1.el7.nux.src.rpm


As you've already stated and shown here this is a package from a
3rd-party repo, and as such is not supported by the CentOS project.  If
Nux can't help you then I suggest you look for the package elsewhere or
try to (properly) build it yourself.  Unfortunately neither of these
options is supported here.


I was going to give it a shot but there are three build dependencies not 
part of CentOS 7 / EPEL 7


dcmtk-devel
gconfmm26-devel
libglademm24-devel

When that starts to happen, it often results in needing additional 
dependencies to build those, etc.



Re: [CentOS] [Fwd: Centos 7.6 and Aeskulap]

2018-12-27 Thread Alice Wonder

On 12/27/18 7:53 PM, Gregory P. Ennis wrote:

Everyone,

Apparently, aeskulap is broken during the upgrade from 7.5 to 7.6, and
is no longer available in the epel repos.

I had some difficulty having it function, and during the debug process
I decided to do a yum remove, but when I tried a yum install to
reinstall it, aeskulap was no longer present.  This problem may also affect
other modules.

I have placed a bug report :

https://bugzilla.redhat.com/show_bug.cgi?id=1659667

The deprecation of tcp wrappers may be involved in this

https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers


tcp_wrappers is still part of CentOS 7 in 7.6.


Re: [CentOS] You removed Weboob package over political reasons? Whole Internet laughs at you

2018-12-25 Thread Alice Wonder

On 12/25/18 4:48 PM, Scott Robbins wrote:

On Mon, Dec 24, 2018 at 01:26:15PM -0500, rj coleman wrote:




On Dec 24, 2018, at 10:42 AM, Alice Wonder  wrote:


On 12/24/18 7:21 AM, vsnsdua...@memeware.net wrote:
Debian is not ruled by the men who actually write the software, but instead 
women.


*snip*







Can we please ban the person who sent that disgusting rant to the list



I was under the impression that it was sarcasm.  Whenever something gets
posted or a code of conduct that comes down to "don't be a jerk" is
adopted, there's lots of people who feel their right to be jerks has been
infringed.  I could easily be wrong but I thought that post was making a
point about why such codes of conduct become necessary.



Could be, I'm autistic and often completely miss what other people claim 
was obvious sarcasm. But sometimes what I think they might claim was 
obvious sarcasm based upon past experience it wasn't.


That's why /sarcasm or other indications really should be used, not all 
minds work the same and it isn't fair to assume they should.




Re: [CentOS] You removed Weboob package over political reasons? Whole Internet laughs at you

2018-12-24 Thread Alice Wonder

On 12/24/18 7:21 AM, vsnsdua...@memeware.net wrote:
Debian is not ruled by the men who actually write the software, but 
instead women.


*snip*

Can we please ban the person who sent that disgusting rant to the list?



Re: [CentOS] upgrading 7.5 ==> 7.6

2018-12-21 Thread Alice Wonder

On 12/21/18 12:44 PM, Fred Smith wrote:

On Fri, Dec 21, 2018 at 06:27:45PM +, Liam O'Toole wrote:

On 2018-12-19, Fred Smith
 wrote:

[...]


Result: Boots to GDM just fine, but Mate is a black screen. Switching
to Gnome, works fine, but I can't stand Gnome.  Not knowing what else
to try I restored the dd backup.


This is a known issue, and was mentioned on this list recently. The
problem is that Mate in EPEL needs to be updated to work with CentOS
7.6. Perhaps keep an eye on changes to the EPEL repo before attempting
the upgrade again.


Thanks, Liam, for the info.

Since it IS working on the netbook I'm hoping that means that whatever
needed updating has been updated.

So, I compared the versions on my desktop with those on the netbook, and
find that mate_dictionary, mate-disk-usage-analyzer, mate-screenshot,
mate-search-tool, mate-system-log, mate-system-monitor, mate-utilsk,
mate-utils-common all had a minor version bump. Some from 1.16.1-1 to
1.16.1-2, one from 1.16.0-1 to 1.16.0-2.

I know there are other packages that do not contain "mate" in their names,
but I don't know which they are.

So, do you (or anyone else) happen to know which Mate packages are/were
in need of update?

thanks again, in advance.



Not sure, MATE is working just fine for me, versions range from 1.16.0 
to 1.16.3


yum list |grep "mate" |grep -v "@epel" |grep -v "devel"
mate-menus-preferences-category-menu.x86_64
classmate.noarch                         1.3.1-2.el7      epel
classmate-javadoc.noarch                 1.3.1-2.el7      epel
f22-backgrounds-mate.noarch              21.91.0-1.el7    epel
mate-common.noarch                       1.16.0-1.el7     epel
mate-netspeed.x86_64                     1.12.0-1.el7     epel
mate-sensors-applet.x86_64               1.16.1-1.el7     epel
mate-themes-extras.noarch                3.14.7-1.el7     epel
php-league-climate.noarch                3.2.4-1.el7      epel
workrave-mate.x86_64                     1.10.16-1.el7    epel
xmonad-mate.x86_64                       0.11-12.el7      epel

Some of those obviously are not mate packages, but those are the only 
mate packages I do NOT have installed and it is working, so if mate is 
not working I wonder if the issue is something other than the packages.



[CentOS] daemon core dump

2018-12-21 Thread Alice Wonder

I have a daemon I can consistently cause a crash on.

https://iangilham.com/2016/12/08/core-dump-from-centos-7.html

Is that the best way (obviously with debug packages installed) to get 
the core dump or is there a better way?


It is NOT a CentOS/EPEL maintained daemon.


Re: [CentOS] Fedora Server - as an alternative ?

2018-12-20 Thread Alice Wonder

On 12/20/18 5:11 AM, lejeczek via CentOS wrote:

hi guys

I wonder if any Centosian here has done something more than only 
contemplate using Fedora Server, that is, actually worked on it in 
test/production envs.


If there are some folks who have done it I want to ask if you deem it to 
be a viable option to put on at least a portion of the server stack.


Anybody?

Many thanks, L.





I run CentOS 7 but with an updated server stack, including rebuilds 
(sometimes with tweaks) of Fedora packages.


Gives me a stable base with modern server software. Does take some work 
to get some stuff built.




Re: [CentOS] Can't configure GDM after update to CentOS 7.6

2018-12-06 Thread Alice Wonder

On 12/06/2018 08:10 AM, Nicolas Kovacs wrote:

Le 06/12/2018 à 15:24, James Pearson a écrit :

I suspect it might be something that has been left out in the rebase to
GDM 3.28.1 - an earlier change log for GDM has:


On a side note, I've now spent a day and a half trying to recover my
wrecked desktop profiles, with only a partial success. As it looks now,
I'll probably move all my desktop installations to openSUSE Leap 15 and
KDE 5 in the near future.

As far as I can tell, rebasing GNOME in the middle of a minor update was
not a good idea.

Cheers,

Niki



They did a similar thing with NetworkManager a few releases ago that 
caused all my servers to start grabbing randomized IPv6 addresses 
instead of the static ones they previously grabbed.


I don't understand why Red Hat makes these kind of changes in point 
releases - yet they won't update OpenSSL or PHP or Postfix in a point 
release.


It's like they use /dev/random to determine where they require API 
stability between point releases.




Re: [CentOS] [OT] EPEL update?

2018-12-04 Thread Alice Wonder

On 12/04/2018 09:08 AM, Tony Molloy wrote:



The same dependency holds for several mate packages.

So either hold back on the update until mate is updated or build it
yourself are the choices.



Using EPEL-testing also solves the problem in many cases, might also be 
able to build a temporary compat library package for old version of 
libgtop until MATE packages are updated.



Re: [CentOS] OT: good free email service ?

2018-12-02 Thread Alice Wonder

On 12/02/2018 06:41 AM, Chris wrote:

On Sat, 10 Nov 2018 00:22:00 -0800
Alice Wonder  wrote:


I run my own, using postfix + dovecot + roundcube, but because I
can't afford my own subnet - I end up constantly on spam blacklists
when someone else on my subnet sends spam.


which blacklists are this?



spamhaus zen


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-28 Thread Alice Wonder

On 11/28/2018 07:58 PM, Gordon Messmer wrote:

On 11/27/18 3:47 PM, Alice Wonder wrote:
I actually went for a more complex scenario, I've created my own CA 
complete with CRL.



OK.  That means fewer certificates for your peers to install over time, 
but is otherwise no better than self-signed.



It's nice because with S/MIME you really want two certs - one for 
signing (where ecdsa can be used) and one for when you need to receive 
encrypted.



IIRC, an S/MIME client should be able to install your public cert and 
encrypt messages sent to you with no user interaction.  With 
Thunderbird, if I reply to a signed message, I can encrypt the reply. 
 From a usability standpoint, I really want to have just one 
certificate.  The easier it is to send me encrypted messages, the more 
likely it is that messages will be secure.



A) For one certificate to do both it has to be an RSA cert but the 
primary use of S/MIME is signing where RSA is excessively bloated 
compared to ECDSA.


B) Certs for encryption have to have a backup key somewhere so there 
isn't data loss if I lose the private key, and that key needs to be w/o 
a pass phrase in case something happens to me and someone else needs 
access to the encrypted messages.


But having such a backup means it isn't safe to use for digital signing 
because the backup is a theft risk, so signing with that key to prove it 
is me isn't a great idea.





Web browsers are applications that exist for the explicit purpose of 
downloading and executing untrusted code. It does not seem like that 
is a very wise environment to use for generating long term 
cryptography keys. It really doesn't. 



On the other hand, if you don't trust your browser's cryptography 
implementation, you definitely should not be using your browser for 
secure communication (https).


https is handled by a TLS library outside the browser, which is vastly 
different than in-browser generation of private keys.



Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-27 Thread Alice Wonder

On 11/27/2018 03:33 PM, Gordon Messmer wrote:

On 11/25/18 5:35 AM, Alice Wonder wrote:
The "free for personal" S/MIME from Comodo didn't work. Browser said 
it did but there was nothing to export for me to then import. I 
suspect it is because I used private browser window,



Probably, yes.  I've used that service in the past without issue.


I really don't like the idea of a private key stored in browser 
anyway. And it never asked for a password to encrypt the private key



Setting a password will protect all of the certificates stored by 
Firefox.  Select: Preferences -> Privacy and Security -> Security 
Devices (under Certificates) -> Software Security Device -> Change password


Chrome may have a similar option, but I don't see it and I don't see 
documentation for it.



nor let me specify key strength (only let me choose between medium and 
high - I assume high is 4096 but I don't know, it didn't say)



There's very little harm in getting a certificate and examining it to 
find out.  You can destroy it later with no ill effect.





I actually went for a more complex scenario, I've created my own CA 
complete with CRL.


It's nice because with S/MIME you really want two certs - one for 
signing (where ecdsa can be used) and one for when you need to receive 
encrypted. And I have multiple e-mail accounts I want to do this with.


Could have done self-signed too but this at least allows me to revoke if 
a device like laptop or phone w/ private key is stolen.


Does mean those who want to confirm my messages have to import my root 
key but that's for them to decide.


Web browsers are applications that exist for the explicit purpose of 
downloading and executing untrusted code. It does not seem like that is 
a very wise environment to use for generating long term cryptography 
keys. It really doesn't.

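The two-certificate private CA described in this message and the reply above it, written out as an added example; it is not the poster's setup, and the directory layout, names and pass phrase handling are assumptions. The signing certificate is ECDSA P-256 with keyUsage digitalSignature only, the encryption certificate is RSA-2048 with keyEncipherment only (its key deliberately has no pass phrase so an escrow copy is possible), and a CRL lets either be revoked when a device is stolen.

```shell
#!/bin/sh
set -eu
# Added example, not the poster's own setup: a private S/MIME CA that issues two
# certificates per mailbox, an ECDSA P-256 one limited to digitalSignature and an
# RSA-2048 one limited to keyEncipherment, and keeps a CRL so the key on a stolen
# laptop or phone can be revoked. Paths, names and pass phrase handling are
# hypothetical; in real use ca.key belongs on an offline machine.

# Create the CA directory layout, openssl.cnf, CA key/cert and an empty CRL. $1 = dir.
smime_ca_init() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = mail_ca
[ mail_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 730
default_crl_days = 30
unique_subject = no
policy = mail_policy
[ mail_policy ]
commonName = supplied
emailAddress = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Example Mail CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ smime_sign ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
extendedKeyUsage = emailProtection
subjectAltName = email:copy
[ smime_enc ]
basicConstraints = CA:FALSE
keyUsage = critical,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -config "$1/ca.cnf" -extensions v3_ca \
        -days 3650 -subj "/CN=Example Mail CA" -out "$1/ca.crt"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl"
}

# Issue both certificates for one mailbox. $1 = CA dir, $2 = e-mail address,
# $3 = pass phrase for the signing key. The encryption key is left without a pass
# phrase on purpose so an escrow copy can be kept; it is never used for signing.
smime_issue() {
    ca=$1; email=$2; pass=$3; subj="/CN=$2/emailAddress=$2"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -aes-256-cbc -pass "pass:$pass" -out "$ca/$email.sign.key"
    openssl req -new -config "$ca/ca.cnf" -key "$ca/$email.sign.key" \
        -passin "pass:$pass" -subj "$subj" -out "$ca/$email.sign.csr"
    openssl ca -batch -notext -config "$ca/ca.cnf" -extensions smime_sign \
        -in "$ca/$email.sign.csr" -out "$ca/$email.sign.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$ca/$email.enc.key"
    openssl req -new -config "$ca/ca.cnf" -key "$ca/$email.enc.key" \
        -subj "$subj" -out "$ca/$email.enc.csr"
    openssl ca -batch -notext -config "$ca/ca.cnf" -extensions smime_enc \
        -in "$ca/$email.enc.csr" -out "$ca/$email.enc.crt"
}

# Revoke a certificate (e.g. after a device theft) and republish the CRL. $1 = CA dir, $2 = cert.
smime_revoke() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" -crl_reason keyCompromise
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl"
}

# The X509v3 Key Usage of a certificate, e.g. "Digital Signature, Non Repudiation".
cert_key_usage() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# 0 when $2 chains to the CA in $1 and is not on its CRL.
cert_valid() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$2" >/dev/null 2>&1
}
```

After smime_issue, openssl pkcs12 -export -inkey user.sign.key -in user.sign.crt -certfile ca.crt -out user.sign.p12 (and the same for the enc pair) gives Thunderbird something to import; correspondents have to add ca.crt as a trust anchor, which is the trade-off against a public CA that the thread is about.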


[CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Alice Wonder

Hi, I'm getting increasingly paranoid.

Something I said on a certain social media site several months ago was 
modified - then reported - then my account was banned until I agreed to 
delete it.


Obviously since what I said was modified I didn't have any issue with 
deleting it but I want more than just DKIM sigs on my e-mail now.


Anyway looking for S/MIME I can use to sign and/or encrypt but mostly 
sign. Not interested in GnuPG or self-signed S/MIME - I want something 
that can be trusted because someone else that is trusted actually 
vouched for me.


The "free for personal" S/MIME from Comodo didn't work. Browser said it 
did but there was nothing to export for me to then import. I suspect it 
is because I used private browser window, I really don't like the idea 
of a private key stored in browser anyway. And it never asked for a 
password to encrypt the private key, nor let me specify key strength 
(only let me choose between medium and high - I assume high is 4096 but 
I don't know, it didn't say)


Didn't like the "browser generated" process, even if it had worked and 
generated the final product I could export - I really didn't like the 
process and have serious questions about the wisdom of a private key 
without a pass phrase stored in an application that interacts with web 
sites.


Anyway so used openssl to create private key (with aes-256 encryption 
and pass phrase) and then a CSR.


But I can't find anyone who sells certs for S/MIME to send the CSR to.

Globalsign but they wanted $89 - no one else.

Found a few sites that offered to "send me a quote" that I think were 
intended for corporate accounts.


Where do regular users who just want an inexpensive certificate usable 
for S/MIME from a CSR generated the traditional way go to buy a cert?


-=-

Off Topic 2

I'm going to strangle whoever it is at Google that thinks it is a good 
idea to put so many video results at the top of search results for this 
kind of thing. I'm really getting sick of how highly ranked videos now 
are in search engines.
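The openssl steps mentioned above (a pass-phrase protected private key, then a CSR) worked through as an added example; this is not code from the post or from any certificate vendor. It follows the two-certificate layout the earlier reply in this thread describes: an ECDSA P-256 key for signing and an RSA 4096 key for receiving encrypted mail. Both keys are stored AES-256 encrypted under a pass phrase, both CSRs carry the emailProtection extended key usage and the address as a subjectAltName, and the script checks what it produced before anything is sent to a CA. The directory, address and pass phrase are parameters; the file names sign.key, enc.key, sign.csr and enc.csr and the curve/key-size choices are this example's assumptions. It needs an openssl binary (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the list post): pass-phrase protected S/MIME
# keys and CSRs with openssl, verified before submission to a CA.
# Assumed layout: DIR/sign.key + DIR/sign.csr (ECDSA P-256, signing) and
# DIR/enc.key + DIR/enc.csr (RSA 4096, for receiving encrypted mail).

# write_smime_req_config CFG EMAIL KEYUSAGE: req config asking for the
# S/MIME extensions on the CSR (the DN itself is passed with -subj).
write_smime_req_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = smime
[dn]
commonName = Common Name (unused, -subj supplies the DN)
[smime]
keyUsage = $3
extendedKeyUsage = emailProtection
subjectAltName = email:$2
EOF
}

# make_encrypted_key OUT ALGO PASS: generate an "ec" or "rsa" key and
# store it as PKCS#8 encrypted with AES-256-CBC under PASS. The clear
# key only ever exists in the pipe, never on disk.
make_encrypted_key() {
    out=$1; algo=$2; pass=$3
    if [ "$algo" = "ec" ]; then
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 2>/dev/null
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 2>/dev/null
    fi | openssl pkey -aes-256-cbc -passout "pass:$pass" -out "$out" 2>/dev/null
}

# make_csr KEY PASS CSR EMAIL KEYUSAGE: CSR for KEY with the S/MIME extensions.
make_csr() {
    key=$1; pass=$2; csr=$3; email=$4; ku=$5
    cfg=$(mktemp) || return 1
    write_smime_req_config "$cfg" "$email" "$ku"
    openssl req -new -key "$key" -passin "pass:$pass" -config "$cfg" \
        -subj "/CN=$email/emailAddress=$email" -out "$csr" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# key_is_encrypted FILE: true only when the PEM holds an encrypted PKCS#8 key.
key_is_encrypted() {
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# csr_is_smime CSR EMAIL: self-signature verifies, EKU emailProtection is
# present and EMAIL appears as a subjectAltName.
csr_is_smime() {
    csr=$1; email=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'E-mail Protection' || return 1
    printf '%s\n' "$text" | grep -q "email:$email"
}

# make_smime_pair DIR EMAIL PASS: both keys and both CSRs, then verified.
make_smime_pair() {
    dir=$1; email=$2; pass=$3
    make_encrypted_key "$dir/sign.key" ec  "$pass" || return 1
    make_encrypted_key "$dir/enc.key"  rsa "$pass" || return 1
    make_csr "$dir/sign.key" "$pass" "$dir/sign.csr" "$email" \
        "critical, digitalSignature" || return 1
    make_csr "$dir/enc.key" "$pass" "$dir/enc.csr" "$email" \
        "critical, keyEncipherment" || return 1
    chmod 600 "$dir/sign.key" "$dir/enc.key"
    key_is_encrypted "$dir/sign.key" && key_is_encrypted "$dir/enc.key" &&
        csr_is_smime "$dir/sign.csr" "$email" &&
        csr_is_smime "$dir/enc.csr" "$email"
}

# Usage: SMIME_PASS='...' sh smime-csr.sh DIR EMAIL
if [ $# -eq 2 ] && [ -n "${SMIME_PASS:-}" ]; then
    make_smime_pair "$1" "$2" "$SMIME_PASS" && echo "CSRs ready in $1"
fi
```

The CSRs are what goes to the CA; the .key files never leave the machine, and a CA that insists on generating the key for you in a browser cannot be used with this flow at all.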



Re: [CentOS] NetworkManager and /etc/resolv.conf

2018-11-17 Thread Alice Wonder

On 11/17/2018 07:01 AM, Alice Wonder wrote:

On 11/17/2018 06:43 AM, Alice Wonder wrote:

CentOS 7.5 image running on linode.

unbound running on localhost.

Have to use a cron job once a minute to keep /etc/resolv.conf using 
the localhost for name resolution - whenever NetworkManager gets 
restarted (usually only a system boot) it gets over-written.


It seems every distro has a different way of preventing NetworkManager 
from replacing that file.


I found instructions for Fedora that said create 
/etc/NetworkManager/conf.d/no-dns.conf containing


[main]
dns=none

That doesn't seem to have any effect.

Poking around, I find a file on boot seems to be created called

/var/run/NetworkManager/resolv.conf

It has most of the contents of what ends up in /etc/resolv.conf - 
except w/o the last line, which just reads rotate in generated 
/etc/resolv.conf.


It says it's generated by NetworkManager (both /etc/resolv.conf and 
the one in /var/run/NetworkManager) but neither are specific enough to 
indicate what is causing them to be created so I can turn it off.


Anyone know how to tell NetworkManager to just not create that file?

Using a cron job to overwrite it once a minute works but there must be 
a proper way.


I really wish KISS was a design goal when designing system configuration.


Just found this -

# cat dhclient-exit-hooks
echo 'options rotate' >> /etc/resolv.conf

That's where the last line in /etc/resolv.conf is coming from.


Okay replacing the contents of dhclient-exit-hooks with

echo -e 'nameserver 127.0.0.1\nnameserver ::1' > /etc/resolv.conf

seems to do what I need.

I hope RHEL/CentOS 8 do networking better, as in, not have spaghetti 
scripts called here and there making something that should be a config 
option hard to do.


With DNS the only way to trust results is if the zone is signed and 
local resolver validates. You can't ever trust external nameservers 
defined by dhcp to validate. So there's very valid reasons to want to 
use local unbound.
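A worked version of the approach this post settles on, added here as an example and not the post's own hook: a POSIX shell script with a function that writes a resolv.conf pointing only at the local unbound (127.0.0.1 and ::1), and a check that succeeds only when every nameserver line in a resolv.conf is a loopback address, so a DHCP or NetworkManager rewrite is reported and reverted rather than silently trusted. On CentOS 7 the hook the post edits lives at /etc/dhcp/dhclient-exit-hooks and is sourced by dhclient-script; the script takes the target file as a parameter so it can be exercised on a copy, and the DHCP-style resolv.conf in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the list post). Keep resolv.conf pointed at a
# validating resolver on localhost and detect when something rewrote it.

# write_local_resolv_conf FILE: replace FILE with loopback-only resolvers.
# Same effect as the one-line dhclient-exit-hooks in the post, but written
# to a temporary file first so readers never see a half-written file.
write_local_resolv_conf() {
    file=$1
    tmp="$file.tmp.$$"
    {
        echo "# managed locally: unbound on this host validates DNSSEC"
        echo "nameserver 127.0.0.1"
        echo "nameserver ::1"
    } > "$tmp" && mv "$tmp" "$file"
}

# resolv_conf_is_local FILE: exit 0 when FILE names at least one resolver
# and every resolver is loopback (127.0.0.0/8 or ::1); exit 1 otherwise,
# for example after NetworkManager or dhclient pushed DHCP resolvers in.
resolv_conf_is_local() {
    awk '
        $1 == "nameserver" {
            seen++
            if ($2 !~ /^127\./ && $2 != "::1") bad++
        }
        END { exit (seen == 0 || bad > 0) ? 1 : 0 }
    ' "$1"
}

# foreign_nameservers FILE: print the non-loopback resolvers, one per line,
# so a cron or monitoring job can log what replaced the local ones.
foreign_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Usage as the once-a-minute cron job from the post:
#   sh resolv-guard.sh /etc/resolv.conf
# It rewrites the file only when a foreign resolver has crept in.
if [ $# -eq 1 ]; then
    if resolv_conf_is_local "$1"; then
        echo "ok: $1 uses only loopback resolvers"
    else
        echo "rewrite: $1 listed $(foreign_nameservers "$1" | tr '\n' ' ')"
        write_local_resolv_conf "$1"
    fi
fi
```

Logging the foreign addresses before reverting is the useful part: a resolver you did not configure showing up in resolv.conf is exactly the symptom of a rogue DHCP server or a misbehaving network script, and the log line tells you which.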



Re: [CentOS] NetworkManager and /etc/resolv.conf

2018-11-17 Thread Alice Wonder

On 11/17/2018 06:43 AM, Alice Wonder wrote:

CentOS 7.5 image running on linode.

unbound running on localhost.

Have to use a cron job once a minute to keep /etc/resolv.conf using the 
localhost for name resolution - whenever NetworkManager gets restarted 
(usually only a system boot) it gets over-written.


It seems every distro has a different way of preventing NetworkManager 
from replacing that file.


I found instructions for Fedora that said create 
/etc/NetworkManager/conf.d/no-dns.conf containing


[main]
dns=none

That doesn't seem to have any effect.

Poking around, I find a file on boot seems to be created called

/var/run/NetworkManager/resolv.conf

It has most of the contents of what ends up in /etc/resolv.conf - except 
w/o the last line, which just reads rotate in generated /etc/resolv.conf.


It says it's generated by NetworkManager (both /etc/resolv.conf and the 
one in /var/run/NetworkManager) but neither are specific enough to 
indicate what is causing them to be created so I can turn it off.


Anyone know how to tell NetworkManager to just not create that file?

Using a cron job to overwrite it once a minute works but there must be a 
proper way.


I really wish KISS was a design goal when designing system configuration.


Just found this -

# cat dhclient-exit-hooks
echo 'options rotate' >> /etc/resolv.conf

That's where the last line in /etc/resolv.conf is coming from.


[CentOS] NetworkManager and /etc/resolv.conf

2018-11-17 Thread Alice Wonder

CentOS 7.5 image running on linode.

unbound running on localhost.

Have to use a cron job once a minute to keep /etc/resolv.conf using the 
localhost for name resolution - whenever NetworkManager gets restarted 
(usually only a system boot) it gets over-written.


It seems every distro has a different way of preventing NetworkManager 
from replacing that file.


I found instructions for Fedora that said create 
/etc/NetworkManager/conf.d/no-dns.conf containing


[main]
dns=none

That doesn't seem to have any effect.

Poking around, I find a file on boot seems to be created called

/var/run/NetworkManager/resolv.conf

It has most of the contents of what ends up in /etc/resolv.conf - except 
w/o the last line, which just reads rotate in generated /etc/resolv.conf.


It says it's generated by NetworkManager (both /etc/resolv.conf and the 
one in /var/run/NetworkManager) but neither are specific enough to 
indicate what is causing them to be created so I can turn it off.


Anyone know how to tell NetworkManager to just not create that file?

Using a cron job to overwrite it once a minute works but there must be a 
proper way.


I really wish KISS was a design goal when designing system configuration.


Re: [CentOS] OT: good free email service ?

2018-11-10 Thread Alice Wonder

On 11/10/2018 03:45 PM, Mike Burger wrote:

On 2018-11-10 03:22, Alice Wonder wrote:

*snip*


It's a real pain in the arse.


FWIW, I used to run my mail server at home, on my own private IP 
(through my ISP). When I moved, in May, I had to switch providers and 
they didn't offer static IP for home users, so I've moved my DNS and 
mail server to the cloud.


Between the two of them, they cost me about $50/month...not cheap, but 
my IP isn't automatically on blacklists and I control everything, 
including inbound spam protection.




I use Linode - sometimes it will go many months w/o being put on a 
blacklist, sometimes it's a lot more common, I think they rotate IP 
assignment and when unused IP addresses on my subnet are not being 
assigned to new accounts there is no issue.


I just wish the spam lists would do a better job at realizing a 
well-aged domain that's been on the same IP address for years isn't a 
spammer and shouldn't be part of the blacklist.


In many respects I see it as a net neutrality issue, pushing everyone 
into the big providers that do their own share of spamming yet are never 
blacklisted because they are too big to blacklist.


I'm thinking about trying to design a DKIM based white list, e.g. if 
DKIM validates from aged domain that doesn't have positive spaminess to 
it, skip the IP based spam checks.


But even if I came up with something, the big e-mail companies wouldn't 
care to use it, they have no financial motive to and every financial 
motive not to (forces users into their tracking ecosystem)



Re: [CentOS] OT: good free email service ?

2018-11-10 Thread Alice Wonder

On 11/09/2018 12:07 PM, Warren Young wrote:

On Nov 9, 2018, at 9:22 AM, Vic Chester  wrote:


https://protonmail.com/


Aside from semi-charitable organizations like that, I wouldn’t expect good free 
email service to exist.  It’s seriously complicated to run a 
properly-configured email server.

The last time I looked into it, there were something like 24 separate RFCs an 
SMTP-only server had to implement, and much of that complexity spills over into 
the administration side, such as DKIM setup.  Then you have everything outside 
of the protocol such as spam filtering, blacklist/greylist/whitelist 
maintenance, TLS key updates, OS updates, etc.

Expect to pay for what you use, either by throwing a whole lot of your own time 
at it or paying someone to spend that time on your behalf.  Unless you’re doing 
this for educational or professional reasons, where the time spent is paid back 
handsomely, it’s probably a better trade to pay someone to handle it for you.


Plus there's constantly dealing with spam lists.

I run my own, using postfix + dovecot + roundcube, but because I can't 
afford my own subnet - I end up constantly on spam blacklists when 
someone else on my subnet sends spam.


The blacklists don't care that I've had these IP addresses for years, 
never spam, etc. - they just see someone on the subnet spam and they 
blacklist the entire subnet and you have to fill out their form to get 
removed, often to just be added again in a week.


It's a real pain in the arse.


Re: [CentOS] Red Hat is Planning To Deprecate KDE on RHEL By 2024

2018-11-03 Thread Alice Wonder

On 11/03/2018 01:22 AM, Nicolas Kovacs wrote:

Le 02/11/2018 à 21:19, mark a écrit :

Odd, I've never had that problem. On the other hand, I *really* dislike
gnome. I think their target is 16 yr olds.


My reaction to GNOME 3 has been roughly the same as with systemd. At
first, I hated it with a passion. Then I saw everyone else seemed to use
it. So I started to read the docs and experiment a little bit. And now
I'm using it on a daily basis, and to my bewilderment, I've grown to
like it.


What really did me in when I was trying to like it, the scroll bars were 
gone and I was told they could be put back in place with configuration. 
So I tried to find the configuration option and couldn't find it. Then I 
was told that I had to hand-code CSS to get them back.


I installed MATE the very next day.

I did briefly try it again a few months ago and I just can't figure it 
out. It's like it is trying to be a tablet OS or something, but I'm not 
using a touchscreen, I'm using a mouse and keyboard.




Re: [CentOS] Mail has quit working

2018-07-24 Thread Alice Wonder

On 07/24/2018 05:36 AM, Mike McCarthy, W1NR wrote:

Your IP address is flagged as spam in Real Time Block Lists. Are you
using a dynamic IP address? You may have a mis-configured server that is
allowing spammers to relay through your server. Another possibility is
your system is compromised with a spambot.

Mike




Happens frequently to me and I'm no open relay.

CentOS uses spamhaus and spamhaus blocks entire subnets if someone on 
the subnet spams.


So unless you can afford your own subnet or pay to be on a whitelist, 
blacklists are a common thing for the little guy.


So much for net neutrality.



Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?

2018-07-19 Thread Alice Wonder

On 07/19/2018 07:14 AM, Johnny Hughes wrote:

On 07/18/2018 04:05 PM, Valeri Galtsev wrote:



On 07/18/18 14:36, Johnny Hughes wrote:

On 07/18/2018 01:58 PM, Valeri Galtsev wrote:





But are you guys really telling you think the calendaring / scheduling
for individual users and the main corporate account, etc. .. are working
well enough with any Linux solution.


I must confess, my servers are FreeBSD, but I'm quite sure the same is
doable easily on Linux.

We use for calendars Owncloud (may migrate to nextcloud in some future
to come). That authenticates against LDAP.


And does that calendar solution allow for things like:

1)  Allowing all users in the organization to see users calendars and
see when they are free to schedule a meeting with them.


Yes at least about a part of it: calendars can be shared with some
people or with everybody (which we didn't do, so I may be not 100%
presenting "experimental fact" here). Not certain about "free/not free"
mapped on calendars though.



2) Allow for designated people to schedule meetings for others (ie, your
secretary/office assistant can schedule meetings for people, etc.)


Yes, you can share calendar with anybody, and can set any set of choices

can read
can write
can "re-share" your calendar

You can share stuff to external people, and set individual
authentication for them independent of our system (in general, it is not
just calendars, but we use it for mostly synchronizing between all of
your devices, and also sharing: files, calendars, address book; it can
also be bookmarks, and there are variety of plugins expanding what else
can be accessed/synchronized via web/dav)



3) Allow a calendar to schedule shared items .. like meeting rooms,
shared vehicles, etc.  So that people can check those out for specific
time windows, etc.


No, but for resource booking (if I read the question correctly) we use
mrbs (https://mrbs.sourceforge.io/). I know, that is not "integrated"
for you to have everything in one place. I never had time to look for
extension/plugin to suck from mrbs booked slot into one's calendar.



Those are just a couple of minor things a lot of solutions can't do

And do they work with imap, etc.


No, owncloud/nextcloud don't work with IMAP as far as I know. Mail
server is separate issue. Zimbra in that respect IS "integrated
collaborative environment". And so is Kolab. They both are lacking
per-user spam preferences. One more thing that added some minus for each
of them in my estimate what to choose is: behind each of them there is
commercial company. And that in my long experience significantly
increases the chance one day openly available incarnation of each may
become no longer available for us, and I will have to find replacement
in a rush and find the way to migrate to it, and the more sophisticated
the thing is, the trickier the migration will be.

My answers are mostly about owncloud which we use for quite some time.
Nextcloud is fork of owncloud, and to my regret nextcloud doesn't work
with postgresql, only with mysql/MariaDB, whereas owncloud works with
postgresql as well as with mysql/MariaDB (still we have some reasons to
migrate to nextcloud at some point).

I hope, someone with more knowledge will chime in.




Don't get me wrong.  I've run qmail, postfix, and zimbra mail servers
with IMAP, along with webmail front ends (roundcube, squirrel mail,
etc), for windows, mac and linux clients for several companies (all on
CentOS of course :D) .. I just don't think that calendaring that I have
seen is as user friendly as google calendar (for example).  But I'm all
for people running mail servers on CentOS (or any other Linux) if they
want !


I can't use google calendar because it used tracking cookies which I block.

So it doesn't work for me.

Would actually love to see a distributed / federated calendaring 
platform developed, that I suspect would do well.


What I mean is Company A can choose to federate with Company B when 
needed to allow cross-scheduling when needed while both still maintain 
complete ownership of their calendar data.




Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?

2018-07-18 Thread Alice Wonder

On 07/18/2018 10:24 AM, Andrew Holway wrote:



Still a lot better than trying to run your own hodge-podge of nightmares
on Linux.


Beg pardon? Did I make a mistake on the email address? I thought this went
to the CentOS general discussion list.



I specifically meant setting up and running email services on linux is not
for the faint of heart and delivers little real value considering the
plethora of free and commercial email services available.


I would disagree.

Postfix and Dovecot are both very well documented.

Running the server yourself protects your users from content scanning by 
the companies that profit from tracking users.


And running itself lets you run DANE for SMTP which makes MITM a lot 
more difficult when the other server you are talking to supports DANE 
for SMTP.


The major e-mail services do not offer that.

Sure it is more work, but it isn't that difficult to get it right.
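What "DANE for SMTP" comes down to on the publishing side, as an added example that is not code from the post or from Postfix: a POSIX shell script that derives the TLSA record for a mail server from its certificate using the "3 1 1" form (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA2-256), and a function that checks whether a certificate presented by a server matches a published record, which is the comparison a DANE-aware MTA makes before it trusts the connection. mail.example.com is a placeholder host, the self-signed certificates in the usage and test are generated on the fly and constructed, and an openssl binary is required.

```shell
#!/bin/sh
# Added example (not from the list post): DANE TLSA records for SMTP.
# A "3 1 1" record pins the SHA-256 digest of the server's
# SubjectPublicKeyInfo. Because the record comes from a DNSSEC-signed
# zone, a MITM would need a forged certificate AND a forged, validly
# signed DNS answer, which is why it beats CA-only trust.

# spki_sha256 CERT: lower-case hex SHA-256 of the DER SubjectPublicKeyInfo
# found in the PEM certificate CERT.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 2>/dev/null | awk '{ print $NF }'
}

# tlsa_record HOST CERT: the record to publish for SMTP (port 25) on HOST.
tlsa_record() {
    digest=$(spki_sha256 "$2")
    [ ${#digest} -eq 64 ] || return 1
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$digest"
}

# tlsa_matches RECORD CERT: exit 0 when CERT holds the key RECORD pins.
# Only usage/selector/matching "3 1 1" is handled; anything else is
# rejected rather than guessed at.
tlsa_matches() {
    cert=$2
    set -- $(printf '%s\n' "$1" | awk '{ print $(NF-3), $(NF-2), $(NF-1), $NF }')
    [ "$1 $2 $3" = "3 1 1" ] || return 1
    pinned=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    [ "$(spki_sha256 "$cert")" = "$pinned" ]
}

# make_selfsigned_cert PREFIX HOST: constructed test certificate
# (PREFIX.key / PREFIX.pem); a real MTA would use its own certificate.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days 30 -subj "/CN=$2" 2>/dev/null
}

# Usage: sh tlsa.sh mail.example.com /etc/pki/tls/certs/mail.pem
if [ $# -eq 2 ]; then
    tlsa_record "$1" "$2"
fi
```

Publishing the record is only half of it: the record has to change whenever the key changes, so key rotation on the MTA has to be coupled with a DNS update, and the zone itself must be DNSSEC-signed or the record is ignored by DANE-aware peers.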



Re: [CentOS] how and where to get libuuid.a

2018-07-17 Thread Alice Wonder

On 07/17/2018 08:03 AM, qw wrote:

Hi,


I use Centos 7.4, and can find libuuid.so in my OS. how and where to get 
libuuid.a?


Thanks!


Not seeing it, but libuuid.so is provided by libuuid-devel from EPEL.

Frequently, static libraries are not provided by CentOS / EPEL.

Is there a reason you need the static instead of dynamic?

If so, you probably have to rebuild the src.rpm after modifying the 
spec file to not delete the static library.




Re: [CentOS] Centos 7 and RAM

2018-07-16 Thread Alice Wonder

On 07/16/2018 04:41 PM, Jay Hart wrote:




On 17 July 2018 at 09:24, Jay Hart  wrote:


Hello,

What would the recommended minimum amount of RAM be, to run Centos 7.
16GB???




Jay, it helps us help you when you give more information.

I have CentOS 7 running happily on 4GB. My presumption - based on
experience, extrapolation, and google - is that it will also run with 64TB.

Anything between those numbers should be good.

Cheers
L.


L, The use of this machine would be as a home server running as a web and 
email server, two users, light use.  My current server has 4GB, but I'm 
thinking of getting a new box and if I can afford it, figured I'd get 16GB 
vice 8.



I also run it on a quadcore XEON with 16GB as a general dev machine 
including LAMP stack and it is very fast on that setup.


Most of the time, only a few of the cores are used and when I have 
looked at memory usage it is never anywhere nearing using up the 16GB.


For a new box I would recommend 16GB though just because the cost 
difference between 8 GB and 16 GB isn't that great unless you are on a 
really tight budget (as I usually am) and even then, if you can find a 
way to go 16 GB do it, because it helps future-proof the box so it is 
usable for many years into the future.




Re: [CentOS] Centos 7 and RAM

2018-07-16 Thread Alice Wonder

On 07/16/2018 04:24 PM, Jay Hart wrote:

Hello,

What would the recommended minimum amount of RAM be, to run Centos 7. 16GB???

Thanks,

Jay


I run it on a Lenovo Thinkpad T410 with 4 GB of RAM using the MATE desktop.

Not a speed demon, but it works well enough.



Re: [CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic

2018-07-04 Thread Alice Wonder

On 07/04/2018 08:54 AM, Walter H. wrote:

Hello,

the RPM

ca-certificates-2018.2.22-65.1.el6.noarch

has a big problem ...
many certificates were removed - my proxy uses this as source and isn't
able to validate correct any more -
most sites show this:

/[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)

/Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust
External TTP Network/CN=AddTrust External CA Root

Self-signed SSL Certificate in chain: /C=US/O=DigiCert
Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

and many other Root certificates are missing ...



Not sure why they were removed but in the past, root certificates are 
removed due to problems with the certificate authorities that mean their 
signatures no longer mean the sites are who they say they are.


That's the problem with PKI. When you can't trust the root, you can't 
sign any certificate down the chain from the root.


Unfortunately DANE is not yet supported by browsers.

But anyway, does the changelog indicate why the certs were removed?

It may be a good thing - protecting you from potential MITM when you 
otherwise would have the assumption that the site is valid because it 
has a cert.


I know digicert specifically has had problems before resulting in 
fraudulent certificates being issued.


Hopefully the industry can move to DANE and make blind trust a thing of 
the past.




Re: [CentOS] Firefox 60.0.1.0 ESR Progress?

2018-07-02 Thread Alice Wonder

On 07/02/2018 06:57 AM, Sean wrote:

Is there a way to track CentOS's progress on RHSA-2018-2113?

https://access.redhat.com/errata/RHSA-2018:2113

Thanks!



This is what I do and it works well, script run as root after 
downloading compiled tarball from upstream.


--
#!/bin/bash
set -e

# $1 is the firefox-*.tar.bz2 tarball downloaded from upstream
TARBALL="$1"

# mktemp needs a template that ends in X's
TMP=$(mktemp -d /tmp/ff.XXXXXX)
mv "${TARBALL}" "${TMP}/"

pushd "${TMP}"

# strip the .tar.bz2 suffix to get the versioned install directory name
FFOX=$(basename "${TARBALL}" .tar.bz2)

tar -jxf "$(basename "${TARBALL}")"

# root-owned so a compromise of the user account cannot modify the binaries
chown -R root:root firefox

mv firefox "/usr/local/${FFOX}"

popd

pushd /usr/local

# point the stable symlink at the new version; older versions stay in place
rm -f firefox && ln -s "${FFOX}" firefox

popd

rm -rf "${TMP}"
-

$1 is the FireFox downloaded from upstream (compiled)

Installing it as root means I am safe from malware over-writing bits of 
it, but I do have to manually download.


/usr/local/firefox/firefox then starts it - and old versions are 
preserved in case something breaks (I just change which one the 
/usr/local/firefox link points to - though I almost never have to revert)


It's not RPM but there are too many advantages to newer FireFox for me 
to wait.



[CentOS] C++11 and GCC 5+

2018-07-01 Thread Alice Wonder

This may be common knowledge to some, but it was new to me.

Libraries that use C++11 and are compiled with GCC 4.8.x that CentOS 7.x 
has are NOT binary compatible with GCC 5.x or newer.


It seems to only affect C++11.

What you have to do -

create /opt/gcc55 (or whatever)

Rebuild any libraries that use C++11 that you need in something compiled 
with GCC 5+ and install them within that prefix.


Then point to them in that prefix when building what you need to build.

-=-

The Linux runtime linker seems to get it right (as long as you have 
/opt/gcc55/lib64 in path) and not load wrong version of library, so you 
don't need to use rpath.


But you do need to have a version of the dependency compiled with the 
GCC you want available at both compile time and runtime.


-=-

I ran across this issue when building Audacity 2.2.2 - which does not 
build with GCC 4.8.5.


The problem libraries:
* flac
* vamp-sjdk-plugin
* wxGTK3

All three of those use C++11 and therefore needed to be rebuilt with GCC 
5.5.0 (what I used for building Audacity)


Just thought I'd pass it along.


[CentOS] dumb shared library question

2018-06-25 Thread Alice Wonder

Binary compiled on a system with gcc 5.5.0 w/ libstdc++.so.6.0.21

Because the major version is libstdc++.so.6 there shouldn't be any 
problems running it on CentOS 7 with libstdc++.so.6.0.19, right?



Re: [CentOS] Passwords in plain text

2018-06-17 Thread Alice Wonder via CentOS

On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:

On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:

I'm pretty sure I messed up attributions, so am deleting them.


I believe this is a DMARC issue. Yahoo, among other places, has set
their dmarc records to p=reject:



So, if your mail hosting provider enforces dmarc,(gmail does) and you
get mail from a list that doesn't rewrite the headers, and people
from places like yahoo post to the list, you'll likely get some form
of warning about being kicked off the mailing list every now
and then. The frequency depends on how often people from p=reject
places post, and what the settings are for bounce handling of the
mailing list in question.



This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.


Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
caused every gmail user to have his account disabled.

I'd heard of the DMARC thing with mailing lists before,
but had not known it enabled single e-mails of mass destruction.


I run dmarc on my mail server but only in report mode, it doesn't reject.

I did it as a test (for years) and am fully convinced that dmarc is
worthless for real world protection.

Numerous mail lists out there are configured in such a way that dmarc
gets triggered and that just isn't going to change.

It's a neat idea but it's not backwards compatible with the way SMTP
already works.

I can not recommend its use. I do recommend mail server software update
if possible to be compatible but I just can not recommend mail servers
enforce dmarc.

DKIM is a good thing, but dmarc breaks things too badly.

Even DKIM though is of limited usefulness - it seems the spammer
blacklists don't really care. Even with proper DKIM signature on a
domain with correct reverse DNS set up for years, they will still add
you to the spam blacklist if any other host on your subnet is identified
as a spammer.

So even the blacklists don't really utilize this anti-spam anti-spoof
technology, which makes it kind of worthless.

Using DKIM as one of several factors in spamassassin though is possibly
helpful, though most spammers these days have a validating DKIM sig.




Let me put it this way - in the several years of running dmarc in report 
only mode, over 99% of reported violations are false positives from mail 
lists.


That high of a false positive rate tells me it is broken technology.


Re: [CentOS] Passwords in plain text

2018-06-17 Thread Alice Wonder via CentOS

On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:

I'm pretty sure I messed up attributions, so am deleting them.


I believe this is a DMARC issue. Yahoo, among other places, has set
their dmarc records to p=reject:



So, if your mail hosting provider enforces dmarc,(gmail does) and you
get mail from a list that doesn't rewrite the headers, and people
from places like yahoo post to the list, you'll likely get some form
of warning about being kicked off the mailing list every now
and then. The frequency depends on how often people from p=reject
places post, and what the settings are for bounce handling of the
mailing list in question.



This is indeed what happened.  An email from yahoo.com.uk caused gmail
to reject all the mails sent by that user because of the yahoo DMARC
settings.


Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk
caused every gmail user to have his account disabled.

I'd heard of the DMARC thing with mailing lists before,
but had not known it enabled single e-mails of mass destruction.


I run dmarc on my mail server but only in report mode, it doesn't reject.

I did it as a test (for years) and am fully convinced that dmarc is 
worthless for real world protection.


Numerous mail lists out there are configured in such a way that dmarc 
gets triggered and that just isn't going to change.


It's a neat idea but it's not backwards compatible with the way SMTP 
already works.


I can not recommend its use. I do recommend mail server software update 
if possible to be compatible but I just can not recommend mail servers 
enforce dmarc.


DKIM is a good thing, but dmarc breaks things too badly.

Even DKIM though is of limited usefulness - it seems the spammer 
blacklists don't really care. Even with proper DKIM signature on a 
domain with correct reverse DNS set up for years, they will still add 
you to the spam blacklist if any other host on your subnet is identified 
as a spammer.


So even the blacklists don't really utilize this anti-spam anti-spoof 
technology, which makes it kind of worthless.


Using DKIM as one of several factors in spamassassin though is possibly 
helpful, though most spammers these days have a validating DKIM sig.
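Why a mailing list trips DMARC even when SPF and DKIM both pass, as an added example that is not from the post: a POSIX shell function that evaluates DMARC the way a receiving server does, taking the From: header domain, the SPF result with its envelope (MAIL FROM) domain, and the DKIM result with its d= domain, and passing only when an authenticated identifier aligns with the From: domain. Alignment is the relaxed mode simplified to "same domain, or one a subdomain of the other" (real implementations compare organizational domains using the public suffix list); the domains poster.example and lists.example are constructed placeholders. A list relays the message with its own envelope sender and its own DKIM signature, so neither aligns with the original poster's From: domain, and a publisher of p=reject sees their list mail bounced.

```shell
#!/bin/sh
# Added example (not from the list post): a minimal DMARC evaluation
# showing why relayed list traffic fails although SPF and DKIM pass.

# aligned A B: relaxed alignment, simplified to "equal or one is a
# subdomain of the other". Real DMARC compares organizational domains
# found via the public suffix list.
aligned() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ] && return 0
    case "$a" in *".$b") return 0 ;; esac
    case "$b" in *".$a") return 0 ;; esac
    return 1
}

# dmarc_result FROM_DOMAIN SPF_RESULT SPF_DOMAIN DKIM_RESULT DKIM_DOMAIN
# prints "pass" when either an aligned SPF pass or an aligned DKIM pass
# exists (RFC 7489 section 6.6.2), otherwise "fail".
dmarc_result() {
    from=$1; spf=$2; spfd=$3; dkim=$4; dkimd=$5
    if [ "$spf" = "pass" ] && aligned "$from" "$spfd"; then
        echo pass; return 0
    fi
    if [ "$dkim" = "pass" ] && aligned "$from" "$dkimd"; then
        echo pass; return 0
    fi
    echo fail
}

# dmarc_disposition POLICY RESULT: what a receiver does with the message
# given the sender's published p= tag. "none" is the report-only mode
# the post runs: nothing is rejected, aggregate reports are still sent.
dmarc_disposition() {
    [ "$2" = "pass" ] && { echo deliver; return 0; }
    case "$1" in
        none)       echo "deliver (report only)" ;;
        quarantine) echo quarantine ;;
        reject)     echo reject ;;
        *)          echo "deliver (no policy)" ;;
    esac
}

# Constructed scenario: a poster.example user writes to a list at
# lists.example whose publisher policy is p=reject.
if [ "${1:-}" = "demo" ]; then
    # direct mail: envelope sender and DKIM d= are the poster's own domain
    r=$(dmarc_result poster.example pass poster.example pass poster.example)
    echo "direct:   $r -> $(dmarc_disposition reject "$r")"
    # relayed by the list: envelope sender and DKIM d= are now the list's
    r=$(dmarc_result poster.example pass lists.example pass lists.example)
    echo "via list: $r -> $(dmarc_disposition reject "$r")"
fi
```

Run with `sh dmarc-check.sh demo`. The second case is the one the post's reports are full of: both authentication mechanisms pass, but for the list's identifiers, not the author's, so the only fixes on the list side are header rewriting (From: munging) or ARC, and on the publishing side a policy of p=none if your users post to lists that do neither.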




Re: [CentOS] CentOS Kernel Support

2018-06-14 Thread Alice Wonder

On 06/14/2018 08:00 AM, Peter Kjellström wrote:

On Thu, 14 Jun 2018 16:26:27 +0200
Gianluca Cecchi  wrote:
...

The src.rpm for that kernel is probably available somewhere.


I'm fairly certain you cannot download the SRPM for EUS kernels.
You might if you're a Red Hat customer paying for that product (but
don't take my word for it).

...

I agree for the format of release (SRPM), but in any case Red Hat
should provide the sources for the changes, as the kernel is GPL-2.0
Then one can manually try to merge them in a patched kernel in some
way... Gianluca


Redhat of course complies with the GPL and provides source to the
customers that get access to the binary packages. They are not required
to provide the sources to anyone else.

/Peter


Yes that's why I said somewhere.
At least in the past there have been people who made their own mirrors 
of RHEL exclusive source packages (which the GPL allows).


I don't know who does now, but someone somewhere probably does.



Re: [CentOS] CentOS Kernel Support

2018-06-14 Thread Alice Wonder

On 06/13/2018 02:33 PM, Jonathan Billings wrote:

On Jun 13, 2018, at 4:47 PM, Ken Young  wrote:

Is anyone on the mailing list aware of anyone who supports older versions of 
CentOS kernels?  Particularly, I am interested in getting security patches 
added to kernel-3.10.0-514.10.2.el7.src.rpm.  Please let me know.


As far as CentOS support, only the latest kernel is supported. This really 
means that *you* are now the only support for old kernels.

You might be able to pay Red Hat for an Extended Update Support release of 
RHEL7 that has a similar version (kernel-3.10.0-514.51.1.el7) but support ends 
November 30 2018.

https://access.redhat.com/articles/rhel-eus



The src.rpm for that kernel is probably available somewhere.



[CentOS] Articles on OpenSSH and Personal Git

2018-06-11 Thread Alice Wonder

Hi,

Wrote a couple articles on OpenSSH and on running your Git server in a 
CentOS 7 environment


https://notrackers.com/the-command-line/openssh-primer/

and

https://notrackers.com/the-command-line/setting-up-your-own-git-server/

And the domain name is honest, there are no trackers on that blog. None.

(that blog is actually for a WordPress project not ready for general use 
but it seemed like a good place for the articles too)


-=-

I am sure they aren't perfect, but they may be of assistance to some. 
Any blatant mistakes, I am not above correction.


Git article needs SELinux instructions added for web content served 
outside of /var/www/html and the public web git viewer I'm planning to 
fork to fix some issues I have with it (I'll contribute patches back if they 
want them)


I still need to find a CI solution (alternate to Travis-CI) that works 
just from standard Git - e.g. a git hook when pushing commits or tagging 
a release that pings the CI solution causing it to do a standard git 
pull to run the build and unit tests.



Re: [CentOS] git public web frontends

2018-06-06 Thread Alice Wonder

On 06/06/2018 09:08 PM, Keith Keller wrote:

On 2018-06-06, Alice Wonder wrote:

I'll be putting those in /srv/git and using a different username than
the account for my private git repositories.

But... can anyone recommend a web front end?


Another recommendation for Gitlab.  For maximum flexibility you can just
run it out of a Docker container with appropriate volume mounts for
persistent data.

--keith



I'm actually using something called GitList.

Simple and I like simple.

The 0.6 version had a remote code execution bug so I do have to go through 
the code and make sure all proper validation is done, but what I want to 
do is simple and what GitList does is simple.


I don't like overly complex solutions even when there are installers 
that make it seem simple.



[CentOS] git public web frontends

2018-06-06 Thread Alice Wonder

Hello,

Set up a CentOS 7.5 VM linode for git now that github has been bought.

I'm not anti-microsoft but I'm worried they will make changes that I 
don't like (e.g. requiring ms account, changing billing, etc.) so I 
figured better take control now.


Currently moving my private repos and have them set up in my home 
directory there, but my public repos - I want to set them up with a web 
interface so people can browse them etc. and do a git clone w/o needing 
authentication.


I'll be putting those in /srv/git and using a different username than 
the account for my private git repositories.


But... can anyone recommend a web front end?

It doesn't need to be as fancy as github but it does need to parse 
markdown as all my documentation is in markdown.


Thanks for suggestions.

Preferably something that "just works" with CentOS 7.

-=-

What would be fantastic is if someone made some kind of federation type 
service similar to how Mastodon works that lets public git repositories 
that opt in be found without needing to be on a centralized server.


But I doubt that currently exists.


Re: [CentOS] get unicode ranges from a TTF ???

2018-05-04 Thread Alice Wonder

I received excellent advice on this that works -

https://twitter.com/FakeUnicode/status/991916370752229376

ttx -t cmap -d . Dosis-v2031b-200ExtraLight.otf

for example produces an XML file with the Unicode numbers that I can 
parse to figure out the range covered.


On 05/01/2018 09:52 PM, Alice Wonder wrote:

Hello list,

Is there a command line tool I run on a ttf font and get a list of the
Unicode Ranges for that font that would be compatible with the
unicode-range: parameter in a CSS @font-face declaration?

I'm guessing something in the python world probably exists...

Hopefully something that works in CentOS 7

I need something like that for a FLOSS font server project that doesn't
track users.

I don't feel a need to split up a font by unicode range, but a lot of
fonts are already split by their upstream developers according to
language support - e.g. the Noto Fonts, the main font has a lot of
glyphs but Hebrew for example is in its own font file already.

I want to be able to get the range information for what the fonts support.

Thanks for any tips.

My font server project I need it for is at
https://github.com/AliceWonderMiscreations/FlossWoff2
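The parsing step described above, as an added example that is not from the thread or the FlossWoff2 project: it reads the XML that `ttx -t cmap` writes, keeps only the Unicode subtables (the Macintosh Roman subtable uses non-Unicode codes and must be skipped), and emits a CSS unicode-range value. The embedded dump is a constructed stand-in for a real ttx file, not the Dosis font's actual cmap.

```python
"""Derive a CSS unicode-range descriptor from the XML that `ttx -t cmap` emits.

Added example for the thread above; not part of the FlossWoff2 project.
Usage: python ttx_unicode_range.py Some-Font.ttx
(with no argument it runs on the constructed sample below).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a real `ttx -t cmap -d . Font.otf` dump. The glyph
# set is invented for the example; a real dump has thousands of <map> entries.
SAMPLE_TTX = """\
<ttFont sfntVersion="OTTO" ttLibVersion="3.0">
  <cmap>
    <tableVersion version="0"/>
    <!-- Windows Unicode BMP subtable: codes here are Unicode scalar values -->
    <cmap_format_4 platformID="3" platEncID="1" language="0">
      <map code="0x20" name="space"/><!-- SPACE -->
      <map code="0x21" name="exclam"/><!-- EXCLAMATION MARK -->
      <map code="0x22" name="quotedbl"/><!-- QUOTATION MARK -->
      <map code="0x41" name="A"/><!-- LATIN CAPITAL LETTER A -->
      <map code="0x42" name="B"/><!-- LATIN CAPITAL LETTER B -->
      <map code="0x43" name="C"/><!-- LATIN CAPITAL LETTER C -->
      <map code="0x5d0" name="alef"/><!-- HEBREW LETTER ALEF -->
      <map code="0x5d1" name="bet"/><!-- HEBREW LETTER BET -->
      <map code="0xfeff" name=".null"/><!-- ZERO WIDTH NO-BREAK SPACE -->
    </cmap_format_4>
    <!-- Windows Unicode full-repertoire subtable: adds a non-BMP code point -->
    <cmap_format_12 platformID="3" platEncID="10" format="12" reserved="0"
                    length="0" language="0" nGroups="0">
      <map code="0x20" name="space"/><!-- SPACE -->
      <map code="0x1f600" name="u1F600"/><!-- GRINNING FACE -->
    </cmap_format_12>
    <!-- Macintosh Roman subtable: 0x80 here is A-dieresis, NOT U+0080 -->
    <cmap_format_0 platformID="1" platEncID="0" language="0">
      <map code="0x41" name="A"/>
      <map code="0x80" name="Adieresis"/>
    </cmap_format_0>
  </cmap>
</ttFont>
"""


def is_unicode_subtable(elem):
    """True for subtables whose codes are Unicode: platform 0 (Unicode) or
    platform 3 (Windows) with encoding 1 (BMP) or 10 (full repertoire)."""
    pid, eid = elem.get("platformID"), elem.get("platEncID")
    return pid == "0" or (pid == "3" and eid in ("1", "10"))


def codepoints_from_ttx(xml_text):
    """Collect every code point mapped by any Unicode cmap subtable."""
    root = ET.fromstring(xml_text)
    cmap = root.find("cmap")
    if cmap is None:
        raise ValueError("dump contains no cmap table")
    cps = set()
    for sub in cmap:
        if not sub.tag.startswith("cmap_format_") or not is_unicode_subtable(sub):
            continue
        for m in sub.findall("map"):
            cps.add(int(m.get("code"), 16))  # ttx writes codes as 0x.. hex
    return cps


def collapse_ranges(cps):
    """Turn a set of code points into sorted (lo, hi) inclusive runs."""
    runs = []
    for cp in sorted(cps):
        if runs and cp == runs[-1][1] + 1:
            runs[-1][1] = cp
        else:
            runs.append([cp, cp])
    return [tuple(r) for r in runs]


def css_unicode_range(ranges):
    """Render runs in the U+XXXX / U+XXXX-YYYY syntax CSS accepts."""
    parts = [f"U+{lo:04X}" if lo == hi else f"U+{lo:04X}-{hi:04X}"
             for lo, hi in ranges]
    return "unicode-range: " + ", ".join(parts) + ";"


def unicode_range_from_ttx(xml_text):
    return css_unicode_range(collapse_ranges(codepoints_from_ttx(xml_text)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TTX
    print(unicode_range_from_ttx(text))
```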


[CentOS] get unicode ranges from a TTF ???

2018-05-01 Thread Alice Wonder

Hello list,

Is there a command line tool I run on a ttf font and get a list of the 
Unicode Ranges for that font that would be compatible with the 
unicode-range: parameter in a CSS @font-face declaration?


I'm guessing something in the python world probably exists...

Hopefully something that works in CentOS 7

I need something like that for a FLOSS font server project that doesn't 
track users.


I don't feel a need to split up a font by unicode range, but a lot of 
fonts are already split by their upstream developers according to 
language support - e.g. the Noto Fonts, the main font has a lot of 
glyphs but Hebrew for example is in its own font file already.


I want to be able to get the range information for what the fonts support.

Thanks for any tips.

My font server project I need it for is at 
https://github.com/AliceWonderMiscreations/FlossWoff2



Re: [CentOS] Question on CentoS 7.4 on nvidia

2017-12-14 Thread Alice Wonder

That's what I get too -

01:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 
405] (rev a2)


It works fine for me with mate with this:

kernel-3.10.0-693.5.2.el7.x86_64
kmod-nvidia-340xx-340.102-4.el7_4.elrepo.x86_64

I've had problems with gnome 3 and nvidia before, but haven't tested in 
a very long time, been running mate for years.


On 12/14/2017 01:51 PM, Jerry Geis wrote:

I installed the elrepo kmod-nvidia and also the nvidia-detect and modules
(see below).

I had X working with the 3.10 from Centos - but video was freezing. So I
thought I would try the elrepo kernel. I installed that and X does not come
up?

How do I re-make the nvidia module for the 4.14.5 kernel? I want to make sure
the kmod kernel did it. I'm thinking it did not.

lspci | grep VGA says GT218

Or  what do I look at now to see why X is not coming up?

Thanks,

Jerry

uname -r
4.14.5-1.el7.elrepo.x86_64


grep EE /var/log/Xorg.0.log
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[   136.998] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module.
Please see the
[   136.998] (EE) NVIDIA: system's kernel log for additional error
messages and
[   136.998] (EE) NVIDIA: consult the NVIDIA README for details.
[   136.998] (EE) No devices detected.
[   136.998] (EE)
[   136.998] (EE) no screens found(EE)
[   136.998] (EE)
[   136.998] (EE) Please also check the log file at "/var/log/Xorg.0.log"
for additional information.
[   136.998] (EE)
[   137.004] (EE) Server terminated with error (1). Closing log file.

uname -a

rpm -qa | grep kernel
kernel-3.10.0-693.el7.x86_64
kernel-tools-3.10.0-693.5.2.el7.x86_64
abrt-addon-kerneloops-2.1.11-48.el7.centos.x86_64
kernel-headers-3.10.0-693.5.2.el7.x86_64
kernel-ml-devel-4.14.5-1.el7.elrepo.x86_64
kernel-devel-3.10.0-693.el7.x86_64
kernel-3.10.0-693.5.2.el7.x86_64
kernel-ml-4.14.5-1.el7.elrepo.x86_64
kernel-tools-libs-3.10.0-693.5.2.el7.x86_64
kernel-devel-3.10.0-693.5.2.el7.x86_64
[root@mediaport14 ~]# rpm -qa | grep kernel-ml
kernel-ml-devel-4.14.5-1.el7.elrepo.x86_64
kernel-ml-4.14.5-1.el7.elrepo.x86_64


# rpm -qa | grep nvidia
kmod-nvidia-340xx-340.102-4.el7_4.elrepo.x86_64
nvidia-detect-384.90-1.el7.elrepo.x86_64
yum-plugin-nvidia-1.0.2-1.el7.elrepo.noarch
nvidia-x11-drv-340xx-340.102-1.el7.elrepo.x86_64


Re: [CentOS] Broadcom BCM4360

2017-12-04 Thread Alice Wonder

On 12/04/2017 01:34 AM, Nicolas Kovacs wrote:

On 04/12/2017 at 01:22, Gregory P. Ennis wrote:

I just purchased a new wifi card that lspci identifies as:
Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)

I have not been able to get it to work on a Centos 7.4 machine. Some of
the centos user posts had indicated the nux repository had a Centos 7
kmod-wl, but it is not present when I tried to search for or install
it at this time.

Has anyone had any success in making the Broadcom BCM4360 chip work
for Centos 7.4?


Some time ago I installed CentOS 7 on a MacBook Pro with a Broadcom
wireless card. The card was a PITA to configure, but it works perfectly
now.

I wrote an article about it. It's in French, but the *nix bits are
universal. :o)

https://blog.microlinux.fr/centos-7-macbook-pro/#rezo-wifi

Cheers,

Niki



lspci |grep -i broad
02:00.0 Network controller: Broadcom Limited BCM4360 802.11ac Wireless 
Network Adapter (rev 03)


That's my broadcom chip and it works in CentOS 7.4 with the

kmod-wl-6_30_223_271-4.el7.centos.x86_64

rpm built from the previously mentioned nosrc rpm.

I might have bumped the release tag when rebuilding it, don't remember.


Re: [CentOS] Broadcom BCM4360

2017-12-03 Thread Alice Wonder

On 12/03/2017 11:10 PM, Phil Perry wrote:

On 04/12/17 00:38, John R Pierce wrote:

On 12/3/2017 4:22 PM, Gregory P. Ennis wrote:

I have not been able to get it to work on a Centos 7.4 machine. Some of the
centos user posts had indicated the nux repository had a Centos 7 kmod-
wl, but it is not present when I tried to search for or install it at
this time.


this looks potentially helpful

http://elrepo.org/tiki/wl-kmod

it appears those are closed source drivers with funky licenses, so
they can't just be redistributed without assumption of liability.




Correct, elrepo isn't able to freely redistribute the drivers due to
Broadcom's licensing, but does provide instructions and a SRPM (minus
tarball) for you to build yourself.


That's what I have to do, and it can sometimes be a PITA because a 
kernel update can break it and you have to build it again.


With major updates (like 7.3 to 7.4) you sometimes have to download a 
new nosrc rpm.




Alternatively, for $8 you can purchase an adaptor that is natively
supported and will work out of the box:

https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8=1512370979=8-1=edimax+n150


https://www.newegg.com/Product/Product.aspx?Item=N82E16833315091_re=edimax_n150-_-33-315-091-_-Product


The above adaptor is based on the Realtek RTL8188CUS chipset and uses
the rtl8192cu kernel driver.


At some point I will be replacing mine, but with a low-profile PCI-E 
card. I've had bad luck with USB wifi adapters, sometimes for example 
they lose connection when a microwave is turned on and when I was 
visiting my parents, had one that lost connection whenever the AC unit 
kicked on.


My best wifi experience in Linux has been with my T series thinkpad, it 
uses some kind of Intel wireless chipset that is in the kernel.


I'm going to be looking for a low profile Intel PCI-E card, but for now 
my broadcom PCI-E actually works quite well - with the exception of 
needing to rebuild every now and then (last time was 7.3 to 7.4 update)




Re: [CentOS] modestly priced laptop for C7

2017-11-02 Thread Alice Wonder

On 11/02/2017 10:41 AM, Fred Smith wrote:

I'm looking to replace my (old, creaky) netbook (Acer Aspire One D255e,
a screaming dual core 1.6 GHz Atom, and a whole 2 gigs of RAM) with
something faster but not too large. Sometimes (usually) the netbook is
painfully slow.

Something like a hi-res 14 (or 15) inch screen (full HD), minimum of 4 gigs
RAM, HD of a half terabyte or bigger.

I'd like to not have to go over 600-700 dollars, so I know my choices
are somewhat limited if I want to avoid the 400-500 dollar windows 10
junk^H^H^H^Hsystems from BJs, etc.

Something with a quad-core processor, and all hardware works with C7.

I've glanced at Lenovo Thinkpads on amazon where there are several
"factory refurbished" ones with similar specs to what I mention above
in the $500-700 range, but I don't know if they're any good or not

I'm open to suggestions from any/all of you!

thanks in advance!

Fred



CentOS works well on T-Series thinkpads but be careful of the video, 
some use an nvidia card which at least historically had issues in Linux 
that caused the battery to run down faster and caused the laptop to run hot.


T series thinkpads use Intel wifi that "just works" with CentOS - at 
least in my limited experience. Many laptops require 3rd party drivers 
with proprietary firmware to get the wifi working, which can be a pain 
in the neck when point release update happens (e.g. 7.3 to 7.4) because 
you then have to rebuild the RPM in the new point release or the driver 
won't work, and often that means downloading a new nosrc.rpm - which may 
not immediately be available.


Somewhere there's a list of wifi hardware that works out of the box with 
the Linux kernel, whatever brand you buy I would recommend the wifi 
device is on that list.



Re: [CentOS] Incorrect characters in Chinese font

2017-10-29 Thread Alice Wonder

On 10/29/2017 03:12 PM, H wrote:

On 10/29/2017 03:49 PM, Frank Cox wrote:

On Sun, 29 Oct 2017 15:03:49 -0400
H wrote:


I had three characters I was not able to translate and after much
hair-pulling realized to my surprise that they may be incorrectly drawn in
Centos 7.

My first guess would be a faulty character in whatever font you're using.

Compare it with a working font and see if that's the problem.  Type the 
problematic characters into a text editor.  Change the font in the text editor 
to a different one.  Did the character suddenly become correct?  If so, you've 
found the problem.

Then the short-term fix is to use a different (correct) font and the long-term 
solution will start with filing a bug report against the faulty font.


Frank, you are right. I switched from Monospace to DejaVu Sans and the three 
characters are correctly depicted.

Now, how do I report the problem with the Monospace font used in CentOS 7?




Monospace is probably not the name of the font, but is telling the 
application to use the default monospace font - which may be set by 
something else.


What application is it?

It's quite possible that Monospace is actually DejaVu Sans Mono or 
Liberation Mono or whatever the URW equivalent to Courier is.


If the glyph is one that uses combining unicode code-points, many 
monospace fonts do not support all of them properly.



Re: [CentOS] /var/run/... being deleted :((

2017-10-11 Thread Alice Wonder

On 10/11/2017 12:20 PM, Lamar Owen wrote:

On 09/21/2017 08:14 AM, hw wrote:

what keeps deleting files and directories under /var/run?  Having them
deleted is extremely annoying because after a reboot, things are suddenly
broken because services don't start.


*snip*


The fact of the matter is that the EL7 behavior is to store /var/run in
a temporary way, and that's not at all likely to be changed in EL7,

*snip*


When I need daemon (or other not human user) produced data to persist a 
reboot, I use /srv - I don't know if that is technically correct or not, 
but it seems highly unlikely /srv would ever be a candidate for wipe on 
boot.


Perhaps the package in question could simply be patched to use /srv ??



Re: [CentOS] /boot partition too small

2017-10-10 Thread Alice Wonder

On 10/10/2017 07:04 AM, Vanhorn, Mike wrote:

If there are many old kernels in there, you can probably remove the oldest 
one(s) to make room for newer ones.


This is what I do. When /boot hits about 80% I go through and remove old 
kernels I will never boot into anyway.


Usually that's at four kernels.


Re: [CentOS] Thunderbird in CentOS 7.4

2017-09-28 Thread Alice Wonder

On 09/27/2017 11:14 PM, Phil Perry wrote:

On 28/09/17 04:19, Alice Wonder wrote:

With the current Thunderbird I can not connect to one of my IMAP
servers that uses a self-signed cert. Virtually identical IMAP servers
that use CA signed certs work

I was a bit out of date when I updated to 7.4 and was running
Thunderbird 45.6.x and it worked.

When I connected from evolution (which I do not like) it worked.

When I connected with my laptop still running 45.6.x it works.

so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't
5x.x.x series) and did an --oldpackage update with RPM and it works
again.

When rebuilding the old thunderbird in mock I had to add the following:

BuildRequires:  dbus-glib-devel

Either the build system used by CentOS automatically includes that, or
a build dependency used to pull that in but no longer does.

Anyway if anyone is having a similar problem, that's a solution.

-=-

This is what I see in the mail server log when current CentOS
thunderbird tries to connect:

Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth
attempts in 1 secs): user=<>,
rip=2600:1010:b064:f260:e83e:562d:2316:18df,
lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept()
failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca: SSL alert number 48,
session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>

---

Since it works with current evolution and with older thunderbird, I
assume it is a bug in current thunderbird when the server is using a
self-signed cert.

Don't know if same thing happens on pop.

I use IMAP on 143 using starttls


I have no problem using a self-signed cert on my own private mail
server, although admittedly I'm using POP, not IMAP.

Have you imported your certificate(s) in thunderbird?

Preferences > Advanced > Certificates


When Thunderbird first attempts it, it offers to import. Under older versions 
it only asks once, and when I import, it's fine until I replace the 
certificate (once a year, cert is good for three years but I generate 
new once a year - I just make it good for three in case life gets in the 
way).


The new thunderbird continually asks but still fails to connect.

However as soon as I switched back to the older version, it didn't even 
need to ask because I had already made an exception for that certificate.


Old thunderbird works as expected, new doesn't.



[CentOS] Thunderbird in CentOS 7.4

2017-09-27 Thread Alice Wonder
With the current Thunderbird I can not connect to one of my IMAP servers 
that uses a self-signed cert. Virtually identical IMAP servers that use 
CA signed certs work


I was a bit out of date when I updated to 7.4 and was running 
Thunderbird 45.6.x and it worked.


When I connected from evolution (which I do not like) it worked.

When I connected with my laptop still running 45.6.x it works.

so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't 
5x.x.x series) and did an --oldpackage update with RPM and it works again.


When rebuilding the old thunderbird in mock I had to add the following:

BuildRequires:  dbus-glib-devel

Either the build system used by CentOS automatically includes that, or a 
build dependency used to pull that in but no longer does.


Anyway if anyone is having a similar problem, that's a solution.

-=-

This is what I see in the mail server log when current CentOS 
thunderbird tries to connect:


Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth 
attempts in 1 secs): user=<>, 
rip=2600:1010:b064:f260:e83e:562d:2316:18df, 
lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() 
failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown 
ca: SSL alert number 48, session=


---

Since it works with current evolution and with older thunderbird, I 
assume it is a bug in current thunderbird when the server is using a 
self-signed cert.


Don't know if same thing happens on pop.

I use IMAP on 143 using starttls
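As an added example (not from the original post), the dovecot line quoted above plus two constructed ones run through a small classifier. The server logs the alert the peer sent, and the alert numbers 42 through 48 (48 being unknown_ca) are what a TLS client sends after rejecting the server's certificate, so those lines describe the client's trust decision rather than a dovecot fault; the 2001:db8:: addresses, the non-48 lines and the CONSTRUCTED fields are made up for the example.

```python
"""Classify TLS handshake failures in dovecot imap-login log lines.

Added example for the thread above, not from the original post.  It separates
"the client refused our certificate" (alerts 42-48, sent *by* the client)
from cipher/protocol problems and from plain disconnects.
"""
import re
import sys
from collections import Counter

# Alert numbers from RFC 5246 section 7.2.2.  When a server logs one of
# these, the client sent it after inspecting the server certificate.
CERT_REJECTED_BY_CLIENT = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
OTHER_ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: (?P<svc>[\w-]+): "
    r"Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: (?P<tls>.*?)(?:, session=<[^>]*>)?$"
)
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")

# Line 1 is the one quoted in the post (session id from the earlier copy of
# the message).  Lines 2 and 3 are constructed: 2001:db8:: addresses, a
# handshake_failure alert and a client that simply hung up.
SAMPLE_LOG = """\
Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:1010:b064:f260:e83e:562d:2316:18df, lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>
Sep 25 20:18:03 librelamp dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=2001:db8::2, lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() failed: error:CONSTRUCTED:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure: SSL alert number 40, session=<CONSTRUCTED0000000000000>
Sep 25 20:18:10 librelamp dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=2001:db8::3, lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: Disconnected, session=<CONSTRUCTED0000000000001>
"""


def classify(tls_text):
    """Map the 'TLS handshaking: ...' tail to (category, alert name)."""
    m = ALERT_RE.search(tls_text)
    if not m:
        return ("no_alert", None)  # peer closed without sending an alert
    num = int(m.group("num"))
    if num in CERT_REJECTED_BY_CLIENT:
        return ("client_rejected_server_cert", CERT_REJECTED_BY_CLIENT[num])
    return ("other_tls_alert", OTHER_ALERTS.get(num, f"alert_{num}"))


def parse_line(line):
    """Return the line's fields plus category/alert, or None if not a
    dovecot TLS-handshake disconnect line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"], rec["alert"] = classify(rec["tls"])
    return rec


def summarise(lines):
    """Count failures per (remote IP, category, alert)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["rip"], rec["category"], rec["alert"])] += 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for (rip, cat, alert), n in sorted(summarise(lines).items()):
        print(f"{n:4d}  {rip:40s} {cat:28s} {alert or '-'}")
```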


Re: [CentOS] 7.4 network issues

2017-09-25 Thread Alice Wonder

On 09/25/2017 01:10 AM, Phoenix, Merka wrote:

Alice,


Two onboard nics, Intel, eno1 and eno2

If either of them is set to onboot then network won't start.

one error message says :bad vendor preset disabled


This bug report from the upstream vendor (RH) for RHEL 7 might help in 
troubleshooting what's causing the error message:

See: https://bugzilla.redhat.com/show_bug.cgi?id=1399448

Apparently something "broke" (changed) between 7.2 and 7.3 in how the 
networking scripts bring up the interfaces.

Cheers!



I'll figure that out later. I found a USB key in my camera bag (I'm out 
of town, but took my desktop with me) and used the updated src.rpm from 
elrepo for my wireless. So it connects now.


I need to get an Intel wireless nic with drivers in the kernel, that's 
what my thinkpad has and it always just works.


I'll figure out what's up with the wired connections later.


[CentOS] 7.4 network issues

2017-09-25 Thread Alice Wonder

Two onboard nics, Intel, eno1 and eno2

If either of them is set to onboot then network won't start.

one error message says :bad vendor preset disabled

Another error message (in red) says Failed to start LSB

If I can find a USB key there is an updated kmod-wl src.rpm that *may* 
bring up my wifi, but I am not sure I have access to a USB key at the 
moment.


The motherboard is supermicro and the onboard nics are Intel which I 
thought were well supported, but I do remember going from 7.2 to 7.3 on 
a server IPv6 was bricked because of changes to how the /sbin/ifconfig 
scripts were configured.


This one (is a xeon, server board, but it's my desktop) I think started 
life as 7.2 and was at 7.3 before this update - in case there's a 
similar issue with incompatibilities with config file after update.


I've not used the nics before, always just used wifi.

What's the secret to getting them to connect via dhcp onboot at least 
long enough to try and get the broadcom wifi working again?


--
-=-
Sent from my laptop, may not be able to respond timely


Re: [CentOS] Bricked my system

2017-09-25 Thread Alice Wonder

I got in and removed that kmod and got it booted.

Now I have to figure out why it won't connect via ethernet even 
though it's set to DHCP and should.


Seems every major CentOS update changes the network stuff in a way that 
causes headaches. That's probably just my frustration speaking but 
that's what it feels like.


On 09/25/2017 12:24 AM, Frank Cox wrote:

On Mon, 25 Sep 2017 00:18:16 -0700
Alice Wonder wrote:


It's caused by the wl-whatever kmod update I tried trying to get network
back, but I can't remove that rpm if I can't boot.


https://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-boot.html



--
-=-
Sent from my laptop, may not be able to respond timely


[CentOS] Bricked my system

2017-09-25 Thread Alice Wonder

Updated to CentOS 7.4

No wifi. The wifi was using wl-something driver that had third party 
firmware but it wasn't seen.


Attempted to get network with ethernet from the mobo to router but it 
wouldn't come up.


So I rebuilt the wl-whatever kernel module and installed the updated 
version built against the newer kernel.


Now when attempting to boot it gets stuck at "i8042 no controller found" 
and stops.


That message is always there, either lack of serial port or lack of PS/2 
ports - I forget - but the boot now hangs there.


It's caused by the wl-whatever kmod update I tried trying to get network 
back, but I can't remove that rpm if I can't boot.


Help.

--
-=-
Sent from my laptop, may not be able to respond timely


Re: [CentOS] Headphones volume control not working in CentOS 7

2017-07-28 Thread Alice Wonder

On 07/28/2017 03:28 PM, Bernard Lheureux wrote:

Hi all,

I hope someone could enlighten me...
How could I resolve the fact that the volume controls of all the
headphones I try on CentOS 7 are not working, they are OK on CentOS 6
but impossible to make them work on my Thinkpad Laptop with an iPhone
headphones or a Marshal Monitor plugged with a jack connector...
Those 2 headphones work correctly in CentOS 6...
What could I do to get the same behavior on CentOS 7 and this damned
Gnome 3 ?
Thanks for your help...



Not sure, volume control on my USB headphones work just fine on CentOS 
7. Both on the headphones itself and from the desktop.


On both my home built PC and on my Thinkpad T410 (where it also works 
from volume buttons on keyboard)


I use MATE though, but I don't know if that is why.


Re: [CentOS] TeX Live on CentOS 7

2017-07-22 Thread Alice Wonder

On 07/21/2017 10:18 PM, Nicolas Kovacs wrote:

On 21/07/2017 at 23:14, Alice Wonder wrote:

I always install official TeXLive in /usr/local/texlive - yum update
thanks me. Every few months I update it, but keeping it outside of RPM
means I don't get tons of individual packages, many that I never use,
constantly updating in yum.


And how do you manage conflicts with packages? Do you blacklist them in
Yum's repo configuration? And how about the stuff depending on them?
Install it manually using --nodeps?

Niki



There aren't any conflicts. I did make the following file:

# /etc/profile.d/texlive.sh
#if [ ${UID} -gt 1000 ]; then
export PATH=/usr/local/texlive/2016/bin/x86_64-linux:$PATH
#fi

If a package on my system wants a CentOS texlive as dependency it gets 
it, there are texlive packages installed.


But users get the texlive in /usr/local/texlive

The directory /usr/local/texlive is owned by a user:group 
texlive:texlive and I log in as that user to run tlmgr to update the 
install.


--
-=-
Sent from my laptop, may not be able to respond timely


Re: [CentOS] TeX Live on CentOS 7

2017-07-21 Thread Alice Wonder
I always install official TeXLive in /usr/local/texlive - yum update 
thanks me. Every few months I update it, but keeping it outside of RPM 
means I don't get tons of individual packages, many that I never use, 
constantly updating in yum.


On 07/21/2017 11:46 AM, Denniston, Todd A CIV NAVSURFWARCENDIV Crane, 
JXVS wrote:

-Original Message-
From: Nicolas Kovacs [mailto:i...@microlinux.fr]
Sent: Friday, July 21, 2017 2:29 AM
To: CentOS
Subject: [CentOS] TeX Live on CentOS 7

Hi,

I just installed the OpenVAS vulnerability scanner on my CentOS 7
workstation. Everything seems to work fine, except PDF generation. The
'openvas-check-setup' script tells me that PDF generation works fine,
but whenever I want to generate a report, the result is unusable and
can't open in Evince or Okular.

After googling a bit, I found out that several users complained that Tex
Live is broken under RHEL/CentOS 7.

While I did use LaTeX a long time ago to write documents, I don't use it
anymore nowadays (just Markdown or LibreOffice). But I do need a working
installation of TeX Live for OpenVAS PDF reports.

What can I do now? Perform a manual installation of TeX Live with their
provided installer (to /opt) and then blacklist all texlive* packages? I
admit I'm a bit surprised that a distribution like RHEL/CentOS that
prizes quality wouldn't provide a working TeX Live in their package
repositories.

Any suggestions?


The users that were complaining, were they all OpenVAS users?

Going from my experiences on CentOS 6, I find it surprising that LaTeX is not 
working.
Does even the trivial.tex from [0] compile?
Can you get the LaTeX file that OpenVAS is generating, and on the command line 
run pdflatex (or other latex compile command) on it and capture the error 
messages?
This might point to missing packages/fonts.

It may be possible that not enough of texlive has been installed. I tend to 
do a `yum install \*latex\*` (and answer no) to see what is available and then 
install every latex thing that is not a -devel package. That way I never have 
to think about getting packages again, or if I do I will pretty much know I'll 
have to get it from CTAN myself.
Seeing [1] from the openvas wiki makes me think you should try `yum install 
\*latex\*extra\*` and see if it is now available. And as seen elsewhere [2] 
sometimes rpm packagers don't name them the same as LaTeX packagers. And it 
looks like [3] a lot of folks take the same 'trash the distro' perspective as 
openvas [1] which is unfortunate. Perhaps we could ask the CentOS-extras (and a 
RHEL or EPEL ticket) folks if they would be willing to rebuild the needed 
packages from an old Fedora RPM if they are not yet available in an EL 
repository. Have you checked EPEL?


[0] https://www.centos.org/forums/viewtopic.php?t=48421
[1] https://wiki.openvas.org/index.php/Generate_a_PDF_report#CentOS_7
[2] https://tex.stackexchange.com/a/166140
[3] https://www.centos.org/forums/viewtopic.php?t=54410

--
Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or modify the 
terms of any contract.




--
-=-
Sent from my laptop, may not be able to respond timely


[CentOS] Extreme frustration with GIMP

2017-07-07 Thread Alice Wonder

I am not a graphics person. Also can't afford to hire one.

Trying to follow instructions at 
https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html


I use the "intelligent scissors" just like they say, spend quite a bit 
of effort doing so.


Then click the foreground select tool - just like they say - and 
suddenly everything I did with the intelligent tool is undone.


WTF?

Does anyone know of an actual GIMP tutorial for removing background that 
doesn't cause me to throw a damn brick through my monitor?


Photoshop makes it easy, but clearly GIMP developers have a completely 
different philosophy on how a graphics tool should work and I can't 
figure out what their philosophy is.



Re: [CentOS] GPX files

2017-05-30 Thread Alice Wonder
At one point in time I wrote a script that converted gpx to kml so I 
could view them in Google Earth but it's been years since I did that.


I don't know if Google Earth for Linux still exists.

On 05/30/2017 04:02 PM, J Martin Rushton wrote:

I have a Garmin 78s marine GPS receiver and it stores tracks in GPX
format.  This is an XML encoded set of points giving longitude,
latitude, time and sea depth.  Garmin support viewing this via their
Garmin Express product, but there only seem to be Windows and Mac
versions.  I've emailed them and await a reply.  In the mean time, does
anyone know of any Linux products that will enable me to view track data
on a decent sized screen?  I don't want to re-invent the wheel by coding
up a hack myself.

Thanks,
Martin






Re: [CentOS] Low random entropy

2017-05-27 Thread Alice Wonder

On 05/27/2017 08:32 PM, Robert Moskowitz wrote:



On 05/26/2017 08:35 PM, Leon Fauster wrote:

On 27.05.2017 at 01:09, Robert Moskowitz wrote:

I am used to low random entropy on my arm boards, not an intel.

On my Lenovo x120e,

cat /proc/sys/kernel/random/entropy_avail

reports 3190 bits of entropy.

On my armv7 with Centos7 I would get 130 unless I installed rng-tools
and then I get ~1300.  SSH into one and it drops back to 30! for a
few minutes.  Sigh.

Anyway on my new Zotac nano ad12 with an AMD E-1800 dual core, I am
seeing 180.

I installed rng-tools and no change.  Does anyone here know how to
improve the random entropy?


http://issihosts.com/haveged/

EPEL: yum install haveged


WOW!!!

installed, enabled, and started.

Entropy jumped from ~130 bits to ~2000 bits

thanks

Note to anyone running a web server, or creating certs.  You need
entropy.  Without it your keys are weak and attackable.  Probably even
known already.



Indeed. Installing haveged is the first thing I do when setting up a new 
CentOS 7 machine.


Rebooting and verifying it starts on boot is the second.


Re: [CentOS] What's Next

2017-05-16 Thread Alice Wonder

On 05/16/2017 09:54 PM, John R Pierce wrote:

On 5/16/2017 8:34 PM, Eugene Poole wrote:

OK, AMD has announced its new line of server and desktop processors.
What level of CentOS has been tested on them? OK then, when will
CentOS be tested on them? Or do we wait for Red Hat?


If AMD's new CPUs aren't 100% compatible with existing software w/o
needing special versions, AMD is shooting themselves in the foot.




There's a difference between compatible and optimal.

I can use my nVidia card with CentOS without needing to install any 
special drivers. It will work. However it works better with drivers 
specifically designed for it.


The same *may* be true of chipsets for AMD. I do not know, but would 
like to know. It's possible that it will install and boot but work 
better with drivers that Red Hat does not (yet) include in their kernel.


Time will tell. I suspect if that is the case and if AMD is open with 
their chipset that RHEL engineers will backport the drivers. But that 
may not be an issue so I guess it is wait and see, unless someone knows.


Re: [CentOS] SAN certificates for multiple domains and multiple services

2017-04-28 Thread Alice Wonder
I'm not sure I understand fully what you are doing but for postfix, use 
self-signed certs.


I have a script for generating a self-signed X.509v3 with SAN

https://github.com/AliceWonderMiscreations/SimpleCA/blob/master/keyGenMX_Dane.sh

(that project is not even close to being ready yet, ignore the various 
.md files there, but that particular script is ready and I use it in 
production)


The way that script is used -

sh keyGenMX_Dane.sh example1.com example2.com example1.net example2.net

It will create a self-signed X.509v3 certificate with SAN for whatever 
domains are listed as arguments.


It creates a 3-year certificate, you can edit it to do longer if you want.

It creates 3072-bit RSA but you can edit the script to do 2048 or 4096 
if you prefer.


Whatever you use, it is recommended your postfix be configured to use DH 
parameters of equal or greater bits.


It also calculates the DANE TLSA fingerprints if you want to use those 
with DNSSEC but you don't have to.


-=-

Spending money on a commercial CA signed certificate for postfix is a 
waste of money because other servers don't check the certificate before 
sending, because the alternative to encryption is plain text anyway.


On 04/28/2017 01:37 AM, Nicolas Kovacs wrote:

Hi,

I'm currently installing and configuring CentOS 7 on a public server.
The machine will host a few small-to-midsize projects that are currently
running on a handful of Slackware servers: public library databases, our
public school's agenda, a small webradio, OwnCloud for myself and a
local non-profit, etc.

Until recently I've mostly used self-signed SSL certificates for stuff
needing a secure connection. Then, some time ago, I discovered
LetsEncrypt and Certbot, which works very well, so I moved secure web
hosting to using a free LetsEncrypt certificate.

Now I want to take this to the next level and use these free
certificates for multiple services. Not only web hosting, but also
Postfix/Dovecot for mail and Prosody for XMPP.

I had to fiddle a bit for permissions, so everything can access the
certificate and key files right. I created a certs group and gave
everything under /etc/letsencrypt/live to root:certs. Then, when a
system user has to access this stuff, I simply add him to the certs group.

Then came a moment when I hit a wall, because Postfix can't handle
multiple certificates, only one. Let's say I have these domains on my
server:

  * example1.com
  * example2.com
  * example1.net
  * example2.net

When setting up Postfix, I can do one of these things:

1. continue to use a self-signed SSL certificate

2. choose one "preferred" domain on my server

3. setup multi-domain (SAN) certificates

I tried the SAN certificates (after experimenting a lot and getting it
right), and this stuff seems to work. I have one big bundle of
certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr
(sd-41XXX.dedibox.fr being my server's FQDN), and I have all the
certificates for all domains and subdomains of example1.com,
example2.com, example1.net and example2.net.

So before I go any further with this, I'm asking the more technically
proficient admins here. Are there any drawbacks to using this solution?
Is it problematic to bundle all my certificates into one big fat SAN
certificate? This being said, the machine will host a maximum of two
dozen domains, each with a handful of subdomains like mail.example1.com,
xmpp.example1.com, etc.)

Cheers,

Niki Kovacs



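A worked derivation of the "3 1 1" TLSA record that the script above computes, as an added example (it is not code from the thread or from the SimpleCA project linked there). It parses a DER certificate with a minimal ASN.1 walk, pulls out the SubjectPublicKeyInfo and the subjectAltName dNSNames, and formats the TLSA RDATA. The certificate it runs on is constructed in-code with a dummy RSA modulus and a dummy signature so the script runs offline; the TLSA owner name `_25._tcp.mx.example1.com` is hypothetical.

```python
import hashlib

# OIDs as DER content octets (dotted form in the comments)
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")                     # 2.5.29.17 subjectAltName


def der(tag, content):
    """Encode one DER TLV (definite length, long form above 127 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def tlvs(buf):
    """Yield (tag, content, raw_tlv) for each TLV in a DER-encoded sequence body."""
    pos = 0
    while pos < len(buf):
        tag, first, hdr = buf[pos], buf[pos + 1], 2
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        else:
            length = first
        end = pos + hdr + length
        yield tag, buf[pos + hdr:end], buf[pos:end]
        pos = end


def tbs_fields(cert_der):
    """Top-level TLVs of tbsCertificate, with the optional [0] version removed."""
    (_, cert_body, _), = tlvs(cert_der)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs = next(tlvs(cert_body))[1]             # first element is tbsCertificate
    items = list(tlvs(tbs))
    return items[1:] if items and items[0][0] == 0xA0 else items


def extract_spki(cert_der):
    """DER of subjectPublicKeyInfo; serial, sigAlg, issuer, validity, subject precede it."""
    return tbs_fields(cert_der)[5][2]


def san_dns_names(cert_der):
    """dNSName entries of the subjectAltName extension (empty list if absent)."""
    names = []
    for tag, content, _ in tbs_fields(cert_der):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        (_, ext_list, _), = tlvs(content)      # Extensions ::= SEQUENCE OF Extension
        for _, ext, _ in tlvs(ext_list):
            parts = list(tlvs(ext))            # extnID, [critical], extnValue
            if parts[0][1] == OID_SAN:
                (_, general_names, _), = tlvs(parts[-1][1])   # OCTET STRING holds GeneralNames
                names += [c.decode("ascii") for t, c, _ in tlvs(general_names) if t == 0x82]
    return names


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA. 3 1 1 = DANE-EE, SubjectPublicKeyInfo, SHA-256 (the form used in the thread)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        digest = data.hex()
    elif mtype == 1:
        digest = sha256_hex(data)
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {digest}"


def build_demo_cert(dns_names):
    """Constructed v3 certificate shell with a dummy modulus and dummy signature (not a usable key)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, dns_names[0].encode()))))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"170428000000Z") + der(0x17, b"200428000000Z"))
    modulus = b"\x00\xc1" + bytes(range(1, 32))           # dummy INTEGER, DER-minimal encoding
    rsa_pub = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_pub))
    general_names = der(0x30, b"".join(der(0x82, n.encode()) for n in dns_names))
    san_ext = der(0x30, der(0x06, OID_SAN) + der(0x04, general_names))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name
              + validity + name + spki + der(0xA3, der(0x30, san_ext)))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = build_demo_cert(["example1.com", "example2.com", "example1.net", "example2.net"])
    print("SAN dNSNames:", ", ".join(san_dns_names(cert)))
    # hypothetical owner name: _<port>._tcp.<MX hostname>, as RFC 6698 lays it out
    print("_25._tcp.mx.example1.com. IN TLSA", tlsa_rdata(cert))
```

For a real certificate, pass the bytes of a DER file (convert PEM with `openssl x509 -in cert.pem -outform DER`); the digest is the same one that `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints. Selector 1 hashes only the public key, so a renewal that keeps the key leaves the TLSA record valid, which is what makes usage 3, selector 1 convenient for self-signed MX certificates.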


Re: [CentOS] What besides Postfix should not start until system time set?

2017-04-20 Thread Alice Wonder

On 04/20/2017 02:00 PM, Robert Moskowitz wrote:

So I have learned that Postfix should delay until Chronyd has moved the
system time from 0 to current.

What other services need to be delayed?


Apache?
Bind?

Of course if this is a nameserver, Chronyd will probably not be able to
resolve the NTP server addresses until Bind is running!

thanks


I use unbound on all my servers listening only on the localhost, not 
sure if it needs the current time to be accurate when it starts or not 
but it never seems to be an issue.


I'm of the opinion every server should have locally provided DNSSEC 
enforcing DNS services simply because it takes away a potential attack 
vector to have local DNS queries stay local.


Re: [CentOS] Simple OCSP server ??

2017-04-16 Thread Alice Wonder

Oh I don't know, their github works.

However it seems that it isn't able to deal with more than one ocsp 
signing key.


On 04/16/2017 08:40 AM, Robert Moskowitz wrote:



On 04/14/2017 10:41 PM, Alice Wonder wrote:

https://www.openca.org/ might fit my needs.


their Centos repo does not exist, it seems?



On 04/14/2017 06:29 PM, Alice Wonder wrote:

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't
just revoke their certificates by removing the DNS certificate, I'll
need to provide an OCSP server for when one of their private keys gets
compromised.

I found
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html

but it looks like that is intended for enterprise, more complex than I
need.

Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not*
be asking people to install my root certificate in their e-mail clients.
I think it is a bad practice to get users in the habit of installing
root certificates.

I think the PKI system has way way way too many root certificates as it
is. I want a world where DANE validates most certificates, and only a
few root certificates are needed for things like banks where EV
certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail
security, I hope clients implement it.





Re: [CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.

2017-04-16 Thread Alice Wonder

On 04/16/2017 06:51 AM, Andrew Holway wrote:


There is no doubt that most security agencies have a long list of zero-

day exploits in their toolbox - I would hazard to suggest that they
wouldn't be doing their job if they didn't! But I seriously doubt they
would commission exploitable code in something that is openly
auditable.

P.



P., I used to think that too... indeed, I was thoroughly convinced of it.
But reality changed my mind.



Indeed. I think the assertion "OSS is somehow safer because of community
audit" is a logical fallacy. How would one go about "auditing" in the first
place? Even if the various Intelligence agencies are not injecting
vulnerabilities then they would certainly be in a strong position to
discover some of the holes already existing some time before they become
public.


I'm more worried about cloud services and the large number of root 
certificates that software trusts by default.


That's where a lot of the hacks are going to happen, and AFAIK the only 
defense against it is DNSSEC + DANE which very few zones actually utilize.



Re: [CentOS] Simple OCSP server ??

2017-04-14 Thread Alice Wonder

https://www.openca.org/ might fit my needs.

On 04/14/2017 06:29 PM, Alice Wonder wrote:

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't
just revoke their certificates by removing the DNS certificate, I'll
need to provide an OCSP server for when one of their private keys gets
compromised.

I found
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
but it looks like that is intended for enterprise, more complex than I
need.

Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not*
be asking people to install my root certificate in their e-mail clients.
I think it is a bad practice to get users in the habit of installing
root certificates.

I think the PKI system has way way way too many root certificates as it
is. I want a world where DANE validates most certificates, and only a
few root certificates are needed for things like banks where EV
certificates are a must.

DANE as a way to validate S/MIME I think will be a godsend to e-mail
security, I hope clients implement it.


Re: [CentOS] connection state tracking with DNS [was Primary DNS...]

2017-04-14 Thread Alice Wonder

On 04/14/2017 06:54 PM, Gordon Messmer wrote:

On 04/11/2017 04:16 PM, Alice Wonder wrote:

Hi, I would like to see this addressed.
Is there a firewalld solution to this issue?



Yes:

# Disable connection tracking for UDP DNS traffic
#
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m
conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m
conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p
udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p
udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp
-m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp
-m udp --sport 53 -j CT --notrack
firewall-cmd --reload




Thank you!



[CentOS] Simple OCSP server ??

2017-04-14 Thread Alice Wonder

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP 
for validation of S/MIME certificates via DANE.


I already use self-signed for my MX servers (with 3 1 1 dane records on 
TCP port 25) but I don't want to use self-signed for S/MIME for user 
specific x.509 certs because


A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that 
signs the user x.509 certificates.


Using an intermediary to sign their certificates though means I can't 
just revoke their certificates by removing the DNS certificate, I'll 
need to provide an OCSP server for when one of their private keys gets 
compromised.


I found 
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html 
but it looks like that is intended for enterprise, more complex than I need.


Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not* 
be asking people to install my root certificate in their e-mail clients. 
I think it is a bad practice to get users in the habit of installing 
root certificates.


I think the PKI system has way way way too many root certificates as it 
is. I want a world where DANE validates most certificates, and only a 
few root certificates are needed for things like banks where EV 
certificates are a must.


DANE as a way to validate S/MIME I think will be a godsend to e-mail 
security, I hope clients implement it.


Re: [CentOS] bind vs. bind-chroot

2017-04-13 Thread Alice Wonder

On 04/13/2017 03:15 AM, Robert Moskowitz wrote:



On 04/13/2017 04:23 AM, Alice Wonder wrote:

On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:

On 13/04/2017 at 04:27, Robert Moskowitz wrote:

But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.


I bluntly admit not using SELinux, because until now, I mainly used more
bone-headed systems that didn't implement it. Maybe this is the right
time to get started.

I understand there's a wealth of information about SELinux. Any
recommendations for a newbie-friendly primer? I don't mind to RTFM, even
extensive documentation, but I prefer stuff that's well-written.

Cheers,

Niki



I don't use SELinux because it gets in my way far more than it ever
actually protects me from anything.

I'm sure there are systems where it absolutely is necessary, but I
don't like to have stuff fail because I used mv instead of cp to
install a certificate, for example.


I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not
get to sit down with him on this at IETF.  So I don't know what certs I
will need as yet.  For my mailserver, I am using self-signed, and see my
Apache setup, towards the end, how I create a set of certs:

http://medon.htt-consult.com/Centos7-mailserver.html#Setting%20up%20Apache

I had some help on this from the OpenSSL list.



For authoritative DNS I also do not use chroot but authoritative DNS
is all those servers do, and I use zones signed externally via DNSSEC
(no private keys on the server)


Something to consider, but I would do it on one of my internal systems.
Not a third party; why should I trust them?  Unless they are providing a
full DNS PKI service.




I meant DNSSEC signing is done externally to the authoritative DNS.

I do the signing myself. Point being if someone hacked my authoritative 
DNS server, they could not alter my zone files in a way DNSSEC enforcing 
resolvers would accept because the signing keys are not there.


Re: [CentOS] bind vs. bind-chroot

2017-04-13 Thread Alice Wonder

On 04/13/2017 01:05 AM, Nicolas Kovacs wrote:

On 13/04/2017 at 04:27, Robert Moskowitz wrote:

But make sure to have SELinux enabled if you do not run it chrooted.

I have mine running that way.


I bluntly admit not using SELinux, because until now, I mainly used more
bone-headed systems that didn't implement it. Maybe this is the right
time to get started.

I understand there's a wealth of information about SELinux. Any
recommendations for a newbie-friendly primer? I don't mind to RTFM, even
extensive documentation, but I prefer stuff that's well-written.

Cheers,

Niki



I don't use SELinux because it gets in my way far more than it ever 
actually protects me from anything.


I'm sure there are systems where it absolutely is necessary, but I don't 
like to have stuff fail because I used mv instead of cp to install a 
certificate, for example.


For authoritative DNS I also do not use chroot but authoritative DNS is 
all those servers do, and I use zones signed externally via DNSSEC (no 
private keys on the server)


Re: [CentOS] Enterprise Linux Slack

2017-04-12 Thread Alice Wonder

On 04/12/2017 09:36 AM, Phelps, Matthew wrote:

On Wed, Apr 12, 2017 at 12:26 PM, Nux!  wrote:


To be honest Freenode is nice and I'd be sad to see it replaced with
anything.
So cool to be a "/join #project" away from getting help.



IRC is a problem for those of us behind government/corporate firewalls. IRC
is perceived as a hacker haven and is usually blocked.




I seem to recall some web-based IRC clients existing.


[CentOS] humor (was Re: OT: systemd Poll)

2017-04-12 Thread Alice Wonder

On 04/12/2017 05:59 AM, Leroy Tennison wrote:

Why don't we discuss something ***less*** controversial, like 
politics or religion?



Even when I'm the one complaining (and I don't about systemd), I'm 
always reminded of some TV clip I saw when I was young and can't place 
of a bunch of old people complaining :


"Well we've never done it that way before"


Re: [CentOS] Enterprise Linux Slack

2017-04-12 Thread Alice Wonder

On 04/12/2017 05:28 AM, Alice Wonder wrote:

On 04/12/2017 05:23 AM, Andrew Holway wrote:

Hello,

Considering the relative decline of IRC (sorry folks) I have set up a
Slack
for Enterprise Linux. I've been using "pythondev.slack.com" and honestly,
it's a fantastic tool for community support with really nice features for
computer centric discussion.

https://enterpriselinux.slack.com/shared_invite/MTY4MTM5NjQ2NTc5LTE0OTE5OTkyNTctMjkyNGU1NWQzOA


My hope is that those running Rhel and Centos can have a common place to
flame war about SystemD, what to do when FreeIPA replication breaks
and how
to give your network interfaces sensible names without having to use a
pastebin.

Thoughts? Experiences?



Well it claims to have sent me an e-mail but so far it hasn't.



Might be:

Apr 12 12:29:23 li796-67 postfix/smtpd[942]: warning: hostname 
ddit888.net does not resolve to address 211.72.214.34: Name or service 
not known
Apr 12 12:29:23 li796-67 postfix/smtpd[942]: connect from 
unknown[211.72.214.34]
Apr 12 12:29:25 li796-67 postfix/smtpd[942]: disconnect from 
unknown[211.72.214.34]


Not sure, it connected and then disconnected at the right time but no 
message. All other maillog entries at the right time are accounted for.


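One way to do the correlation above by script instead of by eye, as an added example that is not part of the thread: group Postfix smtpd connect/disconnect pairs by process id, record whether a queue id (`client=` line) or a `NOQUEUE: reject` appears in between, and flag the sessions that connected and left without submitting anything. The sample log is constructed: its first three lines are the ones quoted above, while the other host names, IPs (documentation ranges) and the queue id are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample; lines 1-3 are the entries quoted in the thread, the rest are invented.
SAMPLE_LOG = """\
Apr 12 12:29:23 li796-67 postfix/smtpd[942]: warning: hostname ddit888.net does not resolve to address 211.72.214.34: Name or service not known
Apr 12 12:29:23 li796-67 postfix/smtpd[942]: connect from unknown[211.72.214.34]
Apr 12 12:29:25 li796-67 postfix/smtpd[942]: disconnect from unknown[211.72.214.34]
Apr 12 12:31:02 li796-67 postfix/smtpd[950]: connect from mail.example.com[192.0.2.10]
Apr 12 12:31:03 li796-67 postfix/smtpd[950]: 3A1F2B0C9D: client=mail.example.com[192.0.2.10]
Apr 12 12:31:03 li796-67 postfix/cleanup[951]: 3A1F2B0C9D: message-id=<20170412123103.1@mail.example.com>
Apr 12 12:31:03 li796-67 postfix/qmgr[900]: 3A1F2B0C9D: from=<invite@example.com>, size=2048, nrcpt=1 (queue active)
Apr 12 12:31:04 li796-67 postfix/smtpd[950]: disconnect from mail.example.com[192.0.2.10]
Apr 12 12:35:10 li796-67 postfix/smtpd[955]: connect from unknown[198.51.100.7]
Apr 12 12:35:11 li796-67 postfix/smtpd[955]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<x@example.org> to=<someone@example.net> proto=ESMTP helo=<x>
Apr 12 12:35:11 li796-67 postfix/smtpd[955]: disconnect from unknown[198.51.100.7]
""".splitlines()

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<name>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\]")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=")       # a message was accepted for queueing
REJECT_RE = re.compile(r"^NOQUEUE: reject: ")
NODNS_RE = re.compile(r"^warning: hostname \S+ does not resolve to address (?P<ip>\S+):")


@dataclass
class Session:
    pid: str
    ip: str
    name: str
    start: str
    end: str = ""
    queue_ids: list = field(default_factory=list)
    rejects: int = 0
    dns_warning: bool = False

    @property
    def verdict(self):
        if self.queue_ids:
            return "queued"
        if self.rejects:
            return "rejected"
        return "empty"          # connected and disconnected without submitting anything


def parse_sessions(lines):
    """Rebuild smtpd sessions from maillog lines; only postfix/smtpd entries matter here."""
    open_sessions = {}          # smtpd pid -> Session in progress
    pending_dns = set()         # IPs whose reverse-DNS warning preceded their connect line
    finished = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m or m["prog"] != "smtpd":
            continue
        pid, msg, ts = m["pid"], m["msg"], m["ts"]
        nodns, conn = NODNS_RE.match(msg), CONNECT_RE.match(msg)
        if nodns:
            pending_dns.add(nodns["ip"])
        elif conn:
            s = Session(pid, conn["ip"], conn["name"], ts, dns_warning=conn["ip"] in pending_dns)
            pending_dns.discard(conn["ip"])
            open_sessions[pid] = s
        elif pid in open_sessions:
            s = open_sessions[pid]
            client = CLIENT_RE.match(msg)
            if client:
                s.queue_ids.append(client["qid"])
            elif REJECT_RE.match(msg):
                s.rejects += 1
            elif DISCONNECT_RE.match(msg):
                s.end = ts
                finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())   # still open at end of log: no end time
    return finished


def summarize(sessions):
    """Client IPs grouped by verdict, e.g. {'empty': ['211.72.214.34'], ...}."""
    out = {}
    for s in sessions:
        out.setdefault(s.verdict, []).append(s.ip)
    return out


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        flag = " (no reverse DNS)" if s.dns_warning else ""
        print(f"{s.start} -> {s.end or '?'}  {s.name}[{s.ip}]  {s.verdict}{flag}  {s.queue_ids}")
```

To run it over the real file, pass `open("/var/log/maillog")` instead of `SAMPLE_LOG`. An "empty" session from an unresolvable host is the pattern in the quoted lines; an invitation mail that was actually delivered would show up as "queued" with a queue id you can then follow through the cleanup and qmgr lines.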


Re: [CentOS] Enterprise Linux Slack

2017-04-12 Thread Alice Wonder

On 04/12/2017 05:23 AM, Andrew Holway wrote:

Hello,

Considering the relative decline of IRC (sorry folks) I have set up a Slack
for Enterprise Linux. I've been using "pythondev.slack.com" and honestly,
it's a fantastic tool for community support with really nice features for
computer centric discussion.

https://enterpriselinux.slack.com/shared_invite/MTY4MTM5NjQ2NTc5LTE0OTE5OTkyNTctMjkyNGU1NWQzOA

My hope is that those running Rhel and Centos can have a common place to
flame war about SystemD, what to do when FreeIPA replication breaks and how
to give your network interfaces sensible names without having to use a
pastebin.

Thoughts? Experiences?



Well it claims to have sent me an e-mail but so far it hasn't.


Re: [CentOS] Network Manager / CentOS 7 / local unbound

2017-04-12 Thread Alice Wonder

I think configuring NetworkManager not to touch it is the right solution.

Unless there are cases where NetworkManager ignores its configuration 
but I haven't seen those.


A fancier solution might be to have some kind of systemd script that 
rewrites it if and only if the unbound daemon has successfully started 
and I thought about looking in to doing that, but that means if the 
unbound daemon for some reason doesn't start, it would be using the less 
secure ISP provided DNS resolution and I'd rather have it fail so I know 
there's a problem and can investigate.


On 04/12/2017 02:02 AM, Nux! wrote:

OR just make the file immutable if it's so critical to you.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -

From: "Jon LaBadie" <j...@labadie.us>
To: "CentOS mailing list" <centos@centos.org>
Sent: Wednesday, 12 April, 2017 07:16:22
Subject: Re: [CentOS] Network Manager / CentOS 7 / local unbound



On Tue, Apr 11, 2017 at 01:40:21AM -0700, Alice Wonder wrote:

Hello list -

http://unix.stackexchange.com/questions/90035/how-to-set-dns-resolver-in-fedora-using-network-manager

That says it works for CentOS 5 and I *suspect* the methods there (3 listed)
would work, but what is the best way with NetworkManager to set it up to use
the localhost for DNS ?

I'm paranoid about DNS spoofing and really prefer to have a local instance
of DNSSEC enforcing unbound running on my CentOS 7 virtual machines (e.g.
linode)

Currently I just use a cron job that runs once a minute to over-write what is in
is /etc/resolv.conf so they don't use the DHCP assigned nameservers, but
that does leave a short window every time the network is restarted.


Besides the suggested configs, if still worried you could set up
an inotify watch on /etc/resolv.conf to let you know, or take
action, whenever it changes.

jon
--
Jon H. LaBadie j...@jgcomp.com
11226 South Shore Rd.  (703) 787-0688 (H)
Reston, VA  20190  (703) 935-6720 (C)


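A drift check for the setup discussed above, as an added example that is not from the thread: it confirms `dns=none` under `[main]` in NetworkManager.conf, the setting the thread settles on, and that every `nameserver` in /etc/resolv.conf is a loopback address, so the host is really using the local validating unbound rather than a DHCP-supplied resolver. The two sample configurations are constructed; the file paths are the standard CentOS 7 ones.

```python
import configparser
import ipaddress
from pathlib import Path

NM_CONF = "/etc/NetworkManager/NetworkManager.conf"   # standard CentOS 7 paths
RESOLV_CONF = "/etc/resolv.conf"

# Constructed samples: one host configured as intended, one left at the defaults.
SAMPLE_NM_GOOD = "[main]\nplugins=ifcfg-rh\ndns=none\n"
SAMPLE_NM_BAD = "[main]\nplugins=ifcfg-rh\n"
SAMPLE_RESOLV_GOOD = "# hand-maintained, unbound listens on loopback\nnameserver 127.0.0.1\nnameserver ::1\n"
SAMPLE_RESOLV_BAD = "; generated by NetworkManager\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"


def nm_leaves_resolv_alone(conf_text):
    """True when [main] dns=none is set, so NetworkManager never rewrites resolv.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("main", "dns", fallback="").strip().lower() == "none"


def resolv_nameservers(resolv_text):
    """nameserver addresses from resolv.conf, ignoring # and ; comments."""
    servers = []
    for raw in resolv_text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def only_loopback(servers):
    """True when there is at least one nameserver and all of them are loopback addresses."""
    try:
        return bool(servers) and all(ipaddress.ip_address(s).is_loopback for s in servers)
    except ValueError:          # unparsable address: report it as a finding rather than crash
        return False


def audit(conf_text, resolv_text):
    """Findings for one host; an empty list means both checks passed."""
    findings = []
    if not nm_leaves_resolv_alone(conf_text):
        findings.append("NetworkManager.conf: [main] dns=none is not set")
    servers = resolv_nameservers(resolv_text)
    if not only_loopback(servers):
        findings.append(f"resolv.conf: nameservers are not all loopback: {servers}")
    return findings


if __name__ == "__main__":
    print("sample good host:", audit(SAMPLE_NM_GOOD, SAMPLE_RESOLV_GOOD) or "OK")
    print("sample bad host: ", audit(SAMPLE_NM_BAD, SAMPLE_RESOLV_BAD))
    if Path(NM_CONF).exists() and Path(RESOLV_CONF).exists():
        print("this host:       ", audit(Path(NM_CONF).read_text(), Path(RESOLV_CONF).read_text()) or "OK")
```

Run from cron, or from the inotify watch suggested above, it reports rather than repairs, which matches the preference stated above for a visible failure over a silent fall-back to the ISP's resolver.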


[CentOS] connection state tracking with DNS [was Primary DNS...]

2017-04-11 Thread Alice Wonder

Hi, I would like to see this addressed.

I found more information on the issue at 
https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html


Is there a firewalld solution to this issue?

On 04/11/2017 11:05 AM, Chris Adams wrote:

One additional DNS server note: you should disable firewalld for any DNS
server, caching or authoritative.  If you need firewalling, use straight
iptables.

The reason is that firewalld always enables connection state tracking
(at least as far as I can tell), and that should never be used in front
of a DNS server.  A public authoritative server or any caching server
can get a high rate of requests, and having the kernel firewalling
trying to track connection states is a bottleneck (one that will be
reached before DNS software's limits).

If you must firewall a DNS server, use straight iptables and do not use
connection state tracking.




Re: [CentOS] OT: systemd Poll

2017-04-11 Thread Alice Wonder

On 04/11/2017 10:36 AM, Gordon Messmer wrote:

On 04/11/2017 10:16 AM, Nicolas Kovacs wrote:

I just read through this thread, and I must say I'm a bit worried, to
the point that I'm asking myself: is CentOS still as reliable as it was?



Yes. I've been very happy with release 7 across hundreds of servers and
dozens of configurations.




Ditto that. CentOS 7 has been an amazing release for me.


Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7

2017-04-11 Thread Alice Wonder
If you are looking for a recursive resolver, I would highly recommend 
unbound.


If you are looking for an authoritative DNS server, I would highly 
recommend NSD.


I run both and find both extremely easy to configure and maintain.

Both are available from the EPEL repositories.

I stopped using bind years ago and never looked back.

On 04/11/2017 10:05 AM, Nicolas Kovacs wrote:

Hi,

I just installed CentOS 7 on a public server. I'd like to setup BIND as
a primary DNS server for a few domains.

Until now, all my public machines were running Slackware Linux, and
setting up BIND on a Slackware machine is relatively easy. In its out of
the box configuration, it has a bone-headed caching nameserver role,
which is quite easy to expand to a primary nameserver. Here's my
documentation. It's in French, but the *nix bits are universal.

http://blog.microlinux.fr/bind-slackware/

On my server running CentOS, I notice things are more complicated in the
default configuration. The problem here is not so much documentation,
but more like the wealth of information on the subject of BIND on
CentOS, with often contradicting information.

Is there a *reliable* more or less quick & dirty tutorial on how to get
BIND up and running as a primary public nameserver, with the default
configuration as a starting point? Think "recipe for pasta" and not
"degree in food chemistry". :o)

Cheers,

Niki




Re: [CentOS] OT: systemd Poll

2017-04-11 Thread Alice Wonder

On 04/11/2017 05:39 AM, Alice Wonder wrote:

On 04/11/2017 05:30 AM, Jonathan Billings wrote:

On Tue, Apr 11, 2017 at 08:09:01AM -0400, Pete Orrall wrote:

And *why* random NIC names? Quick, you've got servers from 5
manufacturers, of different ages... what's the NIC going to be
called? Do
names like enp5s0 offer any convenience to *anyone* not a hardware
engineer?


As someone else had stated, it's not related to SystemD but
Fedora/RHEL has changed the way they handle some things.  NICs, for
instance, are no longer named after the device number (eth0, eth1,
eth2, etc.) but after the *driver* name.  Yes, it's a change but it
also makes sense.  IIRC this is how FreeBSD handles NIC names.


It's true that FreeBSD names their network interfaces after the driver.

But the consistent device naming in Linux comes from slot index
numbers, physical location and even the MAC (if so configured), and
not what driver it uses.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html#sec-Naming_Schemes_Hierarchy




Okay that makes sense.

eno1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 0c:c4:7a:c8:a5:4c  txqueuelen 1000  (Ethernet)
eno2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 0c:c4:7a:c8:a5:4d  txqueuelen 1000  (Ethernet)

Those two are my onboard nic, Intel - Scheme 1

enp10s0f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:37  txqueuelen 1000  (Ethernet)
enp10s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:36  txqueuelen 1000  (Ethernet)
enp9s0f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:35  txqueuelen 1000  (Ethernet)
enp9s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

Those four are on a PCI-E card, Intel - Scheme 3

05:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network
Connection (rev 03)
06:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network
Connection (rev 03)
09:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
Controller (Copper) (rev 06)
09:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
Controller (Copper) (rev 06)
0a:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
Controller (Copper) (rev 06)
0a:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
Controller (Copper) (rev 06)

Anyway thanks for that link.


er, I meant to add that the 09: seems to correspond with the enp9s* and 
the 0a: seems to correspond with the enp10s*


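The correspondence worked out above, as an added example that is not from the thread: parse the predictable names into PCI addresses and back. The bus and slot numbers in `enp10s0f0` are decimal while `lspci` prints hexadecimal, which is why enp10s* lines up with 0a:00.*; the `f<function>` suffix appears only for multi-function devices, and an onboard index from firmware (eno1, eno2) takes precedence over the slot-based name. The interface names and addresses used are the ones listed above.

```python
import re

# en<...> ethernet, wl<...> WLAN, ww<...> WWAN; P<domain> appears only for a non-zero PCI domain
PCI_NAME_RE = re.compile(
    r"^(?P<prefix>en|wl|ww)(?:P(?P<domain>\d+))?p(?P<bus>\d+)s(?P<slot>\d+)(?:f(?P<func>\d+))?$"
)
ONBOARD_NAME_RE = re.compile(r"^(?P<prefix>en|wl|ww)o(?P<index>\d+)$")


def pci_address(ifname):
    """enp10s0f1 -> '0a:00.1' (lspci form; the domain is shown only when non-zero)."""
    m = PCI_NAME_RE.match(ifname)
    if not m:
        return None
    domain = int(m["domain"] or 0)
    addr = f"{int(m['bus']):02x}:{int(m['slot']):02x}.{int(m['func'] or 0)}"
    return addr if domain == 0 else f"{domain:04x}:{addr}"


def onboard_index(ifname):
    """eno2 -> 2 (firmware/SMBIOS onboard index); None for other names."""
    m = ONBOARD_NAME_RE.match(ifname)
    return int(m["index"]) if m else None


def ifname_for_pci(addr, multifunction=False, prefix="en"):
    """'0a:00.1' -> 'enp10s0f1'. The function suffix is emitted when the function is non-zero
    or the device is flagged multi-function, as it is for the two-port 82571EB cards above."""
    parts = addr.split(":")
    domain = int(parts[0], 16) if len(parts) == 3 else 0
    bus = int(parts[-2], 16)
    slot_hex, func_hex = parts[-1].split(".")
    slot, func = int(slot_hex, 16), int(func_hex, 16)
    name = f"{prefix}P{domain}p{bus}s{slot}" if domain else f"{prefix}p{bus}s{slot}"
    return f"{name}f{func}" if (multifunction or func) else name


def explain(ifnames):
    """Map each interface name to the scheme it came from and its index or PCI address."""
    result = {}
    for name in ifnames:
        if onboard_index(name) is not None:
            result[name] = ("onboard index", onboard_index(name))
        elif pci_address(name):
            result[name] = ("pci slot", pci_address(name))
        else:
            result[name] = ("other", None)
    return result


if __name__ == "__main__":
    names = ["eno1", "eno2", "enp10s0f0", "enp10s0f1", "enp9s0f0", "enp9s0f1"]
    for name, (scheme, detail) in explain(names).items():
        print(f"{name:10s} {scheme:14s} {detail}")
```

The decoded addresses can be checked directly against the `lspci` listing above: 09:00.0 and 09:00.1 become enp9s0f0 and enp9s0f1, 0a:00.0 and 0a:00.1 become enp10s0f0 and enp10s0f1, and the two I210 chips at 05:00.0 and 06:00.0 get eno1 and eno2 because the firmware marks them onboard.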


Re: [CentOS] OT: systemd Poll

2017-04-11 Thread Alice Wonder

On 04/11/2017 05:30 AM, Jonathan Billings wrote:

On Tue, Apr 11, 2017 at 08:09:01AM -0400, Pete Orrall wrote:

And *why* random NIC names? Quick, you've got servers from 5
manufacturers, of different ages... what's the NIC going to be called? Do
names like enp5s0 offer any convenience to *anyone* not a hardware
engineer?


As someone else had stated, it's not related to SystemD but
Fedora/RHEL has changed the way they handle some things.  NICs, for
instance, are no longer named after the device number (eth0, eth1,
eth2, etc.) but after the *driver* name.  Yes, it's a change but it
also makes sense.  IIRC this is how FreeBSD handles NIC names.


It's true that FreeBSD names their network interfaces after the driver.

But the consistent device naming in Linux comes from slot index
numbers, physical location and even the MAC (if so configured), and
not what driver it uses.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html#sec-Naming_Schemes_Hierarchy



Okay that makes sense.

eno1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 0c:c4:7a:c8:a5:4c  txqueuelen 1000  (Ethernet)
eno2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 0c:c4:7a:c8:a5:4d  txqueuelen 1000  (Ethernet)

Those two are my onboard nic, Intel - Scheme 1

enp10s0f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:37  txqueuelen 1000  (Ethernet)
enp10s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:36  txqueuelen 1000  (Ethernet)
enp9s0f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether 00:1b:21:94:72:35  txqueuelen 1000  (Ethernet)
enp9s0f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

Those four are on a PCI-E card, Intel - Scheme 3

05:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network 
Connection (rev 03)
06:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network 
Connection (rev 03)
09:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet 
Controller (Copper) (rev 06)
09:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet 
Controller (Copper) (rev 06)
0a:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet 
Controller (Copper) (rev 06)
0a:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet 
Controller (Copper) (rev 06)


Anyway thanks for that link.


Re: [CentOS] Network Manager / CentOS 7 / local unbound

2017-04-11 Thread Alice Wonder
From the man page that does tell it not to mess with /etc/resolv.conf - 
thank you. That will work.


On 04/11/2017 02:21 AM, anax wrote:

Hi Alice
man NetworkManager.conf

in /etc/NetworkManager/NetworkManager.conf


dns=none





*snip*

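The dns=none setting from the reply above, applied and checked by an added shell script (not code from the thread): it puts dns=none under [main] in a NetworkManager.conf-style file, writes the localhost-only resolv.conf the question asked for, and verifies the result. The sample config it edits is constructed; paths are parameters so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the thread): pin resolv.conf to a local
# DNSSEC-validating resolver and set dns=none under [main] so NetworkManager
# stops rewriting the file. File paths are parameters so the functions can be
# tried on scratch copies before being pointed at the real files.

# Put "dns=none" in the [main] section of a NetworkManager.conf-style file.
# Handles a missing [main] section, an existing dns= key with another value,
# and a file that already has the setting (idempotent).
nm_set_dns_none() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk '
        /^\[main\]/ { seen_main = 1; in_main = 1; print; next }
        /^\[/ { if (in_main && !done) { print "dns=none"; done = 1 }
                in_main = 0; print; next }
        in_main && /^[ \t]*dns[ \t]*=/ {
                if (!done) { print "dns=none"; done = 1 }
                next }
        { print }
        END { if (!seen_main) { print "[main]"; print "dns=none" }
              else if (!done) { print "dns=none" } }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Exit 0 only if dns=none is set inside [main]; a dns= key in another
# section or with another value (e.g. dns=default) does not count.
nm_dns_is_none() {
    awk '
        /^\[main\]/ { in_main = 1; next }
        /^\[/ { in_main = 0; next }
        in_main && /^[ \t]*dns[ \t]*=[ \t]*none[ \t]*$/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Write the resolv.conf the original question asked for: localhost only.
write_local_resolv() {
    printf 'nameserver 127.0.0.1\nnameserver ::1\n' > "$1"
}

# Demo on constructed scratch copies (no real system files are touched).
demo_dir=$(mktemp -d)
printf '[main]\nplugins=ifcfg-rh\ndns=default\n\n[logging]\nlevel=INFO\n' \
    > "$demo_dir/NetworkManager.conf"
nm_set_dns_none "$demo_dir/NetworkManager.conf"
write_local_resolv "$demo_dir/resolv.conf"
cat "$demo_dir/NetworkManager.conf" "$demo_dir/resolv.conf"
rm -rf "$demo_dir"
```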


[CentOS] Network Manager / CentOS 7 / local unbound

2017-04-11 Thread Alice Wonder

Hello list -

http://unix.stackexchange.com/questions/90035/how-to-set-dns-resolver-in-fedora-using-network-manager

That says it works for CentOS 5 and I *suspect* the methods there (3 
listed) would work, but what is the best way with NetworkManager to set 
it up to use the localhost for DNS ?


I'm paranoid about DNS spoofing and really prefer to have a local 
instance of DNSSEC enforcing unbound running on my CentOS 7 virtual 
machines (e.g. linode)


Currently I just use a cron job that runs once a minute to over-write 
what is in /etc/resolv.conf so they don't use the DHCP assigned 
nameservers, but that does leave a short window every time the network 
is restarted.


I'd like to know the proper way to set up Network Manager to just create

nameserver 127.0.0.1
nameserver ::1

in /etc/resolv.conf

Via google, it seems every distro approaches it differently and most 
instructions I have seen involve a GUI.


I did not see how to do it in the CentOS documentation but it might be 
there and I just did not figure out how to search it for what I wanted.


Those stackexchange methods look like they might work but they reference 
CentOS 5 and I know some NetworkManager stuff changed even just between 
7.2 and 7.3 as I experienced an incorrect IPv6 address after update as a 
result of those changes.


Is there an "official" way to tell NetworkManager what I want in 
/etc/resolv.conf ? Or better yet, a way to just tell it to leave that 
file alone?



Re: [CentOS] OT: systemd Poll

2017-04-10 Thread Alice Wonder

On 04/08/2017 09:39 PM, Anthony K wrote:

According to "Arthur Schopenhauer":

"All truth passes through three stages.
First, it is ridiculed.
Second, it is violently opposed.
Third, it is accepted as being self-evident."

I must admit that I skipped through the first and second stages - I
never found creating init scripts a joy and instead opted to write my
own scripts that I launched via inittab.  As such, I welcomed the
simplicity of systemd's service files without fuss.

So, at which stage are you in w/ regards to adopting systemd?  Are you
still ridiculing it, violently opposed to it, or have you mellowed to it?



I am using systemd, don't really have a problem with it.

It was different at first but so far I have managed to adjust.

It's different. For better or worse I can't say, but I can do what I 
need to do with it.




Re: [CentOS] Withdraw - Re: Roundcubemail 1.1.8 possible bug?

2017-04-05 Thread Alice Wonder

Leaving it off is a bad recommendation. Many have pointed that out.

The problem is that sometimes it results in content being sent after the 
php sends the content, when there is white space after the closing ?>


However the proper thing to do is make sure that you do not have white 
space after the closing ?>


Leaving the ?> off is sloppy coding and a sloppy solution.

On 04/05/2017 04:36 PM, Robert Moskowitz wrote:

I do not code php, I only use it in things like Roundcubemail, so I was
at first surprised that the config file was missing the closing ?> tag.
Then I noticed that ALL of the various php config files were missing
it.  So I did some googling and found out it is actually recommended to
leave it off.

Humph.

On 04/05/2017 12:09 PM, Robert Moskowitz wrote:

I am installing Roundcubemail on Centos7-arm

roundcubemail-1.1.8-1.el7.noarch

The installer web app creates a config.inc.php to save within the
/etc/roundcubemail/ directory.  It warns that:

"Make sure that there are no characters outside the  brackets
when saving the file."

Thing is there is no ?> at the end of this.  It is left out. So I got
to add that myself.  I should be able to just copy the content of the
text box, and paste it into a cat > /etc/roundcubemail/config.inc.php,
but I am left having to at least add the ending ?>




Re: [CentOS] M.2 PCI-E card

2017-04-03 Thread Alice Wonder

On 04/03/2017 06:17 PM, Chris Adams wrote:

Once upon a time, Alice Wonder <al...@domblogger.net> said:

I need a low profile PCI-E card that allows for up to 2 M.2 SSD
drives that is known to work with the stock kernel in CentOS 7.

Can anyone recommend one?


I can't recommend a specific one, but any adapter card should work.
However, note that M.2 is not a single "thing" to the computer; the
drive interface can be SATA, PCI-E AHCI, or PCI-E NVMe.  The first two
would look the same as a traditional SATA device to the OS, so should be
fine.  The third is a different interface; I haven't looked to see if
the CentOS 7 kernel supports NVMe (I suspect it does, but you should
check before buying an NVMe device).  I know that NVMe works fine with
recent Fedora.

Also note when choosing an adapter: the M.2 slot is keyed differently for
the different device types, so make sure you get an adapter that matches
your device.



Thanks! I ordered a 2.5" SATA drive and they screwed up and sent me M.2 
- I'll be sure to look at the booklet (Intel SSD 5 but there may be more 
than one variant?)



[CentOS] M.2 PCI-E card

2017-04-03 Thread Alice Wonder

Hello list,

My instinct says the vast majority will "just work" but I'll ask anyway.

I need a low profile PCI-E card that allows for up to 2 M.2 SSD drives 
that is known to work with the stock kernel in CentOS 7.


Can anyone recommend one?

Thanks


Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 02:57 PM, Valeri Galtsev wrote:


On Fri, March 31, 2017 4:46 pm, Alice Wonder wrote:

On 03/31/2017 02:40 PM, Kenneth Porter wrote:

On 3/31/2017 2:15 PM, Valeri Galtsev wrote:

Well, it sounds like you are one of the companies with whose effort I
have
to fight constantly in my own effort to protect our users from spam...


What makes Postfix superior in fighting spam?


I actually made two independent statements:

1. That I use postfix forever (postfix was written by Wietse Venema with
security in mind).

2. That the company the OP works for judging from my reading of OP's post
makes money by facilitating the creation of spam (by their customers).

By no means did I mean to say postfix is superior to sendmail in fighting
spam. Neither of them is designed for fighting spam, each of them is
merely MTA. Postfix, however, having human readable configs with rather
logical logics makes it easier (for me) to administer, therefore easier
(for me again) to integrate with anti-spam components (amavisd,
spamassassin, clamav - the last to scan for viruses - or rather virii I
should say as that is plural of latin word ;-)

Just my $0.02.

Valeri


That's pretty much why I started using postfix, I don't remember when 
but I believe it was with Red Hat 7 (pre Fedora days). It was much 
easier for me to configure postfix on a web application server and have 
it send encrypted to their MX than it was to configure sendmail. It was 
possible with sendmail but I wasted hours trying to get sendmail 
configured, first time with postfix was cake.


Now I use it because of the support for opportunistic DANE (I run an 
updated version, built from CentOS src.rpm but with version bump) so 
that when the receiving MX has DNSSEC with a TLSA record on port 25, I 
know the message is either delivered to that MX encrypted or not at all.


The attack that strips the STARTTLS causing plain text won't work when 
the receiving MX is configured with DANE. Right now Comcast is the only 
major ISP in the United States that has MX servers configured with DANE, 
but several small ones do as well, and several in Europe are as well 
(especially .nl and .de mail servers)


I don't know if sendmail has been updated to support DANE yet or not, 
but last time I looked, it did not.



Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 02:40 PM, Kenneth Porter wrote:

On 3/31/2017 2:15 PM, Valeri Galtsev wrote:

Well, it sounds like you are one of the companies with whose effort I
have
to fight constantly in my own effort to protect our users from spam...


What makes Postfix superior in fighting spam?

How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix?
Are there migration guides for moving one's Sendmail anti-spam and AV
configurations to Postfix?


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



I don't know about MIMEDefang but SpamAssassin and ClamAV are pretty 
straightforward. There are guides for both with Postfix all over the net.


MIMEDefang I have not heard of, but unless it does something really 
funky I suspect it also is easy to set up with Postfix.



Re: [CentOS] Sendmail is considered deprecated

2017-03-31 Thread Alice Wonder

On 03/31/2017 01:57 PM, Xinhuan Zheng wrote:

Hello,

Today I searched redhat official portal and learned that Sendmail is considered 
deprecated. By default, CentOS 7 will use postfix as MTA. I need good advice on 
what it means to us. We are CentOS customers. We have used that operating system for 
quite a few years. We have relied on Sendmail for years to relay large quantities 
of emails to our customers for marketing purposes. We build our additional 
fallback servers as well for fallback relays. We build our customized 
configuration for Sendmail too. I really need help to figure out if we can 
continue using Sendmail (even deprecated) for the long term and what the 
implications of doing so would be.
Thanks,

- xinhuan



You can still install sendmail, but postfix is the default, a decision I 
personally support as I have found it to be a lot easier to administer 
than sendmail with a much better security track record.


Historically, you would use system-switch-mail to select your preferred 
MTA to switch from the default.


I don't know if that is still the method, since the default now is what 
I prefer.



Re: [CentOS] sound problems... config?

2017-03-29 Thread Alice Wonder

On 03/29/2017 04:05 AM, ken wrote:

On 03/28/2017 11:40 PM, Alice Wonder wrote:

On 03/28/2017 05:53 PM, ken wrote:

The www has failed me with this, so I'm trying you guys.  Sound worked
great out of the box when I installed 7.2... Yay!  I could watch all
kinds of videos, like on facebook and youtube.  And I could listen to
most podcasts too.  But then something happened. It was either a kernel
upgrade or that I installed vlc (for watching videos on DVD) and the
whole stack of codecs for it... I don't know exactly when, but at some
point I no longer had sound with youtube  and other web videos. The
videos played fine, just no sound.  Note that using vlc, both video and
the audio with it play just fine.  I need to select the audio driver
(from a list in a vlc menu), however, else the sound won't work in vlc
either.

If I go into the Applications menu, then System Tools -> Settings ->
Sound, under "Choose a device for sound output:" there are no devices
listed.  There used to be.

If I run "aplayer file.wav", nothing plays (no sound at all) and I get
the error "main:786: audio open error: No such file or directory".  If,
on the other hand, I run "aplay file.wav -D plughw:0" (i.e., specify
the/a device), I do get sound, the file does play.

I ran alsa-info.sh and it posted tons of info from it on my setup at
http://www.alsa-project.org/db/?f=1dba91886be054df4816000768a0f5b109947a48.

Yet it still doesn't tell me what's missing.

Anyone here have an idea...? or thoughts about where to look next?

tia,
ken


I have a similar issue with USB headphones. Worked fine in 7.2 but in
7.3 I frequently have to unplug and plug them back in before it
finally is able to be selected from the menus as my output.

Once it is selected, it stays selected until next reboot.


Alice,

Thanks for your reply.  I believe you and I are looking at two separate
problems.  My system is capable of switching between the onboard
speakers and the headphones with no problem at all (when the sound is
working at all).  That is, when there's sound out of the onboards, I can
plug in the headphones and sound instantly comes out of them, and vice
versa... even in the middle of one and the same video.

In your case the problem may have more to do with USB.  USB is
notoriously slow... at least it used to be.  This is due to timing,
i.e., after loading the USB sub-system, the system has to query the USB
device to find out what it is (e.g., mouse, joystick, headphones,
touchpad, etc.) and there are a bazillion different kinds of USB
devices... a long list of things to query.  Not only that, but a single
query takes time: the system has to give the device time to respond-- it
used to be a second or two.   And there are ever more USB devices.
Maybe too your headphones are near the bottom of the long list of USB
devices.

I don't know that this is your situation.  It could be something else (a
half dozen other hang-ups).  But you might want to test by plugging in
your USB headphones and then leaving the plug in, waiting a couple
minutes to see if they start to work.

Alice, could you please post the output of these three commands (for
comparison purposes):

uname -r
ps -ef|grep -i alsa
aplayer -L

Thanks.




[alice@localhost ~]$ uname -r
3.10.0-514.6.2.el7.x86_64
[alice@localhost ~]$ ps -ef |grep -i alsa
root   858 1  0 Feb27 ?00:00:00 /usr/sbin/alsactl -s -n 
19 -c -E ALSA_CONFIG_PATH=/etc/alsa/alsactl.conf 
--initfile=/lib/alsa/init/00main rdaemon

alice29238 29155  0 09:03 pts/19   00:00:00 grep --color=auto -i alsa
[alice@localhost ~]$ aplayer -L
bash: aplayer: command not found...
[alice@localhost ~]$

-=-

Intel xeon on supermicro board

No onboard sound but unfortunately the video card has Intel HD audio 
associated with the HDMI out that for some reason the system always 
defaults to after boot even though there is no audio out on the video 
card (nvidia card) other than the HDMI which I only use for video.


I had blacklisted the Intel HD and that worked under CentOS 7.2 but I 
couldn't get USB audio to work in 7.3 until I removed the blacklisted Intel 
HD driver, but I'm not sure if that was cause and effect or coincidence.


I really wish USB sound would "just work" and that the sound preferences 
would remember I prefer USB after a reboot. Linux used to be better about 
that sort of thing.




Re: [CentOS] sound problems... config?

2017-03-28 Thread Alice Wonder

On 03/28/2017 05:53 PM, ken wrote:

The www has failed me with this, so I'm trying you guys.  Sound worked
great out of the box when I installed 7.2... Yay!  I could watch all
kinds of videos, like on facebook and youtube.  And I could listen to
most podcasts too.  But then something happened. It was either a kernel
upgrade or that I installed vlc (for watching videos on DVD) and the
whole stack of codecs for it... I don't know exactly when, but at some
point I no longer had sound with youtube  and other web videos.  The
videos played fine, just no sound.  Note that using vlc, both video and
the audio with it play just fine.  I need to select the audio driver
(from a list in a vlc menu), however, else the sound won't work in vlc
either.

If I go into the Applications menu, then System Tools -> Settings ->
Sound, under "Choose a device for sound output:" there are no devices
listed.  There used to be.

If I run "aplayer file.wav", nothing plays (no sound at all) and I get
the error "main:786: audio open error: No such file or directory".  If,
on the other hand, I run "aplay file.wav -D plughw:0" (i.e., specify
the/a device), I do get sound, the file does play.

I ran alsa-info.sh and it posted tons of info from it on my setup at
http://www.alsa-project.org/db/?f=1dba91886be054df4816000768a0f5b109947a48.
Yet it still doesn't tell me what's missing.

Anyone here have an idea...? or thoughts about where to look next?

tia,
ken


I have a similar issue with USB headphones. Worked fine in 7.2 but in 7.3 
I frequently have to unplug and plug them back in before it finally is 
able to be selected from the menus as my output.


Once it is selected, it stays selected until next reboot.



Re: [CentOS] qmail package for CentOS 7

2017-03-14 Thread Alice Wonder

On 03/14/2017 12:53 AM, Rajmohan Banavi wrote:

Is there any package available for qmail? I am having hard time finding it.



I doubt it, qmail is quite deprecated and does not support any modern 
TLS capabilities without a ton of community provided patches.


I doubt even with community supported patches that it will ever support 
RFC 7672 which is important (it takes the "opportunistic" out of 
opportunistic TLS when both servers implement it, preventing protocol 
downgrade attacks that now are as easy as removing the STARTTLS)

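Added example for the DANE points made above, both in the Postfix message (delivered to a TLSA-publishing MX encrypted or not at all) and in the RFC 7672 remark in this qmail reply; it is not code from the thread. The shell check below audits a Postfix main.cf for the settings Postfix needs for DANE-verified delivery, run over a constructed weak main.cf beside a corrected one. The parameter names are Postfix's own; the sample files are made up, and the check assumes a trusted DNSSEC-validating resolver is already in place.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Postfix main.cf for the settings
# that turn opportunistic TLS into DANE-verified delivery (RFC 7672), so that
# stripping STARTTLS cannot downgrade mail to an MX that publishes TLSA records.
# Postfix still needs a trusted DNSSEC-validating resolver (e.g. local unbound).

# Print the effective value of one main.cf parameter: last assignment wins,
# comments and blank lines are ignored, empty output means "not set".
postconf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Exit 0 when main.cf asks for DANE, otherwise report each gap and exit 1.
# DANE needs DNSSEC-aware lookups (smtp_dns_support_level = dnssec), DNS-based
# host lookup, and smtp_tls_security_level = dane (or dane-only).
check_dane() {
    cf="$1"; rc=0
    lvl=$(postconf_get "$cf" smtp_tls_security_level)
    dns=$(postconf_get "$cf" smtp_dns_support_level)
    lookup=$(postconf_get "$cf" smtp_host_lookup)
    case "$lvl" in
        dane|dane-only) ;;
        *) echo "smtp_tls_security_level=${lvl:-unset}: STARTTLS can still be stripped"
           rc=1 ;;
    esac
    if [ "$dns" != dnssec ]; then
        echo "smtp_dns_support_level=${dns:-unset}: TLSA records are not trusted"
        rc=1
    fi
    case "${lookup:-dns}" in
        *dns*) ;;
        *) echo "smtp_host_lookup=$lookup: must include dns for DANE"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed files: the weak setting beside the corrected one.
demo=$(mktemp -d)
printf 'smtp_tls_security_level = may\n' > "$demo/weak.cf"
printf 'smtp_dns_support_level = dnssec\nsmtp_host_lookup = dns\n' > "$demo/dane.cf"
printf 'smtp_tls_security_level = dane\n' >> "$demo/dane.cf"
check_dane "$demo/weak.cf" || echo "weak.cf: opportunistic TLS only"
check_dane "$demo/dane.cf" && echo "dane.cf: DANE enabled"
rm -rf "$demo"
```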


Re: [CentOS] From Networkmanager to self managed configuration files

2017-03-08 Thread Alice Wonder

On 03/08/2017 01:57 AM, Giles Coochey wrote:



The recommended configuration for EL7 is to use NetworkManager unless
you have a very specific edge case preventing you from doing so:


The truth is a lot of us run servers that don't need to have their
network "managed" by Networkmanager.



My experience was very difficult going from 7.2 to 7.3 because of a change 
in the behavior of NetworkManager with respect to IPv6 but once I had it 
figured out (thanks to people on this list) it worked out quite well and 
I kept NetworkManager.


But I certainly understand why some don't want to do that.


