Re: [CentOS] Kernel panic when booting into FIPS mode
So as usual, I was skipping a step. I did need to include the boot= kernel parameter since /boot was separate from root. It wasn't getting mounted.

Everything seems to be working now.

On Sun, Apr 20, 2014 at 11:59 PM, Evan Rowley wrote:

> I don't have expertise on this issue, but it would be interesting if that
> bit of shell script there were adjusted to also print out the fstab and
> possibly other diagnostic information relevant to the problem. That way,
> you might get a clue as to where /boot is coming from. Then again, I'm not
> even sure if that is something you can edit with your current situation.
> You did say the system was unbootable. It's probably an edit you'd need to
> make while mounting the hard disk from another system, like a live cd for
> example.
>
> On Sunday, April 20, 2014, Dale Harris wrote:
>
>> Sorry if you see this twice, I may have goofed:
>>
>> Hey,
>>
>> So I was playing around with trying to get a CentOS 6.5 system
>> FIPS-140 compliant. However, my system panics because it cannot find
>> the hmac file associated with my kernel. It's basically as what is
>> going on is described in this bug report:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=805538
>>
>> The /sbin/fips.sh script in the initramfs there is a bit of code:
>>
>>     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
>>         warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
>>         return 1
>>     fi
>>
>> But that file does exist on the system. I guess the initramfs may not
>> see the /boot directory on the system? Or is it trying to look for
>> /boot inside the initramfs? If so that would explain my problem. I
>> haven't verified any of this yet. But seems like /boot ought to be
>> mounted for the system... anyone know of a fix for this?
>>
>> --
>> Dale Harris
>> rod...@maybe.org
>> rod...@gmail.com
>> /.-)
>
> --
> - EJR

--
Dale Harris
rod...@maybe.org
rod...@gmail.com
/.-)
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
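Added example, not part of the original thread or of dracut's fips.sh: a check for the condition this thread ran into, where FIPS mode is requested, /boot is a separate filesystem, and no boot= parameter tells the initramfs what to mount. The function names are hypothetical, and fips=1 as the enabling kernel parameter is an assumption taken from Red Hat's FIPS documentation for this release rather than from the thread.

```shell
#!/bin/sh
# Added example: pre-reboot check for FIPS mode when /boot may be separate.
# Every path is a parameter, so it also works on a disk mounted from a live CD.

# Print the fstab device field for the /boot mount point; fail if none exists.
boot_device() {  # $1 = fstab path
    awk '$1 !~ /^#/ && $2 == "/boot" { print $1; found = 1 }
         END { exit !found }' "$1"
}

# Print the value of a name=value kernel parameter; fail if it is absent.
cmdline_value() {  # $1 = kernel command line, $2 = parameter name
    for word in $1; do  # unquoted on purpose: split on whitespace
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Verdict on stdout: fips-off | hmac-missing | boot-param-missing | ok
fips_boot_check() {  # $1 = fstab, $2 = cmdline, $3 = boot dir, $4 = kernel release
    [ "$(cmdline_value "$2" fips)" = "1" ] || { echo fips-off; return 0; }
    # Same file the fips.sh excerpt tests for, relative to the given boot dir
    [ -e "$3/.vmlinuz-$4.hmac" ] || { echo hmac-missing; return 1; }
    # Separate /boot without boot=: the initramfs has nothing to mount there
    if boot_device "$1" >/dev/null && ! cmdline_value "$2" boot >/dev/null; then
        echo boot-param-missing
        return 1
    fi
    echo ok
}

# Check the running system only when invoked as: script --live
if [ "${1:-}" = "--live" ]; then
    fips_boot_check /etc/fstab "$(cat /proc/cmdline)" /boot "$(uname -r)"
fi
```

For a check before rebooting, pass the kernel line from the bootloader configuration as the second argument instead of /proc/cmdline, which only reflects the current boot.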
Re: [CentOS] Motion Detecting Camera
On Mar 11, 2014, at 6:09 AM, mark wrote:

>> So if he "wants to be out of the business", why is he having you spec the
>> solution?
>>
>> Call a security company and tell them what you want, and they'll send the
>> bill and they'll be "in the business"... LOL!
>>
>> Sorry, just thought your boss sounds as silly as mine...
>
> My boss is *very* reasonable. You didn't read the post. A "security" company
> would need clearance to even walk into the room (we actually care about the
> security of PII and HIPAA data). And that would add a *LOT* to the division
> budget. Sorry, were you offering to pay more in taxes (if you're in the US)
> every year, and tell them where you were donating more money?
>
> The business he's talking about is this every year, year and a half of me
> wasting a lot of time figuring out workarounds for ancient webcams and bugs
> that keep returning
>
> mark

(Sorry for reviving an old thread, but ... )

Apologies Mark, I just thought it entertaining. As far as paying more in taxes, not sure what the point is... there's no correlation between spending and income anymore.

Anyway, hope you found a good solution. The above is OT, but haven't gotten back to CentOS list mail in quite a while...

--
Nate Duehr
denverpi...@me.com
Re: [CentOS] Kernel panic when booting into FIPS mode
On Apr 20, 2014, at 8:01 PM, Dale Harris wrote:

> But that file does exist on the system. I guess the initramfs may not
> see the /boot directory on the system? Or is it trying to look for
> /boot inside the initramfs? If so that would explain my problem. I
> haven't verified any of this yet. But seems like /boot ought to be
> mounted for the system... anyone know of a fix for this?

Is /boot a separate filesystem? If so, I would check to see if it is actually mounted as /boot from the initramfs. It might just be /, at least until the initramfs is unmounted and the root filesystem is mounted on top of it. That's what I'd look for.

/boot separate filesystem == it's / on initial boot
/boot part of / == it's /boot on initial boot.

--Russell
Re: [CentOS] Kernel panic when booting into FIPS mode
I don't have expertise on this issue, but it would be interesting if that bit of shell script there were adjusted to also print out the fstab and possibly other diagnostic information relevant to the problem. That way, you might get a clue as to where /boot is coming from. Then again, I'm not even sure if that is something you can edit with your current situation. You did say the system was unbootable. It's probably an edit you'd need to make while mounting the hard disk from another system, like a live cd for example.

On Sunday, April 20, 2014, Dale Harris wrote:

> Sorry if you see this twice, I may have goofed:
>
> Hey,
>
> So I was playing around with trying to get a CentOS 6.5 system
> FIPS-140 compliant. However, my system panics because it cannot find
> the hmac file associated with my kernel. It's basically as what is
> going on is described in this bug report:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=805538
>
> The /sbin/fips.sh script in the initramfs there is a bit of code:
>
>     if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
>         warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
>         return 1
>     fi
>
> But that file does exist on the system. I guess the initramfs may not
> see the /boot directory on the system? Or is it trying to look for
> /boot inside the initramfs? If so that would explain my problem. I
> haven't verified any of this yet. But seems like /boot ought to be
> mounted for the system... anyone know of a fix for this?
>
> --
> Dale Harris
> rod...@maybe.org
> rod...@gmail.com
> /.-)

--
- EJR
[CentOS] Kernel panic when booting into FIPS mode
Sorry if you see this twice, I may have goofed:

Hey,

So I was playing around with trying to get a CentOS 6.5 system FIPS-140 compliant. However, my system panics because it cannot find the hmac file associated with my kernel. It's basically as what is going on is described in this bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=805538

The /sbin/fips.sh script in the initramfs there is a bit of code:

    if ! [ -e "/boot/.vmlinuz-${KERNEL}.hmac" ]; then
        warn "/boot/.vmlinuz-${KERNEL}.hmac does not exist"
        return 1
    fi

But that file does exist on the system. I guess the initramfs may not see the /boot directory on the system? Or is it trying to look for /boot inside the initramfs? If so that would explain my problem. I haven't verified any of this yet. But seems like /boot ought to be mounted for the system... anyone know of a fix for this?

--
Dale Harris
rod...@maybe.org
rod...@gmail.com
/.-)
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 2014-04-21, Always Learning wrote:

>
> On Sun, 2014-04-20 at 19:27 -0500, Jim Perrin wrote:
>
>> The problem here wouldn't be so much building it from source. You'd have
>> to rebuild everything that would make use of it as well. For example
>> sshd is linked against it. ->
>
> Why ?
>
> If the guy wants to use TCP Wrappers with one other specific
> application / bit of system software (= IP Tables) and wishes to build
> it from source, why should he have to worry about SSHD compatibility if
> he does not want to use TCP Wrappers with SSHD ?

That's not how I read Jim's response. I read it as, if you wished to use tcpwrappers with sshd, you'd have to rebuild sshd. If you only have one app you need to rebuild that's not so bad, but if you have a half dozen it could be annoying.

--keith

--
kkel...@wombat.san-francisco.ca.us
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Sun, 2014-04-20 at 19:27 -0500, Jim Perrin wrote:

> The problem here wouldn't be so much building it from source. You'd have
> to rebuild everything that would make use of it as well. For example
> sshd is linked against it. ->

Why ?

If the guy wants to use TCP Wrappers with one other specific application / bit of system software (= IP Tables) and wishes to build it from source, why should he have to worry about SSHD compatibility if he does not want to use TCP Wrappers with SSHD ?

Best regards,

--
Paul.
England, EU.

Our systems are exclusively Centos. No Micro$oft Windoze here.
[CentOS] Normalizing WAV files
Hey all,

I've been googling trying to find a tool that I can use to normalize a directory full of WAV files. I found a reference to normalize in the atrpms repo but it wants to clobber several of the base rpms.

Does anyone know of a tool in CentOS 6 that can normalize a directory full of WAV files that I can install without hosing up my system?

--
    _
   °v°
  /(_)\
   ^ ^
Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 04/20/2014 06:48 PM, John Horne wrote:

> On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:
>> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
>>
> A very late reply - yes we use it in conjunction with iptables (on
> CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name,
> which (as far as I am aware) iptables does not. It is very easy to
> configure, and takes immediate effect (no restarting of processes
> required).
>
>> And, would you care strongly if it went away (or would you just
>> migrate to something else)?
>>
> Since we use it I would obviously rather it did not go away :-) If we
> had to we would probably build our own from source, but initially may
> well just look to see if iptables could do all of what we wanted.

The problem here wouldn't be so much building it from source. You'd have to rebuild everything that would make use of it as well. For example sshd is linked against it. ->

    [jperrin@monster localbuild]$ ldd /usr/sbin/sshd | grep wrap
            libwrap.so.0 => /lib64/libwrap.so.0

>
>>
>> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
>> mechanism? As defense-in-depth? Do you have policies which mandate it?
>>
> No policies as such, but we include its installation as part of our
> standard server build process. It is part of the security used on our
> servers, and, as others have mentioned, multiple layers is the way to go
> rather than relying on just one tool.
>
> John.
>

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:

> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
>

A very late reply - yes we use it in conjunction with iptables (on CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name, which (as far as I am aware) iptables does not. It is very easy to configure, and takes immediate effect (no restarting of processes required).

> And, would you care strongly if it went away (or would you just
> migrate to something else)?
>

Since we use it I would obviously rather it did not go away :-) If we had to we would probably build our own from source, but initially may well just look to see if iptables could do all of what we wanted.

>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>

No policies as such, but we include its installation as part of our standard server build process. It is part of the security used on our servers, and, as others have mentioned, multiple layers is the way to go rather than relying on just one tool.

John.

--
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
[CentOS] Ext4 mess .... and EXT4-fs error (device sdc): ext4_mb_generate_buddy
Hi,

I'm faced with a very strange behaviour: CentOS 6.5 server, Hardware ISCSI HBA from Emulex OneConnect, most recent drivers and firmware from Emulex installed. Directly attached a 10G ISCSI Storage from QSan. Two Raid volumes, Raid 5, 8 Disks each at 2 TB so 14 TB each logic raid volume.

Both volumes are logged in and usable as sdb and sdc to the server. Formatted with ext4 -m 0 -v /dev/sd...

Now I copied about 600 GB from an old server to one of the new volumes. No problems at all. But moving other data from the old server to the second volume shows the error in the logs:

    EXT4-fs error (device sdc): ext4_mb_generate_buddy: EXT4-fs: group 2592: 0 blocks in bitmap, 24544 in gd

group grows by 16.

But the more strange thing I realised today is that all the data on the first volume (on sdb) shows up on sdc as well + the new data too. Now I'm totally confused and currently there are no more messages in the system log. The files on sdc don't show up on sdb! If I do e.g. a md5sum on the files on both volumes they are the same, as is the contents of e.g. some textfiles I checked.

Maybe someone has an idea what might cause a) the error and b) why does the data from sdb also show up on sdc? b) also occurred with the original redhat/centos driver for the ISCSI HBA.

Maybe I have to use partitions and not the whole device or LVM, ... xfs?

Other storages from Qsan don't show that problem and other storages with bigger filesystems or e.g. xfs are o.k. too.

confused regards . Götz