Re: [CentOS] Centos 6 Update?

2011-04-07 Thread David Sommerseth
On 05/04/11 01:29, Rudi Ahlers wrote:
 On Tue, Apr 5, 2011 at 1:22 AM, Brian Mathis
 brian.mathis+cen...@betteradmin.com wrote:
 On Mon, Apr 4, 2011 at 6:57 PM, R P Herrold herr...@owlriver.com wrote:
 On Mon, 4 Apr 2011, Ljubomir Ljubojevic wrote:

 OK guys. Why don't you fork the CentOS project and build your own???

 Why don't ANYBODY fork CentOS project? What are you/they waiting for?
 Whining is easy, build something on your own.

 Too strongly stated.  I am aware of at least two private
 rebuild efforts that I have advised over the rough spots in
 the last 4 months.  But those efforts have not sought to
 replicate CentOS, but rather to 'scratch an itch' with a
 different goal than CentOS goals of replicating a rebuild of
 the upstream sources, with needed trademark and branding
 alterations, seeking binary identical-ness with all that the
 upstream ships insofar as possible

 But re-producing CentOS through a fork is just not sensible,
 because CentOS is not just a pile of packages meeting some
 standard [it is also hard work to no obvious new good purpose]

 CentOS is also the mirror network; it is the mailing lists; it
 is the builders being willing to ignore the temptation to
 release a 'rough draft' at the expense of breaking the
 reputation (justified by past releases) to quiet perhaps ten
 people whining for something, anything, at the expense of
 potentially harming millions of installations

 There is a playpen for people who want the latest and greatest
 with a six month release cycle that use the RPM packaging
 system and the yum updater. But it is not named CentOS

 -- Russ herrold


 Russ,

 Appreciate your efforts, but let's make one thing clear:

 The SINGLE source of ALL the current community issues (or whining as
 you put it) is:
***LACK OF INFORMATION***
***LACK OF INFORMATION***
***LACK OF INFORMATION***
 about what is going on.

 No one cares if it's going to take another 3 months.

 All that is needed to stop the weekly explosions are some regular
 updates about the process.  Something like "Working on xyz package but
 ran into this problem.  Still have to look at packages abc and def"
 would more than satisfy a vast majority of people complaining here.
 It's mind boggling that the project just doesn't seem to understand
 that.

 
 and prolong development even further..
 

Wow!  I didn't know the hard core CentOS supporters were so sensitive to
delays that they would complain about developers spending 30 minutes every
now and then to write a status update.  Their time must be precious ...

What happened to the "It comes when it comes" mantra?


kind regards,

David Sommerseth

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos 6 Update?

2011-04-07 Thread David Sommerseth
On 05/04/11 01:29, John R. Dennison wrote:
 On Mon, Apr 04, 2011 at 07:22:43PM -0400, Brian Mathis wrote:

 All that is needed to stop the weekly explosions are some regular
 updates about the process.  Something like "Working on xyz package but
 ran into this problem.  Still have to look at packages abc and def"
 would more than satisfy a vast majority of people complaining here.
 It's mind boggling that the project just doesn't seem to understand
 that.
 
   Couple questions for you, if you wouldn't mind?
 
   Do you complain to Redhat about similar issues?  Do you complain
   to your sales rep about when the next release is going to drop,
   or what the hold-up on a release is?
 
   Assuming that you're a customer you would be quite dissatisfied
   with their reply, or to be more accurate, their lack of a reply.
 
   Why must CentOS be held to a different set of standards than the
   upstream?  Redhat posts NO status updates and publishes NO
   timelines but yet CentOS gets no end of grief over their lack of
   the same.

Maybe because CentOS and Red Hat are different entities with different
goals?  Maybe because Red Hat has a much bigger responsibility to its
shareholders, and any public exposure of RHEL-related things might impact
market speculation, which again could hurt the stock price ... you
probably get the point.  Fact is: CentOS does not have such constraints,
being a community project.

And the part where Red Hat is and can be open about the development phase
is Fedora.  Most of you know by now that RHEL6 is based on a Fedora
12/13 base.

   I do personally wish that there would be more status updates
   from TPTB but to be demanding of more updates is ridiculous.

I don't interpret it as a demand, more like a wish for a more open
development process and progress, which is not an unreasonable request for
a community project.  There is nothing bad about voicing this.  And I am
convinced Brian is correct that these regular "when does it come" explosion
threads would be considerably reduced with more transparency in the
development process.


kind regards,

David Sommerseth



Re: [CentOS] Centos 6 Update?

2011-04-07 Thread David Sommerseth
On 05/04/11 00:51, Jimmy Bradley wrote:
   I've seen the posts over and over again about when is 6 going to
 be out? I appreciate the time the developers put in to make cent os
 available.
   My main question about when is 6 going to be out is, does it
 really matter?  5.5 works just fine, so if it's not broke, why fix it?

Maybe because the RHEL/CentOS 5.5 kernel has got several security issues already?

http://rhn.redhat.com/errata/RHSA-2011-0017.html

For some of us CentOS users, this is critical.  Especially when there have
been no security updates for CentOS 5 since early January.

It was the right decision to postpone CentOS 6 to get CentOS 5.6 out first.
But it has still taken a lot longer than what we've been used to.

And for people going to do fresh installs of CentOS, it would be most
likely better to aim directly for CentOS 6 than CentOS 5.5/5.6.  But the
waiting without knowing what to expect when, that is a frustration
amplifier, especially for those having project deadlines.


kind regards,

David Sommerseth



Re: [CentOS] why are warning be treated as errors?

2011-04-07 Thread David Sommerseth
On 07/04/11 15:10, Steve Clark wrote:
 Hello,
 
 I am trying to compile RHEL-6 kernel srpm on Fedora 14 and run into the
 following problem. From what I read
 -Werror flag causes warnings to be treated as errors - but I don't see that
 flag on in the following. Any ideas?

Most likely because it's considered risky to have warnings.  They might
hide potential issues if they are not fixed.  And halting on warnings is a
nice way to catch them among all the log data a kernel compile can produce.

However, this question probably belongs more to the Fedora Kernel mailing
list [1], as this is a Fedora issue not a CentOS issue.  You know, two
different distributions ;-)


kind regards,

David Sommerseth


[1] https://www.redhat.com/mailman/listinfo/fedora-kernel-list

   gcc -Wp,-MD,arch/x86/kernel/acpi/realmode/.wakemain.o.d  -nostdinc
 -isystem /usr/lib/gcc/i686-redhat-linux/4.5.1/include -nostdinc -isystem
 /usr/lib/gcc/i686-redhat-linux/4.5.1/include -Iinclude 
 -I/home/sclark/rpmbuild/BUILD/kernel-2.6.32/arch/x86/include -include
 include/linux/autoconf.h -D__KERNEL__ -Iinclude
 -I/home/sclark/rpmbuild/BUILD/kernel-2.6.32/arch/x86/include -include
 include/linux/autoconf.h -g -Os -D_SETUP -D_WAKEUP -D__KERNEL__
 -I/home/sclark/rpmbuild/BUILD/kernel-2.6.32/arch/x86/kernel/acpi/realmode/../../../boot
 -Wall -Wstrict-prototypes -march=i386 -mregparm=3 -include
 /home/sclark/rpmbuild/BUILD/kernel-2.6.32/arch/x86/kernel/acpi/realmode/../../../boot/code16gcc.h
 -fno-strict-aliasing -fomit-frame-pointer -ffreestanding
 -fno-toplevel-reorder -fno-stack-protector -mpreferred-stack-boundary=2
 -m32   -DKBUILD_STR(s)=#s -DKBUILD_BASENAME=KBUILD_STR(wakemain) 
 -DKBUILD_MODNAME=KBUILD_STR(wakemain) -DDEBUG_HASH=57
 -DDEBUG_HASH2=38 -c -o arch/x86/kernel/acpi/realmode/.tmp_wakemain.o
 arch/x86/kernel/acpi/realmode/wakemain.c
 cc1: warnings being treated as errors
 arch/x86/kernel/apic/apic.c: In function 'lapic_suspend':
 arch/x86/kernel/apic/apic.c:2008:3: error: statement with no effect
 arch/x86/kernel/apic/apic.c: In function 'lapic_resume':
 arch/x86/kernel/apic/apic.c:2085:3: error: statement with no effect
 make[5]: *** [arch/x86/kernel/apic/apic.o] Error 1
 make[4]: *** [arch/x86/kernel/apic] Error 2
 
 Thanks,





Re: [CentOS] Best way to extend pv partition for LVM

2011-04-04 Thread David Sommerseth
On 04/04/11 11:11, John Hodrien wrote:
 On Sat, 2 Apr 2011, Jay Leafey wrote:
 
 You COULD use option #1, but it requires some additional resources and a
 LOT of shuffling.
 
 Why do you need to shuffle?
 
 fdisk /dev/sda
 delete the PV partition
 create a new PV partition starting at the same sector but ending at the end of
 the now larger disk.
 write it out and reboot.  I forget whether the reboot is still necessary, but
 I think fdisk will warn you it is if you've got mounted filesystems on that
 disk.
 pvresize /dev/sda1

Reboot shouldn't be needed.  You might want to run partprobe though.

A fourth approach is to use pvmove, to move data off /dev/sda ... do the
fdisk stuff then pvcreate and add the PV into your VG again.  This however
requires that the existing PVs can hold all the data which was in the
/dev/sda device.


kind regards,

David Sommerseth



Re: [CentOS] Download the repo DAG of CentOS 5.5

2011-04-04 Thread David Sommerseth
On 03/04/11 20:45, Fidel Dominguez-Valero wrote:
 ok, could you help me to do that?

[root@server ~]# man reposync


kind regards,

David Sommerseth

 On Sun, 2011-04-03 at 21:36 +0300, Eero Volotinen wrote:
 2011/4/3 Fidel Dominguez-Valero fdval...@gmail.com:
 Yes, I know that, but I want to download it to make a local repository

 just use reposync to mirror it to local repository.

 --
 Eero




Re: [CentOS] sshd: Authentication Failures: 137 Time(s)

2011-04-04 Thread David Sommerseth
On 04/04/11 11:18, Rainer Traut wrote:
 Hi,
 
 to prevent scripted dictionary attacks to sshd
 I applied those iptables rules:
 
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent 
 --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set 
 --name SSH --rsource
 
 And this is part of logwatch:
 
 sshd:
  Authentication Failures:
 unknown (www.telkom.co.ke): 137 Time(s)
 unknown (mkongwe.jambo.co.ke): 130 Time(s)
 unknown (212.49.70.24): 107 Time(s)
 root (195.191.250.101): 8 Time(s)
 
 How is it possible for an attacker to try to logon more than 4 times?
 Can the attacker do this with only one TCP/IP connection without 
 establishing a new one?
 Or have the scripts been adapted to this?

This is just a hunch, but --seconds 60 indicates that it will only look
back one minute to check if it could find a hit.  So if the attacker tries
to connect again after 2 minutes or even 61 seconds, it won't trigger this
rule.  Try increasing this value to 3600 (1 hour).  Maybe you want even longer.


kind regards,

David Sommerseth



Re: [CentOS] sshd: Authentication Failures: 137 Time(s)

2011-04-04 Thread David Sommerseth
On 04/04/11 15:35, henry ritzlmayr wrote:
 Am Montag, den 04.04.2011, 15:07 +0200 schrieb Rainer Traut:
 Am 04.04.2011 12:34, schrieb Marian Marinov:
 How is it possible for an attacker to try to logon more than 4 times?
 Can the attacker do this with only one TCP/IP connection without
 establishing a new one?
 Or have the scripts been adapted to this?

 The attackers are not trying constantly.. Just a few bursts of tries.

 Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
 I also have a tool for protecting from brute force attacks called Hawk (
 https://github.com/hackman/Hawk-IDS-IPS ).

 Ok, thanks to both of you, it seems the scripts are getting better and better.
 Will change my iptables rule to keep the blacklist for longer.

 Thx
 Rainer
 
 Also check MaxAuthTries in /etc/ssh/sshd_config
 
 Specifies the maximum number of authentication attempts permitted per
 connection.

That won't do too much.  It only tells the ssh server how many attempts to
accept before closing the TCP connection.  The attacker can still just
re-connect and try again, which is what usually happens during these
attempts.  Of course, setting MaxAuthTries to 1 will slow the attacker down a
little, as it needs to re-establish the SSH connection each time.

Moving over to disallowing password authentication and only using pubkey with
~/.ssh/authorized_keys is probably going to do a better job securing the
server.


kind regards,

David Sommerseth

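To see why the --seconds 60 rule in the first post lets a patient attacker through, and why MaxAuthTries in the second only multiplies what gets through, here is an added example that is not part of the thread and not CentOS code. It simulates the two iptables rules quoted above with the semantics of the kernel xt_recent match: each source address keeps a ring buffer of its last ip_pkt_list_tot timestamps; "--update --seconds N --hitcount H" matches when H or more of them fall within the last N seconds and, on a match, records the current packet as well (so a source that keeps hammering stays blocked); "--set" records every NEW connection that reached it. The attacker schedules are constructed; MaxAuthTries 6 (the OpenSSH default) and ip_pkt_list_tot 20 (the module default) are assumptions, not values from the posts.

```python
"""Simulate the 'recent'-match SSH rate limit from the thread.

Rule 1: -p tcp --dport 22 -m state --state NEW -m recent --update --seconds N --hitcount H -j DROP
Rule 2: -p tcp --dport 22 -m state --state NEW -m recent --set
"""
from typing import List, Sequence, Tuple

IP_PKT_LIST_TOT = 20  # xt_recent module default: timestamps kept per source (assumption)


class RecentEntry:
    """One source address in the 'recent' table."""

    def __init__(self) -> None:
        self.stamps: List[int] = []

    def update(self, now: int) -> None:
        # recent_entry_update(): append, keep only the newest IP_PKT_LIST_TOT stamps
        self.stamps.append(now)
        del self.stamps[:-IP_PKT_LIST_TOT]

    def hits_within(self, now: int, seconds: int) -> int:
        # the kernel skips stamps strictly older than (now - seconds)
        return sum(1 for s in self.stamps if now - s <= seconds)


def ssh_gate(connect_times: Sequence[int], seconds: int, hitcount: int) -> List[Tuple[int, str]]:
    """Verdict for each NEW connection (times in seconds) from a single source."""
    entry = RecentEntry()
    verdicts: List[Tuple[int, str]] = []
    for now in connect_times:
        matched = entry.hits_within(now, seconds) >= hitcount
        # --update records the packet when rule 1 matches; otherwise rule 2's --set
        # records it.  Either way one stamp is added per NEW connection.
        entry.update(now)
        verdicts.append((now, "DROP" if matched else "ACCEPT"))
    return verdicts


def guesses_allowed(connect_times: Sequence[int], seconds: int, hitcount: int,
                    max_auth_tries: int = 6) -> int:
    """Password guesses the attacker gets: accepted connections x MaxAuthTries
    (6 is the OpenSSH default; the posts do not state the value)."""
    accepted = sum(1 for _, v in ssh_gate(connect_times, seconds, hitcount) if v == "ACCEPT")
    return accepted * max_auth_tries


# Constructed attacker schedules, in seconds from the first connection.
BURST_THEN_PAUSE = [0, 1, 2, 3, 64, 65, 66, 67]   # four connections, 61 s pause, four more
HAMMER = list(range(120))                         # one connection per second for two minutes
SLOW = list(range(0, 121, 20))                    # one connection every 20 s

if __name__ == "__main__":
    for name, sched in (("burst, pause, burst", BURST_THEN_PAUSE),
                        ("one connection/s", HAMMER),
                        ("one connection/20 s", SLOW)):
        for window in (60, 3600):
            print(f"{name:22s} --seconds {window:5d}: "
                  f"{guesses_allowed(sched, window, 4):3d} password guesses")
```

With the 60-second window the burst/pause attacker gets 48 guesses per round and the one that connects every 20 seconds is never blocked at all, because it never has four stamps inside any 60-second window; a 3600-second window stops both after the first four connections. None of the counts matter once PasswordAuthentication is off in sshd_config: the accepted connections then have nothing to guess.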


Re: [CentOS] Virtualization platform choice

2011-03-31 Thread David Sommerseth
On 29/03/11 21:13, Kenni Lund wrote:
 Den 29/03/2011 15.41 skrev David Sommerseth d...@users.sourceforge.net:
[...snip...]

Thanks a lot for good information!

 The main problem is Windows guests, which easily choke on hardware
 changes (forced reactivation of Windows or unbootable with BSOD). Each
 qemu-kvm version will behave differently, so moving from one major
 qemu-kvm version to another (0.1x - 0.1y), will most likely change
 the virtual hardware seen by the guest, unless you have libvirt etc.
 configured to keep track of the guest hardware.

Do you know how to set this up?  Or where to look for more details about
this?  I do have one Windows guest, and I can't break this one.

 If it's only Linux guests, it should work fine when moving the guests
 between any recent Linux distribution with KVM. Of course, if you
 don't use libvirt or a similar management solution, the hardware in
 the guest will likely change, for example causing your MAC-addresses
 of your NICs to change, etc, when moving to a new KVM host.

It's all using libvirt already, so this should be pretty much the same.


kind regards,

David Sommerseth



Re: [CentOS] Virtualization platform choice

2011-03-29 Thread David Sommerseth
On 27/03/11 11:57, Jussi Hirvi wrote:
 Some may be bored with the subject - sorry...
 
 Still not decided about virtualization platform for my webhotel v2 
 (ns, mail, web servers, etc.).
 
 KVM would be a natural way to go, I suppose, only it is too bad CentOS 6 
 will not be out in time for me - I guess KVM would be more mature in 
 CentOS 6.

I believe KVM was introduced in RHEL5.4, so I presume CentOS5.5 has
working KVM support as well, in addition to Xen.  Of course, it will be
even better with CentOS6.

For the impatient souls, ScientificLinux 6.0 is released, even though
discussions lately on this list raise some concerns regarding how good the
binary compatibility is in SL6, compared to CentOS6.

This makes me wonder how well it would go to migrate from SL6 to CentOS
6, if all KVM guests are on dedicated/separate LVM volumes and you take a
backup of /etc/libvirt.  So when CentOS6 is released, scratch SL6 and
install CentOS6, put back the SL6 libvirt configs ... would there be any
issues in such an approach?  And what about other KVM based host OSes?


kind regards,

David Sommerseth



Re: [CentOS] cobbler installation of CentOS-5.5

2011-03-28 Thread David Sommerseth
On 28/03/11 16:49, Timothy Murphy wrote:
 I'm trying to install CentOS-5.5 on my new HP micro-server,
 which has no CD drive.
 
 I've set up cobbler and cobbler-web on my old server,
 and can access cobbler-web from my laptop.
 
 I have 3 queries about the installation.
 
 1. Is there any advantage in using the 64-bit CentOS
 rather than 32-bit?

Yes, there are advantages to using 64-bit instead of 32-bit.  But it also
depends on how much memory you have.  If you have more than 4GB RAM, you
should really not depend on 32-bit at all.  This is a hardware limit on the
CPU level.  However, Intel did enable some hacks to make it possible to use
more than 4GB RAM on the IA32 based CPUs.  Those are mostly known as PAE
enabled kernels.  But few kernel developers really like PAE.

Another limitation is that 32-bit applications have limited memory
available compared to a 64-bit application.  PAE might even slow down the
kernel.

Don't go PAE if you can go 64-bit.  There are really no good reasons why
not to use 64-bit today.  There are quite few software packages which are
not ready for 64 bit nowadays, and those should rather be fixed than keep
users back on 32 bit.

If you for some reason need to run a 32-bit user stack, it is even possible
to install a 64 bit kernel on a 100% 32-bit user space.  And running
32-bit applications in a 64-bit setup is possible, as long as you have the
32-bit glibc and other needed support libraries installed.  However, 32-bit
applications have the same memory limitation when running.

For some brief PAE discussion, see here:
http://www.held.org.il/blog/2008/07/pae-whats-that-and-how-bad-for-performance/
http://kerneltrap.org/node/3816
http://www.linuxquestions.org/questions/linux-general-1/32-bit-os-and-4gb-memory-limit-707762/

Having all this said, RHEL supports up to 16GB with PAE on 32bit, thus
CentOS will do the same.  However, if you can avoid it and install 64-bit, I
recommend you do that instead.  PAE is really dying, and you'll likely
have more issues with PAE than 64-bit in the long run.


kind regards,

David Sommerseth



Re: [CentOS] IPC Benchmark in Centos

2011-03-13 Thread David Sommerseth
On 11/03/11 16:50, Peter Penzov wrote:
 Hi,
 I'm interested is there any benchmark tests for Centos. How fast is
 for example Unix domain socket and Message Queue?


I'm not aware of any scientific research on this topic, but others might
know.  However, this should normally be a pretty simple task to measure.
A little program which establishes a socket, SYSV or POSIX message queue,
sends X bytes and measures the time it takes.

I've done some tests between SYSV and POSIX message queues.  My experience is 
that the POSIX implementation is much more efficient.


kind regards,

David Sommerseth

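The "little program" described in the reply above, written out as an added example that is neither from the original post nor from CentOS. It pushes a fixed number of bytes through an AF_UNIX socket pair and through a pipe, times each transfer, and reports MB/s. It uses only the Python standard library, so it covers Unix domain sockets and pipes; POSIX and SysV message queues need a third-party module and are left out. The byte counts, chunk size and warm-up size are arbitrary choices.

```python
"""IPC microbenchmark: AF_UNIX socket pair vs. anonymous pipe.

A writer thread pushes total_bytes through the channel while the calling
thread drains it; elapsed wall time gives the throughput.  Using a separate
writer avoids the deadlock a single thread would hit once the kernel buffer
fills up."""
import os
import socket
import threading
import time
from typing import Callable, Dict


def _pump(write: Callable[[bytes], int], read: Callable[[int], bytes],
          total_bytes: int, chunk: int) -> float:
    """Return the seconds taken to move total_bytes through write()/read()."""
    payload = b"\x55" * chunk

    def writer() -> None:
        sent = 0
        while sent < total_bytes:
            # write() may accept fewer bytes than offered; count what actually went out
            sent += write(payload[: min(chunk, total_bytes - sent)])

    t = threading.Thread(target=writer)
    start = time.perf_counter()
    t.start()
    received = 0
    while received < total_bytes:
        data = read(min(chunk, total_bytes - received))
        if not data:
            raise RuntimeError("channel closed before all bytes arrived")
        received += len(data)
    t.join()
    return time.perf_counter() - start


def bench_unix_socket(total_bytes: int, chunk: int = 64 * 1024) -> float:
    """Seconds to move total_bytes over an AF_UNIX stream socket pair."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return _pump(a.send, b.recv, total_bytes, chunk)
    finally:
        a.close()
        b.close()


def bench_pipe(total_bytes: int, chunk: int = 64 * 1024) -> float:
    """Seconds to move total_bytes through an anonymous pipe."""
    r, w = os.pipe()
    try:
        return _pump(lambda d: os.write(w, d), lambda n: os.read(r, n), total_bytes, chunk)
    finally:
        os.close(r)
        os.close(w)


def run_benchmark(total_bytes: int = 64 * 1024 * 1024,
                  chunk: int = 64 * 1024) -> Dict[str, float]:
    """Throughput in MB/s (10^6 bytes per second) per mechanism.

    Each mechanism gets a 1 MiB warm-up run that is not counted, so page
    faults on the buffers and thread start-up do not land in the measurement."""
    results: Dict[str, float] = {}
    for name, bench in (("unix_socket", bench_unix_socket), ("pipe", bench_pipe)):
        bench(1 << 20, chunk)
        elapsed = bench(total_bytes, chunk)
        results[name] = total_bytes / elapsed / 1e6
    return results


if __name__ == "__main__":
    for name, mbps in run_benchmark().items():
        print(f"{name:12s} {mbps:10.1f} MB/s")
```

Run it several times and vary the chunk size: the interesting result is usually not the absolute MB/s but how much the per-syscall overhead dominates once chunks drop below a page.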


Re: [CentOS] kernel vulnerabilities

2011-03-09 Thread David Sommerseth
On 09/03/11 17:06, Riccardo Veraldi wrote:
 excuse me, could you be more helpful ?
 Actually I am not able to get any security update from CentOS 5.5 repo.
 Is there something I must change in the repo files ?

What he meant was that you could do this:

http://lmgtfy.com/?q=centos+mailing+list+archive&l=1

And go through the archives.  There is plenty of information about your
question there.  But to summarize it again, there have not been any CentOS5
updates since early January (just check the announce list, available above)
since they are working hard on getting CentOS 5.6 ready.

Otherwise, I recommend you to get familiar with what's called netiquette,
like this one:  http://linux.sgms-centre.com/misc/netiquette.php
Also look at the bottom of the web page from the link above as well.
(Hint: top-posting)


kind regards,

David Sommerseth

 On 3/4/11 12:14 PM, Kai Schaetzl wrote:
 the archive would have told you.

 Kai






Re: [CentOS] BUG: soft lockup CPU stuck for 10seconds (Server went down)

2011-03-08 Thread David Sommerseth
On 07/03/11 08:31, Roland RoLaNd wrote:
 Hello,
 
 Today my server stopped responding.
 I went to the console and on the screen there was a continuous loop of the
 following info shown on the screen:
 
 BUG: soft lockup - CPU#0 stuck for 10s! [java:13959]
 
 and alot of other information.
 I've taken a screen shot of the info shown, you can find it under the
 following url: http://img585.imageshack.us/i/img00012201103070833.jpg/
 and had to hard reset for it to be back up and running.
 
 i tried googling with no luck for direct relevant info.
 so hoping you can help out

Some real kernel developers might have better insight on why this happens.
 But this hits APIC timers during a syscall.  I would probably try to boot
the box with 'noapic' in the kernel command line, to see if this improves
things or not.

Do you see the "soft lockup - CPU#0" always?  Or does it also happen to
other CPUs as well?  And if it does, is the java process running on more CPUs?


kind regards,

David Sommerseth



Re: [CentOS] Scientific Linux 6.0 released (based on RHEL 6.0)

2011-03-04 Thread David Sommerseth
On 04/03/11 16:59, Digimer wrote:
 On 03/04/2011 07:35 AM, carlopmart wrote:
 On 03/04/2011 01:33 PM, Arun Khan wrote:
 I know this is the CentOS list.  However, as there has been some
 interest in CentOS 6.0 (RHEL 6), I thought I'd share the news here.

 Scientific Linux 6 is based on RHEL 6 with add-ons for scientific computing.

 FWIW, the Admin tools etc. are pretty much the same as in RHEL, so are
 the base packages.

 Read more at
 http://www.scientificlinux.org/distributions/6x/60/

 And?? Why do you want to start a new flame??
 
 Pointing out the advancement of a similar product is legit, in my mind.
 
 We all need to relax. :)

+1


kind regards,

David Sommerseth





Re: [CentOS] virtualization on the desktop a myth, or a reality?

2011-03-04 Thread David Sommerseth
On 03/03/11 00:41, Ross Walker wrote:
[...snip...]

 This works with Xen or KVM, though the management and
 compartmentalization of Xen helps.
 
 Does CentOS support the shared memory pages, memory dedup, in Xen? That
 would allow for a lot more Linux VMs.

I don't think the KSM support has been backported to the RHEL5/CentOS5
kernels. I might remember wrong though.

_If_ KSM is available on the 2.6.18 based kernels, it should definitely
work for KVM on RHEL5/CentOS5.  However, I doubt it has been backported to
the Xen dom0 kernels.

If I've understood it correctly, the Xen hypervisor is its own microkernel
and dom0 is kind of a virtual guest with more privileges than domUs, to be
able to administer and control the guests.  IIRC, this microkernel has its
own scheduler and memory management too.

While with KVM, the host kernel (which loads the kvm.ko module) is the
hypervisor, and all the virtual guests are qemu-kvm user space processes.
And KSM will merge identical pages for user space processes, no matter if it
is KVM guests or other applications.


kind regards,

David Sommerseth



Re: [CentOS] Centos 6

2011-03-03 Thread David Sommerseth
On 03/03/11 02:49, aurfal...@gmail.com wrote:
 On Mar 2, 2011, at 5:43 PM, Johnny Hughes wrote:
 
 On 03/02/2011 04:45 PM, David Hrbáč wrote:
 Dne 2.3.2011 01:14, Dag Wieers napsal(a):
 From http://en.wikipedia.org/wiki/CentOS
 RHEL4:    2005-02-14
 CentOS-4: 2005-03-09     23 days

 RHEL5:    2007-03-14
 CentOS-5: 2007-04-12     29 days

 RHEL6:    2010-11-10
 CentOS-6: TBD           112+ days

 Priority is CentOS 5.6, which is what people are actually using.  It is
 very likely a RHEL 6.1 Beta is out before CentOS-6.0. Early RHEL 6.1 Beta
 access has been offered by Red Hat to RHCE's already.


 RHEL5.6:    2011-01-12
 Centos-5.6: TBD          50+ days


 AND?

 Do you think we can't count?

 Do you think we are not trying our damnedest to get it done as fast as we
 possibly can?

 What, exactly, is the problem here?

 You have my permission to use something else. Does that help?
 
 Dave,
 
 Wow you actually got a dev to waste time in responding to your post.
 
 I'd say you're a pie hole, the brown eyed suzie kind.  Go buy RHEL for a
 few hundies then.

No!  This is a lame excuse.  The developer chose to respond to it.  He
could just have ignored that post.  He is not required to give any answer.
The developer *chose* to waste time giving a completely useless response.
He could rather have looked the other way and continued doing something
else, which would be more productive in this case.

To be honest, I dislike the attitude of some CentOS developers, basically
telling people to f*** off whenever a nerve is hit.  If there was another
CentOS alternative which stays as close to RHEL as CentOS does, I would
really be using that instead.

I appreciate the work of the developers a lot.  I appreciate CentOS a lot.
 I know and understand that there is a lot of work behind CentOS.  But the
developers are not gods who can do whatever they like just because of their
position.

And if developers complain about lack of community help ... maybe they
should look a little bit closer at how they treat the community first.


kind regards,

David Sommerseth



Re: [CentOS] IP6 Anyone?

2011-03-02 Thread David Sommerseth
On 01/03/11 21:02, John R Pierce wrote:
 On 03/01/11 11:51 AM, Always Learning wrote:

 4 hex digits vs. 1-3 decimal digits provides adequate disambiguation.
 1:2:3:4 or 1.2.3.4 ?  Each segment of the former is a valid 'decimal'
 number and also a valid 'hexadecimal' number. Each segment of the later
 is a valid decimal number.
 except that's not a valid ipv6 address, it has too few components.
 
 1:2::3:4 would be (implying 1:2:0:0:0:0:3:4).  if you used '.' as your 
 separator, 1.2..3.4 would be too, and it's distinguishable from ipv4 due 
 to the ..

Until you then need to support this syntax: 2001::10.2.2.191

'.' might be a good separator, but for the vast variety of writing
addresses which IPv6 supports ... and that it is a different protocol from
IPv4, I'm glad the separator is different.  ':' might not be ideal, but I
find it a lot better than a lot of other alternatives.

Anyway, the standard is settled, and it has been available for over 15
years ... it's too late to change it in IPv6.


kind regards,

David Sommerseth.



Re: [CentOS] virtualization on the desktop a myth, or a reality?

2011-03-02 Thread David Sommerseth
On 02/03/11 19:07, Les Mikesell wrote:
 On 3/2/2011 11:29 AM, Rudi Ahlers wrote:

 So, I installed CentOS + KDE, chose the Virtualization package and
 used Virtual Machine Manager to setup another CentOS VM inside CentOS
 (I only have a CentOS ISO on this SAN, since we don't use Debian /
 Slackware / FC / Ubuntu / etc). The installation was probably about
 the same speed as it would be on raw hardware. But, using the
 interface is painfully slow. I opened up Firefox and browsed the web a
 bit. The mouse cursor lagged a bit and whenever I loaded a slow /
 large website, it seemed asif the whole VM lagged behind.
 
 X without hardware acceleration is pretty ugly - you end up making the 
 CPU do block moves even for simple things like screen scrolling.  Not 
 sure how the virtual interface works, but a better approach is 
 sure how how the virtual interface works, but a better approach is 
 either running X natively on your local hardware with the desktop/app 
 remote (if you are on a low latency LAN) or freenx on the server and the 
 NX client locally (works regardless of the connection speed).

What about making the VM run an X server, accepting TCP connections, and
accessing the VM from your host using a local X client display?  A lot of
bad things can be said about the X network protocol, but at least it works
smoother than VNC.  The X protocol requires bandwidth (compared to VNC),
but working against a virtual network adapter doesn't necessarily kill the
performance.

Other than that, SPICE is probably the future [1] on Linux.  That should
slowly begin to be useful in RHEL5, RHEL6 and Fedora 14, if I'm not much
mistaken.  Not sure how much is implemented in RHEL5/CentOS5 though.
However, for SPICE to work, you need to use KVM.  And you need the qemu-kvm
part to initialise the SPICE display properly as well.


kind regards,

David Sommerseth



[1] http://www.youtube.com/watch?v=S4DZwYqnyJM
http://www.youtube.com/watch?v=uvfkj8V6ylM



Re: [CentOS] virtualization on the desktop a myth, or a reality?

2011-03-02 Thread David Sommerseth
On 02/03/11 21:12, Dag Wieers wrote:
 On Wed, 2 Mar 2011, David Sommerseth wrote:
 
 Other than that, SPICE is probably the future [1] on Linux.  That should
 slowly begin to be useful in RHEL5, RHEL6 and Fedora 14, if I'm not much
 mistaken.  Not sure how much is implemented in RHEL5/CentOS5 though.
 However, for SPICE to work, you need to use KVM.  And you need the qemu-kvm
 part to initialise the SPICE display properly as well.
 
 You need qemu-spice for using SPICE, which does not ship with RHEL5 or 
 RHEL6. On top of that, SPICE is only supported by Red Hat for RHEV, not 
 libvirt. That may change in the future, ... but when, nobody knows ;-)

It used to be a separate qemu-spice.  But I believe with Fedora 14 (and
most probably RHEL6, I haven't checked) that should now be merged into qemu
upstream.

http://fedoraproject.org/wiki/Features/Spice

So I presume SPICE will be more widely supported in RHEL, considering
Fedora is the maturing stage for many RHEL features.  Which means, CentOS
should get it in the end as well.

I believe they've mostly spent time stabilising it, and slowly working
towards open sourcing the SPICE code.  IIRC, the SPICE technology was
acquired when Red Hat bought Qumranet.  So it's probably been quite a
journey so far for these guys :)


kind regards,

David Sommerseth



Re: [CentOS] kernel eclipse segfault

2011-03-01 Thread David Sommerseth
On 01/03/11 08:02, sync wrote:
 Hi, all :
 
 My user called Tom, and his vnc desktop suddenly did not work just now.
 Then I went to see the server  log message , and found the following message:
 
 kernel: Xvnc[2779]: segfault at 008 rip 0077af44 rsp
 7fff5ee310c0 error 4
 kernel: eclipse[25300]: segfault at 008 rip 03210cfbc6c rsp
 7fff470c66a0 error 4
 gconfd( tom-2764): Gconf server is not in use , shutting down
 gconfd: Exitting ..
 
 
 By the way, my server os is CentOS 5.3 x86_64 and kernel version is :
 2.6.18-128.el5
 
 
 It looks like it is the eclipse tool problem which caused the kernel crash,
 isn't it?

Partly correct.  The kernel kills the program with SEGV, because the
program has tried to do something it shouldn't do.  That's why you see that
segfault message in dmesg/log files.  It is not an indication of kernel
failure.  It's an indication the kernel took action.

 Could someone give me some suggestion on how to avoid that message
 happening again?

You need to figure out which program causes this error.  You have both Xvnc
and eclipse failures.  It might be that when one of them segfaults, it
brings down the other one too, as a segfault.

It's impossible to say exactly what the error is, just based on this
information.  The only thing which is clear, it's a user space error and
not a kernel issue.


Btw. you're running on a very old CentOS base (5.3).  I would first try to
upgrade to at least 5.5, and see if the error still persists.  5.3 has not
received much love since 5.4 and 5.5 were released.  Now all the focus is on
getting 5.6 out the door too.


kind regards,

David Sommerseth



Re: [CentOS] Canon MX870

2011-03-01 Thread David Sommerseth
On 01/03/11 19:40, Boris Epstein wrote:
 Hello listmates,
 
 I am considering getting this multi-functional printer (printer/scanner/fax):
 
 http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=6052773CatId=2709
 
 Has anybody used it under Linux? What was that experience like?

After having had a Canon MP600 MFP device myself for some time, I would not
consider Canon at all.  Driver support in Linux is far from optimal.  You
got TurboPrint which kind of solves it, but on some platforms even
TurboPrint dies when printing too big documents.

Canon tried to do some open source driver stuff for the Asian market, and
trying to rebuild that was a nightmare on 64 bit, because they basically
just supported 32 bit.  And these drivers have not been updated for quite
some time.

I also don't see MX870 in the supported list in the Open Printing project
[1].  So I wouldn't bet on good support out-of-the-box.  A couple of the MX
printers are even classified as paper weights.

Personally, I'm getting rid of my Canon soon, and I'm going for an HP
printer.  It might not be the optimal vendor in regards to price.  Print
quality is usually good, though.  But they do support their devices with
open source drivers, which I do embrace.  Another brand I would consider is
Epson.

Sorry about the rant, but my Canon user experience in Linux is far from
good.  The MP600 is a great device, hardware-wise (except lacking IPv6
support, even though the Canon support claims it has that).  But I do
expect decent Linux support nowadays, or else I'll call it crap.  So no
more Canon for me.  At least until Canon does a real open source effort.


kind regards,

David Sommerseth


[1] http://www.openprinting.org/printers



Re: [CentOS] IP6 Anyone?

2011-02-27 Thread David Sommerseth
On 27/02/11 06:46, Always Learning wrote:
 Octets

 Thanks for pointing-out my misunderstanding.

 I'll remember 2 octets are really 2 characters (IBM's bytes) = 2 digits,
 4 octal numbers or 4 hexadecimal numbers.

This is a confusing summary.

3 bits = 1 octal number (values 0-7)
4 bits = 1 nibble  (values 0-15 or in hex 0x0-0xF)
8 bits = 2 nibbles = 1 byte or 1 octet (values 0-255 or in hex 0x00-0xFF)

Don't mix in octal numbers, as that's a completely different numeric system 
which is very seldom used nowadays.  Octal numbers are smaller than nibbles, 
which is usually the smallest unit referred to in today's computers.

IPv4 uses 32-bit addresses, hence 4 bytes (4 bytes * 8 bits per byte = 32 
bits).  Organised into 4 groups, separated by dots.  Each group contains 1 
byte, where user interfaces use decimal notation, with values from 0 to 255.

IPv6 uses 128-bit addresses, hence 16 bytes (16 bytes * 8 bits per byte = 128 
bits).  Organised into 8 groups, separated by colons.  Each group contains 
2 bytes, where user interfaces use hexadecimal notation, with values 
0x to 0x.


That's basically it.


kind regards,

David Sommerseth



Re: [CentOS] IP6 Anyone?

2011-02-27 Thread David Sommerseth
On 27/02/11 14:44, Always Learning wrote:
 I was actually wrong. I can 'play' with not 2 but 4 groups of the IP6
 allocation. Golly, what can I do with 64 x 64 x 64 x 64 address
 combinations?  Hire then out?  Have a different IP6 address for every
 hour of the year?

If you got allocated a /48 net from your ISP you will have this setup:
<ISP prefix, 48 bit>:<16 bit subnetting>:<64 bit address scope>

This gives you 65536 subnets with 64 bit subnet mask (/64).  An example, 'AA' 
indicates the ISP, 'BB' indicates the subnet:

  :::::/64
  ISP prefix   16 + 16 + 16 = 48 bits
  Your own subnets  + 16= 64 bits

If you are given a /56 net from your ISP, it will look more like this:
<ISP prefix, 48 bit>:<cont. ISP prefix 8 bit><8 bit subnetting>:<64 bit addr>

This gives you 256 subnets with 64 bit subnet mask.  An example:

  :::AABB::/64
  ISP  prefix  16 + 16 + 16 + 8   = 56 bits
  Your own subnets+ 8 = 64 bits

It is really not recommended to segment your own networks in smaller subnets 
than /64 nets.  F.ex. if you want to use radvd for stateless 
auto-configuration, it will expect 64 bit subnets.  It is doable to make 
smaller subnets, but don't do that unless you really know what you're doing.

Using 64-bit subnets makes it so easy to handle them.  You know that the first 
64 bits of an address is the prefix to your own subnet.  As there is no 
network address (like 192.168.0.0) and no broadcast address (like 
192.168.0.255), any address within a /64 subnet will be a valid IPv6 address 
for that subnet.  And it will be a global IP address in addition.

The rest is just firewalling and routing, which is basically the same as in 
the IPv4 world, just with different address syntax.

  Put the IP4 address in the last 4 groups?
  (2001::10.2.2.191)

I recommend you *not* to mix in stuff like this, at least in the very 
beginning.  Run a dual stack IPv4 and IPv6 environment.  It's easier to 
maintain, and they both run fine together in the same physical network segment.

  That vast surplus of IP6 addresses is just for one server - I have
  several.

Yes, IPv6 gives every site a lot more possibilities.  And in IPv6 each NIC 
can have multiple IPv6 addresses, without using aliasing, which is needed for 
IPv4.  If you want to allocate 30 IPv6 addresses to one adapter, you may do so 
very easily.  Just use 'ip -6 addr add <ipv6 addr> dev eth0'.



kind regards,

David Sommerseth
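The /48 and /56 arithmetic in this reply, together with the 8-group, 2-bytes-per-group layout from the earlier "IP6 Anyone?" reply, worked through in Python as an added example (not code from the thread). It uses only the standard ipaddress module; the 2001:db8:... prefixes are RFC 3849 documentation prefixes used here as constructed input.

```python
"""Worked /48 and /56 delegation arithmetic for the reply above.

Added example, not code from the thread.  It uses only the standard
ipaddress module; the prefixes 2001:db8:1::/48 and 2001:db8:1:a00::/56
are RFC 3849 documentation prefixes used here as constructed input.
"""
import ipaddress
from typing import List


def subnet_count(delegation: str, new_prefix: int = 64) -> int:
    """How many /new_prefix subnets fit into the delegated prefix.

    A /48 leaves 16 subnet bits (65536 /64s), a /56 leaves 8 (256 /64s).
    """
    net = ipaddress.IPv6Network(delegation, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the delegation")
    return 1 << (new_prefix - net.prefixlen)


def nth_subnet(delegation: str, n: int, new_prefix: int = 64) -> ipaddress.IPv6Network:
    """The n-th /new_prefix subnet inside the delegation.

    The bits between the delegation boundary and bit 64 carry the subnet
    number, the 'BB' part of the picture in the reply.
    """
    net = ipaddress.IPv6Network(delegation, strict=True)
    if not 0 <= n < subnet_count(delegation, new_prefix):
        raise ValueError(f"subnet {n} does not exist inside {delegation}")
    host_bits = 128 - new_prefix
    return ipaddress.IPv6Network((int(net.network_address) + (n << host_bits), new_prefix))


def subnet_number(delegation: str, address: str, new_prefix: int = 64) -> int:
    """Inverse of nth_subnet: which /new_prefix an address falls into.

    Handy when writing per-subnet firewall or routing rules, the part of
    the job that the reply says stays the same as in IPv4.
    """
    net = ipaddress.IPv6Network(delegation, strict=True)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{address} is outside {delegation}")
    return (int(addr) - int(net.network_address)) >> (128 - new_prefix)


def prefix_groups(network: ipaddress.IPv6Network) -> List[str]:
    """The four 16-bit groups (2 bytes each, 0000-ffff in hex) of a /64
    prefix, i.e. the 'AAAA:AAAA:AAAA:BBBB' part written out in full."""
    return network.network_address.exploded.split(":")[:4]


if __name__ == "__main__":
    for delegation in ("2001:db8:1::/48", "2001:db8:1:a00::/56"):
        count = subnet_count(delegation)
        first, last = nth_subnet(delegation, 0), nth_subnet(delegation, count - 1)
        print(f"{delegation}: {count} x /64, from {first} to {last}")
        print("  groups of the last one:", ":".join(prefix_groups(last)))
    print("2001:db8:1:2a::1 lives in subnet",
          subnet_number("2001:db8:1::/48", "2001:db8:1:2a::1"))
```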



Re: [CentOS] PCI ethernet card for CentOS

2011-02-26 Thread David Sommerseth
On 26/02/11 15:38, Timothy Murphy wrote:
 I need to get a second ethernet card for my HP Proliant CentOS server,
 to attach a LinkSys WRT54GL router to.

 I see that there are many Realtek RTL8169S gigabit cards
 going for a song on eBay.
 Is anyone using one of these under CentOS?
 Do they work OK?
 (I used to have a couple of Realtek cards - not gigabit -
 and they worked fine.)

 Or does anyone have a strong recommendation for other cards?
 Any advice or suggestions gratefully received.

I really recommend something other than these Realcrap cards.  They might 
work fine in many settings, but you never really know.  If you google around, 
you'll find plenty of stories where these cards are really unpredictable, and 
my own experiences are also not good.

You can probably find pretty decent Intel EtherExpress PRO/100 cards, which 
really have an incomparable quality.  As you're talking about the WRT54GL, you 
don't need to think about 1Gbit cards.  Which makes the PRO/100 cards optimal.

Just my 2 cents.


kind regards,

David Sommerseth



Re: [CentOS] VMware (was Re: current bind version)

2011-02-25 Thread David Sommerseth
On 25/02/11 14:52, Les Mikesell wrote:
 On 2/25/11 4:48 AM, Johnny Hughes wrote:
 
  Anyway, my point was that the fabled library ABI stability of RHEL 
  turned out
  not to work for VMware Server 2.0.   But CentOS did come through with
  bug-for-bug compatibility as promised, causing the same crashing 
  behavior after
  the same minor-rev update.
 
 
  The ABI is not for things like VMWare when they screw up their updates
 This was not a VMWare update.  It was a glibc update - and the breakage was 
 dramatic, not just the slow memory leak someone else mentioned.

I don't know this case specifically.  But generally speaking, there are
some cases where applications are built depending on a bug in a library to
work properly.  When that bug gets fixed in the library, the application
breaks.

ABI doesn't ensure that all applications will work forever.  It only
assures that the application binary interface doesn't change.  That means
that arguments being passed through library functions do not change, that
functions do not disappear, lose or gain arguments, and that the
return type from functions doesn't change.  It does not guarantee that the
behaviour of the functions doesn't change, if the behaviour was wrong to
start with.


kind regards,

David Sommerseth



Re: [CentOS] Alternative to cPanel

2011-02-23 Thread David Sommerseth
On 23/02/11 16:24, Lucian wrote:
 On Wed, Feb 23, 2011 at 2:49 PM, Trutwin, Joshua jtrut...@csbsju.edu wrote:
 +1 for Virtualmin.
 People will brag that it's insecure etc, but it has always done the
 job for me and I have more than 100 installations of it. I never had
 security problems because of it.

That one user with more than 100 installations hasn't experienced security
issues with a product doesn't mean that there are no security issues.

It can just as much mean nobody tried to hack any of those installations,
or that they have tried but not succeeded yet, or that there are no
security issues ... but to distinguish this, you need to have more
solid arguments than "I haven't experienced it" ... because you might not
have experienced it _yet_.


kind regards,

David Sommerseth



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 15/02/11 02:48, Brian Mathis wrote:
 On Mon, Feb 14, 2011 at 4:05 PM, John R. Dennison j...@gerdesas.com wrote:
 On Mon, Feb 14, 2011 at 05:00:43PM -0400, robert mena wrote:
 Hi,

 Despite the mailing list and twitter I did not find any updated info on
 either versions regarding the current status.

 So, what is the current status of both versions? (like 60%)

Your request just moved it back by 15% and 2 weeks, not to
mention all the innocent kittens that were killed.

John
 
 I wish people would take these requests as:
 
 Hey guys, I really love this project and I know there's a new
 version on the way.  I've been following all the right places for
 news, but I just can't contain my excitement.  Does anyone know when
 the next release is?  I'm more excited about it than most people are
 about Apple's new iThing
 
 ...and react accordingly.  Instead, we get:
 Don't bother people.  Get off my lawn.  Go pay for it if you want it so 
 bad.
 
 To be fair this thread hasn't been as bad as most, but reflecting some
 excitement is free.  Anyway, here's my response:
 
 Hey man, I'm just as excited as you.  I really want to see what C6
 looks like and to start playing with it.  I'm so happy there's a
 modern kernel and recent packages so I don't have to hunt them down.
 I think C6 is going to be really cool.  I know the CentOS guys put in
 a lot of work and I have a lot of respect for them, but they're busy
 with real life too.  KB posted something on his Twitter, but you know
 how deadlines can be.  Stuff comes up.  All we can really do is wait
 until it comes out.  If you wanted to help out, here's a link for info
 on how to do that... [someone please fill in link here].

+1 ... Such feedback would really be a lot better than anything else.  Keep
people in the darkness, and they'll start looking for the light switch ...
provide them with a candle, and they'll sit more calmly, observing and
having fun.


kind regards,

David Sommerseth



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 15/02/11 17:25, Gilbert Sebenste wrote:
 Let's see. 7 weeks after a RHEL release, we have:

For RHEL6, let's make that 14 weeks.  And RHEL5.6 got released 9 weeks after
RHEL6.

It's amazing how much smoother things would be, in regards to controlling
the anticipation *if* we could find some regular updates on the progress.

We don't need exact dates, but an idea of how the progress is going.  Also
some progress information of what is troublesome?  What is taking time?
How can the rest of the community help?  This information could be given
out even bi-weekly, and I'm sure it would calm down this tension a lot.

The whole CentOS release progress is surprisingly closed, considering it is
an open source project.

Is it really too much to ask for information on the progress?   And
frankly, these references below don't shed too much light on the situation.

http://twitter.com/centos
http://www.karan.org/blog/index.php
http://planet.centos.org/

I'm sorry if I've missed some other more obvious places with more updated
information ... so if that is the case, please enlighten me.


kind regards,

David Sommerseth



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 16/02/11 13:31, Stephen Cox wrote:
 On Wed, Feb 16, 2011 at 12:31 PM, David Sommerseth
 d...@users.sourceforge.net
 mailto:d...@users.sourceforge.net wrote:
 
 Is it really too much to ask for information on the progress?   And
 frankly, these references below doesn't shed too much light on the
 situation
 
 
 List,
 
 Please relax. The CentOS team are doing their job. 
 
 We aren't client or customers, we are supporters.

Exactly!  Supporters who could most probably do even more, than just to sit
here idle waiting for the next release - if we only knew what the issues
are they are facing.


kind regards,

David Sommerseth



Re: [CentOS] Authentication Problems

2011-02-16 Thread David Sommerseth
On 16/02/11 13:28, James Bensley wrote:
 Hi List,
 
 We have a CentOS VPS running a web site in a DC far away. The chap that
 dev's this site told me he couldn't SFTP in yesterday, his password was
 being rejected (I went to his desk to confirm and saw it was telling him
 the password was incorrect but neither he nor I had changed it and we are
 the only two with access to this VPS). So I logged in as root and reset his
 password, but he still couldn't log in (same problem, claiming the password
 was wrong).
 
 [root@server ~]# passwd webdevuser
 Changing password for user webdevuser.
 New UNIX password:
 Retype new UNIX password:
 passwd: all authentication tokens updates successfully.
 
 I tried to SSH in as the web dev user and it wouldn't let me in. Returning
 back to my root console window;
 
 [root@server ~]# su - webdevuser
 [webdevuser@server ~]# passwd
 Changing password for user webdevuser.
 Changing password for webdevuser.
 (current) UNIX password:
 passwd: Authentication token manipulation error
 
 Firstly; I am scratching my head as to why his password was no longer
 working in the first place?
 
 Secondly; Why I can't reset it?
 
 Googling around many people suggest there is a discrepancy between the
 /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using
 pwconv to recreate shadow and the same for /etc/groups, deleting gshadow
 recreating it with grpconv will solve the problem but I still can't login
 as the web dev user.
 
 Any ideas anyone?

- Could the account have become locked somehow?  (passwd -u $user)  Or
could the account have become expired?

- Are the permissions strict on the users ~/.ssh?  (0700 on the directory,
and 0600 on any files inside that directory - like authorized_keys ...)

- Is SELinux in Enforcing mode and are the SELinux file contexts correct on
/home?  (restorecon -rv /home)


Also double check /var/log/messages, /var/log/secure and
/var/log/audit/audit.log carefully when trying to log in as that user.


kind regards,

David Sommerseth
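The checks in this reply, plus the invalid-shell and passwd/shadow mismatch points raised elsewhere in the thread, as a small offline script; this is an added example, not code from the thread. It assumes Linux shadow-utils conventions (passwd -S output, the /etc/passwd line layout, sshd and pam_unix lines in /var/log/secure), leaves the SELinux check to restorecon as the reply says, and every sample line in it is constructed.

```python
"""Offline checker for the login-failure checklist in the reply above.

Added example, not code from the thread.  It assumes shadow-utils
conventions on Linux (`passwd -S` output, the /etc/passwd line layout,
sshd log lines in /var/log/secure); every sample line below is constructed.
"""
import os
import re
import stat
from typing import Dict, List

# `passwd -S user` prints "user STATUS last_change min max warn inactive";
# STATUS is PS/P (usable password), LK/L (locked, undo with `passwd -u`)
# or NP (no password set).
_STATUS = {"PS": "password set", "P": "password set",
           "LK": "locked", "L": "locked", "NP": "no password"}


def account_status(passwd_s_line: str) -> str:
    """Classify one `passwd -S <user>` line."""
    fields = passwd_s_line.split()
    if len(fields) < 2:
        raise ValueError("unexpected passwd -S output: " + passwd_s_line)
    return _STATUS.get(fields[1], "unknown (" + fields[1] + ")")


def passwd_entry_issues(passwd_line: str, valid_shells: List[str]) -> List[str]:
    """Check one /etc/passwd line for two things that reject a correct
    password: a password field other than 'x' (the entry is disabled or
    not shadowed, the passwd/shadow mismatch the question mentions) and a
    login shell that is not listed in /etc/shells."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        return ["malformed passwd line: " + passwd_line]
    user, pw, _uid, _gid, _gecos, _home, shell = fields
    issues = []
    if pw != "x":
        issues.append(f"{user}: password field is {pw!r}, not 'x'; compare with /etc/shadow")
    if shell not in valid_shells:
        issues.append(f"{user}: login shell {shell!r} is not in /etc/shells")
    return issues


def ssh_perm_issues(dir_mode: int, file_modes: Dict[str, int]) -> List[str]:
    """Flag ~/.ssh permissions looser than the 0700/0600 the reply asks for.
    sshd with StrictModes (the default) ignores authorized_keys when the
    directory or the file is group/world-writable."""
    issues = []
    if dir_mode & 0o077:
        issues.append(f"~/.ssh is {dir_mode:04o}, want 0700")
    for name, mode in sorted(file_modes.items()):
        if mode & 0o077:
            issues.append(f"~/.ssh/{name} is {mode:04o}, want 0600")
    return issues


def scan_ssh_dir(home: str) -> List[str]:
    """Run ssh_perm_issues against a real home directory."""
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return []

    def mode(path: str) -> int:
        return stat.S_IMODE(os.lstat(path).st_mode)

    files = {n: mode(os.path.join(ssh_dir, n)) for n in os.listdir(ssh_dir)}
    return ssh_perm_issues(mode(ssh_dir), files)


def auth_log_lines(user: str, lines: List[str]) -> List[str]:
    """Keep the /var/log/secure lines that concern this user; sshd and
    pam_unix always name the user, so a whole-word match is enough."""
    pattern = re.compile(r"\b" + re.escape(user) + r"\b")
    return [line for line in lines if pattern.search(line)]


# Constructed sample data (RFC 5737 addresses), not from the poster's VPS.
SAMPLE_PASSWD_S = "webdevuser LK 2011-02-16 0 99999 7 -1"
SAMPLE_SECURE_LOG = """\
Feb 16 09:12:01 server sshd[2201]: Accepted publickey for root from 192.0.2.7 port 40110 ssh2
Feb 16 09:15:33 server sshd[2230]: Failed password for webdevuser from 192.0.2.10 port 50022 ssh2
Feb 16 09:15:33 server sshd[2230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=webdevuser
Feb 16 09:16:02 server passwd: pam_unix(passwd:chauthtok): password changed for webdevuser
""".splitlines()

if __name__ == "__main__":
    print("account:", account_status(SAMPLE_PASSWD_S))
    print(passwd_entry_issues("webdevuser:!!:502:502::/home/webdevuser:/bin/bash", ["/bin/bash"]))
    print(ssh_perm_issues(0o755, {"authorized_keys": 0o644}))
    for line in auth_log_lines("webdevuser", SAMPLE_SECURE_LOG):
        print(line)
```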



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 16/02/11 14:18, John R. Dennison wrote:
 On Wed, Feb 16, 2011 at 01:50:55PM +0100, David Sommerseth wrote:

 Exactly!  Supporters who could most probably do even more, than just to sit
 here idle waiting for the next release - if we only knew what the issues
 are they are facing.
 
   I find it amusing that all these offers of help and assistance,
   even the round-about ones such as this, occur when people get
   antsy about the release.  Did you step up when the call for
   people to get involved at the very beginning of the CentOS 6
   release cycle occurred?  From everything I've heard on the
   various IRC channels the response to that initial call for help
   was, shall we say, lackluster at best.

That's a fair critique!

   It's incredibly easy to consume; much more difficult to produce.

And it is even more difficult to join and participate if you don't know
exactly what you are going to do.  Having a much more open process with
more information, might encourage people to step up.  A call for help at
the very beginning, and then practically not hearing anything afterwards,
may just as well be a signal that we got the resources we need.

[...snip...]
 
   If people want transparency in the process (which I include
   myself in to some extent; I feel things could, and honestly
   should, be more open, for some value of more) then I must point
   out that the project's upstream provides no transparency at all,
   including a complete lack of release time-line.  If they don't
   do so, why all the clamoring for CentOS to do so?  Just a
   thought.

That Red Hat keeps their work schedule private is not directly comparable
to a CentOS community effort, as I see it.

Red Hat is also a big financial organisation, which CentOS is not.  In that
context, Red Hat is much more responsible to stock holders, informing the
stock market on economical issues.  And market speculations need to be
controlled quite differently.  There will be market speculations, like it
or not, no matter what, most of which are related to product
releases.  In addition, Red Hat is also responsible for customer and
partner agreements, certification training, etc, etc.

It's a big machinery, which is tightly connected to the Open Source work
Red Hat does.  And revealing some of the Open Source process might reveal
other things indirectly, which makes the market speculate more wildly.

CentOS does not need to be responsible for a board of stock holders (or
what the proper term is), partners, (paying) customers, training
organisations, etc, etc.  In such regard, CentOS is quite more lucky - it
can focus primarily on the Open Source part.

Red Hat also does much more than just pulling the pieces together to form
the RHEL distribution.  These pieces are improved continuously to make them
work well in the big distribution perspective, as well as making sure it is
tested on a vast variety of certified hardware [1].

CentOS basically takes the core result of all those processes and the
labour Red Hat has put into RHEL, strips out/replaces the trademarks with
CentOS replacements, recompiles everything and has a release ready.

Hence, the CentOS process should, in theory at least, be a lot easier than
the RHEL process - the majority of the hard work is already done when
Red Hat delivers an installable RHEL distribution.  Given that CentOS can
focus primarily on the Open Source part, it should also be able to be more
transparent on its process.



kind regards,

David Sommerseth



[1] http://www.redhat.com/rhel/compatibility/hardware/



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth

On 16/02/11 14:15, Johnny Hughes wrote:
[...snip...]
 These phantom RPMS (not released by Red Hat, but in their build tree
 for their initial development of the OS) are sometimes very hard to
 replicate.  They are versions that are nowhere to be found.

Fair enough.  But please misunderstand me correctly.  We all *do*
understand that there is a lot of work behind it, and we *do* appreciate
the work all of you do put into CentOS.

But *not* knowing what you're fighting against, just leaves the community
restless ... and the more restless the community gets, the more noisy it gets.

[...snip...]

 We don't need exact dates, but an idea of how the progress is going.  Also
 some progress information of what is troublesome?  What is taking time?
 How can the rest of the community help?  This information could be given
 out even bi-weekly, and I'm sure it would calm down this tension a lot. 

 And how much more time does that add to the development process?  It is
 already taking too long for you, so you want the developers to spend
 more time on other things?  They don't have enough time now to spend on
 CentOS, how is adding time to the process going to help?  When they try,
 it is seen as not enough (see your comments below).

Does one or two hours (which I believe is a major over-estimate) bi-weekly
for writing a little update (which could be as little as one or two
paragraphs long) by one of those of you who are deeply involved and know
what's going on really set you back *that* much?

We're not asking for a full executive summary.  Just to have a feeling how
the progress is going forward.

 The whole CentOS release progress is surprisingly closed, considering it is
 an open source project.
 
 CentOS releases our source on exactly the same day as our binary files.

I said release *progress*, in the context that CentOS is an open source
project, being community driven.

The result, when it is released, is very open - just as it should be.

[...snip...]

 We do not KNOW how long it is going to take to get this right ..
 especially CentOS 6.  We have NO IDEA what problems we are going to
 incur until we hit them.  There is NO WAY to know what RPM is not going
 to build correctly until it fails to build.  There is no way to figure
 out why it did not build until you see the errors.

Fair enough!  I don't expect exact dates, which I stated earlier.  I simply
asked for an *estimate*, and an estimate can be adjusted as time goes on.

It's as easy as "We estimated 2 weeks in the last report, unfortunately it
will probably take 3 more weeks to get this right due to some unexpected
issues with {short simple brief summary}" ... do you have any idea how much
such a sentence can calm down anticipating people?

[...snip...]

 The bottom line is that this process is trial and error, especially the
 first one in a series (the .0 build).

I do completely understand, and I'm sure more of the community does as
well.  We do understand this is difficult and time consuming.  And my
responses have not been a critique of *what* the developers/packagers are
doing.  All who are involved in the hard work are doing *a lot* of good
work, which we all *do* appreciate.

But we are missing *some* information on the progress.  And *something* is
way better than *nothing*, which is the current situation.


kind regards,

David Sommerseth



Re: [CentOS] Authentication Problems

2011-02-16 Thread David Sommerseth
On 16/02/11 15:16, James Bensley wrote:
 i'd suggest looking at the log files (/var/log/secure and
  .../messages), for indications of why you're having trouble logging
  in as the other user. you can also, in a terminal window from a
  mere mortal (not root) login, try:
 
su - user
 
  as that may give you some feedback. something like having an invalid
  shell will cause what you're seeing.
 As root, if I 'su - webdevuser' it doesn't prompt me for a password
 and drops me in as the user, presumably what is intended?
 

This is normal behaviour.  root can su to whichever user without being
asked for any password by default.


kind regards,

David Sommerseth




Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 16/02/11 15:47, Karanbir Singh wrote:
 On 02/16/2011 02:22 PM, Morten P.D. Stevens wrote:
 The best example is Scientific Linux. There are schedules and an open 
 development process.

 What is the reason for the closed development process in CentOS?
 
 It's funny you say that Morten, since you actually offered to help. Didn't 
 you? But then when I asked you to look at something specific, you 
 backed off saying you had other things to do (I remember being quite 
 taken aback by your response at the time).

If someone wants to help out in a community project, and then, when a task
comes, responds that this was the wrong timing due to other obligations,
that is a pretty fair response.

Committing to a community project does not mean you have the resources
available for your disposal whenever you need it.  People committing to a
community project just gives you an idea that people are interested in
helping out.

 Why don't you just stick to lurking, since you clearly don't actually 
 want to do anything to help - just get in the way and try to make a lot 
 of noise you don't either understand or want to put any effort into 
 understanding.
 
 Would you call that a fair take on the state of your involvement Morten?

Okay, I see that the CentOS developers are under high pressure and stress
levels.  Maybe a too high stress level.  So I'm willing to stretch myself
that far to see this incident in that light.

Even though I do not know the background for this attack, I do dislike
this kind of personal attack - at least in full public.  I'm
disappointed to see such things happening here from the key people in the CentOS
community.


kind regards,

David Sommerseth



Re: [CentOS] Any update on 5.6 / 6?

2011-02-16 Thread David Sommerseth
On 16/02/11 15:58, Karanbir Singh wrote:
 Hi David,
 
 On 02/16/2011 12:50 PM, David Sommerseth wrote:
 Exactly!  Supporters who could most probably do even more, than just to sit
 here idle waiting for the next release - if we only knew what the issues
 are they are facing.
 
 So what happened in the early days of when EL6 came out - we asked 
 people to help, there were many threads on how people could get involved 
 ( on the centos-devel list, which is - I am sure you will agree, the 
 appropriate place ). Nothing happened, not one person beyond the 
 usual-people actually did anything.

I understand centos-devel might seem to be the proper place to ask for
help.  But sometimes, I believe it's better to have a much broader audience
for such messages.

However, let this be a discussion after CentOS 5.6 and CentOS 6 are released.
Rather start a new fresh thread when everyone (especially developers) has
had some rest after the releases.

[...snip...]
 Now the bit that really cheeses me off is that we can't go through the 
 same loop again and again every time someone new comes along and can't be 
 bothered to see what has happened in the past. I am not saying you did 
 this, it's possible you didn't know about the existence of these threads 
 on centos-devel etc.

This I've been seeing in many other projects as well.  However, the
places where this happens the least are where there is some communication
of the progress.

And I admit I have not paid too much attention to the centos-devel list.
Basically, because I know the next CentOS releases will come when they
come.  But I would like to know more about the progress, which has been my
agenda in today's mails.  That is something which, in my eyes (I might be
wrong though), belongs more to this generic list.

 To cut a long story short - lots of people who use centos don't 
 understand what the project is about, what we do, why we do it and how 
 they can help. On the other hand, we also seem unable to hold people's 
 attention ( and i mean people at large, not just the centos community ) 
 in order to get them thinking about the project ( and not the distro, 
 remember project != distro, needs of the hour are trivial, needs for the 
 project to sustain and exist are more important ).

And this is indeed challenging.  And you probably need a combination of
what Fedora does with their ambassadors and what Canonical manages with
profiling Ubuntu as a Linux distribution for everyone, to be able to get
the people at large scale.

Unfortunately, CentOS will most likely be for a more narrow group ... those
who want a stable release for a long time.  Which basically ends up mostly
being on servers, as the desktop side needs to be much more of a moving target
against newer versions.  And these are practically the same issues RHEL
fights with as well.

 We can try to solve these problems now, or we can get the distro's out - 
 then goto solving these issues. As many have suggested, and I partially 
 buy into - solving the problems while there is a need for the distro is 
 likely to get a better and wider reception. On the other hand, getting 
 the distro's out gets more urgent with every package release upstream 
 and app release side-stream / internet / inhouse etc.

I agree with you, that solving issues is definitely the way to go.
However, when you only solve issues along the way without providing any
information on why things take time - and it begins to take a lot of time,
then people begin to want to see results.

Again, as I've said many times today, providing *some* information on the
progress can calm things down for a while.  But keeping people in the
darkness, will result in a lot of noise.

 The problems can be solved. Of all similar projects I know of and have 
 had the privilege to be a part of, none come close to the maturity and 
 pragmatic thought levels that the CentOS community has. On the other 
 hand, the drive-by posters and people with random fluff to 
 not-really-contribute are always going to be an issue. I guess it's 
 reasonable to expect them around as well, serves as a nice reminder as 
 to what the extreme sets are.

Absolutely!

 For now, as was really decided on the centos-devel list, let's just do 
 things the way centos has in the past. Let's get the distros out - and 
 then look at solving specific issues. The whole idea that people can't 
 help is just noise, hopefully the website ver2 project will make that 
 visible a bit more than has been so far. I do know that once the 
 distros are out; the number of people wanting to 'help' is also going 
 to fall drastically. On the other hand, the ones who do stick around are 
 all people who really do want to help!

Good!  And it's a good thing that you're looking into more visibility.  I
believe this can remove, or at least reduce, some of the impatience and
restlessness which can be found on this list.

People come and go, in all kinds of projects, and major releases give a lot
of attraction

Re: [CentOS] CentOS 5 on a Thinkpad T60 laptop

2011-02-16 Thread David Sommerseth
On 16/02/11 18:08, Always Learning wrote:
 
 On Wed, 2011-02-16 at 15:52 +0100, Mathieu Baudier wrote:
 
 I'm considering buying a second-hand Thinkpad T60 (with 2 GB RAM), as
 a secondary laptop in order to run CentOS 5 on the field.
 
 One thing you might, or happily might not, have difficulties with is the
 wifi driver.  Most drivers are available from various sources.
 
 C5 is based on kernel 2.6.18. More wifi drivers were added to kernel
 2.6.27, I think.  C6 will be based on kernel 2.6.34, I believe.

As long as the CentOS kernel is based on the RHEL kernel, a lot of
drivers from newer kernels will have been backported to the 2.6.18 based
kernel, which makes newer hardware work on RHEL kernels.

The RHEL 2.6.18 kernel only sounds old and expired due to its name.  But
the content inside really isn't as old as it sounds - even though
there is a big part of original 2.6.18 code in it as well.

Check the release notes for more info ... Like for RHEL5.5
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.5_Release_Notes/ar01s04.html


kind regards,

David Sommerseth

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Strange Kernel for Centos 5.5

2011-02-11 Thread David Sommerseth
On 11/02/11 03:05, Always Learning wrote:
[...snip...]
 
 Sometimes I just wonder about the luckiness of us non-Windoze people. We
 have a really marvellous choice of operating systems (BSDs, Solaris,
 Linux et al) and it's all free and outstandingly good and reliable.
 
 I feel sorry for the Windoze victims. It's a really horrible experience
 using a bug-laden and "Micro$oft knows best" machine where it is awkward
 trying to make changes and avoid the ghastly mess of M$ Internet
 Security - ugh!  Centos is so relaxing and enjoyable  :-)

Be careful with saying such things.  A lot can be said about Windows as an
operating system and Microsoft as a company.  But be very careful about
talking about its users, you do not know the reason why they run another OS
than those which you love.

Those who use *nix oriented/based OSes aren't better people or superior to
those not doing so.  They are just different, with different
needs.  It doesn't necessarily make them victims or unlucky.


kind regards,

David Sommerseth



Re: [CentOS] Let's talk about HTTPS Everywhere

2011-01-21 Thread David Sommerseth
On 19/01/11 12:41, John R. Dennison wrote:
 On Wed, Jan 19, 2011 at 03:29:12AM -0800, S Mathias wrote:
[...snip...]

 4) If it's so great why isn't it more prevalent?

   It's not yet a 1.0 release; this may have something to do with
   it.

The version number doesn't need to say anything at all.  If a software version 
is 0.7, that doesn't mean it's less stable or useful than if the version is 1.0. 
It all depends on the developer(s) and how they evaluate their work.


kind regards,

David Sommerseth



Re: [CentOS] RHEL 5.6 is out

2011-01-15 Thread David Sommerseth
On 14/01/11 16:47, Gilbert Sebenste wrote:
 On Fri, 14 Jan 2011, Eero Volotinen wrote:

 2011/1/14 Brunner, Brian T.bbrun...@gai-tronics.com:
 Is this how other CentOS users feel when they hear a RHEL
 announcement?

 No, I think:

 These men and women are so awesome, giving up their time to make us
 a great operating system at no charge. Whether it be a week, a month,
 or a year after RHEL release, I am so grateful for all of them and the
 huge amounts of time and effort they *donate* to do all of this!!

 And I'll be blunt here: that should be our mindset for ALL of us on
 this list, and it would accelerate the timetable of new CentOS releases
 by:

 1. Not having Karanbir and others stop and waste their time on snarky
 comments, endless when will it be out, I want it NOW! tirades,
 and other garbage

Seriously, this could be improved by having some better clues on when it would 
be ready or not.  F.ex. they could state on the mailing list "will be ready 
during March".  And towards the end they could say "Early or late March" or 
in the worst case "We need to extend the test period to late April".

That gives some idea of when, and can really calm a community down.  Not knowing 
anything is the worst thing that can happen.  If they don't know, come with some 
guesstimates and correct them during the process.

A more transparent process on what is happening and what the plan is, that is 
what is really needed in community projects.

snip/

 Sorry, but I'm not in a good mood right now, but I'm tired of people
 complaining about the slow releases. As for me, I'm very grateful and
 thankful for what all the *volunteers* do for CentOS. Imperfectly?
 Sure. That's what patience and grace are for.

Patience is truly gold.  But without having at least some vague idea of when, 
these complaints or questions will *never* stop.


kind regards,

David Sommerseth



Re: [CentOS] IPv6, HE tunnel and ip6tables problems

2011-01-13 Thread David Sommerseth
On 11/01/11 21:12, Blake Hudson wrote:
 
 
  Original Message  
 Subject: [CentOS] IPv6, HE tunnel and ip6tables problems
 From: Stephen Harris li...@spuddy.org
 To: CentOS mailing list centos@centos.org
 Date: Tuesday, January 11, 2011 1:09:25 PM
 CentOS 5.5, fully patched.

 I have a HE tunnel (tunnelbroker.net) IPv6 tunnel.  This works pretty
 well and is simple to setup.  Everything works fine.

 Until I try to set up an ip6tables firewall.

 ...
 It might be that I need to compile a generic kernel; apparently 
 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.

 Maybe CentOS 6 (*nudge nudge*) will work :-)

 I'm not sure I want to leave my home network on IPv6 without a firewall;
 not sure I trust all the machines I have on local network to be safe
 from remote probes!

 I wonder if anyone has any suggestions...

 Thanks!

 
 I have been waiting for RHEL6/CentOS6 because, as I understand it,
 CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic
 would have to have a default ACCEPT policy or only specific applications
 allowed (based on source port) on a case by case basis. Perhaps this is
 the issue you are running into. However, I would think you'd receive an
 error attempting to set --state ESTABLISHED,RELATED within iptables if
 this were the case.

That matches what I've heard and experienced as well.  I heard that
backporting the changes from the 2.6.20-something kernel, where stateful
IPv6 filtering arrived, down to 2.6.18 was too big or too risky
to the stability.  I don't know the details, just something I caught on
IRC or so.

 I would be delighted if someone could share their experiences with ip6
 and CentOS5, especially from a security or service provider standpoint.

My experience is that IPv6 in CentOS5 works very well, but is not
optimal due to lack of stateful firewalling.  However, I'm certain that
is solved in CentOS6/RHEL6.


kind regards,

David Sommerseth

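A worked ruleset for the situation Stephen describes (IPv6 arriving over a tunnel, wanting a default-deny inbound policy), added here as an example; it is not code from this thread or from CentOS. It assumes the tunnel interface is called sit1 and that only TCP/22 should accept new inbound connections; both are assumptions and can be overridden through the TUN_IF and ALLOW_TCP environment variables. The script prints the commands by default so it can be reviewed on any machine, and only executes them when run with "apply".

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal stateful
# ip6tables ruleset for a host that gets IPv6 through a tunnel.
# The tunnel interface name (sit1) and the inbound TCP ports (22) are
# assumptions; override them with TUN_IF and ALLOW_TCP.
#
# Two details that ad-hoc IPv6 rulesets often get wrong:
#  - ICMPv6 must be allowed; neighbour discovery and path-MTU discovery
#    break if it is dropped wholesale.
#  - The DROP policy is set last, so applying this over an existing IPv6
#    SSH session does not cut the session before the ESTABLISHED rule is in.

TUN_IF="${TUN_IF:-sit1}"        # assumed tunnel interface
ALLOW_TCP="${ALLOW_TCP:-22}"    # assumed inbound services, space separated

# Print the ruleset, one ip6tables command per line.
ip6_ruleset() {
    echo "ip6tables -F INPUT"
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    echo "ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT"
    for port in $ALLOW_TCP; do
        echo "ip6tables -A INPUT -i $TUN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "ip6tables -A INPUT -j LOG --log-prefix 'ip6-drop: '"
    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -P FORWARD DROP"
    echo "ip6tables -P OUTPUT ACCEPT"
}

# Heuristic check for IPv6 connection tracking in the running kernel: the
# ESTABLISHED,RELATED rule depends on it.  Looks for the conntrack table in
# /proc and then for the nf_conntrack_ipv6 module.  The authoritative test
# is whether that rule loads at all, which "apply" finds out via sh -e.
ip6_conntrack_available() {
    [ -r /proc/net/nf_conntrack ] && return 0
    grep -qs '^nf_conntrack_ipv6 ' /proc/modules
}

if [ "${1:-}" = apply ]; then
    ip6_conntrack_available || \
        echo "warning: no IPv6 conntrack found, the state rule may fail" >&2
    ip6_ruleset | sh -e
else
    ip6_ruleset
fi
```

Whether the `-m state` line loads is the real test for stateful IPv6 filtering on a given kernel: if the kernel has no IPv6 connection tracking, that rule fails to load and the fallback is the stateless, accept-by-port policy Blake describes.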


Re: [CentOS] how to recreate eth0 - Realtek 8169sc

2011-01-10 Thread David Sommerseth
On 10/01/11 05:41, Rudi Ahlers wrote:
 On Sun, Jan 9, 2011 at 11:13 PM, Robert Spangler
 mli...@zoominternet.net wrote:
 On Sunday 09 January 2011 13:33, Rudi Ahlers wrote:

  Our intranet's WAN interface just stopped working yesterday, and I
  can't figure it out.

 Look in /etc/sysconfig/network-scripts.  There you should see ifcfg-eth#.  If
 ifcfg-eth0 isn't there copy ifcfg-eth1 to ifcfg-eth0 and then configure
 ifcfg-eth0 to the information needed for your WAN link.

 
 The device file exists, but it's like as if the network card itself
 doesn't exist.

My immediate hunch is ... and I'm sorry to say it ... but your NIC is
of the kind often referred to as "Realcrap" NICs - unfortunately that's
not without a reason.

However, check what lspci says.  If you don't see your NIC there, it is
most likely a hardware issue (or caused by BIOS changes).  If you see
it, then look closely in dmesg for anything related to loading the
kernel module for this NIC.  See if that spits out any error messages.
You may also try to reload your NIC's kernel module (modprobe -r module
&& modprobe module).

Another thing is to figure out what you did before it stopped working.
If you want to say "I did nothing" and that means you rebooted your box,
upgraded packages or other things which might sound safe and innocent,
it might just as well be connected.

The only times I've experienced issues and where I really did nothing,
it was related to physical hardware issues.  But those times where I did
"nothing" (rebooting, upgrading, innocent configuration changes) and got
troubles ... it was always connected to the "nothing" I did.
Sometimes even disabling "useless" features in BIOS turned out to
disable quite a useful feature after all.

So no rock is too small to be turned around now.  Go carefully through
all your changes you did before it stopped working.


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2011-01-07 Thread David Sommerseth
On 06/01/11 04:03, Paul Johnson wrote:
 On Wed, Jan 5, 2011 at 12:57 PM, Daniel J Walsh dwa...@redhat.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 01/05/2011 11:50 AM, Paul Johnson wrote:



 Turn on the httpd_can_sendmail boolean.  We do not want all apache
 servers to be able to send mail by default.

 # setsebool -P httpd_can_sendmail 1

 man httpd_selinux
 ...
 
 Dear Mr Walsh:
 
 Thanks very much for the information.  I did as you said, turned
 SELinux back on, and now mediawiki can send email, like it is supposed
 to!
 
 I would not have figured it out if you had not posted your advice.
 
 I hope this thread finds it way to google so other people will see it
 is a solved problem!

Whenever SELinux seems to try to bite me, I first list out all boolean
settings, using grep.  In your case I would do something like this:

[r...@host: ~]# semanage boolean -l | grep mail
allow_postfix_local_write_mail_spool -> off   Allow postfix_local doma..
httpd_can_sendmail -> off   Allow http daemon to send mail..
[r...@host: ~]# getsebool -a | grep mail
allow_postfix_local_write_mail_spool --> off
httpd_can_sendmail --> off
[r...@host: ~]#

semanage boolean and getsebool give basically the same information,
except semanage gives a little helpful description in addition.

If that's not helping, audit2why or audit2allow usually helps me to
understand a little bit more what is going on.  And from there I usually
figure out if I need to enable more booleans or if I have a specific
setup of my own which need a hand crafted SELinux module.


kind regards,

David Sommerseth

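When no boolean matches, the next step David mentions is reading the denials themselves. The script below is an added example (not from this thread, and not part of the SELinux tool set) that reduces AVC records to the unique source-type / target-type / class triples with their denied permissions, which is what audit2why then resolves against the loaded policy. The audit lines are constructed for the example; on a real box pipe in /var/log/audit/audit.log instead. The first summary line is the httpd-to-SMTP-port denial that httpd_can_sendmail addresses in this thread.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise AVC denials
# from an audit log the way you would skim them before running audit2why.
# Each record is reduced to "source type -> target type (class): { perms }"
# so repeated denials collapse into one line with a count.
# The audit lines below are constructed for this example.

SAMPLE_AVC='type=AVC msg=audit(1294250231.123:4567): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=25 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1294250231.456:4568): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=25 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1294250240.789:4570): avc:  denied  { read } for  pid=2345 comm="httpd" name="LocalSettings.php" dev=dm-0 ino=9876 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1294250240.789:4570): arch=c000003e syscall=2 success=no exit=-13'

# Read audit records on stdin; print one line per unique
# (source type, target type, class) with the union of denied permissions
# and the number of records it stands for, in first-seen order.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            # the permissions are the words between "{" and "}"
            perms = $0
            sub(/.*denied  *\{ */, "", perms)
            sub(/ *\}.*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # context fields are user:role:type:level; take the type
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            key = src " -> " tgt " (" cls ")"
            if (!(key in count)) { keys[++nkeys] = key }
            count[key]++
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) seen[key, p[j]] = 1
        }
        END {
            for (k = 1; k <= nkeys; k++) {
                key = keys[k]; list = ""
                for (sp in seen) {
                    split(sp, kp, SUBSEP)
                    if (kp[1] == key) list = list (list == "" ? "" : " ") kp[2]
                }
                printf "%s: { %s } x%d\n", key, list, count[key]
            }
        }'
}

# Default run over the constructed sample.
echo "$SAMPLE_AVC" | avc_summary
```

Feed the output to your own judgement before feeding the raw log to audit2allow: a denial such as httpd_t reading user_home_t is usually a labelling problem to fix with chcon or semanage fcontext, not a reason to generate a local policy module.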


Re: [CentOS] Intel NIC

2011-01-03 Thread David Sommerseth
On 24/12/10 06:35, Rajagopal Swaminathan wrote:
 Greetings,
 
 On Thu, Dec 23, 2010 at 4:27 PM, Les Mikesell lesmikes...@gmail.com wrote:
 On 12/23/2010 10:02 AM, Alexander Dalloz wrote:
 The licensed vCenter stuff refers to a single app that is
 simultaneously aware of all of your ESXi servers and their guests and
 can move/fail resources across servers - concepts that I don't think the
 other hypervisors even have.
 
 Duh.. What is RHEV then?

 I am in front of the box now. Can you tell me which feature is
 missing? if any, perhaps we can raise a point with redhat.

Maybe this one answers some of your questions ...
http://www.redhat.com/virtualization/rhev/server/features-benefits/


kind regards,

David Sommerseth



Re: [CentOS] Server unresponsive until reboot, memory exhausted

2010-12-30 Thread David Sommerseth
On 29/12/10 17:06, cpol...@surewest.net wrote:
 On 12/28/2010 01:41 PM, james wrote:
 You may be right about the restart, but I would like to know WHAT is
 crashing my web server regardless. We are not running any shiftily
 coded sites or apps on this server that I'm aware of (obviously
 something is shifty!). Is anyone aware of any other methods for
 drilling into the problem?

 You may be dealing with a request that crashes before any data
 makes it into the logs.

 Here's a trick I have used (posted Feb 10, 2008 by Phantom
 in alt.apache.configuration):

 ls -l `ps -C httpd h | sed -r "s/^\s*([0-9]+) .+$/\/proc\/\\1\/cwd/"`

 which prints out the directory that each Apache worker thread is
 accessing. If you can narrow it down to the pid, you can use lsof to
 identify the particular file being being processed. Please keep us
 posted!

If you can track down the pid, you can easily check which file descriptors 
are in use and which files or sockets they relate to by looking in the 
/proc/$PID/fd directory.


kind regards,

David Sommerseth

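As an added example of the /proc approach (not code from this thread): a small script that reports the working directory and every open descriptor of a process straight from /proc, plus a helper that pulls the socket inodes out of that listing so they can be matched against /proc/net/tcp6 or "netstat -ep". It assumes procps' "ps -C" syntax and defaults to the process name httpd; both are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect a process through
# /proc instead of lsof.  /proc/<pid>/cwd is where the process is working,
# /proc/<pid>/fd/* are symlinks to every open file, pipe and socket.
# The default process name "httpd" is an assumption.

# Print the cwd and every "fd -> target" pair for one PID.
proc_fds() {
    pid=$1
    [ -d "/proc/$pid/fd" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'pid %s cwd -> %s\n' "$pid" "$(readlink "/proc/$pid/cwd")"
    for fd in /proc/"$pid"/fd/*; do
        # a descriptor may be closed between the glob and the readlink;
        # -L (not -e) because socket targets are not real paths
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# PIDs of every process with the given command name (procps syntax).
pids_of() {
    ps -C "$1" -o pid= 2>/dev/null
}

# Sockets appear as "socket:[inode]"; print just the inodes from a
# proc_fds listing, one per line, for matching against the inode column
# of /proc/net/tcp6.
socket_inodes() {
    sed -n 's/.*socket:\[\([0-9]*\)\].*/\1/p'
}

# Default run: dump every worker of the (assumed) httpd process.
for p in $(pids_of "${1:-httpd}"); do
    proc_fds "$p"
done
```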


Re: [CentOS] Dual or quad fast ethernet NICs (that work with CentOS)

2010-12-28 Thread David Sommerseth
On 28/12/10 13:13, robert mena wrote:
 Hi,

 I am looking for dual or quad fast ethernet NICs that work with CentOS.
   There is no need for high performance so regular fast/pci is ok.


I have very good experiences with Intel PRO/1000 (aka. EtherExpress, if I'm 
not mistaken) cards in general, both the single NIC and dual NIC models. 
The e1000 or e1000e drivers work flawlessly.  I would not expect quad-based cards 
of the similar type to be any problem either.

This is an extract from one of the firewalls I've got, having 2x dual-NIC cards:

0a:02.0 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
0a:02.1 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
0a:03.0 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)
0a:03.1 Ethernet controller: Intel Corporation 82546GB Gigabit Ethernet Controller (rev 03)

These cards use the e1000 driver.


kind regards,

David Sommerseth



Re: [CentOS] Opinions wanted...user management options....Home network

2010-12-17 Thread David Sommerseth
On 17/12/10 16:55, Tom Bishop wrote:
 So I need some opinions on which way to go, for my home network I am
 running almost all linux, and I am starting to want to manage all of the
 users accounts, uid/gids for all of the devices some of which are
 laptops...so what is the best path going forward, on the server end I am
 running Centos5.5 and will be moving to centos 6 once it is
 released...the laptops and desktops run various flavors of
 Ubuntu/Fedora..Thanks in advanced, if there are any questions let me
 know

Install the centos-ds suite.  That'll give you a great directory server,
accessible via LDAP.  Then you can consider setting up a Kerberos server
as well, with which you can easily do single sign-on between your hosts.

centos-ds is the rebranded Red Hat Directory server, also available in
Fedora as 389 Directory Server.  So the docs for setting up and
administering it shouldn't be too far away.


kind regards,

David Sommerseth



Re: [CentOS] Moving from Fedora -- Advice??

2010-12-17 Thread David Sommerseth
On 17/12/10 18:24, Scott Robbins wrote:
 On Sat, Dec 18, 2010 at 01:11:49AM +0800, Guenther Boelter wrote:
 On 12/18/2010 01:04 AM, Beartooth wrote:

 I'm running Fedora14 on all machines, including my wife's -- and
 I'm the nearest (distant) thing there is to tech support.

 What's wrong with Fedora in that case, what do you think is the benefit 
 of using CentOS instead?
 
 Fedora will break things.  They're still, in many ways, figuring out
 what they are, but they do serve as a test bed, or perhaps development
 platform, for various things that aren't ready for prime time.

I so often hear that Fedora breaks things.  I've been running F-11 and
F-12 on a server as KVM host, without issues.  I've been using F8-F13 on
several computers (3 laptops and a workstation), and I can't really say
it has broken anything on my setups.  It might be I'm not using it
right to experience such breakage.  Use cases are everything from
mail, surf and OO.org to development tasks

In fact, for me, Fedora has been way more stable and solid than the time
I was running Ubuntu (from Gibson to Ibix), where I got worried every
time there were new updates available.

But rightfully enough, I've never tried CentOS on the desktop.  Maybe
CentOS 6 will be a good choice for that.


kind regards,

David Sommerseth



Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-15 Thread David Sommerseth
 error prone.  If you
forget xmlFreeDoc(), this little application leaks memory.  There are no
checks for NULL pointers, causing a segmentation fault.  While the
single printf() line would just print "(null)" instead and not crash.
Sometimes the latter is preferred and acceptable, but a segfault is
almost never acceptable.

But the printf() solution also has a few other nasty gotchas which
libxml2 will handle gracefully.  Imagine if the message string contains
HTML data, or just a single ampersand.  However, sometimes your program
will just dump out numbers, and then suddenly printf() is just as good
as libxml2.

So there are times when using external libraries/modules/extensions is
completely overkill.  And there are times when doing it yourself is a task
too big.  Most good and skilled developers usually see where this border
line goes.  The rest of the developers just hack something together and
provide something which usually works very fine and that you don't need
to read the code afterwards.

Bottom line is:  It doesn't matter which language you use or which
modules that language supports.  What matters is: a) Is the language
suitable for the task, b) Can the developer use the language and needed
modules efficiently, c) Does the developer know how to solve the
complete task wisely ... the rest is just a matter of personal taste.



kind regards,

David Sommerseth



Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-15 Thread David Sommerseth
On 15/12/10 11:02, Rajagopal Swaminathan wrote:
 Greetings,
 
 On Wed, Dec 15, 2010 at 3:20 AM,  m.r...@5-cent.us wrote:
 Kwan Lowe wrote:

 Um, that COBOL code I fixed?
 
 That reminds me of a structural analysis fortran program into pascal
 in dos using expanded/extended memory with disk as virtual memory
 without a single goto etc.
 
 Gosh I didn't keep track of the lines of code I shaved off it I guess
 at least one line per goto/branch.
 
 Sigh... missing the fun of cursing heartily the original
 programmer/developer... Gone are those days.

This is the place to continue the curse ...
http://thedailywtf.com/Series/CodeSOD.aspx


kind regards,

David Sommerseth



Re: [CentOS] Issues with CentOS in enterprise

2010-12-14 Thread David Sommerseth
On 14/12/10 02:15, Nico Kadel-Garcia wrote:
 On Mon, Dec 13, 2010 at 1:37 PM, Gé Weijers g...@weijers.org wrote:


 On Mon, 13 Dec 2010, Nico Kadel-Garcia wrote:

 RHEL is much better about that, although by now  the production RHEL
 5 is 4 years out of date, the leading edge RHEL 6 is now one year
 out of date after the lengthy release testing, and CentOS will always
 lag that.

 I believe "out of date" is the wrong wording. RHEL/CentOS 5 is maintained,
 i.e. security issues and bugs are fixed. There's nothing out of date
 about a tool that works and is cost-effective. RHEL 6 still has to prove
 itself.
 
 From harsh experience, I'm afraid it's the right wording. You can only
 go so far with backporting, and critical feature additions (such as
 the availability of GSSAPI in OpenSSH, warnings of local password
 storage in Subversion, git emacs macros incompatible with the out of
 date Emacs, and PHP dependencies unfulfilled for contemporary tools)
 make it quite stale.
 
 In my day job I support dozens of developer desktops that run CentOS 5 with
 a modified kernel supporting non-standard devices. It takes a few hours a
 week. Trying to track the bleeding edge supporting, say, Ubuntu would take
 much more time.
 
 Well, yes. But the edge on RHEL 5 is 4 years old, and RHEL 6 (and
 eventually CentOS 6) will have been blunted for a year by the time
 it's published. It's a problem if you try to backport contemporary
 tools (which I do).

RHEL/CentOS isn't supposed to be cutting-edge.  That has never been the
intention.  It's supposed to be stable for 7-10 years.  And I believe
CentOS strives for the same, as they basically just re-wrap and re-brand
RHEL packages.

That means that some of the software will stay behind, especially if
there are no nasty bugs and security issues with them.  Other critical
software pieces will be updated, especially when it is related to bugs
which endanger the stability or security of the system.  But for an
update of the software to happen, developers and testers strive to make
sure it won't break compatibility or cause instabilities.

The kernel itself is a brilliant example.  It's based on 2.6.18, but it
contains a lot of features and hardware support which even came as late
as in the 2.6.3x series.  Just look at the KVM support which came in
RHEL/CentOS 5.4. KVM was first introduced officially in the 2.6.20
kernel, IIRC.  In addition, security issues which have been located in
all kernel versions and which also affect the 2.6.18 based kernel are
backported.

See this link for a more info:
https://access.redhat.com/support/policy/updates/errata/

What makes some of these backports tricky is that they work hard to
maintain ABI (Application Binary Interface).  That means that if you
have an application using a specific library on RHEL/CentOS, that
application should not need to be rebuilt at all if an updated library
is installed.  This gets even more difficult when looking at kABI
(Kernel ABI), where the kernel can not change things in a way which
breaks user space tools or libraries.

And this stability has its cost ... that you will not find bleeding edge
versions on most of the software.  There are some exceptions, but that
is very seldom (Upgrading from Firefox 1.5 in RHEL5 to a 3.x based one,
comes to mind).

When it comes to git support in Emacs, that is most probably because
you try to install a newer git module in Emacs than what is supported.
And IIRC, you even need to pull in git via EPEL, as git is not even a
part of the standard RHEL5 package set.  So in this case, git support
isn't even expected in a standard RHEL/CentOS installation.  Like it or
not, but that's how the RHEL/CentOS world is defined.

And also take into consideration that RHEL6 is shipped with approx.
2,000 packages.  And there are over 10,000 packages available for
Fedora.  Such a limited package scope is needed to be able to provide
stability.  And this stability is why so many love to run
RHEL/CentOS/ScientificLinux instead of many other Linux distros on their
servers.

For the desktop side, I personally do see this restricted package list
and long lasting package support (7-10 years) as a much more difficult
barrier.  But for the server side, I'm happy it is as it is.  It gives
me less to worry about.

So if you want a bleeding edge environment, go for Fedora.  What goes in
here might go into RHEL and then CentOS with time.  What's not going
into a new RHEL release might show up in EPEL, especially if you take
care to make that happen.  You can have that power if you want to.


kind regards,

David Sommerseth



Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread David Sommerseth
On 13/12/10 17:32, Lamar Owen wrote:
 On Monday, December 13, 2010 11:14:24 am Sven Aluoor wrote:
 What programming language should I learn?
 
 Python.  You can find useful examples of python code throughout CentOS, 
 beginning with yum itself.  Get yourself a copy of 'Dive into Python' (can be 
 had as a free download, legally) and, well, dive into python!

I completely agree!  Python is really worth looking at.  And a lot of
the tools on RHEL/CentOS are written in Python.

http://diveintopython.org/

I see quite some people suggest Perl.  I've been in that camp as well,
but I personally find Python much more intuitive than Perl, and also a
lot more consistent.  Perl is truly like paint, you can splash the
colours around just like you want.  The learning curve for Perl is quite
a bit higher than Python's in my experience.

"Dive into Python" helped me to really get started, and it went fast
with this book.

Python forces you to be more consistent, which is not a bad thing if
you want to understand better what you are doing in the very beginning.
Later on Perl, Ruby, C#, Java, C/C++ might be good alternatives, as
they probably are much stronger in a lot of fields for more complex tasks.

But remember each tool has its own use case.  You don't need a hammer
when you have screws.  It's the same with programming languages.  And
Python and Perl are often used as the Swiss Army Knife.  Useful for a
lot of ad-hoc and not too heavy routine tasks, but you won't rely on it
when going hunting in the wilderness.


kind regards,

David Sommerseth



Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread David Sommerseth
On 14/12/10 00:20, Warren Young wrote:
 On 12/13/2010 3:02 PM, Adam Tauno Williams wrote:
 On Mon, 2010-12-13 at 14:49 -0700, Warren Young wrote:
 C# exists more for political and business
 reasons than technical ones; it fills the same space Java could fill, in
 a platform-agnostic world.

 False.  C# has significant technical advantages over Java - good
 Generics and LINQ just being two.
 
 I meant to say it was *created* more for political and business reasons 
 than technical ones.  Yes, the two have diverged since that time.
 
 Another advantage over Java is the namespaces were not created by an
 addled drug addict.
 
 I don't think naming arguments hold much water.  Memorization is a key 
 part of learning any programming language.  Nothing is truly intuitive 
 in computing.  (The only intuitive interface is the nipple.)  You may 
 like your set of names more than another, but they all have to be 
 memorized if you want to use them.
 
 To the OP's complaint, I think both languages have a similar problem, 
 that being the depth and scope of each platform's namespaces.  They're 
 both elephantine.  With Perl, at least, you can start by ignoring CPAN 
 and everything they added in Perl 5.  The Perl 4 core is a powerful but 
 readily grasped step up from shell scripting.
 
 Besides, you shouldn't be throwing stones.  There's another mono that 
 is currently more common, according to Google.
 
 Another poster mentioned a documentation advantage, but I imagine a lot
 of that advantage is eroded by being Windows and Microsoft centric.

 ...The portability is extremely good
 
 Extremely?  http://www.mono-project.com/Compatibility
 
 Mono is an impressive project, but you can't tell me someone wouldn't 
 get into trouble by developing using Microsoft's documentation only.
 
 Besides, CentOS doesn't come with a CLR, so I suspect it's not portable 
 enough for the OP.

Mono is an intellectual property and licence minefield.
http://www.linuxplanet.com/linuxplanet/reports/6801/1/
http://en.wikipedia.org/wiki/Mono_%28software%29#Mono_and_Microsoft.E2.80.99s_patents

And considering what's happening with Novell these days as well, I would
be concerned relying on Mono until things get clearer.  The agreement
Microsoft and Novell had is about to expire soon as well, IIRC.


kind regards,

David Sommerseth



Re: [CentOS] OT: programming language for morons (newbie friendly language in Open Source world)

2010-12-14 Thread David Sommerseth
On 14/12/10 05:46, Nico Kadel-Garcia wrote:
 On Mon, Dec 13, 2010 at 11:14 AM, Sven Aluoor alu...@gmail.com wrote:
 Hi folks

 I have more than 12 years experience with UNIX system administration,
 but I am too stupid for programming. My only programming experience is
 shell scripting. I tried to learn Java, but don't understand it
 because it is too complicated for my limited brainpower.

 What programming language should I learn?

 A friend said that C-Sharp (Mono) is very simple. Is this true?
 
 Learn Perl. 

That's not so hard

 Learn it well

This is a lot harder

: it's far more flexible and more scalable
 than shell, but doesn't ignore your hardwon lessons completely.

Most scripting languages are more scalable than shell, despite shell
being quite comprehensive.  But most other scripting languages (than
shell) can do the same advanced tasks much more simply.

 A competent Perl programmer who has learned to *check their error
 conditions* is worth their weight in oyster-crafted gemstones.

Quite so true.


kind regards,

David Sommerseth



Re: [CentOS] What NAS device(s) do you use? And why?

2010-12-12 Thread David Sommerseth
On 12/12/10 08:56, John R Pierce wrote:

 IBM sells some nice one rack units as well.

 speaking of... anyone have any experience with the IBM DS3500 storage?

 I've been considering the DS3500 for my dev lab storage.   These come
 24x2.5 (or 12x3.5) SAS 2U boxes with redundant storage controllers
 that have 2x2 SAS host ports and either 2x4 gigE iscsi or 2x4gb FC
 ports.   you get to pay extra for more host partitions and stuff.   they
 are basically rebranded LSI/Engenio 2600 and come in both 12x3.5 or
 24x2.5 2U SAS chassis... there's also SAS expansion ports you can add
 several additional storage bays to.

 I have zero (0) experience with IBM branded storage.I do have a IBM
 Bladecenter and Power 520 AIX server in my lab, so I'm not all together
 unfamiliar with IBM.

I don't know about the DS3500, but I'm using a DS3200 with SAS HBA interface. 
At the moment it's used by a Fedora 12 box (I'm freezing on this release and 
waiting for C6 to appear), and it works just flawlessly.  Nice, quite intuitive 
and informative admin interface which is accessible directly via TCP/IP to the 
storage unit (out-of-band) or using the SAS interface directly (in-band).

The only thing to pick on the admin interface is that it's Java and I had to 
tweak the start script a little bit to make it run as a non-root user via a 
VPN connection.  Another thing is that an instance of the admin interface must 
be running for automated e-mail alerts if something happens.

Apart from that, I'm very happy with it!  The unit has 12 slots for disks and 
it is possible to connect more units together.  There's also one available slot 
for another controller, so that two servers may use it via separate physical 
channels.  It also has two power supplies as standard and it even complains 
badly if one of them is not connected.

The host adapter is the IBM 3Gb SAS HBA Controller v2, which uses the mptsas 
(Fusion-MPT SAS) driver, so Linux support is present.  I don't know, but I 
would even expect this driver to be recent enough in RHEL5/C5 as well.

I do not have any particular experience with other storage brands and I chose 
this one due to my very good experience with IBM servers and their Linux 
support.  And I would definitely go out and buy another IBM storage again if I 
needed to.


kind regards,

David Sommerseth



Re: [CentOS] /bin/env

2010-12-12 Thread David Sommerseth
On 12/12/10 06:50, Brian Mathis wrote:
 On Fri, Dec 10, 2010 at 2:20 PM, James B. Byrnebyrn...@harte-lyne.ca  wrote:
 Please forgive my ignorance but I need a explanation of how to
 accomplish the following since I cannot figure it out from the
 documents.

 I have a Ruby script with a shebang line that looks like this:

 #!/usr/bin/env ruby

 On one particular host I have two Ruby interpreters installed; one
 the CentOS base version 1.8.6 in /usr/bin/ruby the other version
 1.8.7 in /usr/local/bin/ruby.  In my shell the which command finds
 /usr/local/bin/ruby.  In a cron job the /usr/bin/ruby is used by the
 /bin/env invocation.

 My question is: How does one configure /bin/env to return the
 /usr/local/bin/ruby version?  or does that question even make sense?

 I have looked at the alternatives command but that seems just a tad
 involved.  And since this is a production server I am not quite
 ready to trust to RVM either.

 In the short term I have simply removed the CentOS version which has
 resolved the immediate issue.  However, I would like to know how to
 handle this a little more elegantly in future.


 I'm not sure who came up with the /usr/bin/env thing (though I
 understand what they were trying to do), but it's exceedingly stupid.
 Even the smallest bit of testing would have easily revealed these
 kinds of problems with it.  The solution is to simply not use it and
 directly invoke the interpreter.

I probably disagree with you here.  The /usr/bin/env thing solves issues with
script interpreters being installed in a different location than usually, like
/opt/my-own-tweaks/bin.

You may disagree that this is appropriate, but in some settings this is
highly needed if you think about cross-platform support.  F.ex. a program
using scripts which really only work with bash, and on some Unix boxes that is
installed under, say, /usr/gnu/bin.

So by putting /usr/gnu/bin in an appropriate position in the global PATH 
variable and using /usr/bin/env ... that script will also work without any 
tweaks on a multitude of platforms without needing to be modified.  And of 
course you have similar issues when running a script via cron.

I would rather try to figure out why /usr/bin/env doesn't report 
/usr/local/bin early in the path for cron jobs to start with.  That's the core 
issue in this context.  So as was suggested earlier, compare the PATH variable 
from a shell and via a cron job and try to figure out why it is different.


kind regards,

David Sommerseth
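As an added example (not code from the thread), a small Python emulation of the PATH walk that `/usr/bin/env ruby` performs, run against a constructed temp directory tree standing in for /usr/bin/ruby (1.8.6) and /usr/local/bin/ruby (1.8.7); cron's default PATH of `/usr/bin:/bin` is assumed, as is typical for vixie-cron.

```python
import os
import stat
import tempfile


def resolve_via_path(command, path_value):
    """Walk PATH left to right and return the first executable file called
    `command`; this is how `/usr/bin/env command` (execvp) finds the
    interpreter. Returns None when nothing matches."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or os.curdir, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_fixture():
    """Constructed stand-in for the poster's host: two fake 'ruby' scripts
    in a temp tree, under usr/bin (base 1.8.6) and usr/local/bin (1.8.7).
    Returns the root of the tree."""
    root = tempfile.mkdtemp(prefix="env-demo-")
    for rel, version in (("usr/bin", "1.8.6"), ("usr/local/bin", "1.8.7")):
        bindir = os.path.join(root, rel)
        os.makedirs(bindir)
        script = os.path.join(bindir, "ruby")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho ruby %s\n" % version)
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
    return root


def which_ruby(root):
    """Compare the lookup under three PATH values: an interactive shell with
    /usr/local/bin first, cron's minimal default (assumed '/usr/bin:/bin'),
    and a crontab that sets PATH explicitly so /usr/local/bin wins again."""
    usr_bin = os.path.join(root, "usr", "bin")
    usr_local_bin = os.path.join(root, "usr", "local", "bin")
    plain_bin = os.path.join(root, "bin")  # absent in the fixture; harmless
    paths = {
        "shell": os.pathsep.join([usr_local_bin, usr_bin, plain_bin]),
        "cron_default": os.pathsep.join([usr_bin, plain_bin]),
        # the fix the thread points at: set PATH= in the crontab itself
        "cron_with_path": os.pathsep.join([usr_local_bin, usr_bin, plain_bin]),
    }
    return {name: resolve_via_path("ruby", p) for name, p in paths.items()}


if __name__ == "__main__":
    demo_root = build_fixture()
    for name, found in which_ruby(demo_root).items():
        print("%-15s -> %s" % (name, found))
```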





Re: [CentOS] ultimate backup choice

2010-12-11 Thread David Sommerseth
On 11/12/10 13:17, S Mathias wrote:
 i have:
 SERVER A
 SERVER B

 with full root permisson [ssh, etc]

 each server has a folder.

 i want to backup a folder in SERVER A.

 are there any backup methods, that meets these two requirements? :


 1) running from e.g.: a cronjob

 2) when running, it just checks the folder in SERVER A and SERVER B.
 if a file/folder has been added/removed/modified in the SERVER A's
 folder, then it copies/removes it/them to SERVER B's folder.


I've been running BoxBackup on several servers and am quite satisfied.  Good
security and it works flawlessly.  I'm mostly running them in lazy mode, which
means the backup daemon picks up changed files after a while and sends them to
the backup server.  All backup clients use SSL certificates so all data is
transferred and stored encrypted on the server as well.

In addition, there is a neat, simple manual soft RAID solution, where data can
be spread over three directories.  I'm in the process now of setting up rsync
of these directories to separate storages outside the building.  If one of
these directories is lost or stolen, the data makes no sense unless you get
a copy of another directory to build up the third directory.  And considering
each backup client uses separate encryption keys, the security is still good.

http://www.boxbackup.org/

The only disadvantage I've found is that the restore features can be a bit 
cumbersome, and dates on directories are not preserved so well.  Windows 
client support exists, but if you have files bigger than 2GB, they need to be 
restored on a Linux box.

So nothing big and amazing, but slightly more advanced than rsync and simpler 
than Bacula or Amanda backup.


kind regards,

David Sommerseth



Re: [CentOS] Optimal VPN

2010-12-10 Thread David Sommerseth
On 09/12/10 17:29, Steve Clark wrote:
 On 12/09/2010 10:30 AM, David Sommerseth wrote:
 On 25/11/10 14:12, j.witvl...@mindef.nl wrote:
[...snip...]
   
 Furthermore, openvpn is only compatible with openvpn, while using ipsec you 
 might be able to connect to other boxes.
 
 That is mostly true, except for those vendors adding their own
 proprietary extensions to their ipsec implementations ... thus making it
 a vendor lock-in again.

   
 Hmm... We run ipsec, (using ipsec-tools on both Linux and FreeBSD),
  to Cisco, Juniper, NetScreen and many others without problem.
 What vendors are you talking about?

I don't have personal hands-on experience with ipsec issues.  However, I
would expect things to work flawlessly as long as you don't enable
vendor specific features, or if you enable compatible features.

http://www.veiligmobiel.com/IPsecCompatibility.htm

And I believe there will be even more differences if you try to use a
tunnelled setup versus a transport setup, where the tunnelled mode
will act more like an SSL based VPN.  If I have understood it correctly.


kind regards,

David Sommerseth



Re: [CentOS] Issues with stat() call on CentOS5 vs CentOS4

2010-12-10 Thread David Sommerseth
On 10/12/10 18:23, Dougal Ballantyne wrote:
 Dear CentOS,

 I have recently upgraded several servers from CentOS4 to CentOS5 and I am
 noticing a strange change to the stat() call. I have written a very
 small program to test and show the behavior. I am calling stat()
 against a file which is exported from my NAS and mounted with 32k
 read/write sizes.

 [doug...@centos4 tmp]$ cat my_stat.c
 #include <unistd.h>
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>

 int main(int argc, char **argv)
 {
     if(argc != 2)
         return 1;

     /* stat() the path given on the command line */
     struct stat fileStat;
     if(stat(argv[1], &fileStat) < 0)
         return 1;

     /* st_blksize is the filesystem's preferred I/O block size */
     printf("Block size: \t\t%ld\n", (long)fileStat.st_blksize);

     return 0;
 }

 [doug...@centos4 tmp]$
 [doug...@centos4 tmp]$ gcc -o my_stat.exe my_stat.c
 [doug...@centos4 tmp]$
 [doug...@centos4 tmp]$ ./my_stat.exe /mnt/nas/testfile
 Block size: 32768
 [doug...@centos4 tmp]$
 [doug...@centos4 tmp]$ cat /etc/redhat-release
 CentOS release 4.7 (Final)
 [doug...@centos4 tmp]$

 [doug...@centos5 tmp]$ ./my_stat.exe /mnt/nas/testfile
 Block size: 4096
 [doug...@centos5 tmp]$
 [doug...@centos5 tmp]$ cat /etc/redhat-release
 CentOS release 5.5 (Final)
 [doug...@centos5 tmp]$

 On CentOS5 it is reporting 4k block sizes when it should report 32k. Has
 anyone seen this or aware of what is causing this change in behavior?

What kind of network file system is used to mount your NAS?


kind regards,

David Sommerseth



Re: [CentOS] system startup sound

2010-12-10 Thread David Sommerseth
On 10/12/10 17:17, Ritika Garg wrote:
 Whenever the system boots there is sound ( beep ). Is there any way to
 disable it?


Depends on if it is an OS or hardware thing.

If it's an OS thing, the easiest way is to do:

[r...@centos:~ #] modprobe -r pcspkr

Or to make this permanent, add the following line to /etc/modprobe.d/blacklist

blacklist pcspkr


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-09 Thread David Sommerseth
On 09/12/10 01:05, Christopher Chan wrote:
 On Thursday, December 09, 2010 02:55 AM, David Sommerseth wrote:
 
 Second, iptables is a de-facto standard for Linux, just as pf is pretty
 much the standard firewalling on BSD.  Windows and Solaris got their own
 firewalling methods as well.  My point is, neither of them are any Posix
 standards ... would you prefer to not use any of these firewall
 implementations due to lack of cross-platform Posix support?

 
 Ah...I believe it is ipfw that is standard on the BSDs although pf has 
 been ported to FreeBSD...

You might be pretty much right. The *BSDs do have several firewall
solutions, some unique to some *BSDs and some available to most of the
BSD flavours, and I might have confused it.  Thanks for straightening me out!


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-09 Thread David Sommerseth
On 08/12/10 23:01, Warren Young wrote:
 On 12/8/2010 3:04 AM, David Sommerseth wrote:
 it is still not recommendable to trade security for simplicity.
 
 Security is never an absolute, is *always* a tradeoff against simplicity.
 
 We could store our servers 16 feet underground and encased in concrete 
 to prevent tampering and accidental power cycling.  We don't do that 
 because union labor makes digging them back out when we really do 
 intentionally want to power cycle them or perform physical maintenance 
 impractical.
 
 Security is a continuum.  One should rationally choose where along it 
 one wants to be.  There are defensible, rational reasons to choose to 
 disable SELinux.

Indeed! As long as there are rational reasons for it and the reason
is not "it is bothersome and troublesome to me, so therefore I
always disable it".

For the vast majority of issues with SELinux, it is possible to overcome
them using the provided tools.  Of course, in a few scenarios, that is
still not enough or possible.  In such cases, I agree, disabling it is
the only proper thing to do.

But in my experience, such situations are very seldom.  It is possible
to write pretty good SELinux policies yourself, by using audit2allow and
analysing what your program tries to do and why.  Doing a good job with
a hand crafted SELinux module for your application removes your initial
reason why to disable SELinux.


kind regards,

David Sommerseth



Re: [CentOS] Optimal VPN

2010-12-09 Thread David Sommerseth
On 25/11/10 14:12, j.witvl...@mindef.nl wrote:
[...snip...]
 Will you be confronted with IPv6 in the (not so) near future? Forget
 OpenVPN, it is still beta there, while it has been implemented in
 strongswan for ages, and part of there standard test plan.

Okay, I'll admit up-front I'm biased, as I am involved in the OpenVPN
project.  But I can provide some info here.

IPv6 is currently in the development tree.  I'm using it on my personal
equipment now, using IPv6 over TUN interface between an OpenWRT router
and a Linux road warrior client.  I'm also looking into how to get this
code base compiled for maemo5 as well.  Early next year, I'm going to
run this development code on a couple of production boxes as well.

Another developer (the guy who implemented the IPv6 support) is also
using this IPv6 implementation in a bigger environment too.

We're currently at the end of the beta round for OpenVPN-2.2 and will
release an RC version around Christmas.  The full release will come
sometime around January.  That code base is without IPv6.  (2.2 is
basically a bigger bugfix release with a couple of new features)

The 2.3-beta round is scheduled sometime around February/March, with a
release slated for late summer 2011.  This release will include IPv6
support, both for transport (connect/listen/bind to IPv6 addresses) and
payload (IPv6 over tun and tap via tunnel with IPv6 client configuration
support).

http://thread.gmane.org/gmane.network.openvpn.devel/4221

But for early adopters ... the current development code is stable enough
for daily usage without too much troubles.  And we would like to see
more people testing out this code.

https://community.openvpn.net/openvpn/wiki/TesterDocumentation

 Furthermore, openvpn is only compatible with openvpn, while using ipsec you 
 might be able to connect to other boxes.

That is mostly true, except for those vendors adding their own
proprietary extensions to their ipsec implementations ... thus making it
a vendor lock-in again.

That's the wonderful thing about standards,
 everyone can have their own
  - unknown


kind regards,

David Sommerseth



Re: [CentOS] Optimal VPN

2010-12-09 Thread David Sommerseth
On 30/11/10 15:49, Ben McGinnes wrote:
  That is there must be a specific IP address assigned to a user/password
  combination. pptp does not really do this but I wrote sort of a backend
  (or maybe frontend? ;-) ) to change the IP address assigned based on a
  login and password. It is extra stuff I would prefer not to do though.

 RADIUS can assign a specific IP to a given user, but let OpenVPN
 handle the encryption.

You don't even need RADIUS to provide specific IP addresses.  You can
either use --ifconfig-pool-persist or --client-config-dir.

--ifconfig-pool-persist will create a file with a kind of database of
which IP addresses were assigned to clients earlier, and will re-assign the
same IP address if found there.  That's the automatic way of doing it.
However, if you're running out of IP addresses from your initial address
pool, IP addresses will be reused.

--client-config-dir combined with --push ifconfig ipaddr netmask
in a client specific config file, will provide this feature consistently.

It's also possible to use other plug-ins or scripts to provide client
specific IP addresses and/or routes dynamically, based on who the client
is ... Which is what the RADIUS plug-in does.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-08 Thread David Sommerseth
On 08/12/10 04:15, Les Mikesell wrote:
 On 12/7/10 9:02 PM, Ryan Wagoner wrote:

 Well in fact I don't think that will even work with the present URL
 rules. Just on a lark I clicked on your string, and my firefox
 interpreted it as http://3ffe:1900. Unless there's a special http
 protocol string for ipv6?

 Tony

 Since : is used to denote the port you must put the IPv6 address in brackets.

 http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
 
 Thunderbird doesn't make that a clickable link.  Since the change to ipv6 is 
 pretty much inevitable and probably most things will eventually work out, 
 maybe 
 we should focus on the little things (like programs not recognizing the 
 addresses in various contexts) that are going to cause pain during the 
 transition.

Did you file a bug to the Thunderbird bugzilla regarding this?





Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-08 Thread David Sommerseth
On 08/12/10 03:36, Ross Walker wrote:
 On Dec 7, 2010, at 9:20 PM, Adam Tauno Williams awill...@whitemice.org 
 wrote:
 
 On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote: 
 On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote:

 On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams
 awill...@whitemice.org wrote:

[...snip...]
 I can only image phonetically calling these off on a support call, I'd
 get half way through it and the other end would tell me to forget it
 I'll wait until DNS is working again.

 You aren't crippled currently when DNS doesn't work?  Because e-mail,
 Active Directory / Kerberos, and numerous other services just-don't-work
 without functioning DNS anyway.  I'd say the network-minus-DNS is pretty
 much irrelevant in the real world.
 
 Well, there is DNS down and there is DNS issues causing some sites
 problems. These may or may not be due to our DNS servers, you get the
 idea.

The problem with DNS being down is just as critical on IPv4 as with
IPv6.  The only difference is that it's a lot easier to remember or type
IPv4 addresses ... at least for now, until we're really getting used to
IPv6 addresses.

By all means, DNS will be much more critically important in IPv6 though
- as not everyone will be able to remember IPv6 addresses as well as
IPv4 addresses.

 When you're on your router or switch, want to traceroute or find out
 what port an address is on... Is there even ARP with v6?

Nope, ARP is gone.  But it gets a replacement as a part of IPv6, instead
of ARP being an addition to IPv4.

http://itkia.com/how-to-arp-a-in-ipv6/
http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
On 29/11/10 13:11, Steve Clark wrote:
 I don't know how it is now - but I tried running in permissive mode a
 few years ago. It would complain about some
 file, I would fix the file and the next thing I knew it was complaining
 about the same file again, and the file was part
 of the redhat installation. After that I gave up and just turned it off.

If you use chcon to change the security context of a file, then it will
be restored to the wrong security context on the next relabelling.

If you rather use 'semanage fcontext' you can permanently set the
security context for files.  Then you can run restorecon or relabel your
filesystem, and it should be set with the proper security context.
Running semanage alone will not change the security context, but running
restorecon afterwards will do that.

Another way to do it, is to write a security module and load that
security module with semodule.  But that's a heavier path to take,
especially if 'semanage fcontext' can do the job for you.


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
In the beginning, it was less understandable - now I barely understand why
I struggled with it in the beginning.

But unless you *invest time* to learn the tools ... you'll only be
frustrated that something doesn't work.  And some people find it easier
to give up and just disable it ... just like some people even did with
firewalling in the early days.


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
On 30/11/10 03:52, cpol...@surewest.net wrote:
 Christopher Chan wrote:
 Les Mikesell wrote:
[...snip...]
 As was already mentioned in another post, run in permissive mode, for a 
 few days if you must, and go through all the things the software does 
 and voila! setroubleshoot and/or logs tell you what needs doing.
 
 Very optimistic, that. In my shop, some things run annually.
 A comprehensive system test = production, for a year. Just
 this morning a 1099 (annual tax-form) script failed in test. 

So you would rather disable SELinux completely - 365 days a year, rather
than to switch to permissive mode when running this script once a year?

I'm sorry, but I'm not able to follow that logic.

In fact after running successfully in permissive mode once, you should
be able to figure out what your script does, use audit2allow and get a
proper SELinux module for it ready in a matter of minutes or hours
(depending on how invasive the script is).


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
On 30/11/10 17:21, Les Mikesell wrote:
 On 11/30/2010 9:51 AM, Lamar Owen wrote:

 If a particular app is so recalcitrant that SELinux needs to be turned off, 
 that's when I'd be doing some drastic things, much like windows lab 
 environments need done.  Things like automatic revert to known-good snapshot 
 on the production boxes for all but the data files.  Things like isolation 
 in a VM for those apps.  Of course, that's also work, and getting SELinux 
 working properly might be less work.  Everyone wants less work per project 
 to get more projects done, of course, but cutting corners is still cutting 
 corners and one day it will come back to haunt the corner-cutter.

 Now it is your turn to quantify:  How much would you charge to
 teach someone to be able to make those changes and how long would it
 take?  This has to include the ability to quickly diagnose and fix any
 problem that might be caused by updates to the application or to the OS
 distribution.

 To teach, $50 per hour (if I were available to teach; at the moment I'm full 
 on my work hours).  The number of hours would depend upon the complexity of 
 the application; for Scalix, assuming no familiarity with either Scalix or 
 SELinux, eight to sixteen hours (one-two days).
 
 I'm not talking about a particular app.  The thing I want quantified is 
 what it will cost to train some number of people to be able to 
 troubleshoot any problem that SELinux might cause with any app, given 
 potential changes in updates to both the distribution provided stuff and 
 the 3rd party coding at any time.

https://www.redhat.com/courses/rhs429_red_hat_enterprise_selinux_policy_administration/

Complete this one with the exam, and you're certified on SELinux on RHEL.

It might be other offerings as well, but I don't know about those.


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
On 08/12/10 16:03, William Warren wrote:
 On 12/8/2010 9:13 AM, Christopher Chan wrote:
 On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
 On 12/8/10 4:22 AM, David Sommerseth wrote:
 On 30/11/10 03:52, cpol...@surewest.net wrote:
 Christopher Chan wrote:
 Les Mikesell wrote:
 [...snip...]
 As was already mentioned in another post, run in permissive mode, for a
 few days if you must, and go through all the things the software does
 and voila! setroubleshoot and/or logs tell you what needs doing.
 Very optimistic, that. In my shop, some things run annually.
 A comprehensive system test = production, for a year. Just
 this morning a 1099 (annual tax-form) script failed in test.
 So you would rather disable SELinux completely - 365 days a year, rather
 than to switch to permissive mode when running this script once a year?

 I'm sorry, but I'm not able to follow that logic.
 In our case if something fails once a year we lose customers and money.  I'd
 expect that to be fairly common.

 Again, that particular process is unlikely to be missed and also show to
 be easily mitigated by doing a realtime switch from enforcing to
 permissive. Such annual processes are fairly common and usually run
 manually. You have yet to make a compelling case for completely
 disabling SELinux just for this sort of thing.
 
 losing customers and money on an annual basis is a great reason to kill 
 it.  Make it able to work without updates interfering with a formerly 
 running configuration on a regular basis and more folks will adopt it.  
 Saying killing it because it is hurting your business isn't a valid 
 reason is arrogant and frankly stupid.  Frankly, there are several other 
 distros that don't run SeLinux and they aren't any more problematic when 
 properly configured than RHEL is..and they just work.  Let's put the 
 SeLinux religion aside..make it not only technically superior but 
 actually usable and helpful and you'll see a wider adoption.  The kind 
 of arrogance I've seen in this thread is a primary reason it won't get 
 appreciable traction outside of RHEL and why it won't be a major tool in 
 admins toolbox inside RHEL unless folks don't NEED the flexibility Linux 
 in general offers and SELinux restricts.

And that *is* the key point!  The basic SELinux stuff which most users
need to know about *isn't* as hard as people want it to be.  Really!!
I've been fighting with it for some time, until I took the time to learn
about it.  After that, it's pretty much an easy breeze.  My biggest
mistake in my learning process was that I made SELinux much more complex
and chaotic in my head than what it really is.

Anyhow, no matter which technology you're talking about, if you don't
spend time learning it, it will be difficult until you learn it.

To complain about a technology as non-functional or being bothersome
without having tried to learn it, is a moot argument.

Of course, there are most probably a lot of things which can make things
even more intuitive.  But I struggle to see those issues right now.
There was a suggestion which sounds good at first glance earlier on
here, that it should be a tool you could point a directory at ... and it
would give some clues which files were breaking the file security
context in the policy.  That does sound like something helpful.

Otherwise, don't make SELinux more complex than what it really is.  The
core concept is basically a different way how to restrict access for
processes - on the same level as chmod, uid/gid and ACLs do on files.
SELinux only does this even more fine grained and with ways to also
restrict access to other things than only file access.


Science should explain things as simply as possible but no simpler
  - Albert Einstein


Btw ... Debian 5.0 (Lenny) ships with SELinux packages installed by
default, but not enabled.  They seem to be moving into the SELinux
direction as well.
http://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html


kind regards,

David Sommerseth



Re: [CentOS] SELinux - way of the future or good idea but !!!

2010-12-08 Thread David Sommerseth
On 08/12/10 17:10, Les Mikesell wrote:
 On 12/8/2010 4:04 AM, David Sommerseth wrote:
[...snip...]
 Agreed, and something that equally needs standardization.

 iptables is a de-facto standard on all Linux distributions nowadays.  It
 is not ratified by ISO, IETF or similar ... but how does that make the
 real life scenario any different?  That's just a piece of paper.
 iptables works, and so does SELinux - when you learn how to use it.
 
 The real life situation is that iptables only works on linux and the way 
 it works is distribution-dependent.  So what you learn may lock you into 
 a platform that may not always be your best choice.

Please educate me here.  I've been using Novell SuSE Linux,
RHEL/CentOS/Fedora, Gentoo, Crux Linux, RootLinux, Slackware, Ubuntu and
my N900's maemo5 which is Debian based and OpenWRT based routers ... and
I have not seen iptables behave differently than expected on any of
these ... I don't completely understand your argument.

Some of these distros do indeed have their own additional tools, like
YaST2, ufw, system-config-firewall, etc, etc ... Those will be different,
but they all use iptables under the hood.  I'm not talking about the
simplified iptables front-end, as that *is* expected to be different.

 SELinux came as a result that someone found weaknesses and wanted to try
 avoid security issues.  Just like when firewalls began to become so
 popular 20-30 years ago or so.  There was a need to improve something,
 and someone did the job.  Nobody cared much about firewalls in the early
 80's.  Why?  Maybe because nobody thought anyone would abuse or misuse
 the network infrastructure?
 
 Does that mean you would not be comfortable moving your applications to 
 SUSE, Solaris, OS X, Windows, etc.?   I don't want that kind of lock-in.

Considering Debian is on the move towards SELinux (Lenny installs
SELinux packages by default, just not enabled by default), openSuSE is
moving towards SELinux[1], Gentoo has hardened/SELinux projects going
on ... so moving from RHEL/CentOS to other Linux distros will not be an
issue in the future.  Since I see that SELinux does begin to get some
traction in other distros as well, I am not worried about a
lock-in on SELinux.

When it comes to Solaris, OSX and Windows, that is not comparable, as
when you base your installations on Linux, you already, at that point,
limit yourself somewhat.  And those OSes have completely other security
mechanisms.  Whether they are comparable, better or worse than SELinux, I
don't know - because I prefer Linux in general - as it is a F/OSS
product.  But with the knowledge I now have of SELinux, I would be
reluctant to move over to a platform which does not have something similar.

[1]
http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/

 SELinux has been around for about a decade or so.  And I believe that
 the more widespread SELinux becomes, and the more users it gets, the
 more people will not understand such discussions like this.
 
 Agreed - if it is as standard and cross-platform as Posix support you 
 will be able to depend on it without the associated side effect of being 
 locked to a particular OS distribution.

First of all SELinux is written for Linux.  Or else it would probably
have been called SEPosix.

Second, iptables is a de-facto standard for Linux, just as pf is pretty
much the standard firewalling on BSD.  Windows and Solaris got their own
firewalling methods as well.  My point is, neither of them are any Posix
standards ... would you prefer to not use any of these firewall
implementations due to lack of cross-platform Posix support?


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 02:26, Les Mikesell wrote:
 On 12/6/10 6:27 PM, Brian Mathis wrote:
 You are enjoying a side-effect of NAT by thinking it
 is a firewall.
 
 The other nice side-effect of NAT is that you get an effectively infinite 
 number 
 of addresses behind it without any pre-arrangement with anyone else.  Even if 
 ISPs hand out what they expect to reasonably-sized blocks, won't it be much 
 harder to deal with when you outgrow your allotment?  We've had the 
 opportunity 
 to move to ipv6 for ages but we haven't (in the US, anyway).  I think the 
 reason 
 is that most people like the way NAT works and don't really want a public 
 address on every device.

So you are afraid of out-growing from an assigned /48 net?  Let's do
some math here ... and I hope I get it right ...

IPv4:  aa:bb:cc:dd   that's 32 bit
IPv6:  ::::  this is 48 bits out of 128bits

In the IPv6 scenario, you have been assigned '::::' as your
IPv6 prefix by your ISP.

So that means that you have 128-48 bits available for your own
addressing scheme.  That is 80 bits you have absolutely full control
over.  Of course, it's recommended to have subnets no smaller than 64
bits.  So that makes it:

IPv6 /64 subnets:  :::::

That means you have 16 bits for subnets.  2^16 = 65536 subnets, each
with 64bit addressing.  And if my math doesn't fail me now, a 64 bit
addressing scheme is doubling the IPv4 address scope 32 times.

What I mean is that from 32 bit to 33 bit, you have 2 * 32 bit
addressing scope.  From 32 to 34, you have 4 * 32 bit
addressing scope.  For each bit you add, you double what you had.

It is simply insanely many addresses.  And if you fear that ISPs or IANA
might run out of address space, remember that they have 48 bits to
play with, which is the IPv4 address scope doubled 16 times.

Of course some ISPs will probably just hand out /64 networks to most of
their customers (most probably to home users).  But that's another
story.  And a /64 network is possible but not so easy to subnet further,
and is also not recommended.


kind regards,

David Sommerseth

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 12:23, Mathieu Baudier wrote:
 b)  Do I get charged by my ISP on a per-device basis?

 Heh, if they want to micromanage...
 
 This is no science fiction.
 Some big providers in some countries limit the number of devices that
 can connect to internet. You have to register the MAC address of your
 single PC (which, by the way, is expected to run Windows or MacOS)

For a lot of people, it is always possible to vote with your wallet.

If a provider is too restrictive for you, choose another one.  I pay my
fees to the ISP I feel is worthy to have me as a customer.  So if they
want my money, they must please me.  But I am also willing to pay a bit
more to a competitor who can fulfil my demands if my current provider
does not deliver according to the agreement and my expectations.

Of course this is not possible in places where there is only one
option.  But then try to approach, if possible, other ISPs anyway, to
see what they can offer you.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 13:22, John Thomas wrote:
 Can a machine with only an IPV6 address communicate with a machine that
 only has an IPV4 or are they separate?

They are separated.  It's two different protocols, even though they are
similar in many aspects.

There are some projects trying to bridge that for single-stack IPv6
networks.  But I've concluded that running dual-stack with both IPv4 and IPv6
is less error prone, as such proxy solutions will not always work 100%
perfectly.

The IPv4 addresses need to be translated into IPv6 addresses by a
local DNS service, and the proxy needs IPv4 access anyway to reach the
IPv4 host.


David S.



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
, the situation is more or less identical to IPv4)

And if you're afraid that your firewall drops its pants, then place
two or more firewalls in cascade.  If one of them fails, the second or
the following one(s) will cover it.

If you have a need for a totally secret network, each network adapter
can be assigned as many IPv6 addresses as you would like, so those
machines you like to give access to the rest of the world may have that,
and those which are purely internal may be that as well, on a separate
subnet not being routed outside your network.  You can even put them in
a separate VLAN which is not routed to the outside at all, thus keeping
that network only to yourself.

And if you insist on having all clients using *one* IP address out to
the world, you have network proxies, like Squid [1].  This is a more
proper way to do what you want, instead of abusing NAT as a security
feature.  NAT was not created for security.  It was created to prolong
the lifetime for IPv4.


kind regards,

David Sommerseth


[1] http://wiki.squid-cache.org/Features/IPv6



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:01, Les Mikesell wrote:
 On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
[...snip...]
 permit outbound client connections from anything connected behind them
 without  much regard to how many devices there are, and block everything
 else isn't NAT.  That's a router/firewall.  Happily IPv6 does that
 exactly.
 
 You didn't mention the number of devices - how does that play out when you 
 exceed the number initially set up?

How many devices?  You mean exceeding the number available inside an
IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
talking about 4.294.967.296 addresses doubled 32 times.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 16:45, Adam Tauno Williams wrote:
 On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: 
 On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcco...@lightlink.com 
 wrote:
 Adam Tauno Williams wrote:
 On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
 IPv6 is not broken by design. NAT was implemented to extend the time
 until IPv4 exhaustion. A side effect was hiding the internal IPv4
 address, which complicates a number of protocols like FTP and SIP. The
 only downside I see is ISPs could try and charge based on the number
 of IPv6 addresses being used.
 No, the downside is that each address used will be exposed to the world.
 False.  That is *NOT* a downside.
 NAT is *NOT* a magic sauce - install a firewall [which you probably
 already have].  Problem solved.
 I consider that a serious security flaw.
 It is not.
 Having my ISP know how many
 computers I have is a minor issue covered by the contract I have with
 them.
 So you want to cheap on the legal contract you agreed to?
 No, if they want too much money before I can install additional
 computers, I have several other choices, some of which will likely be
 less expensive. Currently, their TOS is not an issue
 But having all of those addresses exposed to Russian mobsters,
 terrorists, crackers and everyone else that knows how to capture packets
 is another matter altogether. If IPv6 exposes that information to the
 world, it is definitely unsafe to use.
 The Russian mobsters can already do that; if you think NAT is
 protecting you from that then you are mistaken.
 NAT hides the IP addresses of the computers inside my firewall. The only
 address exposed is the temporary address assigned to the firewall
 itself. That box can be run on the most secure OS I can find (currently
 one of the BSD's), and allows me to operate other systems behind it that
 aren't as well protected. This makes it significantly more difficult for
 those mobsters to penetrate my network.
 Is 172.16.10.72 a private address of yours or of your ISP?
 
 +1
 
 NAT isn't doing what Bob McConnell thinks it is.  Any russian mobster
 can afford to hire a halfway decent hacker who will only laugh at the
 obfuscation added by NAT.  Determining how many computers, and quite a
 bit of detail about them, are behind a NAT is not hard.  You just watch
 the traffic and these things reveal themselves.  Your traffic can be
 compromised just as easily with or without NAT.  Very few actually
 useful attacks on a host require direct access to the interface;
 stateful firewalls made such vectors pretty useless a long time ago.

You mean something along the lines of ... Oh, this Bob uses 172.16.10.72 ...
let's run some traceroutes towards his gateway.  That could be
64.57.176.18, right?   Then we can just set up a direct route from us to
his 172.16.10.0/24 network.  Wait! Let's add 172.16.0.0/12, just to be
sure we hit the right path.


kind regards,

David Sommerseth




Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:10, Bowie Bailey wrote:
 On 12/7/2010 11:36 AM, Tom H wrote:

 I have a route to his dsl router, which, assuming that the ipv4 and
 ipv6 firewalls are as good at allowing/disallowing access, makes his
 current ipv4 and his future ipv6 addresses equally accessible.
 
 I've been following the NAT debate here and something occurred to me.
 
 If you have an IPv4 network with NAT, an attacker doesn't need to know
 your internal IPs.  All he needs is the IP to your router.  NAT will
 nicely forward his packets along to whichever internal computer handles
 the port.  With that one address, he can scan your entire network for
 any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall.

But to use this approach without breaking into the firewall you would
need to forge network packets pretty well to be able to trick a firewall
into passing packets from the outside to the inside, especially with
stateful packet inspection, where the firewall would know whether the
connection was initiated from the inside or outside, and to which inside
client the connection belongs.

 With an IPv6 network without NAT, an attacker would need to know the
 specific IP of the computer he wants to attack.  There is no NAT to
 forward along his SSH attack to the correct computer.  To scan your
 network for vulnerabilities, he would have to scan every port on every
 IP.  Even if he can come up with a list of the IPs that are in use, this
 is still much more work than scanning a single (NATed) IP.
 

Bingo!  You have caught the point exactly!

An attacker will not know for sure if there is a firewall in between or
not.  Most probably he will presume so.  But he still doesn't know for
sure the IPv6 address of that firewall, or even if there are more
cascaded firewalls in front of a public IPv6 address.  Traceroute might
give some clues, but if it's a strict firewall just dropping packets,
this can take a looong loong time.


kind regards,

David Sommerseth





Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:39, Les Mikesell wrote:
 On 12/7/10 11:19 AM, David Sommerseth wrote:
 On 07/12/10 18:01, Les Mikesell wrote:
 On 12/7/10 10:20 AM, Adam Tauno Williams wrote:
 [...snip...]
 permit outbound client connections from anything connected behind them
 without  much regard to how many devices there are, and block everything
 else isn't NAT.  That's a router/firewall.  Happily IPv6 does that
 exactly.

 You didn't mention the number of devices - how does that play out when you
 exceed the number initially set up?

 How many devices?  You mean exceeding the number of available inside a
 IPv6 subnet?  I do hope you're kidding ... as for a /64 subnet we're
 talking about 4.294.967.296 addresses doubled 32 times.
 
 Is that what people will automatically get in a home ISP connection?

Yes.  Either a /64 subnet or more likely a /48 subnet, where a /48
subnet == 65536 /64 subnets.

And the 48 bits ISPs give customers correspond to 281.474.976.710.656
/48 subnets.  Compare that number to IPv4's 32 bits:
  4.294.967.296



Kind regards,

David Sommerseth
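The subnet arithmetic from this post and from the /48 walkthrough earlier in the thread, worked through with Python's ipaddress module. This is an added example, not code from the list or its posters; 2001:db8::/48 is the RFC 3849 documentation prefix, standing in for an ISP assignment.

```python
import ipaddress
from itertools import islice

IPV4_BITS = 32
IPV6_BITS = 128


def subnet_count(prefix_len: int, sub_prefix_len: int) -> int:
    """How many /sub_prefix_len networks fit inside one /prefix_len network."""
    if not 0 <= prefix_len <= sub_prefix_len <= IPV6_BITS:
        raise ValueError("need 0 <= prefix_len <= sub_prefix_len <= 128")
    return 2 ** (sub_prefix_len - prefix_len)


def addresses_in(prefix_len: int) -> int:
    """Addresses inside one IPv6 network of the given prefix length."""
    return 2 ** (IPV6_BITS - prefix_len)


def ipv4_doublings(prefix_len: int) -> int:
    """How many times the 32-bit IPv4 space must be doubled to fill one /prefix_len."""
    return (IPV6_BITS - prefix_len) - IPV4_BITS


def total_prefixes(prefix_len: int) -> int:
    """How many /prefix_len networks the whole 128-bit IPv6 space holds."""
    return 2 ** prefix_len


def first_subnets(network: str, new_prefix: int, count: int) -> list:
    """The first `count` subnets carved out of `network` at new_prefix, as strings."""
    net = ipaddress.IPv6Network(network)
    return [str(s) for s in islice(net.subnets(new_prefix=new_prefix), count)]


if __name__ == "__main__":
    # 2001:db8::/48 is the documentation prefix, standing in for an ISP assignment.
    print(subnet_count(48, 64), "/64 subnets in a /48")          # 65536
    print(ipv4_doublings(64), "doublings of IPv4 fill one /64")   # 32
    print(total_prefixes(48), "/48 prefixes exist in total")      # 281474976710656
    print(first_subnets("2001:db8::/48", 64, 3))
```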



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-07 Thread David Sommerseth
On 07/12/10 18:52, Bowie Bailey wrote:
 On 12/7/2010 12:43 PM, David Sommerseth wrote:
 On 07/12/10 18:10, Bowie Bailey wrote:
 On 12/7/2010 11:36 AM, Tom H wrote:
 I have a route to his dsl router, which, assuming that the ipv4 and
 ipv6 firewalls are as good at allowing/disallowing access, makes his
 current ipv4 and his future ipv6 addresses equally accessible.
 I've been following the NAT debate here and something occurred to me.

 If you have an IPv4 network with NAT, an attacker doesn't need to know
 your internal IPs.  All he needs is the IP to your router.  NAT will
 nicely forward his packets along to whichever internal computer handles
 the port.  With that one address, he can scan your entire network for
 any services available to the Internet.
 To some degree, at least if the attacker breaks into the firewall.

 But to use this approach without breaking into the firewall you would
 need to forge network packets pretty well to be able to trick a firewall
 to pass on packets from the outside to the inside, especially on
 stateful packet inspection, where the firewall would know if the
 connection is initiated from the inside or outside, and to which inside
 client the connection belongs to.
 
 I wasn't referring to breaking into the firewall or forging packets.  I
 was just referring to using the normal operation of the NAT to forward
 (for example) an SSH attack to the computer on the network that accepts
 SSH connections.

Ahh, well, yeah.  With NAT, you will expose your single public IP address
no matter what, providing a good surface for starting an attack
immediately, no matter who is doing what on the inside.  Your public IP
address will be available in all kinds of logs and mail headers - and
with more users on the inside using the Internet, the more likely it is
that someone will find your address interesting.

But that won't be much different with IPv6, except that you spread
the attack surface over multiple IP addresses in a huge address scope.
But then by using the IPv6 Privacy Extensions, it will be more like
shooting at a moving target.  The public IP address being used today
might not be the same as the one used yesterday, or even some hours ago.

However, if someone uses a public IPv6 address for SSH from the outside
world, that IPv6 address will need to be static and known.  And a
static IPv6 address is still just as vulnerable to an attack as any
public IPv4 address.   But finding this IP address will be much more
difficult due to the huge address scope, unless there's a DNS
pointer to it from www.my-own-cool-site.com.

 Stateful packet inspection works the same way regardless of whether or
 not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

Absolutely true.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-06 Thread David Sommerseth
On 05/12/10 14:21, Tom H wrote:
 On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote:
 On 12/05/10 12:50, Rudi Ahlers wrote:

 (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),

 Haven't switched yet, I have IPv6 at home using sixxs.

 I can't even figure out what address ranges are reserved for private use, is 
 there even such a concept in IPv6?
 
 I think that site-local (fec0:: - fef::) is the ipv6
 more-or-less-equivalent of ipv4 private addresses.

Yes, that's correct and it is deprecated.
http://www.ietf.org/rfc/rfc3879.txt

With IPv6 there are plenty of addresses for everyone, so you basically use
your own assigned official IPv6 address space, set up your own private
/64 net and block that subnet in your firewalls.

Another thing: there is no NAT, and it will not be implemented as we know
it in IPv4.  To call NAT a security feature is also a faulty
understanding, as NAT only prevents access from outside to some
computer inside a network which is NAT'ed.  This restriction and
filtering is the task of the firewall anyway, which does the NAT anyway.

NAT basically just breaks a lot of protocols and enforces complex
firewalls which need to understand a lot of different protocols to be
able to do things correctly, which often does not work as well as it could.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-06 Thread David Sommerseth
On 06/12/10 15:29, Todd Rinaldo wrote:
 
 On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote:
 
 On 05/12/10 14:21, Tom H wrote:
 On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote:
 On 12/05/10 12:50, Rudi Ahlers wrote:

 (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),

 Haven't switched yet, I have IPv6 at home using sixxs.

 I can't even figure out what address ranges are reserved for private use, 
 is there even such a concept in IPv6?

 I think that site-local (fec0:: - fef::) is the ipv6
 more-or-less-equivalent of ipv4 private addresses.

 Yes, that's correct and it is deprecated.
 http://www.ietf.org/rfc/rfc3879.txt

 With IPv6 there is plenty of addresses for everyone so you basically use
 your own assigned official IPv6 address space and setup your own private
 /64 net and block that subnet in your firewalls.

 Another thing, there is no NAT and it will not be implemented as we know
 it in IPv4.  To call NAT a security feature is also a faulty
 understanding.  As NAT only prevents access from outside to some
 computer inside a network which is NAT'ed.  This restriction and
 filtering is the task of the firewall anyway, which does the NAT anyway.

 NAT basically just breaks a lot of protocols and enforces complex
 firewalls which needs to understand a lot of different protocols to be
 able to do things correctly.  Which often do not work as well as it could.

 
 I've heard this before but It's always confused me. Admittedly I
 haven't had a chance to look at the spec. If we're saying that
 everyone's going to have the same private subnet, then we're saying
 that all the private subnets are going to have to be NAT-ed
 aren't they?

This can be a bit confusing, especially if you see this with IPv4
eyes.  In IPv6, there is basically no such thing as a private subnet (range).

When you contact your ISP to get an IPv6 subnet, they will most probably
give you a /48 network.  That means you will have an IPv6 prefix which is
unique.  That is a reference to all _your_ IPv6 networks.

Then you will normally segment this /48 subnet into more /64 networks.
A /48 subnet gives you 65536 /64 networks.  So the IPv6 prefix will be
something like:

   :::::/64

the '::' part is the prefix your ISP will provide you, and
this is the first 48 bits of the IPv6 address.  The '' part is up to
you to decide, and that's the next 16 bits of the address
scope.  So 48 + 16 = 64 bits.   And 2^16 = 65536.

And this is all you need to know about IPv6 addressing.  Really!  That's
it.  No network addresses, no broadcast addresses.  Just pure usable
IPv6 addresses.

(You may of course make even more subnets below /64, but that's usually
not recommended, especially with auto-configured networks.)

So then ... the next phase.  As everyone who gets a /48 net should have
it flexible enough to set up private networks, the firewall just needs to
completely block incoming traffic to a /64 net defined by the admins as
private.  It can further be decided if this /64 net should have access
to IPv6 addresses outside this local network.  Again this is just a
firewall rule and nothing more - allow or reject/drop.

And then, the formerly proposed site-local subnet makes pretty much no
sense, as IPv6 does not support NAT, and this network would not be able
to communicate across a router/firewall.  This subnet (fec0:: - fef::)
should not be routed anywhere.  And without NAT, it can't escape the
subnet at all anyway.

So, spending one or two or hundreds of /64 subnets with public IPv6 addresses
which are completely blocked in a firewall will serve exactly the same
purpose as a site-local subnet.  But this /64 net may get access to the
Internet *if* allowed by the firewall.  This is not possible with
site-local at all.  And of course, this is without NAT in addition.

I hope this made it a little bit clearer.


kind regards,

David Sommerseth



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-06 Thread David Sommerseth
On 05/12/10 12:50, Rudi Ahlers wrote:
 Seeing as IPV4 is near it's end of life
 (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
 I'm curios as who know whether everyone is ready for the changeover to
 IPV6?
 
 Is anyone using it in production already, and what are your experiences with 
 it?
 

I am using IPv6 quite frequently now, mostly at home where I use
Hurricane Electric/Tunnelbroker, configured on an OpenWRT router.  I have
full stateless autoconfiguration running and all connected devices get
IPv6 access instantly.  I even have an IPv6 enabled OpenVPN server
running on this router, so I get IPv6 access via this router and to my
internal boxes as well.

I also have a CentOS5.5 firewall which I connect to via SSH over IPv6 on
a remote site.  I have not implemented IPv6 support internally on that
site, due to the lack of proper stateful packet inspection (SPI) in
iptables.  That's why I'm waiting for CentOS6, as that will remove this
obstacle.  SPI support came first in 2.6.20-something for IPv6 and it's
been considered too hard to backport that feature to the 2.6.18 kernels
which RHEL5/CentOS5 is based on.  However, stateless firewalling does work.

Further, I have a Gentoo based firewall on yet another remote site, which
does have a 2.6.30-something kernel with proper IPv6 SPI support in
iptables.  At the moment I'm only accessing it via SSH over IPv6, but I'm
working on setting up IPv6 access for VPN, http/https and e-mail
services there.

There are some security considerations though, related to stateless auto
configuration.  Currently any client on a local network may start
a radvd process which will announce where the default GW can be found,
thus redirecting IPv6 traffic via a hostile gateway.  But I believe
people are trying to solve this as well.  One approach is to have an
auto-responder which will send out invalidation broadcasts on new router
broadcasts.  In such a scenario an attacker may do the same as well, and
then you're getting closer to the same chaos you may get by having two
DHCP servers on the same subnet.

However, that issue is only relevant on local networks and can't be
performed as an attack from a different subnet.

From my point of view, IPv6 is ready for prime-time.  CentOS5/RHEL5 and
older is not completely up to shape, due to the lack of SPI support in
iptables.  But RHEL6 and the coming CentOS6 should be good to go.


kind regards,

David Sommerseth
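A defender's view of the rogue-RA problem described in the post above: a parser for ICMPv6 Router Advertisement bodies (RFC 4861) and a check that flags announcements from routers not on an allowlist, including lifetime-0 withdrawals like the "invalidation" RAs mentioned. This is an added example, not code from the post; the MACs, prefixes and packet bytes are constructed sample data, and the ICMPv6 checksum fields are left zero.

```python
import ipaddress
import struct

# ICMPv6 constants from RFC 4861 (Neighbor Discovery)
ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(body: bytes) -> dict:
    """Parse the ICMPv6 body of a Router Advertisement: 16-byte header plus TLV options."""
    if len(body) < 16:
        raise ValueError("RA body shorter than the 16-byte fixed header")
    icmp_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", body[:16])
    if icmp_type != ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": lifetime, "source_mac": None, "prefixes": []}
    offset = 16
    while offset < len(body):
        # Each option is type(1) length(1, in 8-byte units) value; length 0 is invalid.
        if len(body) - offset < 2 or body[offset + 1] == 0:
            raise ValueError("truncated or zero-length option")
        opt_type, size = body[offset], body[offset + 1] * 8
        opt = body[offset:offset + size]
        if len(opt) < size:
            raise ValueError("option runs past the end of the packet")
        if opt_type == OPT_SOURCE_LINK_LAYER and size >= 8:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFORMATION and size == 32:
            prefix = ipaddress.IPv6Address(opt[16:32])     # prefix length is byte 2
            ra["prefixes"].append(f"{prefix}/{opt[2]}")
        offset += size
    return ra


def audit_router_advertisements(bodies, allowed_routers):
    """One verdict per RA body: 'ok', 'unexpected-prefix', 'rogue-withdrawal' or 'rogue-router'.

    allowed_routers maps each legitimate router's MAC to the set of prefixes it may announce.
    """
    verdicts = []
    for body in bodies:
        ra = parse_router_advertisement(body)
        mac = ra["source_mac"]
        if mac in allowed_routers:
            unexpected = [p for p in ra["prefixes"] if p not in allowed_routers[mac]]
            verdicts.append("unexpected-prefix" if unexpected else "ok")
        elif ra["router_lifetime"] == 0:
            # lifetime 0 withdraws a router: an "invalidation" RA, here from an unknown source
            verdicts.append("rogue-withdrawal")
        else:
            verdicts.append("rogue-router")
    return verdicts


# Constructed sample RA bodies (not captured traffic); ICMPv6 checksum left as zero.
HDR = "86 00 00 00 40 00 07 08 00 00 00 00 00 00 00 00"           # type 134, hop 64, lifetime 1800
HDR_WITHDRAW = "86 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00"  # same, router lifetime 0
PFX_OK = ("03 04 40 c0 00 00 0e 10 00 00 07 08 00 00 00 00 "
          "20 01 0d b8 00 00 00 01 00 00 00 00 00 00 00 00")      # 2001:db8:0:1::/64, L+A flags
PFX_ROGUE = ("03 04 40 c0 00 00 0e 10 00 00 07 08 00 00 00 00 "
             "20 01 0d b8 00 00 00 99 00 00 00 00 00 00 00 00")   # 2001:db8:0:99::/64
SLLA_GATEWAY = "01 01 02 00 00 00 00 01"                          # MAC 02:00:00:00:00:01
SLLA_CLIENT = "01 01 02 00 00 00 00 99"                           # MAC 02:00:00:00:00:99

SAMPLE_BODIES = [
    bytes.fromhex(HDR + PFX_OK + SLLA_GATEWAY),        # the real gateway
    bytes.fromhex(HDR + PFX_ROGUE + SLLA_CLIENT),      # a client that started radvd
    bytes.fromhex(HDR_WITHDRAW + SLLA_CLIENT),         # lifetime-0 RA from an unknown source
]
ALLOWED_ROUTERS = {"02:00:00:00:00:01": {"2001:db8:0:1::/64"}}

if __name__ == "__main__":
    for body, verdict in zip(SAMPLE_BODIES, audit_router_advertisements(SAMPLE_BODIES, ALLOWED_ROUTERS)):
        print(verdict, parse_router_advertisement(body))
```

On a real link the bodies would come from a raw ICMPv6 socket or a pcap, with the source MAC also available from the Ethernet header if the RA carries no source link-layer option.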



Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?

2010-12-06 Thread David Sommerseth
On 06/12/10 15:53, Ross Walker wrote:
 On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams awill...@whitemice.org 
 wrote:
 
 NO NO NO NO NO NO NO and NO!  (*...@!^*...@$ @*^*$@  *...@^*@  How many
 times does this have to be explained???  NAT *IS* *NOT* a @*(^*(^@(*@
 security tool.  It isn't.  Stop saying it is.  You use *firewalls* for
 security.  Just block ingress traffic and you are just as well off as
 you are on NAT - and odds are in your NAT configure you are doing that
 already.  All you do is eliminate the hacks, performance penalty, and
 interoperability problems created by NAT.  NAT is a *problem*, not a
 solution for anything other than a deficient network protocol.
 
 There is no arguing that NAT is not a security tool, but if your
 firewall drops it's pants it's better to have non-routable addresses
 behind it.

Good point.  I'm just thinking out loud.

What if the gateway/router/firewall does not know about the IPv6 network
on the network interface where this sensitive IPv6 net is?

And does it really need to be connected to this gateway at all, if it
shouldn't be available to other networks at all?  And if there are some
odd reasons for doing so, what about having this IPv6 subnet in a
separate VLAN without an IPv6 gateway to the rest of the world?


kind regards,

David Sommerseth
