Re: [CentOS] Does e2fsck.conf contain "broken_system_clock = 1" per default on CentOS7?

2016-08-09 Thread Gabriele Pohl
On Sun, 31 Jul 2016 15:17:19 +0200
Gabriele Pohl wrote:

> On Wed, 27 Jul 2016 09:46:02 +0100 (BST)
> John Hodrien wrote:
> 
> > On Tue, 26 Jul 2016, Gabriele Pohl wrote:  
> > > I now changed the value to 0 and rebooted.
> > >
> > > After that fsck based on Interval setting were done.
> > >
> > > Unfortunately that is not true for the root partition.
> > 
> > I believe e2fsck happens both pre root mount, and post.  You'll want to
> > rebuild your initramfs to make it take effect for the root volume I'd 
> > guess.  
> 
> agreed as I see the config is included there:
> 
> # lsinitrd | grep e2fsck
> -rw-r--r--   1 root root  112 Mar  5  2015 etc/e2fsck.conf
> -rwxr-xr-x   3 root root    0 Jun 25 06:56 usr/sbin/e2fsck
> 
> I have to wait for the next maintenance downtime to verify.
> 
> I will report the result then.

With new initramfs also the root partition was checked.

I opened a bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1365594

fyi and thanks for your help.

Gabriele
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
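
The situation resolved in this message, a value changed in /etc/e2fsck.conf while the initramfs still carries the old copy, can be checked with a short script. This is an added example, not part of the original mails: the function names and sample files are constructed, the accepted boolean spellings are an assumption, and `check_live` assumes dracut's `lsinitrd -f` and `dracut -f` as shipped on CentOS 7.

```shell
#!/bin/sh
# Added example. The sample files written by the demo are constructed.

# Print the effective broken_system_clock setting from the [options] section
# of an e2fsck.conf-style file: 1 (on), 0 (off or absent), or invalid:<text>.
# Assumption: only the common boolean spellings below are recognised.
bsc_value() {
    raw=$(awk '
        /^[ \t]*\[/ { in_opts = ($0 ~ /^[ \t]*\[options\]/); next }
        in_opts && /^[ \t]*broken_system_clock[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { print v }
    ' "$1")
    case $(printf '%s' "$raw" | tr 'A-Z' 'a-z') in
        1|true|yes|on)     echo 1 ;;
        0|false|no|off|'') echo 0 ;;
        *)                 echo "invalid:$raw" ;;
    esac
}

# Compare the on-disk config ($1) with the copy taken from the initramfs ($2).
# Prints a verdict and returns 0 only when both agree.
compare_e2fsck_conf() {
    host=$(bsc_value "$1")
    early=$(bsc_value "$2")
    if [ "$host" = "$early" ]; then
        echo "in-sync broken_system_clock=$host"
    else
        echo "stale-initramfs host=$host initramfs=$early"
        return 1
    fi
}

# For a live host (not called here): extract the initramfs copy with lsinitrd
# and point at the rebuild command when the two copies disagree.
check_live() {
    tmp=$(mktemp) || return 2
    lsinitrd -f etc/e2fsck.conf > "$tmp" 2>/dev/null
    compare_e2fsck_conf /etc/e2fsck.conf "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || echo "rebuild the initramfs with: dracut -f" >&2
    return "$rc"
}

# Demo on constructed files mirroring the thread: host edited to 0,
# initramfs still holding the shipped value 1.
demo=$(mktemp -d)
printf '[options]\nbroken_system_clock = 0\n' > "$demo/etc-e2fsck.conf"
printf '[options]\nbroken_system_clock = 1\n' > "$demo/initramfs-e2fsck.conf"
compare_e2fsck_conf "$demo/etc-e2fsck.conf" "$demo/initramfs-e2fsck.conf"
rm -rf "$demo"
```
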


Re: [CentOS] Does e2fsck.conf contain "broken_system_clock = 1" per default on CentOS7?

2016-07-31 Thread Gabriele Pohl
On Wed, 27 Jul 2016 09:46:02 +0100 (BST)
John Hodrien <j.h.hodr...@leeds.ac.uk> wrote:

> On Tue, 26 Jul 2016, Gabriele Pohl wrote:
> > I now changed the value to 0 and rebooted.
> >
> > After that fsck based on Interval setting were done.
> >
> > Unfortunately that is not true for the root partition.
> > For that I had to use maxCount settings to trigger fsck.
> 
> I believe e2fsck happens both pre root mount, and post.  You'll want to
> rebuild your initramfs to make it take effect for the root volume I'd guess.

agreed as I see the config is included there:

# lsinitrd | grep e2fsck
-rw-r--r--   1 root root  112 Mar  5  2015 etc/e2fsck.conf
-rwxr-xr-x   3 root root    0 Jun 25 06:56 usr/sbin/e2fsck

I have to wait for the next maintenance downtime to verify.

I will report the result then.

Thanks again for your help :)

Cheers,

Gabriele


Re: [CentOS] Does e2fsck.conf contain "broken_system_clock = 1" per default on CentOS7?

2016-07-26 Thread Gabriele Pohl
On Tue, 26 Jul 2016 16:21:00 +0100 (BST)
John Hodrien <j.h.hodr...@leeds.ac.uk> wrote:

> On Tue, 26 Jul 2016, Gabriele Pohl wrote:
> 
> > on all of my CentOS7 VMs on different hypervisors
> > the config file e2fsck.conf contains the line
> >
> > broken_system_clock = 1
> >
> > Do you see similar /default/ settings on
> > your machines? Is it an issue only on VMs?
> > I have no CentOS7 host on bare metal to compare.  
> 
> Same on real hardware.  But you can check this yourself:
> 
> $ rpm -qf /etc/e2fsck.conf 
> e2fsprogs-1.42.9-7.el7.x86_64
> $ rpm -V e2fsprogs
> $ rpm -q e2fsprogs --scripts
> $

thanks for the hint :)

I now changed the value to 0 and rebooted.

After that fsck based on Interval setting were done.

Unfortunately that is not true for the root partition.
For that I had to use maxCount settings to trigger fsck.

fyi and cheers,

Gabriele


Re: [CentOS] Does e2fsck.conf contain "broken_system_clock = 1" per default on CentOS7?

2016-07-26 Thread Gabriele Pohl
On Tue, 26 Jul 2016 17:03:52 +0200
Gabriele Pohl <g...@dipohl.de> wrote:
> on all of my CentOS7 VMs on different hypervisors
> the config file e2fsck.conf contains the line
> 
> broken_system_clock = 1
> 
> I found this because on all of them, the 
> root partition was not checked triggered
> by interval setting with tune2fs.

I see this issue was already addressed for
earlier fedora versions in bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=963283

fyi and still interested to read your observations
in CentOS7 Release

Gabriele


[CentOS] Does e2fsck.conf contain "broken_system_clock = 1" per default on CentOS7?

2016-07-26 Thread Gabriele Pohl
Hi,

on all of my CentOS7 VMs on different hypervisors
the config file e2fsck.conf contains the line

broken_system_clock = 1

I found this because on all of them, the 
root partition was not checked triggered
by interval setting with tune2fs.

Do you see similar /default/ settings on
your machines? Is it an issue only on VMs?
I have no CentOS7 host on bare metal to compare.

Thanks and cheers,

Gabriele


Re: [CentOS] output of "ls" (was: Re: Postgrey on CentOS 6)

2016-04-22 Thread Gabriele Pohl
On Fri, 22 Apr 2016 16:05:52 +
Richard Mann  wrote:
> > What does the "." at the right side
> > of the attributes list mean?
> >   
> 
> Following the file mode bits is a single character that specifies
>  whether an alternate access method such as an access control list
>  applies to the file.  When the character following the file mode
>  bits is a space, there is no alternate access method.  When it is
>  a printing character, then there is such a method.
> 
>  GNU `ls' uses a `.' character to indicate a file with an SELinux
>  security context, but no other alternate access method.
> 
>  A file with any other combination of alternate access methods is
>  marked with a `+' character.

ah, I only had a look at the man page of "ls",
but this explanation can be found by

info coreutils 'ls invocation'

I will expand my search to info pages from now on ;(

Sorry for the noise and thanks for your hint!

Gabriele




[CentOS] output of "ls" (was: Re: Postgrey on CentOS 6)

2016-04-22 Thread Gabriele Pohl
On Sat, 23 Apr 2016 02:23:28 +1200
Peter <pe...@pajamian.dhs.org> wrote:

> On 23/04/16 02:13, Gabriele Pohl wrote:
> > I administer a postfix mail server on CentOS 6.
> > Now I want to setup another with similar configuration.
> > 
> > But the postgrey package is no longer available in Epel
> > for this CentOS release as I have seen now:
> > https://admin.fedoraproject.org/pkgdb/package/rpms/postgrey/
> > 
> > 2. Can you give advice for an alternative setup 
> >of greylisting for postfix on CentOS 6?  
> 
> Postgrey is largely obsoleted by postscreen which comes with postfix
> versions 2.8 and up.  You can get the latest postfix (including
> postscreen) for CentOS 6 from GhettoForge (www.ghettoforge.org).

Thanks for your help and so quickly :)

I decided to try with current version of postgrey
from projects github repository.
https://github.com/schweikert/postgrey/releases/tag/version-1.36
as I want to avoid using more 3rd party repos.

Doing the first steps in manual installation
(create directory and user) I found out, 
that I lack from knowledge on "ls" output..

There is a difference that I don't understand.

What does the "." at the right side 
of the attributes list mean?

directory manually created on the shell:
drwxr-x--x 2 postgrey postfix 4096 Apr 22 17:19 /var/spool/postfix/postgrey/

created by package installation:
drwxr-x--x. 2 postgrey postfix 4096 Apr 13 16:23 /var/spool/postfix/postgrey

I used these commands to create the first one

# mkdir /var/spool/postfix/postgrey
# chmod 751 /var/spool/postfix/postgrey
# groupadd --gid 493 postgrey
# useradd --system --gid 493 --uid 493 --home /var/spool/postfix/postgrey -M --shell /sbin/nologin postgrey
# chown postgrey /var/spool/postfix/postgrey
# chgrp postfix /var/spool/postfix/postgrey

Can you give explanation what is causing the difference
compared to the package created directory?

Gabriele




[CentOS] Postgrey on CentOS 6

2016-04-22 Thread Gabriele Pohl
Hi,

I administer a postfix mail server on CentOS 6.
Now I want to setup another with similar configuration.

But the postgrey package is no longer available in Epel
for this CentOS release as I have seen now:
https://admin.fedoraproject.org/pkgdb/package/rpms/postgrey/

1. Will I have to make an upgrade of the existing mail server
   to get security patches again or is it not critical to
   use the old package?

2. Can you give advice for an alternative setup 
   of greylisting for postfix on CentOS 6?

Cheers,

Gabriele




Re: [CentOS] lunar notation in crontab

2015-12-06 Thread Gabriele Pohl
On Sun, 6 Dec 2015 02:25:53 -0800
Alice Wonder  wrote:

> On 12/06/2015 02:23 AM, ken wrote:
> > Crontab offers many refined facilities for Western calendaring, but none
> > for traditional Eastern-- lunar-- designations. 
> 
> This could be very useful in biology where a lot of cycles are lunar based.

It can also be useful for female sysadmins
to schedule cleaning jobs to times when she
is eager for this sort of work in the 
according phases of her menstrual cycle :)

When a lot of users are interested in the feature,
the appropriate addressee for the enhancement request 
are the Developers:

https://fedorahosted.org/cronie/

Thanks for sharing the idea ~

Gabriele


Re: [CentOS] Bacula backup system

2015-05-12 Thread Gabriele Pohl
Hi Alessandro and all Bacula users
and especially to (potential) Bacula contributors, 

On Mon, 11 May 2015 20:49:08 +0200
Alessandro Baggi alessandro.ba...@gmail.com wrote:
> In my last request I have asked info about backuppc and other backup
> solutions. After some test I have chosen bacula.

Concerning the topic Free Software I read that 
the relations between the FSFE and Kern Sibbald changed. 
https://fsfe.org/news/2015/news-20150414-01.en.html

Since 2006, the FSFE has been the fiduciary for 
the copyrights held by developers in the Bacula.org software, 
on the basis of a Fiduciary License Agreement (FLA)

Effective the 6th of March 2015, the FLA between Kern Sibbald 
and FSFE has been terminated at the request of Kern Sibbald. 
The FSFE is committed to ensuring to the best of its ability 
that Bacula.org software remains Free Software, and can 
only regret that Kern Sibbald in this way chose to terminate the FLA.

In the Copyright Assignment Agreement that
Contributors have to sign
http://www.bacula.org/downloads/CAA-bacula.en.pdf

I found the following

-- 8 --
Contributors .. grants a License, including, ..

5. the right to use, reproduce, redistribute and 
make derivative works of the Software 
under other including non-free licenses.
-- 8 --

I wouldn't like to sign this.

To whom it may concern and kind regards,

Gabriele


[CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
Hi all,

I have difficulties to understand the output of yum-plugin-security.

I am on a X86_64 machine and when I query for security updates, 
yum lists i686 packages, that I don't have installed.


# yum check-update --security
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones
No packages needed for security; 34 packages available

cyrus-sasl-devel.i686              2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.i686                2.1.23-15.el6_6.1      updates
device-mapper-multipath-libs.i686  0.4.9-80.el6_6.1       updates
libXfont.i686                      1.4.5-4.el6_6          updates
nss-softokn.i686                   3.14.3-18.el6_6        updates
nss-softokn-freebl.i686            3.14.3-18.el6_6        updates
perl-libs.i686                     4:5.10.1-136.el6_6.1   updates


I would have expected, that it will list no packages,
as its statement is No packages needed for security

When I run the query with no filtering on security relevant packages,
it shows the X86_64 versions of the above listed packages.

Do we have a problem of inconsistent data in the repo?
Are only the i686 packages marked with security-update flag?


# yum check-update 
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * epel: mirrors.n-ix.net
 * extras: centos.mirror.sharkservers.co.uk
 * updates: centos.mirror.sharkservers.co.uk

cyrus-sasl.x86_64                    2.1.23-15.el6_6.1      updates
cyrus-sasl-devel.x86_64              2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.x86_64                2.1.23-15.el6_6.1      updates
..
device-mapper-multipath-libs.x86_64  0.4.9-80.el6_6.1       updates
..
libXfont.x86_64                      1.4.5-4.el6_6          updates
..
nss-softokn.x86_64                   3.14.3-18.el6_6        updates
nss-softokn-freebl.x86_64            3.14.3-18.el6_6        updates
..
perl-libs.x86_64                     4:5.10.1-136.el6_6.1   updates


Cheers and thanks for your explanation / instruction

Gabriele


Re: [CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
On Sat, 22 Nov 2014 12:44:57 + (GMT)
Nux! n...@li.nux.ro wrote:
> This plugin does not work on CentOS, at least not yet, there were previous
> discussions. e.g.
> http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
>
> HTH

yes it helped thanks!

Although the state of the thing itself is not very helpful :(

My intention was to automatically get warned,
when there are pending security updates.
I therefore reworked the yum plugin of Munin [1]

But as I see now, this will not work for CentOS
as long as the data (a working updateinfo.xml)
is not existent in the repos..

I will add a note in the Munin yum plugin to
inform other CentOS users about this #fail.

It would be good to add such a hint also in the 
CentOS package of the yum-plugin-security. 
Until now there is no info about the no-op 
nor in the man page neither under /usr/share/doc.

Shall I create a bug report addressing the missing doc?
Or will it get answered with won't fix as the fix
would need to fork an own CentOS version of the plugin,
so no longer simply copy the package from upstream (rh)

# rpm -ql yum-plugin-security
/etc/yum/pluginconf.d/security.conf
/usr/lib/yum-plugins/security.py
/usr/lib/yum-plugins/security.pyc
/usr/lib/yum-plugins/security.pyo
/usr/share/doc/yum-plugin-security-1.1.30
/usr/share/doc/yum-plugin-security-1.1.30/COPYING
/usr/share/man/man8/yum-security.8.gz

Cheers,

Gabriele



[1] 
https://github.com/munin-monitoring/munin/commits/devel/plugins/node.d.linux/yum.in


Re: [CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
On Sat, 22 Nov 2014 08:00:50 -0600
Johnny Hughes joh...@centos.org wrote:

> On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> > I have difficulties to understand the output of yum-plugin-security.
> >
> > # yum check-update --security
>
> CentOS only tests that things work when doing all updates ... it does
> not test any other grouping of packages.

when I install the updates 
I usually install all pending updates btw.

As written in my other mail, the intention is
to get triggered when security updates are pending.

fyi and cheers,

Gabriele


Re: [CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
On Sat, 22 Nov 2014 12:07:00 -0600
Frank Cox thea...@melvilletheatre.com wrote:

> On Sat, 22 Nov 2014 15:32:32 +0100
> Gabriele Pohl wrote:
>
> > As written in my other mail, the intention is
> > to get triggered when security updates are pending.
>
> why not set up something to watch the centos-announce list,
> parse the subject lines for Security, and then
> do whatever you need to do after that.

because I want the alert for my individual machines.
So the proposed method is no solution 
for an automagical trigger :)

As said in my earlier mail I use Munin
for system monitoring and want the raven
to croak when a node has pending security updates:

http://gallery.munin-monitoring.org/distro/plugins/node.d.linux/yum.html

But thanks for sharing your idea ~

Cheers,

Gabriele


Re: [CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
On Sat, 22 Nov 2014 13:17:59 -0600
Frank Cox thea...@melvilletheatre.com wrote:

> On Sat, 22 Nov 2014 19:52:30 +0100
> Gabriele Pohl wrote:
>
> > because I want the alert for my individual machines.
> > So the proposed method is no solution
> > for an automagical trigger :)
>
> You still can do that without expending too much effort.

Although the proposal you made is /possible/ to implement,
I will not do it, because I think that this is 
the wrong way to solve the issue.

> One way would be to monitor centos-announce, parse the subject lines,
> copy the security update filenames to a text or database file.
> (sqlite is made for this kind of thing.)
> You can either keep a list on each machine or have a central data repository,
> whichever suits you best.

Pardon me, but I think it is madness to maintain the info outside of yum.

And your method is not suitable to use within Munin monitoring.
And a Munin capable solution is what I am looking for with highest priority.

> Then all you need to do is have each machine run yum check-update
> on whatever timed basis you wish.  Capture the list of pending updates,
> compare it against your database, and then do your thing.

I don't like to spend time in creating ugly workarounds..
and therefore would highly appreciate if the CentOS-Developers
will add the data to the yum repositories.
Then I can use Munin to monitor the pending security packages
also for CentOS as now only for my RHEL machines.

All the best and thanks again,

Gabriele


Re: [CentOS] yum-plugin-security

2014-11-22 Thread Gabriele Pohl
On Sat, 22 Nov 2014 17:10:40 -0600
John R. Dennison j...@gerdesas.com wrote:

> On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
>
> > I don't like to spend time in creating ugly workarounds..
> > and therefore would highly appreciate if the CentOS-Developers
> > will add the data to the yum repositories.
> > Then I can use Munin to monitor the pending security packages
> > also for CentOS as now only for my RHEL machines.
>
> It's not that simple.  Please have a look at the list archives in the
> past couple months where this was addressed.  The threads were either
> here or on the centos-devel mailing list.

thanks to Nux! who posted the following link in
the first reply of this thread:


Begin forwarded message:

Date: Sat, 22 Nov 2014 12:44:57 + (GMT)
From: Nux! n...@li.nux.ro
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] yum-plugin-security


This plugin does not work on CentOS, at least not yet, there were previous 
discussions. e.g.
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html


I read this thread and also another, which is referred to therein:
http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html

> If memory serves the primary factor that is holding this up is a space
> requirements issue; the threads can shed more light on it, however.

To tell the truth, as a person who is not familiar with the 
internal structures and procedures of tree building and 
maintenance of the repositories, I don't really understand 
why it should be so difficult to handle a security-update flag 
for the update packages, but I have to believe the experts, 
who make statements on this topic.

Here is what I picked up when reading the thread from devel list:

1. For a valid approach data for all packages over 
the complete history of the major version is needed.

2. At the time the data is only sent to the announce mailing list
and it will need a big effort with also manual work to 
collect all the data back from there.

3. it would add significantly to the size required to
mirror CentOS and require a redesign of how we do trees completely (we
currently only push the latest tree for each live major version). (Johnny 
Hughes)

4. The developers fear that the yum-plugin-security functions
may seduce people to only install the security relevant packages,
which can cause problems.

5. The tools used by scientific linux repo maintainers,
who support a security classification,  
are available under free software license.
https://cdcvs.fnal.gov/redmine/projects/python-updateinfo

My personal view is represented by the mails of Kevin Stange in this thread.
And I still hope that the issue will be solved by 
integrating the security update flag into the
CentOS repositories in the future.

so far and thanks for your replies to all contributors in this thread,

Gabriele
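
The point this thread arrives at, that `--security` filtering returns nothing useful while a repository ships no updateinfo data, suggests a guard for any monitoring check built on it: report "unknown" rather than zero when a repo lacks that metadata. This is an added example, not code from the thread or from the Munin plugin; the function names are hypothetical, the cache layout `<cache>/<repo>/repomd.xml` is an assumption, and the repomd.xml samples are constructed.

```shell
#!/bin/sh
# Added example. The repomd.xml files written by the demo are constructed.

# Succeed if a repomd.xml advertises an updateinfo metadata file.
repo_has_updateinfo() {
    grep -q '<data[^>]*type="updateinfo"' "$1"
}

# Walk a cache tree (assumed layout: <cache>/<repo>/repomd.xml) and print one
# line per repo: "<repo> updateinfo" or "<repo> no-updateinfo".
audit_cache() {
    for md in "$1"/*/repomd.xml; do
        [ -f "$md" ] || continue
        repo=$(basename "$(dirname "$md")")
        if repo_has_updateinfo "$md"; then
            echo "$repo updateinfo"
        else
            echo "$repo no-updateinfo"
        fi
    done
}

# Monitoring verdict. $1 = cache dir, $2 = number of packages that
# "yum check-update --security" listed as needed for security.
# The count is trusted only if every repo carries updateinfo; a missing
# data source must never be reported as "no security updates pending".
security_verdict() {
    report=$(audit_cache "$1")
    if [ -z "$report" ] || printf '%s\n' "$report" | grep -q ' no-updateinfo$'; then
        echo unknown
    elif [ "$2" -gt 0 ]; then
        echo "critical:$2"
    else
        echo ok
    fi
}

# Demo: two constructed repos, one without updateinfo, and the count of 0
# from "No packages needed for security" as in the first mail of the thread.
demo=$(mktemp -d)
mkdir -p "$demo/updates" "$demo/epel"
printf '<repomd><data type="primary"/></repomd>\n' > "$demo/updates/repomd.xml"
printf '<repomd><data type="primary"/><data type="updateinfo"/></repomd>\n' \
    > "$demo/epel/repomd.xml"
audit_cache "$demo"
security_verdict "$demo" 0
rm -rf "$demo"
```
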