Re: [CentOS] Is there a rpm command to find the package that created a particular user or particular group?

2013-07-17 Thread Ian Forde
Just saw this.  Here's how to do it via brute force.  I have the user
"ovirtagent" on one of my boxes, and wanted to find out who provided it.
 So I did the following:

rpm --qf "%{NAME}\n" -qa | while read rname ; do if rpm -q --scripts \
${rname} | grep -q ovirtagent ; then echo $rname ; fi ; done

It's not efficient, but it works.

  -I


On Thu, Jun 27, 2013 at 12:36 PM, Rob Townley  wrote:

> --scripts is helpful, the following returns a great deal of package scripts
> having to do with users and groups, but ideally would return just the
> package names involved in creating the user or group.
>
> rpm -qa --scripts | egrep 'user|group|id\s|getent|pass'
>
> rpm -qa --scripts | less does not seem  to list any package names, but may
> be a more formal rpm would help:
>
> rpm --queryformat "%{FILEUSERNAME} %{TRIGGERSCRIPTS} %{TRIGGERSCRIPTPROG}\n" --query httpd
>
> does not return a script name and i do not see anything else in rpm
> --querytags that would help.
>
> Has to be a way, but not today.
>
>
>
>
> On Thu, Jun 27, 2013 at 1:52 PM, Leon Fauster wrote:
>
> > On 27.06.2013 at 20:36, Rob Townley wrote:
> > > Given a particular user or particular group, is there a rpm command that
> > > returns what package created that particular user or particular group?
> > >
> > > Analogous to `rpm -q --whatprovides /etc/security/limits.conf` returns the
> > > package "pam".
> > > Is there an rpm command that returns what package generated a particular
> > > user?
> > >
> > > Most of us already know that the httpd package is associated with the user
> > > apache.  But there are passwd and group entries that i would like to verify
> > > and want to know exactly how they got on my system.  Further i would like
> > > to know which the security implications of adding another group to a user
> > > account.
> > >
> > > Something like the following command:
> > > `rpm --query --user apache`  would return "httpd"
> > > `rpm --query --group pulse-access`   might return pulseaudio
> >
> >
> > take a look at the pre/post-script parts of the rpms
> >
> > rpm -q --scripts httpd
> >
> > other users/groups are "installed" via centos setup (anaconda).
> >
> > --
> > LF
> >
> >
> >
> >
> >
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
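
A narrower variant of the brute-force scan in the message above, as an added example that is not part of the original thread. Instead of grepping scriptlets for the bare name, it only accepts lines that run useradd, adduser or groupadd with the account as a separate word, so a package that merely chowns files to the account is not reported. The function names and the sample scriptlet are constructed for illustration.

```shell
#!/bin/sh
# Added example: which installed package's scriptlets create a given account?
# Function names are hypothetical; the sample scriptlet is constructed.

# creates_account NAME
# Reads scriptlet text on stdin. Succeeds only if a non-comment line runs
# useradd, adduser or groupadd and carries NAME as a whole token, so
# "ovirt" does not match "ovirtagent". Backslash-continued lines are joined.
creates_account() {
    awk -v want="$1" -v q="'" '
        {
            line = pending $0; pending = ""
            # join a line ending in a backslash with the one that follows
            if (line ~ /\\$/) { sub(/\\$/, " ", line); pending = line; next }
            if (line ~ /^[ \t]*#/) next
            if (line ~ /(^|[^A-Za-z0-9_-])(useradd|adduser|groupadd)([ \t]|$)/) {
                n = split(line, w, /[ \t";|&()=]+/)
                for (i = 1; i <= n; i++)
                    if (w[i] == want || w[i] == q want q) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# packages_creating_account NAME
# Walks every installed package and prints those whose scriptlets create NAME.
packages_creating_account() {
    rpm -qa --qf '%{NAME}\n' | sort -u | while read -r pkg; do
        if rpm -q --scripts "$pkg" | creates_account "$1"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample shaped like `rpm -q --scripts` output (not a real package)
sample_scriptlet() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
# create the service account
getent group ovirtagent >/dev/null || groupadd -r ovirtagent
getent passwd ovirtagent >/dev/null || \
    useradd -r -g ovirtagent -d /var/lib/example \
    -s /sbin/nologin ovirtagent
postinstall scriptlet (using /bin/sh):
chown apache:apache /var/www/html
EOF
}

# Run the scan only when an account name is passed as the first argument
if [ "$#" -gt 0 ]; then
    packages_creating_account "$1"
fi
```

Accounts created through a shell variable (useradd "$USER") or by the installer rather than a package scriptlet are not found by this check.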


Re: [CentOS] r-x and r-x.

2013-04-24 Thread Ian Forde
Yep - you'll want to do a 'ls -lZ' on both dirs and compare the
differences...
On Apr 24, 2013 8:32 AM, "Larry Martell"  wrote:

> On Wed, Apr 24, 2013 at 8:50 AM, Johan Vermeulen
>  wrote:
> > Dear All,
> >
> > I'm currently troubleshooting NetworkManager scripts.
> >
> > I see a difference in machine A :
> >
> > drwxr-xr-x 2 root root 4096 apr 24 16:33 .
> > drwxr-xr-x 5 root root 4096 jan  9 12:13 ..
> > -rwxr-xr-x 1 root root  175 jan  9 12:13 00-netreport
> > -rwxr-xr-x 1 root root  335 okt 22  2012 04-iscsi
> > -rwxr-xr-x 1 root root  345 jan  9 12:13 05-netfs
> > -rwxr-xr-x 1 root root  926 sep 25  2012 10-dhclient
> > -rwxr-xr-x 1 root root  301 apr 24 15:58 20-backuplauncher
> > -rwxr-xr-x 1 root root  220 jun 22  2012 yum-NetworkManager-dispatcher
> >
> > and machine B:
> >
> > drwxr-xr-x. 2 root root 4096 apr 24 16:34 .
> > drwxr-xr-x. 5 root root 4096 apr 23 12:06 ..
> > -rwxr-xr-x. 1 root root  175 jan  9 12:13 00-netreport
> > -rwxr-xr-x. 1 root root  345 jan  9 12:13 05-netfs
> > -rwxr-xr-x. 1 root root  926 sep 25  2012 10-dhclient
> > -rwxr-xr-x. 1 root root  326 apr 23 13:42 15-nfslauncher
> > -rwxr-xr-x. 1 root root  307 apr 24 16:10 20-backuplauncher
> > -rwxr-xr-x. 1 root root  220 jun 22  2012 yum-NetworkManager-dispatcher
> >
> > the difference being -rwxr-xr-x and -rwxr-xr-x.
> >
> > so with or without a dot (.)
> >
> > Does that mean anything?
> >
> > Thanks for any advice on this.
>
>
> The . means the file has an access list with SELinux. You could try
> disabling SELinux on machine B and seeing if that fixes the issue.


Re: [CentOS] NFS mount auto remount in case of problems.

2013-02-24 Thread Ian Forde
Why not use DRBD in lieu of shared storage?

On Wed, Feb 20, 2013 at 2:52 AM, Leon Fauster wrote:

> On 20.02.2013 at 11:29, Rafał Radecki wrote:
> > Hi All.
> >
> > I have a setup in which I have two servers serving nfs share. The nfs
> > service is made highly available with pacemaker. When the primary
> > server goes down the secondary starts nfs service. Service IP is
> > floating between servers but they have NO "shared" storage/filesystem
> > so NFS state/connection information in case of failover is lost. I
> > have two clients. When the failover from primary to secondary occurs
> > the mount is stale and I need to manually remount the share.
> > Is there a way in linux/CentOS to automatically remount nfs share in
> > such case? Or should I just write a script which (for example) check
> > /proc/mounts and execute it from crontab? I am curious if it can be
> > done with "standard" linux services (automounter?) ;)
>
>
>
> what is the order of the resources nfs and ip?
>
> --
> LF
>


Re: [CentOS] ACL/permissions question

2013-02-01 Thread Ian Forde
You could always try 'chattr +i /home/joe' to make it immutable.  Check out
the man page for details...
On Jan 31, 2013 11:44 PM, "Boris Epstein"  wrote:

> Hello listmates,
>
> If I have a regular, ACL-capable filesystem on Linux (say, ext4 or xfs) is
> there a way for me to establish the following:
>
> 1) There is a directory, say, /home/joe . It is owned by user joe . No one
> but joe (and root, of course) can read or write anything in this directory.
>
> 2) No one can change permissions on that directory, not even joe. In other
> words, if all of a sudden joe decided to open his directory up to the
> world (or the group he is a member of) by doing something akin to:
>
> chmod 777 /home/joe
>
> he would not succeed.
>
> Thanks in advance for any help.
>
> Boris.


Re: [CentOS] load balancer recommendations

2013-01-19 Thread Ian Forde
FYI - HAProxy is in EPEL, so it's a fairly easy installation to test.
 Especially in virtual environments... ;)

  -I

On Sat, Jan 19, 2013 at 4:22 PM, Boris Epstein  wrote:

> Absolutely. The solution seems really robust and the price is not bad.
>
> In my case, however, this is not the answer as I need a solution that can
> be implemented in a whole variety of networks, including virtual ones.
>
> Thanks anyways.
>
> Boris.
>
>
> On Sat, Jan 19, 2013 at 7:18 PM, Joseph Spenner wrote:
>
> > From: Boris Epstein 
> >
> > To: CentOS mailing list 
> > Sent: Saturday, January 19, 2013 5:10 PM
> > Subject: Re: [CentOS] load balancer recommendations
> >
> > Joseph,
> >
> > Thanks!
> >
> > Did you mean this:
> >
> > https://www.barracudanetworks.com/products/loadbalancer
> >
> > But this looks like an integrated solution, hardware and software. I am
> > just looking for the software part.
> >
> > Boris.
> >
> > On Sat, Jan 19, 2013 at 7:06 PM, Joseph Spenner wrote:
> >
> > >
> > > I've had pretty good luck with Barracuda load balancers..  You can
> > > configure them to keep a user session on a single server, which is often
> > > desired, and spread new connections to other servers as they arrive.
> > > The only problem I had with them, ironically, was they would crash if I
> > > purchased their "Live Updates" feature.  It's some sort of auto updating
> > > black-list service you can buy which helps protect the device and your
> > > resources.  But after I disabled that, the device has been rock solid.
> > > Been working great since about 2006.
> > >
> >
> > Yes.  It might be worth just getting the whole canned solution, though.
> > It is Linux based.
> > At the time, the thing was about $1800, which isn't really that bad, and
> > it just works.  There's a web interface to configure it, and it's
> > relatively intuitive.
> >
> >
> >
> >  If life gives you lemons, keep them-- because hey.. free lemons.
> > "~heart~ Sticker"  fixer:
> > http://microflush.org/stuff/stickers/heartFix.html


Re: [CentOS] python26-memcached on centOS 5.5

2012-02-11 Thread Ian Forde
On Thu, Feb 9, 2012 at 4:40 AM, Anand Jeyahar
 wrote:
> Hi all,
>  thanks a lot. Turns out that rpm is just a place holder.. i figured out the 
> rpm -qpil command and realized i had to build from  source. got it(memcached) 
> running now.
>
>
> __-
>
> Thanks and Regards
> Anand Jeyahar
> Senior Systems Analyst,
> CSSCorp Pvt. Ltd.,
> Mob:  +91 80561 33088
> Extn: 7101080
> 
> From: centos-boun...@centos.org [centos-boun...@centos.org] On Behalf Of 
> Anand Jeyahar [anand.jeya...@demandmedia.com]
> Sent: Thursday, February 09, 2012 4:34 AM
> To: centos@centos.org
> Subject: [CentOS] python26-memcached on centOS 5.5
>
> Hi,
>   Is anyone here running memcached + python2.6 + django setup on a CentOS 
> 5.5?? Am trying to set one up here and have trouble with the 
> python26-memcached installation.
> So far i have installed (via yum):
>
>      1.python26
>      2. python26-memcached
>      3. libevent
>      4. memcached-devel
>
>   Now when i try to run `import memcache`  from the python2.6 shell i get an 
> ImportError: No module named memcache.
> The python26 installation picks up other modules(django etc..) fine. So 
> there's no configuration problem from python26 interpreter.
>
> I am not able to figure out the problem. Any ideas/suggestions? Is building 
> from source my only way out??

uh... 'yum install memcached' would have done it...


Re: [CentOS] Network Situation

2011-12-17 Thread Ian Forde
On Wed, Dec 14, 2011 at 11:01 AM, Denniston, Todd A CIV
NAVSURFWARCENDIV Crane  wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Gene Poole
>> Sent: Wednesday, December 14, 2011 13:08
>> To: centos@centos.org
>> Subject: [CentOS] Network Situation
>>
> 
>> If I install CentOS 6.0 and sometime later upgrade to CentOS 6.2, will
>> the fact that I'm running software raid-1 on the /boot partition
>> cause me grief?
> 
>
> 6.2 is the kind of release that those in the community and TUV call a
> 'point release'.
> Reading the FAQ may help you.
> "14. What is the versioning/release scheme of CentOS and how does it
> compare to the upstream vendor?"
> http://wiki.centos.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e
>
> And I think the backport link to redhat in the following FAQ could be
> useful for you to understand.
> "20. Where can I get the latest version of XyZ.rpm for CentOS? I cannot
> find it anywhere."

1. CentOS (and upstream) 6.[012] still use the ethX convention.  I
expect that to continue throughout the lifetime of the 6.[0-9] series,
as upstream aims for consistency throughout the lifetime of 6.
2. Yes - you can eliminate NetworkManager.  I'm writing this on a
CentOS 6.1 desktop that's also running KVM.  I don't run
NetworkManager on this, as I want a static IP address defined at boot
that does not have anything else trying to mess with the network
config.
3. I can't speak to Fedora 15 -> CentOS 6 KVM compatibility, but if
you're moving existing guests, I'd be surprised if things didn't work.
4. RAID 1 from CentOS 6.0 to 6.2?  Shouldn't be a problem.
5. Software RAID from Fedora 12 working in CentOS 6.0.  Problems?  Probably not.
6. Caveats?  Plenty.  CentOS 6 is based upon RHEL6, which is based on
Fedora 12/13.  So going from Fedora 15, you're going a little back in
time.  You'd have to look at the release notes from Fedora 13 and up
to see the differences, as well as the CentOS/RHEL 6 release notes to
get the major changes from way back.  Example: no systemd.  I don't
know much more, as I haven't used Fedora in years...

Hope that helps...

  -Ian


Re: [CentOS] how to enable Flow Control on CentOS?

2011-07-10 Thread Ian Forde
On Sun, 2011-07-10 at 22:08 -0500, Les Mikesell wrote:
> On 7/9/11 12:18 PM, Giles Coochey wrote:
> > Gigabit is different.
> 
> No, the default of auto-negotiating  works there too.
> 

In 1000BASE-T, autonegotiation is required, according to 
http://en.wikipedia.org/wiki/Gigabit_Ethernet#1000BASE-T

Which, in turn, refers to (click through without username required)
http://standards.ieee.org/getieee802/download/802.3-2008_section2.pdf
that states (in section 28D.5, part a) that Auto-negotiation in
1000BASE-T is required...

-I



Re: [CentOS] CentOS 5.6 and KVM failure

2011-04-21 Thread Ian Forde
On Thu, 2011-04-21 at 20:16 +0200, Kenni Lund wrote:
> 2011/4/21 Ian Forde :
> > Turns out that wasn't the only problem I faced in my migration.  With 2
> > KVM servers, both sharing a volume mounted via NFS for VMs, I migrated
> > all VMs to the second node, upgraded the first, then moved them all back
> > to KVM1.  Instant disk corruption on all VMs.  Boom.
> 
> Are you sure it was the migration and not the raw/qcow2 error which
> caused the disk corruption?

In the second pair of KVM servers, I'd made the changes to the xml files
and restarted libvirtd.  Then did migration of a VM.  Then watched the
corruption.  It's possible I may have needed to reboot the VM before
migrating, so that KVM absolutely knows what it is.  But nevertheless,
I'm now a little gunshy about live migration...

> I just had two Windows Servers with image corruption after upgrading
> from 5.5 to 5.6 and booting the first time with the raw setting,
> before changing it to qcow2 :-/
> 
> These two images were both on the same host, which is plain CentOS 5
> *BUT* with a 2.6.37 kernel (and therefore 2.6.37 KVM module) from
> elrepo...
> 
> It could be my special case of running with a vanilla KVM-module +
> CentOS KVM userspace which allows the corruption to happen, but if
> other people are seeing disk corruption with the regular
> kernel/kmod-kvm, then this "known issue" should probably have a big
> fat red warning in the release notes..

Yeah.  I completely agree.  I've got a steaming mess of VMs that I now
have to go and rebuild...

-I



Re: [CentOS] CentOS 5.6 and KVM failure

2011-04-20 Thread Ian Forde
On Sun, 2011-04-10 at 03:47 -0500, Johnny Hughes wrote:
> On 04/09/2011 12:04 PM, compdoc wrote:
> >> A similar incident was reported during the QA. Look at the .xml file.
> >> If it says type='raw', change it to type='qcow2' and restart libvirtd.
> >> Would that fix the problem ?
> >>
> >> Akemi
> > 
> > Thank you. After reading your message, I googled the error and found a
> > webpage that describes a slightly different procedure than yours, but which
> > does the same thing:
> > 
> > http://ubuntuforums.org/showthread.php?t=1638708
> > 
> > Everything is working now.
> > 
> > :)
> 
> I am going to add this to the Release Notes for 5.6 on the Wiki now.

Turns out that wasn't the only problem I faced in my migration.  With 2
KVM servers, both sharing a volume mounted via NFS for VMs, I migrated
all VMs to the second node, upgraded the first, then moved them all back
to KVM1.  Instant disk corruption on all VMs.  Boom.

I have a second pair of KVM servers.  I tested one VM with my normal
migrate-them-out-of-the-way procedure, and it, too, suffered MASSIVE
filesystem corruption.  This was even after I'd made the qcow2 mods and
restarted libvirtd.

The only way I was able to not have to rebuild the remaining
non-corrupted VMs was to shut them down on one node then bring them back
up again.  Turns out live migration doesn't work in this upgrade.
(Though I'll test regular live migration tomorrow, given that all 4 KVM
servers have now been upgraded.)

-I



Re: [CentOS] VMware (was Re: current bind version)

2011-02-25 Thread Ian Forde
On Thu, 2011-02-24 at 22:47 -0600, Les Mikesell wrote:
> Player isn't good for most of my usage because most of the time I don't want the
> console display at all - I just connect to the guests remotely with
> freenx/ssh/vnc when necessary.  And I have Server 1.x setups that have run for
> years with no attention or downtime.  I agree that ESXi is better, but it wasn't
> free when I built the VMs and I'm running some native Centos stuff on the host
> along with several guests.
>
> Anyway, my point was that the fabled library ABI stability of RHEL turned out
> not to work for VMware Server 2.0.   But CentOS did come through with
> bug-for-bug compatibility as promised, causing the same crashing behavior after
> the same minor-rev update.

I went through this a while back both at work and at home.  At work I
converted the whole shebang from VMware Server 2.0 over to KVM.  At home
I went with ESXi.  Both were fairly painless to do, though with ESXi you
need a Windows box to manage it.  Eventually, I'll probably convert the
home machine to KVM.  Maybe.  OTOH, I like not having a boot drive
(other than the SD card) on the box.

Hmm...

(thinking aloud) Is anyone doing KVM on a box from a USB stick or SD
card?  Saves a disk, and that's what VMware is doing with ESXi...

-I



Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-20 Thread Ian Forde
On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
> Very good information, Ed. And yes, you will almost certainly be 
> fighting with the compliance company, as I have not yet seen any who 
> recognized CentOS. RHEL, yes. CentOS however does not hold the same 
> 'trusted standard' or clout as the major 'name brand' providers. Yes, 
> the trouble is the versioning numbers used by RH. If the system 'is' RH, 
> most of the time those 'exceptions' are noted by the scanner but you may 
> find yourself trying to 'teach them' a lot. Hopefully they have improved 
> on this front.

McAfee (after they acquired HackerSafe) Secure recognizes the backported
fixes.  Even on CentOS...

> I really think much of this is no more than smoking mirrors. For 
> instance they do not ask about username/password policies and obviously 
> do not scan for such. So this scanning leaves a lot to be desired. After 
> I met all scan problems, my affected clients discovered they just 
> answered a question wrong and found that since CC processing was not 
> actually happening on my systems, but instead through other processors, 
> this all went away and ended the need to address the same issues 
> (backports) for the same applications, sometimes still under the same 
> version, just due to a new scan. Basically a huge waste of my time. But 
> I must admit, I did learn of just a couple of areas which I did tighten 
> up. The rest was just red tape and I started feeling one particular 
> compliance company was more into self promotion of their service by 
> showing these non-existent flaws. I suppose one could compare it to the 
> AV companies that allow broken virus sigs to set off alarms. "We just 
> saved your computer ."

Regarding CC processing, check version 2.0 of the DSS.  On page 7,
referring to the scope, I found the term, "processed, stored or
transmitted", so that may (or may not) change how you approach it.

> But, if you must, I did find the Nessus output was fairly close to what 
> the compliance companies found and gave me a bit of time to tune systems 
> before the real scan. It has been a while, but I think Nessus found some 
> things I thought more important, which the commercial scanner did not 
> mention.
> 
> And hey, if you do breeze through with CentOS being recognized as a RHEL 
> clone, I would love to hear about that back to this list.

Yep - McAfee is just fine with it...

-I



Re: [CentOS] Recommendation for a Good Vulnerability Scanning Service?

2011-02-20 Thread Ian Forde
On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
> Are you talking about the SAQC? I run all CC transactions through one
> CentOS VPS webserver (actually I have two servers that I periodically
> wipe out and alternate between every year or two). So I don't have POS
> terminals or any Windows PCs in the mix. We don't save any card holder
> data at all. So my SAQC was a breeze. I just had to add N/A for
> questions like the "do you run anti-virus software" and explain that
> everything goes through the one Linux machine for which no anti-virus
> software exists or is necessary.

You're going to want to go to www.pcisecuritystandards.org for the full
scoop.  I'd advise you to have your counsel examine the PCI DSS
documents.  IANAL, but I recall from version 2.0 of the doc found at
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
(click-through agreement required) that, and I quote from page 7: "PCI
DSS applies wherever account data is stored, processed or transmitted".

So it's not about saving data per se.  Just the act of having it
transmitted to your systems may (again, IANAL) make PCI DSS apply.

I've been dealing with PCI Compliance at work for a few years.  It's not
really something you want to skimp through, as the fines can be quite
severe when things go wrong.  As I said, you may want to talk to your
lawyer...

-I



Re: [CentOS] Bug in freeradius 1.1.3-1.5.el5_4 rpm

2010-05-22 Thread Ian Forde
On Wed, 2010-05-19 at 09:09 +0100, Lars Hecking wrote:
> lheck...@users.sourceforge.net writes:
> > Ian Forde writes:
> > > I upgraded one of my servers to CentOS 5.4 today.  The freeradius
> > > service (radiusd) didn't start up due to permissions errors.  I tracked
> > > it to the permissions on the /etc/raddb/certs/ directory being set to
> > > 640 rather than 750, so the radius user couldn't enter the directory.
> > > In the spec file from the source rpm, line 200 should read:
> > > 
> > > %attr(750,root,radiusd) %config (noreplace) /etc/raddb/certs
> > > 
> > > rather than the current:
> > > 
> > > %attr(640,root,radiusd) %config (noreplace) /etc/raddb/certs
> > > 
> > > Note that this bug also exists in the 1.1.3-1.4.el5 version that's
> > > part of the CentOS 5.4 release.  I'm not sure if it exists upstream
> > > though, but there it is... ;)
> >  
> >  Thanks for the heads-up. This bug was already in 5.3, but it looks like it
> >  was never reported.
> 
>  Still broken in 5.5.

Yeah - just got slapped by it again on one of my boxes...

-I



Re: [CentOS] Cron and Cluster

2010-03-30 Thread Ian Forde
On Wed, 2010-03-31 at 00:33 +, Joseph L. Casale wrote:
> >What kind of cluster? the term cluster can mean almost
> >anything these days.
> 
> Sorry, my bad. RHCS

I can tell you how I did it for a 2-node heartbeat cluster.  I enabled
the cron jobs on both servers, and had the following snippet at the top
of each script:

# Bail out if the shared include file is missing
[ ! -f /usr/local/etc/db_inc.sh ] && exit 3
. /usr/local/etc/db_inc.sh
getactivestatus

# Only the active node goes on to run the job
if [ "${activestate}" = "no" ]; then
    exit 0
fi

So in the file /usr/local/etc/db_inc.sh, I would define a function that
would return whether or not I was the active node.  An example of this
would be:

getactivestatus() {
    # Quoted so that empty output from cl_status does not break the test
    if [ "$(cl_status rscstatus)" = "all" ]; then
        activestate="yes"
    else
        activestate="no"
    fi
}

You'll need a command that determines the active/passive status for RHCS
to put into the getactivestatus() function, then you should be all
set...

-I



Re: [CentOS] centos Installation on Multiple machines

2010-03-25 Thread Ian Forde
On Wed, 2010-03-24 at 09:26 -0400, Tom Diehl wrote:
> On Wed, 24 Mar 2010, premr...@digilink.in wrote:
> 
> > Hi,
> >
> > I want to install customized centos on multiple systems. Can PXE boot do
> > that ?
> > Apart from this is there any other way of doing image copy of centos OS
> > and installing it on several client machines through network. I used
> > clonezilla, but after image cloning, i will again have to use the
> > clonezilla LIVE CD on client machine to do a image restore.
> >
> > I want to make a clone of centos OS and store it in a server and keeping
> > installing it on multiple machines with same hardware features from
> > network. Is this possible ?
> 
> You should look at https://fedorahosted.org/cobbler/ and kickstart. This will
> give repeatable automated installs over a variety of hardware.
> 
> Regards,
> 

Or, you can look at System Imager.  Designed just for that purpose.  Do
an image copy, then deploy on several machines on the network...

http://wiki.systemimager.org/index.php/Main_Page

-I



Re: [CentOS] upgrade

2010-03-20 Thread Ian Forde
On Sat, 2010-03-20 at 15:31 +0100, Kai Schaetzl wrote:
> Mattias wrote on Sat, 20 Mar 2010 12:48:34 -:
> 
> > Ok but how to to do all that
> > I use the repo on vault.centos.org
> 
> Why? This contains old software. You had to specifically change the repo 
> files for that. Just remove/go back to what it originally was.

And just before you reboot, you may want to do the following:

updatedb
locate rpmnew ; locate rpmsave

and resolve any config file changes that you see...

-I



Re: [CentOS] Looking for Newsletter Stuff

2010-03-05 Thread Ian Forde
On Mar 5, 2010, at 9:10 AM, Benjamin Donnachie  wrote:

> On 5 March 2010 17:07, Garry.Dale  wrote:
>> I like this idea, too.  However, I feel compelled to point out a
>> violation within your Data Center [5].
>> [5] 
>> http://wiki.centos.org/GarryDale?action=AttachFile&do=get&target=didiCIMG0027.jpg
>
> Mandatory in the UK!  At least at my desk :)

Nice! Might want to install Synergy on those boxes though and get rid  
of those extra keyboards!

   -I


Re: [CentOS] Clustering apache

2010-02-17 Thread Ian Forde
On Wed, 2010-02-17 at 10:27 -0600, Dan Burkland wrote:
> I’m a greenhorn when it comes to clustering in RHEL/CentOS and
> recently setup an active/standby clustering using Apache & Heartbeat.
> It seems to be a good entry step into clustering however after testing
> it I was disappointed in that the resource manager does not start
> httpd on node2 if httpd on node1 is dead (only starts httpd on node2
> if the heartbeat daemon on node1 is dead). Is there anyway to achieve
> this setup if not with Heartbeat with some sort of other HA solution?

(Bear in mind - I'm talking about Heartbeat V1 config style here, not
v2/3.)

I've used mon successfully to enable that.  You can add mon as a
clustered resource in addition to apache, then configure mon to look for
the apache process.  If it finds that httpd isn't running, it will kill
the heartbeat process, thereby forcing a failover.

In Heartbeat V2/3, I believe that pacemaker does something similar,
though I'm not certain, as I'm mortally allergic to xml-based config
files that have been massively overbuilt. ;)

-I



Re: [CentOS] Mount USB disk at startup?

2010-02-04 Thread Ian Forde
On Thu, 2010-02-04 at 14:19 -0800, Kenneth Porter wrote:
> --On Thursday, February 04, 2010 8:36 AM -0600 Robert Nichols 
>  wrote:
> 
> > Looks like that's about all you can do.  USB devices aren't available
> > until hotplug discovers them, and that's proceeding in parallel with the
> > rest of the boot sequence.  Be sure to put a timeout in that loop lest it
> > hang forever if that external device is absent.
> 
> Even better would be to make the script event-driven and launched by the 
> hotplug process. Then there's no busy-wait.
> 
> This page has some info:
> 
> 
> 
> The detail links on this page aren't working for me but look promising:
> 
> 
> 

Since the OP is looking to have their USB drive mounted before mythtv's
backend process starts up, I'd recommend disabling the mythbackend
startup script:

chkconfig mythbackend off

Then doing a manual mount in /etc/rc.local, followed by starting
mythbackend.

/sbin/mount /dev/sdb1 /wherever
/sbin/service mythbackend start

Of course, I wouldn't recommend using a USB drive for storing myth
recordings, as it will eventually bite you due to USB2's limited bandwidth...

-I (also a mythtv user!)



Re: [CentOS] Is ext4 safe for a production server?

2009-12-07 Thread Ian Forde
On Dec 7, 2009, at 10:30 AM, Florin Andrei wrote:

> John R Pierce wrote:
>>
>> I've always avoided XFS because A) it wasn't supported natively in RHEL
>> anyways, and B) I've heard far too many stories about catastrophic loss
>> problems and day long FSCK sessions after power failures [1] or what
>> have you
>
> I've both heard about and experienced first-hand data loss (pretty
> severe actually, some incidents pretty recent) with XFS after power
> failure. It used to be great for performance (not so great now that Ext4
> is on the rise), but reliability was never its strong point. The bias on
> this list is surprising and unjustified.

Given that I stated my experience with XFS, and my rationale for using  
it in *my* production environment, I take exception to your calling  
said experience unjustified.


> FWIW, I was at SGI when XFS for Linux was released, and I probably was
> among its first users. It was great back then, but now it's over-rated.
> rated.
>
> -- 
> Florin Andrei
>
> http://florin.myip.org


Re: [CentOS] Is ext4 safe for a production server?

2009-12-06 Thread Ian Forde
On Sat, 2009-12-05 at 22:47 -0500, Brian Mathis wrote:
> On Sat, Dec 5, 2009 at 10:20 AM, Miguel Medalha  wrote:
> > I am about to install a new server running CentOS 5.4. The server will
> > contain pretty critical data that we can't afford to corrupt.
> >
> > I would like to benefit from the extra speed and features of a ext4
> > filesystem but I don't have any experience with it.
> > Is there some member of the list who can enlighten me on whether ext4 is
> > mature enough to be used on a production server without too much risk?
> >
> > Thank you!
> >
> 
> Regardless of the technical issues offered here, ask yourself this: Do
> you really want to be experimenting with a new file system on a
> production server with "pretty critical data"?  Since you asked about
> "too much risk", I think you already answered the question.
> 
> Any sane process would involve installing it on a low priority test
> server, running for a while to see how it goes, and learning about new
> features or tools.  After you've done that on a few lower priority
> servers, for maybe a year or so, then you might start to _think_ about
> using it on a production server like this.
> 
> My guess is that any additional speed can come from tuning other areas
> of your server and disk subsystem.  What hardware do you have?  What
> kind of disks?  Using RAID?  What level?  Have you looked into
> aligning your partitions with the RAID blocks?  I'm sure that some of
> the hardcore disk I/O people on the list can ask better questions and
> give more meaningful recommendations.

Funny that - that's the kind of answer I was hoping to see on this list.
The key issue was the fact that it's a production server.  As a data
point, I've been using mythtv at home for about 6 years.  (Has it really
been that long? Wow!)  During that time, I've been using XFS filesystems
for media storage for about the last 4 or 5.  I haven't had a problem
with it yet, though that doesn't preclude the possibility of it
occurring at some later date.

(Even, now that I've written this, it may fail several seconds from now,
given that I may have jinxed it!)

Anyhoo - due to this experience with it for my data at home which is
constantly being written and rewritten - (mythtv is pretty intensive on
systems - run it for a few years and BELIEVE ME - you'll find out where
the weak points in various OS components are...) I've found XFS safe
enough to use at work on production database servers.

It works for me.  It may not for you, but I'm happy so far.

Again - this may all change tomorrow, but YMMV, as there's no such thing
as software liability, and open source may eat your cat, make your dog
toss its cookies on your lap, and cause the universe to unspool itself
in your Wheaties tomorrow.  We all take our chances, and it's a matter
of how much risk we're willing to shoulder.  As I said, I went through
my process and deemed it acceptable...

-I



Re: [CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?

2009-11-29 Thread Ian Forde
On Nov 29, 2009, at 3:52 PM, David McGuffey wrote:

>
> On Sun, 2009-11-29 at 20:31 +, John Horne wrote:
>> On Sat, 2009-11-28 at 18:57 -0500, David McGuffey wrote:
>>> Starting with a fresh load and after I finish hardening the load
>>> following the Center for Internet Security (CIS) guidance, I'm wondering
>>> whether AIDE or OSSEC would be a better intrusion detection system.
>>>
>>> I installed AIDE and did a quick test of AIDE and after initializing the
>>> db and applying the recent cups update, I found that 1700+ files had
>>> changed.  Those are a lot of changes to wade through to determine if
>>> they are legit or not. If that is all that AIDE can do, then it is not
>>> "manageable."
>>>
>>> Seems to me that any IDS must be tied to the yum update process so that
>>> one is not dealing with hundreds/thousands of changes that were brought
>>> in by a yum update that I choose to apply.
>>>
>>> Is OSSEC any less noisy?
>>>
>> More so as far as I can tell.
>>
>> Don't forget that prelinking will cause files to regularly change their
>> hash value whether they have been updated or not. Aide does have a patch
>> to cater for prelinking (as far as I know it is not in the current
>> release so you'll have to search their archives for it). OSSEC does not
>> know about prelinking, so will frequently report files having changed.
>>
>> Shameless plug: You could take a look at rootkit hunter
>> (http://sourceforge.net/projects/rkhunter/), its file properties test
>> knows about prelinking and can use the local RPM database to verify
>> files, so an updated file won't be flagged as having changed unless
>> someone has deliberately changed it.
>>
>> Another alternative is Samhain. As far as I remember it can handle
>> prelinking, but will report updated files as having been changed.
>
> Thanks.
>
> I'm not looking for a "tech" solution so I can sit on my butt and let
> the tools do their magic.  What bothered me was that I did the install,
> configured the load the way I wanted it, ran AIDE to init the db.  A
> couple of days later, the CentOS list informed us that cups needed to be
> updated.  I did the update and immediately ran AIDE to see what changed.
> That cups update changed nearly 1,700 files.
>
> That caused me to think...there should be a way to tie the IDS to the
> patching (that I deliberately authorized), so that the changes related
> to the patching are either ignored, or collected at the end of the
> report under the header something like:
>
> "The following changes appear to be tied to authorized patching
> activity...if you did not authorize these changes, then find out why
> they changed..."
>
> I still want to see the changes, but it would be nice to see the ones I
> authorized through the update service to be partitioned off from the
> ones that seem to have no reasonable explanation.

Seems to me that a yum plugin could be written that would accomplish
this. Consider - it would only allow signed rpm updates, and ask for
permission (or use a key) to update to LIDS database...
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
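
The partitioned report David describes, as an added example (not code from the thread or from AIDE, OSSEC or yum). It assumes the IDS's changed-file list and the "rpm -ql" / "rpm -V" output for the packages updated since the baseline were saved to text files; the function names and sample paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from AIDE, OSSEC or yum.
# Splits an integrity checker's changed-file list into changes explained by
# authorized package updates and changes with no package explanation.
#
# partition_changes CHANGED PKGFILES VERIFY
#   CHANGED   one changed path per line, taken from the IDS report
#   PKGFILES  "rpm -ql PKG" output for every package updated since the baseline
#   VERIFY    "rpm -V PKG" output for those same packages
# Returns 1 when at least one change is unexplained.
partition_changes() {
    awk '
        BEGIN { n_ok = 0; n_bad = 0 }
        FILENAME == ARGV[1] {            # files shipped by the updated packages
            if ($0 != "") owned[$0] = 1
            next
        }
        FILENAME == ARGV[2] {            # rpm -V lines, e.g. "S.5....T  c /etc/x"
            # A 5 in the third flag column means the content digest no longer
            # matches the RPM database; "missing" means the file is gone.
            if ($1 == "missing" || substr($1, 3, 1) == "5")
                differs[substr($0, index($0, "/"))] = 1
            next
        }
        $0 == "" { next }
        ($0 in owned) && !($0 in differs) { ok[++n_ok] = $0; next }
        { bad[++n_bad] = $0 }
        END {
            print "Unexplained changes (investigate these first):"
            for (i = 1; i <= n_bad; i++) print "  " bad[i]
            print "Changes tied to authorized patching activity:"
            for (i = 1; i <= n_ok; i++) print "  " ok[i]
            exit (n_bad > 0)
        }
    ' "$2" "$3" "$1"
}

demo_partition() {
    d=$(mktemp -d) || return 2
    # Constructed sample data: a cups update, one locally edited config file
    # and one changed binary that no updated package owns.
    printf '%s\n' /usr/sbin/cupsd /etc/cups/cupsd.conf /usr/bin/ssh \
        /usr/lib64/libcups.so.2 > "$d/changed"
    printf '%s\n' /usr/sbin/cupsd /usr/lib64/libcups.so.2 \
        /etc/cups/cupsd.conf > "$d/pkgfiles"
    printf '%s\n' 'S.5....T  c /etc/cups/cupsd.conf' > "$d/verify"
    rc=0
    partition_changes "$d/changed" "$d/pkgfiles" "$d/verify" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_partition || true
```

A file counts as explained only when an updated package owns it and rpm's own verification still matches, so a config file edited after the update stays in the first section.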


Re: [CentOS] PHP updates

2009-11-27 Thread Ian Forde
On Fri, 2009-11-27 at 08:34 -0500, Bob McConnell wrote:
> Michael Kress wrote:
> > Craig White wrote:
> >> and if enough people actually convinced the developers that
> >> 5.2.9-2.el5.centos were feasible, then they would probably move it into
> >> the 'Extras' repository.
> > 
> > ... here's one trying to 'convince'! ;-)
> > I'm using that package from c5-testing since a month or so and I
> > encountered no problems.
> > Regards
> > Michael
> 
> I'll go one further. We run commercial web sites on CentOS 5.3 which 
> must also be PCI compliant. Because of the security issues, the auditors 
> have been complaining for two months that we don't have PHP 5.2.11 
> installed yet, putting our PCI certification in jeopardy. When 5.2.12 is 
> released, probably next month, we will have 30 days to get it installed.
> 
> We are trying to figure out how to handle this issue short of having to 
> compile PHP ourselves. That would violate the agreement we have with the 
> hosting service.

Bob - there are many of us that are in that situation, but it's actually
quite an easy requirement to satisfy.

Let's start with Upstream...

Because Upstream certifies/qualifies their fixes against known
vulnerabilities, you shouldn't get dinged on version number checking as
long as you're using up to date backported fix packages from Upstream.

Now... As long as CentOS has the same backported fixes to respond to the
same CVE vulnerabilities, you should be okay.  Just tell your auditors
to research "backports".

Check out the first 2 paragraphs of:
http://twiki.cpanel.net/twiki/bin/view/AllDocumentation/PCIComplianceInfo/ScanningSoftware

Also, search the mailing list archives... you'll find more information.
For proof of CVE fixes, do a:

rpm -q --changelog php |grep -i cve

As long as you've resolved outstanding known vulnerabilities, you should
be able to get exceptions/exemption granted for version numbers.

Of course, IANAL, and this does not constitute legal advice, but it's a
path that you can pursue for a speedier resolution of this issue rather
than go through the pain of finding php 5.2.10 rpms and qualifying them
yourself.

Remember - If it weren't for fixes from Upstream/CentOS, neither
Upstream nor CentOS would be able to be tested for compliancy without
MAJOR source-code hoops, which would defeat the purpose of using these
OSes in eCommerce in the first place! ;)

-I

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
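
An added example (not part of the original post) that takes the changelog grep above one step further: it maps a list of CVE ids onto the saved changelog and reports which backported release first mentions each one. The function names, the changelog excerpt and the CVE ids are constructed placeholders, and it assumes each changelog header ends with the version-release.

```shell
#!/bin/sh
# Added example, not part of the original post. It maps the CVE ids an auditor
# cites onto the package changelog, so each id is answered with the backported
# release that fixed it rather than with an upstream version number.
#
# cve_report CHANGELOG WANTED
#   CHANGELOG  saved output of: rpm -q --changelog php
#   WANTED     one CVE id per line (the auditor's list)
# Prints FIXED/MISSING per id and returns 1 if any id is missing.
cve_report() {
    awk '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] {
            # Entry headers look like "* Day Mon DD YYYY Packager <mail> VER-REL"
            # (assumption: the version-release is the last field).
            if ($0 ~ /^[*] /) { rel = $NF; next }
            line = toupper($0)
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                # Changelogs run newest first, so the last assignment wins and
                # records the oldest release that mentions the id.
                fixed[substr(line, RSTART, RLENGTH)] = rel
                line = substr(line, RSTART + RLENGTH)
            }
            next
        }
        {
            id = toupper($1)
            if (id == "") next
            if (id in fixed) printf "FIXED   %s in %s\n", id, fixed[id]
            else { printf "MISSING %s\n", id; bad = 1 }
        }
        END { exit bad }
    ' "$1" "$2"
}

demo_cve() {
    d=$(mktemp -d) || return 2
    # Constructed changelog excerpt with constructed placeholder CVE ids.
    cat > "$d/changelog" <<'EOF'
* Thu Jan 01 2009 Example Packager <pkg@example.com> 5.1.6-99.el5
- rebuild; still carries the fix for CVE-0000-0002
* Mon Dec 01 2008 Example Packager <pkg@example.com> 5.1.6-98.el5
- add security fixes for cve-0000-0001, CVE-0000-0002
EOF
    printf '%s\n' CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 > "$d/wanted"
    rc=0
    cve_report "$d/changelog" "$d/wanted" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_cve || true
```

Any id reported as MISSING is one where the version-number exception cannot be argued from the changelog alone.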


Re: [CentOS] Recommend Mail Server

2009-11-23 Thread Ian Forde


On Nov 23, 2009, at 5:34 PM, Christopher Chan wrote:

> Les Mikesell wrote:
>
>> You probably really want ldap for that sort of thing.
>
> You probably really want to reconsider using ldap for anything that gets
> loads of changes daily.

In the case of a mail relay, at one point years back I decided to
drop (not bounce) all email to bogus recipients at the relay level
rather than let it get to (yuck) Exchange, which would bounce it. The
trick was having an updated recipient list. My first thought was to
query Active Directory for each user, thus getting an up-to-date result.

This turned out to be a *bad* idea for a couple of reasons. 1) if I
can't reach AD, mail won't queue up on the relays, which is one of
their major functions. 2) I'm making the relays directly dependent on
AD latency. 3) any flood of email from outside can cause a large
amount of queries against AD, causing a DOS that the relays are
supposed to shield the internal network from.

So instead, I found a script to gather the list of users from AD, did
some modifications and wrote some wrappers. The result? A script that
runs from cron to get the list of valid addresses, convert them into
an access file that sendmail (or postfix, in the first case years ago)
can use instead. There's a little more latency, but as long as I do
some sanity checking (too many changes? Send an alert and don't change
the access file) it works just fine. Ldap-based, yes. But loosely
coupled. A good compromise in my experience...
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
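
The cron-side sanity check described above, as an added example (not the script from the post). It assumes the directory export is already a text file with one address per line; the "address<TAB>OK" map format, the 10% change limit and all function names are assumptions to adapt to the MTA in use.

```shell
#!/bin/sh
# Added example, not the script from the post. It rebuilds a relay's recipient
# map from a directory export and refuses suspicious updates.
# Assumptions: the export is one address per line, the map format is
# "address<TAB>OK", and the default limit is 10% changed entries.
LC_ALL=C; export LC_ALL            # keep sort and comm ordering consistent

# make_access EXPORT: print sorted, de-duplicated map lines for valid addresses.
make_access() {
    tr 'A-Z' 'a-z' < "$1" |
        grep -E '^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$' |
        awk '{ printf "%s\tOK\n", $0 }' |
        sort -u
}

# update_access EXPORT LIVE [MAX_PCT]
# Returns 0 when LIVE was replaced, 1 when the update was refused.
update_access() {
    export_file=$1; live=$2; max_pct=${3:-10}
    new=$(mktemp "$live.new.XXXXXX") || return 2
    make_access "$export_file" > "$new"
    new_count=$(wc -l < "$new" | tr -d ' ')

    # An empty list almost always means the directory query failed.
    if [ "$new_count" -eq 0 ]; then
        echo "ALERT: export has no valid addresses, keeping $live" >&2
        rm -f "$new"
        return 1
    fi

    if [ -s "$live" ]; then
        old_count=$(wc -l < "$live" | tr -d ' ')
        # comm -3 lists lines unique to either file: additions plus removals.
        changed=$(sort -u "$live" | comm -3 - "$new" | wc -l | tr -d ' ')
        limit=$(( old_count * max_pct / 100 ))
        if [ "$limit" -lt 1 ]; then limit=1; fi
        if [ "$changed" -gt "$limit" ]; then
            echo "ALERT: $changed changes (limit $limit), keeping $live" >&2
            rm -f "$new"
            return 1
        fi
    fi

    chmod 0644 "$new"              # mktemp creates 0600; the MTA must read it
    mv -f "$new" "$live"           # same-directory rename, never half-written
    # Rebuild the MTA's lookup table here (for example makemap or postmap).
}

demo_access() {
    d=$(mktemp -d) || return 2
    # Constructed data: 20 recipients, then an export that lost 15 of them.
    i=1
    while [ "$i" -le 20 ]; do echo "user$i@example.com"; i=$((i + 1)); done > "$d/full"
    head -n 5 "$d/full" > "$d/short"
    update_access "$d/full" "$d/access" && echo "first export applied"
    update_access "$d/short" "$d/access" || echo "truncated export refused"
    wc -l < "$d/access" | tr -d ' '
    rm -rf "$d"
}
demo_access
```

Because the relay only ever reads the local file, a failed or truncated directory query leaves the last good recipient list in place instead of dropping mail for valid users.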


Re: [CentOS] Recommend Mail Server

2009-11-23 Thread Ian Forde


Sent from my iPhone

On Nov 23, 2009, at 6:14 PM, Les Mikesell  wrote:

>
> On the contrary, having the ability to extend through external software
> gives you unlimited options.  Note that postfix eventually got around to
> copying this feature.  Also with mimedefang you can do most of your
> special configuration in perl instead of having to learn yet another
> syntax.
>
Hmm... I wouldn't exactly call that an advantage... I'd much rather
plug in a milter and spend 20 minutes configuring it properly than
have to wrestle custom perl for getting mail flowing...


Re: [CentOS] Install libnet-server-perl on Centos

2009-11-09 Thread Ian Forde


Sent from my iPhone

On Nov 9, 2009, at 10:25 AM, m.r...@5-cent.us wrote:

>> Dhiraj Chatpar wrote:
>>> Please help me as i am not able to find any way to install Libnet Perl
>>> Server
>>>
>>> I used to install this on debian using
>>> apt-get install libnet-server-perl
>>> Command
>>>
>>> I just cannot figure out how to install this on Centos. Please help
>>
>> You need the perl-Net-Server package.  But this is not in the stock
>> repositories for CentOS.
>> You need to add a repository for RPMforge or EPEL to get it.
>> After that, a "yum install perl-Net-Server" should do.
>>
> Or maybe cpan install Net::Server will work

Please don't suggest using cpan as a first resort. On an operating  
system with package management, using said package manager should  
always be tried first.


[CentOS] Bug in freeradius 1.1.3-1.5.el5_4 rpm

2009-11-01 Thread Ian Forde
I upgraded one of my servers to CentOS 5.4 today.  The freeradius
service (radiusd) didn't start up due to permissions errors.  I tracked
it to the permissions on the /etc/raddb/certs/ directory being set to
640 rather than 750, so the radius user couldn't enter the directory.
In the spec file from the source rpm, line 200 should read:

%attr(750,root,radiusd) %config (noreplace) /etc/raddb/certs

rather than the current:

%attr(640,root,radiusd) %config (noreplace) /etc/raddb/certs

Note that this bug also exists in the 1.1.3-1.4.el5 version that's
part of the CentOS 5.4 release.  I'm not sure if it exists upstream
though, but there it is... ;)

  -I



Re: [CentOS] guestbook for centos 4 or 5 ???

2009-09-12 Thread Ian Forde

On Sep 12, 2009, at 7:57 PM, "R-Elists"  wrote:

>
>
>>
>> May I ask what purpose the guestbook should serve?
>>
>> You could just install wordpress and moderate every comment
>> before it's posted.
>> Guestbooks only accumulate spams.
>> Who writes into guestbooks nowadays?
>> I've got a blog myself and of the 500 or so comments it has
>> accumulated, 495 are spam.
>> Of those that are not spam, three are useless and one
>> commenter could also have emailed me, because she has my address.
>>
>> Guestbooks are sooo "90s"
>> ;-)
>> Rainer
>
> Ranier,
>
> um basically a customer asked if i had something already for it...
>
> i said ill look into it.
>
> the first thing i also thought of was *wordpress*, yet then each person in
> the family will want their own blog and i havent setup wordpress where it
> will support multiple blogs with only one instance of wordpress in one
> apache virtual domain space etc
>

Why not try wordpress mu then?


Re: [CentOS] what is the best way to delete so many queue files?

2009-08-31 Thread Ian Forde
Heh - I always preferred the indirect approach. Move the dir out of the
way, recreate it, and delete in your own time...

# service sendmail stop
# cd /var/spool
# mv clientmqueue clientmqueue-todelete
# mkdir clientmqueue
# chown --reference=clientmqueue-todelete clientmqueue
# chmod --reference=clientmqueue-todelete clientmqueue
# service sendmail start
# rm -rf clientmqueue-todelete

-I

On Mon, 2009-08-31 at 14:57 -0700, nate wrote:
> MontyRee wrote:
> 
> > What is the best way to delete fast without too much load?
> 
> If you put /var on another file system you could:
> - go to single user mode
> - copy all files off of /var except those in the queue directory
> - re-format the file system
> - copy all the files back
> - go to multi user mode
> 
> If there are a TON of files that could be much much faster
> than deleting them individually.
> 
> otherwise:
> 
> find /var/spool/clientmqueue -type f -exec rm -f {} \;
> 
> Another option I've never tried passing two commands to find
> at the same time, but assuming doing that is not possible you
> could create a script that calls rm -f and sleeps a second in
> between each file deletion -
> 
> [na...@us-cfe002:/tmp]$ cat test.sh
> #!/bin/bash
> rm -fv -- "$1"
> echo "Sleeping 1 second"
> sleep 1
> 
> 
> [na...@us-cfe002:/tmp]$ find blah3/ -type f -exec /tmp/test.sh {} \;
> removed `blah3/pd4-ads01-splunk-diag-20090827_193250.tgz'
> Sleeping 1 second
> removed `blah3/pd3-ads01-splunk-diag-20090827_183136.tgz'
> Sleeping 1 second
> removed `blah3/pd4-ads01-splunk-listtails.log'
> Sleeping 1 second
> removed `blah3/pd3-bgas01-splunk-listtails.log'
> Sleeping 1 second
> removed `blah3/pd3-ads01-splunk-listtails.log'
> Sleeping 1 second
> removed `blah3/splunk-diags-multiserver-20090827_1700.tar'
> Sleeping 1 second
> removed `blah3/pd4-bgas01-splunk-listtails.log'
> Sleeping 1 second
> removed `blah3/pd3-bgas01-splunk-diag-20090827_183148.tgz'
> Sleeping 1 second
> removed `blah3/pd4-bgas01-splunk-diag-20090827_193229.tgz'
> Sleeping 1 second
> 
> 
> adjust sleep level as desired..
> 
> nate
> 
> 



Re: [CentOS] What's the configure specs for the generic Apache install of CentOS x86_64 5.3?

2009-07-27 Thread Ian Forde
On Jul 27, 2009, at 6:28 PM, Rainer Duffner wrote:

>
> On 28.07.2009 at 03:23, Robert Heller wrote:
>
>>
>> Right.  The other option, if there is some specific thing you need
>> changed is to grab the source RPM and tweak the .spec file and include
>> your own patch(es).  Keep the patch(es), along with a patch file for the
>> .spec file someplace, so you can patch future versions.  But Ian is
>> right: you need a really good reason NOT to just use the distro provided
>> RPM, along with whatever extras from EPEL (or rpmforge, etc.) you might
>> need.  Also: check out CentOSPlus as well, if you need more bleeding
>> edge or whatever.
>
> Ever tried moving the install-location to /usr/local by changing the
> spec-file?
>
> Last time I looked, there was so much hard-coded stuff in the spec-file
> that it was almost impossible to change.

Right - that's kind of the point. If you want to customize your Apache  
build, then the spec file modification route is the way to go, though  
you should really know what you're doing and why. If all you want to  
do is build a non-CentOS/upstream-supplied Apache module, then  
building an rpm for it is the best way. Failing that, you can use  
Apache's built-in tool for DSO building: apxs, which is part of the  
httpd-devel package. Of course, if you want to build everything from  
source, this may not be the optimum distro for you and you may wish to  
explore Gentoo...;)

   -I


Re: [CentOS] What's the configure specs for the generic Apache install of CentOS x86_64 5.3?

2009-07-27 Thread Ian Forde
On Mon, 2009-07-27 at 16:06 -0700, Al Sparks wrote:
> Perhaps I can use that to determine what ./configure options to use when 
> compiling, but really, I don't see any differences in the two except some 
> directory paths, and APR version (the CentOS version uses APR 1.3.0 and my 
> version uses APR 1.2.7).
> 
> I actually did look into specifying
>   --with-apr=PATH         prefix for installed APR or the full path to
>                           apr-config
>   --with-apr-util=PATH    prefix for installed APU or the full path to
>
> I'll give it a try.
>    === Al

If you compile your own apache, you lose *ALL* of the patches that
upstream has put in place, and you break the rpm-listed definition of
what the apache package is.  Doesn't sound like a big deal now, right?
Wait until later... you'll definitely regret it... EPEL or apxs would be
the way to go for this...

-I



Re: [CentOS] What's the configure specs for the generic Apache install of CentOS x86_64 5.3?

2009-07-27 Thread Ian Forde
On Mon, 2009-07-27 at 14:09 -0700, Al Sparks wrote:
> I'm trying to install apache 2.2.x from a tarball.

That'll pretty much break the apache rpm installation...

> And it works.  But I'm also trying to install modsecure, and I can't get that 
> to work.

If you stick with the rpm-based Apache installation, it might be as
simple as:

yum install httpd-devel
apxs -cia mod_security.c

as listed on:
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html#02-installation

Of course, you could also grab the RPMS from EPEL...
http://download.fedora.redhat.com/pub/epel/5/x86_64/mod_security-2.5.9-1.el5.x86_64.rpm


> It might help to know what CentOS uses to install Apache when doing the 
> ./configure.

That'll be in the SPEC file from the source rpm... also, I believe that
by default, you don't get the server-info page unless you're coming in
from localhost.

-I



Re: [CentOS] DRBD very slow....

2009-07-22 Thread Ian Forde
On Wed, 2009-07-22 at 11:16 +0200, Coert Waagmeester wrote:
> The highest speed I can get through that link with drbd is 11 MB/sec
> (megabytes)

Not good...

> But if I copy a 1 gig file over that link I get 110 MB/sec.

That tells me that the network connection is fine.  The issue is at a
higher layer...

> Why is DRBD so slow? 

Let's see...

> common {
>   protocol C;
>   syncer { rate 80M; }
>   net {
>     allow-two-primaries;
>   }
> }

You want allow-two-primaries?  That implies that you're using something
like ocfs2, but that's probably immaterial to the discussion... Here's a
question - do you have another syncer statement in the resource
definition that's set to a lower number?  That would definitely throttle
the sync rate...

-I



Re: [CentOS] CentOS/SNMP update breaks MRTG?

2009-07-14 Thread Ian Forde
On Tue, 2009-07-14 at 12:07 +0800, Noob Centos Admin wrote:
> Hi,
> 
> > Did the update overwrite your snmpd.conf file?  The 'view' on the default
> > one may not permit access to the things mrtg needs to see.  Try changing
> > it to .1 to expose everything.
> 
> It might have done so. To be honest I have no idea since I've never
> touched the SNMP configuration before this and simply used the
> default. Currently there's nothing inside the snmpd.conf except a
> rocommunity which is the public user.
> 
> I've added lines from an online source that claims that is the default
> snmpd configuration and it looks like it should be allowing view all
> to the public user. In any case, even prior to adding these lines, I
> could get the relevant values off SNMP using command line with the
> public community user, so I don't think I was blocking any thing iv
> SNMP

Just a couple of random suggestions...

One of the things I always do after patching a box is do an 'updatedb',
followed by 'locate rpmsave' and 'locate rpmnew'.  Then I resolve the
differences.

The other suggestion comes from a recent experience I had when updating
a box running cacti.  Did the upgrade, then cacti broke completely.
Turns out that I didn't have the default fonts that cacti expected.  I
ended up having to install dejavu-lgc-fonts from rpmforge to resolve it.
Why do I bring this up?  Because cacti depends upon rrdtool, just like
mrtg...

-I



Re: [CentOS] Unexplained reboots in DRBD82 + OCFS2 setup

2009-06-25 Thread Ian Forde
On Wed, 2009-06-24 at 07:22 -0700, nate wrote:
> Kris Buytaert wrote:
> >
> >
> > We're trying to setup a dual-primary DRBD environment, with a shared
> > disk with either OCFS2 or GFS.   The environment is a Centos 5.3 with
> > DRBD82 (but also tried with DRBD83 from testing) .
> 
> Both OCFS2 and GFS are meant to be used on SANs with shared storage(same
> LUNs being accessed by multiple servers), I just re-confirmed that DRBD
> is not a shared storage mechanism but just a simple block mirroring
> technology between a couple of nodes(as I originally thought).

Actually, it's both.
http://www.drbd.org/users-guide-emb/ch-fundamentals.html gives the
overview.  It's shared storage with local disk access. And if you're
using Gig-E for the interconnect, it's *fast*. ;)

> I think you are mixing incompatible technologies. Even if you can
> get it working, just seems like a really bad idea.

That functionality is built in.  DRBD fully supports use of OCFS2 on top
of it in dual-primary mode.  See
http://www.drbd.org/users-guide-emb/ch-ocfs2.html

> Perhaps what you could do is setup an iSCSI initiator on your DRBD
> cluster, export a LUN to another cluster running OCFS2 or GFS(last I
> checked GFS required at least 3 nodes less than that and the cluster
> goes to read-only mode, I didn't see any minimum requirements for
> OCFS2).

You could do that, but it would probably be overkill.  Too many moving
parts.  You'd also slow down the speed.  You're talking about app node
-> Gig-E -> OCFS2/GFS cluster -> Gig-E -> iSCSI/DRBD cluster.  I'd
rather have app node -> Gig-E -> OCFS2/DRBD cluster.  And it's *much*
easier to setup.  GFS is a bit of a pita to setup.  I used to do it for
RH professionally and it's not entirely painless...

> Though the whole concept of DRBD just screams to me crap performance
> compared to a real shared storage system, wouldn't touch it with
> a 50 foot pole myself.

Nah... performance is pretty sweet.  Local disk access, sub-second
resync after rebooting one of the nodes, and the cost is *much* lower
than a "real" shared-storage system... if cost is a factor, I'd
seriously consider trialing the DRBD/OCFS2 combo.



Re: [CentOS] kickstart question

2009-06-13 Thread Ian Forde
On Fri, 2009-06-12 at 14:54 +0200, Rainer Duffner wrote:
> Jerry Geis wrote:
> > Hi all,
> >
> > I have a kickstart file that works for /dev/sda.
> > I now need to detect an HP server and use /dev/cciss instead of hard 
> > coded /dev/sda.
> >
> > How can I detect what the name of the device is and use /dev/cciss and 
> > not /dev/sda?
> >
> > Jerry
> >   
> 
> 
> You want to use cobbler (www.et.redhat.com).

Or you can use a begin script that does a 'fdisk -l' and parses out the
available disks and puts that into the ks file...

-I



Re: [CentOS] Centos 5.3 -> Apache - Under Attack ? Oh hell....

2009-06-02 Thread Ian Forde
On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
> On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
> > On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
> > > 
> > > It would be prudent to review his web code to see
> > > if he did something in an insecure way.  If his code
> > > is open to attack, it will be so even if he puts it
> > > on a new machine.
> > 
> > Hence my statements to evaluate the web-apps he has running :)
> > 
> > I will bet dollars to donuts he had a web app with a known issue
> > that was not patched.  Also goes back to my previous statement
> > of fully patching.
> > 
> ---
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs and clean
> up if there are customer data on the machine? I think right about now I
> would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days to report
> incidents like this to users (customers) and law enforcement.

If, by step 4, you mean remove the drive[1], stick it into USB
enclosure, make a copy of it, then stick the original into a plastic bag
in full view of a witness[2] then give it to them, I agree
wholeheartedly[3].  I've been through this before and this is, IMHO[4] a
safer way to operate.

-I

[1] Assuming no RAID.  If you have RAID, you can go to a separate box
and make a live backup via:
goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout
[2] Your manager or corporate counsel will do in this example.  Better
if it's both.
[3] This does *NOT* constitute legal advice.  Talk to your corporate
counsel before taking action, as this may constitute a criminal matter.
[4] See [3] above.



Re: [CentOS] Random server reboot after update to CentOS 5.3

2009-05-21 Thread Ian Forde
On Thu, 2009-05-21 at 15:13 +0200, Peter Hopfgartner wrote: 
> Dear ML
> 
> We upgraded a Dell Poweredge PE 1950 Server the 8th of May. Since then 
> the server rebooted 3 times without external cause (it is located in a 
> server farm with redundant power supply etc.). Looking at the servers 
> monitoring infrastructure with Dell's own OpenManage tools, I  get 
> strange errors:
> 
>  [r...@servernew ~]# omreport system esmlog
> 
> ()
> 
> Severity  : Critical
> Date and Time : Mon May 11 17:46:59 2009
> Description   : System Software event: run-time critical stop was asserted
> 
> Severity  : Critical
> Date and Time : Fri May 15 21:07:57 2009
> Description   : System Software event: run-time critical stop was asserted
> 
> Severity  : Critical
> Date and Time : Wed May 20 21:00:53 2009
> Description   : System Software event: run-time critical stop was asserted
> 
> 
> (...)
> 
> This class of errors never happened before in over a year that the 
> server is running.
> 
> There is no mention of any anomaly, except the boot messages itself, in 
> /var/log/messages.
> 
> The server runs the 64 bit flavor of CentOS hosting some XEN virtual 
> machines and some PostgreSQL and MySQL databases. It run without any 
> issues with CentOS 5.1 and 5.2.
> 
> I interpreted these issues as some kernel/software related problem, but 
> do not know how to make a more accurate diagnosis of the problem.
> 
> Can anybody give me some hint? Has anybody had some similar issue?

Hmm... you *definitely* want to take this one to the Dell Linux list.
Having said that, I did some googling for:

omreport run-time critical stop was asserted

and found only one hit for someone that faced it in April 2007.  And
Dell told them that it may have been software.  I'd start there.  Some
additional questions: What version of CentOS?  What kernel version?
What version of the Dell tools?

-I



Re: [CentOS] Certificate system

2009-04-24 Thread Ian Forde
On Fri, 2009-04-24 at 17:22 +0200, j.witvl...@mindef.nl wrote:
> Hi all,
> 
> Can anybody inform me whether the "RedHat Certificate System" or
> actually a CentOS equivalent is available for CentOS.
> Just skimmed on a download site through the RPM's for 5.3 and I
> couldn't find it.
> According to their press release, the code should be gpl, although
> I can't find any rpm for RH, FC or Centos.
> 
> It seems that this is one of the few CA-packages for large scale
> deployment of certificates. 
> Only alternative AFAIK is OpenCA, which seems to be hardly
> maintained… 
> ( binaries on their site are old, and source code yields lots of
> errors during build..)

Build? Why build?  Check out TinyCA2, for which you can find rpms in
rpmforge...

-I



Re: [CentOS] Controlling log file sizes

2009-04-11 Thread Ian Forde
On Sat, 2009-04-11 at 22:25 +0100, Anne Wilson wrote:
> My fetchmail and procmail log files are getting rather large, and there's
> really no reason to keep entries for ever.  How do others handle this?  I
> know I could manually delete the older stuff then re-save the file, but it
> doesn't seem a good method.

Use logrotate - it's built-in.  Check the files in /etc/logrotate.d/ for
examples, as well as the logrotate man page...

-I



Re: [CentOS] rpmnew puzzles

2009-04-09 Thread Ian Forde
On Thu, 2009-04-09 at 15:30 +0100, Anne Wilson wrote:
> On Thursday 09 April 2009 15:01:37 George Negoita wrote:
> > On Thu, Apr 9, 2009 at 3:39 PM, Anne Wilson wrote:
> > > I'm puzzled by such statements as
> > >
> > > diff /var/clamav/daily.cvd /var/clamav/daily.cvd.rpmnew
> > > Binary files /var/clamav/daily.cvd and /var/clamav/daily.cvd.rpmnew
> > > differ
> > >
> > > I thought the point of rpmnew files was so that we could check what has
> > > been changed?
> >
> > You can check to see what has been changed, since you have both
> > versions, but you should use a tool that can compare binary files (if
> > that makes any sense to you).
> >
> > In your case, you can safely delete daily.cvd.rpmnew, because, most
> > probable, freshclam already updated daily.cvd to a newer version.
> 
> Thanks, both of you.  I did wonder if it was a generated file, but couldn't 
> see the need for the rpmnew if it was.  I'll need to carefully go through the 
> /etc/clamd.conf.rpmnew, though.  A quick look tells me I've lost the mailto, 
> so I need to check what else has changed.

And this is where vimdiff is your best friend... ;)

-I



Re: [CentOS] gnet-2.0, gio-2.0

2009-03-05 Thread Ian Forde
On Thu, 2009-03-05 at 09:21 +0100, Ondrej Filip wrote:
> Who makes packages for centos? Or who makes decisions about it?
> 
> Hope it's not dummy question.

http://www.centos.org/modules/tinycontent/index.php?id=2

See the section entitled: "CentOS : Community ENTerprise Operating
System"

so if RH pulls them, CentOS pulls them. Unless they end up in
centos-plus...

-I



Re: [CentOS] gnet-2.0, gio-2.0

2009-03-05 Thread Ian Forde
On Thu, 2009-03-05 at 07:59 +0100, Ondrej Filip wrote:
> I asked on Saturday and I didn't get reply. I'm trying again.
> 
> I'm porting one project to centos where we use gnet and gio libraries. Will
> be these libraries part of centos in future? I'm not sure what relationship
> is between these libraries and glib.

That seems more of a question for upstream - meaning Red Hat...

-I



Re: [CentOS] 4 X 500 gb drives - best software raid config for a backup server?

2009-02-22 Thread Ian Forde
On Sat, 2009-02-21 at 18:09 -0600, Les Mikesell wrote:
> Yes, but raid1 in software has none of those problems, since as far as 
> the boot loader is concerned, you are booting from a single drive.  And 
> there is a trade-off in complexity, since sw raid works the same on 
> Linux across different hardware and you need to round up different 
> vendors instructions and utilities for hardware raid - and have a backup 
> controller around for recovery.

RAID in software, whether RAID1 or RAID5/6, always has manual steps
involved in recovery.  If one is using standardized hardware, such as HP
DL-x80 hardware or Dell x950 boxes, HW RAID obviates the need for a
"recovery procedure".  It's just easier.  You can still boot from a
single drive, since that's what the bootloader sees.  There are no
vendor instructions or utilities needed for recovery.  Nor is there a
backup controller needed.  The *only* time I'd use software RAID on
Linux is if I didn't have a standard hardware base that supported
hotswap and commandless recovery, which in any enterprise within which I
were to be employed, I'd insist upon (and deploy)...

-I



Re: [CentOS] 4 X 500 gb drives - best software raid config for a backup server?

2009-02-21 Thread Ian Forde
On Sat, 2009-02-21 at 17:24 -0600, Les Mikesell wrote:
> Ian Forde wrote:
> > Might not be a bad idea to see how they're able to use
> > mdadm to detect and autosync drives.  I don't *ever* want to go through
> > something like:
> > 
> > http://kev.coolcavemen.com/2008/07/heroic-journey-to-raid-5-data-recovery/
> > 
> > Not when a little planning can help me skip it... ;)
> 
> If you are really concerned about data recovery and can chunk up your 
> filesystem mount points so things fit on a single disk (usually not too 
> hard with 1 or 1.5 TB drives available now) just use software raid1 
> since you can simply mount any single disk from it and access the files. 
>   It becomes much more difficult with other raid levels or multi-disk lvm.

My point is that at home, I'd rather do network mounts to a fileserver
utilizing HW RAID.  At work, I'd rather use HW RAID with hot-swap disks.
This way, there are no hoops to go through.  Time is a more important
resource to me... SW RAID is a path that I went down well over a decade
ago in Solaris (DiskSuite and Veritas VM), followed by Linux mdadm.  If
you've ever had to do a Veritas encapsulated boot disk recovery, you'll
know why I'd rather never go down that road *ever again*... ;)

-I



Re: [CentOS] 4 X 500 gb drives - best software raid config for a backup server?

2009-02-21 Thread Ian Forde
On Sat, 2009-02-21 at 08:40 +0800, Chan Chung Hang Christopher wrote:
> Ian Forde wrote:
> > I'd have to say no on the processing power for RAID 5.  Moore's law has
> > grown CPU capabilities over the last 15 or so years.  HW RAID
> > controllers haven't gotten that much faster because they haven't needed
> > to.  It's faster to do it in software, though it's preferable to offload
> > it to HW RAID so that any apps aren't affected directly.
> >   
> You will have to prove that. I have previously posted posts with links 
> to benchmarks that show that hardware raid with sufficient processing 
> power beat the pants off software raid when it comes to raid5/6 
> implementations. Hardware raid cards no longer come with crappy i960 cpus.

Just by doing some quick googling, I came across:

http://blogs.zdnet.com/storage/?p=126
http://storagemojo.com/2007/04/24/mo-better-zfs-performance-stats/
http://milek.blogspot.com/2007/04/hw-raid-vs-zfs-software-raid-part-iii.html

Now, bear in mind that I'm no ZFS fanboy, but I'm saying that it's not
so cut and dry anymore. The equation changes, of course, when we're
talking about a purposed fileserver versus an application server that
needs RAID.  (The app server can suffer because it's losing access to CPU
resources.)  But the point of contention is still there.  Both are
viable solutions, when considering that SW RAID was never a serious
contender for performance over the years, look at where it is now.  This
tells me that it's trending up towards equaling or bettering HW RAID
performance.  And that's not talking about price points.  When throwing
that in...

But again - I still like HW RAID.  I think we're in agreement on this.

> > I would agree on that cache memory is an advantage, especially when
> > considering battery-backed cache memory.  
> There is more to it. That cache memory also cuts down on bus traffic but 
> the real kicker is that there is no bus contention between the board's 
> cpu and disk data whereas software raid needs to read off the disks for 
> its calculations and therefore suffers latencies that hardware raid 
> boards (which have direct connections to disks) do not. Of course, if 
> the cache size is insufficient, then the hardware raid board will not 
> perform much better if not worse than software raid.

Indeed.

> > But those aren't the only significant areas.  HW RAID allows for
> > hot-swap and pain-free (meaning zero commands needed) disk replacement.
> >   
> 
> Hmm...really? I guess it depends on the board. (okay, okay, thinking of 
> antique 3ware 750x series may not be fair)

I was thinking about when I was running a farm of 500 HP DL-x80 series
boxes and disk replacement became a 9x5 job that we farmed out.  Just
give a list of servers and locations (first drive or second drive) and
the person could pull old drives out, put new drives in, and resync was
automatic.  Same thing is true for Dell PERC hardware.  I note that
that's not necessarily true with ALL HW RAID controllers, as they have
to support hot-swap, and the chassis has to have hot-swap slots. But
still, I've only seen one SW RAID implementation that does auto-sync.
That's the Infrant ReadyNAS (http://www.readynas.com).  I wonder how
they did it?  Might not be a bad idea to see how they're able to use
mdadm to detect and autosync drives.  I don't *ever* want to go through
something like:

http://kev.coolcavemen.com/2008/07/heroic-journey-to-raid-5-data-recovery/

Not when a little planning can help me skip it... ;)

-I



Re: [CentOS] 4 X 500 gb drives - best software raid config for a backup server?

2009-02-20 Thread Ian Forde
On Fri, 2009-02-20 at 22:52 +0800, Chan Chung Hang Christopher wrote:
> Bollocks. The only area in which hardware raid has a significant 
> performance advantage over software raid is raid5/6 given sufficient 
> cache memory and processing power.

I'd have to say no on the processing power for RAID 5.  Moore's law has
grown CPU capabilities over the last 15 or so years.  HW RAID
controllers haven't gotten that much faster because they haven't needed
to.  It's faster to do it in software, though it's preferable to offload
it to HW RAID so that any apps aren't affected directly.

I would agree on that cache memory is an advantage, especially when
considering battery-backed cache memory.

But those aren't the only significant areas.  HW RAID allows for
hot-swap and pain-free (meaning zero commands needed) disk replacement.

-I



Re: [CentOS] iptables question

2009-02-19 Thread Ian Forde
On Thu, 2009-02-19 at 18:46 -0600, ward.p.fonte...@wellsfargo.com wrote:
> Hi,
> 
> I have two servers in the same subnet, one has this arrangement:
> 
> BOX A [3 ips, one real two vips]
> 
> BOX B [1 ip]
> 
> I need to redirect input from one of the vips (192.168.0.1:8080) on BOX
> A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out. Can
> anyone lend a hand? All my searching leads me to home firewall type
> arrangements using DNAT. I tried to bend one of those to fit my
> situation but it was a no go (most likely due to my lack of knowledge
> with iptables)

Why not keep the vip and move it over to the other box?  Heartbeat is
perfectly suited to such a task...

-I



Re: [CentOS] realtime backup

2009-02-18 Thread Ian Forde
On Wed, 2009-02-18 at 13:57 -0800, Scott Silva wrote:
> on 2-18-2009 1:45 PM Scott Silva spake the following:
> > on 2-18-2009 1:36 PM Ian Forde spake the following:
> >> On Wed, 2009-02-18 at 15:35 -0500, Toby Bluhm wrote:
> >>> For a speedy backup, could put the db on LVM. Then your procedure would 
> >>> be shutdown/freeze db, make lv snapshot, startup/unfreeze db, 
> >>> rsync/backup data, remove snapshot.
> >> That's what I'd suggest too, but be warned that performance on that
> >> database (if it gets to be of any size to be useful) would completely
> >> suck... not unlike driving at 90mph and with the ebrake on and
> >> constantly up-and-down-shifting...
> >>
> >>-I
> > 
> > Would a decent alternative be a master/slave, with the dumps being done
> > from the slave. That way if the slave bogs down during the dump, it can
> > catch up afterwards. The master shouldn't slow down at all, or very
> > minimally as it is caching the slave transactions.
> > 
> One too many "would's"...

;) That would work, and I've done that (though not at the 5-minute
interval) in production environments.  But since the OP hasn't responded
to this thread with any type of follow-up detail (like the size of the
db), I'm wondering how much time I want to spend putting out possible
solutions...

-I



Re: [CentOS] realtime backup

2009-02-18 Thread Ian Forde
On Wed, 2009-02-18 at 15:35 -0500, Toby Bluhm wrote:
> For a speedy backup, could put the db on LVM. Then your procedure would 
> be shutdown/freeze db, make lv snapshot, startup/unfreeze db, 
> rsync/backup data, remove snapshot.

That's what I'd suggest too, but be warned that performance on that
database (if it gets to be of any size to be useful) would completely
suck... not unlike driving at 90mph and with the ebrake on and
constantly up-and-down-shifting...

-I



Re: [CentOS] 4 X 500 gb drives - best software raid config for a backup server?

2009-02-18 Thread Ian Forde
On Wed, 2009-02-18 at 08:13 -0800, dnk wrote:
> On 18-Feb-09, at 2:01 AM, John Doe wrote:
> 
> >>> For controller, what is the interface on your drives??  SCSI, SAS??
> >> Dell 2950, SAS 6 Host Bus Controller.
> >
> > Integrated SAS 6/i(base): 4 port SAS controller (does support RAID  
> > 0/1)
> > But I don't know if that is decent hw raid or crap raid...
> >
> > JD
> 
> This was kind of the reason I was thinking software raid.
> 
> Has anyone had any raid experience with this card?

Yep - it's real HW raid, though with a 2950, I would have gone for the
PERC instead.  The integrated SAS is usually a Fusion-MPT (LSI/Symbios)
card.  Do a 'lspci' to be sure.  I've got a few of these configured and
I can check the raid status with the mpt-status command (from the
mpt-status rpm).  Note that doing a 'fdisk -l' only yields one disk when
RAID is setup.  So yes - it's real HW raid.  Just not much in the way of
cache, which is why I prefer using PERCs instead...

-I



Re: [CentOS] MySql server on Centos 5

2009-02-16 Thread Ian Forde
On Mon, 2009-02-16 at 11:54 -0700, Warren Young wrote:
> Ian Forde wrote:
> > 
> > You can always use the MySQL community RPMs.
> > http://dev.mysql.com/downloads/mysql/5.0.html#downloads
> 
> Second that.  I'm not normally a big fan of replacing stock system 
> packages with third-party ones, but I've never had a problem with MySQL 
> AB's RPMs on CentOS.

There is one caveat - if you're running Apache and php on the same box,
you'll first have to remove both the stock mysql and php-mysql rpms.
Then install the MySQL Community packages, followed by php-mysql.

-I



Re: [CentOS] MySql server on Centos 5

2009-02-16 Thread Ian Forde
On Mon, 2009-02-16 at 15:22 +, Tom Brown wrote:
> > I have a question about Mysql.
> > I use mysql 5.0.68 on Centos 4 from Centos plus repository.
> >
> > The old hardware steers me to Centos 5, however there is mysql 5.0.45. Some
> > program solutions which we are using on the old server (production for 500
> > users) do not work properly on new one (some queries producing reports).
> >
> > Is there a source where I can find version for Centos 5 server equal to the
> > Mysql version which I run on the old server. I'd like to use some kind of
> > repository.
> >
> > Looking forward for suggestions.
> >
> >   
> 
> 
> i think the short answer is no - you'd have to package that yourself and 
> depending on what else this box does you may or quite well may not 
> encounter other issues.

You can always use the MySQL community RPMs. 
http://dev.mysql.com/downloads/mysql/5.0.html#downloads

-I



Re: [CentOS] network driver at installation time

2009-02-15 Thread Ian Forde
On Sun, 2009-02-15 at 22:34 -0500, Jerry Geis wrote:
> Is there anyway to load a network driver at installation time. Centos 
> 5.2 x86_64.

Yep - it's definitely in the kickstart docs - don't remember where
though...

> Alternatively, is there a way to do a USB network driver at boot?

See above... ;)

> Either is fine... Presently I have a rtl 8168 that just hangs at DHCP 
> request.
> I want to use all the kickstart information I have setup, but need the 
> network to work for that.

From what I recall, there's an entry to the start of the kickstart
something like "linux ks=whatever dd" or something like that... How to
automate it into unattended kickstart?  I haven't done that yet, so I'm
not sure.

-I



Re: [CentOS] Suggestion for Server Room monitoring

2009-02-15 Thread Ian Forde
On Mon, 2009-02-16 at 09:59 +0800, Fajar Priyanto wrote:
> Hi all,
> I have a situation like this:
> Our little server room is always on. It has an air conditioning unit,
> but barely enough.
> So sometimes during weekend, the temperature could reach unhealthy
> level, like 29 degree Celsius.
> Currently, there's no personnel to monitor it 24 hours a day.
> I'm thinking of using a tool to monitor the temperature, and then send
> sms/email when it reaches certain threshold.
> Anyone has an idea? Could be software based or hardware one.
> Thank you.

If you've got an APC UPS, there's a chance you can get a temperature
sensor that attaches to it.  That can be checked from Nagios, which can
send alerts when thresholds are reached.  You can also graph temperature
over time (via SNMP) using Cacti, so that you can verify that Nagios is
doing the right thing.  Note that even if you use lm_sensors rather than
an external temperature sensor[1], it's still a good idea to use Nagios
and/or Cacti in conjunction with it.  I believe Nagios has a
check_lmsensors plugin available. ;)

-I

[1] - lm_sensors reports internal temperature, which is usually much
higher than external temperature. So tune your thresholds accordingly...



Re: [CentOS] tinydns/djbdns opinion poll

2009-02-12 Thread Ian Forde
On Thu, 2009-02-12 at 11:08 -0600, Les Mikesell wrote:
> That sounds like the kiss of death for any critical service.  Can't it 
> figure out ahead of time that this is going to happen and let the 
> service keep running unchanged with a warning message about needing the 
> update instead?

You're missing the point.  If the service is already running, the
changes won't take effect until you restart the service with the new
binaries. And the whole patching exercise is what maintenance windows
are for, anyway.  Note that it's critical SERVICE, not critical SERVER.
The former is more important than the latter, so ideally you should be
able to take down the latter in order to upgrade one implementation of
the former.

-I



Re: [CentOS] tinydns/djbdns opinion poll

2009-02-11 Thread Ian Forde
On Wed, 2009-02-11 at 17:34 -0500, James B. Byrne wrote:
> With one very large caveat.
> 
> Be aware that updating bind via yum can result in your existing bind
> configuration files being renamed to something.rpmsave and your name
> server left in a dysfunctional state. I suggest that you consider
> excluding bind from normal updates and only update it when you are
> ready and able to check for possible configuration issues.

That's true of pretty much every rpm that has config files... it's part
of my standard updating routine:

yum update
updatedb
locate rpmsave
locate rpmnew
fix any config files...
restart services and/or reboot if necessary...

-I
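
The "locate rpmsave / locate rpmnew" step of the routine above, as an added example that is not part of the original post: a POSIX shell helper that lists every leftover under the given directories and says whether it still differs from the live file. The function names are hypothetical, and the default of /etc is an assumption.

```sh
#!/bin/sh
# Added example: report config files left behind by an rpm/yum update.
#   foo.conf.rpmnew  -> the package shipped a new default; the live file is
#                       still the admin's copy (new settings are NOT active)
#   foo.conf.rpmsave -> the package replaced the live file; the admin's old
#                       copy was set aside (local hardening may be gone)

# find_rpm_leftovers [DIR...]
# Prints one line per leftover: "<kind> <live-file> <status>"
#   status: differs | identical | orphan (live file no longer exists)
find_rpm_leftovers() (
    [ "$#" -gt 0 ] || set -- /etc            # assumption: default to /etc
    find "$@" -xdev -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) \
        -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r leftover; do
        kind=${leftover##*.}                 # rpmnew or rpmsave
        live=${leftover%.*}                  # path without the suffix
        if [ ! -e "$live" ]; then
            status=orphan
        elif cmp -s "$live" "$leftover"; then
            status=identical                 # safe to delete the leftover
        else
            status=differs                   # needs a manual merge
        fi
        printf '%s %s %s\n' "$kind" "$live" "$status"
    done
)

# count_unmerged [DIR...]
# Number of leftovers that still differ; non-zero means "fix any config
# files" has not been finished, which a cron job can turn into an alert.
count_unmerged() {
    find_rpm_leftovers "$@" | awk '$NF == "differs" { n++ } END { print n + 0 }'
}

# review_leftovers [DIR...]
# Unified diff (live file vs. leftover) for everything that still differs.
review_leftovers() (
    find_rpm_leftovers "$@" | while IFS= read -r line; do
        kind=${line%% *}
        status=${line##* }
        live=${line#* }
        live=${live% *}
        [ "$status" = differs ] || continue
        diff -u "$live" "$live.$kind" || true   # diff exits 1 when files differ
    done
)

# Usage after "yum update":  count_unmerged /etc /var/named
#                            review_leftovers /etc | less
```

Unlike locate, this does not depend on updatedb having run since the update. File names containing newlines are not handled.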



Re: [CentOS] real SATA RAID

2009-02-08 Thread Ian Forde
On Sun, 2009-02-08 at 15:33 -0600, Sam wrote:
> The software raid in linux with mdadm is very powerful.  A lot of people 
> stay away from software raid because they think that a hardware solution 
> would be easier to work with.  But with a hardware solution, how do you 
> monitor the status of your drives?  There is usually windows software 
> for that but normally a linux client is non existent.  All of the 
> monitoring and management is built into mdadm.  Once you learn it, it is 
> very easy to use and you can move your raid array from system to system 
> as long as mdadm is installed.  You certainly can't move a hardware raid 
>   setup to another machine unless the cards are identical.

While I think that Linux software RAID is both solid and stable, when
running a production environment I'd much rather use hardware RAID with
hot-swappable drives.  Example? Dell PERC RAID.  Yes - historically
there have been problems - but today it's rock solid.  Monitoring it?
Easy - there are Nagios plugins for omreport.  Drive fails?  Pull the
drive and put the new one in.  Nothing else to do.  Same thing with HP
DL-[35]xx class boxes...

And if you're running, say, a farm of a few hundred servers, you can
just have someone go in once a week armed with a list of disks to pull
and replace.

In short, IMHO, hardware RAID with hot-swap capabilities, on proven,
STANDARDIZED hardware makes it easier (and cheaper) to support a larger
number of boxes.  (If you don't have standardized hardware, and tend to
run somewhat of a mishmash, you're probably better off considering
software RAID...)

-I



Re: [CentOS] kickstart won't kick-off via network

2009-02-03 Thread Ian Forde
On Tue, 2009-02-03 at 11:17 -0600, Les Mikesell wrote:
> Isaac Hailperin wrote:
> > On Tue, 2009-02-03 at 15:42 +0100, Kai Schaetzl wrote:
> >> Isaac Hailperin wrote on Tue, 03 Feb 2009 14:45:44 +0100:
> >>
> >>> append initrd=distro/centos5.2/initrd.img ramdisk_size=7494
> >>> ks=http://9.0.0.1/all/profiles/cluto_centos5.2/cnode/ks.cfg
> >> this is not enough, you have to tell PXE about the network, which nic
> >> to use etc. I think there is a tutorial about doing PXE installations on
> >> the wiki.
> >>
> > You are right: "ksdevice=eth1" did the trick.
> > Found at
> > http://wiki.centos.org/TipsAndTricks/KickStart
> 
> The order of NIC detection/naming at bootup seems to be more or less 
> random as of Centos 5.x.  How do you know which name to choose here?

In order to avoid this, you can use the "ksdevice=bootif" to use the
interface from which the system booted...

-I



Re: [CentOS] Linux HA or Heartbeat IP address question

2009-02-02 Thread Ian Forde
On Tue, 2009-02-03 at 13:58 +1100, Devraj Mukherjee wrote:
> Hi all,
> 
> I am following the guide on HowToForge to get Heartbeat going for two
> Apache web servers
> (http://www.howtoforge.com/high_availability_heartbeat_centos), a
> quick question for anyone who might have a similar setup.
> 
> Do I have to assign the service IP to either of the NICs or does
> Heartbeat do that automagically?

Heartbeat does it for you - basically, Heartbeat for apache can be setup
in less than 5 minutes. It's no more complicated than the link you
posted.  Each box has its own address, then there's the VIP.  To get a
little more advanced, you could configure a private link between them
with a crossover cable and monitor that in heartbeat if you wanted to,
but it's not required.  Also, I'd turn off auto_failback... but that's
just me.

Some notes:

1. Disable apache from automatic startup via:
chkconfig httpd off
2. Enable heartbeat to startup automatically via:
chkconfig heartbeat on
3. Consider using the aforementioned private link, as the broadcast
traffic can be maddening on a busy segment.
4. Consider using a private vlan rather than a crossover cable.  If a
crossover cable, or either side of a private link dies, and you've got
STONITH enabled, both nodes can, under certain circumstances, kill each
other.
5. Consider installing mon as well to monitor the cluster.
6. auto_failback means that if you default to node01, then node01
fails, as soon as it's back up, it'll fail back to node01.  That can be
good, but it can also be very bad... think of the case of using
Heartbeat with mysql, and ask yourself how often you want to fail over a
live database cluster. ;)

Have fun!

-I



Re: [CentOS] More than 2TB RAID...

2009-01-27 Thread Ian Forde
On Tue, 2009-01-27 at 18:46 -0500, Joshua Baker-LePain wrote:
> On Tue, 27 Jan 2009 at 6:43pm, Jake wrote
> 
> > I should say that I STRONGLY recommend not creating ext3 file systems in the
> > 2TB+ range - fsck takes too long and you'd hate to get hit by one of those
> > in what is supposed to be a "quick" reboot...and disabling them on the file
> > system isn't a good idea either.
> 
> On the other hand, nothing is as well supported on RHEL/CentOS as is ext3. 
> So if your data is really important to you, think hard about using 
> another FS.

Actually, on RHEL, the *only* filesystems that upstream *officially*
supports are ext2/3 and GFS.  Not XFS, nor reiser, nor JFS.  Nada...

Well, maybe FAT for USB-attached storage... ;)

But if you're using CentOS, it's entirely up to you... If I were in
RHEL-land (meaning: at a company willing to pony up for licenses), I'd
consider a GFS2 cluster shared out via NFS.  Or maybe an OCFS2 NFS
cluster.  If at a company using CentOS, I'd consider an OCFS2/NFS
cluster or heartbeat/XFS/NFS.  For home? XFS (or JFS if you like).  But
then, I'm willing (and capable) of supporting the mess I create.  It all
depends upon one's comfort level with getting out of a jam when one
strays out of the "sweet spots" of available help...

-I



Re: [CentOS] Shell Script - Compare packages. rpm.

2009-01-26 Thread Ian Forde
On Mon, 2009-01-26 at 08:26 -0200, Tiago Dias wrote:
> Hi,
> 
>  I need a script which makes the package comparison rpm's
> through two text files ... 
> 
>  Since a file is the output of the command rpm-qa > pkg.out 
> 
>  And the second file is a list of several packages rpm's,
> multiple versions and architectures. 
> 
>  My idea is to compare a package x file pkg.out with several
> packages y of the file update.out and know whether a package and has a
> larger version of the package x installed and with that I return I
> have a package to be updated. 
> 
> Can anyone help me do this comparison? 

Looks like you want to see what the update packages are without doing
the updates, and without an internet connection.  About 5 years ago I
would have suggested running 'rpm --freshen --test
packagename-from-update.out'.  Today, I'd suggest saving even more time
and just use a local instance of mrepo.  Configure your yum repos
in /etc/yum.repos.d/ to point to the repository, and install the
yum-updatesd package to find out what the new packages are... Why
reinvent the wheel? ;)

-I



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Ian Forde
On Wed, 2009-01-21 at 21:06 -0500, Adam Tauno Williams wrote:
> > Yes, I know, it's really really embarrassing to have to ask but I'm
> > being pushed to the wall with PCI DSS Compliance procedure
> > (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> > we don't need to install an anti-virus or find an anti-virus to run on
> > our CentOS 5 servers.
> > Whatever I do - it needs to be convincing enough to make the PCI
> > compliance guy tick the box.
> > 1. Has anyone here gone through such a procedure and got good arguments
> > against the need for anti-virus?
> 
> There is no good argument against running malware detection on any
> server.

That depends upon how you define malware detection.  Antivirus software
for Linux typically scans for Windows viruses and malware.  On the other
hand, if you're talking about detection in the sense of Tripwire, or a
cron job that runs a 'rpm -V' every night, I completely agree that this
is something that should be done.

> CLAMAV works well.

For detecting Windows malware, which isn't really the point...

-I
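
The nightly 'rpm -V' check mentioned in the reply above, as an added example that is not part of the original thread: a POSIX shell filter that triages `rpm -Va` output so a cron job mails only what matters. The sample lines are constructed, the function names are hypothetical, and the ALERT/review policy is an assumption to tune per site.

```sh
#!/bin/sh
# Added example: triage `rpm -Va` output for a nightly integrity check.
# Each rpm -V line is: attribute flags (S size, M mode, 5 digest, D device,
# L symlink, U user, G group, T mtime, P capabilities; "." = unchanged,
# "?" = test could not be run), an optional file-type marker
# (c config, d doc, g ghost, l license, r readme), then the path.
# Older rpm prints 8 flag characters, newer rpm 9; both are accepted.

# Constructed sample output (not from a real host).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T  c /etc/clamd.conf
.......T  c /etc/ntp.conf
S.5....T    /usr/bin/ssh
.M......    /usr/sbin/sshd
missing     /usr/lib/libexample.so.1
.M...UG.  c /etc/shadow
S.5....T.  c /etc/httpd/conf/httpd.conf
EOF
}

# triage_rpm_verify: reads rpm -Va output on stdin and prints
#   ALERT  <flags> <path>  packaged non-config file changed or missing,
#                          or mode/owner/group changed on a config file
#   review <flags> <path>  config/doc content edited (often legitimate)
# Lines where only the mtime changed, and ghost files, are dropped.
triage_rpm_verify() {
    awk '
    NF == 0 { next }
    {
        flags = $1
        rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)       # drop the flags column
        type = "-"
        if (rest ~ /^[cdglr][ \t]+\//) {            # optional type marker
            type = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        if (rest !~ /^\//) next                      # not a file line

        if (flags == "missing")                 sev = "ALERT"
        else if (flags !~ /^[SM5DLUGTP.?]+$/)   next
        else if (type == "g" || flags !~ /[SM5DLUGP?]/) next
        else if (type == "c") sev = (flags ~ /[MUG]/)     ? "ALERT" : "review"
        else if (type == "-") sev = (flags ~ /[5MUGLP]/)  ? "ALERT" : "review"
        else                                    sev = "review"
        print sev, flags, rest
    }'
}

# count_alerts: number of ALERT lines for rpm -Va output on stdin.
count_alerts() {
    triage_rpm_verify | awk '$1 == "ALERT" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; from cron use:  rpm -Va | triage_rpm_verify
sample_rpm_verify_output | triage_rpm_verify
```

`rpm -V` compares files against the local rpm database, so it is only as trustworthy as that database; a Tripwire-style baseline kept off the host covers the case where the database itself has been modified.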



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Ian Forde
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
> Hi All,
> 
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.

Note - I am *NOT* a lawyer.  This advice is freely given, and may be
worth exactly what you paid for it... ;)

> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
> 
> So:
> 
> 1. Has anyone here gone through such a procedure and got good arguments
> against the need for anti-virus?

Yep - on the wikipedia page you referenced, look in the "Requirements"
section, section 5.  It says: "Use and regularly update anti-virus
software on all systems commonly affected by malware"

Note that CentOS isn't commonly affected by malware.  So you should be
okay here.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

None... clamav, amavis, etc... are used for protecting Windows boxes
behind the Linux boxes.  If you aren't running any Windows hosts on the
same network as the Linux hosts, that should take care of the sweet spot
of the AV argument.  (Though if you're connected to a site via VPN or
private link that has Windows boxes, that may be a different story.)

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).

Yep - then you want to make sure that since you're using a VPN, nothing
(like say, an Apache worm) can jump over...

PCI Compliance can be a bear.  Just make sure that you have management
buy-in, and a good external scanning vendor...

-I



Re: [CentOS] kickstart over ilo serial port

2009-01-15 Thread Ian Forde
On Thu, 2009-01-15 at 11:11 +0100, Jure Pečar wrote:
> Hello,
> 
> Has anyone managed to redirect output of kickstart install to ILO
> serial console?
> 
> I have to test and deploy the remote install with kickstart but have
> trouble debugging it because I can't see the output.
> 
For kickstart using the serial console, just add "console=ttyS0,9600" to
the APPEND line in the kickstart profile that you use under
pxelinux.cfg/

-I



Re: [CentOS] xorg-x11-drv-nouveau for CentOS?

2008-12-29 Thread Ian Forde
On Mon, 2008-12-29 at 14:34 -0600, Frank Cox wrote:
> Ultimately, you're better off to use video chipsets with good open source
> drivers.  Currently, that means Intel and (recently) ATI.

That depends upon one's purpose.  If, for example, one wants to use
mythtv, I would use an NVidia card with the closed-source driver.
Primarily because for what I would need mythtv to do, it works *much*
better than both Intel and ATI chipsets/drivers...

-I



Re: [CentOS] Sendmail problem

2008-12-27 Thread Ian Forde
On Sun, 2008-12-28 at 07:27 +0100, swilting wrote:
> I wish to add options to sendmail
> 
> INPUT_MAIL_FILTER(`spamassassin',
> `S=local:/var/run/spamass-milter/spamass-milter.sock, F=T,
> T=C:5m;S:4m;R:4m;E:5m')dnl
> dnl MAILER(cyrusv2)dnl
> 
> INPUT_MAIL_FILTER(`greylist',
> `S=local:/var/run/milter-greylist/milter-greylist.sock')
> define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
> define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
> define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')
> define(`confMILTER_MACROS_ENVRCPT', `{greylist}')
> 
> 
> and 
> 
> LOCAL_CONFIG
> Kstorage macro
> LOCAL_RULESETS
> SLocal_check_rcpt
> R$+ $: $(storage {greylist} $) $&{client_addr}
> R$+ $: $>A <$1>  <+Connect> <$1>
> R<$+> <$*>  $: $(storage {greylist} $@ $1 $) $2
> 
> it does not seem to work
> 
> after restart sendmail
> I errors
> 
> [r...@r13151 ~]# /sbin/service sendmail restart
> Arrêt de sm-client :   [  OK  ]
> Arrêt de sendmail :[ÉCHOU]
> Démarrage de sendmail :554 5.0.0 /etc/mail/sendmail.cf: line 1685:
> Xspamassassin: `=' expected
> WARNING: Xgreylist: local socket
> name /var/run/milter-greylist/milter-greylist.sock missing
> 451 4.0.0 InputFilter spamassassin not defined: No such file or
> directory
>[�CHOU]
> D�marrage de sm-client :   [  OK  ]
> [r...@r13151 ~]# 
> 
> that happens I've done yet
> 
> /sbin/servive greylistd start
> /sbin/servive spamassassin start
> 
> thank you for all your returns

I can think of 2 things... 1) Is milter-greylist installed? 2) You may
have the socket file wrong.  Check your milter-greylist configuration to
see the name of the socket file.

Also, make sure that both spamassassin and greylistd are started before
sendmail...

-I



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ian Forde
On Fri, 2008-12-19 at 16:02 +0530, Dhaval Thakar wrote:

> I prefer non-encryption vpn.

Uhh... without encryption, you take the "p" out of "vpn"...

-I



Re: [CentOS] drbd 8.3.0 is out

2008-12-19 Thread Ian Forde
On Fri, 2008-12-19 at 10:20 +0100, Rainer Traut wrote:
> Hi,
> 
> is this the right place to ask for updated -extras- packages?
> 
> this seems to be the successor of the 8.2.x branch and contains various 
> bugfixes.

Uhhh... this was *just* released... that's a little quick to be asking,
isn't it? ;)  I'm pretty sure I won't be using this in production until
it's at least at 8.2.3 or so... 

Of course, that's not to say that testing packages won't be produced at
some point.  After all, wasn't there some overlap of 8.1.x and 8.2
packages?

-I



Re: [CentOS] Dlink DGE-530T on CentOS 4.7

2008-12-07 Thread Ian Forde
On Sun, 2008-12-07 at 16:04 -0500, Stephen Harris wrote:
> On Sun, Dec 07, 2008 at 12:57:05PM -0800, Akemi Yagi wrote:
> 
> > I was just about to suggest the same thing when I saw this reply.  The
> > OP is running CentOS-4, so this link may be relevant:
> > 
> > http://atrpms.net/dist/el4/sk98lin/
> > 
> > If their driver works, set up the atrpms repository on the system so
> > that the driver update takes place automatically.
> 
> Won't I have an issue, though, where the new kernel might be available before
> the ATrpms module is updated?  I was hoping for some sort of dkms solution.

Yep - that would be an issue... But since I also use quite a few other
modules from atrpms, I always check first...

> Otherwise I can always just recompile the module myself if there's no
> automatic version solution available.

You could, but I prefer the simplicity of rpms... this way I don't have
to do my own QA..

-I



Re: [CentOS] Dlink DGE-530T on CentOS 4.7

2008-12-07 Thread Ian Forde
On Sun, 2008-12-07 at 13:44 -0500, Stephen Harris wrote:
> Has anyone had any luck getting this to work?  The kernel-provided skge,
> sky2 and sk98lin modules all fail to load.
> 
> I was able to download the latest version from the syskonnect.de site,
> and with some hacking/kludging of their install script managed to
> compile the module in there (a newer version of sk98lin, it seems)
> which recognised the card...  but this isn't really sustainable 'cos
> new kernels will cause problems.

Um... I've been using DGE-530T (PCI-Express) cards in a couple of boxes
running CentOS for a couple of years now... I'm using the sk98lin module
from the atrpms.net rpm... http://atrpms.net/dist/el5/sk98lin/

-I



Re: [CentOS] XFS or JFS on CentOS 5?

2008-11-20 Thread Ian Forde

On Thu, 2008-11-20 at 12:21 +, Karanbir Singh wrote:
> I use xfs, i dont use jfs. but only on x86_64

Ditto.

> xfs in CentOS is more widely used than jfs is in centos ( impression I 
> get from looking at logs on and off - generated at mirror.centos.org ).

(much snippage) - over on the mythtv list, you'll find that there are
more than a few people (including myself) that have been using XFS with
CentOS for *years* without problems.  XFS is better than ext3 when
dealing with files in the sizes of hundreds of megs and possibly a
couple dozen gigs... (deleting a 60GB file on ext3 takes a *while*...)

That being said, RH doesn't support XFS and would rather one used ext3.
But this is CentOS.  We have -plus here, and kmods for those who want to
use it... remember - it's all GPL...

-I



Re: [CentOS] Oracle start up script issue with RHEL3 Cluster

2008-11-16 Thread Ian Forde
On Sun, 2008-11-16 at 09:39 -0500, Lanny Marcus wrote:
> On Sun, Nov 16, 2008 at 8:53 AM, lingu <[EMAIL PROTECTED]> wrote:
> >Thanks a lot for your valuable information also we are getting lot
> > of mails in this mailing list about debian,ubuntu,knoppix and even the
> > microsoft and the people are getting help for such mails too .I dont
> > think anything wrong about posting RHEL related issue on this list,
> > also i thought you know very well centos is the clone of RHEL .
> 
> Yes, I know that CentOS is a clone of RHEL. But, if you paid for RHEL,
> probably you have a right to their support. If not, to participate in
> their mailing lists.  On  a weekend, you probably will get a quicker
> reply from a RH mailing list than this one. Many of the experts who
> participate in this list are not around on the weekends.

In addition, Red Hat Cluster isn't cheap.  It's usually a pretty safe
assumption that if one has it deployed, then one has an active service
contract with RH, and thus has access to the official support
channels... which is why RHCS knowledge hasn't really percolated out to
the CentOS crowd to the degree that it has on the RHEL lists...

-I



Re: [CentOS] Re: Linux backup help

2008-11-15 Thread Ian Forde
On Fri, 2008-11-14 at 15:08 -0700, Warren Young wrote:
> Amos Shapira wrote:
> > Is there a way to "freeze" a list of installed packages and exact
> > versions, then tell yum (or any other tool/script) to install exactly
> > these versions either on the same or another system?
> 
> There isn't a need for an explicit feature.  Just update one server, 
> test it, then copy all of /var/cache/yum/updates/packages to the other 
> machines.  You can then say "rpm -Fvh *.rpm" in that directory to bring 
> that machine up to the same level as the other one.

Actually, that's the problem that Red Hat Satellite Server can solve.
You can approve packages for deployment.  Thus, when provisioning new
servers, they get updates from the approved list.  And servers are
grouped by class.  For the free version, one should investigate Project
SpaceWalk.  http://www.redhat.com/spacewalk/

-I



Re: [CentOS] Cluster Broken Pipe error and Heartbeat configuration

2008-11-12 Thread Ian Forde
On Wed, 2008-11-12 at 08:41 -0800, nate wrote:
> lingu wrote:
> 
> >  Can any one guide me  what is this above error indicates and how to
> > troubleshoot.After a long google search i found the below link from
> > redhat that is matching my scenario.Can i follow the same because it
> > is my very critical production server.
> 
> I suggest you contact Red Hat support for this issue if it's
> such a critical server and sounds like a pretty fragile situation.
> That's what they are there for. And you're running a really old version
> of RH.

I'm inclined to agree that RH is probably the fastest way to get this
resolved.  That isn't such an old version of RHEL, btw... current RHEL3
version is 3.9, but RH recommends sticking with particular versions when
using RHCS (Red Hat Cluster Server) as Cluster can often come with
replacement versions of stock rpms (including the kernel)... From
checking http://www.redhat.com/docs/manuals/csgfs/ we can see that RH
didn't update RHCS for 3.9, so RHEL 3.8 is the current version supported
for RHCS...

> If it were me I would upgrade the system to be fiber channel instead
> of SCSI, and update to all the latest patches for your version of
> RH. The bug mentions how using SCSI attached storage as your shared
> storage medium is not at all proven reliable. At least some MSAs
> out there you can get a fiber channel head unit and a few HBAs, and
> perhaps a switch and hook things up without too much downtime and
> have a better system as a result.

I wouldn't do that... not right away anyway... SCSI has proven itself
reliable over the years for clustering just fine in my experience.
However, it's how you've got it configured that may cause headaches...

You should definitely configure a private LAN for the heartbeat.  It's
as simple as editing /etc/sysconfig/network-scripts/ifcfg-eth3 on each
box and setting up the IP addresses.

But I wouldn't use a crossover cable for this - create a 2-port vlan on
your switch for it (or use a cheap switch or whatever else will work).
If you use a crossover, if either NIC or the cable fails, link state
will be down on both nodes and both nodes will attempt (and possibly
succeed) to fence each other.  I'm not making this up - I've seen it
happen on cluster deployments. (In a past life I used to deploy RHCS for
RH.)

Best advice? Call Red Hat and speak to them... they'll give you the
recommended config... also, check out the RHCS docs...
http://www.redhat.com/docs/manuals/csgfs/browse/rh-cs-en-3/index.html

I'd also recommend taking the RHCS class.  It's um... enlightening... ;)

-I



Re: [CentOS] Re: Mass installs of desktop systems on identical machines

2008-10-15 Thread Ian Forde
On Wed, 2008-10-15 at 07:36 +0200, Niki Kovacs wrote:
> Thanks very much everybody for your numerous comments. I guess I got 
> much more than I expected.

One more suggestion... try SystemImager...

-I



Re: [CentOS] Seeking advice about auth/home serving

2008-10-15 Thread Ian Forde
On Wed, 2008-10-15 at 09:52 +0200, Laurent Wandrebeck wrote:
> Hi,
> 
> I'm currently using nis/nfs3/autofs in a small network (20 boxes), and
> planning on using a more secure/elegant method. The thing is, which
> solution to adopt ? The network is mainly composed of Centos boxes,
> and a couple MS/Win ones.
> ldap/kerberos/nfs4 ? Directory Server ? Anything else ?
> Another point is, we have several servers with a local /data. Is there
> any solution to make each /data accessible to each server without
> having to maintain an awful fstab list per server ? (no way to deploy
> gfs).

Without knowing more specifics, you could always try using the /net
automount... as in: /net/servername/data

It's ugly, and rarely used, but it works for small networks...

-I



Re: [CentOS] creating a user from an RPM package

2008-10-14 Thread Ian Forde
On Wed, 2008-10-15 at 16:22 +1300, Spiro Harvey wrote:
> What wizardry do you guys use in the SPEC file when creating/deleting a
> user from an RPM package?
> 
> I was going to create a macro like:
> 
> %define user(login,uid,gid,name,homedir,shell) \
> echo "$1:x:$2:$3:$4:$5:$6"  >>/etc/passwd; \
> echo "$1:!!:12005:0:9:7:::" >>/etc/shadow; \
> echo "$1:x:$3:" >>/etc/group; \
> mkdir -p $5; \
> chown $2:$3 $5
> 
> and then appropriate sedness and rm's when removing it, but I figure
> there has to be a cleaner way, or a builtin as this surely is a
> common feature. The RPM guide doesn't seem to mention it, or if it
> does, I missed it.
> 
> Alternatively, if you could point me to a package or a spec file that
> does this, I'd be much obliged.

You know, you could always use the useradd command...

-I
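
The useradd suggestion above, written out as the body of a %pre scriptlet.
This is an added example, not part of the thread or of any package's spec
file; the account name "exampled", its home directory and the DRY_RUN switch
are hypothetical.

```shell
#!/bin/sh
# Added example: create a package's service account with the shadow-utils
# tools instead of appending lines to /etc/passwd, /etc/shadow and /etc/group.
# In a spec file this body goes under %pre. All names here are hypothetical.

# run CMD...: execute CMD, or only print it when DRY_RUN=1 (for review/testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ensure_system_account NAME HOME [COMMENT]
# Idempotent: on upgrade or reinstall the account already exists and nothing
# is changed, so no duplicate entries and no failed transaction.
ensure_system_account() {
    acct_name=$1
    acct_home=$2
    acct_comment=${3:-"$1 service account"}

    # -r asks for a system group/user (id from the system range, no aging).
    getent group "$acct_name" >/dev/null 2>&1 \
        || run groupadd -r "$acct_name" \
        || return 1

    # No login shell and no password: the account exists only to own files
    # and to be the identity the daemon drops to.
    getent passwd "$acct_name" >/dev/null 2>&1 \
        || run useradd -r -g "$acct_name" -d "$acct_home" \
               -s /sbin/nologin -c "$acct_comment" "$acct_name" \
        || return 1

    return 0
}

# Demo: show what would be executed for the hypothetical account.
( DRY_RUN=1; ensure_system_account exampled /var/lib/exampled "Example daemon" )
```

Because the scriptlet text is stored in the package, an account created this
way also shows up in "rpm -q --scripts", which is what the brute-force search
at the top of this page greps for.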



Re: [CentOS] rpmforge, perl-dbd-mysql, yum, priorities, centos, and you

2008-10-08 Thread Ian Forde
On Wed, 2008-10-08 at 10:40 -0700, Joe Pruett wrote:
> rpmforge has just released a new perl-DBD-mysql for el4 that has an 
> obsoletes against perl-DBD-MySQL and the protectbase yum plugin doesn't 
> grok obsoletes.  the priorities plugin does.  so if you are having issues 
> with this, install the yum-plugin-priorities first, make sure that the 
> CentOS-Base repo is priority 1 and the rpmforge repo is priority 2 or 
> higher (99 is the default).
> 
> also, i'd like to suggest that the priorities plugin be made added to the 
> base install and that the centos-base repos be configured with priority 1. 
> it looks like c4 has the priority setting, but c5 doesn't and neither have 
> the plugin installed.  it seems like this would create a little more 
> stable setup for people when they start adding other repos.

Anything like this would probably have to be an upstream thing.  But it
would probably be a good idea for people to put this into their
kickstart configs...

-I



RE: [CentOS] CentOS on Dell Poweredge 2850

2008-09-17 Thread Ian Forde
On Wed, 2008-09-17 at 10:26 +0200, [EMAIL PROTECTED] wrote:
> Thx. A former unix-admin at the dept thinks it might be a little on the old
> side hardware-wise, this particular server is about four years old. I'm
> split...
> 
> This particular Poweredge model is certified for RHEL 2 and 3. If I'd try to
> install RHEL5 on it, would bad things happen, or is it just a support issue?
> Seeing how CentOS 5.2 is equivalent to RHEL5, I don't see *what* could happen
> though... Kernel panics??

Still don't foresee any problems... I was running RHL 7.2 and 9 on
PowerEdge 2850 boxes 6 years ago without problems, though I didn't have
OMSA on them (not even sure if it was available for RHL at that time).
There shouldn't be a problem with CentOS 5.2 though.  You've got a PERC
5/i, and I know that's supported in OMSA under RHEL 5.2.  So I'd say
just go for it... and if you want more confirmation that it's certified
and supported for RHEL 5.2, you can check the http://support.dell.com
page, specify a PowerEdge 2850, and choose RHEL5.  The fact that it's
there indicates that it's working for Dell, let people outside of
Dell... RH had an entry at
https://hardware.redhat.com/show.cgi?id=232290 but the link is busted.
But it still shows that it's certified...

-I



Re: [CentOS] CentOS on Dell Poweredge 2850

2008-09-16 Thread Ian Forde
On Wed, 2008-09-17 at 02:51 +0700, Lunix1618 wrote:
> Ian Forde wrote:
> > there underneath the OS.  You also may be able to do it using omconfig
> > after installing omsa.  This question really belongs on the Dell Linux
> > list though... I can say that I've expanded a RAID5 volume underneath
> > Windows quite recently on a 2850 and a 2950 without incident...
> >
> >   
> Are you sure that? I remember I found an article on Dell support site 
> explain that PERC 6/i doesn't support that. At the beginning I only have 
> 3 hdd, now I get more 3 hdd and after that I figured can not add new hdd 
> to existing volume. I am not install Open Manage yet ...will try it soon

You'll definitely need to install Openmanage first.  My 2950 boxes have
PERC 5i controllers in them.

> PS: sorry all for OT
> > Uhh... check the DRAC - you may be able to extend the RAID5 array from
> btw, how do you access to DRAC ? i configured IP address for it at 
> firmware boot but can not see the interface for it.

It's not part of the operating system.  You get to it via web browser
(https)

-I



Re: [CentOS] CentOS on Dell Poweredge 2850

2008-09-16 Thread Ian Forde
On Tue, 2008-09-16 at 16:35 +0700, Lunix1618 wrote:
> [EMAIL PROTECTED] wrote:
> > Hi all,
> >
> > Our department's planning to buy a refurbished Dell Poweredge 2850 running
> > dual-xeons and with a rather big raid array (8x 146GB).
> >
> > *My* plan is to install CentOS on this machine and I'd like to hear with you
> > guys if there are any gotchas' doing this.
> >
> > My main concern is the ability of CentOS to recognise the raid-controller of
> > the Dell and run a raid5-array as well as drivers for the onboard NICs.
> >   
> I am running Dell 2950 III and no issue with hardware recognition of 
> CentOs (5.2 Final)
> The one small thing is I can not extend the RAID volume because at the 
> beginning time we only have 03 HDD now when we buy new HDD we recognize 
> that RAID controller (PERC 6/i) doesn't support add new HDD to existing 
> volume :( so only a choice is rebuild it.

Uhh... check the DRAC - you may be able to extend the RAID5 array from
there underneath the OS.  You also may be able to do it using omconfig
after installing omsa.  This question really belongs on the Dell Linux
list though... I can say that I've expanded a RAID5 volume underneath
Windows quite recently on a 2850 and a 2950 without incident...

-I



Re: [CentOS] CentOS on Dell Poweredge 2850

2008-09-16 Thread Ian Forde
On Tue, 2008-09-16 at 11:15 +0200, [EMAIL PROTECTED] wrote:
> Hi all,
> 
> Our department's planning to buy a refurbished Dell Poweredge 2850 running
> dual-xeons and with a rather big raid array (8x 146GB).
> 
> *My* plan is to install CentOS on this machine and I'd like to hear with you
> guys if there are any gotchas' doing this.
> 
> My main concern is the ability of CentOS to recognise the raid-controller of
> the Dell and run a raid5-array as well as drivers for the onboard NICs.
> 
> Any feedback on this is appreciated.

I don't foresee any problems.  I'm running CentOS 5.2 on a 2950 III and
omreport installs fine without any problems.  I can see the RAID array
and monitor via the Nagios omreport plugins (search nagios-exchange for
them).  Onboard NICs shouldn't be a problem either...

-I



Re: [CentOS] Changing swap resume signature location

2008-09-01 Thread Ian Forde
On Mon, 2008-09-01 at 13:25 -0400, Mag Gam wrote:
> 1. Format the swap partition again: sudo mkswap /dev/XXX
> 2. Activate swap partition sudo swapon /dev/XXX
> 3. Replace UUID=XXX in /etc/initramfs-tools/conf.d/resume by "resume=/dev/XXX"
> 4. Regenerate the initrd: sudo mkinitramfs -o /boot/initrd.img-2.6.XX
> (same version as the kernel)

Hmm... for CentOS this would be:

Become root (or use sudo - your choice...)
1. 'mkswap /dev/xxx'
2. Put the entry into /etc/fstab
3. 'swapon -a' (This will ensure that your fstab entry is good.  If it
doesn't load up, something's wrong...)
4. Recreate your initial ramdisk.  You could do something like:
'mkinitrd /boot/initrd-2.6.18-92.1.10.el5.img 2.6.18-92.1.10.el5' but
I'd recommend creating a new ramdisk (different filename) and creating a
new test grub entry...

-I



Re: [CentOS] I need help with GRUB

2008-08-31 Thread Ian Forde
On Mon, 2008-09-01 at 09:47 +0530, Sadaruwan Samaraweera wrote:
> Hello,

>And the problem that I'm having is with my two Linux distros. I've
> installed CentOS & Windows in my SATA HDD and I've used my complete
> 40GB PATA HDD for Ubuntu. Well all OS's work fine without any
> problems but when I want to boot into CentOS I've to select the SATA
> as my booting HDD from the BIOS if I want to go to Ubuntu then I've to
> select my PATA as the default HDD from the menu. So what I want to do
> is I need to add Both distros in to one GRUB boot loader and the other
> thing is that both grubs that I've on both HDD s only detects the
> windows Partition not the Linux partition. So I need to know how to
> add both Linux versions I've into one GRUB. I want to use the SATA
> HDD as my default HDD.

You'll want to merge the grub boot stanzas into one file, apply it to
one (or both) of the drives, and keep it in sync when you do kernel
updates (because those affect the grub menu)... This way, you won't have
to change the BIOS setting.

-I



Re: [CentOS] Help me

2008-08-27 Thread Ian Forde
On Wed, 2008-08-27 at 12:00 +0530, Sadaruwan Samaraweera wrote:
> Hi,
> 
>  Yes I know what your saying ok! I didn't ask him any descent question
> but I gave a solution based on my experience. So why hell r u guy's
> coming after me and as you said in the world of IT there are lot of
> perhaps OK buddy.

Yeesh.  Look - I'm not starting to start a flamewar here.  I'm just
saying that given the little information that was given, it would be
prudent to have the OP give more before catch-all answers are given.  I
understand that your solution worked for you, but how would any of us
know that they're experiencing the same problem as you did?

Oh - and incidentally, the proper "Red Hat" way to do this (trust me on
this one - I used to work for Red Hat, have two RHCE certs, and have
been a sysadmin for over 15 years) would be to get more info before
changing out network drivers.  Replacing stock parts of the OS is the
*FASTEST* way to have RH support say "we don't support you".  Now,
knowing that this is CentOS, things don't quite work that way here.  But
the general case still applies.  Stick with stock as much as you can
until you can demonstrably prove that it's broken and put in a
workaround until the "correct" solution is found.  That's the easiest
way to get help on this list.  (And, I suspect, many others...)  Just
look at the recent discussions on CPAN (shudder) and how it can really
crap up a system based upon RPMs...

-I



Re: [CentOS] Help me

2008-08-26 Thread Ian Forde
On Tue, 2008-08-26 at 13:39 +0530, Sadaruwan Samaraweera wrote:
> Hi,
>  I think you need to get the proper device drivers not the generic
> ones that comes with the CentOS. Try updating your drivers or
> sometimes when you install a vendor driver or any other driver after a
> kernel update or a full system update you've to reinstall the drivers,
> It can recompile itself to match the new kernel. So try updating or
> getting a new driver from the vendor.

Without more information on the specific issue, the advice you just gave
regarding using vendor drivers can be extraordinarily dangerous.  I
would recommend:

1. OP giving more info (like, for example, specifics on the problem, hw
config, etc...)
2. Patching CentOS

before offering any solutions that can lead one down a painful path...
as an example, many vendors defer to the network drivers offered in the
kernel and have deprecated their own.  Nvidia, for one, comes to mind...

-I




RE: [CentOS] RH's servers breached

2008-08-26 Thread Ian Forde
On Tue, 2008-08-26 at 13:54 +1200, Tony Wicks wrote:
> >> >
> >> >So there are new packages anyway in spite of the other bits.
> >> 
> >> Hi all, have I missed something or is there a CentOS update for 5x but
> none
> >> for 4x ? I've made sure my mirror is synced and looked around at a few
> >> others but can't seem to see an update ?
> >
> >I just fired up my 4.6 and did yum update. No ssh packages, so the
> >problem is not yours.
> 
> Do any of the maintainers have a comment on the 4x SSH update availability ?
> I have a couple of SSH bastion servers that I have shut down until the
> update is out just in case so was wondering as to when it would turn up.

I wouldn't worry about it too much unless there are unrelated security
fixes.  The SSH updates are against 4.7, so it would most likely be the
case that your current 4.6-based sshd package is still pretty solid...
The issue was against the then-current sshd packages... which would have
been issued after the ones you're currently using...

-I



Re: [CentOS] apache

2008-08-26 Thread Ian Forde
On Tue, 2008-08-26 at 10:42 +0200, Ralph Angenendt wrote:
> Mad Unix wrote:
> > Am running Oracle10g on the server, I do OCI connection from php/apache to
> > my DB 10g
> > so how would you insert the values to apache...
> 
> To quote John (reading helps!):
> 
> | you would put those variable assignments in the front of /etc/init.d/httpd
> 
> Though I still don't understand why that would be needed.

I've run into this... the OCI component needs some information about
where Oracle is... my advice would be to *NOT* modify
the /etc/init.d/httpd script.  Better to put the declarations
into /etc/sysconfig/httpd.  That's what the file is there for, and if
you upgrade the Apache RPM, you don't have to worry about your startup
script mods...

-I



Re: [CentOS] Sendmail with TLS, permission problem

2008-08-12 Thread Ian Forde
On Tue, 2008-08-12 at 02:42 -0700, Ian Forde wrote:
> On Tue, 2008-08-12 at 12:38 +0300, Jussi Hirvi wrote:
> > Ralph Angenendt ([EMAIL PROTECTED]) kirjoitteli (12.8.2008 12:21):
> > >> Thanks for quick reply. That didn't help yet. The error message in 
> > >> maillog
> > >> is still the same: "sendmail.pem unsafe: Permission denied". The 
> > >> directory
> > >> perms are now: 
> > >> [EMAIL PROTECTED] mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> > >> drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> > >> drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> > >> drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
> > > >> dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > > 
> > > IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too
> > > wide still.
> > 
> > > On another machine (Fedora Core 3, Sendmail 8.13) the /etc/mail perms are
> > > 755 too, and it works - though there is no SMTP-AUTH on that machine.
> > 
> > I tried it, but the error message in maillog persists after Sendmail
> > restart. The perms are now:
> > 
> > [EMAIL PROTECTED] mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> > drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> > drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> > > drwx------  5 root root  4096 Aug 12 12:37 /etc/mail
> > > dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > > [EMAIL PROTECTED] mail]# ls -l /etc/mail/certs/
> > > total 1924
> > > -rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
> > > -rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
> > > -rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
> > > -rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
> > 
> > I cannot help thinking that this is *not* actually about the permissions -
> > it must be about something else.
> 
> In addition to doing 'chmod u-w sendmail.pem', change the ownership to
> root:root on all of those files... sendmail drops privs down to smmsp by
> default...

and change the ownership on the certs dir to root:root while you're
there... you're okay with 755 perms on /etc/mail, as long as it's
root:root.  Basically, stick with the stock permissions and you should
be fine...

-I
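
The ownership and mode advice in this thread can be checked mechanically.
The following is an added example, not part of any post here: a shell
function that walks from the key file up to a chosen top directory and flags
a wrong owner, a group- or world-writable component, or a group- or
world-readable key. The three rules and the function name are assumptions
modelled on the replies, not sendmail's own file-safety code; GNU stat and
readlink are required.

```shell
#!/bin/sh
# Added example: audit the directory chain and key file used for sendmail TLS.
# Rules (assumptions taken from the advice in the thread):
#   1. every path component is owned by the expected uid (default 0 = root)
#   2. no component is group- or world-writable
#   3. the key file itself is not group- or world-readable

# audit_cert_path KEYFILE [TOPDIR] [UID]
# Walks from KEYFILE up to TOPDIR (default /), prints one line per finding,
# returns 0 when nothing was flagged and 1 otherwise.
audit_cert_path() (
    key=$(readlink -f -- "$1") || exit 1
    top=$(readlink -f -- "${2:-/}") || exit 1
    want_uid=${3:-0}
    findings=0

    if [ ! -f "$key" ]; then
        echo "MISSING $1 is not a regular file"
        exit 1
    fi

    path=$key
    while :; do
        uid=$(stat -c '%u' -- "$path")
        mode=$(stat -c '%a' -- "$path")     # octal digits, e.g. 755

        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $path uid=$uid expected=$want_uid"
            findings=$((findings + 1))
        fi
        # 022 = write bit for group and for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITE $path mode=$mode"
            findings=$((findings + 1))
        fi
        # 044 = read bit for group and for others; only checked on the key
        if [ "$path" = "$key" ] && [ $(( 0$mode & 044 )) -ne 0 ]; then
            echo "READ $path mode=$mode"
            findings=$((findings + 1))
        fi

        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname -- "$path")
    done

    [ "$findings" -eq 0 ]
)

# Constructed demo: a throwaway tree standing in for /etc/mail/certs.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/mail/certs"
    : > "$d/mail/certs/sendmail.pem"
    chmod 755 "$d" "$d/mail"
    chmod 700 "$d/mail/certs"
    chmod 400 "$d/mail/certs/sendmail.pem"
    me=$(id -u)

    echo "== owner as expected"
    audit_cert_path "$d/mail/certs/sendmail.pem" "$d" "$me" && echo "clean"

    echo "== owner differs from the expected uid (the mail:mail vs root case)"
    audit_cert_path "$d/mail/certs/sendmail.pem" "$d" "$((me + 1))" || echo "flagged"

    rm -rf "$d"
}
demo
```

On the host from the thread, "audit_cert_path /etc/mail/certs/sendmail.pem
/etc/mail" would report the certs directory and sendmail.pem as OWNER
findings, since the listing shows them owned by mail rather than root.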



Re: [CentOS] Sendmail with TLS, permission problem

2008-08-12 Thread Ian Forde
On Tue, 2008-08-12 at 12:38 +0300, Jussi Hirvi wrote:
> Ralph Angenendt ([EMAIL PROTECTED]) kirjoitteli (12.8.2008 12:21):
> >> Thanks for quick reply. That didn't help yet. The error message in maillog
> >> is still the same: "sendmail.pem unsafe: Permission denied". The directory
> >> perms are now: 
> >> [EMAIL PROTECTED] mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> >> drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> >> drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> >> drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
> >> dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > 
> > IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too
> > wide still.
> 
> On another machine (Fedora Core 3, Sendmail 8.13) the /etc/mail perms are
> 755 too, and it works - though there is no SMTP-AUTH on that machine.
> 
> I tried it, but the error message in maillog persists after Sendmail
> restart. The perms are now:
> 
> [EMAIL PROTECTED] mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> drwx------  5 root root  4096 Aug 12 12:37 /etc/mail
> dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> [EMAIL PROTECTED] mail]# ls -l /etc/mail/certs/
> total 1924
> -rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
> -rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
> -rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
> -rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem
> 
> I cannot help thinking that this is *not* actually about the permissions -
> it must be about something else.

In addition to doing 'chmod u-w sendmail.pem', change the ownership to
root:root on all of those files... sendmail drops privs down to smmsp by
default...

-I



Re: [CentOS] Sendmail with TLS, permission problem

2008-08-12 Thread Ian Forde
On Tue, 2008-08-12 at 11:21 +0200, Ralph Angenendt wrote:
> Jussi Hirvi wrote:
> > Ralph Angenendt ([EMAIL PROTECTED]) kirjoitteli (12.8.2008 11:24):
> > >> dr-xr-xr-x  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> > > ^^^
> > > 
> > > Even allowing group to read there and enter there might be too much.
> > 
> > Thanks for quick reply. That didn't help yet. The error message in maillog
> > is still the same: "sendmail.pem unsafe: Permission denied". The directory
> > perms are now: 
> > [EMAIL PROTECTED] mail]# ls -ld / /etc /etc/mail /etc/mail/certs
> > drwxr-xr-x 24 root root  4096 Mar 29  2007 /
> > drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
> > drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
> > dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> 
> IIRC sendmail checks from /etc/mail downwards, so /etc/mail is open too

do 'chmod u-w /etc/mail/certs/sendmail.pem' and see if it works... my
certs are in /etc/pki/tls/certs with perms set to 755 on the dirs on the
way down and everything works fine...

-I



Re: [CentOS] Re: SIGPIPE in assorted apps after "yum update"

2008-07-07 Thread Ian Forde
On Mon, 2008-07-07 at 07:07 -0600, John Hanks wrote:
> Paul Bijnens pointed out that Ian Forde had similar issues with dhcpd
> minutes before I posted my message. I missed that one as I scanned the
> archives, then joined the list to ask my question. My problem is also
> solved by removing ldap from the services line in /etc/nsswitch, in
> every app that was previously failing with the SIGPIPE errors. I'm
> still curious to understand why, but more so I'm grateful to have a
> fix for it. Should have joined the list a long time ago :)

Nah - 20 minutes sooner would have done it!  I joined the list to get an
answer too! ;)

-I



[CentOS] ANSWER: Couple of CentOS 5.2 dhcp notes

2008-07-06 Thread Ian Forde
On Sun, 2008-07-06 at 15:57 -0700, Ian Forde wrote:
> 1. Apparently, since I updated from 5.1 to 5.2, dhcpd no longer wants to
> stay running.  The config is sound, and I can start it from the
> command-line with the "-d" flag and it serves up leases.  But without
> the -d flag, it just silently dies...

Well, *that* sucked.  I had to start the daemon with a '-p 67' option to
get it to stick.  So I stuck that into /etc/sysconfig/dhcpd as:

DHCPDARGS="-p 67"

and it started.  Which led me down the "strace with and without the -p
option and compare the output" path...

Turns out that without the -p option, it looks up the port number to
use.  nsswitch.conf in my case had "services: files ldap", which caused
it to fail.  I changed it to "services: files" and it worked.  What
kills me is that dhcpd died silently... and I have absolutely no desire
to put services into my ldap directory...

So I've taken out the -p argument, and all is well...

Thanks for the assist though!

-I
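
The failure described in this post came down to the "services:" line in nsswitch.conf. As an added example (not part of the original post), the script below lists the sources configured for each NSS database and flags the ones that are not local. The function names, the sample file, and the choice of files/compat/db as the "local" sources are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report which NSS sources a lookup such
# as getservbyname() will consult for one database, and which are not local.

# nss_sources FILE DATABASE: print the configured sources in lookup order.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) {            # action spec, e.g. [NOTFOUND=return]
                    while (i < NF && $i !~ /\]$/) i++
                    continue
                }
                print $i
            }
        }' "$1"
}

# nss_nonlocal FILE DATABASE: print sources that leave the local machine.
# Treating files, compat and db as the local ones is this example's assumption.
nss_nonlocal() {
    nss_sources "$1" "$2" | grep -v -x -E 'files|compat|db' || true
}

# Constructed sample mirroring the configuration described in the post.
sample_nsswitch() {
    cat <<'EOF'
# constructed sample, not a real host's file
passwd:     files ldap
hosts:      files dns
services:   files ldap   # the line that was changed to "files" in the post
netgroup:   files [NOTFOUND=return] ldap
EOF
}

conf=$(mktemp)
sample_nsswitch > "$conf"
for db in passwd hosts services netgroup; do
    remote=$(nss_nonlocal "$conf" "$db" | tr '\n' ' ')
    printf '%-10s non-local sources: %s\n' "$db" "${remote:-none}"
done
rm -f "$conf"
```

Pointing the functions at /etc/nsswitch.conf instead of the sample shows which lookups on a host depend on a directory service being reachable.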



Re: [CentOS] Getting something into centosplus for 5.2?

2008-07-06 Thread Ian Forde
On Sun, 2008-07-06 at 19:39 -0400, S.Tindall wrote:
> Seems like it would be simpler to get an adapter that works with
> the current/native pl2303 driver.

Yeah... but mine works - with some extra work... didn't want to buy this
type of device twice but...

> For the purpose of serial consoles, these two adapters work for 
> me under pl2303 without any problems using current/past CentOS5 
> kernels:
> 
> Tripp-Lite U209-000-R:
>   http://www.tripplite.com/products/product.cfm?productID=2430

Just ordered one online, just in case.  Thanks!

-I



Re: [CentOS] Getting something into centosplus for 5.2?

2008-07-06 Thread Ian Forde
On Mon, 2008-07-07 at 00:54 +0100, Karanbir Singh wrote:
> Ian Forde wrote:
> > I figure that this is the kind of situation that -plus is meant to
> > solve... 
> 
> open a request at http://bugs.centos.org/ - that's the *only* way to get
> stuff into centos_plus, and if there is a patch or a proposed src.rpm
> for new pkgs, things go faster.

Thanks!  Okay - it's done - ticket number is 2954
(http://bugs.centos.org/view.php?id=2954)

-I



Re: [CentOS] Couple of CentOS 5.2 dhcp notes

2008-07-06 Thread Ian Forde
On Sun, 2008-07-06 at 19:34 -0400, Marko A. Jennings wrote:
> On Sun, July 6, 2008 6:57 pm, Ian Forde wrote:
> > 1. Apparently, since I updated from 5.1 to 5.2, dhcpd no longer wants to
> > stay running.  The config is sound, and I can start it from the
> > command-line with the "-d" flag and it serves up leases.  But without
> > the -d flag, it just silently dies...
> 
> What exit code does it return when you execute it from the command line
> without the "-d" flag?

0

In fact, here's the output... (IP, hostname, and Mac info changed...)

[EMAIL PROTECTED] etc]# dhcpd
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:00:de:ad:be:ef/10.0.0/24
Sending on   LPF/eth0/00:00:de:ad:be:ef/10.0.0/24
Sending on   Socket/fallback/fallback-net
[EMAIL PROTECTED] etc]# echo $?
0
[EMAIL PROTECTED] etc]# !ps
ps -ef | grep dhcpd
root     15058 11173  0 16:36 pts/0    00:00:00 grep dhcpd
[EMAIL PROTECTED] etc]# 

-I



Re: [CentOS] Couple of CentOS 5.2 dhcp notes

2008-07-06 Thread Ian Forde
On Sun, 2008-07-06 at 19:12 -0400, Marko A. Jennings wrote:
> On Sun, July 6, 2008 6:57 pm, Ian Forde wrote:
> > 1. Apparently, since I updated from 5.1 to 5.2, dhcpd no longer wants to
> > stay running.  The config is sound, and I can start it from the
> > command-line with the "-d" flag and it serves up leases.  But without
> > the -d flag, it just silently dies...
> 
> Mine has been working without any problems before and after the 5.2
> update.  You might want to consider posting your configuration file.

Well, I stripped it down as much as I could - same problem exists... (IP
addresses and domain name changed, of course...)

ddns-update-style none;
ignore client-updates;

subnet 10.0.0.0 netmask 255.255.255.0 {
    range dynamic-bootp 10.0.0.101 10.0.0.200;
    default-lease-time 86400;
    max-lease-time 604800;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.75, 10.0.0.76;
    option domain-name "mydomain.com";
}

But like I was saying before, if it were a config problem, it wouldn't
have been able to start on the command-line in non-daemon mode.  Same
problem when I downloaded it from www.isc.org (3.0.7) and rolled a
source build.  So there's definitely something strange (or obvious that
I'm missing) going on...

-I



Re: [CentOS] Getting something into centosplus for 5.2?

2008-07-06 Thread Ian Forde
On Sun, 2008-07-06 at 15:57 -0700, Ray Van Dolson wrote:
> I won't speak on the -plus topic, but as far as upstream is concerned,
> you definitely need to open an RFE SR if you're a paying customer...
> probably won't be super speedy, but better than your bug sitting around
> forever ignored. :)

Heh - I figured 5 months was long enough, even though there are bugs
that have languished for years in upstream's bugzilla... But yes - for
it to get any traction, I would need to be a paying customer... that's
why I figured I'd try their route first, then plus... failing that, I'd
have to look at getting a kmod rpm for pl2303 into either plus or
atrpms...

(FWIW, it wasn't easy getting stuff into upstream when I worked for them
either... it takes time...)

-I


