Re: [CentOS] NIC naming conventions and vmware

2018-03-07 Thread Diego Chacón
Hi,

Are the older ones running CentOS 7?

All machines are in the same vmware host?

It is not your case, but this is interesting:
https://access.redhat.com/solutions/2592561

On Wed, Mar 7, 2018 at 2:31 PM, John Ratliff  wrote:

> I have a couple of CentOS 7 machines running in a vmware environment. On
> all the older ones I've deployed, the NIC is named ens160, but on all of
> the new ones, it is named ens192. I can't find any difference in the
> hardware that would account for this.
>
> Any suggestions on what I can do to figure out why some are named ens160
> and some ens192?
>
> Thanks.



-- 
Diego Chacón Rojas
E-mail: di...@gridshield.net
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


[CentOS] An SELinux issue

2018-03-07 Thread m . roth
CentOS 7.4

From sealert:
SELinux is preventing /usr/sbin/sshd from read access on the file
/etc/ssh/moduli.

*  Plugin restorecon (94.8 confidence) suggests  


If you want to fix the label.
/etc/ssh/moduli default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/ssh/moduli
<...>
Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /etc/ssh/moduli [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
-

Except:
ls -laFZ /etc/ssh/moduli
-rw-r--r--. root root system:object_r:etc_t:s0 /etc/ssh/moduli

ls -laFZ /usr/sbin/sshd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd*

And I even restarted sshd. So, what's selinux seeing that I'm not?


  mark

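Editor's added example (shell; not code from the thread above). sealert and ausearch report the target's label and inode as they were when the AVC was recorded, while ls -Z shows the file as it is now. If /etc/ssh/moduli was relabelled or rewritten after the denial (a package update or an editor that writes a new file both give the path a new inode), the cached alert and the current listing will disagree and restorecon will not change anything. The functions below pull tcontext= and ino= out of a raw record from `ausearch -m avc -ts recent` and compare them with stat(1)'s view of the file. The sample record in the comments is constructed for illustration (pid, timestamp and inode are made up).

```shell
#!/bin/sh
# Compare an AVC denial record with the file as it is right now.
# Added example, not from the thread. An AVC record carries the target's label
# (tcontext=) and inode (ino=) at the moment of the denial; sealert replays such
# records, so if the file was relabelled or replaced afterwards its advice and
# "ls -Z" disagree. Raw records:  ausearch -m avc -ts recent
# Constructed sample record (pid, timestamp and inode are made up):
#   type=AVC msg=audit(1520440000.123:4567): avc:  denied  { read } for  pid=1234
#   comm="sshd" name="moduli" dev="dm-0" ino=67890
#   scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the type field (user:role:type:range -> type)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_avc RECORD CURRENT_CONTEXT CURRENT_INODE -> stale | relabelled | live (with reason)
explain_avc() {
    then_ctx=$(avc_field "$1" tcontext)
    then_ino=$(avc_field "$1" ino)
    then_type=$(context_type "$then_ctx")
    now_type=$(context_type "$2")
    if [ "$then_ino" != "$3" ]; then
        echo "stale: denial hit inode $then_ino, the path is now inode $3 (file replaced); re-test before trusting the alert"
    elif [ "$then_type" != "$now_type" ]; then
        echo "relabelled: denial saw $then_type, file is now $now_type; re-test, the cached alert no longer applies"
    else
        echo "live: file is still $now_type and the denial stands; compare with matchpathcon, restorecon only helps if that differs"
    fi
}

# explain_avc_for_file RECORD PATH: current label and inode from stat(1)
# (stat -c %C prints the SELinux context, %i the inode number)
explain_avc_for_file() {
    explain_avc "$1" "$(stat -c %C "$2")" "$(stat -c %i "$2")"
}

if [ $# -eq 2 ]; then
    explain_avc_for_file "$1" "$2"
fi
```

Usage on a live box is `sh avc_check.sh "$(ausearch -m avc -ts recent | grep 'name="moduli"' | tail -1)" /etc/ssh/moduli`. A "live" result with a label that already matches `matchpathcon /etc/ssh/moduli` means the label is not the problem and the answer is in policy (check `sesearch` or the relevant boolean), whereas "stale" or "relabelled" means the alert describes a file that no longer exists in that form and the denial should be reproduced before acting on it.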


Re: [CentOS] NIC naming conventions and vmware

2018-03-07 Thread Clint Dilks
On Thu, Mar 8, 2018 at 9:31 AM, John Ratliff  wrote:

> I have a couple of CentOS 7 machines running in a vmware environment. On
> all the older ones I've deployed, the NIC is named ens160, but on all of
> the new ones, it is named ens192. I can't find any difference in the
> hardware that would account for this.
>
> Any suggestions on what I can do to figure out why some are named ens160
> and some ens192?
>
>
Hi John,

This may not be helpful, but I can confirm that you should be getting
consistent naming.
Normally I actually get something like eno16777984, but I have a couple of
systems that get named in the way that you mention. When this happens I
normally see ens160 as the first NIC and ens192 if a second is defined.
I haven't dug too deeply into this, but I would suggest that you look at the
udev rules that are defined in /etc/udev/rules.d/ and see if this explains
what is happening. You may also want to check that the VMware Hardware
version is what you expect.


Re: [CentOS] kpartx can not detach

2018-03-07 Thread Jim Perrin


On 03/07/2018 04:48 AM, Leon Fauster wrote:
> OS: EL6 - sometimes I use 
> 
> kpartx -a /mnt/.../lvdisk.img 
> 
> to map the partitions and mount them via 
> 
> /dev/mapper/loop0pX
> 
> After using the disk (unmounting it) I noticed that 
> detaching such mapping via kpartx -d does not result 
> in freeing up the loop devices. Results: System reboots 
> shows that the filesystem where lvdisk.img is located 
> can't be unmounted. 
> 
> lsof, fuser, ps does not show any usage. Even removing the 
> device node via 
> 
> dmsetup remove /dev/mapper/loop0pX
> 
> does not help. Trying to unmount the underlying filesystem 
> still shows /mnt: device is busy.
> 
> Any other suggestions would be greatly appreciated!


Do you have an open shell/terminal session hanging out in the /mnt
directory you used?


-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
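Editor's added example (shell; not code from the thread). Jim's question is the usual answer, and the function below makes that check mechanical for a given mountpoint: it reads /proc/<pid>/{cwd,root,exe} and /proc/<pid>/fd/* for every process, and then reports the holder that lsof and fuser never show because it is not an open file of any process: a loop device still backed by a file below the mountpoint, which is exactly what a `kpartx -a` mapping leaves behind when the teardown does not complete. Run it as root to see other users' processes. The losetup and dmsetup steps are guarded so the function still works where those tools are absent.

```shell
#!/bin/sh
# mount_holders MOUNTPOINT: list what still pins a filesystem when umount says
# "device is busy". Added example, not from the thread. It checks the things
# that are easy to forget: a process whose cwd, root or exe is below the
# mountpoint (the "open shell in /mnt" case), open file descriptors below it,
# and loop devices whose backing file lives there (a "kpartx -a" mapping that
# was never fully torn down). Loop devices are not open files of any process,
# so lsof and fuser do not list them; losetup does.
mount_holders() {
    mnt=$(cd "$1" 2>/dev/null && pwd -P) || return 1   # absolute, symlinks resolved
    for pdir in /proc/[0-9]*; do
        pid=${pdir#/proc/}
        for link in cwd root exe; do
            tgt=$(readlink "$pdir/$link" 2>/dev/null) || continue
            case $tgt in
                "$mnt"|"$mnt"/*) echo "pid=$pid $link=$tgt" ;;
            esac
        done
        for fd in "$pdir"/fd/*; do
            tgt=$(readlink "$fd" 2>/dev/null) || continue
            case $tgt in
                "$mnt"|"$mnt"/*) echo "pid=$pid fd=${fd##*/} $tgt" ;;
            esac
        done
    done
    # Loop devices backed by a file below the mountpoint; detach with "losetup -d".
    if command -v losetup >/dev/null 2>&1; then
        losetup -a 2>/dev/null | while IFS= read -r line; do
            case $line in
                *"($mnt/"*) echo "loop: $line" ;;
            esac
        done
    fi
    # Device-mapper tables (kpartx's loopNpX) that still reference a loop
    # device: loop devices have major number 7, so look for " 7:<minor> ".
    if command -v dmsetup >/dev/null 2>&1; then
        dmsetup table 2>/dev/null | grep -E ' 7:[0-9]+ ' | sed 's/^/dm: /'
    fi
    return 0
}

if [ $# -eq 1 ]; then
    mount_holders "$1"
fi
```

The teardown order for the kpartx case is the reverse of the setup: unmount the partitions, `kpartx -d` the image, then `losetup -a` to confirm the loop device is gone and `losetup -d /dev/loopN` if it is not; only after that will the filesystem holding lvdisk.img unmount.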


[CentOS] NIC naming conventions and vmware

2018-03-07 Thread John Ratliff
I have a couple of CentOS 7 machines running in a vmware environment. On 
all the older ones I've deployed, the NIC is named ens160, but on all of 
the new ones, it is named ens192. I can't find any difference in the 
hardware that would account for this.


Any suggestions on what I can do to figure out why some are named ens160 
and some ens192?


Thanks.


Re: [CentOS] NIC naming conventions and vmware

2018-03-07 Thread Joseph L. Casale
-Original Message-
From: CentOS  On Behalf Of John Ratliff
Sent: Wednesday, March 7, 2018 1:31 PM
To: CentOS 
Subject: [CentOS] NIC naming conventions and vmware
 
> I have a couple of CentOS 7 machines running in a vmware environment. On
> all the older ones I've deployed, the NIC is named ens160, but on all of
> the new ones, it is named ens192. I can't find any difference in the
> hardware that would account for this.
> 
> Any suggestions on what I can do to figure out why some are named ens160
> and some ens192?

The difference comes from the virtual machine host operating
system definition and the virtual network adapter type selected
where the first choice constrains the available options for the second.
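Editor's added example (shell; not code from the thread), putting Joseph's explanation in terms the guest can verify. On CentOS 7 the "ens" names come from udev's net_id builtin: it matches the NIC's PCI bus address against the hotplug slots under /sys/bus/pci/slots and uses the slot number, so ens160 and ens192 simply mean the virtual NIC sits in slot 160 or slot 192 of the VM's virtual PCI topology, which the hypervisor lays out from the guest OS type and the adapter type. The function below is a simplified re-implementation (the real builtin also handles onboard indexes, multi-function devices and the path-based fallback) that accepts an optional root prefix so it can be exercised against a constructed sysfs tree; the slot numbers and PCI addresses in the comments and test are constructed. udev's own answer is `udevadm info -q property -p /sys/class/net/ens192 | grep '^ID_NET_NAME'`, and `cat /sys/bus/pci/slots/*/address` shows the slot table it consulted.

```shell
#!/bin/sh
# pci_slot_name IFNAME [SYSROOT]: derive the predictable "ensN" name udev gives a
# PCI NIC. Added example, not from the thread, and simplified from what the
# net_id builtin in systemd/udev does on CentOS 7: it takes the NIC's PCI address
# from /sys/class/net/<if>/device, finds the hotplug slot under
# /sys/bus/pci/slots/ whose "address" file matches the bus address, and names the
# interface ens<slot> (ens<slot>f<function> for a non-zero PCI function).
# ens160 and ens192 therefore differ only in which virtual PCI slot the
# hypervisor put the NIC in. SYSROOT is an optional prefix so the logic can be
# run against a constructed sysfs tree; on a real system leave it empty.
pci_slot_name() {
    ifname=$1
    root=${2:-}
    devpath=$(readlink -f "$root/sys/class/net/$ifname/device") || return 1
    pciaddr=${devpath##*/}       # e.g. 0000:03:00.0
    busaddr=${pciaddr%.*}        # 0000:03:00 (what the slot's address file holds)
    func=${pciaddr##*.}          # 0
    for slotdir in "$root"/sys/bus/pci/slots/*/; do
        [ -r "$slotdir/address" ] || continue
        IFS= read -r addr < "$slotdir/address"
        [ "$addr" = "$busaddr" ] || continue
        slot=$(basename "$slotdir")
        if [ "$func" = 0 ]; then
            echo "ens$slot"
        else
            echo "ens${slot}f$func"
        fi
        return 0
    done
    return 1                     # no slot: udev falls back to the path name (enp<bus>s<dev>)
}

if [ $# -ge 1 ]; then
    pci_slot_name "$@"
fi
```

If the name has to be identical across both generations of VMs, the RHEL 7 answer is not to fight the slot number but to pin the name by MAC with a rule in /etc/udev/rules.d/ (ATTR{address} matched to NAME=), or to key the ifcfg file on HWADDR rather than on the device name.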


Re: [CentOS] RADIUS

2018-03-07 Thread Steven Tardy
On Wed, Mar 7, 2018 at 11:57 AM hw  wrote:

> Apparently Cisco can do it:
>
>
> https://www.cisco.com/c/en/us/products/collateral/wireless/wireless-location-appliance/product_data_sheet0900aecd80293728.html


I was going to mention Cisco WCS which uses wireless “controllers” and
“lightweight” access points, but seems you’ve found it. Personally used
Cisco WCS a decade ago . . . being able to give law enforcement a detailed
map of a building (from autocad file) with a potential stolen wireless
device triangulated within 5 feet is pretty impressive.

Don’t know if this can handle all of your other/security/guest requirements
but can 100% handle physical location.



Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-07 Thread Nicolas Kovacs
On 06/03/2018 at 18:48, hw wrote:
> And how do you get a list of IPs from which data could be retrieved
> which the students are not supposed to see?
> 
> How is this done anyway, does the government give out a list of URLs
> or IPs which you are required to block?  If not, what if you overlook
> something?

Here's some information.

https://dsi.ut-capitole.fr/documentations/cache/squidguard_en.html

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] RADIUS

2018-03-07 Thread hw

Gordon Messmer wrote:

On 03/01/2018 09:26 AM, hw wrote:

I was asking for documentation telling me how RADIUS can be used, not only
that it can be used.


RADIUS is a backend component of 802.1x and WPA2 Enterprise.  You appear to be 
looking for information on how to use those two.  If you look for documentation 
on those, you should be able to find what you're looking for.


ok


The task is to provide wireless coverage for employees and customers on
company premises.  It is desirable to be able to keep track of customers,
as in knowing where exactly on the premises they currently are (within
like 3--5 feet, which is apparently tough), and simpler things like knowing
how long they stay and if they have been on the premises before.


You probably want to capture the WAP logs.  Their location will be best 
correlated with the specific WAP they connect to, assuming you have multiple.  
The client MAC address will be your best indication of whether or not they've 
been there before.


The location of customers would remain a problem because they could be
anywhere within a radius of about 100m around an access point they are
connected to.

Employees could use a program on their phones to help locating them, but
I have no idea how to program a phone.  It's not like you could find
good documentation about that ...


Re: [CentOS] RADIUS

2018-03-07 Thread hw

Gordon Messmer wrote:

On 03/01/2018 03:06 AM, hw wrote:



It is illogical to lump all network access together into a single category.

...

If your device can communicate with a switch, even for the purpose of 
authenticating, then it has network access.


The device has access to the switch which, depending on what answer to an
authentication request it gets from a RADIUS server, decides if and how it
lets the device access the network.


You're still lumping networks into a single category.

Not "the" network, but "a" network.


There is only one network here.


Unauthenticated clients are, by definition connected to A network consisting of 
the device and the switch.  They might also be connected to a network 
consisting of the device, a switch, and a TFTP server that provides the boot 
image to the client.  And since there is nothing else on that network, other 
than a read-only TFTP server that your devices require in order to boot, it's 
difficult to understand why you think there is a security risk here.


Let me quote:


"the RADIUS protocol serves three primary functions:

• Authenticates users or devices before allowing them access to a network"[1]


Why would I give access to a network consisting of an unauthorized device,
a switch and a TFTP server to such device and thereby possibly to an attacker?
Can you guarantee that there is no way for an attacker who can have such a
network connection will not find a way to proceed with an attack?  They can
bring a device that does not PXE boot and is equipped with everything they
might need to perform their attack.

When the only things the devices of attackers can communicate with are switches
or wireless access points which do not give them access to a network (other than
the devices and the switches or access points themselves), it is likely to be more
difficult to perform a successful attack than it is when they get access to a wider
network, like one that involves a server.

[1]: http://networkradius.com/doc/FreeRADIUS%20Technical%20Guide.pdf




Security is the process of restricting access to a resource to only the devices and 
persons that require it.  If your devices require a boot image before they can 
authenticate, then restricting their access to that resource can no longer be described 
as "security."


That's kinda what I said.




Where do your hypothetical customers in a store get the user credentials that 
you want to authenticate via RADIUS?


They might get it from employees of the store or read it from signs
inside the store, perhaps depending on what kind of access rights they
are supposed to have.


If you're sharing passwords, then you don't need RADIUS.  Set up separate SSIDs 
that are attached to VLANs with appropriate access levels, and continue using 
WPA2 Personal.  Using RADIUS will be no more secure than that.  It's not magic.


Right, but what about keeping track of customers?  Apparently RADIUS has some
accounting features, and it might be an advantage to use those.


It does, but you will get exactly the same information using WPA2 Personal that you will 
from WPA2 Enterprise and RADIUS.  "A client connected to the WAP at such and such 
time.  It disconnected at such and such time."


It might be possible to find out how much data was transferred with accounting.



If you're sharing passwords, RADIUS is the most complex way to get the 
information.  You can get the same info by simply logging WAP events to a log 
server.


Yes, it's very simple to use the same password on all phones of employees and no
password on the wireless for customers.  Logging the events might be enough
then.

Somehow that doesn't feel like it is a good solution, but I don't know.


Re: [CentOS] RADIUS

2018-03-07 Thread hw

Stephen John Smoogen wrote:

On 2 March 2018 at 12:07, hw  wrote:



Oh yeah. Who ever gave you those marching orders needs to talk with
all kinds of lawyers... even researching for it might be problematic
in some countries due to a multitude of laws. You are walking out of
setting up a wireless environment into full-scale surveillance.



That's not my problem to solve, but think about it:  You can get a lot more
information using CCTV cameras, and those are everywhere.  Unfortunately,
nobody cares, and it's not like you have a choice.  So why would there
be any legal issues?



1) Devices which emit radio frequency wavelength radiation are covered
by different laws and agencies than those which emit light based
radiation. This means that the agency that says you can put in a cctv
may not be the same as the one that allows you to put in a RF sensor.
2) There are laws about where monitoring of the public can happen and
where the monitoring devices can be placed and what information can be
kept on them. These are covered by everything from local to EU laws.
The laws can also be conflicting and need careful consideration.


Ok, those are considerations for the lawyers.  If they can't figure out
that it can be much worse filming someone who doesn't even have a choice
about being filmed than it can be to use wireless access points to
determine the whereabouts of someone who has a choice to either use the
access points or not, someone needs to do something about those lawyers.


3) Depending on the location this occurs, it is your problem to bring
up if you are aware that it could be a problem. The "I was only
following orders" defense has been thrown out for people and the
engineers/custodians who put the stuff in were found liable for
damages as much as the boss who said to do it.


Prove that I was aware of something and aware that I should bring it up
and that I then didn't bring it up.

If someone made a law saying that nobody can say anymore that they were
only doing what they were supposed to do, I'd like to know where to find
this law.  I would also like to know how that law is enforced.

"Following orders" has apparently been a problem with the Nazis a long
time ago, and when the law suits after WW2 were performed, claiming that
one of the intentions was to show how following orders may not always
be the right thing to do and that people might be punished for doing so,
the outcome was a total failure because nothing has changed.  There are
still people making decisions without being held responsible for what
they are doing, and other people who carry them out, also without being
held responsible for what they are doing, and since they control all the
powers that are, what they are doing crushes anything and anyone that or
who might get into their way, and these people don't care and don't even
blink when they harm millions.  This is called democracy, and no one is
responsible because it isn't called "following orders" anymore.  The same
principles that did a great deal to make it possible to murder so many
people a long time ago are entirely unbroken and still in effect, and
thanks to advances in technology, nowadays the means at their disposal are
ridiculously more powerful than they were.

Unfortunately, we aren't told this, and I'm afraid almost no one
understands this.  You can imagine why we aren't told.  What I don't
understand is why they didn't change anything back then.  Perhaps they
didn't understand what the real danger is and where it comes from.

Now tell me: Who am I to question the orders and what power could I
possibly have to refuse them without it being to my disadvantage?

> [...]


I'm surprised that wireless access point controllers, by default, do not
use the strength of the signal received from a device by three or more
access points to simply triangulate the position of the device.  Of course, you
only get the positions of devices relative to access points, but once you
have that, you only need to use a map of the place that shows all the access
points and the positions of devices relative to them to figure out where
everyone is.

That's a rather simple thing to do, isn't it?  Some documentation of HPs
MSRs stated that the controller can distribute the wireless devices between
access points to even out the bandwidth, and if it can do that, it could as well
distribute them for triangulation.



It isn't. Wireless is much noisier and uses longer wavelengths than
light. It is like walking through a hall of mirrors with sunglasses
on. You are only able to see certain things, lots of things reflect,
everything within sensor range which is broadcasting is showing up
even if it is a different SSID, and a ton of other items. This means
that where you might only need 2 sensors for light, you need dozens to
hundreds for radio waves. However the more sensors you have, they also
may reflect, rebroadcast, dampen, ghost echo signals. Then you have
the fact that RF is absorbed 

Re: [CentOS] RADIUS

2018-03-07 Thread hw

Pete Biggs wrote:



That's not my problem to solve, but think about it:  You can get a lot more
information using CCTV cameras, and those are everywhere.  Unfortunately,
nobody cares, and it's not like you have a choice.  So why would there
be any legal issues?


It's called "A Law". Different places have different laws. Different
places have different attitudes towards being lawful.



I'm surprised that wireless access point controllers, by default, do not
use the strength of the signal received from a device by three or more access
points to simply triangulate the position of the device.  Of course, you
only get the positions of devices relative to access points, but once you
have that, you only need to use a map of the place that shows all the access
points and the positions of devices relative to them to figure out where
everyone is.


I'm surprised you didn't find anything about this on Google - you did
try Google didn't you?

http://bfy.tw/GtiP


You've cheated by using different search terms than I did ...


top hit

   https://www.accuware.com/


They use video or bluetooth, not wireless.


or this paper

   https://www.technologyreview.com/s/542561/wi-fi-trick-gives-devices-super-accurate-indoor-location-fixes/


They are doing it the other way round by having the device use the signal
strengths of access points to triangulate its own position by using
specialized hard- and software to solve accuracy problems.

Anyway, these are both interesting references.


OK. I know I said before it was basically impossible - but I hadn't
googled for it then. It just goes to show that asking CentOS admins
about cutting edge WiFi issues is not going to get you very far.


Well, we asked someone who might know how to do it and they never responded,
so asking people who don't know gets you even farther than asking people
who do.


[CentOS] kpartx can not detach

2018-03-07 Thread Leon Fauster
OS: EL6 - sometimes I use 

kpartx -a /mnt/.../lvdisk.img 

to map the partitions and mount them via 

/dev/mapper/loop0pX

After using the disk (unmounting it) I noticed that 
detaching such mapping via kpartx -d does not result 
in freeing up the loop devices. Results: System reboots 
shows that the filesystem where lvdisk.img is located 
can't be unmounted. 

lsof, fuser, ps does not show any usage. Even removing the 
device node via 

dmsetup remove /dev/mapper/loop0pX

does not help. Trying to unmount the underlying filesystem 
still shows /mnt: device is busy.

Any other suggestions would be greatly appreciated!



--
Thanks
LF


Re: [CentOS] latest skype (version 8.16.0.4) on Centos 7

2018-03-07 Thread wwp
Hello Fred,


On Mon, 5 Mar 2018 13:53:16 -0500 Fred Smith  
wrote:

> Hi all!
> 
> I've finally been reduced to having to install Skype on my Linux box.
> I resisted for years, but now ended up trying it.
> 
> and while the latest RPM installs just fine, it refuses to acknowledge
> that I have a microphone!
> 
> In fact I have two: 1 in the USB web cam (it finds the cam), the second
> in a Plantronics USB headset, which works fine but not with skype.
> it is as if it doesn't exist.
> 
> So, when I connect to someone I can hear them, see them, and they can
> see me, but I'm producing no sound output.
> 
> All the web hits I can find for nonfunctional microphone on the web
> are for Ubuntu. GAH!
> 
> running ldd against the skypeforlinux binary results in a huge list
> of shared libraries, including libasound (which is what the ubuntu
> messages say is missing).
> 
> Anybody got a clue?

BTW, there's a package update (8.17.0.2-1), maybe try it?


Regards,

-- 
wwp


Re: [CentOS] RADIUS

2018-03-07 Thread hw

Pete Biggs wrote:



What do you want?


I was asking for documentation telling me how RADIUS can be used, not only
that it can be used.


RADIUS is just an authentication (plus a bit more) protocol - what you
are asking is like asking how LDAP can be used. Usually it's treated
like a magic black box by applications in that one of the configuration
options is to "use a RADIUS server" and then you just configure the
necessary information in the client so it talks to the correct box. The
reason RADIUS is used rather than some other authentication protocol is
that it is designed to be used in a network authentication role.

Rather than focussing on the RADIUS aspect, you would probably be
better looking at the configuration and technology around how you want
the network to operate. The way the RADIUS server is used will be
obvious once you've sorted that out.


When I figure out how the network is supposed to operate, RADIUS might not
be needed, and useful functionality it could provide would not exist because
I couldn't figure it in for I didn't know any better.  I'd be doing a bad
job.



What are your constraints? [AKA what have you been told to do.]


The task is to provide wireless coverage for employees and customers on
company premises.  It is desirable to be able to keep track of customers,
as in knowing where exactly on the premises they currently are (within
like 3--5 feet, which is apparently tough),


Tough? I would say basically impossible. The only way of getting that


Apparently Cisco can do it:

https://www.cisco.com/c/en/us/products/collateral/wireless/wireless-location-appliance/product_data_sheet0900aecd80293728.html


sort of accuracy is to either have lots of pico cells so you know which
AP a device is connected to, or be able to triangulate. WiFi has a
reasonable range and devices like to hang on to an AP for as long as
possible, even if they can pass off on to a closer more powerful one.

I know retailers are looking at targeting customers via their location,
but I think that currently needs the co-operation of the customer's
device via a downloaded app.


and simpler things like knowing
how long they stay and if they have been on the premises before.


I can see now why you wanted to stop customers/employees from using
their 4G connection.


There is no point in offering wireless to customers when they aren't
going to use it.


That is what using RADIUS apparently leads to when you have devices using
PXE boot.  Maybe they need to be considered as a security risk and be
replaced.


You mentioned X2Go and that your PXE booting clients used it. I know
X2Go and the client is a standalone app that uses ssh to login to the
server to initiate a remote desktop type environment.  There's nothing
in X2Go per se that requires a persistent network connection before
they connect. So, am I right in assuming that your PXE clients are
actually diskless machines that get all of their environment from the
network?


They are, and they boot to where a user needs to enter a username and a
password to log in.  Perhaps that can be changed, but I'm glad that it
works as well as it does and am not inclined to touch it.  It seems rather
fragile, the documentation isn't too great and you are left to your magic
guesswork about how it might work.

There are things that bother me like that you can not set a screen resolution
based on the user that logs in, and I had to set it to a fixed resolution for
all clients.  Replacing these devices rather than messing with them would have
some advantages --- and disadvantages.


Re: [CentOS-virt] kernel 4.9.86-30 missing mpt2sas module

2018-03-07 Thread Pasi Kärkkäinen
On Tue, Mar 06, 2018 at 04:27:05PM +0100, T.Weyergraf wrote:
> Hi
> 
> I am attempting to setup Xen 4.10 with kernel 4.9.86-30 (
> virt7-xen-410-testing, virt7-common-testing ) on CentOS7
> After installing everything, the machine was unable to boot and hung in
> dracut stating it could not find its root device.
> 
> The testsystem I use is a somewhat aged Dell M915 Blade (Quad opteron 61xx),
> using an MPT SAS controller for its SAS boot drives. Stock CentOS 7 reports
> mpt2sas module being used to access the controller.
> That module is not present in the modules directory of the 4.9.86:
> 
> 4.9.86-30:
> # pwd
> /lib/modules/4.9.86-30.el7.x86_64
> # find . -name "*mpt2*" -print
> #
> 
> stock 3.10.0-693:
> # pwd
> /lib/modules/3.10.0-693.el7.x86_64
> # find . -name "*mpt2*" -print
> ./kernel/drivers/scsi/mpt3sas/mpt2sas.ko.xz
> 
> The fun part is, that according to the shipped config, it should be there:
> # grep MPT2 /boot/config-4.9.86-30.el7.x86_64
> CONFIG_SCSI_MPT2SAS_MAX_SGE=128
> CONFIG_SCSI_MPT2SAS=m
> 
> Any idea, what happened? I will try myself to build a new kernel from the
> corresponding source package to check, what went wrong.
>

Upstream Linux kernel migrated both the mpt2sas and mpt3sas drivers to a single 
driver: mpt3sas, which should support all the devices.


-- Pasi
 
> As a side note: anyone here, who tried that combo? I know, it's somewhat
> cutting edge, but as I am finally looking into some sort of modern
> Xen4CentOS setup to replace our aged setup in our infrastructure, i thought
> i'd rather settle with something as new as possible to avoid running into
> "not supported anymore soon" issues. Check hypervisor support matrix on
> frontpage https://xenproject.org/
> 
> Regards
> Thomas Weyergraf
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt
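Editor's added example (shell; not code from the thread). With mpt2sas folded into mpt3sas, the question for a kernel you have not booted yet is whether its modules.alias claims your controller's PCI ID, and whether the module then made it into the initramfs dracut built for that kernel, since a root disk behind a controller whose driver is missing from the initramfs gives exactly the "could not find root device" stop in dracut. The function below does what modprobe does to answer the first question: it glob-matches the device's modalias string against the `alias <pattern> <module>` lines. The modules.alias excerpt used in the test is constructed; 1000:0072 (an LSI SAS2008-class ID) is an assumed example, not the poster's actual controller.

```shell
#!/bin/sh
# module_for_modalias MODULES_ALIAS MODALIAS: resolve a device's modalias string
# to the module that claims it, the way modprobe does, by glob-matching against
# the "alias <pattern> <module>" lines of modules.alias. Added example, not from
# the thread. Check a not-yet-booted kernel against the running system's view of
# the device (0000:03:00.0 is an assumed PCI address):
#   module_for_modalias /lib/modules/4.9.86-30.el7.x86_64/modules.alias \
#       "$(cat /sys/bus/pci/devices/0000:03:00.0/modalias)"
# After the mpt2sas/mpt3sas merge this prints mpt3sas for the old SAS2 IDs.
# Then confirm the module is in that kernel's initramfs:
#   lsinitrd /boot/initramfs-4.9.86-30.el7.x86_64.img | grep mpt3sas
module_for_modalias() {
    aliasfile=$1
    modalias=$2
    while IFS= read -r line; do
        case $line in
            "alias "*) ;;
            *) continue ;;               # comments, blank lines, anything else
        esac
        rest=${line#"alias "}
        module=${rest##*" "}             # last word is the module name
        pattern=${rest%" "*}             # the rest is the pattern; '*' is a wildcard
        # An unquoted variable in a case pattern keeps its '*' as a wildcard,
        # which is the same matching modprobe applies to modules.alias.
        case $modalias in
            $pattern) echo "$module"; return 0 ;;
        esac
    done < "$aliasfile"
    return 1                             # no driver in this kernel claims the device
}

if [ $# -eq 2 ]; then
    module_for_modalias "$1" "$2"
fi
```

A non-zero exit from the function is the interesting case: it means no module in that kernel tree claims the controller, which is a build or packaging problem rather than a dracut one. If it does print mpt3sas but lsinitrd does not show the module, regenerate the initramfs for that kernel with dracut before booting it.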