Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)
Another thing to consider: if you have a Management Node with the Bash vulnerability, you probably have that level of bash in your images that were built on the MN, and they have the vulnerability. To fix the images, there are a few options.

For diskless images, you can chroot or use xdsh -i and apply the patch directly to the image. Run packimage and reboot.

For stateful installs, if you have a patched Bash rpm, you could add it to the otherpkgs pkglist. If it is a version later than the base Bash rpm, this will update bash on the install with the patched Bash level. You can even use updatenode to update it immediately on all your stateful nodes. This also works for stateless nodes, but you may prefer to have your stateless images correct.

If only a patch is available, then set up to sync the patch to the node and create a postscript to install the patch. If you add the syncfile to the image synclist and the postscript to the postscript list, then either install, netboot or updatenode will fix things for you.

Good Docs:
http://sourceforge.net/p/xcat/wiki/Using_Updatenode/
http://sourceforge.net/p/xcat/wiki/Postscripts_and_Prescripts/

There are probably other good suggestions from our user community.

Lissa K. Valletta
8-3/B10 Poughkeepsie, NY 12601
(tie 293) 433-3102

From: Lissa Valletta/Poughkeepsie/IBM@IBMUS
To: xCAT Users Mailing list xcat-user@lists.sourceforge.net
Date: 10/01/2014 10:53 AM
Subject: Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

You have a very good point; thanks for pointing this out. We will have to discuss in development how to fix this. Fortunately the use of the kernel is short-lived, only for discovery, install, etc. This does not impact a running MN or running compute nodes.

Lissa K. Valletta

From: Mark Loveridge ma...@slb.com
To: xCAT Users Mailing list xcat-user@lists.sourceforge.net
Date: 10/01/2014 10:07 AM
Subject: Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

Schlumberger-Private

The version of bash in the genesis kernel is potentially vulnerable – though it probably isn't exploitable in the out-of-the-box configuration. Are there any plans to update the genesis image? I for one will be replacing the genesis version of bash with a patched version so that I feel more comfortable (and keep my managers happy).

Mark

From: Lissa Valletta [mailto:lis...@us.ibm.com]
Sent: 30 September 2014 12:27
To: xCAT Users Mailing list
Subject: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

Title: Extreme Cloud Administration Toolkit (xCAT) is not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

Flash (Alert)

Abstract
Extreme Cloud Administration Toolkit (xCAT) is not vulnerable to the Bash vulnerabilities that have been referred to as "Bash Bug" or "Shellshock" and the two memory corruption vulnerabilities.

Content
· Extreme Cloud Administration Toolkit (xCAT) in all editions and all platforms is NOT vulnerable to the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278).

Remediation: Check your OS for recommended patches.

Lissa K. Valletta

___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
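The otherpkgs route in the thread above only replaces bash when the rpm you drop into otherpkgs compares newer than the one already in the image. The following is an added example, not code from the thread or from xCAT, that reproduces rpm's version-comparison rules so you can check that in advance from two EVR strings. It assumes you obtain those strings with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' bash` on the MN and with `rpm --root <rootimg dir> -q --qf ...` against a diskless image root; the two EVR values in the block are constructed samples, not the versions anyone in the thread reported.

```python
import re
from itertools import zip_longest

# Constructed sample EVR strings (epoch:version-release) for illustration only.
# Substitute the output of:
#   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' bash                        (on the MN)
#   rpm --root /install/netboot/<os>/<arch>/<profile>/rootimg -q --qf '...' bash (diskless image)
IMAGE_BASH = "(none):4.1.2-15.el6_5.1"    # what the image currently carries (constructed)
PATCHED_BASH = "(none):4.1.2-15.el6_5.2"  # the rpm placed in otherpkgs (constructed)

# rpm compares version strings segment by segment: runs of digits, runs of
# letters, and the '~' pre-release marker; every other character is a separator.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpm's segment rules.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal. '~' sorts before
    anything, even the end of the string; a numeric segment beats an alphabetic
    one at the same position; a string with more segments is newer.
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:  # a ran out of segments first, so b is newer
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release).

    rpm prints '(none)' for a package without an epoch; that counts as 0.
    """
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Full rpm ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def otherpkgs_will_supersede(image_evr: str, otherpkgs_evr: str) -> bool:
    """True when the bash rpm in otherpkgs is newer than the one in the image,
    i.e. when the otherpkgs pass will actually replace it."""
    return compare_evr(otherpkgs_evr, image_evr) > 0


if __name__ == "__main__":
    verdict = "will" if otherpkgs_will_supersede(IMAGE_BASH, PATCHED_BASH) else "will NOT"
    print(f"otherpkgs bash {PATCHED_BASH} {verdict} replace image bash {IMAGE_BASH}")
```

If the comparison says the otherpkgs rpm will not supersede the image's bash (a vendor build with a higher release tag already present, or an epoch on the installed package), the updatenode/otherpkgs pass will leave the vulnerable binary in place, and the chroot or postscript route from the message above is the one to use.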
Re: [xcat-user] Error Issues zVM
Chuck,

Believe it or not, Mike and I worked and we determined that RACF wasn't allowing zHCP to couple the switch, and in turn zHCP couldn't talk to xCAT. For your reference, for anyone with RACF who has the same problem as I did, they must issue:

    rac pe system.xcatvsw1 class(vmlan) id(zhcp) access(control)

That will give zHCP access to control the switch.

Right now the error I am having is:

    Querying 1 zhcp(s) for disk pools.
    Querying disk pools from: zhcp (1 of 1)
    Error: zhcp: Failed
    zhcp: Return Code: 100
    zhcp: Reason Code: 16

On Thu, Sep 11, 2014 at 7:12 AM, Lissa Valletta lis...@us.ibm.com wrote:

This error is unimportant because zVM does not use ipmi:

    lnx1:/opt/xcat/lib # /etc/init.d/xcatd restart
    Restarting xCATd
    Error loading module /opt/xcat/lib/perl/xCAT_plugin/ipmi.pm ...skipping

But the second one is very important; that means xCAT is not installed correctly. You got errors about missing dependencies. I believe you have not installed the latest xCAT dependencies. Your install will not work with dependency errors.

Were you following this documentation: https://sourceforge.net/p/xcat/wiki/XCAT_zVM_Setup/

In it you see you must download the latest xCAT tarballs, xcat-core-xxx.tar.bz2 and xcat-dep-xxx.tar.bz2, that is the xCAT code and its dependencies. This section is for SLES: https://sourceforge.net/p/xcat/wiki/XCAT_zVM_Setup/#suse-linux-enterprise-server

If you did download and set up zypper for both, then we need to see those dependency error messages that came out when you ran zypper install xcat. Also give us the names of the tarballs you did download. For the latest release, it should have been:
http://sourceforge.net/projects/xcat/files/xcat/2.8.x_Linux/xcat-core-2.8.5.tar.bz2/download
http://sourceforge.net/projects/xcat/files/xcat-dep/2.x_Linux/xcat-dep-201408200428.tar.bz2/download

Lissa K. Valletta
8-3/B10 Poughkeepsie, NY 12601
(tie 293) 433-3102

From: Michael Weiner mwei...@infinite-blue.com
To: xcat-user@lists.sourceforge.net
Date: 09/10/2014 04:14 PM
Subject: [xcat-user] Error Issues

I am running SLES 11 SP3 on z/VM. I issue zypper install xCAT and I get an error about dependencies, and I had ignored them; installation went on fine (I think). However, the plugin I get:

    lnx1:/opt/xcat/lib # /etc/init.d/xcatd restart
    Restarting xCATd
    Error loading module /opt/xcat/lib/perl/xCAT_plugin/ipmi.pm ...skipping
    lnx1:/opt/xcat/lib # tabdump site
    Unable to open socket connection to xcatd daemon on localhost:3001.
    Verify that the xcatd daemon is running and that your SSL setup is correct.
    Connection failure: SSL connect attempt failed with unknown error error::lib(0):func(0):reason(0) at /opt/xcat/lib/perl/xCAT/Client.pm line 241.

Any ideas as to my errors? Thank you!

--
Michael Weiner
Systems Admin
Infinity Systems Software, Inc.
One Penn Plaza Suite 2010
New York, NY 10119
o: (646) 405-9300
c: (845) 641-0517
Re: [xcat-user] Questions on prerequisites for external DNS and makedns -e
Okay, so I moved to an RPM-based install of BIND instead of from source and the problem did not go away.

My setup is that I am using a development machine; I exported the current xCAT settings that are on my iDataPlex headnode to that dev VM, which I installed xCAT on (definitely a newer version on the VM than the headnode), and when I first ran restorexCATdb I got errors when running 'makedns' which said:

    Ignoring host node0014, it does not belong to any nets defined in networks table or the net it belongs to is configured to use an external nameserver.

I thought: That's odd, because the network definition looks fine to me and I don't see why xCAT would change it between versions. On the headnode the networks database looks like this for the relevant network (compute) and a secondary network (I snipped out the other entries):

    #netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,comments,disable
    compute,10.20.0.0,255.255.0.0,eth0,,,10.20.0.1,10.20.0.1,,,10.20.200.254-10.20.254.254
    10gig,10.60.0.0,255.255.0.0,,10.20.0.1,,

When I restored the tables on the dev VM it would fail to parse compute but not 10gig (the only obvious difference being that 10gig had fewer fields filled in). I modified the ddns.pm code to echo messages when parsing the networks to determine what was going on, and once I discovered that it liked 10gig but not compute I deleted all the extra fields in compute to make it match 10gig and suddenly it would parse. Maybe it has to do with the dynamicrange field in the networks definition?

Below are my code modifications (just adding sendmsg commands) and the corresponding output from a test execution:

    # exclude the nodes that do not belong to any nets defined in the networks table,
    # because only the nets defined in the networks table will be added as
    # zones later.
    my $found = 0;
    foreach (@networks) {
        # debug output: which networks-table entry is being compared against this address
        xCAT::SvrUtils::sendmsg("ADDR is $addr", $callback);
        xCAT::SvrUtils::sendmsg("MASK is $_->{mask}", $callback);
        xCAT::SvrUtils::sendmsg("NETWORK is $_->{net}", $callback);
        if (xCAT::NetworkUtils->ishostinsubnet($addr, $_->{mask}, $_->{net})) {
            $found = 1;
            xCAT::SvrUtils::sendmsg("Found!", $callback);
        } else {
            xCAT::SvrUtils::sendmsg("Not Found!", $callback);
        }
    }
    if ($found) {
        push @nodes, $node;
        $ctx->{nodeips}->{$node}->{$addr} = 1;
    } else {
        unless ($node =~ /localhost/) {
            xCAT::SvrUtils::sendmsg(":Ignoring host $node, it does not belong to any nets defined in networks table or the net it belongs to is configured to use an external nameserver.", $callback);
        }
    }

---

My test run:

    # makedns -e node0014
    Handling node0014 in /etc/hosts.
    ADDR is 10.20.101.14
    MASK is
    NETWORK is
    Not Found!
    ADDR is 10.20.101.14
    MASK is
    NETWORK is
    Not Found!
    ADDR is 10.20.101.14
    MASK is 255.255.0.0
    NETWORK is 10.40.0.0
    Not Found!
    ADDR is 10.20.101.14
    MASK is 255.255.0.0
    NETWORK is 10.20.0.0
    Found! -
    ADDR is 10.20.101.14
    MASK is 255.255.0.0
    NETWORK is 10.60.0.0
    Not Found! -

As you can see, some other networks are being parsed as blank (the first two encountered in the foreach loop), but after I modified the compute/10.20.0.0 network it finally printed my Found! message (previously it was also parsing as blank). I suspect that there are other lurking problems in the tables between the two xCAT versions due to the backup/restore of the databases which might be causing this problem. I'm not sure how to address this without a full reinstall from scratch for xCAT if a backup/restore between versions is not possible/compatible. I'm exploring alternatives though.

Regards,
Josh

On Wed, Oct 1, 2014 at 10:45 AM, Josh Nielsen jniel...@hudsonalpha.org wrote:

So I'm thinking that either:

A) My DNS server (BIND) is somehow misconfigured (which may include some bug when BIND is compiled from the latest source) - even though the keys obviously work in some instances and I am indeed getting partial remote updates successfully.

- OR -

B) There is a bug in makedns or the underlying config/tools it uses on the OS. Possibly there was some unclean transfer or mismatch of settings when I used dumpxCATdb/restorexCATdb, even though I updated the site table and have my resolv.conf pointing only to the external DNS server. Even so, as I pointed out, some of the entries are being correctly sent with the key, but I am occasionally seeing "request is not signed" for some requests OR I am not seeing the request for a forward lookup entry at all (which is
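The debug loop Josh added to ddns.pm is a plain membership test of one node address against every row of the networks table, and his trace shows rows with blank net/mask simply coming back "Not Found!". The following is an added example, not code from the thread or from xCAT, that reproduces that test in Python over the exact tabdump lines pasted above, and additionally sanity-checks the parsed rows (blank or unparsable net/mask, rows with more fields than the header) so that a restored table can be inspected before running makedns. The column-padding behaviour for short rows is an assumption about tabdump output drawn from the pasted rows, and the `disable` values treated as "off" are an assumption as well.

```python
import csv
import ipaddress
from io import StringIO

# The networks table exactly as pasted in the message above: a '#'-prefixed
# header line followed by comma-separated rows. Trailing empty columns are
# absent from the rows, which is why the two rows have different lengths.
NETWORKS_TABDUMP = """\
#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,comments,disable
compute,10.20.0.0,255.255.0.0,eth0,,,10.20.0.1,10.20.0.1,,,10.20.200.254-10.20.254.254
10gig,10.60.0.0,255.255.0.0,,10.20.0.1,,
"""


def parse_tabdump(text):
    """Turn tabdump output into a list of dicts keyed by the header columns.

    Rows shorter than the header are padded with '' (assumption: tabdump drops
    trailing empty columns); rows longer than the header are reported as
    malformed instead of being silently truncated.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].lstrip("#").split(",")
    rows, problems = [], []
    for fields in csv.reader(StringIO("\n".join(lines[1:]))):
        if len(fields) > len(header):
            problems.append(f"{fields[0]}: {len(fields)} fields, header has {len(header)}")
            continue
        fields += [""] * (len(header) - len(fields))
        rows.append(dict(zip(header, fields)))
    return rows, problems


def is_host_in_subnet(addr, mask, net):
    """Python counterpart of the ishostinsubnet() call in Josh's loop.

    Blank or unparsable net/mask yields False rather than an exception, which
    matches the 'Not Found!' lines his trace printed for the blank rows.
    """
    if not addr or not mask or not net:
        return False
    try:
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(addr) in network
    except ValueError:
        return False


def networks_for_host(addr, rows):
    """Names of the (not disabled) networks-table rows that contain addr."""
    return [
        r["netname"]
        for r in rows
        if r.get("disable", "") not in ("1", "yes")  # assumed 'disabled' spellings
        and is_host_in_subnet(addr, r["mask"], r["net"])
    ]


def check_rows(rows):
    """Flag rows that can never match a host: blank or invalid net/mask."""
    bad = []
    for r in rows:
        if not r["net"] or not r["mask"]:
            bad.append(f"{r['netname'] or '<unnamed>'}: blank net or mask")
            continue
        try:
            ipaddress.IPv4Network(f"{r['net']}/{r['mask']}", strict=False)
        except ValueError as exc:
            bad.append(f"{r['netname']}: {exc}")
    return bad


if __name__ == "__main__":
    rows, problems = parse_tabdump(NETWORKS_TABDUMP)
    for p in problems + check_rows(rows):
        print("problem:", p)
    print("node0014 (10.20.101.14) belongs to:", networks_for_host("10.20.101.14", rows))
```

Run against the pasted rows it reports no problems and places node0014 in `compute` only, which is what the trace shows once the compute row parsed; feeding it the full `tabdump networks` output from the dev VM would surface the two blank rows that printed "MASK is" / "NETWORK is" with nothing after them.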