Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

2014-10-02 Thread Lissa Valletta
Another thing to consider: if you have a Management Node with the Bash
vulnerability, you probably have that level of bash in your images that
were built on the MN, and they have the vulnerability.
To fix the images, there are a few options:

  For diskless images, you can chroot or use xdsh -i and apply the
  patch directly to the image. Run packimage and reboot.

  For stateful installs, if you have a patched Bash rpm, you could
  add it to the otherpkgs pkglist. If it is a version later than the base
  Bash rpm, this will update bash on the install with the patched
  Bash level. You can even use updatenode to update it immediately
  on all your stateful nodes. This also works for stateless nodes,
  but you may prefer to have your stateless images correct.

  If only a patch is available, then set up to sync the patch to the
  node and create a postscript to install the patch. If you add the
  syncfile to the image synclist and the postscript to the postscript
  list, then either install, netboot or updatenode will fix things for
  you.

   Good Docs:
  http://sourceforge.net/p/xcat/wiki/Using_Updatenode/
  http://sourceforge.net/p/xcat/wiki/Postscripts_and_Prescripts/

   There are probably other good suggestions from our user community.

   Lissa K. Valletta
   8-3/B10
   Poughkeepsie, NY 12601
   (tie 293) 433-3102





From:   Lissa Valletta/Poughkeepsie/IBM@IBMUS
To: xCAT Users Mailing list xcat-user@lists.sourceforge.net
Date:   10/01/2014 10:53 AM
Subject:Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278)



You have a very good point; thanks for pointing this out. We will have to
discuss in development how to fix this. Fortunately the use of the
kernel is short-lived, only for discovery, install, etc. This does not
impact a running MN or running compute nodes.


Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102





From: Mark Loveridge ma...@slb.com
To: xCAT Users Mailing list xcat-user@lists.sourceforge.net
Date: 10/01/2014 10:07 AM
Subject: Re: [xcat-user] Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278)






The version of bash in the genesis kernel is potentially vulnerable –
though it probably isn’t exploitable in the out-of-the-box configuration.

Are there any plans to update the genesis image?

I for one will be replacing the genesis version of bash with a patched
version so that I feel more comfortable (and keep my managers happy).

Mark

From: Lissa Valletta [mailto:lis...@us.ibm.com]
Sent: 30 September 2014 12:27
To: xCAT Users Mailing list
Subject: [xcat-user] Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)



Title: Extreme Cloud Administration Toolkit (xCAT) is not affected by the
Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)
Flash (Alert)


Abstract
Extreme Cloud Administration Toolkit (xCAT) is not vulnerable to the Bash
vulnerabilities that have been referred to as “Bash Bug” or “Shellshock”
and the two memory corruption vulnerabilities.





Content


· Extreme Cloud Administration Toolkit (xCAT) in all editions and all
platforms is NOT vulnerable to the Bash vulnerabilities (CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278).



Remediation: Check your OS for recommended patches.



Lissa K. Valletta
8-3/B10
Poughkeepsie, NY 12601
(tie 293) 433-3102
--

___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user

Re: [xcat-user] Error Issues zVM

2014-10-02 Thread Michael Weiner
Chuck

Believe it or not, Mike and I worked and we determined that RACF wasn't
allowing zHCP to couple the switch and in turn, zHCP couldn't talk to xCAT.

For reference, anyone with RACF who has the same problem as I did
must issue:

rac pe system.xcatvsw1 class(vmlan) id(zhcp) access(control)

That will give zHCP access to control the switch.


Right now the error I am having is:

Querying 1 zhcp(s) for disk pools.

Querying disk pools from: zhcp (1 of 1)
Error: zhcp: Failed zhcp: Return Code: 100 zhcp: Reason Code: 16



On Thu, Sep 11, 2014 at 7:12 AM, Lissa Valletta lis...@us.ibm.com wrote:

 This error is unimportant because zVM does not use ipmi
 lnx1:/opt/xcat/lib # /etc/init.d/xcatd restart
 Restarting xCATd Error loading module /opt/xcat/lib/perl/xCAT_plugin/ipmi.pm  ...skipping


  But the second one is very important: that means xCAT is not installed
 correctly. You got errors about missing dependencies. I believe you
 have not installed the latest xCAT dependencies. Your install will not
 work with dependency errors. Were you following this documentation:
 https://sourceforge.net/p/xcat/wiki/XCAT_zVM_Setup/

 In it you see you must download the latest xCAT tarballs,
 xcat-core-xxx.tar.bz2 and xcat-dep-xxx.tar.bz2; that is the xCAT code and
 its dependencies.

 This section for SLES

 https://sourceforge.net/p/xcat/wiki/XCAT_zVM_Setup/#suse-linux-enterprise-server

 If you did download and setup zypper for both, then we need to see those
 dependencies  error messages that came out when you ran zypper install xcat.

 Also give us the names of the tarballs you did download.  For the latest
 release, it should have been

 http://sourceforge.net/projects/xcat/files/xcat/2.8.x_Linux/xcat-core-2.8.5.tar.bz2/download

 http://sourceforge.net/projects/xcat/files/xcat-dep/2.x_Linux/xcat-dep-201408200428.tar.bz2/download


 Lissa K. Valletta
 8-3/B10
 Poughkeepsie, NY 12601
 (tie 293) 433-3102



 From: Michael Weiner mwei...@infinite-blue.com
 To: xcat-user@lists.sourceforge.net
 Date: 09/10/2014 04:14 PM
 Subject: [xcat-user] Error Issues
 --



 I am running SLES 11 SP3 on z/VM.

 I issue *zypper install xCAT* and I get an error about dependencies, and I
 had ignored them; the installation went on fine (I think).

 However, for the plugin I get:

 lnx1:/opt/xcat/lib # /etc/init.d/xcatd restart
 Restarting xCATd Error loading module /opt/xcat/lib/perl/xCAT_plugin/ipmi.pm  ...skipping


 lnx1:/opt/xcat/lib # tabdump site
 Unable to open socket connection to xcatd daemon on localhost:3001.
 Verify that the xcatd daemon is running and that your SSL setup is correct.
 Connection failure: SSL connect attempt failed with unknown
 errorerror::lib(0):func(0):reason(0) at
 /opt/xcat/lib/perl/xCAT/Client.pm line 241.

 Any ideas as to my errors?

 Thank you!

 --
 Michael Weiner
 Systems Admin
 Infinity Systems Software, Inc.
 One Penn Plaza Suite 2010
 New York, NY 10119
 o: (646) 405-9300
 c: (845) 641-0517




-- 
Michael Weiner
Systems Admin
Infinity Systems Software, Inc.
One Penn Plaza Suite 2010
New York, NY 10119
o: (646) 405-9300
c: (845) 641-0517

Re: [xcat-user] Questions on prerequisites for external DNS and makedns -e

2014-10-02 Thread Josh Nielsen
Okay, so I moved to an RPM based install of BIND instead of from source and
the problem did not go away. My setup is that I am using a development
machine which I exported the current xCAT settings that are on my iDataPlex
headnode to that dev VM which I installed xCAT on (definitely a newer
version on the VM than the headnode) and when I first ran restorexCATdb I
got errors when running 'makedns' which said: *Ignoring host node0014, it
does not belong to any nets defined in networks table or the net it belongs
to is configured to use an external nameserver*.

I thought: That's odd, because the network definition looks fine to me and
I don't see why xCAT would change it between versions. On the headnode the
networks database looks like this for the relevant network (compute) and a
secondary network (I snipped out the other entries):

#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,comments,disable
compute,10.20.0.0,255.255.0.0,eth0,,,10.20.0.1,10.20.0.1,,,10.20.200.254-10.20.254.254
10gig,10.60.0.0,255.255.0.0,,10.20.0.1,,

When I restored the tables on the dev VM it would fail to parse compute
but not 10gig (the only obvious difference being that 10gig had
fewer fields filled in). I modified the ddns.pm code to echo messages when
parsing the networks to determine what was going on, and once I discovered
that it liked 10gig but not compute I deleted all the extra fields in
compute to make it match 10gig and suddenly it would parse. Maybe it
has to do with the dynamicrange field in the networks definition?

Below are my code modifications (just adding sendmsg commands) and the
corresponding output from a test execution:


    # exclude the nodes that do not belong to any nets defined in networks table
    #   because only the nets defined in networks table will be added as
    #   zones later.
    my $found = 0;
    foreach (@networks)
    {
        xCAT::SvrUtils::sendmsg("ADDR is $addr", $callback);
        xCAT::SvrUtils::sendmsg("MASK is $_->{mask}", $callback);
        xCAT::SvrUtils::sendmsg("NETWORK is $_->{net}", $callback);
        if (xCAT::NetworkUtils->ishostinsubnet($addr, $_->{mask}, $_->{net}))
        {
            $found = 1;
            xCAT::SvrUtils::sendmsg("Found!", $callback);
        }
        else {
            xCAT::SvrUtils::sendmsg("Not Found!", $callback);
        }
    }

    if ($found)
    {
        push @nodes, $node;
        $ctx->{nodeips}->{$node}->{$addr} = 1;
    }
    else
    {
        unless ($node =~ /localhost/)
        {
            xCAT::SvrUtils::sendmsg(":Ignoring host $node, it does not belong to any nets defined in networks table or the net it belongs to is configured to use an external nameserver.", $callback);
        }
    }

---

My test run:

# makedns -e node0014
Handling node0014 in /etc/hosts.
ADDR is 10.20.101.14
MASK is
NETWORK is
Not Found!

ADDR is 10.20.101.14
MASK is
NETWORK is
Not Found!

ADDR is 10.20.101.14
MASK is 255.255.0.0
NETWORK is 10.40.0.0
Not Found!

ADDR is 10.20.101.14
MASK is 255.255.0.0
NETWORK is 10.20.0.0
Found!
-
ADDR is 10.20.101.14
MASK is 255.255.0.0
NETWORK is 10.60.0.0
Not Found!
-


As you can see, some other networks are being parsed as blank (the first
two encountered in the foreach loop), but after I modified the compute/
10.20.0.0 network it finally printed my Found! message (previously
it was also parsing as blank). I suspect that there are other lurking
problems in the tables between the two xCAT versions due to the
backup/restore of the databases which might be causing this problem. I'm
not sure how to address this without a full reinstall from scratch for xCAT
if a backup/restore between versions is not possible/compatible. I'm
exploring alternatives though.

Regards,
Josh
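The per-network membership decision that the ddns.pm loop above makes for node0014, as an added example that is not xCAT's code: it parses the networks rows posted above in tabdump CSV form, pads rows that have fewer trailing fields (like 10gig) so a missing field reads as blank rather than breaking the parse, and runs a reimplementation of the ishostinsubnet check (an assumption about xCAT's behaviour, not its NetworkUtils code) over every row. A constructed "blankrow" entry reproduces the blank MASK/NETWORK trace lines from the makedns -e run.

```python
import ipaddress

# Constructed sample input: the two networks rows from the post plus a constructed
# "blankrow" with empty net/mask to reproduce the blank MASK/NETWORK trace lines.
NETWORKS_TABLE = """\
#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,comments,disable
blankrow,,,,
compute,10.20.0.0,255.255.0.0,eth0,,,10.20.0.1,10.20.0.1,,,10.20.200.254-10.20.254.254
10gig,10.60.0.0,255.255.0.0,,10.20.0.1,,
"""

def parse_networks(text):
    """Parse tabdump-style CSV into one dict per row keyed by header name.
    Double quotes (real tabdump wraps values in them) are stripped; rows shorter
    than the header (10gig) are padded with '' so a missing field reads as blank."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("#").split(",")
    rows = []
    for line in lines[1:]:
        fields = [f.strip('"') for f in line.split(",")]
        fields += [""] * (len(header) - len(fields))
        rows.append(dict(zip(header, fields)))
    return rows

def is_host_in_subnet(addr, mask, net):
    """Reimplementation (assumed, not xCAT's NetworkUtils code) of the
    ishostinsubnet decision: a blank or unparsable net/mask never matches."""
    if not mask or not net:
        return False
    try:
        subnet = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in subnet
    except ValueError:
        return False

def classify_host(addr, networks):
    """Return (matching network names, trace lines mirroring the sendmsg output)."""
    matches, trace = [], []
    for row in networks:
        hit = is_host_in_subnet(addr, row["mask"], row["net"])
        verdict = "Found!" if hit else "Not Found!"
        trace.append(f"ADDR is {addr} MASK is {row['mask']} NETWORK is {row['net']} {verdict}")
        if hit:
            matches.append(row["netname"])
    return matches, trace

if __name__ == "__main__":
    found, lines = classify_host("10.20.101.14", parse_networks(NETWORKS_TABLE))
    print("\n".join(lines), "\nmatched:", found)
```

An empty `matched` list is exactly the case in which the loop falls through to the "Ignoring host" message, so a row that parses with blank net/mask can only ever contribute a "Not Found!".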


On Wed, Oct 1, 2014 at 10:45 AM, Josh Nielsen jniel...@hudsonalpha.org
wrote:

 So I'm thinking that either:

 A) My DNS server (BIND) is somehow misconfigured (which may include some
 bug when BIND is compiled from the latest source) - even though the keys
 obviously work in some instances and I am indeed getting partial remote
 updates successfully.
 - OR -
 B) There is a bug in makedns or the underlying config/tools it uses on the
 OS. Possibly there was some unclean transfer or mismatch of settings when I
 used dumpxCATdb/restorexCATdb, even though I updated the site table and
 have my resolv.conf pointing only to the external DNS server. Even so, as I
 pointed out, some of the entries are being correctly sent with the key, but
 I am occasionally seeing request is not signed for some requests OR I am
 not seeing the request for a forward lookup entry at all (which is