Re: [CentOS] [Infra] - Planned outage : lists.centos.org (migration to mailman3) : please read

2024-04-02 Thread Chris Adams
Once upon a time, Fabian Arrotin  said:
> Migration is scheduled for """"Tuesday April 8th, 7:00 am UTC time"""".
> You can convert to local time with $(date -d '2024-04-08 07:00 UTC')

April 8, 2024, is Monday, not Tuesday.

-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Current RHEL fragmentation landscape

2023-07-25 Thread Chris Adams
Once upon a time, Gordon Messmer  said:
> If Red Hat were doing development in RHEL minor releases that wasn't
> published elsewhere, I would probably have a different view of
> things, but they aren't.  There's nothing there that isn't published
> elsewhere.

This will not be the case for the second half of a RHEL major release
life cycle, because the corresponding Stream will be EOL and no longer
updated.

-- 
Chris Adams 


Re: [CentOS] Mirror problems with elfutils-debuginfod-client

2023-06-24 Thread Chris Adams
Once upon a time, Chris Adams  said:
> The package elfutils-debuginfod-client is needed for even a minimal
> install, but it is not available on most mirrors.  I suspect some are
> excluding mirroring debuginfo packages with just a *debuginfo* pattern
> to rsync, where they should do something like *-debuginfo-*.rpm (which
> should be good for now as I don't see any package with just "debuginfo"
> in the name, even in Fedora).

Sorry, made a mistake in my checking, here's an updated list.  It also
appears that they are just excluding "*debug*", because they don't have
packages like kernel-debug.

Also, some servers returned in the metalink file have both HTTP and
HTTPS, but HTTP just redirects to HTTPS.  The HTTP should just be
removed as it serves no purpose.

Servers missing elfutils-debuginfod-client:

   forksystems.mm.fcix.net
   ftp-chi.osuosl.org
   ftp-nyc.osuosl.org
   ftp-osl.osuosl.org
   mirror.fcix.net
   mirror.xenyth.net
   nocix.mm.fcix.net
   ohioix.mm.fcix.net
   volico.mm.fcix.net


-- 
Chris Adams 


[CentOS] Mirror problems with elfutils-debuginfod-client

2023-06-24 Thread Chris Adams
The package elfutils-debuginfod-client is needed for even a minimal
install, but it is not available on most mirrors.  I suspect some are
excluding mirroring debuginfo packages with just a *debuginfo* pattern
to rsync, where they should do something like *-debuginfo-*.rpm (which
should be good for now as I don't see any package with just "debuginfo"
in the name, even in Fedora).

The following mirrors are affected:

centos-stream-distro.1gservers.com
dfw.mirror.rackspace.com
forksystems.mm.fcix.net
ftp-chi.osuosl.org
ftp-nyc.osuosl.org
ftp-osl.osuosl.org
ftpmirror.your.org
iad.mirror.rackspace.com
mirror.datto.com
mirror.facebook.net
mirror.fcix.net
mirror.rackspace.com
mirror.servaxnet.com
mirror.siena.edu
mirror.team-cymru.com
mirror.xenyth.net
mirror2.sandyriver.net
mirrors.ocf.berkeley.edu
nocix.mm.fcix.net
ohioix.mm.fcix.net
ord.mirror.rackspace.com
repos.eggycrew.com
volico.mm.fcix.net

-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
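
The effect of the three exclude patterns discussed in the two messages above, as an added example that is not part of the original posts. Shell `case` globbing stands in for rsync's matching of a file name without slashes (an assumption of this sketch); the package versions are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.

# Constructed file names of packages a mirror must carry (versions are made up).
WANTED="elfutils-debuginfod-client-0.0-1.el9.x86_64.rpm
kernel-debug-0.0-1.el9.x86_64.rpm
bash-0.0-1.el9.x86_64.rpm"

# Constructed file name of a real debuginfo package the mirror may skip.
DEBUGINFO="elfutils-debuginfo-0.0-1.el9.x86_64.rpm"

# excluded_by PATTERN FILENAME: succeed if the exclude pattern matches the name.
excluded_by() {
    # $1 is deliberately unquoted so that case treats it as a glob pattern.
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# wrongly_excluded PATTERN: print the wanted packages the pattern would drop.
wrongly_excluded() {
    out=""
    for f in $WANTED; do
        if excluded_by "$1" "$f"; then
            out="$out${out:+ }$f"
        fi
    done
    echo "$out"
}

for pattern in '*debug*' '*debuginfo*' '*-debuginfo-*.rpm'; do
    if excluded_by "$pattern" "$DEBUGINFO"; then skips=yes; else skips=no; fi
    printf '%-20s skips debuginfo: %-3s  also drops: %s\n' \
        "$pattern" "$skips" "$(wrongly_excluded "$pattern")"
done
```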


Re: [CentOS] Apache mpm itk

2023-05-16 Thread Chris Adams
Once upon a time, Gionatan Danti  said:
> On 2022-09-23 19:06 Gionatan Danti wrote:
> >Hi all,
> >the EPEL repository for CentOS7 contains httpd-itk, an apache module
> >for running different vhosts under specific user/group ID.
> >
> >For RHEL8 I can find it only in 3rd party repos, while I miss it
> >entirely for RHEL9.
> >
> >Is the module deprecated? Can it be re-included into EPEL?
> >Regards.
> 
> Hi all,
> anyone with some ideas? Any explanations on why httpd-itk is absent
> from both EPEL-8 and EPEL-9?

The package was orphaned in Fedora, so there's no maintainer to create
and manage builds.
-- 
Chris Adams 


Re: [CentOS] bash test ?

2023-04-19 Thread Chris Adams
Once upon a time, lejeczek  said:
> There are several ways to run tests in shell, but 'test' which is
> its own binary as I understand, defeats me..
> in those three examples - regardless of how one can "bend" quoting &
> expanding - the same identical variable syntax is used and yet
> different tests render the same result.

It's because shell variable expansion happens before the command is run.
When you do:

   unset _Val; test -z ${_Val}

The shell expands ${_Val} to nothing, then does whitespace removal, and
runs test with a single argument, "-z".  When instead you do:

   unset _Val; test -z "${_Val}"

The shell sees the quoted string and keeps it as an empty argument, so
test gets run with two arguments: "-z", and "" (null aka a zero-length
string).

It appears that test treats -z/-n (and other tests) with no following
argument as always successful, rather than an error.  Checking the
POSIX/Single Unix Specification standard, this is compliant; it says
that any time test is run with one argument, the exit is true (0) if the
argument is not null, false otherwise (e.g. test "" is false, while
test -blob is true).

Note that bash has test and [ as shell builtins, but the external
command /usr/bin/test and /usr/bin/[ have the same behavior.

The [[ ]] method is a bash extension, and treats a test operator without
a corresponding operand (e.g. [[ -z ]]) as an error condition instead of
returning true.

-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
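
The argument counts and exit statuses described in the message above, as an added example that is not part of the original post; the helper names are hypothetical and the inputs are constructed. It stays within POSIX sh, so `[[ ]]` is not exercised, and it also runs `-n` and `-f`, where the unquoted form reports success for an empty value.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# argc prints how many arguments a command receives once the shell has
# finished expansion and word splitting.
argc() { echo "$#"; }

# Argument count test would see for: test OP ${_Val}  versus  test OP "${_Val}"
argc_unquoted() { _Val=$2; argc "$1" ${_Val}; }
argc_quoted()   { _Val=$2; argc "$1" "${_Val}"; }

# The same guard written both ways; $1 is the operator (-z, -n, -f, ...).
guard_unquoted() { _Val=$2; test "$1" ${_Val}; }
guard_quoted()   { _Val=$2; test "$1" "${_Val}"; }

# status_of runs a command and prints its exit status; it does not abort a
# script that runs under "set -e".
status_of() {
    rc=0
    "$@" 2>/dev/null || rc=$?
    echo "$rc"
}

# Constructed inputs: an empty value and a value containing a space.
for op in -z -n -f; do
    for val in "" "a b"; do
        printf '%s %-5s unquoted: argc=%s status=%s   quoted: argc=%s status=%s\n' \
            "$op" "'$val'" \
            "$(argc_unquoted "$op" "$val")" "$(status_of guard_unquoted "$op" "$val")" \
            "$(argc_quoted "$op" "$val")" "$(status_of guard_quoted "$op" "$val")"
    done
done
```

With an empty value the unquoted `-n` and `-f` guards exit 0, so a script that relies on them proceeds as if the variable were set or the file existed; with `"a b"` the unquoted form is a usage error rather than a test result.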


Re: [CentOS] wget http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/images/pxeboot/vmlinuz --max-redirect=0 --no-hsts

2023-03-30 Thread Chris Adams
Once upon a time, Jelle de Jong  said:
> Thank you in advance for making the mirror.stream.centos.org work
> with HTTP again and letting users choose between HTTP and HTTPS.

If you really must load directly from remote sites, you can set up your
own local proxy (nginx should be able to do this for example).
-- 
Chris Adams 


Re: [CentOS] Mount removed raid disk back on same machine as original raid

2023-03-08 Thread Chris Adams
Once upon a time, Bowie Bailey  said:
> What is going to happen when I try to mount a drive that the system
> thinks is part of an existing array?

I don't _think_ anything special will happen - md RAID doesn't go
actively looking for drives like that AFAIK.  And RAID 1 means you
should be able to ignore RAID and just access the contents directly.

However, the contents could still be a problem.  If LVM was in use on
it, that will be a problem, because LVM does auto-probe and will react
when it sees the same UUID (IIRC LVM will only block access to the newly
seen drive).  I don't think any filesystems care (I know I've mounted
snapshots of ext4 and IIRC xfs on the same system, haven't touched
btrfs).

-- 
Chris Adams 


Re: [CentOS] Looking for a RAID1 box

2023-01-06 Thread Chris Adams
Once upon a time, Simon Matter  said:
> Are you sure that's still true? I've done it that way in the past but it
> seems at least with EL8 you can put /boot/efi on md raid1 with metadata
> format 1.0. That way the EFI firmware will see it as two independent FAT
> filesystems. Only thing you have to be sure is that nothing ever writes to
> these filesystems when Linux is not running, otherwise your /boot/efi md
> raid will become corrupt.
> 
> Can someone who has this running confirm that it works?

Yes, that's even how RHEL/Fedora set it up currently I believe.  But
like you say, it only works as long as there's no other OS on the system
and the UEFI firmware itself is never used to change anything on the FS.
It's not entirely clear that most UEFI firmwares would handle a drive
failure correctly either (since it's outside the scope of UEFI), so IIRC
there's been some consideration in Fedora of dropping this support.

And... I'm not sure if GRUB2 handles RAID 1 /boot fully correctly, for
things where it writes to the FS (grubenv updates for "savedefault" for
example).  But, there's other issues with GRUB2's FS handling anyway, so
this case is probably far down the list.

I think that having RAID 1 for /boot and/or /boot/efi can be helpful
(and I've set it up, definitely not saying "don't do that"), but has to
be handled with care and possibly (probably?) would need manual
intervention to get booting again after a drive failure or replacement.

-- 
Chris Adams 


Re: [CentOS] CentOS 9 Stream mirrorlist url's

2022-11-19 Thread Chris Adams
Once upon a time, Jos Vos  said:
> I'm trying to port a CentOS 8 Stream kickstart file to CentOS 9 Stream,
> but I cannot find what repo mirrorlist url's I now have to use.

The metalinks are preferred now (not sure if there are mirrorlist
entries for 9-Stream).  I have:

url --metalink=https://mirrors.centos.org/metalink?repo=centos-baseos-9-stream&arch=x86_64
repo --name=appstream --metalink=https://mirrors.centos.org/metalink?repo=centos-appstream-9-stream&arch=x86_64
repo --name=crb --metalink=https://mirrors.centos.org/metalink?repo=centos-crb-9-stream&arch=x86_64

-- 
Chris Adams 


Re: [CentOS] IPv6 token with /60 and prefix delegation

2022-05-09 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> Right now it's a CentOS 8 system running NetworkManager. The LAN
> side is going to run the Kea DHCP server but for now I'm just trying
> to get the WAN side going.

The typical IPv6 CPU router setup is:

- WAN receives Router Advertisement that says there is stateful config
- WAN does DHCPv6 to get WAN IP (typically either a /64 or a /128)
- WAN does separate DHCPv6 to get a prefix delegation (e.g. /64, /60, /56)
- router assigns /64 prefixes from PD to LAN interface(s) as needed

So when you get a /60 via PD, that doesn't go on the WAN interface at
all, that's for use on LAN interfaces.

NM can get and apply a WAN IP in that setup just by setting
ipv6.method=auto.  There's some support in NM for also running PD and
assigning prefixes to LAN interfaces (although not sure it is in CentOS
8), but I think it's incomplete.  Instead, you can use something like:

https://github.com/sshambar/nmutils

to add event scripts to NM to handle it (although IIRC I had a couple of
issues with those scripts too, but didn't get back to working it all
out).
-- 
Chris Adams 


Re: [CentOS] kickstart storage configuration hangs

2022-04-05 Thread Chris Adams
Once upon a time, Leon Fauster  said:
> I guess anaconda is not ready? Because even the ks file
> from the manually installed system does not work ...

I installed a 9-stream VM from kickstart today, so I don't think it is a
general issue.  Did you look at the logs to see what is happening?
-- 
Chris Adams 


Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> I'm using BackupPC to do rsync-based backups of all my systems. The
> "incremental" backups look only at size and timestamp changes. The
> less-frequent "full" backups checksum all my files. That means an
> extra write for every file that gets checked.

Well, not really.  atime writes would get batched just like any other
write, and filesystems have inode metadata grouped together, so it'd be
more like one flush of a few inode metadata blocks for a whole lot of
atime updates.

Unless you had zero other writes (in which case, why back up), this will
still be lost in the noise of total writes.  Any old SSD will handle
that just fine for many years to come.

-- 
Chris Adams 


Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> According to the man page for mount, relatime updates atime whenever
> mtime or ctime are updated, or if neither has been updated in the
> last 24 hours. Which is still prohibitive if you're doing an
> incremental (rsync) backup and checking file contents on the "full"
> backup weekly or monthly.

Unless you never write to the disk, that will still be lost in the noise
of writes.  But if it still bothers you, use rsync --open-noatime.

-- 
Chris Adams 


Re: [CentOS] [EXT] c9s: CPU ISA level lower than required

2022-02-07 Thread Chris Adams
Once upon a time, Simon Matter  said:
> Is there an easy way to figure out if a CPU does support x86-64-v2?
> Something like a list of CPU families or a list of flags to check?

Run "/lib64/ld-linux-x86-64.so.2 --help" - the output should include:


Subdirectories of glibc-hwcaps directories, in priority order:
  x86-64-v4
  x86-64-v3 (supported, searched)
  x86-64-v2 (supported, searched)


So for example, the system I ran this on is -v3, but not -v4.
-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
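
One way to turn the loader output quoted above into a scriptable check, as an added example that is not part of the original post; the function names are hypothetical and the sample input is the three lines from the message, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# supported_levels: read "ld-linux-x86-64.so.2 --help" output on stdin and
# print every glibc-hwcaps level marked as supported, in the order listed
# (highest priority first).
supported_levels() {
    awk '
        /glibc-hwcaps directories/ { in_list = 1; next }
        in_list && NF == 0         { in_list = 0 }
        in_list && /\(supported/   { print $1 }
    '
}

# highest_level: print the first (highest) supported level, or nothing.
highest_level() { supported_levels | head -n 1; }

# supports_level LEVEL: succeed if LEVEL is listed as supported.
supports_level() { supported_levels | grep -qxF "$1"; }

# Sample input: the lines quoted in the message above.
sample_help_output() {
    cat <<'EOF'
Subdirectories of glibc-hwcaps directories, in priority order:
  x86-64-v4
  x86-64-v3 (supported, searched)
  x86-64-v2 (supported, searched)

EOF
}

echo "highest level in sample: $(sample_help_output | highest_level)"
if sample_help_output | supports_level x86-64-v2; then
    echo "sample system meets x86-64-v2"
fi

# On a live system, feed the real loader output instead of the sample:
#   /lib64/ld-linux-x86-64.so.2 --help | supports_level x86-64-v2
```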


[CentOS] EPEL repo RPM in CentOS 9-stream?

2022-02-03 Thread Chris Adams
Will the Fedora EPEL repo RPM be added to any CentOS 9-stream core
repos, like epel-release is in 7 and 8-stream extras?

-- 
Chris Adams 


[CentOS-virt] Script for making a KVM VM from a kickstart

2022-01-15 Thread Chris Adams
I have been building up a script to quickly and easily make CentOS/RHEL
and Fedora VMs from kickstart files for a long time, and thought I'd see
if anyone else was interested.  It's especially useful IMHO if you are
working on building kickstarts, because you can fairly rapidly iterate
and test.

I've got it built as an RPM, so if others think this is useful, I might
submit it to Fedora and EPEL.

Let me know what you think!

https://github.com/cmadamsgit/ks-install
-- 
Chris Adams 
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS] Qemu - enabling "bridge mode" for primary physical interface for VMs

2021-12-15 Thread Chris Adams
Once upon a time, Lists  said:
> Thank you, I'll be trying this on a spare machine here before I try it in 
> production. Carefully reading the directions, although I see where bridge-br0 
> is created, I don't see where bridge-slave-em1 is defined? 

This part:

> > # Make a connection for the physical ethernet em1 to be part of the bridge
> > nmcli con add type ethernet ifname em1 master bridge-br0

does it.  If you don't specify a connection name, NM names a new bridge
member connection profile as "bridge-slave-".

-- 
Chris Adams 


[CentOS] CentOS 9-stream "CRB" repo

2021-12-14 Thread Chris Adams
I'm starting to look at CentOS 9-stream... what is the CRB repo?  It
appears to be a lot of development libraries and such, but I didn't see
a definition or "CRB" anywhere.
-- 
Chris Adams 


Re: [CentOS] Qemu - enabling "bridge mode" for primary physical interface for VMs

2021-12-07 Thread Chris Adams
Once upon a time, Lists  said:
> I understand that it's possible to allow the 4 VM guest systems to each have
> a "direct" fixed IP address and access the addresses via the host network
> adapter, while the host retains its fixed IP.

If you are running NetworkManager (the default), it's not too hard.
Here's an example step-by-step for changing an existing interface "em1" to
be a bridge "br0":


# Create a bridge interface
nmcli con add type bridge ifname br0 bridge.stp no

# Copy all the IPv4/IPv6 config from an existing interface
nmcli con mod bridge-br0 $(nmcli -f ipv4.method,ipv4.addresses,ipv4.gateway,ipv6.method,ipv6.addresses,ipv6.gateway con show em1 | grep -v -- -- | sed 's/:  */ /')
# -or- just set an IPv4 address/gateway to known values
nmcli con mod bridge-br0 ipv4.method manual ipv4.address 10.1.1.2/24 ipv4.gateway 10.1.1.1 ipv6.method ignore

# Make a connection for the physical ethernet em1 to be part of the bridge
nmcli con add type ethernet ifname em1 master bridge-br0

# Switch from the "regular" em1 to the bridge
nmcli con down em1; nmcli con up bridge-br0; nmcli con up bridge-slave-em1

# Disable the original config
nmcli con mod em1 autoconnect 0


Then you set your VMs to use the bridge - in the libvirt XML for
example, you'd have something like:


  
  
  
  



Inside the VM, configure the interface just as if it was a physical system
on that subnet.

-- 
Chris Adams 


Re: [CentOS] CentOS 9-stream modules?

2021-11-15 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> On Sun, 14 Nov 2021 at 17:48, Chris Adams  wrote:
> > I started looking at 9-stream a bit... and I notice there are no package
> > modules.  All the things that were modules in 8/8-stream appear to have
> > been folded back into the base OS, with no variants included (like
> > different versions of MariaDB and php for example).  Is this expected to
> > be the way forward, or are modules just still to be filled out?
> 
> Modules will probably occur later in time. Made up example follows
> which bears no resemblance to reality: Perl-5.400 comes out and it is
> a good candidate for use, then it will be added as a module which
> would replace regular packages.  Same with PHP, IDM and other
> 'fast-but-useful' tool-sets.

Okay, thanks to you and to Josh Boyer for the info.  This appears to be
a little different from CentOS 8 (and Fedora), where such things are
always modules, so I just wanted to make sure I wasn't missing anything.

-- 
Chris Adams 


[CentOS] CentOS 9-stream modules?

2021-11-14 Thread Chris Adams
I started looking at 9-stream a bit... and I notice there are no package
modules.  All the things that were modules in 8/8-stream appear to have
been folded back into the base OS, with no variants included (like
different versions of MariaDB and php for example).  Is this expected to
be the way forward, or are modules just still to be filled out?

-- 
Chris Adams 


Re: [CentOS] Mementos

2021-08-31 Thread Chris Adams
Once upon a time, mark  said:
> Cleaning up, and found something relevant here: anyone want a
> memento - I have an original RH 5.2 set.

That'd be RHL - RH is the company. :)

My oldest Red Hat Linux release is 3.0.3 - first Linux distribution I
got on CD (instead of just downloading a floppy image after floppy
image).  I wonder if it would install in a modern VM?
-- 
Chris Adams 


Re: [CentOS] [External] Re: Microsoft Teams on CentOS 7. Does the latest version work?

2021-07-14 Thread Chris Adams
Once upon a time, Phil Perry  said:
> So Teams now needs a newer version of libstdc++ than that in RHEL7.
> As others have mentioned, Microsoft clearly do not understand how to
> package software using RPM and you are probably better off with a
> snap/flatpak solution.

Umm, I would say that there is a proper dependency on a required
library, they do understand how to package software using RPM.  They're
just choosing to build on a newer OS version that has dependencies that
aren't handled on CentOS 7.

I don't know if they specify supported distributions anywhere (I didn't
find a list in a quick search), so don't think they claim that CentOS 7
is supported.  I think they just say "here's an RPM" and "here's a
repo".

-- 
Chris Adams 


Re: [CentOS] [External] Re: Microsoft Teams on CentOS 7. Does the latest version work?

2021-07-14 Thread Chris Adams
Once upon a time, Toralf Lund  said:
> But in that situation, you expect runtime errors. In this case, the
> application doesn't just install, it also starts and stays running
> for as long as I care to let it. It just doesn't do anything useful.
> Not as far as I can tell, anyway. I guess part of the question was
> if I'm missing something. Like, perhaps it doesn't open any windows
> by default, but there's some obscure way to make them come up...

Like a number of "desktop apps" for web-based sites, Teams is an
Electron app.  That means it's really a package of Chrome plus the
site's client HTML/CSS/JavaScript, so you get all the fun bugs of
Chrome (with no way to upgrade it).  Microsoft's RPM does appear to have
all the proper RPM dependencies, so that's probably not the issue (as
long as it installs, they should be satisfied).

Have you run Teams before on this system?  If so, I've found that it
tends to bog down over time, which I suspect is something like it
growing a cache without bounds or the like.  If that's the case, I
suggest removing its data and re-logging in.  It looks like that is
"~/.config/Microsoft/Microsoft Teams".

-- 
Chris Adams 


Re: [CentOS] Centos versions in the future?

2021-07-09 Thread Chris Adams
Once upon a time, Gionatan Danti  said:
> While I fully understand & agree on the motivation for keeping Rocky
> (and other clones) 1:1 with Red Hat, it should be understood that
> current RHEL packages selection itself is drifting away from
> small/medium business needs. So the core issue is a more fundamental
> one: Red Hat, our upstream, is walking away from traditional server
> needs.

Like any commercial product, RHEL exists for Red Hat's customers... so
if you want to see something specific from RHEL, you need to be a
customer to give input.

-- 
Chris Adams 


Re: [CentOS] [C8 stream] unix_chkpwd wants access to /proc

2021-06-14 Thread Chris Adams
Once upon a time, Chris Adams  said:
> Once upon a time, Łukasz Posadowski  said:
> > From 11.06 journal is logging a lot of denied access to /proc for
> > unix_chkpwd by selinux. They are so frequent, that I see them in
> > htop. :) Right now I have 2122 logged denials.
> > 
> > Is it OK for unix_chkpwd to poke in /proc? It has to know who is
> > logged in, so probably yes, but I'm not sure.
> 
> I haven't dug into it, but I'm thinking there was some policy or library
> change that isn't quite right... sssd_be also has the same denial on
> startup (so every boot).

Went ahead and poked at it - the issue is the new version of libcap-ng.
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1971688
-- 
Chris Adams 


Re: [CentOS] [C8 stream] unix_chkpwd wants access to /proc

2021-06-14 Thread Chris Adams
Once upon a time, Łukasz Posadowski  said:
> From 11.06 journal is logging a lot of denied access to /proc for
> unix_chkpwd by selinux. They are so frequent, that I see them in
> htop. :) Right now I have 2122 logged denials.
> 
> Is it OK for unix_chkpwd to poke in /proc? It has to know who is
> logged in, so probably yes, but I'm not sure.

I haven't dug into it, but I'm thinking there was some policy or library
change that isn't quite right... sssd_be also has the same denial on
startup (so every boot).

-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos versions in the future?

2021-04-27 Thread Chris Adams
Once upon a time, Carlos Oliva  said:
> Thank you for your response Martin. We should probably consider
> moving to the alternatives that you mentioned or Ubuntu. Centos was
> no longer a Community effort after RH was bought by a proprietary
> company.

The vast majority of open source software is developed by companies like
Red Hat/IBM (IBM was a significant Linux contributor long before they
bought Red Hat; the original SCO lawsuit was about code IBM contributed
to the Linux kernel).  That's not just true of Linux; a lot of FreeBSD
development is done by a few companies (sometimes imperfectly, as seen
with the VPN mess just before FreeBSD 13 release).

-- 
Chris Adams 


Re: [CentOS] password algorithm with authconfig vs authselect

2021-04-21 Thread Chris Adams
Once upon a time, Leon Fauster  said:
> How does the new "way" look like (>=EL8), to switch the password
> algorithm?

It looks like authselect doesn't support that.

While authconfig tried to be a super-multi-tool that knew how to
configure all the things, I think it got to a point where it was too
difficult to maintain (keeping track of which options were required,
conflicted with each other, etc.).  So authselect instead ships a
pre-set group of config files that have been tested, with some options
in them.

Right now, the password algorithm is always sha512.  I think that could
be turned into what authselect calls a "feature", but I'm not sure
(that'd be a good request for the project, using their project page at
https://github.com/authselect/authselect).  It looks like features might
support only enable/disable, not custom string values.

The "officially correct" way to do that today seems to be to create a
custom profile (which can be based on an existing profile), change the
values, then apply the custom profile.  This seems like a lot to just
set the algorithm, but I'm guessing that at this point, there aren't
many requests to do that (so it isn't a well-supported thing to change).

It looks like something like this might do it:

  authselect create-profile sha256 --base-on=sssd
  sed -i 's/sha512/sha256/g' /etc/authselect/custom/sha256/*
  authselect select custom/sha256

-- 
Chris Adams 
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
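
A check to run after switching the profile as described above, as an added example that is not part of the original post: the algorithm setting only applies when a password is next set, so existing accounts keep their old hashes until then. The function names are hypothetical and the shadow lines are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# hash_scheme FIELD: name the crypt(3) scheme of one shadow(5) password field.
hash_scheme() {
    field=$1
    # A leading "!" marks a locked password; classify what follows it.
    while [ "${field#!}" != "$field" ]; do
        field=${field#!}
    done
    case "$field" in
        ''|'*')  echo none ;;      # no password hash stored
        '$1$'*)  echo md5 ;;
        '$5$'*)  echo sha256 ;;
        '$6$'*)  echo sha512 ;;
        '$y$'*)  echo yescrypt ;;
        *)       echo other ;;
    esac
}

# audit_shadow WANTED: read shadow(5) lines on stdin and print "user scheme"
# for every account whose stored hash is not in the WANTED scheme.
audit_shadow() {
    while IFS=: read -r user field rest; do
        scheme=$(hash_scheme "$field")
        if [ "$scheme" != none ] && [ "$scheme" != "$1" ]; then
            echo "$user $scheme"
        fi
    done
}

# Constructed sample in shadow(5) format; salts and hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhashAAAA:19000:0:99999:7:::
alice:$5$constructedsalt$constructedhashBBBB:19100:0:99999:7:::
bob:!$6$constructedsalt$constructedhashCCCC:19100:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol:!!:19100:0:99999:7:::
EOF
}

echo "accounts in the sample not yet on sha256:"
sample_shadow | audit_shadow sha256

# On a live system (as root): audit_shadow sha256 < /etc/shadow
```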


Re: [CentOS] Proxmox Backup Server equivalent for the RHEL/CentOS world ?

2021-04-13 Thread Chris Adams
Once upon a time, Simon Matter  said:
> I haven't followed oVirt/RHV but I'm wondering how free it is? Is it as
> "free" as RHEL or as CentOS/Alma/Rocky/Navy/Oracle Linux?

oVirt is the upstream for RHV.  Development takes place in oVirt, but
(to me anyway) like Fedora, that doesn't mean it is an unfinished or
beta product - they do development and have test releases and such.
But, like any freely-available software, sometimes you get to find new
ways to break it (and then go hunting for help on mailing lists and
such). :)  I've run oVirt in production for over 6 years (don't actually
remember exactly when I started but at least that long).

> BTW, from what I know Proxmox does make use of ZFS for some nice features,
> does oVirt/RHV have some comparable solutions?

All of my oVirt experience has been with external iSCSI storage arrays -
my main cluster was a mail server farm for 60K residential users, so we
needed TBs of fast storage.  oVirt supports a hyperconverged setup with
Gluster as well; I set it up once in a lab, but we didn't end up using
it (so I can't offer any experience with it).

We used to have a TrueNAS (commercial FreeBSD+ZFS storage array), and...
we had issues with it.  I was not a fan and probably would avoid ZFS and
FreeNAS/TrueNAS based on my experiences (but maybe they've gotten
better).  We hit multiple bugs with it that took a long time to resolve.
We were also unhappy with the hardware and its support from iX Systems
(the company behind FreeNAS/TrueNAS).

Aside from bugs, one drawback of ZFS for me was that, when we needed
more storage and added more drives, there was no way to rebalance the
space.  We ended up getting "hot spots" because a flood of data was
written to just the new drives.  The ZFS "solution" is just to backup
and restore your data (which is not an enterprise or highly available
option to me).

Rebalance is hard, but I ran DEC Unix back in the day, and their AdvFS
not only supported rebalance, it ran it regularly from a cron job (which
may have been a hack around the kernel not balancing well to begin with
of course).

-- 
Chris Adams 


Re: [CentOS] Proxmox Backup Server equivalent for the RHEL/CentOS world ?

2021-04-12 Thread Chris Adams
Once upon a time, Nicolas Kovacs  said:
> On 12/04/2021 at 23:11, Chris Adams wrote:
> > oVirt
> > itself doesn't include backup software (it supports VM snapshots and
> > clones), but there are several third-party backup tools (both free and
> > commercial) compatible with oVirt/RHV, like Storeware's vProtect (I
> > haven't used it but seen others mention it).
> 
> I'd be very grateful for some links to these third-party backup tools, with a
> preference for free (as in beer + speech) stuff.

Google is your friend - check out the ovirt-users mailing list archive.
I'm not doing VM-based backups (had system backups already before
setting up this VM environment and haven't had the opportunity to
change), so I can't really say.

I know there are people using Ansible plays against the oVirt API to do
things, so there are probably scripts for that in the usual places like
github.
-- 
Chris Adams 


Re: [CentOS] Proxmox Backup Server equivalent for the RHEL/CentOS world ?

2021-04-12 Thread Chris Adams
Once upon a time, Nicolas Kovacs  said:
> Both PVE and PBS are based on Debian, and now I wonder if RHEL-based systems
> have something similar to offer.

I believe Red Hat Virtualization, and its open upstream oVirt, are
comparable to Proxmox.  I have used oVirt for a number of years.  oVirt
itself doesn't include backup software (it supports VM snapshots and
clones), but there are several third-party backup tools (both free and
commercial) compatible with oVirt/RHV, like Storeware's vProtect (I
haven't used it but seen others mention it).

-- 
Chris Adams 


Re: [CentOS] nmcli

2021-03-30 Thread Chris Adams
Once upon a time, Peter Larsen  said:
> >how do I just remove the single ADDRESS I added as an alias ? not the whole
> thing ?
> 
> You first remove all ipv4.addresses and then add the one you want. Then you
> save/activate.

That's not necessary.  For any setting that can be multi-valued (such as
addresses and routes), you can prefix with + or - to add or remove just
one entry.  For example, to remove just address 10.1.1.2/24:

   nmcli con mod em1 -ipv4.address 10.1.1.2/24
   nmcli con up em1

-- 
Chris Adams 


Re: [CentOS] Network Manager - rotate connection profile

2020-10-26 Thread Chris Adams
Once upon a time, Frank Cox  said:
> I have an occasional need to switch a few computers from one Internet 
> provider to a different one.  Both Internet providers feed into the same 
> network, one at 192.168.0.1 and the other at 192.168.0.254.
> 
> So to change from one provider to the other I run nmtui to change the gateway 
> and dns server addresses, then deactivate and reactivate the connection and 
> I'm done.

You could just create multiple connection profiles, like "provA" and
"provB".  Then to switch A->B would be "nmcli con down provA; nmcli con
up provB".  You'd only want one to autoconnect though, so maybe:

   nmcli con down provA
   nmcli con mod provA autoconnect 0
   nmcli con up provB
   nmcli con mod provB autoconnect 1

Or you could even get fancier with a script that would check the
currently active and switch to the other one.

-- 
Chris Adams 


Re: [CentOS] ThinkStation with BIOS RAID and disk error messages in gparted

2020-10-23 Thread Chris Adams
Once upon a time, Simon Matter  said:
> I'm a bit confused what you have here. Did you mix pseudo hardware RAID
> (BIOS RAID 0) with software RAID here? Because /dev/md126 clearly is part
> of a software RAID.

IIRC the old dmraid support for motherboard RAID has been phased out,
but mdraid has grown support for Intel (and maybe some other?) common
motherboard RAID.  So, /dev/md doesn't inherently mean "Linux
software RAID" for a while now.
-- 
Chris Adams 


[CentOS] Script to rebuild CentOS 8 boot ISO with plus kernel

2020-10-05 Thread Chris Adams
I want to install CentOS 8 on some older Dells that have storage
controllers dropped by RHEL 8.  The CentOS 8 kernel-plus package
supports them, so I wrote a script that rebuilds the boot ISO to boot
and install using the kernel-plus package from the centosplus repo.

https://github.com/cmadamsgit/misc-scripts/

I know you can use driver disks to load additional modules from
elsewhere, but I wanted to end up with the kernel-plus anyway, so why
not just do it during install?

Lightly tested, but seems to work.  Posting here in case it is useful to
others.
-- 
Chris Adams 


Re: [CentOS] kvm & external snapshots

2020-08-13 Thread Chris Adams
Once upon a time, Gregory P. Ennis  said:
> I have used the command line :
> 
> snapshot-create-as --diskspec vda,snapshot=external,file=/u4/guest/MaBa-clone/test.snap.img --domain MaBa-clone --name MaBa-clone_snap --description "Snap before  9Aug2020"

I believe that when creating an external snapshot, you have to either
specify --disk-only (to not snapshot RAM), or supply --memspec (to
specify how/where to save RAM).
-- 
Chris Adams 


Re: [CentOS] Fixing grub/shim issue Centos 7

2020-08-07 Thread Chris Adams
Once upon a time, Alessandro Baggi  said:
> you are right but is not UEFI a standard and it shouldn't work the
> same on several vendors? I ask this because this patch broke all my
> uefi workstations.

The great thing about standards is there's so many to choose from!  Also
relevant: https://xkcd.com/927/

UEFI has gone through a number of revisions over the years, and has
optional bits like Secure Boot (which itself has gone through
revisions).  Almost any set of standards has undefined corners where
vendors interpret things differently.  Vendors also have bugs in weird
places sometimes.

The firmware and boot loaders arguably are the least "exercised" parts
of a system - both change rarely and there are few implementations.
There's not many combinations, and they don't change a lot.

I'm interested to read about the cause of this issue - something like
this can be a lesson on "hmm, hadn't thought of that before" type things
to watch for in other areas.
-- 
Chris Adams 


Re: [CentOS] Fixing grub/shim issue Centos 7

2020-08-04 Thread Chris Adams
Once upon a time, Johnny Hughes  said:
> The issues should now be resolved.
> 
> If you just mount /mnt/sysimage, set an ip address and upgrade (to get
> the new shim) .. then:
> 
> yum reinstall 

I'm curious - why does the kernel need to be reinstalled?  The shim-x64
package installs its files directly to the EFI partition where they are
needed.

-- 
Chris Adams 


Re: [CentOS] Boot failed on latest CentOS 7 update

2020-08-02 Thread Chris Adams
Once upon a time, Jonathan Billings  said:
> On Aug 2, 2020, at 14:43, Pete Biggs  wrote:
> > You don't have to use UEFI secure booting - most machines can fall back
> > to legacy booting using BIOS settings. If you do that, you won't use
> > any Microsoft signed code.
> 
> Back in 2017, Intel said that it was going to deprecate the “Legacy” CSM by 
> 2020. They might have changed their schedule but I suspect we’ll start seeing 
> hardware without anything but UEFI. 

I believe that is still Intel's plan.

However, as happens often, people are confusing UEFI and Secure Boot.
UEFI is a replacement for the ages-old BIOS - Secure Boot is an
extension to UEFI to create a "trusted" (for whatever that may mean)
boot chain to get to the OS.  You can have UEFI without having Secure
Boot enabled (that's what I do on my systems).
-- 
Chris Adams 


Re: [CentOS] USB-serial adapter for CentOS 7

2020-07-08 Thread Chris Adams
Once upon a time, mailist  said:
> Even if you did have an RS232 port on the box, the serial drivers
> for CentOS 7 have
> never worked correctly.  I had an application using RS232 that
> worked perfectly
> under CentOS 6, and then worked intermittently under CentOS 7, and
> failed miserably
> on CentOS 8.  The handwriting on the RedHat wall says, "nobody uses
> RS232 anymore!"

I've used serial ports just fine on CentOS 7 (haven't had a physical
CentOS 8 system so far, so can't say there, but have used serial
consoles on CentOS 8 VMs), as well as newer Fedora (similar but newer
kernels).  Are you sure you weren't doing something in an unsupported
and/or undefined way that just happened to work on CentOS 6?

-- 
Chris Adams 


Re: [CentOS] USB-serial adapter for CentOS 7

2020-07-08 Thread Chris Adams
Once upon a time, John Pierce  said:
> yes, but is it 'basic serial UPS' or is it 'enhanced serial UPS'?  the
> former do NOT use the rx/tx data of the serial port at all, they ONLY use
> the serial port control  signals, and they probably will NOT work with a
> USB port because they require very specific behavior from those signals at
> power up and reboot times.

I've used various serial devices, including UPSes, via various
USB-to-serial adapters (Prolific PL2303 and FTDI FT2232C), and all the
signaling works fine.  Only issue you sometimes have is that there are
many cheap adapters on Amazon that claim to be Prolific or FTDI but are
in fact counterfeit clones - those may or may not work reliably for ANY
purpose.

-- 
Chris Adams 


Re: [CentOS] Not getting bootloader installed with CentOS 8 + mdraid

2020-07-01 Thread Chris Adams
Once upon a time, Chris Adams  said:
> I am trying to use a kickstart to install CentOS 8.2 on a server with a
> pair of drives with Linux software RAID 1.  The install completes, but
> the resulting system will not boot - I get "Booting from Hard drive C:"
> from the BIOS (Dell in legacy BIOS mode, not UEFI) and it stops.  If I
> then start the installer in rescue mode and run grub2-install on the two
> drives, it boots okay.

Never mind, this was user error. :)

I have a kickstart that discards unused space in %post to make VM images
smaller, and it tries too hard (and the SSDs listened!) - it got the
unpartitioned space between the partition table and the first partition,
and GRUB2 uses more of that when /boot is on RAID1.  Oops.
-- 
Chris Adams 


[CentOS] Not getting bootloader installed with CentOS 8 + mdraid

2020-07-01 Thread Chris Adams
I am trying to use a kickstart to install CentOS 8.2 on a server with a
pair of drives with Linux software RAID 1.  The install completes, but
the resulting system will not boot - I get "Booting from Hard drive C:"
from the BIOS (Dell in legacy BIOS mode, not UEFI) and it stops.  If I
then start the installer in rescue mode and run grub2-install on the two
drives, it boots okay.

If I take out the RAID config and just install on the first drive, it
boots fine - it appears to just be an issue with RAID.  I tried my
kickstart in a KVM VM with two disks, and it works there (I get RAID and
a bootloader).

Anybody else run into this?  Any ideas?  I've been installing from
kickstarts for ages, including software RAID, but not CentOS 8 with
software RAID until now.

-- 
Chris Adams 


Re: [CentOS] Blog article about the state of CentOS

2020-06-17 Thread Chris Adams
Once upon a time, Noam Bernstein  said:
> Of course.   My only question is whether the observation that the gap for 
> CentOS 8 is indeed larger than we have come to be used to for CentOS 7.

So, I took a look... and the answer is "it's not" (with a small sample
set).  I took dates from Wikipedia for RHEL and the archived release
notes for CentOS.  I didn't bother with the .0 releases (since that's a
lot of new work anyway).  Right now, CentOS 8 is far faster than CentOS
7 and 6 were at this stage.

release  RHEL date   CentOS date  days
6.1      2011-05-19  2011-12-12   207
6.2      2011-12-06  2012-07-24   231
6.3      2012-05-20  2012-09-30   133
6.4      2013-02-21  2013-05-21   89
6.5      2013-11-21  2014-02-26   97
6.6      2014-10-13  2014-11-15   33
6.7      2015-07-22  2015-09-05   45
6.8      2016-05-10  2016-07-28   79
6.9      2017-03-21  2017-04-05   15
6.10     2018-06-19  2018-07-03   14

7.1      2015-03-05  2015-10-11   220
7.2      2015-11-19  2016-02-19   92
7.3      2016-11-03  2016-12-21   48
7.4      2017-08-01  2018-03-21   232
7.5      2018-04-10  2018-10-30   203
7.6      2018-10-30  2019-01-28   90
7.7      2019-08-06  (didn't find release notes)
7.8      2020-03-31  2020-04-27   27

8.1      2019-11-05  2020-01-15   71
8.2      2020-04-28  2020-06-15   48

-- 
Chris Adams 


Re: [CentOS] Blog article about the state of CentOS

2020-06-17 Thread Chris Adams
Once upon a time, Alessandro Baggi  said:
> As reported in my previous message I'm not worried about how much time is
> required to build the new (major/minor) release, it will be ready when it
> will be. My major concern is about the "security update blackout" that takes
> as long as the build process.

I'm not involved in building CentOS, but the issue is that it is a
rebuild of upstream.  When RHEL 8.2 is released, there are no more
upstream updates released for RHEL 8.1; they are all on top of the RHEL
8.2 release.  So, until the time that CentOS can rebuild RHEL 8.2 and
make a new CentOS release, there can't be any updates for CentOS 8.1.

RHEL 8 introduced modules, which complicated the build system and
required new tooling, so CentOS has had a bunch of "under the hood" work
to catch up.  Hopefully, once that's ironed out, the gap between a RHEL
8.x release and the corresponding CentOS release will drop.

-- 
Chris Adams 


Re: [CentOS] Minicom and Ncurses

2020-06-12 Thread Chris Adams
Once upon a time, Nicolas Kovacs  said:
> I have to do some maintenance on a CentOS 7 proxy installed on a routerboard
> without a video card. The only way to access this machine directly is via
> Minicom and serial port.
> 
> I'm using NetworkManager TUI (nmtui) to configure network interfaces, but
> Ncurses rendering in Minicom works in the sense that chickens fly and horses
> swim. What you get is a forest of question marks with a few barely
> recognizable options lost in between.
> 
> Is there some magical trick to render Ncurses interfaces correctly in Minicom?

I'd guess the TERM is not set correctly.  IIRC Minicom by default
emulates a traditional VT102 terminal, while the default Linux TERM
variable is usually "linux" (which is a superset of VT102).  Try setting
TERM=vt102 first.

Alternately, if you have screen installed, it can also be used for
serial access... run "screen /dev/ttyS0 9600" (change the device and
speed as needed).  Screen has its own superset of VT102, so you can set
TERM=screen, but it is also possibly close enough to the linux terminal
emulation to work directly (they're both ANSI supersets with similar
extensions).

-- 
Chris Adams 


Re: [CentOS] firewalld / iptables / nftables

2020-06-09 Thread Chris Adams
Once upon a time, Jonathan Billings  said:
> 'iptables' and 'nftables' are competing technologies.  In CentOS 8,
> firewalld's backend was switched from iptables to nftables.  So it
> would be expected that the iptables command wouldn't have any rules
> defined, it isn't being used by firewalld.

That is partially incorrect.  While iptables and nftables are two
different in-kernel firewalls, the iptables CLI command is now a wrapper
that can translate to the nftables backend for compatibility.

However, it can only manage a subset of nftables information (basically
what it can create in the iptables back-compat mode).  The nftables
rules created by firewalld don't fall into that category, so can't be
viewed by iptables.

Instead, use the nft command, like "nft list ruleset" to see a dump of
all current rules.

-- 
Chris Adams 


Re: [CentOS] ip6tables equivalent for NAT?

2020-05-26 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> I figure that TCP is easy: Add a rule to the forward chain to allow
> SYN packets. There's already connection tracking to handle
> established connections. Does connection tracking handle UDP? If I
> allow all UDP from the LAN interface and one sends a DNS query from
> LAN to WAN, will the reply get back? I don't want to blanket
> authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless
> that's also handled by the tracking system.

Anything that's already working through IPv4 NAT should work just fine
through IPv6 with connection tracking.

IPv4 NAT is a stateful, connection tracking, packet mangling firewall.
With IPv6, you can just do the same thing without the packet mangling
misfeatures of NAT, with just connection tracking.

But don't go blocking ICMP - doing that in IPv4 already can break
things, and it can break even more things in IPv6.

-- 
Chris Adams 
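
A stateful IPv6 gateway policy along the lines described above, as an added
example that is not part of the original post: the function prints a ruleset
for ip6tables-restore. The interface names, the trust placed in the LAN
interface and the DHCPv6 client rule are assumptions.

```sh
#!/bin/sh
# Added example: IPv6 gateway filtering with connection tracking and no NAT.
# ip6_gateway_rules LAN_IF WAN_IF prints a ruleset for ip6tables-restore.
# Check it before loading:  ip6_gateway_rules em1 em2 | ip6tables-restore --test

ip6_gateway_rules() {
    lan=$1
    wan=$2
    # Interface names end up in the ruleset, so accept only plain names.
    for ifname in "$lan" "$wan"; do
        case "$ifname" in
            ''|*[!A-Za-z0-9._-]*)
                echo "bad interface name: '$ifname'" >&2
                return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the gateway itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbor discovery, RAs and packet-too-big: do not drop it.
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 replies come from the server's link-local address and do not match
# the multicast solicit in conntrack, so they need their own rule.
-A INPUT -i $wan -s fe80::/10 -p udp -m udp --dport 546 -j ACCEPT
# Assumption: hosts on the LAN may reach services on the gateway.
-A INPUT -i $lan -j ACCEPT
# --- traffic routed through the gateway ---
# Replies to flows the LAN opened: TCP, UDP (e.g. DNS), related ICMPv6 errors.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Only the LAN may open new flows; unsolicited WAN traffic hits the policy.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Demo with constructed interface names (em1 = LAN, em2 = WAN).
ip6_gateway_rules em1 em2
```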


Re: [CentOS] Diagnosing IPv6 routing

2020-04-30 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> I discovered that IPv6 is sort of working when I got an email
> rejection from Comcast for not having an IPv6 PTR record. I
> discovered I could telnet to port 25 on their MX server over IPv6! I
> then found I could traceroute6 to them, but I couldn't to my Linode
> VPS in Fremont. It gets to the data center and stops. Going the
> other way, my Linode can traceroute6 almost to my AT&T
> server. Neither can reach the open port 25 on the other, but both
> can reach mx1.comcast.net via IPv6.

Yeah, unfortunately things like that can happen, v4 or v6 (like I
couldn't get to a local TV station's website a little while ago from my
home connection, but could from elsewhere).

From your traceroutes, it kind of looks like it's possible that it's
something on your gateway (but I'm not really sure).  Do you have any
IPv6 firewall running there?

One other note about mail on v6 - not only do you need to have a valid
reverse (with matching forward) DNS record, you probably need to do TLS
with a valid cert (Let's Encrypt is free and easy).

-- 
Chris Adams 


Re: [CentOS] Diagnosing IPv6 routing

2020-04-29 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> --On Tuesday, April 28, 2020 10:16 PM -0500 Chris Adams
>  wrote:
> >And frankly, giving you a /56 is pretty crappy, since ARIN rules say to
> >give every site a /48.  I'd only do a /56 for a home connection prefix
> >delegation.  But, that's AT&T! :)
> 
> I'd just read about that when researching this. Maybe they decided
> that since we only have about a dozen people at our site, we won't
> have a lot of subnets. What do small offices DO with 256 public
> subnets, anyway? I suppose eventually we'll have an IoT subnet on
> every person.

The idea with IPv6 is not to even necessarily think about it in terms of
direct numbers, but in layers.  It is not uncommon to have several
layers of routers, firewalls, guest wifi networks, etc., and each layer
should request a prefix delegation from its parent.  So rather than 256
subnets, think about it as 8 layers (at most... but if a layer has more
than 2 children, you have fewer layers available).

So for example, if your Internet gateway has a desktop firewall, a guest
wifi, a public DMZ, and a development lab gateway connected, and you
want to allow for more things at that layer, there's 3 of your 8 bits in
a /56.  If the dev lab needs to fan out more, and maybe your public DMZ
needs to break up for production and QA-testing networks, and you add a
VPN concentrator to the desktop network... you can go through those bits
fast.

In IPv4, people would just NAT the crap out of everything, having to
tunnel from one NATted network to another, making life really difficult.
The plan is no NAT in IPv6, so allow for all potential allocations up
front.

Also, allocations should be larger than necessary and sparse, so that
you never need another allocation (even if you grow to 1000 employees
and multiple buildings on a campus).  This is to hopefully prevent
routing tables from exploding like IPv4 did (and also to avoid you
having to renumber everything just to stay in a single block).

-- 
Chris Adams 


Re: [CentOS] Diagnosing IPv6 routing

2020-04-28 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> I'm using OpenWrt at home and it's working mostly fine there. Except
> with my Android phone. I'm not getting a DNS setting for V6, but I
> do have the setting in the router's config file. The Win10 clients
> work fine, though. Apparently Android has issues with DHCPv6, and
> I'm betting it's interfering with my SLAAC config.

Yeah, Android refuses to support DHCPv6, so you either have to have IPv4
DNS or SLAAC.  I have IPv4 DNS on my home network, so don't have an
issue.  I did just look, and OpenWRT is putting the DNS option for SLAAC
in the RA, so that should work too (but I think that's something
relatively recent for OpenWRT).

I didn't get that you have a static assignment (presumably a business
connection) - they may not do RAs on that (I don't at my ISP job).
Business connections (or at least, connections with static assignments)
tend to operate differently.  For that, they should have given you a
static v6 address and gateway, just like they did for v4.

So... there's one thing you could try (but probably won't work to a
regular router interface) - see if there's a MAC-derived fe80::/64
link-local address on their end.  Get the MAC of the gateway from the v4
ARP entry and expand it to a LL v6 address as fe80::xxxx:xxff:fexx:xxxx
(split the MAC, put ff:fe in the middle).  Try ping6 that address with
%em2 appended (have to append the interface when using link-local
addresses).  I doubt it'll work, since I know Juniper (which IIRC AT&T
likes) doesn't assign those (I can't remember for sure about Cisco and
don't have a handy test target).

And frankly, giving you a /56 is pretty crappy, since ARIN rules say to
give every site a /48.  I'd only do a /56 for a home connection prefix
delegation.  But, that's AT&T! :)

-- 
Chris Adams 
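
The MAC-to-link-local expansion described above, as an added example that is
not part of the original post. Modified EUI-64 (RFC 4291) also inverts the
universal/local bit of the first octet, which the function does; the sample
neighbor table, addresses and interface names are constructed.

```sh
#!/bin/sh
# Added example: derive the MAC-based link-local address of a gateway.

# mac_to_ll MAC -> fe80:: address built from the MAC (modified EUI-64).
mac_to_ll() {
    # Normalise: lower case, accept "-" as separator.
    mac=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    old_ifs=$IFS
    IFS=:
    set -- $mac          # $1..$6 are now the six octets
    IFS=$old_ifs
    # Invert the universal/local bit (0x02) of the first octet, then put
    # ff:fe between the two halves of the MAC.
    o1=$(( 0x$1 ^ 0x02 ))
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( ($o1 << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# gw_ll GATEWAY_IPV4 < output of "ip -4 neigh show"
# Prints the scoped address to ping, e.g. fe80::...%em2, or fails if the
# gateway has no resolved MAC in the table.
gw_ll() {
    gw=$1
    while read -r ip kw1 dev kw2 mac rest; do
        [ "$ip" = "$gw" ] && [ "$kw2" = "lladdr" ] || continue
        ll=$(mac_to_ll "$mac") || return 1
        # Link-local addresses need the interface appended as a scope.
        printf '%s%%%s\n' "$ll" "$dev"
        return 0
    done
    return 1
}

# Constructed sample of "ip -4 neigh show" output.
SAMPLE_NEIGH='192.0.2.7 dev em1 lladdr 52:54:00:aa:bb:cc STALE
192.0.2.9 dev em2  FAILED
192.0.2.1 dev em2 lladdr 52:54:00:12:34:56 REACHABLE'

# Demo: the address to hand to ping6 for gateway 192.0.2.1.
printf '%s\n' "$SAMPLE_NEIGH" | gw_ll 192.0.2.1
```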


Re: [CentOS] Diagnosing IPv6 routing

2020-04-28 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> On 4/28/2020 3:17 PM, Chris Adams wrote:
> >- gateway sends a router solicitation and gets a router advertisement
> >   with "stateful config" set, which tells gateway to do DHCPv6 (but
> >   default route comes from RA)
> 
> I'm not seeing any outbound IPv6 traffic from my CentOS 7 box on the
> WAN interface. I do see RA's emitting from the LAN interface, from
> radvd. Is there some setting in NM tells it to send solicitations?
> Is there some way to push one manually?

What's in /etc/sysconfig/network-scripts/ifcfg-?  I wonder if you
have IPv6 disabled.

I'm not using a "regular" (CentOS, Fedora, etc.) Linux as a gateway; I
have OpenWRT on a dedicated box.  I couldn't find a way to handle the
prefix delegation with the typical desktop/server tools (but it has been
a while since I looked).  OpenWRT has their own daemon for that.

However, my local systems are all sending RA solicitations and getting
DHCPv6-assigned addresses with NetworkManager (which matches the first
steps of what you need on the WAN, just not the prefix delegation).

-- 
Chris Adams 


Re: [CentOS] Diagnosing IPv6 routing

2020-04-28 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> I just got 50 Mbps symmetric fiber from AT&T and it includes a /56
> of IPv6 addresses, replacing a much slower ADSL line. I never tried
> to get IPv6 working on the old connection. I'm using CentOS 7 as a
> gateway and it's worked great for several versions for IPv4.
> 
> I'm not seeing any IPv6 default route on the WAN interface. I
> suspect I'm not getting route announcements. I think I have all the
> IPv6 variables in ifcfg-em2 set right. But I do notice that the
> accept_ra file in proc for that interface has value 1, not 2.
> Changing it to 2 doesn't change anything, though. No route appears.
> 
> While I wait for an answer to my trouble ticket, is there some way
> to verify that I'm not receiving any RA packets? Is there a way to
> force a solicitation for one? Is there a tcpdump invocation I can
> use to watch for them? Are there log messages that will tell me when
> an RA has been seen and added to the routing table or ignored?

I haven't touched AT&T's IPv6, but the typical way WAN IPv6 works is:

- gateway sends a router solicitation and gets a router advertisement
  with "stateful config" set, which tells gateway to do DHCPv6 (but
  default route comes from RA)
- gateway does DHCPv6 to get a WAN IP
- after that completes, gateway does DHCPv6 for prefix delegation

If you are running NetworkManager, then IIRC the accept_ra flag doesn't
matter, because NM manages everything rather than have the kernel handle
autoconfiguration (because NM needs to know what's going on with IPs).

As for watching, "tcpdump -p -i  -v ip6" should show
everything (and since you don't have any routing yet, you don't really
need to filter out anything else!).  You could filter "ip6 and
multicast", because RAs and DHCPv6 (and ND, neighbor discovery, the
counterpart to ARP) are all multicast.

-- 
Chris Adams 


Re: [CentOS] C8 and backup solution

2020-04-03 Thread Chris Adams
Once upon a time, Valeri Galtsev  said:
> On 4/3/20 8:34 AM, John Pierce wrote:
> >Do note, backup systems that use rsync or similar file by file copies of a
> >running system do not make coherent atomic snapshots, so things like
> >relational databases should be excluded from those, and backed by database
> >tools
> 
> Long ago I learned to back up databases by dumping them (with a flag
> "lock" or similar to make sure no changes are made during dump), and
> backing up dump file.

It isn't just databases - there are other things that backing up
individual files one at a time is not so good.  The best way to handle
that is to freeze/snapshot the whole filesystem, and then back up the
snapshot.  This can be scripted pretty easily if the filesystem is on
LVM.

Even better is to freeze _all_ filesystems simultaneously - this is
usually easiest if the system is a virtual machine and/or the storage is
on a SAN with snapshot capabilities.
-- 
Chris Adams 


Re: [CentOS] CentOS 6.10 bind DNSSEC issues

2020-03-25 Thread Chris Adams
Once upon a time, Robert Heller  said:
> Yes.  The installed ISC DLV key installed with 
> bind-9.8.2-0.68.rc1.el6_10.3.x86_64 seems to have expired and there does not 
> appear to be a new bind-9.8.2 RPM with a new key.  I guess you can *manually* 
> fetch a new key (look in the installed /etc/named.iscdlv.key file)

ISC DLV has been obsolete for a while now, you should disable it.

> dnssec-lookaside auto;

I think setting this to "no" and restarting named should do it.
-- 
Chris Adams 


Re: [CentOS] System Time

2020-03-08 Thread Chris Adams
Once upon a time, Pete Biggs  said:
> There's also a massive problem with
> signal strength in the UK - the (singular) time transmitter is in the
> middle of the country in Cumbria and in the south it's virtually
> impossible getting a signal any further than about 2 feet from a window
> - not a hope of getting anything in an office building!

There are different systems around the world (WWVB in the US for
example), and I don't think there's a system at all in many countries.
Also, putting a receiver inside a computer case would pretty much never
work for the low radio frequencies used by these systems, so there'd
have to be an external antenna (a lot of effort to go to when you could
just use network time sources).

Radio clock accuracy is typically in the 100ms range, so is good enough
for most people's computer clock usage.

> GPS times also have problems. They are very accurately wrong!  The
> atomic clocks on the satellites haven't been updated since they were
> launched, so no leap seconds.

That is not a problem - GPS time is defined as being continuous, unlike
UTC.  However, the GPS signal includes the UTC offset, which is updated
when UTC applies a leap second, so you can calculate correct UTC from
just the radio signal.  I'm not as familiar with the GPS alternatives
(Galileo, GLONASS, Beidou, and more), but I believe they'd all be the
same (a continuous time base, with offsets specified in the data).

Also, again, GPS signals are weak and require an external antenna.

I do have an external GPS receiver and external antenna hooked up to one
system at home, so I have a stratum-1 NTP server (probably accurate to
about 1µs).

Basically for most, the "chip inside the box to set the clock" is the
network chip. :)  If you need clock setting on a disconnected network,
you can get a dedicated time server.

-- 
Chris Adams 


Re: [CentOS] NetworkManager on servers

2020-02-10 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> The reason is that having 1 way to configure networks makes it so the
> developer and tech support only have to diagnose issues from 1 set of tools
> versus two different ones (and occasionally 2 competing ones if both are
> trying to do their job at the same time).

Not only that - the hodge-podge bash network scripts are kind of a mess.
It is impressive that they do what they do so reliably after so long,
but every new feature appears to have been hacked in by a different
developer, leaving parts of them almost indecipherable.

That's not intended as a criticism of the scripts or the people who
wrote that code - it's just that IMHO they managed to go beyond what is
reasonable in bash scripting, which makes for a difficult to read (and
I'm sure fix/extend) set of scripts.

And even on servers now, there are often dynamic network changes that
work much better with NetworkManager than the old-style static scripts.
Containers, VMs, and VPNs all come and go, and work better with a single
system configuring their networks (rather than each layer implementing
their own setup).
-- 
Chris Adams 


Re: [CentOS] Switching from lokkit (iptables) to firewalld

2020-02-04 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> It will because it is a linear list that every packet has to be 'judged'
> against. Even if you break it down to 2 or 3 trees it will still take a
> while.

Putting them in ipset would be much better performance (uses hash, so
not a linear search).  It also makes for a much more readable and
manageable firewall config.  I use ipsets for most everything these
days, even where there are just a few IPs/networks involved.  However...

> Any list of ip addresses is going to be outdated by a year because of how
> ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
> hundred thousand or million ip addresses without much cost on their part
> and can get new ranges to screw around weekly.

Yeah, it's going to be a useless list.  If you want to protect services,
then short-term blocking like fail2ban is okay - better is to just allow
your "known good" sources and not try to block things bit by bit.

-- 
Chris Adams 


Re: [CentOS] Need info on adobe flash player plugin 32 for CentOS7

2020-01-16 Thread Chris Adams
Once upon a time, Kay Schenk  said:
> I kept getting messages that my old Flash Player 31 was obsolete so
> I went in search of an update.

Adobe stopped releasing Flash for Linux a while back.  IIRC the only
"supported" Flash on Linux is distributed as a part of Google Chrome
(and that's going away sometime soon too, Chrome on all platforms will
no longer support Flash).

-- 
Chris Adams 


[CentOS] CentOS 8 - auto-loading kickstart from USB doesn't work

2020-01-16 Thread Chris Adams
While updating my base kickstart for CentOS 8.1, I noticed it won't
auto-load from a USB device.  I'm testing in a VM, but usually add a USB
drive for the ks.cfg because my kickstart skips USB drives when picking
where to install.  If I leave the drive a virtio, or make it a CD, it
works.

I found https://bugzilla.redhat.com/show_bug.cgi?id=1770969 which then
references a RHEL-subscriber-only solution.

-- 
Chris Adams 


Re: [CentOS] copying files to fill flash drives

2020-01-10 Thread Chris Adams
Once upon a time, Frank Cox  said:
> FILL would take the name of a directory and then start writing files from 
> that directory onto a series of floppy disks in such a way that each disk was 
> made as full as possible, but without modifying the files that it was writing.

I remember using a program like that.  I'm not sure if something like
that is available for Linux, and if it would handle USB (you'd have to
actually look at each stick since they aren't always exactly the same
size).

If it helps your search, what you are looking for is an application of
the knapsack algorithm.
-- 
Chris Adams 


Re: [CentOS] Nasty Fail2Ban update for Centos 7

2020-01-01 Thread Chris Adams
Once upon a time, Allan  said:
> Just noticed that Fail2Ban have generated a 6MB error log because
> of the update, and FirewallD a 1MB log of errors !
> (not sure if any of those were really working after this)

It might be helpful to actually post some of the errors and your local
config (what you have changed from defaults).  Without that, nobody can
help figure out what is happening on your system.

I'm the person that asked for the update - the previous firewalld config
was incomplete (set banaction but not banaction_allports), and I wanted
to see IPv6 support.  I'm using the update on multiple CentOS 7 systems
(some with firewalld and some with iptables) without errors.

-- 
Chris Adams 


Re: [CentOS] VPN connections subject to hijack attack

2019-12-06 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> So for ipv4 CentOS 7 and 8 may not be vulnerable out of the door (they
> set to 1 versus 0 which the announcement says is kernel default and
> safe). However, they found ipv6 works without rp_filter so this is a
> problem.

Yeah, I didn't realize until recently that the Linux kernel only
supports uRPF-style filtering on IPv4, not IPv6.  That's not good IMHO.

There is an iptables rpfilter extension, and I believe firewalld
includes it on IPv6 by default, but firewalld isn't appropriate for all
setups.

-- 
Chris Adams 


Re: [CentOS] C8 and NetworkManager problem

2019-11-20 Thread Chris Adams
Once upon a time, Alessandro Baggi  said:
> 3) I noticed that with NetworkManager a bridge must have an address.
> If I don't specify an address for the bridge, NM will try to assign
> some address, enable the connection  forever (reporting errors in
> messages and on notification bar).

Do you have the device configured to not configure IP?  From the CLI,
do "nmcli con mod  ipv4.method disabled ipv6.method ignore".

-- 
Chris Adams 


Re: [CentOS] C8 and NetworkManager problem

2019-11-20 Thread Chris Adams
Once upon a time, Alessandro Baggi  said:
> Really I don't know,  I can say that they have an entry in fstab and
> I have several mnt-share.mount unit as generated.

Are the fstab entries marked "_netdev"?
-- 
Chris Adams 


Re: [CentOS] Post-installation setup script for CentOS 7 servers

2019-11-18 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> What file holds all those settings, now? As a rule, I prefer to edit
> text files to finding the right GUI/TUI utility to muck with them.
> I'd also like to know how the new and old files interact.

The same config files are in /etc/sysconfig/network-scripts (the
supported options may vary some).

-- 
Chris Adams 


Re: [CentOS] how to know when a system is compromised

2019-11-14 Thread Chris Adams
Once upon a time, Leroy Tennison  said:
>  The executable could be placed on mounted read-only media

That's not as secure as you think.  Linux bind mounts can mount a file
over another file (plus there's overlay filesystems), so it's possible
to replace a binary even on a read-only device.

-- 
Chris Adams 
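
Added example, not part of the original message: one way to spot mounts layered over a supposedly read-only tree is to read /proc/self/mountinfo and flag every mount whose parent mount already lies inside that tree. The path /mnt/tools and the sample mount table are constructed assumptions.

```python
import re
from typing import NamedTuple

# Constructed mountinfo excerpt: read-only media at /mnt/tools, with a file
# bind mount and an overlay placed on top of paths inside it.
SAMPLE_MOUNTINFO = r"""
22 1 8:2 / / rw,relatime shared:1 - xfs /dev/sda2 rw,attr2
45 22 11:0 / /mnt/tools ro,relatime shared:30 - iso9660 /dev/sr0 ro
71 45 0:41 /.cache/ps /mnt/tools/bin/ps rw,nosuid shared:55 - tmpfs tmpfs rw
72 45 0:52 / /mnt/tools/sbin rw,relatime shared:56 - overlay overlay rw,lowerdir=/mnt/tools/sbin,upperdir=/var/tmp/u,workdir=/var/tmp/w
80 22 8:2 /var/lib/data /srv/data rw,relatime shared:1 - xfs /dev/sda2 rw,attr2
"""


class Mount(NamedTuple):
    mount_id: int
    parent_id: int
    root: str         # path inside the source filesystem that was mounted
    mount_point: str
    fstype: str
    source: str


def unescape(field):
    """mountinfo writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo text into {mount_id: Mount}."""
    mounts = {}
    for line in text.splitlines():
        if " - " not in line:
            continue  # blank or malformed line
        left, right = line.split(" - ", 1)
        pre, post = left.split(), right.split(" ", 2)
        if len(pre) < 6 or len(post) < 2:
            continue
        m = Mount(int(pre[0]), int(pre[1]), unescape(pre[3]),
                  unescape(pre[4]), post[0], unescape(post[1]))
        mounts[m.mount_id] = m
    return mounts


def inside(path, tree):
    return path == tree or path.startswith(tree.rstrip("/") + "/")


def mounts_covering(text, protected):
    """List (mount_point, kind, source, root) for mounts stacked on the tree.

    The mount that provides the tree has a parent outside it; anything whose
    parent mount is already inside the tree hides part of the media.
    """
    mounts = parse_mountinfo(text)
    findings = []
    for m in mounts.values():
        parent = mounts.get(m.parent_id)
        if not inside(m.mount_point, protected):
            continue
        if parent is None or not inside(parent.mount_point, protected):
            continue  # this is the base mount of the protected tree
        if m.fstype == "overlay":
            kind = "overlay"
        elif m.root != "/":
            kind = "bind"    # only part of a filesystem (a file or subdir)
        else:
            kind = "mount"
        findings.append((m.mount_point, kind, m.source, m.root))
    return sorted(findings)


if __name__ == "__main__":
    # On a live system, pass open("/proc/self/mountinfo").read() instead.
    for finding in mounts_covering(SAMPLE_MOUNTINFO, "/mnt/tools"):
        print(finding)
```

Run it from a trusted environment: a process inside a different mount namespace sees a different table, and btrfs subvolumes or container roots legitimately show a root other than "/".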


Re: [CentOS] CentOS 8: what changed (regular UNIX admin commands)?

2019-10-22 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> I think that the deprecation of ifconfig and route was started before
> RHEL-7 came out.. and yet I just can't get used to them.

I've started using "ip" for more things lately... partly because I'm
lazy, and once I learned the commands can be abbreviated, I can type
less. :)

ifconfig -> ip l  (or maybe ip -s l if I want counters)
route -> ip r
arp -> ip n

I'm also getting more used to nmcli for connection and configuration
management (which also allows abbreviation - wooo for laziness!).

firewalld is not really the same thing as iptables though; it's more of
a management layer on top of just writing raw rules.  One big issue I
have though is that firewalld always sets up kernel connection state
tracking, which is not a good thing for some uses (high-traffic DNS
servers for example).

The bigger change there is switching from iptables to nftables - while
you can keep using the iptables command and language (there's a
translation), to get the most out of it, you have to learn the nft
command and language (which is different).  I've barely scratched the
surface on that one.

-- 
Chris Adams 


Re: [CentOS] CentOS 8 network-scripts

2019-10-04 Thread Chris Adams
Once upon a time, Ljubomir Ljubojevic  said:
> Bridge for VM's is main reason I hate NM. I now mess with both NM and
> br0 controlled by network because I use Windows VM on my laptop. As soon
> as you disconnect LAN cable your eth and bridge connection are gone and
> stupid KVM can not recover and reconnect to newly activated bridge when
> you return LAN cable, even only a second later...

See the NetworkManager-config-server package.

-- 
Chris Adams 


Re: [CentOS] Centos 8 Mate?

2019-09-25 Thread Chris Adams
Once upon a time, Chris Adams  said:
> Once upon a time, Robert Nichols  said:
> > the lack of VM snapshot capability is a total deal-breaker for me.
> 
> The capability is still there and works just the same as before.  The
> only change is that the new preferred tool for graphical VM management,
> Cockpit, doesn't yet support making snapshots.  virt-manager is still
> there for now (presumably until Cockpit grows all the necessary
> support), and the underlying virsh support hasn't changed.

To add: I forgot that virt-manager snapshot functionality already didn't
work in RHEL 7, because of upstream support changes and underlying
libvirt complications.  While it is possible to manage snapshots
directly with libvirt (via the virsh CLI tool), it's a little
complicated to do and the layered tools don't support it (at least not
yet).

AFAIK, this isn't anything new with RHEL 8, it's just documented now.
-- 
Chris Adams 


Re: [CentOS] Centos 8 Mate?

2019-09-25 Thread Chris Adams
Once upon a time, Robert Nichols  said:
> the lack of VM snapshot capability is a total deal-breaker for me.

The capability is still there and works just the same as before.  The
only change is that the new preferred tool for graphical VM management,
Cockpit, doesn't yet support making snapshots.  virt-manager is still
there for now (presumably until Cockpit grows all the necessary
support), and the underlying virsh support hasn't changed.

-- 
Chris Adams 


Re: [CentOS] Replacing sendmail with postfix (was: deprecations leading up to C8)

2019-09-20 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> Perfect. I think the only other significant customizations I have
> are lines to use the MIMEDefang and OpenDKIM milters. When last I
> looked into migrating, I recall that Postfix handled milters just
> fine.

Milters work a little different under postfix IIRC... I haven't tried
them (which is a little sad, since I think I may have been the first
person to write a sendmail milter :) ).

> Meanwhile, I'd considered replacing procmail with the Dovecot
> delivery program to get access to Sieve filtering but didn't see how
> to easily invoke SpamAssassin as I do now in /etc/procmailrc. Is
> Procmail still the default delivery agent in RHEL8?

Postfix can use lmtp or procmail (I don't remember which is default).
IIRC sieve may not provide external scripting for security reasons.

I use spamassassin via amavisd-new, with messages going postfix ->
amavisd -> second postfix (all via SMTP).  It's more complicated, and
not really necessary for the small setup (but I run larger mail servers
with that setup, so I do the same for my personal servers as well).
-- 
Chris Adams 


Re: [CentOS] Replacing sendmail with postfix (was: deprecations leading up to C8)

2019-09-20 Thread Chris Adams
Once upon a time, Kenneth Porter  said:
> How would you implement the section here titled "Sendmail
> workaround" using Postfix?

http://www.postfix.org/postconf.5.html#recipient_delimiter

-- 
Chris Adams 


Re: [CentOS] Question on server speed

2019-08-06 Thread Chris Adams
Once upon a time, Warren Young  said:
> Back when we had serial mice, the most common data rate was 1200 bps.  That’s 
> 0.0012 Mbit/sec.  If your 480 Mbit/sec USB-2 or 5/10/20 Mbit/sec USB-3 bus is 
> so jammed up that it can’t trickle through that much data per second from the 
> mouse while an SSD on the same bus is blocked on I/O, it’s dreck hardware.

Yes, you have described USB.

The newer storage-specific transfer modes for USB3 try to do better, but
it's still a shared bus and requires lots of CPU "assistance" to do just
about anything.  And there are lots of systems that have some USB3 and
some USB2 ports - accidentally plug your external SSD into a USB2 port
and start copying lots of data, and the system can just about appear to
be hung.  Welcome to USB!

-- 
Chris Adams 


Re: [CentOS] adding uefi to kickstart CentOS 7

2019-07-09 Thread Chris Adams
Once upon a time, Jerry Geis  said:
> I am trying to add an efi partition to my working kickstart file.

Rather than try to set the EFI partition, I just put "reqpart" in and
let the installer decide when it needs it (and how to do it).  I still
have "--location=mbr" in the bootloader line and it seems to just do the
right thing.

One other thing - you don't have a /boot - not sure if the installer
still requires that or not.

Here's an example from a KS I just used on an EFI system (I use LVM so
it's somewhat different):

zerombr
clearpart --initlabel --drives=sda
bootloader --location=mbr --boot-drive=sda
reqpart
part /boot --ondisk=sda --asprimary --size=1024 --fstype=xfs
part pv.1 --ondisk=sda --size=3600 --grow
volgroup centos pv.1
logvol / --vgname=centos --name=root --fstype=xfs --size=1536 --grow
logvol swap --vgname=centos --name=swap --size=2048

-- 
Chris Adams 


Re: [CentOS] Question about ntp

2019-05-27 Thread Chris Adams
Once upon a time, Jobst Schmalenbach  said:
> Chrony cannot supply time info, so if you have clients requesting time info 
> the server cannot serve time, you need ntpd for that. I have many windows 
> stations that pull time from my CentOS servers.

That is not correct.  In the default config, chrony doesn't serve time,
which is a good thing (see: all the problems with ntpd serving a lot
more than time).  All you have to do is uncomment/add "allow" lines in
/etc/chrony.conf.
-- 
Chris Adams 


Re: [CentOS] Bypassing 'A stop job is running' when rebooting CentOS 7

2019-05-22 Thread Chris Adams
Once upon a time, James Szinger  said:
> On Wed, May 22, 2019 at 7:44 AM mark  wrote:
> > The joys of systemd
> 
> I'm not sure it's right to blame systemd.  Systemd asked nicely for
> the service to shutdown.  The service didn't, probably because the
> update changed something and pulled the rug out from beneath it.

Right - before systemd, any old init script could also block shutdown.

> This hasn't happened to me recently, but I think I've tried Ctl-C and
> Ctl-Alt-Del without much success.  That leaves the Big Red Switch
> (which is mostly small and black these days).

There's a "magic" thing systemd does now - hit C-A-D seven times in two
seconds and it'll stop what it is waiting for and just go ahead and
reboot.  Will kill anything not shut down, but at least it'll still try
to cleanly unmount filesystems and such I believe.
-- 
Chris Adams 


Re: [CentOS] how to find out the number of updates for a system

2019-05-22 Thread Chris Adams
Once upon a time, John Pierce  said:
> otoh, it's pretty rare that an update has a new dependency...if the
> package is installed, its existing dependencies are also installed, and if
> they have updates, check-update would show them all, would it not?

It's not as rare as you might think, especially at point-release time.
There are often new dependencies when packages get updates beyond just
bug patching, sometimes an installed package might get obsoleted by a
different package (can't remember if that shows up in check-update),
etc.

-- 
Chris Adams 


Re: [CentOS] how to find out the number of updates for a system

2019-05-22 Thread Chris Adams
Once upon a time, mark  said:
> Ralf Prengel wrote:
> > Hallo,
> > I need the information how many updates are available for a system.
> > What is the best way to find it out in a one line bash script.
> >
> yum check-update, perhaps?

Note that "yum check-update" or "yum list updates" won't tell you how
many packages would be installed with "yum update"... dependencies and
such are not resolved for check-update/list updates.

-- 
Chris Adams 


Re: [CentOS] root .bash_profile?

2019-05-13 Thread Chris Adams
Once upon a time, Bee.Lists  said:
> No, this isn’t a case of multi partitions, clusters, or anything silly.  I 
> just want a set of aliases loaded for su.  /root/.bash_profile isn’t loading, 
> and there isn’t any obvious choice as to where the loaded .bash* were loading 
> from.  

.bash_profile will not be read when you just run "su", because
.bash_profile is read in a login shell, and "su" does not create a login
shell.

.bashrc will be read (and is really where aliases belong anyway), or you
can "su -" to create a login shell.
-- 
Chris Adams 


Re: [CentOS] RHEL 8 released

2019-05-09 Thread Chris Adams
Once upon a time, Johnny Hughes  said:
> We obviously can not yet make an educated guess on WHEN this process
> might or might not be completed .. or WHEN the new version will be
> available.

So, next Tuesday then? :)

Thanks for the update, and all the hard work!

-- 
Chris Adams 


Re: [CentOS] kickstart compat C7 -> C8

2019-05-08 Thread Chris Adams
Once upon a time, Stephen John Smoogen  said:
> Software seems to grow to the maximum space it can occupy. I think in 1989
> we were complaining about BSD not being able to fit on our VAX 750's boot
> drive anymore and we needed to put in a 40MB drive system instead. I expect
> by the 2040's we will be looking at petabyte drives and wondering how we
> can fit anything on it.

I first installed Linux on a 386SX (16MHz IIRC) system with a pair of
20MB hard drives and 2MB RAM... it took a little while. :)  I think we
ended up just using one drive for the root filesystem and the other for
swap!  This was probably 1992 or 1993, can't remember.

Today I installed Linux on a system with 48 CPU cores...
-- 
Chris Adams 


Re: [CentOS] kickstart compat C7 -> C8

2019-05-08 Thread Chris Adams
Once upon a time, Leon Fauster via CentOS  said:
> And this only for Fedora29, a C7 installation works fine (dynamically 
> expands to the boundaries of the disk).

You are asking about Fedora - you'd probably get better results on the
Fedora mailing lists, forums, etc.

-- 
Chris Adams 


Re: [CentOS] RHEL 8 released

2019-05-07 Thread Chris Adams
Once upon a time, Digimer  said:
> If past releases are anything to go by, I would expect it will take a
> few months. Figuring out how to rebuild all the RPMs to get binary
> compatibility is a slow process. Be patient with the CentOS devs, please. :)

To add to that - the whole switch to modularity with RHEL 8 adds
complications to the build system that have to be figured out.  I
believe for example that EPEL can't use modules yet (the details on that
are still being worked out).
-- 
Chris Adams 


Re: [CentOS] UEFI and PXE

2019-04-27 Thread Chris Adams
Once upon a time, isdtor  said:
> Yes, it looks like I'm out of luck and need to find a newer machine to test 
> this with. Moving the tftp server works to an extent - server boots right 
> into a grub prompt.

Weird.  I have a couple of Intel-based systems that do UEFI PXE boot
okay, but they're much newer than the 11th gen PowerEdge (I have some of
those still in service but they're not running UEFI mode).  Also,
they're client-type systems, not servers (a Thinkpad notebook and an
Intel NUC), so possibly different firmware base.

I vaguely remember in the distant past having some kind of problem like
this, and I think on those systems, I used a boot floppy (yes, that long
ago!) with gPXE on it.
-- 
Chris Adams 


Re: [CentOS] UEFI and PXE

2019-04-26 Thread Chris Adams
Once upon a time, isdtor  said:
> 11:06:51.413549 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto 
> UDP (17), length 390)
> 10.1.2.2.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 
> 362, xid 0x4007adc6, Flags [Broadcast] (0x8000)
>   Your-IP 10.1.2.57
>   Server-IP 10.1.2.1  <--
>   Client-Ethernet-Address 00:1b:21:d8:69:1c
>   file "linux-install/bootx64.efi"
>   Vendor-rfc1048 Extensions
> Magic Cookie 0x63825363
> DHCP-Message Option 53, length 1: ACK
> Server-ID Option 54, length 4: 10.1.2.2
> Lease-Time Option 51, length 4: 43200
> Subnet-Mask Option 1, length 4: 255.255.255.0
> Default-Gateway Option 3, length 4: 10.1.2.250
> Domain-Name-Server Option 6, length 8: 10.1.2.2
> Hostname Option 12, length 5: "client"
> Domain-Name Option 15, length 20: "foo.bar.com"
> NTP Option 42, length 8: 10.1.2.2
> RN Option 58, length 4: 21600
> RB Option 59, length 4: 37800
> TFTP Option 66, length 11: "10.1.2.1" <--
> END Option 255, length 0

I do see a couple of differences - main one is that my boot file is in
option 67, not the BOOTP "file" field.  Also, my option 66 is a
hostname, not an IP.  I don't know how you tell ISC DHCP to use option
67 instead of the file field, but maybe that could trigger different
client behavior?

More odd is that dnsmasq is adding a null terminator to both options 66
and 67.  My UEFI PXE clients seem to accept it just fine though.

-- 
Chris Adams 
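
Added example, not part of the original message: a small parser that shows where a DHCP reply carries the PXE boot server and file name (siaddr, the BOOTP file field, options 66 and 67) and flags the differences discussed above. Both packets are built in the code from values quoted in this thread plus constructed addresses (10.10.10.1, 10.10.10.57); they are not captures.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, follows the 236-byte BOOTP header


def ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_reply(yiaddr, siaddr, bootfile=b"", options=()):
    """Build a minimal DHCPACK for the samples below (constructed data)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                     # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x4007ADC6, 0, 0x8000,          # xid, secs, flags (broadcast)
        bytes(4), ip(yiaddr), ip(siaddr), bytes(4),  # ciaddr yiaddr siaddr giaddr
        bytes.fromhex("001b21d8691c"),  # chaddr, NUL-padded to 16 bytes
        b"", bootfile)                  # sname and file, NUL-padded by struct
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC + body + b"\xff"


def parse_options(raw):
    """Walk the code/length/value list; 0 is padding, 255 ends the list."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def boot_info(packet):
    """Report every place the reply names a boot server or boot file."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    siaddr = str(ipaddress.IPv4Address(packet[20:24]))
    file_field = packet[108:236].split(b"\0", 1)[0].decode("ascii", "replace")
    opts = parse_options(packet[240:])
    info = {"next_server": siaddr, "file_field": file_field}
    notes = []
    for code, key in ((66, "opt66_tftp_server"), (67, "opt67_bootfile")):
        raw = opts.get(code)
        if raw is None:
            info[key] = None
            continue
        if raw.endswith(b"\0"):
            notes.append(f"option {code} carries a trailing NUL")
        info[key] = raw.rstrip(b"\0").decode("ascii", "replace")
    if 52 in opts:
        notes.append("option 52 (overload): sname/file fields hold options")
    if info["opt67_bootfile"] is None and file_field:
        notes.append("boot file only in BOOTP file field, no option 67")
    server_id = opts.get(54)
    if server_id and str(ipaddress.IPv4Address(server_id)) != siaddr:
        notes.append(f"next-server {siaddr} is not the DHCP server "
                     f"{ipaddress.IPv4Address(server_id)}")
    info["notes"] = notes
    return info


# Shaped like the ISC DHCP reply quoted above: file name in the BOOTP field,
# option 66 holding an IP literal.
ISC_LIKE = build_reply("10.1.2.57", "10.1.2.1",
                       bootfile=b"linux-install/bootx64.efi",
                       options=[(53, b"\x05"), (54, ip("10.1.2.2")),
                                (66, b"10.1.2.1")])

# Shaped like the dnsmasq reply described above: options 66/67 with trailing
# NULs. The DHCP server address 10.10.10.1 is an assumption.
DNSMASQ_LIKE = build_reply("10.10.10.57", "10.10.10.2",
                           options=[(53, b"\x05"), (54, ip("10.10.10.1")),
                                    (66, b"pxesrv.cmadams.net\0"),
                                    (67, b"shimx64.efi\0")])

if __name__ == "__main__":
    for label, pkt in (("ISC-like", ISC_LIKE), ("dnsmasq-like", DNSMASQ_LIKE)):
        print(label, boot_info(pkt))
```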


Re: [CentOS] UEFI and PXE

2019-04-25 Thread Chris Adams
Once upon a time, Steven Tardy  said:
> The “ICMP unreachable” should be a dead giveaway. . .

You cut out the part of the email where the OP said that the UEFI system
was ignoring the next-server part of the DHCP reply and trying to TFTP
to the DHCP server instead of the TFTP server.  Of course that got ICMP
unreachable, but it isn't a firewall problem.

To the OP: can you post a full tcpdump decode of the DHCP offer?  I
seem to remember having some issue with ISC DHCP in the past not getting
the next server set correctly - maybe a packet will jog some memory (and
I'll go try to grab the same from my dnsmasq DHCP for comparison).

-- 
Chris Adams 


Re: [CentOS] UEFI and PXE

2019-04-24 Thread Chris Adams
Once upon a time, isdtor  said:
> We have a working PXE setup. I've tried to adapt it to UEFI as per
> RHEL6 manual, but the client won't boot.

I have BIOS+UEFI PXE boot set up, although it took some doing.  I still
use SYSLINUX for BIOS, but GRUB2 plus Red Hat's secure boot shim for
UEFI.  I never could get SYSLINUX's UEFI support working very well or
reliably, and it didn't support secure boot at all last I looked.

I also feed most of the content out via HTTP (much faster than TFTP).
That includes generating menus on the fly from perl CGIs (I'm
old-fashioned that way :) ).

I'm using dnsmasq as my DHCP server, so I have this in its config (where
pxesrv.cmadams.net has IP 10.10.10.2):


# EFI boot will set ARCH option (93)
dhcp-match=set:efi64,option:client-arch,7
tag-if=set:bios,tag:!efi32,tag:!efi64

# PXE boot
dhcp-boot=tag:efi64,shimx64.efi,pxesrv.cmadams.net,10.10.10.2
dhcp-boot=tag:bios,bios/lpxelinux.0,pxesrv.cmadams.net,10.10.10.2
dhcp-option-force=lan,209,pxelinux.conf


In my TFTP root, I then extract the following RPMs into subdirectories
(from Fedora 29 currently):

   syslinux-tftpboot shim-x64 grub2-efi-x64 grub2-efi-x64-modules

I put each in a subdirectory and then add symlinks to make it easier to
replace things with the contents of newer RPMs.  I'm including a script
I use that sets that up (and can be re-run at any time to download the
latest RPMs - this assumes the PXE server is Fedora though, but you
should be able to adapt it easily enough).

Since you already have a working BIOS PXE, I'll assume you know how to
make that config file.  The kernel/initrd lines take HTTP URLs just
fine, so that's much faster.

Here's what the output of my grub2.pl CGI looks like (I use gfxterm so I
can load a larger font that I set up locally in the TFTP root - you
should be able to just skip that line):


terminal_input console
loadfont /12x26.pf2
insmod gfxterm
set gfxmode=auto
terminal_output gfxterm
set timeout=-1

set timeout=-1

menuentry 'Install Fedora release 29 x86_64' {
    set root=(http,pxesrv.cmadams.net)
    linuxefi /pub/fedora/linux/releases/29/Server/x86_64/os/images/pxeboot/vmlinuz inst.root=http://pxesrv.cmadams.net/pub/fedora/linux/releases/29/Server/x86_64/os/ inst.stage2=http://pxesrv.cmadams.net/pub/fedora/linux/releases/29/Server/x86_64/os/ repo=http://pxesrv.cmadams.net/pub/fedora/linux/releases/29/Everything/x86_64/os quiet BOOTIF=$net_default_mac
    initrdefi /pub/fedora/linux/releases/29/Server/x86_64/os/images/pxeboot/initrd.img
}


Hope this helps - at least show you some ways to do things.  Here's my
tftpboot setup script:


#!/bin/bash

# Set up a BIOS/UEFI PXE TFTP boot tree on a Fedora system
set -e

# Fetch and extract the RPMs
dnf download syslinux-tftpboot shim-x64 grub2-efi-x64 grub2-efi-x64-modules memtest86+
for rpm in *.rpm; do
    pkg=${rpm%.rpm}
    if [ ! -d "$pkg" ]; then
        # Unpack into a versioned directory, then point a symlink named
        # after the package at it
        mkdir "$pkg"
        cd "$pkg"
        rpm2cpio "../$rpm" | cpio -dumi
        cd ..
        name=$(rpm -q --qf '%{name}' -p "$rpm")
        rm -f "$name"
        ln -s "$pkg" "$name"
    fi
    rm "$rpm"
done

# BIOS setup
if [ ! -d bios ]; then
    mkdir bios
    cd bios
    ln -s ../syslinux-tftpboot/tftpboot/{ldlinux.c32,libutil.c32,lpxelinux.0,memdisk,menu.c32} .
    ln -s ../memtest86+/boot/memtest86+-* memtest-cur
    echo "ui menu.c32 http://pxesrv.cmadams.net/local/pxe.pl" > pxelinux.conf
    cd ..
fi

# EFI setup
if [ ! -d EFI ]; then
    mkdir EFI
    cd EFI
    ln -s ../grub2-efi-x64-modules/usr/lib/grub fedora
    cd ..
    ln -s shim-x64/boot/efi/EFI/fedora/shimx64.efi .
    ln -s grub2-efi-x64/boot/efi/EFI/fedora/grubx64.efi .
    echo "source (http,pxesrv.cmadams.net)/local/grub2.pl" > grub.cfg
fi

-- 
Chris Adams 


Re: [CentOS] When should I reboot?

2019-04-13 Thread Chris Adams
Once upon a time, Tony Mountifield  said:
> That shouldn't matter. The running programs will have mapped the original
> glibc into memory, which will create a reference to the original inode, even
> though the directory entries pointing to it are gone. See the output of "lsof"
> for one of those processes, and you will see the libraries tagged as 
> (deleted).

There can be problems when a running process tries to dlopen() a shared
library file and gets a new version.  For example, if a running process
tries to do a host or user lookup (and hadn't used the method before),
it could crash.

Also, just because a process is still running OK with the old library
doesn't mean you want it to; there could be a security change in the
update that means old processes are vulnerable.

You can use the "needs-restarting" program from the yum-utils package to
see a list of processes that appear to need a restart due to library (or
binary) changes.  It isn't 100% accurate, but it is pretty close.  There
are some things that can't be restarted (like PID 1); then you should
probably reboot.

-- 
Chris Adams 
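
Added example, not part of the original message and not the needs-restarting code: one way to list processes that still map a library that has since been replaced on disk is to look for executable, file-backed entries marked "(deleted)" in /proc/<pid>/maps. The PIDs, addresses and inode numbers in the sample are constructed.

```python
import os

# Constructed /proc/<pid>/maps excerpts, keyed by a made-up PID.
SAMPLE_MAPS = {
    1432: r"""
55d0c8a00000-55d0c8a2b000 r-xp 00000000 fd:00 393301                     /usr/sbin/sshd
7f3a1c000000-7f3a1c1c3000 r-xp 00000000 fd:00 262210                     /usr/lib64/libc-2.17.so (deleted)
7f3a1c1c3000-7f3a1c3c2000 ---p 001c3000 fd:00 262210                     /usr/lib64/libc-2.17.so (deleted)
7f3a1c5d0000-7f3a1c7f1000 r-xp 00000000 fd:00 262377                     /usr/lib64/libcrypto.so.1.0.2k (deleted)
7f3a1d000000-7f3a1d021000 rw-p 00000000 00:00 0
7ffd2b3e1000-7ffd2b402000 rw-p 00000000 00:00 0                          [stack]
""",
    2210: r"""
00400000-0040f000 r-xp 00000000 fd:00 393555                             /usr/sbin/crond
7f90e4000000-7f90e41c4000 r-xp 00000000 fd:00 262901                     /usr/lib64/libc-2.17.so
7f90e4400000-7f90e4401000 rw-s 00000000 00:04 98310                      /SYSV00000000 (deleted)
7f90e4500000-7f90e4501000 rwxs 00000000 00:05 1033                       /memfd:jit (deleted)
""",
}

DELETED = " (deleted)"
# Shared memory, memfd and device mappings are routinely "deleted" and say
# nothing about package updates.
PSEUDO_PREFIXES = ("/SYSV", "/memfd:", "/dev/", "/dmabuf:")


def stale_mappings(maps_text):
    """Return sorted paths of unlinked on-disk files still mapped executable."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping or blank line: no pathname column
        _addr, perms, _offset, _dev, inode, path = parts
        if inode == "0" or not path.endswith(DELETED):
            continue
        if "x" not in perms:
            continue  # data-only segment; the code segment is reported instead
        path = path[:-len(DELETED)]
        if path.startswith(PSEUDO_PREFIXES):
            continue
        stale.add(path)
    return sorted(stale)


def needs_restart(maps_by_pid):
    """Map each PID to its stale files; PIDs with none are left out."""
    report = {}
    for pid, text in sorted(maps_by_pid.items()):
        stale = stale_mappings(text)
        if stale:
            report[pid] = stale
    return report


def read_live_maps():
    """Collect maps for every readable process (run as root to see them all)."""
    collected = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/maps", errors="replace") as handle:
                collected[int(name)] = handle.read()
        except OSError:
            continue  # process exited meanwhile, or permission denied
    return collected


if __name__ == "__main__":
    # Swap SAMPLE_MAPS for read_live_maps() to check the running host.
    for pid, files in needs_restart(SAMPLE_MAPS).items():
        print(pid, ", ".join(files))
```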


Re: [CentOS] C7, ipmi, NIC2, still fighting

2018-07-12 Thread Chris Adams
Once upon a time, mark  said:
> This is that system with the missing management port, and I'm still
> fighting it. Everything *looks* right:
> 
> 3: enp6s0:  mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 00:25:90:0a:42:87 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.100/24 brd 192.168.0.255 scope global enp6s0
> 
> ip route
> 192.168.0.0/24 dev enp6s0 proto kernel scope link src 192.168.0.100
> 
> and  ipmitool lan print
> IP Address Source   : Static Address
> IP Address  : 192.168.0.132
> Subnet Mask : 255.255.255.0
> MAC Address : 00:25:90:0a:42:92
> <...>
> Default Gateway IP  : 192.168.0.100
> Default Gateway MAC : 00:25:90:0a:42:87

No, that does not look right.  You have configured the gateway of the
IPMI to be the host OS side of the NIC.  You can't do that... in a lot
of systems I've seen, the IPMI side of the NIC can't even talk to the
host OS on the network.

The IPMI LAN is an independent controller, separate from the host OS.
It does not use any routing/firewall/etc. from the host OS.  It is just
another device on the network that happens to share the same physical
port as the host.  It should be configured to talk to the same network
gateway and such as the host OS.

Think of it as if you have two independent systems inside one box; a PC
and an IPMI device.  It is similar to them being two devices with an
ethernet switch between them (and another port to the outside world).
It doesn't actually work that way (because they are sharing the physical
port), but it is close.
-- 
Chris Adams 


Re: [CentOS] Semi-OT: ipmitool or ipmicfg: set BMC to use NIC 2

2018-06-29 Thread Chris Adams
Once upon a time, mark  said:
> It's the end of the week, and maybe I'm being dense, but I still don't get
> it: how do I tell the BMC to use eth1? Do I give it eth1's MAC address as
> a gateway?

Choosing the NIC(s) for IPMI is not a general configuration of IPMI;
that's going to be a vendor/hardware specific setting (if it can be done
at all).  Different vendors have different methods of configuring which
NIC(s) have IPMI access.  You won't be able to configure that with
ipmitool; it'll typically have to be set in the BIOS and/or BMC boot
configuration menus.

-- 
Chris Adams 


Re: [CentOS] Persisting Routes In A Routing Table Other Than The Default

2018-05-16 Thread Chris Adams
Once upon a time, Adam Tauno Williams <awill...@whitemice.org> said:
> On Tue, 2018-05-15 at 13:04 -0500, Chris Adams wrote:
> > Once upon a time, Adam Tauno Williams <awill...@whitemice.org> said:
> > > Rules load automatically via the /etc/sysconfig/network-
> > > scripts/rules-
> > > {interface} files.  Routes added to /etc/sysconfig/network-
> > > scripts/routes-{interface} are always added to the default policy.
> > What are you putting in the routes- file?  I just put something
> > like:
> > table 200 default via 192.168.41.1 dev eth1
> 
> My route-ens192 file looks like -
> 
> ...
> ADDRESS20=192.168.10.0
> NETMASK20=255.255.255.0
> GATEWAY20=192.168.1.6
> METRIC20=0
> ADDRESS21=192.168.40.0
> NETMASK21=255.255.255.0
> GATEWAY21=192.168.1.6
> METRIC21=0
> ...
> 
> Adding a ^table line doesn't do anything.

You can't mix and match the two styles of route file entries, and IIRC
the only way to set a "table" is with the type I posted.  So, you'd have
to replace the contents of the file like:

table 123 192.168.10.0/24 via 192.168.1.6 dev eth1
table 123 192.168.40.0/24 via 192.168.1.6 dev eth1

and so on.  Each line in the file is all the arguments to "ip route add"
for a single entry.
-- 
Chris Adams <li...@cmadams.net>


Re: [CentOS] Persisting Routes In A Routing Table Other Than The Default

2018-05-15 Thread Chris Adams
Once upon a time, Adam Tauno Williams <awill...@whitemice.org> said:
> Rules load automatically via the /etc/sysconfig/network-scripts/rules-
> {interface} files.  Routes added to /etc/sysconfig/network-
> scripts/routes-{interface} are always added to the default policy.

What are you putting in the routes- file?  I just put something
like:

table 200 default via 192.168.41.1 dev eth1

-- 
Chris Adams <li...@cmadams.net>


Re: [CentOS] XScreenSaver

2018-04-08 Thread Chris Adams
Once upon a time, Nicolas Kovacs <i...@microlinux.fr> said:
> No, there's no configuration setting. And no way to turn it off. Patrick
> Volkerding wrote about this some time ago in Slackware's ChangeLog.txt,
> explaining he decided to upgrade this single piece of software
> mid-release just to get rid of the nagging warning screen.

It's Open Source - patching to remove such a nag is legal and a service
to the users.

It's a screensaver program - how many updates does it need anyway?  If
it is just updates to add more fancy animations, there is zero reason to
demand people upgrade.
-- 
Chris Adams <li...@cmadams.net>


[CentOS] DHCPv6 prefix delegation

2018-04-07 Thread Chris Adams
Is there a DHCPv6 client in CentOS that supports prefix delegation
correctly?  The old version of dhclient can't set a requested prefix
delegation length, so isn't very useful, and I can't get the even-older
wide-dhcpv6 from EPEL to work.

-- 
Chris Adams <li...@cmadams.net>


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Chris Adams
Once upon a time, Valeri Galtsev <galt...@kicp.uchicago.edu> said:
> https://letsencrypt.org/
> 
> - you will have to run web server to have certificate signed by
> them

Not necessarily - we do most of our Let's Encrypt validation with DNS
rather than HTTP.
-- 
Chris Adams <li...@cmadams.net>


Re: [CentOS] RADIUS

2018-03-01 Thread Chris Adams
Once upon a time, hw <h...@gc-24.de> said:
> The task is to provide wireless coverage for employees and customers on
> company premises.  It is desirable to be able to keep track of customers,
> as in knowing where exactly on the premises they currently are (within
> like 3--5 feet, which is apparently tough), and simpler things like knowing
> how long they stay and if they have been on the premises before.  To avoid
> legal issues, it is probably advisable that customers need to agree to
> some sort of terms of usage.

What you are talking about requires very specialized wifi setups, which
AFAIK no freely-available tools implement.  You need to be talking to
enterprise wifi hardware vendors to get that kind of thing.

RADIUS is an AAA (Authentication, Authorization, and Accounting)
protocol.  It might be one small tool used in authorization, like
letting employees on the network, but that would be up to the wifi
vendor's controller system (some can use RADIUS, some can use AD, some
use their own systems, etc.).

-- 
Chris Adams <li...@cmadams.net>


Re: [CentOS] Xen hypervisor on CentOS 7.4 with modern UEFI server not booting from grub

2018-01-31 Thread Chris Adams
Once upon a time, John Naggets <hostingnugg...@gmail.com> said:
> Jonathan brings it exactly to the point: we have to face UEFI because
> legacy mode is fading out, if I enable legacy mode I can't even boot
> anymore through the network (PXE) as these newer network cards can
> only boot PXE with UEFI.

UEFI PXE is different than BIOS PXE and needs to download different
software from the TFTP server.  I use syslinux for BIOS PXE, but it
doesn't seem to work with UEFI PXE so I use grub2 (I use the secure boot
shim from Fedora to support as many setups as practical).  You can have
both available at the same time (takes a DHCP tweak).

Just like the early days of BIOS PXE however, UEFI PXE clients don't
always seem to do the right thing.  I have an Intel NUC (7th gen), and
it always fails with UEFI PXE.

-- 
Chris Adams <li...@cmadams.net>
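
Added example, not part of the message above and not the poster's own configuration: one way to serve BIOS and UEFI PXE clients from the same DHCP server, by choosing the boot file from the client architecture option (DHCP option 93, RFC 4578). It assumes ISC dhcpd; the addresses, directory layout and file names are constructed for illustration.

```conf
# Added example for ISC dhcpd. All addresses and paths are constructed.
# DHCP option 93 (RFC 4578) carries the PXE client's firmware architecture.
option arch code 93 = unsigned integer 16;

class "pxeclients" {
  # PXE firmware identifies itself with a vendor class starting "PXEClient".
  match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";

  # TFTP server holding both boot loaders (constructed address).
  next-server 192.0.2.10;

  if option arch = 00:07 or option arch = 00:09 {
    # x86-64 UEFI firmware (clients report either value in practice).
    # The signed shim is fetched first; it then loads grub2 from the
    # same TFTP directory, so Secure Boot systems can boot as well.
    filename "uefi/shimx64.efi";
  } elsif option arch = 00:06 {
    # 32-bit UEFI: nothing is provided here, so no filename is offered.
  } else {
    # Legacy BIOS PXE (architecture 0) and anything unrecognized
    # falls back to syslinux's pxelinux.
    filename "bios/pxelinux.0";
  }
}

subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
  option routers 192.0.2.1;
}
```

Keeping the two loaders in separate TFTP directories stops their configuration files (pxelinux.cfg/ and grub.cfg) from colliding.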

