In Enterprise Linux, it is often desirable to minimize the number of updates to install. Many admins just want to apply security-related updates. This is easily done using yum security plugin. First, install the plugin:

yum install yum-plugin-security

To install only the security updates :

yum --security update

You’ll see something similar to:

===================================================================================
 Package           Arch        Version             Repository                 Size
===================================================================================
Updating:
 mysql             x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      907 k
 mysql-libs        x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      1.2 M
 mysql-server      x86_64      5.1.69-1.el6_4      rhel-x86_64-server-6      8.7 M

Transaction Summary
===================================================================================

That’s it. But there are many other things you can do. For example, yum updateinfo has some handy options. Try the following:

yum updateinfo summary
yum updateinfo list security
yum updateinfo list available
yum updateinfo list bugzillas

The first command may show:

Updates Information Summary: available
    3 Important Security notice(s)
    2 Bugfix notice(s)
updateinfo summary done

The second command will display the advisory info such as:

RHSA-2013:0772 Important/Sec. mysql-5.1.69-1.el6_4.x86_64

Then you can apply the update based on the advisory:

yum update --advisory RHSA-2013:0772

Notes for CentOS and Scientific Linux users
At the time of this writing, CentOS does not have the yum security feature implemented. This may change in a near future. Stay tuned.

Scientific Linux has been providing the package updates in two repositories, sl-security and sl-fastbugs. The sl-security repo contains security-related packages plus their dependencies and is shipped enabled by default. The sl-fastbugs repository is for non-security updates which is shipped disabled. Thus, applying security only updates is the default behavior.

You can have the MOTD (message of the day) display messages that may be unique to the machine. One way to do this is to create a script that runs when a user logs on to the system.

First, create a script, make it executable, and save it in /etc/profile.d. Here is an example script named mot.d:

#!/bin/bash
#
echo -e "
##################################
#
# Welcome to `hostname`
# This system is running `cat /etc/redhat-release`
# kernel is `uname -r`
#
# You are logged in as `whoami`
#
##################################
"

Next, edit /etc/ssh/sshd_config as follows:

PrintMotd no

This will disable motd. Now restart the sshd service.

That’s it! When you log in, you’d see something similar to:

##################################
#
# Welcome to machine1
# This system is running Red Hat Enterprise Linux Server release 6.4 (Santiago)
# kernel is 2.6.32-358.2.1.el6.x86_64
#
# You are logged in as user2
#
##################################

[ Please note that this does not work if your login shell is (t)csh. ]

Customizing ssh banner message

You can also create customized greetings for users connecting to your system through ssh. Note that this message is displayed before the actual login.

Create a text file that should appear as the greetings, for example, /etc/sshgreetings.txt.

$ cat /etc/sshgreetings.txt
###############################
#                             #
#      Welcome to Machine1    #
#                             #
###############################

Then edit /etc/ssh/sshd_config as follows:

Banner /etc/sshgreetings.txt

One might say, “OK, I will get to the next appointment 1 second ahead, good!”. So who cares? System administrators would take the matter seriously though. In fact, you may remember a story of Linux machines crashing at the last occurrence of a leap second [1]. It was due to bad code in the kernel prior to 2.6.29 and many OSs were affected including RHEL 4 and 5 [2].

The code has been fixed since. Make sure your kernel is newer than kernel-2.6.18-164.el5 (RHEL/CentOS/SL). RHEL/CentOS/SL 6 kernels are not affected.

A quick note to add is that the above issue applies only if you are running NTP. If the system is not running NTP, you need to correct the clock manually.

[1] http://ask.slashdot.org/article.pl?sid=09/01/01/1930202

[2] https://bugzilla.redhat.com/show_bug.cgi?id=479765

To remove these options from the list of available actions, create a PolicyKit file named 10-disable-suspend-hibernate.pkla (for example) with the following contents:

[Disable suspend]
Identity=unix-group:*
Action=org.freedesktop.devicekit.power.suspend;org.freedesktop.devicekit.power.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no

and save it in the /var/lib/polkit-1/localauthority/50-local.d directory.

In VMWare Workstation 7.1.4 build-385536, I see this info with the modinfo command:

vermagic:       2.6.32-71.el6.x86_64 SMP mod_unload modversions

A workaround is to compile the vmmon module on EL 6.1.
Make sure you have kernel-devel installed that matches the running kernel.
Start as a user (not root):

(1) mkdir ~/vmsrc ; cd ~/vmsrc
(2) tar xvf /usr/lib/vmware/modules/source/vmmon.tar
(3) cd vmmon-only
(4) make [Note: this builds vmmon.ko]
(5) strip --strip-debug vmmon.ko [This is optional. Note the two dashes]
(6) su -
(7) cd /lib/modules/`uname -r`/misc
(8) mv vmmon.o vmmon.o.dist [Note: save the original just in case]
(9) cp /(path to user's home)/vmsrc/vmmon-only/vmmon.ko vmmon.o

That should do it!

There are two versions currently being maintained: the long-term kernel 2.6.35 and the latest stable line (2.6.37 as of this writing). Is the newer version better? Not really so. The first alarming sign came from Dag and the maintainer of kernel-ml, Alan. The Gnome power management did not operate correctly for their laptops with kernel-ml-2.6.36.

Alan recently noted that, the further away the LKA (Linux kernel archive) kernel becomes from the 2.6.18 kernel (which is the basis of EL5), the less likely a stable LKA kernel will be usable. In fact, on certain hardware, kernel-ml 2.6.35 runs fine whereas 2.6.37 does not [1,2].

Quoting Phil, “I see more “value” in the kernel-ml-2.6.35 offering. I agree that sooner or later you are likely to hit a point of diminishing returns, and perhaps you’ve already reached that point with the current kernel-ml-2.6.37.”

So, is this kernel too far ?

[1] http://lists.elrepo.org/pipermail/elrepo/2011-February/000473.html
[2] http://lists.elrepo.org/pipermail/elrepo/2011-March/000542.html

It is possible to disable it. Problem is … it is not easy to do it. The following command (one-liner) will disable the gdm greeter’s listing of users:

sudo -u gdm gconftool-2 --type bool --set /apps/gdm/simple-greeter \\
/disable_user_list true

By the way, you can see the set value by:

sudo -u gdm gconftool-2 --get /apps/gdm/simple-greeter/disable_user_list

Note that the command was run as gdm. Running the same gconftool-2 command as root would not work. Alternatively, you can modify the systemwide configuration. It will be just easy if you manually edit the file /etc/gconf/gconf.xml.defaults/%gconf-tree.xml and change the boolean for disable_user_list from false to true.

egrep '(vmx|svm)' --color=always /proc/cpuinfo

There was an intriguing post by pjwelsh in the CentOS forums . Apparently he has a VT-capable CPU but it did not show up in /proc/cpuinfo. When he tried Fedora, it was there.

When someone as knowledgeable as pjwelsh reports an issue, it really needs attention but the thread did not yield any answer.

Then more recently, a post that seemingly reports the same problem appeared in the Forums. It was time to do more investigation.

Turns out it was a known issue and there was an entry in the Red Hat bugzilla explaining how that happened.

As work for 5.5 we masked out a bunch more cpuid flags, one of which was vmxe. This has caused some confusion since many people are used to looking in /proc/cpuinfo for vmx in order to detect if the hardware is capable of virtualization. To avoid the confusion, we’ll bring it back. It does, however, open a door for a guest admin to shoot themselves in the foot (i.e. attempt to load the KVM module on a Xen guest, which will crash the guest). The svm flag for AMD machines is also brought back.

Hmmm, seems over-cleaning to me. The fix was applied as of kernel-2.6.18-194.17.1.el5.

When you attempt to connect to a remote machine using freenx, you might encounter this message:

The NX service is not available or the NX access was disabled on host XXX.

This is likely due to SELinux blocking the connection. If you are using QtNX, it just hangs without any message.  Here is how to solve the issue.

(1) Disable auditd.

service auditd stop

(2) Rename /var/log/audit/audit.log or move it somewhere else.

(3) Enable auditd

service auditd start

(4) Try connection from the client. It will fail. This writes the audit.log file.

(5) Generate SELinux policy rules from the log file and install it.

cat /var/log/audit/audit.log | audit2allow -M freenx
semodule -i freenx.pp

(6) You can see the policy by reading the .te file.

cat freenx.te

module freenx 1.0;

require {
type nx_server_var_lib_t;
type sshd_t;
class file read;
}

#============= sshd_t ==============
allow sshd_t nx_server_var_lib_t:file read;

(7) Now, try connecting from the client again. It will fail again. Repeat the steps (1) to (5) using ‘freenx2′ instead of ‘freenx’.

(8) You will most likely need to repeat the process yet one more time until the connection finally succeeds. So, once again repeat the steps (1) to (5) but this time using ‘freenx3′ instead of ‘freenx’.

If you look at the policy files generated, you will find what was added by each action.


Search term  M/L Forums
============ === ======
install        0    25
installation   0     7
kernel         0    23
driver(s)      0    22
DNS            3    37
postfix       19    24
sendmail       5    30
selinux        0    23
apache         0    23
httpd          0    40
xen            3    33
kickstart      5    25
crash          2    21
panic          2    27


Google’s tendency to pick up forum posts rather than mailing list posts is much more obvious now than it was last year.  It looks as if Google is fond of the forums better than the mailing lists Or is it simply because there are more posts in the forums?

Regardless of the reason, what this means is that it is important to keep the quality of the forum contents high.  I would say that the current status is quite good; there are a number of forum regulars providing help.  Inappropriate replies, if they appear, get corrected by senior members.  Still, the forums can use more helping hands.  Why don’t you join in and make this CentOS help venue even better?