Linux

Drown security vulnerability

Protect yourself from drown attack by updating your openssl package.
Redhat patched openssl 1.0.1e

# rpm -q --changelog openssl-1.0.1e-51.el7_2.4.x86_64 | head
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method

goto https://drownattack.com/ for more info

Cluster ssh with nice fonts !

Cluster ssh is super nice, but out of the box it got ugly and small fonts.
Here’s my Cluster ssh config, which I respectfully ripped from the net:

# $HOME/.clusterssh/config
terminal_args=-fa  'DejaVu Sans Mono:style=Book' -fs 11
# note these are not consistent with the TTF font selection, so have to 'adjust' accordingly
#terminal_size=80x24
# for terminal_args=-fa  'DejaVu Sans Mono:style=Book' -fs 12:
#terminal_size=133x36
# for terminal_args=-fa  'DejaVu Sans Mono:style=Book' -fs 11
terminal_size=120x34

Thank you dansnotebook.blogspot.no

puppet 2.7.x complaining about “err: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not parse YAML data for node”

You’ll probably find numerous links that tell you to delete

/var/lib/puppet/yaml/[fqdn].yaml

in puppetmaster, node or both.

None of those solved my problem.

Upgradeing to puppet-2.7.25 didn’t help either .

On my puppet client, in /var/lib/puppet deleting

rm -fr state/ lib/ facts/ client*

at least let me run puppet again, but next run gives that 400 error again …

note to self: get back to this post when I get time to further debugging this really annoying issue

tcpdump tip

As I was debugging an issue at work related to http headers being forwarded by haproxy I used a couple tcpdump commands that was great, storing here for future reference .

tcpdump -s 1024 -l -A | grep X-Forwarded-For

tcpdump -s 1024 -l -A src 192.168.9.56 or dst 192.168.9.56

First one will print lines containing X-Forwarded-For, second one let you filter on src and/or destination .
Note that tcpdump by default does not include 127.0.0.1 or ::1 ( lo ) .

CentOS 7 dhcp + custom ‘search domain’

I’m running CentOS 7 on my workstation these days, like it a lot.
At work our dhcp setup dns search for the domain containing our windows hosts but the Unix and Linux hosts I work with are in an other domain.
In the network manager gui in gnome3 I can’t seem to figure out where to add this second search domain, so I’ve been adding it manually to resolv.conf after each boot …

Got tired of that so i added:

DOMAIN='myDomain.no'

in /etc/sysconfig/network-scripts/ifcfg-eno1 and did a

systemctl restart network.service

problem solved.

thnx superuser.com

UPDATE 30th october 2015:
This does not work at all at my workstation at my new job.
I’m not using NetworkManager any more, not sure if that’s the reason though.

By setting SEARCH in /etc/sysconfig/network instead things got a lot better:

# /etc/sysconfig/network
SEARCH='example.com sub.example.com'

View changelog for a package in Fedora/CentOS/Redhat

A really cool, and handy, feature of rpm is the ability to view the changelog for a package you’ve installed, or recently updated:

$ rpm -q --changelog gnome-shell | less

* Wed Apr 16 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-32
- Improve vertical monitor layouts
  Resolves: rhbz#1096186

* Wed Mar 19 2014 Florian Müllner <fmuellner@redhat.com> - 3.8.4-31
- Fix some more background memory leaks
  Resolves: rhbz#1027192

* Wed Mar 12 2014 Ray Strode <rstrode@redhat.com> 3.8.4-30
- Fix automatic shield lifting when smartcard is inserted
  Resolves: #1063488

* Mon Mar 10 2014 Ray Strode <rstrode@redhat.com> 3.8.4-29
- Don't show user list if require smartcard is true
  Resolves: #1063390