Thursday, August 8, 2019

RHEL7.7 dracut Failed to install module libnvdimmvmxnet3

I just upgraded one of my systems from RHEL 7.6 to 7.7. During the update, I got the following error:
dracut[43998]: Failed to install module libnvdimmvmxnet3
The fix is this: in every file under /etc/dracut.conf.d/*.conf that sets add_drivers (in my case both nvdimm-security.conf and vmware-tools.conf), edit the "add_drivers" line so the quoted value has a leading and a trailing space. e.g. in nvdimm-security.conf, change:
add_drivers+="libnvdimm"
to
add_drivers+=" libnvdimm "
and in vmware-tools.conf, change:
add_drivers+="vmxnet3 vmw_pvscsi"
to
add_drivers+=" vmxnet3 vmw_pvscsi "
Then run "dracut --force" to rebuild your initramfs; the "Failed to install module libnvdimmvmxnet3" error should be gone. The reason for the problem is that dracut builds the driver list by plain string concatenation of every "add_drivers+=" fragment, with no separator inserted, and only then splits the result on whitespace: "libnvdimm" followed by "vmxnet3 vmw_pvscsi" becomes "libnvdimmvmxnet3 vmw_pvscsi", and there is no module called libnvdimmvmxnet3. The same applies to every other list variable in dracut.conf(5) (add_dracutmodules, omit_drivers, filesystems, install_items and so on), and it only bites once two or more fragments are combined, which is why a single file with one add_drivers line works by accident. See the dracut.conf man page for the warning that was apparently ignored by the open-vm-tools folks: "Space-separated lists have to have a leading and trailing space"
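As an added example (not part of the original post, and not dracut's own code): a small POSIX sh script that reproduces the concatenation dracut performs, scans a dracut.conf.d directory for list values missing the leading/trailing space, and rewrites them in place. It assumes double-quoted values, as in the files quoted above; the set of variables it checks is the one dracut.conf(5) describes as space-separated lists, and the script name used below is just a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: check and fix dracut.conf.d list
# values that lack the leading/trailing space dracut.conf(5) requires, and
# show why a missing space yields a module name like "libnvdimmvmxnet3".
# Assumption: values are double-quoted, e.g. add_drivers+="vmxnet3 vmw_pvscsi".

# Variables dracut.conf(5) documents as space-separated lists.
DRACUT_LIST_VARS='add_dracutmodules|omit_dracutmodules|dracutmodules|add_drivers|omit_drivers|drivers|filesystems|install_items|fscks'

# dracut_join VALUE... : what dracut does with the fragments, plain string
# concatenation with no separator, before splitting on whitespace.
dracut_join() {
    out=""
    for v in "$@"; do out="$out$v"; done
    printf '%s\n' "$out"
}

# check_dracut_conf [DIR] : print one line per offending assignment;
# returns 1 if any were found, 0 if the directory is clean.
check_dracut_conf() {
    dir="${1:-/etc/dracut.conf.d}"
    bad=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        while IFS= read -r line; do
            # name of the list variable assigned on this line, if any
            var=$(printf '%s\n' "$line" | sed -n -E 's/^[[:space:]]*('"$DRACUT_LIST_VARS"')\+?=.*$/\1/p')
            [ -n "$var" ] || continue
            # the value between the double quotes, whitespace preserved
            val=$(printf '%s\n' "$line" | sed -E 's/^[^=]*="?//; s/"?[[:space:]]*$//')
            case "$val" in
                " "?*" ") ;;   # leading and trailing space present: fine
                *) printf '%s: %s+="%s" needs a leading and trailing space\n' "$f" "$var" "$val"
                   bad=$((bad + 1)) ;;
            esac
        done < "$f"
    done
    [ "$bad" -eq 0 ]
}

# fix_dracut_conf [DIR] : rewrite each offending double-quoted value as
# " value " (idempotent; keeps a .bak copy of every file it touches).
fix_dracut_conf() {
    dir="${1:-/etc/dracut.conf.d}"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        sed -E -i.bak \
            's/^([[:space:]]*('"$DRACUT_LIST_VARS"')\+?=)"[[:space:]]*([^"]*[^"[:space:]])[[:space:]]*"/\1" \3 "/' \
            "$f"
    done
}

# Usage: sh check-dracut.sh check [DIR]   or   sh check-dracut.sh fix [DIR]
case "${1:-}" in
    check) check_dracut_conf "$2" ;;
    fix)   fix_dracut_conf "$2" && check_dracut_conf "$2" ;;
esac
```

Run "sh check-dracut.sh check" to report and "sh check-dracut.sh fix" to rewrite, then "dracut --force" and confirm the drivers actually landed with "lsinitrd /boot/initramfs-$(uname -r).img | grep -E 'vmxnet3|libnvdimm'".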

Tuesday, June 4, 2019

rpm command pauses for 20 seconds

I'd just built a new system and found that when I issued any 'rpm' command, it paused for 20 seconds before doing anything.

Turns out that I had a build error in my kickstart, and it made /etc/hosts empty! So 'rpm' was trying to do a DNS lookup on 'localhost' and timing out. I don't know why rpm needs to do a lookup at all, but...

In any case, the fix was to add the "standard" /etc/hosts entries for localhost (afterwards, "getent hosts localhost" should answer immediately instead of waiting on DNS):

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Tuesday, April 2, 2019

How to use firewalld to filter traffic to docker

Note: my platform is Docker CE 18.09 on CentOS 7; YMMV. I only recently started using docker, but there is one very important thing you need to know:
By default, every external source IP can reach every port a container publishes (-p), regardless of your firewalld zone rules. Docker inserts its own iptables rules, and traffic to published ports is DNATed and then handled in the FORWARD chain, which the zone rules firewalld places on INPUT never see.

Filtering by IP is actually easy once you know how, but I had a hell of a time finding the key information, and for me that was three-fold:
1. If the "DOCKER-USER" chain is not present when Docker starts, Docker creates it with a single RETURN rule, i.e. it lets everything through; an existing chain is not flushed. Therefore:
2. You must stop the docker service before configuring the DOCKER-USER iptables chain
3. You must add the DOCKER-USER chain (and rules) before the docker service starts. Reloading firewalld also flushes the rules Docker installed, which is why the sequence below reloads firewalld first and starts docker last.

partial reference: https://github.com/moby/moby/issues/35043

i.e., for an external interface ens224 and two allowed hosts (adjust both):

service docker stop
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -i ens224 -s 1.2.3.4 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 2 -i ens224 -s 5.6.7.8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 3 -i ens224 -j DROP
service firewalld reload
service docker start
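As an added example (not part of the original post): a small script that generates the same firewalld direct rules from an allowlist, applies them in the order above, and adds one rule the list above lacks. Because DOCKER-USER sits at the top of FORWARD, the final DROP also discards the replies to connections that containers themselves open to the outside (those arrive on the external interface too), so a conntrack rule for RELATED,ESTABLISHED goes first and hands that traffic back to Docker's own chains with RETURN. The interface name ens224 and the addresses are placeholders; the script only prints the commands unless invoked with "apply".

```shell
#!/bin/sh
# Added example, not from the original post: build the firewalld direct rules
# for DOCKER-USER from an allowlist and apply them in the order the post
# describes (docker stopped, rules loaded, firewalld reloaded, docker started).
# Interface and addresses are placeholders supplied on the command line.

# docker_user_rules IFACE ALLOWED_SOURCE... : print the firewall-cmd commands
docker_user_rules() {
    ifc="$1"; shift
    p="firewall-cmd --permanent --direct"
    # start from a clean chain (on a fresh system the remove-* calls just
    # report NOT_ENABLED, which is harmless)
    echo "$p --remove-rules ipv4 filter DOCKER-USER"
    echo "$p --remove-chain ipv4 filter DOCKER-USER"
    echo "$p --add-chain ipv4 filter DOCKER-USER"
    prio=1
    # replies to connections the containers opened themselves: hand them back
    # to Docker's own chains instead of hitting the DROP below
    echo "$p --add-rule ipv4 filter DOCKER-USER $prio -i $ifc -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for src in "$@"; do
        prio=$((prio + 1))
        echo "$p --add-rule ipv4 filter DOCKER-USER $prio -i $ifc -s $src -j ACCEPT"
    done
    prio=$((prio + 1))
    # everything else arriving on the external interface for a container
    echo "$p --add-rule ipv4 filter DOCKER-USER $prio -i $ifc -j DROP"
}

# apply_docker_user_rules IFACE ALLOWED_SOURCE... : the full stop/load/reload/start cycle
apply_docker_user_rules() {
    systemctl stop docker
    docker_user_rules "$@" | sh
    firewall-cmd --reload
    systemctl start docker
}

# Usage: sh docker-user-rules.sh print ens224 1.2.3.4 5.6.7.8
#        sh docker-user-rules.sh apply ens224 1.2.3.4 5.6.7.8
case "${1:-}" in
    print) shift; docker_user_rules "$@" ;;
    apply) shift; apply_docker_user_rules "$@" ;;
esac
```

After docker is up, "iptables -L DOCKER-USER -n -v --line-numbers" should list the conntrack rule, the ACCEPTs and the DROP in that order, and "iptables -L FORWARD -n" should still show Docker's own jumps (DOCKER-USER, DOCKER-ISOLATION, DOCKER); if those are missing, firewalld was reloaded after docker started and the cycle has to be repeated. Only IPv4 is covered here; add matching ipv6 direct rules if Docker's IPv6 support is enabled.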

Friday, October 19, 2018

yum repolist without connecting to repos


Here's how you get yum to list all the configured repos, without actually connecting to any of them (e.g. if your system is offline):

yum -C repolist all

The "-C" (--cacheonly) option tells yum to use the local cache, no matter how old the cache is; dnf on RHEL/CentOS 8 and later accepts the same option.


Wednesday, August 15, 2018

Windows Schannel error event ID 36871 a fatal error occurred while creating an SSL server credential. The internal error state is 10011


I recently encountered this error on a Windows 7 system, after a vendor-provided update to some third-party software.  RDP stopped working after the update, and the problem turned out to be layered.  The TL;DR version is this:  FIPS mode was enabled, but the configured cipher suite order contained nothing Schannel would use in FIPS mode.

First, the simple part:  the vendor disabled RDP via GPO.  That's an easy thing to undo and I won't detail it here.

But even after enabling RDP via GPO, it still wouldn't work.  The RDP client wouldn't connect.  When I connected with openssl s_client I got this:

# openssl s_client -connect system:3389
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Looking in the Windows Event Log, I found an error from Schannel with Event ID 36871, and the error text "a fatal error occurred while creating an SSL server credential.  The internal error state is 10011."  The openssl output above proves little by itself, by the way: RDP negotiates its security layer in an X.224 connection request before any TLS, so a raw s_client to port 3389 is reset even by a healthy host.  The Schannel event is the real evidence.

I eventually narrowed this down to the fact that the vendor had turned on FIPS mode (the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy).  On this system, though, I had restricted the allowed cipher suites to a short "modern" list (ECDHE-RSA-AES256-SHA384 and the like), and with FIPS mode on, Schannel was left with no cipher suite it was willing to use, which leaves it unable to create a server credential and produces this event.  Note that FIPS mode does not mean "old and less secure" algorithms: AES, SHA-2, RSA and ECDHE are all FIPS 140-approved, and what FIPS mode removes are suites built on RC4, MD5 and similar.  The practical problem is that a hand-picked suite order and the list Schannel accepts in FIPS mode on a given Windows version can have an empty intersection.

So the fix was to disable FIPS again.  If FIPS mode has to stay on, the alternative is to add back at least one suite from the list Microsoft publishes for Schannel in FIPS mode on that Windows version, then restart Remote Desktop Services (or reboot) and check the event log again.

Wednesday, August 9, 2017

Setup meinberg NTP client on Windows Server 2012 using ntp service account


I recently attempted to install the Meinberg NTP client on a Windows Server 2012 system, but ran into a problem during the installation.  At one point, the installer asks you what account to use for the service:  1) a newly-created "ntp" service account, or 2) run as SYSTEM (there might be a third option; I don't remember).

Running ntp as SYSTEM seems like asking for trouble; you should always run services with the least privileges required.  So of course I chose to use the "ntp" service account.  I had successfully used it before on Windows 7 systems.

However, upon clicking "Next", the installer crashed!  Looks like the installer created an "ntp" account, but it was disabled, and had no password set.  Also, the service was not installed.

Here's what I did to workaround the issue:

  1. Run the installer again, this time using the SYSTEM account for the service
  2. Manually create the "ntp" user (optional: set the password to never expire)
  3. Open gpedit.msc
  4. Under Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment, add "ntp" to the following:
  • Change the system time
  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on locally
  • Increase scheduling priority
  • Log on as a service
That done, open "services.msc", change the service to log on as the "ntp" account, and restart the service.  The three "Deny" rights are what make this least-privilege: the account can do nothing but start as a service and adjust the clock, so the credential is of little use to anyone who obtains it.

Friday, August 4, 2017

Bonnie Tyler - Total Eclipse of the Heart - lyrics to the second verse

The complete lyrics to Bonnie Tyler's "Total Eclipse of the Heart" are nowhere to be found on the internet! They are all missing the second verse. I think this is it (transcribed by me):
Turn around, every now and then I get a little bit reckless
and I dream of something wild
Turn around, every now and then I get a little bit helpless
and I'm lying like a child in your arms
Turn around, every now and then I get a little bit angry
and I know I've got to get out and cry
Turn around, every now and then I get a little bit terrified
but then I see the look in your eyes
Turn around bright eyes, every now and then I fall apart
Turn around bright eyes, every now and then I fall apart