Don't Fear the firewalld


[Image: firewall-config GUI]

Update: Somehow I forgot to mention a GUI for firewalld named firewall-config. Be sure to check that out if you prefer a GUI.

I have run across a few people who are perplexed by firewalld and I must admit that I was for a while until I did some reading and experimentation. What is firewalld? It is basically a replacement for the ancient iptables service on RHEL and Fedora systems. So many of us were just used to manually editing /etc/sysconfig/iptables and then copying that file from system to system as desired, that the switch to firewalld was a bit scary. I mean, who wants to learn something new, right?

Another thing that is scary about firewalld is the complexity of the rules it shows when you do something like: iptables -L

While the configuration, tools and output have dramatically changed... really firewalld makes things easier and more manageable. Really. One of the problems with Linux across distros is that there really hasn't been a standardized way to handle the host-based firewall. Each distro seems to have its own way of doing it... and popular packages like Shorewall have been around for years. I think firewalld tries for a happy medium somewhere between simple and complex and a standard that distros can choose to adopt.

Anyway, here are some basics (as root or via sudo) but if you want more be sure to check out the documentation:

Main documentation: www.firewalld.org/documentation/
Fedora Documentation: fedoraproject.org/wiki/FirewallD
RHEL Documentation: access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

firewall-cmd --list-all (shows human readable firewall settings)

firewall-cmd --add-service=ssh --permanent (opens up port 22 which is sshd and saves to config; the firewalld service is named ssh, not sshd)
firewall-cmd --add-service=http --permanent (opens up port 80 which is http and saves to config)
firewall-cmd --add-service=https --permanent (opens up port 443 which is https and saves to config)
firewall-cmd --remove-service=https --permanent (closes port 443 and saves to config)

If you don't want your changes saved just leave off --permanent.

Want to open arbitrary ports for some service (like voxelands-server for example)? That is easy too:

firewall-cmd --add-port=30000/tcp --permanent

Want UDP? Ok:

firewall-cmd --add-port=30000/udp --permanent

After your changes it doesn't hurt to verify again with:

firewall-cmd --list-all
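As an added example (mine, not from the original post and not part of firewalld), here is a small POSIX shell wrapper around firewall-cmd that ties the steps above together: it makes the change with --permanent, then runs --reload so the saved rule is also applied to the running firewall (--permanent on its own only writes the zone file; the live rule set does not change until a reload), and finally queries the runtime to confirm the rule is really there. The FIREWALL_CMD override and the function names are my own assumptions, added so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not firewalld's code. Assumes a firewalld host (RHEL 7 / Fedora).
# FIREWALL_CMD is a hypothetical override used for testing; it defaults to firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_run: invoke firewall-cmd (or whatever FIREWALL_CMD names) with the given args.
fw_run() {
    "$FIREWALL_CMD" "$@"
}

# fw_validate_port: accept only NUMBER/tcp or NUMBER/udp with NUMBER in 1..65535.
# Returns 0 when the spec is valid, 1 otherwise.
fw_validate_port() {
    port="${1%/*}"
    proto="${1#*/}"
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# fw_open KIND WHAT: add a service ("service ssh") or a port ("port 30000/tcp") to
# the permanent configuration, reload so the running rules match the saved ones,
# then query the runtime so the caller gets a non-zero status if the rule is absent.
fw_open() {
    kind="$1"; what="$2"
    case "$kind" in
        service) fw_run --permanent --add-service="$what" ;;
        port)
            fw_validate_port "$what" || { printf 'bad port spec: %s\n' "$what" >&2; return 1; }
            fw_run --permanent --add-port="$what" ;;
        *) printf 'unknown kind: %s\n' "$kind" >&2; return 1 ;;
    esac
    fw_run --reload
    # --query-* exits 0 when the rule is present in the runtime configuration.
    case "$kind" in
        service) fw_run --query-service="$what" ;;
        port)    fw_run --query-port="$what" ;;
    esac
}

# Live demo only when firewall-cmd is installed and we are root; otherwise the
# functions are just defined for use from another script.
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1 \
   && [ "$FIREWALL_CMD" = firewall-cmd ]; then
    fw_open service ssh
    fw_open port 30000/tcp
    firewall-cmd --list-all
fi
```

Usage on a firewalld host, as root: source the file and call `fw_open service http` or `fw_open port 30000/udp`; the validator rejects anything that is not NUMBER/tcp or NUMBER/udp before it ever reaches firewall-cmd, and the final query makes a silent failure (for instance a typo in a service name that firewall-cmd rejected) show up as a non-zero exit status.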

Want to manage firewalld via a config management system? There is a formula for SaltStack here and supposedly Ansible also supports firewalld.

Want to edit a file instead of running firewall-cmd? That's possible too. firewalld stores everything somewhere under /etc/firewalld/. In particular the changes listed above would get written to /etc/firewalld/zones/public.xml. Yeah, it's an "xml" file but make a change or two via firewall-cmd and see what it adds or removes from it and you'll see that it is very easy to monkey-see-monkey-do for those that want to edit the file directly. After updating or replacing any of firewalld's configuration files you want to make firewalld aware of the change with:

systemctl reload firewalld

If you are brave enough to manually edit the config just be aware that you are responsible for your typos.
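For anyone who does edit the zone file by hand, here is an added example (mine, not from the post or the firewalld project) that reads a zone file like /etc/firewalld/zones/public.xml, lists every service and port it opens, and compares that against an allowlist of what you expect to be open, so a stray or mistyped entry is caught before systemctl reload firewalld makes it live. The sample zone file is constructed inline in the shape firewalld writes; the function names are my own.

```shell
#!/bin/sh
# Added example, not firewalld's code. Parses the simple <service/> and <port/>
# elements firewalld writes into a zone file using only grep and sed.

# zone_services FILE: print one enabled service name per line, in file order.
zone_services() {
    grep -o '<service name="[^"]*"' "$1" | sed 's/.*name="\([^"]*\)".*/\1/'
}

# zone_ports FILE: print one PORT/PROTO per line from <port .../> elements.
# Attributes are pulled out individually, so their order in the file does not matter.
zone_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r line; do
        p=$(printf '%s' "$line" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$p" "$proto"
    done
}

# zone_audit FILE ALLOWED: ALLOWED is a space-separated list of service names and
# PORT/PROTO entries expected to be open. Prints each entry that is open but not
# allowed and returns 1 if there were any, 0 if the zone matches the allowlist.
zone_audit() {
    file="$1"; allowed=" $2 "
    unexpected=0
    for entry in $(zone_services "$file") $(zone_ports "$file"); do
        case "$allowed" in
            *" $entry "*) ;;
            *) printf 'unexpected in %s: %s\n' "$file" "$entry"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Constructed sample zone file (same shape as /etc/firewalld/zones/public.xml).
# 3306/tcp is the deliberate surprise that the allowlist below does not cover.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="30000"/>
  <port protocol="udp" port="30000"/>
  <port protocol="tcp" port="3306"/>
</zone>
EOF

# Run the audit; on a real host point this at /etc/firewalld/zones/public.xml
# and run it before "systemctl reload firewalld".
zone_audit "$SAMPLE_ZONE" "dhcpv6-client ssh http 30000/tcp 30000/udp" \
    || printf 'zone has entries outside the allowlist\n' >&2
```

The audit only reads the file, so it is safe to run from a cron job or a config-management check against every host's zone files; a non-zero exit is the signal that someone opened something the allowlist does not account for.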

I've only touched the tip of the iceberg for the most common stuff. Need more info? Yeah, there is a ton of documentation including a couple of man pages.

Getting the CCISS RAID controller to work on EL7


As you may have gathered, I really like RHEL 7 and its clones. I have run into one problem though. In Chapter 24 of the RHEL 7 Release Notes they enumerate quite a bit of hardware that they have dropped support for. Included are about 3 pages of RAID controllers and some NICs. I have a few HP Proliant DL380 G5 servers at work that have the HP Smart Array P400 RAID Controller in them and they are no longer officially supported with the release of RHEL 7.0. They work just fine with RHEL 5 and RHEL 6. HP actually has drivers that they provide for RHEL 5 and RHEL 6 but almost no one uses them because the hardware just worked with the stock RHEL kernels. Since the G5 machines (that's generation 5, not PowerPC G5) are 6 or 7 years old now, HP has stopped providing firmware updates and will not be providing drivers for newer Linux distros.

Just to verify, I booted one of the servers with the RHEL 7 install DVD and nope... it says there are no hard disks available. :(

The devs over at ElRepo have saved my day. I filed a request for enhancement (RFE) in their Mantis bug tracker system asking if they could build the CCISS driver package for the EL7 kernel. I had an answer within a hour or two... and a test package within a couple of hours. If you aren't familiar with ElRepo, they are a fairly popular third-party repo for EL. Not quite as popular as the Fedora Project's EPEL repo though. One thing ElRepo specializes in is drivers.

I do recommend staying away from third-party repos and drivers as much as possible but given the fact that the stock RHEL 7 installer says my servers have no hard drives I was stuck. If you don't have any hard drives, you can't do an install. I have never had to use a driver disk with the RHEL installer but I guess such things exist. Not being familiar with them, I just took the kmod-cciss package the ElRepo dev built, copied it to my local repository, added it to the package list of my CentOS LiveDVD kickstart file. Then I used livecd-creator to build a LiveDVD. My personal respin includes GNOME, KDE, Firefox, LibreOffice, GIMP, Inkscape, virt-manager, SPICE, etc... and now the ElRepo kmod-cciss package as well. After building the ISO I burned it to DVD and booted a problem server with it. Bingo, EL7 sees the controller and the disks attached to it now.

Not having used third-party drivers much in the past I was fairly ignorant about them. There are kmod, akmod, and dkms type driver packages. Do you know the differences between them? I mean with something as important to the operation of the system as a RAID controller that presents all disks to the system... you don't want it breaking when you upgrade the kernel, right? It is my understanding that kmod-based packages aren't tied to a specific build of the kernel. So the kmod-cciss package I got from ElRepo should (in theory) work with every kernel update for EL 7.0 that comes out. When EL 7.1 comes out, it'll probably be a slightly different branch... and before trying to switch to future 7.1 kernels, I'd probably need to update the kmod-cciss package... or at least that is my understanding.

Anyway, so far it is working great. We'll see if I have any regrets as time goes by. I will definitely take care to be very aware of when kernel updates get installed and always keep a known-to-work kernel around just in case.

CentOS 7 Released


The mirrors are syncing and the release announcement has been made... although the main website needs to be updated... and oddly distrowatch.com is dead.

Anyway, I uploaded contributed OpenVZ OS Templates built from the final release with updates applied... and I have a LiveDVD that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP and Inkscape for anyone who is interested.

I'm guessing Scientific Linux 7 will be out in another two weeks.

Scientific Linux 7 Alpha released - LiveDVD and OS Templates built


One of the Scientific Linux developers sent out an announcement to the SL-devel mailing list just a couple of hours ago about SL 7 Alpha being released. They have a netinstall CD iso and a 6GB DVD. I got the entire tree downloaded in about 30-ish minutes... and got to work building a LiveDVD as well as OpenVZ OS Templates... using the scripts I had used for CentOS and Oracle... again with a tiny bit of editing.

Everything built and I have a LiveDVD that is 1.5GB in size that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP, and Inkscape. What more does a person need? :)

OpenVZ: Contributed OS Template of CentOS 7 Public QA
I wondered if I could make an OS Template of the CentOS 7 Public QA release... and I could. Here's more info copied and pasted from the email I sent to the OpenVZ Users Mailing list announcing its availability:
As you may already know, Red Hat released Red Hat Enterprise Linux 7 on Tuesday (June 10th). A while ago the two main CentOS developers got hired by Red Hat to work on CentOS because Red Hat is now the sponsor behind CentOS... like they are behind Fedora. Anyway... the CentOS folks are working hard and fast to try to get CentOS 7 out ASAP... although they are going to keep their high release quality standards (it's as good as RHEL and as bad as RHEL, hehe). Something new they are doing now is trying to be as transparent and public as possible. They have placed their build system in the open, all of the package code in git, etc.

On June 13th CentOS announced that they had made the initial build of (most of) the rpm packages for CentOS 7. On June 14th they announced the build-tree was fairly complete including a boot.iso that could be used for a network install. Anyway, for the full story, read http://seven.centos.org/.

I've been busy working with the "CentOS 7 Public QA" release making an installable LiveDVD (check) and making an OpenVZ OS Template (check). The latter is what this email is about. I have uploaded "centos-7-pubqa-20140615.tar.xz" (and .asc GPG sig file) to the OpenVZ contributed OS Templates directory. A few notes:

1) CentOS 5 uses SysV init. CentOS 6 uses Upstart basically in SysV compatibility mode. CentOS 7 uses systemd. If you create a container from an OS Template named centos-{something} I think it'll use the current CentOS config scripts provided by vzctl... which probably won't work because of the big change in init systems. CentOS 7 is a LOT like the last few releases of Fedora that have also been systemd-based... so what I did on my OpenVZ host where I wanted to use this centos-7-pubqa-20140615.tar.xz contributed OS Template was... make a symlink in /vz/template/cache/ named fedora-19-x86_64.tar.xz that points to centos-7-pubqa-20140615.tar.xz. Then when I used vzctl to create the container, I told it to use the fedora19 OS template. Of course if you already have an OS Template named fedora-19-x86_64.tar.* make the symlink named something else and refer to it appropriately. I asked for a clarification from Kir on that... because maybe I'm imagining the issue.

2) The current CentOS 7 Public QA build-tree does not provide /etc/yum.repos.d/centos*.repo files. Why? Because the location of the current build system and all of the rpm packages is in a temporary place and won't be finalized until the final release comes out. In my OS Template I created /etc/yum.repos.d/centos-7-public-qa-20140615.repo that refers to the *CURRENT* location of all of the packages. Doing that makes yum work... and you can install and remove software as desired. I'm sure they will be updating the build-tree and package location quite a bit between now and final release... so if the current location goes away or there is a newer build... you'll have to update the .repo file to point to wherever it needs to point. It was working fine when I uploaded it.

3) RHEL7 is only offered in a 64bit flavor... and as a result... the OS Template is 64bit. It will not run on a 32bit OpenVZ host node. Don't even try it. It won't hurt anything but you'll get an error and if you don't know what the issue is, you'll probably go to IRC and bug people there about it... which would be a waste of everyone's time... but if you do do that... hopefully we'll be able to tell you what the problem is. The OS Template name I gave was already long enough and I didn't want to add x86_64 to it... because people would probably think there was a missing i686 build coming. There isn't.

4) How did I make this OS Template? It was rather simple. I created a CentOS 7 KVM virtual machine installing from the network media currently available. I did a minimal install. Then I rsync'ed the contents of VM's virtual disks to an OpenVZ host node. Then I made the minor changes needed... (not all but most) mentioned in the OpenVZ p2v wiki page. Then I tar.xz'ed it up and plopped it in /vz/template/cache... made a container out of it... and it worked first attempt. Then I cleaned it up by removing unneeded packages (grub2, kernel, firmware packages, unwanted services [firewalld, ipr*, etc], etc). Then I added a few things I like (httpd, screen, mc, nano, links, etc). Then I tested it. Then I made a new OS Template by tar.xz'ing up the container's directory. Then I made a new container out of the new OS Template and tested. Works pretty darn well. I'm sure there are some lingering dirs/files from packages I removed... and probably another handful or two of packages that could be removed to make it smaller but hey... it is ~98MB as a .tar.xz. Installed it takes up slightly less than 700MB. Not too bad for a first attempt.

If you have any comments or questions, just ask. Enjoy!

Update: One of the heads of the CentOS Project told me that he thought releasing such an OS Template was a little too "user facing" for a Public QA release and asked me to take it down, so I did. I'll continue to build the testing OS Templates until the QA version comes out at which point I should have a final CentOS 7 OS Template out on release day.

Montana Enterprise Linux 7?


[Image: CentOS 7 Public QA - KDE Desktop with Firefox]

If you didn't hear the news, Red Hat released Red Hat Enterprise Linux 7 on Tuesday, June 10th. I've done three installs so far at work... and have been reading through their wonderful documentation. I'm really digging the newer versions of things and systemd... yes, especially systemd. No, no, really!

As you also probably know, Red Hat sponsors the CentOS Project now... and they are working hard on getting CentOS 7 done. Andrew from the BillingsLUG predicts CentOS 7 will be out within two weeks of RHEL 7... so that would be by June 24th. My guess is 6 weeks... which would be by July 22nd. If they don't make it in 6 weeks, my next guess is August 10th, because that's my 50th birthday.

Anyway. So yeah, the CentOS Project has been working hard AND they have been, unlike in the past, doing everything out in the open... transparency it is called. Yesterday they announced they had the packages building. Then someone on the centos-devel mailing list said they had a Docker CentOS 7 container image. I gave that a try. Then the centos-devs said they had the first build attempt completed although they have NOT gone through all of the packages yet and removed Red Hat's branding... so it's a very preliminary build. Then they announced they had a network install CD (~ 341MB). I gave that a try and it worked great.

Then I decided I wanted to work on my own remix if possible. I used reposync to download all of the packages... and wget to get the handful of other dirs/files in the install tree. Then I made a KVM virtual machine via a network install pointed at my own copy of the tree. Then I added the livecd-creator package that one CentOS developer ported from Fedora. Then I installed fedora-kickstarts from Fedora 19... and hacked on their KDE LiveCD kickstart until I had it building CentOS 7. The first build didn't go so well. For whatever reason, all of the GUI stuff was there except for Xorg. I was able to use that first install, get it going in text-only mode to figure out what packages I needed to add to my kickstart's package list to get X going. Bingo... only three additional lines although two of them had an asterisk in them.

It built. It booted. It installed. It booted and worked post-install. Not bad.

What does it contain? Well, I'm a KDE fan. EL7 only offers GNOME 3 and KDE anyway. So, it has KDE... but oddly they don't offer KDM (KDE Display Manager aka GUI login screen) so it uses GDM (GNOME Display Manager). While Red Hat defaults to the XFS filesystem in their install media (they don't have any Live media by the way, just install-only) livecd-creator would not build the .iso if I set the default to xfs... so I had to set it to ext4. So, the system you get from the live installer has ext4 partitions. While it is the KDE desktop I added some stuff that isn't KDE-specific... like Firefox, LibreOffice, GIMP, and Inkscape. I didn't refer to the EPEL 7 repository in my kickstart so the first good build only includes stock packages. Later I'll probably add in EPEL and add some additional packages like tmux, x2goserver... and a few other sundry packages. Any suggestions?

I should have included some screenshots with this post but I'm too lazy and tired after spending about 6 hours working on this little project today. If you want to give it a try let me know and I can email you the URL to the .iso file. Oh, btw... the installed system does not include a working centos.repo file so after a fresh install is booted, one has to manually add one by creating a file named /etc/yum.repos.d/qa-nightly.repo. Put in it the following:


Then you can use yum to install anything else you'd like. I recommend you also add EPEL 7 (epel-release-7-0.1.noarch.rpm). Enjoy! MEL (Montana Enterprise Linux), kiss my grits!

Update: CentOS has since released Public QA LiveMedia of their own.

Video: FISL 2014 - Growing CentOS as a Platform


Brazil has a big FLOSS conference named FISL. I'm not sure what that stands for and whatever it is is probably in Portuguese. Anyway, I was surfing through some of their video presentations and happened across this gem... being that I'm a big RHEL, CentOS fan:

Growing CentOS as a Platform (Jim Perrin)

How about an OpenVZ CentOS Variant?


I've used RHEL, CentOS and Fedora for many years... and as many of you already know... back in January, CentOS became a sponsored project of Red Hat. For the upcoming CentOS 7 release they are going beyond just the normal release that is an as-perfect-as-possible clone of RHEL. They have this concept of variants... where Special Interest Groups (SIGs) are formed around making special purpose builds of CentOS... spins or remixes if you will. I don't know a lot about it yet but I think I have the basic concept correct.

Looking at the numbers on http://stats.openvz.org/ I see:

Top host distros
CentOS           56,725
Scientific        2,471
RHEL                869
Debian              576
Fedora              111
Ubuntu               82
Gentoo               54
openSUSE             18
ALT Linux            10
Sabayon               6

Top 10 CT distros
centos          245,468
debian          106,350
ubuntu           83,197
OR                8,354
gentoo            7,017
pagoda            4,024
scientific        3,604
fedora            3,173
seedunlimited     1,965

Although reporting is optional, the popularity of CentOS as both an OpenVZ host and an OpenVZ container surely has to do with the fact that the two stable branches of the OpenVZ kernel are derived from RHEL kernels.

Wouldn't it be nice if there were a CentOS variant that has the OpenVZ kernel and utils pre-installed? I think so.

While I have made CentOS remixes in the past just for my own personal use... I have not had any official engagement with the CentOS community. I was curious if there were some OpenVZ users out there who are already affiliated with the CentOS Project and who might want to get together in an effort to start a SIG and ultimately an OpenVZ CentOS 7 variant. Anyone? I guess if not, I could make a personal goal of building a CentOS and/or Scientific Linux 6-based remix that includes OpenVZ... as well as working on it after RHEL7 and clones are released... and after such time the OpenVZ Project has released a stable branch based on the RHEL7 kernel.

I will acknowledge up front that some of the top CentOS devs / contributors have historically been fairly nasty to OpenVZ users on the #centos IRC channel. They generally did not want to help someone using a CentOS system running under an OpenVZ kernel... but then again... their reputation is for being obnoxious to many groups of people. :) I don't think we should let that stop us.

Comments, feedback, questions?

Update: Wow, looking here, they already have OpenVZ listed as being of interest in their Virtualization SIG.

Video: The CentOS Project

I use CentOS quite a bit myself and I know a lot of other CentOS users. Here is a video of one of the main developers (Karanbir Singh) within the CentOS Project explaining how the CentOS Project works and builds what it builds. Enjoy!

Red Hat Enterprise Linux 6.3 is out


Just noticed I have a ton of updates for a few RHEL 6 boxes... and to me that indicates there is a new update release. So I logged into Red Hat Network and sure enough RHEL 6.3 has been released. I like finding out about it early in the morning and downloading it before everyone else has noticed.

With CentOS and Scientific Linux both pretty adept in rebuilding 6 now, I'd expect new releases from both within 6 weeks or less. Scientific Linux might be at a disadvantage because they lost one of their main guys but they have replaced him. CentOS on the other hand recently announced that some company was sponsoring two CentOS developers so they could work full-time on CentOS. Who will win?

I haven't had a chance to check out the release notes yet but I will soon. I'm hoping a lot of the KVM, libvirt, and virt-manager stuff that has been in Fedora for a while will have filtered back to this update.

Update: July 9th, 2012 - CentOS 6.3 is syncing to the mirrors today so it has won.
