Tim Dunphy | 19 Oct 17:55 2014

rsync question: building list taking forever


I've set up an rsync between two directories that I've mounted locally on a
jump box. Long story short, the two directories are both NFS shares from
two different hosts. Our security dept won't allow us to SSH between the
two data centers, directly. But the jump host can contact both. So what
I've done is mount the NFS shares from one host in each data center on the
jump box using sshfs.

The directory I'm trying to rsync from has 111GB of data in it. I don't
think I've ever set up an rsync for quite so much data before.

But I started the rsync at approx. 7pm last night. And as of now the rsync
is still building its file list.

[root@sshproxygw ~]# rsync -avzp /mnt/db_space/timd/www1/
building file list ...

So my question to you is, is this a normal amount of time to wait for the
file list to be built? Considering the amount of data involved. I have it
running in a screen session I can attach to to find out what's going on.



GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Johnny Hughes | 19 Oct 03:40 2014

CentOS-6 updates

We are currently building and testing our CentOS-6.6 release.  It
normally takes about 2-4 weeks for us to get a full point release out. 
We can not release updates that are based on 6.6 until we get 6.6 out. 
All current updates will be released on the same day as the release.

We have a CR repo (
http://wiki.centos.org/AdditionalResources/Repositories/CR ) and we are
likely going to release the CR repo around 7-10 days after the release
of RHEL-6.6.  All updates will also be released into there when it is

Please remember, there are around 350 Source RPMs that need to be built
and tested for 6.6 and it normally takes 7-10 days for CR and 14-28 days
for the full release. We are going as fast as we can, but point releases
take time.

Johnny Hughes

CentOS mailing list

Frank Cox | 18 Oct 23:04 2014

Centos 7 tmpwatch

I have noticed that tmpwatch isn't automatically installed with Centos 7, or at least it wasn't when I set up
this computer.

I further noticed that the Centos 7 tmpwatch rpm no longer includes /etc/cron.daily/tmpwatch

I suspect that at least part of the reason for this is because the /tmp directory is now mounted as a tmpfs by
default, so it's automatically cleared when the machine is rebooted.

However, this does nothing to maintain /var/tmp and /var/cache

Installing the Centos 7 tmpwatch rpm and copying the /etc/cron.daily/tmpwatch file from a Centos 6
installation onto a Centos 7 machine might not be particularly wise because the excluded directories
listed in the Centos 6 tmpwatch script don't include such things as the systemd-private* directories
that should probably not be made to disappear on a Centos 7 installation.

This leads to two questions:  Is tmpwatch even required on Centos 7 anymore, or has it been superseded
somehow?  And if it is required (or a good idea), is there an updated script to put into /etc/cron.daily that
accounts for directories and files that should not be molested by tmpwatch?


MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com

Aaron Siegel | 18 Oct 19:14 2014

Re: curl: (35) Cannot communicate securely with peer:


Thank you for your post.

I am sorry for the second post, my transition to evolution is ...

I would like to have a better understanding of this problem before I open a
bug report.

Looking at the report, openssl 1.01h has the cipher which supports the
www.kraxel.org certificate, specifically the

	OpenSSL 1.0.1h	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

It appears my cipher, openssl 1.01e, accepts the certificate used by
kraxel, the output of sslscan:
	Accepted	TLS12	256	ECDHE-RSA-AES256-GCM-SHA384 

So why does this not work?  Why would this be a bug if I just need to
upgrade openssl to 1.01h from 1.01e?

Thanks for your assistance,


On Sat, 2014-10-18 at 18:25 +0200, Reindl Harald wrote:
> Am 18.10.2014 um 18:15 schrieb Aaron Siegel:
> > I am stumped. I am trying to use the kraxel qemu repository, it appears
> > the repository moved to secure server since then I have not been able to

Rafał Radecki | 18 Oct 18:45 2014

Your experience with os hardening tool - Bastille?

Hi All:)

I would like to start using a tool for automating OS hardening. I found
some information about Bastille. One thing which attracted my attention
is that in http://bastille-linux.sourceforge.net/news_updates.htm the last
post is from January 29th, 2012 :D

Is the tool ready to use at the moment with CentOS 6/7? Are there any
alternatives which you can recommend?

Thanks for all info :)

Aaron Siegel | 18 Oct 18:15 2014

curl: (35) Cannot communicate securely with peer:


I am stumped. I am trying to use the kraxel qemu repository, it appears
the repository moved to secure server since then I have not been able to
configure this properly. https://www.kraxel.org/repos/jenkins/
I receive the following error when I try to use the repository 
	curl: (35) Cannot communicate securely with peer: no common encryption

I have discovered this problem on my fedora 20 computer, the fedora
mailing list will not accept my email, I am experiencing this problem
with curl on both my Centos and fedora systems.  

I receive the same error with centos 7 minimal installation and fedora
20. What am I doing wrong? I have recently switched to the Fedora
platform, I have not read all the manuals but am trying.

I have imported the gpg keys that Kraxel has posted on his blog using
rpm --import. I can only download files through my web browser. I was
going to clone his git repository and set up a local repository, but git
reports the same error. Which leads me to believe the problem is with my

I have even tried the firefox-db2pem.sh, I am not sure it did anything.

Does curl need to be recompiled with nss support? Is there a package I
need to compile? nss 3.17.2 is installed, none of the man pages work.

Looking deeper into the nss, 
	# certutil -L

Boris Epstein | 18 Oct 00:31 2014

djbdns under CentOS7: startup and socket issues

Hello all,

I am trying to get djbdns ( http://en.wikipedia.org/wiki/Djbdns ) running
on CentOS 7. So far I have written the djbdns.service and djbdns.socket
files. The sockets (TCP and UDP 53) for some reason would not start and I
don't know how to debug that; the service does start but only when I start
it manually by running

systemctl start djbdns

So, I am a real noob when it comes to systemd, hence any advice on how to
proceed will be much appreciated.


Dan Hyatt | 17 Oct 22:55 2014

creating a floppy image from a linux file


I am still trying to get kick-start centos in my vmware5 because pxe 
cannot find the pxe server. I do not control the dhcp or pxe server.
I have both my kickstart file and my iso image for centos6.5 on my 
vmware datastore, but am trying to run my kickstart file from VMware guest.

Can I tell the command line to run from the datastore in VMWare? Or must 
I convert my kickstart file to a floppy image to run from VMware console?

I have the centos image on the DVD mounted from my datastore.  Now I 
need to convert the kickstart file to a floppy image to mount on the 
server from my datastore

This is what google and VMWare keep telling me but it does not make 
sense unless I am copying off a floppy....
What I am trying to do is turn the kickstart file into a floppy image so 
I can kickstart off the floppy in vmware.

Create a disk image from the physical drive:
cat /dev/fd0 > imagefile.img

Copy image to the physical drive:
cat imagefile.img > /dev/fd0

Help figuring out that silly little piece that is keeping me from 
building a VM guest from my kickstart file is much appreciated.


Bowie Bailey | 17 Oct 20:43 2014

Samba 4.1.6

I just installed a CentOS 7 server and ran into a problem with Samba and 
the "force user" option.  Apparently, there was a fix for some "force 
user" issues in the 4.1.6 release.

Is there any likelihood of an update from upstream?  If not, is there 
another repo that provides a more up-to-date version of Samba?


James B. Byrne | 17 Oct 18:53 2014


I read this on the RHN commentary respecting cve-2014-3566:


. . .
The first aspect of POODLE, the SSL 3.0 protocol vulnerability, has already
been fixed through iterative protocol improvements, leading to the current TLS
version, 1.2. It is simply not possible to address this in the context of the
SSL 3.0 protocol, a protocol upgrade to one of the successors is needed. Note
that TLS versions before 1.1 had similar padding-related vulnerabilities,
which is why we recommend to switch to TLS 1.1, at least. (SSL and TLS are
still quite similar as protocols, the name change has non-technical reasons.)
. . .

If I run nmap to view the ciphers on a host running apache-2.2.15 I see this:

# nmap --script ssl-enum-ciphers -p 443 inet09

Starting Nmap 6.01 ( http://nmap.org ) at 2014-10-17 12:48 EDT
Nmap scan report for for x.y.z.a
Host is up (0.00034s latency).
rDNS record for x.y.z.a
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (5)
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - unknown strength

Patrick Bervoets | 17 Oct 17:23 2014

What happens to in-use files when I restart samba?

One of the services that has to be restarted after the openssl update is samba.

And now I wonder if I can safely restart samba when there are possible files in-use (ie writes could be happening).

I can't find an answer on Google (could be me asking the wrong questions)

Thanks for any pointers
