Ken Smith | 31 Jul 16:19 2015

OT - parted guidance

Hi All, Slightly OT as this is on a Centos 6 system

I'm getting the fdisk message "partition does not start on a physical 
sector boundary" on a 4096 sector disk. I understand why this has happened.

I just want to be sure of my parted syntax before I really mess things 
up. (before anyone says it - I know - do a backup)

parted says that the offending partition 5 begins at 512 byte sector no. 
462999615. It's the first partition in the extended partition that begins 
at 462999552.

If I just want to move the partition back to the nearest 4096 boundary, 
which is 462999608, would the syntax be

unit s
move 5 462999608

Will parted sort itself out copying sector nos 462999615 to 462999608 
and then 462999616 to 462999609 and on and on? Or will it not cope with 
jiggling the partition down the disk by 7 sectors?





James B. Byrne | 31 Jul 15:37 2015

Re: Fedora change that will probably affect RHEL

On Thu, July 30, 2015 12:54, Chris Murphy wrote:

> On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev
> <galtsev@...> wrote:
>>> Now I use Google. They offer MFA opt in. And now I'm more secure
>>> than I was with the myopic ISP.
>> "More secure" only to the level one can trust google ;-)
> Yes I know, but I put them in approximately the same ballpark as
> having to trust my proprietary CPU, and proprietary logic board's
> proprietary firmware.

So your motherboards and nics can 'call-home' on a regular basis and
you would not mind if they did?

There is, in my opinion, a fundamental difference between accepting
the possibility of vendor installed trojans on hosts that may never be
connected to an external network and adopting an infrastructure that
depends upon such behaviour.

One's risk tolerance varies according to the perceived value of the
asset to be protected.  The problem that Google, Amazon, NSA, FSB,
GCHQ, CCSE and the rest pose to the average person is that the average
person has no idea of how to value pervasive recording of their
private activities.  Thus there is no basis upon which they may form a
reasonable risk assessment.  Therefore no reasonable estimation of the
acceptable cost for prevention can be made.

centos | 31 Jul 14:00 2015

CentOS-announce Digest, Vol 125, Issue 13

Today's Topics:

   1. CESA-2015:1526 Important CentOS 7 java-1.6.0-openjdk Security
      Update (Johnny Hughes)
   2. CESA-2015:1526 Important CentOS 5 java-1.6.0-openjdk Security
      Update (Johnny Hughes)
   3. CEBA-2015:1521 CentOS 7 less FASTTRACK BugFix Update
      (Johnny Hughes)


Message: 1
Date: Thu, 30 Jul 2015 23:38:45 +0000
From: Johnny Hughes <johnny@...>
To: centos-announce@...
Subject: [CentOS-announce] CESA-2015:1526 Important CentOS 7

FHDATA | 31 Jul 00:20 2015

centos6 and virtualbox audio problem


host:  centos6  64bit  (dell desktop)
guest: windows 7 64bit
virtualbox:  4.3.30

problem:  host has audio but guest does not.
i.e. when virtualbox comes up, it says:

No audio devices could  be opened.
ErrorID: HostAudioNotResponding

#lspci -nn | grep -i audio
00:1b.0 Audio device [0403]: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller [8086:1c20] (rev 04)
01:00.1 Audio device [0403]: NVIDIA Corporation GF119 HDMI Audio Controller [10de:0e08] (rev a1)

Pulse audio and Alsa installed on the host.

trying these settings have not worked so  far
letting me have audio on the guest:

Host Audio Driver: OSS,PULSE,ALSA
Audio Controller: Intel HD

I am not seeing any audio-related errors in virtualbox log.

lot of time spent on this so far; any idea as what to do

Nux! | 30 Jul 20:10 2015

livecd vs nfsroot vs what?


I'm trying to deploy some non-linux OS via pxe and I was thinking to just launch CentOS in RAM and then run dd or
qemu-img or something like this in order to complete the other OS install via template imaging.
My first idea was to build a custom CentOS livecd and use that in combination with pxe kernel parameters, but
perhaps there's a better way to do this.


Sent from the Delta quadrant using Borg technology!

Lamar Owen | 30 Jul 17:10 2015

Re: Fedora change that will probably affect RHEL

On 07/29/2015 07:40 PM, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml@...> wrote:
>> Security is *always* opposed to convenience.
> False. OS X by default runs only signed binaries, and if they come
> from the App Store they run in a sandbox. User gains significant
> security with this, and are completely unaware of it. There is no
> inconvenience.

While I agree with you about the long-term viability of passwords, I'll 
disagree with this statement.  There is a loss of convenience with 
signed binaries from a store: the user can no longer install directly 
from the program vendor's website but must go through the walled garden 
of the store, and developers are held hostage to having to meet the 
store's policy or get their signing key revoked and/or their app 
'de-stored' or worse.  There is significant inconvenience to users when 
their app is removed from the store for whatever reason and they cannot 
get updates (or reinstall their app, for which they may have paid a fee) 
anymore because the app is no longer in the store (and that could be for 
arbitrary reasons, including political ones).  This is, of course, the 
case to a more limited degree with CentOS and signed packages, since 
packages can be removed from repositories and installation of packages 
by default requires signed packages (but it's not as inconvenient, nor 
is it as secure, as the OS X model of only allowing signed binaries to 
run). For that comparison, repository = store.

> What is the inconvenience of encrypting your device compared to the
> security? Zero vs a ton more secure (either when turned off and data
> is at rest or a remote kill that makes it very fast to effectively
> wipe all data)

Lamar Owen | 30 Jul 16:32 2015

Re: Fedora change that will probably affect RHEL

On 07/28/2015 03:06 PM, Chris Adams wrote:
> Once upon a time, Warren Young <wyml <at>> said:
>> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pwned
>> hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
> Since most of that crap comes from Windows hosts, the security of Linux
> SSH passwords seems hardly relevant.
I happen to know from firsthand experience that SSH slow bruteforcers on 
Linux are a significant portion of the 'botnet' traffic out there.  How 
do I know this?  From a hacked Linux server which was brute-forced and 
conscripted into being a slow bruteforcer node back in 2009 or so.  The 
particular payload that was dropped on that box was dropped into a 
normal user account with a moderately strong (but obviously not strong 
enough) password, and the code never even attempted to escalate 
privileges.  It didn't need to; the slow bruteforcer started and ran as 
the normal user account and actively attacked other hosts.  It did not 
attempt to install a rootkit and it ran as a normal user with a program 
name of something that was not out of the ordinary.  It did not trigger 
our rootkit detector or file modification monitors, since normal user 
directories aren't normally monitored.  Again, the attack vector was a 
relatively weak password (mixed case, letters and numbers, but less than 
ten characters long). And it ran slow enough that neither snort nor 
fail2ban were triggered.

While I am not at liberty to share the specifics of the code or the huge 
password files it contained, nor can I share the log files, given the 
amount of traffic generated and its patterns it is pretty easy to figure 
out that it was part of a very large operation.  Due to this we now 
block outgoing (and incoming) SSH on port 22 by default now, opening 
holes only upon request (and we're small enough to make that 

Stijn De Weirdt | 30 Jul 10:37 2015

how to get bug fixed by TUV

hi all,

i have a general question (a bit surprised it's not on the centos faq):

we found a bug in a package in a centos install, and we are wondering 
what the best approach is to get TUV to fix it (and release an update), 
so it gets fixed in centos rebuild and thus on our nodes. or at the very 
least to get it on their todo list ;) seems an obvious candidate to get them reported via 
centos to TUV, but as centos doesn't modify the sources, i'm wondering 
if it is the correct way.

so is there a way to funnel these through to TUV, or 
should we get our own (minimal?) support contract with RedHat. if it's 
the latter, any tips what contract to choose? (money isn't really the 
issue if we don't have to register all our centos nodes (and i wouldn't 
mind having access to the KBs if that came with the contract ;))


the bug is (i 
consider it a bug and not a feature since it used to work with EL6, and 
people upgrading might run into this; but i guess it's all semantics ;)

Karanbir Singh | 29 Jul 18:45 2015

Last few days in CentOS

hi everyone,

I know this update has been a bit delayed, things have been pretty
hectic. But lots of good updates for everyone:

* Updates for CentOS Linux 5/7 : All updates from upstream are
released into the CentOS mirror network.

* Upstream 6.7 was released a few days back, we have all the rpms from
that release built and released to the early-adopters into the CentOS-CR
repos ( ref:
); lots of people have applied these updates and there are no major
reports of issues so far. If you are one of the people running with CR,
please let us know if you hit any issues.

* Updates released to EL6 since 6.7 was released are also rolled into
CR/ so if you are running this repo, you would be updated all the way.

* We have a first cut of the ISOS for CentOS-6.7 ready and in QA, there
are a couple of package changes, and we need to tweak the content that
ends up on DVD1 Vs/ DVD2 to make sure we can still retain max installs
from just DVD1. I aim to have these done and available to the QA folks
in the next day or two, with the intention to release early next week to

* Another key piece that we've been working on is the AltArch SIG; The
aim of this Special Interest Group is to help build and help maintain
CentOS Linux on other architectures than what the Core group is able to

m.roth | 29 Jul 16:43 2015

Semi-OT: configuring mongodb for sharding

Anyone know about this? Googling, all I can find is mongodb's 3.x manual,
nothing for the 2.4 we get from epel.

What I need to do, CentOS 6.6, is start it as a service, not a user, and
have it do sharding. I see examples of how to start it as a user... but I
can't find if there's a syntax for /etc/mongodb.conf to tell it that, and
I don't want to have to edit /etc/init.d/mongod....

Clues for the poor?

James B. Byrne | 29 Jul 15:24 2015

Re: Fedora change that will probably affect RHEL

On Tue, July 28, 2015 19:46, Warren Young wrote:
> iPads can’t be coopted into a botnet.  The rules for iPad passwords
> must necessarily be different than for CentOS.


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB@...
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3