Category Archives: CentOS 6

Configure CentOS 6 to be Verbose at Boot

Configure CentOS 6 to output more verbosely to the screen at boot.

GRUB

Have GRUB display the menu interface. GRUB will still automatically boot the default entry, unless interrupted.
Modify the GRUB configuration file /boot/grub/grub.conf. Comment out the line that contains “hiddenmenu”.

#hiddenmenu

Linux Kernel

Modify the GRUB configuration file /boot/grub/grub.conf. Remove the kernel parameters “quite” and “rhgb” from each kernel entry.
“quiet” causes the kernel to not print out messages while the kernel loads.
“rhgb” enables the Red Hat graphical boot after the kernel loads. You may see this as a logo being displayed to the screen and a progress bar.
Before:

#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
#hiddenmenu
title CentOS (2.6.32-431.3.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.3.1.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-431.3.1.el6.x86_64.img
title CentOS (2.6.32-431.1.2.0.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-431.1.2.0.1.el6.x86_64.img
title CentOS (2.6.32-431.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-431.el6.x86_64.img

After:

#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
#hiddenmenu
title CentOS (2.6.32-431.3.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.3.1.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-431.3.1.el6.x86_64.img
title CentOS (2.6.32-431.1.2.0.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-431.1.2.0.1.el6.x86_64.img
title CentOS (2.6.32-431.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=/dev/mapper/system-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=system/root rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=system/swap  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-431.el6.x86_64.img

This is all you need to do. Unlike Ubuntu, you do not need to run a script such as update-grub. Future kernel package updates will not add the “rhgb” and “quiet” kernel parameters back.

My System Configuration

  • CentOS 6.5 x86 64-bit

References

Running Aide on CentOS 6 Results in Modified mtime and ctime on Directories

Each time aide is run with either the –check or –update option, it always detects differences between the database and the filesystem. Specifically, the mtime and ctime on certain directories:

# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2014-01-05 08:03:47
Summary:
  Total number of files:        39240
  Added files:                  0
  Removed files:                0
  Changed files:                20
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/sbin
changed: /usr/libexec
changed: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
changed: /usr/libexec/getconf
changed: /usr/libexec/polkit-1
changed: /usr/libexec/utempter
changed: /usr/libexec/awk
changed: /usr/bin
changed: /usr/lib64
changed: /usr/lib64/pm-utils/bin
changed: /usr/lib64/nss/unsupported-tools
changed: /usr/lib64/sa
changed: /usr/lib64/perl5/CORE
changed: /root
changed: /root/.viminfo
changed: /lib/udev
changed: /bin
changed: /lib64
changed: /lib64/dbus-1
changed: /sbin
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
  Mtime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:20
  Ctime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:20
Directory: /usr/libexec
  Mtime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
Directory: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
  Mtime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
Directory: /usr/libexec/getconf
  Mtime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:49              , 2014-01-05 08:01:21
Directory: /usr/libexec/polkit-1
  Mtime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
Directory: /usr/libexec/utempter
  Mtime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
Directory: /usr/libexec/awk
  Mtime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
  Ctime    : 2014-01-05 08:00:50              , 2014-01-05 08:01:21
Directory: /usr/bin
  Mtime    : 2014-01-05 08:00:57              , 2014-01-05 08:01:29
  Ctime    : 2014-01-05 08:00:57              , 2014-01-05 08:01:29
Directory: /usr/lib64
  Mtime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
  Ctime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
Directory: /usr/lib64/pm-utils/bin
  Mtime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
  Ctime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
Directory: /usr/lib64/nss/unsupported-tools
  Mtime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
  Ctime    : 2014-01-05 08:01:09              , 2014-01-05 08:01:42
Directory: /usr/lib64/sa
  Mtime    : 2014-01-05 08:01:10              , 2014-01-05 08:01:43
  Ctime    : 2014-01-05 08:01:10              , 2014-01-05 08:01:43
Directory: /usr/lib64/perl5/CORE
  Mtime    : 2014-01-05 08:01:10              , 2014-01-05 08:01:44
  Ctime    : 2014-01-05 08:01:10              , 2014-01-05 08:01:44
Directory: /root
  Mtime    : 2014-01-05 07:59:25              , 2014-01-05 08:03:45
  Ctime    : 2014-01-05 07:59:25              , 2014-01-05 08:03:45
File: /root/.viminfo
  Inode    : 267392                           , 267393
Directory: /lib/udev
  Mtime    : 2014-01-05 08:01:14              , 2014-01-05 08:01:48
  Ctime    : 2014-01-05 08:01:14              , 2014-01-05 08:01:48
Directory: /bin
  Mtime    : 2014-01-05 08:01:15              , 2014-01-05 08:01:49
  Ctime    : 2014-01-05 08:01:15              , 2014-01-05 08:01:49
Directory: /lib64
  Mtime    : 2014-01-05 08:01:16              , 2014-01-05 08:01:50
  Ctime    : 2014-01-05 08:01:16              , 2014-01-05 08:01:50
Directory: /lib64/dbus-1
  Mtime    : 2014-01-05 08:01:16              , 2014-01-05 08:01:50
  Ctime    : 2014-01-05 08:01:16              , 2014-01-05 08:01:50
Directory: /sbin
  Mtime    : 2014-01-05 08:01:18              , 2014-01-05 08:01:52
  Ctime    : 2014-01-05 08:01:18              , 2014-01-05 08:01:52

After each execution of aide, the mtime and ctime on these directories are changed. Hence, aide detects and reports these changes.
This is due to prelinking. If you disable prelinking, then this problem will go away. To disable prelinking, modify the configuration file /etc/sysconfig/prelink. Change “PRELINKING=yes” to “PRELINKING=no“. Then manually run /etc/cron.daily/prelink as root. After updating the aide database, subsequent aide checks will not have this problem.

My System Configuration

  • CentOS 6.5 x86 64-bit
  • Aide 0.14
# aide --version
Aide 0.14
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

References

Two-Step Authentication for SSH on CentOS 6 Using Google Authenticator

Google Authenticator implements TOTP (timebased one-time-password) security tokens from RFC6238 via the Google mobile app Google Authenticator. The Authenticator provides a six digit one-time password users must provide in addition to their username and password to login, sometimes branded “two-step authentication”. Here, we install and configure a pluggable authentication module (PAM) which allows login using one-time passcodes.

Download and Install

At the time of this writing, only an old version of libpam-google-authenticator is available in the EPEL package repository. Hence, we are going to compile it from source. First, install prerequisites:

# yum install make gcc pam-devel

TOTP (timebased one-time-password) security tokens are time sensitive. Hence, make sure that your system has ntpd running, and is configured to start the service at boot:

# service ntpd start
Starting ntpd:                                             [  OK  ]
# chkconfig  ntpd on

Then download and install libpam-google-authenticator from source:

# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o sha1.o sha1.c
gcc -g   -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o  -ldl
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
gcc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o  -ldl
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden        \
              -o pam_google_authenticator_testing.o pam_google_authenticator.c
gcc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl
# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin

Set Up Google Authenticator

Before configuring SSH, first set up Google Authenticator. Run “google-authenticator” as the user you wish to log in with via SSH. You will be prompted with a few questions.

Do you want me to update your "~/.google_authenticator" file (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN
Your new secret key is: ABCD12E3FGHIJKLMN
Your verification code is 98765432
Your emergency scratch codes are:
  01234567
  89012345
  67890123
  45678901
  23456789
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

These settings are stored in the user’s ~/.google_authenticator file.
Copy and paste the URL into your browser and scan the QR code that is displayed with the app Google Authenticator on your mobile device. If you can’t scan the QR code, then you can enter the information manually with the given secret key and verification code. A new verification code should be displayed every 30 seconds.
Emergency one-time use verification codes are also given for you to write down in a secure place in case you were to not have your mobile device with you.

Configure PAM

Have PAM require Google Authenticator for SSH authentication. Modify /etc/pam.d/sshd and add the line “auth required pam_google_authenticator.so” at the top.

#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

This will require all users to use Google Authenticator for SSH authentication. To only require those users with Google Authenticator configured for their account (the ~/.google_authenticator file exists), then instead enter “auth required pam_google_authenticator.so nullok“.
The order in which you place items in this file matters. Given this configuration, you will first be prompted for your Google Authenticator verification code, then for your system account password when you SSH into the system.

Configure the SSH Service

Modify /etc/ssh/sshd_config. Verify these settings:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Restart the SSH service:

# service sshd restart

When you SSH into the system as a user configured for Google Authenticator, you will have to enter the verification code that is displayed in you Google Authenticator app, and then by your system password at the next prompt:

login as: root
Verification code: 01234567
Password: *******
#

If you have any problems, look in the /var/log/secure system log file.
If you have SELinux enabled, you may not be able to login, and get this error in /var/log/secure:

Jan  3 23:42:50 hostname sshd(pam_google_authenticator)[1654]: Failed to update secret file "/home/username/.google_authenticator"
Jan  3 23:42:50 hostname  sshd[1652]: error: PAM: Cannot make/remove an entry for the specified session for username from 192.168.0.5

This is probably due /home/username/.google_authenticator not having an appropriate Type Enforcement (TE):

# ls -Z /home/username/.google_authenticator
-r--------. username username unconfined_u:object_r:user_home_t:s0 /home/username/.google_authenticator

See here for additional information on this issue.

Skip Google Authenticator Authentication if Logging in from the Local Network

You may trust systems on you local network enough not not require that SSH connections from them use Google Authenticator. If so, modify /etc/pam.d/sshd so that it looks like this:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required     pam_google_authenticator.so

Then add the file /etc/security/access-local.conf with the contents:

# Google Authenticator can be skipped on local network
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL

This assumes your local network is subnet 192.168.0.0/24.

My System Configuration

  • CentOS 6.5 x86 64-bit
  • Google Authenticator libpam 1.0

References

Installing DenyHosts on CentOS 6

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. Upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. DenyHosts uses TCP Wrappers and not iptables.

Install DenyHosts

First, add the EPEL repository. Then simply install the package from the EPEL repository:

# yum install denyhosts

Configure DenyHosts

Before starting DenyHosts, configure a white list of IPs that DenyHosts should never block. Again, DenyHosts uses TCP Wrappers. Hence, edit /etc/hosts.allow and add IPs, entire subnets, etc. For example,

sshd: 12.34.56.78
sshd: 192.168.0.0/255.255.255.0

Start DenyHosts

# service denyhosts start

Configure the system to start DenyHosts at boot:

# chkconfig denyhosts on

Basic things to be aware of:

  • IPs to white list should be added to /etc/hosts.allow.
  • IPs that DenyHosts blocks will be added to /etc/hosts.deny.
  • The DenyHosts configuration file is /etc/denyhosts.conf.
  • DenyHosts logs everything that it does to /var/log/denyhosts.
  • DenyHosts watches /var/log/secure for SSH login attempts.
  • If a host is ever added to the block list by mistake, just remove it from /etc/hosts.deny. You can also manually add hosts you want to block.

Go through the DenyHosts configuration file (/etc/denyhosts.conf) and tune it to your liking. Be sure to restart DenyHosts (service denyhosts restart) if you change anything.

My System Configuration

  • CentOS 6.5 x86 64-bit
  • DenyHosts 2.6

References

Adding the EPEL (Extra Packages for Enterprise Linux) Repository to CentOS 6

The Extra Packages for Enterprise Linux (EPEL) repository provides rebuilds of Fedora packages for EL5 and EL6. This is not a CentOS repository. It is a Fedora project. This repository is suppose to complement the packages found in the base repository by adding additional, useful applications. A list of the additional packages may be found on the project’s web page.
According to the EPEL web site, “EPEL is purely a complementary add-on repository and does not replace packages in RHEL or layered products.” It should work along with the base repository without issue. However, there is always the possibility that the same application gets added, or that it doesn’t mix well with other third-party repositories added to your system. Hence, consider using the Yum priorities module.
Install the epel-release package for EL6 to automatically configure and enable this repository on CentOS 6.

# cd /tmp/
# wget http://mirrors.rit.edu/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
# yum makecache
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
epel/metalink                                            |  13 kB     00:00
 * base: mirrors.lga7.us.voxel.net
 * epel: mirrors.servercentral.net
 * extras: mirrors.lga7.us.voxel.net
 * updates: ftpmirror.your.org
base                                                     | 3.7 kB     00:00
base/filelists_db                                        | 5.9 MB     00:01
base/other_db                                            | 2.8 MB     00:00
epel/group_gz                                            | 237 kB     00:00
epel/filelists_db                                        | 8.0 MB     00:02
epel/other_db                                            | 3.4 MB     00:00
epel/updateinfo                                          | 731 kB     00:00
extras                                                   | 3.4 kB     00:00
extras/filelists_db                                      |  11 kB     00:00
extras/prestodelta                                       |  907 B     00:00
extras/other_db                                          | 5.8 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/filelists_db                                     | 649 kB     00:00
updates/prestodelta                                      | 241 kB     00:00
updates/other_db                                         | 107 kB     00:00
Metadata Cache Created

Verify the EPEL repository is enabled:

# yum repolist all
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.nexcess.net
 * epel: ftp.osuosl.org
 * extras: mirror.metrocast.net
 * updates: mirrors.rit.edu
repo id                repo name                                 status
C6.0-base              CentOS-6.0 - Base                         disabled
C6.0-centosplus        CentOS-6.0 - CentOSPlus                   disabled
C6.0-contrib           CentOS-6.0 - Contrib                      disabled
C6.0-extras            CentOS-6.0 - Extras                       disabled
C6.0-updates           CentOS-6.0 - Updates                      disabled
C6.1-base              CentOS-6.1 - Base                         disabled
C6.1-centosplus        CentOS-6.1 - CentOSPlus                   disabled
C6.1-contrib           CentOS-6.1 - Contrib                      disabled
C6.1-extras            CentOS-6.1 - Extras                       disabled
C6.1-updates           CentOS-6.1 - Updates                      disabled
C6.2-base              CentOS-6.2 - Base                         disabled
C6.2-centosplus        CentOS-6.2 - CentOSPlus                   disabled
C6.2-contrib           CentOS-6.2 - Contrib                      disabled
C6.2-extras            CentOS-6.2 - Extras                       disabled
C6.2-updates           CentOS-6.2 - Updates                      disabled
C6.3-base              CentOS-6.3 - Base                         disabled
C6.3-centosplus        CentOS-6.3 - CentOSPlus                   disabled
C6.3-contrib           CentOS-6.3 - Contrib                      disabled
C6.3-extras            CentOS-6.3 - Extras                       disabled
C6.3-updates           CentOS-6.3 - Updates                      disabled
C6.4-base              CentOS-6.4 - Base                         disabled
C6.4-centosplus        CentOS-6.4 - CentOSPlus                   disabled
C6.4-contrib           CentOS-6.4 - Contrib                      disabled
C6.4-extras            CentOS-6.4 - Extras                       disabled
C6.4-updates           CentOS-6.4 - Updates                      disabled
base                   CentOS-6 - Base                           enabled:  6,367
c6-media               CentOS-6 - Media                          disabled
centosplus             CentOS-6 - Plus                           disabled
contrib                CentOS-6 - Contrib                        disabled
debug                  CentOS-6 - Debuginfo                      disabled
epel                   Extra Packages for Enterprise Linux 6 - x enabled: 10,215
epel-debuginfo         Extra Packages for Enterprise Linux 6 - x disabled
epel-source            Extra Packages for Enterprise Linux 6 - x disabled
epel-testing           Extra Packages for Enterprise Linux 6 - T disabled
epel-testing-debuginfo Extra Packages for Enterprise Linux 6 - T disabled
epel-testing-source    Extra Packages for Enterprise Linux 6 - T disabled
extras                 CentOS-6 - Extras                         enabled:     14
updates                CentOS-6 - Updates                        enabled:    286
repolist: 16,882

Optionally, install the Yum priorities plugin. This plugin allows repositories to have different priorities. Packages in a repository with a lower priority can’t be overridden by packages from a repository with a higher priority even if repository has a later version.

# yum install yum-plugin-priorities

Verify that Yum plugins are enabled in /etc/yum.conf:

[main]
plugins=1

Verify that the Yum priorities plugin is enabled in /etc/yum/pluginconf.d/priorities.conf:

[main]
enabled = 1

Now add priorities to repositories by adding the line:

priority=N

to a repository entry, where N is an integer from 1 to 99. The default priority for repositories is 99. The repositories with the lowest numerical priority number have the highest priority. Hence, give all of the CentOS base and update repositories the highest possible priority (1). You do not need to modify the EPEL repository configuration files since they will default to the lower priority of 99. Modify /etc/yum.repos.d/CentOS-Base.repo to append

priority=1

to every repository definition.
Now check to see if any packages from the EPEL repository were excluded:

# yum repolist all
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * base: mirror.nexcess.net
 * epel: ftp.osuosl.org
 * extras: mirror.metrocast.net
 * updates: mirrors.rit.edu
82 packages excluded due to repository priority protections
repo id                repo name                              status
C6.0-base              CentOS-6.0 - Base                      disabled
C6.0-centosplus        CentOS-6.0 - CentOSPlus                disabled
C6.0-contrib           CentOS-6.0 - Contrib                   disabled
C6.0-extras            CentOS-6.0 - Extras                    disabled
C6.0-updates           CentOS-6.0 - Updates                   disabled
C6.1-base              CentOS-6.1 - Base                      disabled
C6.1-centosplus        CentOS-6.1 - CentOSPlus                disabled
C6.1-contrib           CentOS-6.1 - Contrib                   disabled
C6.1-extras            CentOS-6.1 - Extras                    disabled
C6.1-updates           CentOS-6.1 - Updates                   disabled
C6.2-base              CentOS-6.2 - Base                      disabled
C6.2-centosplus        CentOS-6.2 - CentOSPlus                disabled
C6.2-contrib           CentOS-6.2 - Contrib                   disabled
C6.2-extras            CentOS-6.2 - Extras                    disabled
C6.2-updates           CentOS-6.2 - Updates                   disabled
C6.3-base              CentOS-6.3 - Base                      disabled
C6.3-centosplus        CentOS-6.3 - CentOSPlus                disabled
C6.3-contrib           CentOS-6.3 - Contrib                   disabled
C6.3-extras            CentOS-6.3 - Extras                    disabled
C6.3-updates           CentOS-6.3 - Updates                   disabled
C6.4-base              CentOS-6.4 - Base                      disabled
C6.4-centosplus        CentOS-6.4 - CentOSPlus                disabled
C6.4-contrib           CentOS-6.4 - Contrib                   disabled
C6.4-extras            CentOS-6.4 - Extras                    disabled
C6.4-updates           CentOS-6.4 - Updates                   disabled
base                   CentOS-6 - Base                        enabled:     6,367
c6-media               CentOS-6 - Media                       disabled
centosplus             CentOS-6 - Plus                        disabled
contrib                CentOS-6 - Contrib                     disabled
debug                  CentOS-6 - Debuginfo                   disabled
epel                   Extra Packages for Enterprise Linux 6  enabled: 10,133+82
epel-debuginfo         Extra Packages for Enterprise Linux 6  disabled
epel-source            Extra Packages for Enterprise Linux 6  disabled
epel-testing           Extra Packages for Enterprise Linux 6  disabled
epel-testing-debuginfo Extra Packages for Enterprise Linux 6  disabled
epel-testing-source    Extra Packages for Enterprise Linux 6  disabled
extras                 CentOS-6 - Extras                      enabled:        14
updates                CentOS-6 - Updates                     enabled:       286
repolist: 16,800

This was actually a bit surprising! I was not expecting any packages from EPEL to be excluded because I was not expecting any packages that are in the base repository to also be in the EPEL repository. To determine which packages exist in both repositories, I temporarily disabled the Yum priorities module and did the following:

# yum --disablerepo="*" --enablerepo="base" list available | cut -d" " -f1 | sort > /tmp/base.txt
# yum --disablerepo="*" --enablerepo="epel" list available | cut -d" " -f1 | sort > /tmp/epel.txt
# comm -12 /tmp/base.txt /tmp/epel.txt
a2ps.i686
a2ps.x86_64
emacs-a2ps-el.x86_64
emacs-a2ps.x86_64
febootstrap.x86_64
freerdp-devel.i686
freerdp-devel.x86_64
freerdp-libs.i686
freerdp-libs.x86_64
freerdp-plugins.x86_64
freerdp.x86_64
ht2html.noarch
html2ps.noarch
lzop.x86_64
osutil.x86_64
perl-B-Keywords.noarch
perl-Class-MethodMaker.x86_64
perl-Config-Simple.noarch
perl-Devel-Cycle.noarch
perl-Exception-Class.noarch
perl-File-pushd.noarch
perl-Font-AFM.noarch
perl-HTML-Format.noarch
perl-IO-Tty.x86_64
perl-IPC-Run.noarch
perl-Locale-PO.noarch
perl-MIME-Lite.noarch
perl-MIME-Types.noarch
perl-Module-Find.noarch
perl-Net-SMTP-SSL.noarch
perl-PadWalker.x86_64
perl-Parse-RecDescent.noarch
perl-Perl-Critic.noarch
perl-Pod-Spell.noarch
perl-String-Format.noarch
perl-Syntax-Highlight-Engine-Kate.noarch
perl-Term-ProgressBar.noarch
perl-Test-Memory-Cycle.noarch
perl-Test-Perl-Critic.noarch
perl-Test-Spelling.noarch
perl-UNIVERSAL-can.noarch
perl-UNIVERSAL-isa.noarch
perl-XML-TokeParser.noarch
perl-XML-Writer.noarch
pexpect.noarch
pki-symkey.x86_64
PyPAM.x86_64
python-ipaddr.noarch
python-krbV.x86_64
python-repoze-who-friendlyform.noarch
python-suds.noarch
python-tw-forms.noarch
python-urwid.x86_64
scl-utils-build.x86_64
scons.noarch
snappy-devel.i686
snappy-devel.x86_64
snappy.i686
wordnet-devel.i686
wordnet-devel.x86_64
wordnet.i686
wordnet.x86_64
xerces-c-devel.i686
xerces-c-devel.x86_64
xerces-c-doc.noarch
xerces-c.i686
xerces-c.x86_64
xhtml2ps.noarch

At random, I compared the package “osutil”:

# yum --disablerepo="*" --enablerepo="base" info osutil
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * base: mirror.nexcess.net
Available Packages
Name        : osutil
Arch        : x86_64
Version     : 2.0.1
Release     : 1.el6
Size        : 25 k
Repo        : base
Summary     : Operating System Utilities JNI Package
URL         : http://pki.fedoraproject.org/
License     : GPLv2
Description : The Operating System Utilities Java Native Interface (JNI) package
            : supplies various native operating system operations to Java
            : programs.
# yum --disablerepo="*" --enablerepo="epel" info osutil
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
 * epel: ftp.osuosl.org
Available Packages
Name        : osutil
Arch        : x86_64
Version     : 1.3.1
Release     : 3.el6.1
Size        : 25 k
Repo        : epel
Summary     : Operating System Utilities JNI Package
URL         : http://pki.fedoraproject.org/
License     : GPLv2
Description : The Operating System Utilities Java Native Interface (JNI) package
            : supplies various native operating system operations to Java
            : programs.

Interestingly, this says that this package in EPEL is older than the one in CentOS base. Hence, this package should never get installed anyways. I find the existence of these duplicate packages more interesting than cause for concern. Perhaps these packages are also in EPEL in order to satisfy package dependencies …?

My System Configuration

  • CentOS 6.5 x86 64-bit

References

VMware Workstation 10 on CentOS 6 Host with Windows 7 Guest Running iTunes

After installing iTunes on a Windows 7 guest, I would then plug my iPhone into a USB port on my CentOS 6 host. Inside of VMware Workstation 10, I selected the appropriate VM, then from the menu bar I selected VM > Removable Devices > Apple iPhone > Connect (Disconnect from host). This causes VMware to attach this USB device to the Windows guest instead of the CentOS host.
After doing this, I get the following message from VMware: “The Device “Apple iPhone” was not able to connect to its ideal host controller. An attempt will be made to connect this device to the best available host controller. This might result in undefined behavior for this device.”

Go to Start > Devices and Printers. You should see two new devices under the Unspecified section called “Apple Mobile Device USB Driver” and “Apple iPhone”.

Also, if you open up Explorer and go to Computer, you should see your iPhone listed as a Portable Device.

After browsing files on the iPhone within Explorer (using the iPhone as an internal storage device), I get a Windows blue screen including the message “BUGCODE_USB_DRIVER”. The guest machine crashes while the host remains stable.

Alternatively, if I opened iTunes while the iPhone is attached to the Windows guest, iTunes would display the error “iTunes could not connect to the iPhone because an invalid response was received from the device.”

Ultimately, I resolved the majority of my issues by powering off the Windows guest VM, going to VM > Settings > USB Controller >
Change USB Compatibility from USB 1.1 to USB 2.0. Save and restart the VM.
Every once in a while iTunes does not recognize the iPhone. Usually this can be resolved, by removing and re-adding the iPhone or closing and re-opening iTunes. Sometimes by adding the iPhone prior to starting iTunes.
In order for Sync over Wi-Fi to work, the guest Windows VM running iTunes should to have an IP on the same physical network as your iPhone. Power off the guest VM, go to VM > Settings > Network Adapter >
Select “Bridged” instead of “NAT”.

My System Configuration

  • VMware Workstation 10.1
  • Host: CentOS 6.5 x86 64-bit
  • Guest: Windows 7 Professional SP1
  • iTunes 11.1.3.8

References

CentOS Host OS Crashes When Installing VMware Tools on a Guest OS Within VMware Workstation 10

Installing VMware Tools on a Windows 7 Guest OS in VMware Workstation 10.1 running on a CentOS 6 host always resulted in the host OS crashing.
This appears to be due to a combination of VMware Workstation 10.1 running on CentOS 6 .5 with kernel 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP x86_64 GNU/Linux. I see these two interesting items on the screen output followed by a call trace.

BUG: scheduling while atomic: vmware/6035/0x000002000
Pid: 6035, comm: vmware Tainted: G D --------- 2.6.32-431.1.2.0.1.el6.x86_64 #1

2013-12-28_vmware-host-crash
To resolve this issue:

# service vmware-workstation-server stop
# service vmware stop
# mv -v /usr/lib/vmware/modules/binary /usr/lib/vmware/modules/binary~orig
# rm /lib/modules/$(uname -r)/misc/v*.ko
# depmod -a
# yum install make gcc keneral-headers-$(uname -r) kernel-devel
# /usr/bin/vmware-modconfig --console --install-all
# service vmware start
# service vmware-workstation-server start

I could now attempt to install VMware Tools on a Windows 7 Guest OS without the host crashing. However, I now ran into another complication. The VMware Tools install would hang around the point of installing the ThinPrint module. Basically, the VMware Tools install hangs due to cruft left over from previous install attempts. Follow VMware KB Article 1001354 to remove cruft left over from previous VMware Tools installs. Then try reinstalling again.
You do not need to repeat this procedure since the offending modules are being removed in the steps above. During subsequent kernel upgrades, modules will be recompiled automatically.
VMware claims that “this issue should be fixed with the next update (10.0.2), and we will publish a kb article.”
UPDATE: The VMware community appears to agree that this issue is resolved in the Workstation 10.0.2 release.

My System Configuration

  • VMware Workstation 10.1
  • Host: CentOS 6.5 x86 64-bit
  • Guest: Windows 7 Professional SP1

References

Install Additional Common Linux Packages on CentOS 6 Minimal Install

After performing a base install of CentOS 6 using the minimal install CD, you may find that a lot of commands that you would expect are not there. Do the following to install additional, basic Linux packages that are common to most Linux distributions:

# yum groupinstall "Base"

Run the following in order to see detailed information including a description and which packages it will install.

# yum groupinfo "Base"
Group: Base
 Description: The basic installation of CentOS Linux.
 Mandatory Packages:
   alsa-utils
   at
   authconfig
   bc
   bind-utils
   centos-indexhtml
   crontabs
   cyrus-sasl-plain
   dbus
   ed
   file
   logrotate
   lsof
   man
   ntsysv
   parted
   pciutils
   psacct
   quota
   setserial
   tmpwatch
   traceroute
 Default Packages:
   abrt-addon-ccpp
   abrt-addon-kerneloops
   abrt-addon-python
   abrt-cli
   acpid
   b43-fwcutter
   biosdevname
   blktrace
   bridge-utils
   bzip2
   cpuspeed
   cryptsetup-luks
   dmraid
   dosfstools
   eject
   ethtool
   fprintd-pam
   gnupg2
   hunspell
   hunspell-en
   irqbalance
   kexec-tools
   ledmon
   libaio
   lvm2
   man-pages
   man-pages-overrides
   mdadm
   microcode_ctl
   mlocate
   mtr
   nano
   ntp
   ntpdate
   openssh-clients
   pam_passwdqc
   pcmciautils
   pinfo
   plymouth
   pm-utils
   prelink
   rdate
   readahead
   rfkill
   rng-tools
   rsync
   scl-utils
   setuptool
   smartmontools
   sos
   strace
   sysstat
   system-config-firewall-tui
   system-config-network-tui
   systemtap-runtime
   tcpdump
   tcsh
   time
   unzip
   usbutils
   vconfig
   vim-enhanced
   virt-what
   wget
   which
   wireless-tools
   words
   xz
   yum-plugin-security
   yum-utils
   zip
 Optional Packages:
   PyPAM
   audispd-plugins
   brltty
   cpupowerutils
   device-mapper-persistent-data
   dos2unix
   dumpet
   ecryptfs-utils
   edac-utils
   genisoimage
   gpm
   kabi-yum-plugins
   kernel-doc
   linuxptp
   logwatch
   mkbootdisk
   mtools
   ncurses-term
   nss_db
   oddjob
   pax
   python-dmidecode
   python-volume_key
   rsyslog-gnutls
   rsyslog-gssapi
   rsyslog-relp
   sgpio
   sox
   squashfs-tools
   star
   tboot
   tunctl
   udftools
   unix2dos
   uuidd
   volume_key
   wodim
   x86info
   yum-plugin-aliases
   yum-plugin-changelog
   yum-plugin-downloadonly
   yum-plugin-tmprepo
   yum-plugin-verify
   yum-plugin-versionlock
   yum-presto
   zsh

There are additional package groups that may be useful in order to easily setup a particular service. To see a list of all the installed and available package groups:

# yum grouplist

My System Configuration

  • CentOS 6.5 x86 64-bit

References

Install a Desktop Environment on CentOS 6 Minimal Install

After performing a base install of CentOS 6 using the minimal install CD, do the following to install a basic GNOME desktop environment:

# yum groupinstall "Desktop" "Desktop Platform" "X Window System" "Fonts"

Run the following on a particular package group in order to see detailed information including a description and which packages it will install.

# yum groupinfo groupname

There are additional package groups if you want something more than a basic desktop environment. For example,

# yum -y groupinstall "General Purpose Desktop"

To see a list of all the installed and available package groups:

# yum grouplist

Once installed, you can start GNOME by running:

$ startx

or

$ /sbin/telinit 5

To have CentOS boot into runlevel 5 “X11” instead of runlevel 3 “Full multiuser mode”, modify the /etc/inittab file to change start up level from

id:3:initdefault:

to

id:5:initdefault:

My System Configuration

  • CentOS 6.5 x86 64-bit

References