Odds and ends


Thursday 15 May 2008

Impact of the Debian OpenSSL vulnerability

We have posted a warning about the impact of the Debian OpenSSL vulnerability on the CentOS-announce list, but I think it is useful to repeat it here (for readers of CentOS Planet) as well:

A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package[1], starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.

The bug prevented the OpenSSL random number generator from collecting
the entropy required for generating unpredictable keys. In fact it
appears that the only remaining source of entropy was the process ID
of the process generating a key, which is chosen from a very small
range and is predictable. As such, all keys generated using the Debian
OpenSSL library should be considered compromised. Programs that use
OpenSSL include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not
use OpenSSL, so they are not affected.

This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For
instance, if a user uses OpenSSH public key authentication to log on
to a CentOS server, and this user generated the key pair with a
vulnerable OpenSSL library, the server is at serious risk: the private
key belongs to a small, enumerable set and can be regenerated easily.

Additionally, all (good) DSA keys that were ever used on a vulnerable
Debian machine for signing or authentication should also be considered
compromised, because of a known attack on DSA: a signature made with a
predictable per-signature nonce reveals the private key, even if the
key itself was generated on an unaffected system.

As a result of this bug, everyone should audit *every* key or
certificate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. In the case of DSA keys, care should also be taken that they
were never used (not just generated) on a system with a vulnerable
OpenSSL package. Keys that are potentially compromised should be
replaced with strong keys.

The Debian Wiki[2] has a preliminary list of affected applications. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives.

The Metasploit project provides a full list of weak keys in various
configurations[3].

Questions on how this may affect CentOS users should be directed to
the CentOS users list. List subscription information is available
from:

http://lists.centos.org/mailman/listinfo/centos

With kind regards,
The CentOS Team

[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/
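The "known attack on DSA keys" that the announcement refers to, worked through as an added example (this is my illustration, not code from the announcement, from Debian or from OpenSSL). DSA's per-signature nonce k must be secret and unpredictable; when k comes from a generator that only depends on the process ID, an attacker who sees one signature can simply try every PID, recover k, and from s = k^-1 (H(m) + x r) mod q compute x = (s k - H(m)) r^-1 mod q. The parameters below are toy-sized (p = 2039, q = 1019, g = 4) so the script runs instantly, `weak_nonce()` is a constructed stand-in for the broken RNG, and the PID range 1..32767 is an assumption; the arithmetic itself is exactly that of real DSA.

```python
"""Private-key recovery from a DSA signature whose nonce came from a
PID-only RNG.  Added example; toy parameters, constructed weak RNG."""
import hashlib

P, Q, G = 2039, 1019, 4          # toy DSA group: q | p - 1 and g has order q mod p
PID_RANGE = range(1, 32768)      # assumed candidate PIDs (Linux pid_max of the era)


def weak_nonce(pid):
    """Constructed stand-in for the broken generator: k depends only on the PID."""
    digest = hashlib.sha1(b"weak-prng-seed:%d" % pid).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)      # 1 <= k <= q - 1


def hash_to_int(msg):
    """H(m) reduced into Z_q (real DSA takes the leftmost bits; same idea)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q


def dsa_sign(x, msg, k):
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    if r == 0 or s == 0:
        return None                # real DSA retries with a fresh k
    return r, s


def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = hash_to_int(msg) * w % Q
    u2 = r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(sig, msg, k):
    """s = k^-1 (H(m) + x r) mod q  =>  x = (s k - H(m)) r^-1 mod q."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * pow(r, -1, Q) % Q


def attack(y, msg, sig):
    """Attacker knows only y, m, (r, s) and that k = weak_nonce(pid) for
    some pid.  Enumerate the PIDs; r is a cheap filter, y the final check."""
    r, _ = sig
    for pid in PID_RANGE:
        k = weak_nonce(pid)
        if pow(G, k, P) % Q != r:
            continue
        x = recover_private_key(sig, msg, k)
        if pow(G, x, P) == y:
            return x
    return None


def demo():
    """A 'good' key (x chosen elsewhere) signs once on the vulnerable host;
    returns True if the attacker recovers x from that single signature."""
    x = 777
    y = pow(G, x, P)
    msg = b"ssh-userauth request"
    sig, pid = None, 4242
    while sig is None:             # mimic DSA retrying on a degenerate r or s
        sig = dsa_sign(x, msg, weak_nonce(pid))
        pid += 1
    assert dsa_verify(y, msg, sig)
    return attack(y, msg, sig) == x


if __name__ == "__main__":
    print("private key recovered from one signature:", demo())
```

The search space is the PID range, not the key size, which is why a 1024-bit (or larger) DSA key that was merely *used* on a vulnerable host is as lost as one generated there; RSA keys generated elsewhere do not have this failure mode, since RSA signing has no per-signature nonce.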

Wednesday 9 April 2008

CentOS vendor support

Official vendor support for an operating system contributes a lot to the visibility of that system. Therefore it is very encouraging to see that VMware is planning to support CentOS as a guest and host(?) system in its upcoming VMware Workstation 6.5 product. Kudos go out to VMware for planning to support CentOS, as well as for releasing its guest OS tools under a free software license.

Of course, we would love to see more vendors supporting CentOS. Given that we try to be fully binary compatible with our upstream vendor, it should not require retraining of support personnel or much additional effort. It's surprising to see that some vendors do not support CentOS even when their infrastructure or developers rely on CentOS. Of course, many vendors create their offerings based on customer demand. So don't hesitate to speak up, and ask your software vendor to support CentOS. Maybe even drop a few lines on why you prefer CentOS over the operating systems that they do support (stability, long-term support, etc.). Finally, let the community know if a major product starts supporting CentOS: other people may have been waiting for support as well (and it is a kind "thank you" to that particular company).

Thursday 24 January 2008

CentOS Projects

Those who are not actively monitoring the Wiki or project lists may be interested to hear that CentOS now more formally hosts several subprojects with their own Subversion trees and ticket tracking. A list of projects is available on the Wiki. Currently there are four projects, which all potentially add a lot of value to CentOS:

  • The CentOS Live CD project will be creating live CDs of the CentOS system, starting with CentOS 5.1. The project is driven by Patrice Guay, who also created the CentOS 5.0 Live CD, and who has renewed the live CD infrastructure to use the Fedora livecd-tools.
  • Project Cranberry is working on a sysadmin toolkit, which will contain a specific set of packages aimed at system maintenance and recovery.
  • Dasha is a project that aims to bring more drivers to CentOS: drivers that were disabled in the upstream kernel, drivers backported from newer kernels, or third-party drivers. Since CentOS aims at stability rather than at being cutting edge, this project is a welcome addition for newer hardware.
  • Pandora is a project that works on a comfortable package browser for the CentOS repositories, that also aims to provide RSS feeds and future integration with the CentOS bugtracker.

Of course, we are always on the look-out for new contributors to the CentOS project and community, and working on CentOS projects is one of the possible ways to contribute. You can help projects by:

  • Testing code and packages produced by the projects, and submitting bug reports for problems that you encounter at the project's Trac site.
  • Contributing code to particular projects that you are interested in.
  • Proposing a new project and driving it, if it is accepted as a CentOS-hosted project.

Thursday 22 November 2007

How do you like your tea?

IcedTea packages are now available for CentOS 5/i386. IcedTea builds upon OpenJDK, and replaces the few binary plugs with stubs or classpath code. OpenJDK is the open source Java JDK that Sun Microsystems generously donated to the free software community.

Currently, not all Java software included in CentOS runs with IcedTea (most notably Eclipse, although the latest version from the Eclipse Foundation works well after setting the language level to 5.0/1.5.0). But for many applications it seems to work well and fast.

Wednesday 14 November 2007

Slight yum-priorities breakage

Some people using CentOS 5 with RPMForge may have bumped into a problem where perl-Compress-Zlib from CentOS is upgraded with the same package from RPMForge. What happened? The original priorities plugin excluded packages just by their names. So even if a higher-priority repo has a package for one arch (say i386) and a lower-priority repo has a package with the same name but a different arch (e.g. noarch), the package from the lower-priority repository was excluded.

One user reported a more exotic use case (rhbz #227540), where he needed per-arch priorities, so that for instance an x86_64 package does not exclude an i386 package with a lower priority. Upstream (yum-utils) made a change to make priorities per-arch. Unfortunately, this has hit us now that perl-Compress-Zlib has become a noarch package: it is no longer excluded, and yum offers to upgrade the package with the package from RPMForge.

This has now been fixed in the HEAD git version of yum-priorities, where per-arch excludes are made optional rather than the default. After proper testing, we will probably include this version of priorities in CentOS 5-Extras (CentOS 4 is not affected).
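To make the difference between the two exclusion rules concrete, here is a small model of the plugin's decision, added as an example; it is not the code of yum-priorities itself. The repository priorities, the package inventory and the version numbers are constructed; the assumption that the RPMForge side of perl-Compress-Zlib is the noarch one is mine, and `example-lib` is a hypothetical name standing in for the rhbz #227540 case. As in the real plugin, a lower priority number wins.

```python
"""Model of yum-priorities exclusion: name-only (original) versus
per-arch (yum-utils change).  Added example with constructed data."""

REPO_PRIORITY = {"base": 1, "rpmforge": 10}    # lower number wins

# Constructed inventory: (name, arch, version, repo).  Versions are made up;
# which side of perl-Compress-Zlib is noarch is an assumption.
PACKAGES = [
    ("perl-Compress-Zlib", "i386",   "1.42",  "base"),
    ("perl-Compress-Zlib", "noarch", "2.005", "rpmforge"),
    ("yum",                "noarch", "3.0.5", "base"),
    ("yum",                "noarch", "3.2.8", "rpmforge"),
    ("example-lib",        "x86_64", "1.0",   "base"),      # hypothetical name
    ("example-lib",        "i386",   "1.0",   "rpmforge"),  # the rhbz #227540 case
    ("dstat",              "noarch", "0.6.6", "rpmforge"),
]


def priority_key(pkg, per_arch):
    """What the plugin compares on: the name, or the (name, arch) pair."""
    name, arch, _version, _repo = pkg
    return (name, arch) if per_arch else name


def excluded(packages, repo_priority, per_arch=False):
    """Packages the plugin hides from yum, as sorted (name, arch, repo).

    per_arch=False is the original behaviour (compare by name only);
    per_arch=True is the yum-utils change (compare by name and arch).
    The fix described in the post keeps per-arch off unless asked for,
    hence the default here."""
    best = {}
    for pkg in packages:
        key, prio = priority_key(pkg, per_arch), repo_priority[pkg[3]]
        best[key] = min(best.get(key, prio), prio)
    return sorted((p[0], p[1], p[3]) for p in packages
                  if repo_priority[p[3]] > best[priority_key(p, per_arch)])


def visible_repos(packages, repo_priority, per_arch, name):
    """Repositories yum would still consider for `name` after the excludes.
    More than one entry means a lower-priority repo can 'upgrade' it."""
    hidden = set(excluded(packages, repo_priority, per_arch))
    return sorted({p[3] for p in packages
                   if p[0] == name and (p[0], p[1], p[3]) not in hidden})


if __name__ == "__main__":
    for per_arch in (False, True):
        print("per_arch =", per_arch)
        print("  excluded:", excluded(PACKAGES, REPO_PRIORITY, per_arch))
        print("  perl-Compress-Zlib from:",
              visible_repos(PACKAGES, REPO_PRIORITY, per_arch, "perl-Compress-Zlib"))
```

With name-only matching the RPMForge perl-Compress-Zlib is hidden and only the base package remains visible; with per-arch matching the noarch package has no i386 counterpart to compete with, so both repos stay visible and yum offers the RPMForge version as an upgrade. The same rule is what makes the x86_64/i386 `example-lib` pair work as the rhbz reporter wanted, which is why the fix makes per-arch excludes optional rather than removing them.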

I'd like to post a slight reaction to Dag's recent blog entry as well: my experiences are quite the contrary. yum is one of the nicest package managers I have found, the code is very readable, it's easy to write plugins for yum, it's easy to embed yum in other software. Sure, there are some problematic things (like signal handling in some yum versions), but the yum developers have been very responsive to my bug reports and patches.

Thursday 8 November 2007

yum 2.4 for CentOS 3 is now in CentOS Plus

After extensive testing on the CentOS-devel list, Tru Huynh has added yum 2.4 (and all its dependencies) for CentOS 3 to the CentOS Plus repository for CentOS 3. yum 2.4 has numerous improvements over 2.0, and the accompanying yum plugins (fastestmirror, priorities, etc.) add useful functionality. A backported version of the yum C metadata parser was added as well. This makes the metadata parsing phase much faster. Instructions for installing yum 2.4 can be found in Tru's mail to the CentOS-announce list.

Monday 15 October 2007

T-DOSE impressions

T-DOSE was very nice. It's a great opportunity to meet up again with other CentOS contributors, and talk to a lot of people (some of which I have known for years through Internet fora and/or IRC). Some impressions:

  • T-DOSE was nicely organized; hopefully next year will bring even more people, booths, and talks. The location was also excellent: a modern and very functional building, not too far from the train station.
  • Presenting stuff surely helps: some good soul pointed out that XenSource provides kernel patches against EL3 kernels. For some reason I didn't see or hear about it before.
  • I only attended one other presentation, from Wybo Wiersma of the Logi Logi foundation who has some really nice ideas about freedoms in a Web 2.0 world. While I am not sure their approach to providing more freedom is the most effective, the talk gave good food for thought, and some nice discussion.
  • For the photo addicts: there will be a photo of the T-DOSE booth team :).
  • We need CentOS stickers and posters.

Thursday 11 October 2007

This weekend: T-DOSE

If you live in or near The Netherlands, don't miss out on The Dutch Open Source Event (T-DOSE) that will be held on 13 and 14 October in Eindhoven. There's an interesting schedule, various projects have booths, and of course, there will be a social event.

Thanks to the tireless efforts of Dag and other volunteers, almost no West-European event goes by without a CentOS presence. T-DOSE is no exception: there will be a booth and talks about dstat (Dag) and CentOS Virtualization (me). We could use additional help at the booth, so if you are interested, please visit the CentOS page for this event and let us know through the CentOS-promo list.

See you this weekend!

Monday 1 October 2007

Planet CentOS moves to planet.CentOS.org

We have just moved the Planet CentOS site to http://planet.centos.org/, making this the official CentOS blog aggregation site. I will make the old site (http://centos-planet.danieldk.org/) a redirect to the new location within a few days.

This is also a call to CentOS contributors (e.g. Wiki editors): if you would like your blog to be added to the Planet CentOS site, let me (daniel at centos dot org) know!

Sunday 2 September 2007

CentOS Virtualization SIG

As of today, the first CentOS special interest group is active, the Virtualization SIG. A SIG is a smaller group within the CentOS project that focuses on a certain topic, and does promotion, support, and/or development in that area. Besides the creation of the Virtualization SIG, planning for some other SIGs is underway, e.g. an Artwork SIG.

The Virtualization SIG has various technical and support goals. As a part of the latter, the CentOS-virt list was created to discuss virtualization on CentOS and matters related to the virtualization SIG. For more information about the SIG and its goals, please read the announcement message to the CentOS-announce list.

Saturday 1 September 2007

KVM hits CentOS-extras

KVM-35 is now available through the CentOS Extras repository for CentOS 5. To use it, install the kmod-kvm package for your kernel, and reboot your system (or restart udev) to make sure that the /dev/kvm device node gets the correct permissions. At boot time, the kvm-amd or kvm-intel module will be loaded, based on the CPU extensions found in /proc/cpuinfo. Users who should be able to use KVM must be added to the kvm group. After that, virtual machines can be created through the qemu-kvm command, which is based on QEMU and follows the QEMU syntax.

Wednesday 1 August 2007

KVM SRPMs

Unofficial CentOS SRPMs are now available for KVM-33. KVM (Kernel Virtual Machine) is a loadable kernel module that provides virtualization infrastructure using the VT-x and AMD-V features of modern Intel and AMD CPUs. A modified version of qemu makes use of this infrastructure to run fully virtualized guest operating systems at an impressive speed. Personally, I use it for running older CentOS versions, and occasionally to run Windows 2000 for stuff I need to test there. It's well worth looking at if you like the ease of use and maintenance of qemu.

Thursday 10 May 2007

yum-metadata-parser for yum 2.4

Some CentOS 5 (or Fedora) users may have tried the new C metadata parser for yum, which is significantly faster than the Python-based metadata parser. Yesterday I backported the C metadata parser to yum 2.4 for CentOS 4. It requires a relatively unintrusive patch against yum and a patch against yum-metadata-parser 1.1.0.

Of course, we all want benchmarks :). This is yum on CentOS 4 with the default repositories:

# yum clean all
# time yum whatprovides /bin/ls
[...]
real    0m45.158s
user    0m34.600s
sys     0m0.540s

and with the C metadata parser:

# yum clean all
# time yum whatprovides /bin/ls
[...]
real    0m15.580s
user    0m3.950s
sys     0m0.620s

Looking at the user/sys values, the actual CPU time spent on yum is 35.1 seconds versus 4.6 seconds.

Update: there's a patch for CentOS 3 too. Testing packages are now available through the CentOS Testing repository.