RHEL

Don't Fear the firewalld


Screenshot: firewall-config GUI

Update: Somehow I forgot to mention a GUI for firewalld named firewall-config. Be sure to check that out if you prefer a GUI.

I have run across a few people who are perplexed by firewalld and I must admit that I was for a while until I did some reading and experimentation. What is firewalld? It is basically a replacement for the ancient iptables service on RHEL and Fedora systems. So many of us were just used to manually editing /etc/sysconfig/iptables and then copying that file from system to system as desired, that the switch to firewalld was a bit scary. I mean, who wants to learn something new, right?

Another thing that is scary about firewalld is the complexity of the rules it shows when you do something like: iptables -L

While the configuration, tools and output have dramatically changed... really firewalld makes things easier and more manageable. Really. One of the problems with Linux across distros is that there really hasn't been a standardized way to handle the host-based firewall. Each distro seems to have its own way of doing it... and popular packages like Shorewall have been around for years. I think firewalld tries for a happy medium somewhere between simple and complex and a standard that distros can choose to adopt.

Anyway, here are some basics (as root or via sudo) but if you want more be sure and check out the documentation:

Main documentation: www.firewalld.org/documentation/
Fedora Documentation: fedoraproject.org/wiki/FirewallD
RHEL Documentation: access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

firewall-cmd --list-all (shows human readable firewall settings)

firewall-cmd --add-service=ssh --permanent (opens up port 22, used by sshd; the predefined service is named "ssh", and this saves to config)
firewall-cmd --add-service=http --permanent (opens up port 80 which is http and saves to config)
firewall-cmd --add-service=https --permanent (opens up port 443 which is https and saves to config)
firewall-cmd --remove-service=https --permanent (closes port 443 and saves to config)

If you don't want your changes saved, just leave off --permanent.

Want to open arbitrary ports for some service (like voxelands-server for example)? That is easy too:

firewall-cmd --add-port=30000/tcp --permanent

Want UDP? Ok:

firewall-cmd --add-port=30000/udp --permanent

After your changes it doesn't hurt to verify again with:

firewall-cmd --list-all

Want to manage firewalld via a config management system? There is a formula for SaltStack here and supposedly Ansible also supports firewalld.

Want to edit a file instead of running firewall-cmd? That's possible too. firewalld stores everything somewhere under /etc/firewalld/. In particular the changes listed above would get written to /etc/firewalld/zones/public.xml. Yeah, it's an "xml" file but make a change or two via firewall-cmd and see what it adds or removes from it and you'll see that it is very easy to monkey-see-monkey-do for those that want to edit the file directly. After updating or replacing any of firewalld's configuration files you want to make firewalld aware of the change with:

systemctl reload firewalld

If you are brave enough to manually edit the config just be aware that you are responsible for your typos.
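As an added example (not from the original post), here is a small Python audit of a zone file like /etc/firewalld/zones/public.xml: it parses the services and ports the file declares, compares them with an allowlist, and prints the firewall-cmd commands that would reconcile the permanent config. The allowlist and the sample zone XML are constructed for the demo; note that a --permanent change only lands in the running rules after `firewall-cmd --reload`.

```python
"""Audit a firewalld zone file against an allowlist.

Added example, not part of the original post. firewalld writes the changes
made with `firewall-cmd --permanent` to zone XML files under
/etc/firewalld/zones/ (the post points at public.xml). This script parses
such a file and reports services and ports the allowlist does not expect,
emitting the firewall-cmd invocations that would close them.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling /etc/firewalld/zones/public.xml after the
# commands in the post: ssh, http and https added, plus port 30000 tcp+udp.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <port protocol="tcp" port="30000"/>
  <port protocol="udp" port="30000"/>
</zone>
"""

# What this host is supposed to expose (hypothetical policy for the demo).
ALLOWED_SERVICES = {"ssh", "dhcpv6-client", "https"}
ALLOWED_PORTS = {("30000", "tcp")}


def parse_zone(xml_text):
    """Return (services, ports) declared in a firewalld zone file.

    services is a set of service names; ports is a set of (port, protocol)
    tuples such as ("30000", "tcp"). A port range like "6000-6010" is kept
    as the literal string firewalld uses in the file.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file: root is <%s>" % root.tag)
    services = {s.get("name") for s in root.findall("service")}
    ports = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    return services, ports


def audit_zone(xml_text, allowed_services, allowed_ports, zone="public"):
    """Compare the zone against the allowlist.

    Returns the firewall-cmd commands that would bring the permanent config
    in line. Run `firewall-cmd --reload` afterwards: --permanent edits do
    not touch the running rules until a reload.
    """
    services, ports = parse_zone(xml_text)
    cmds = []
    for svc in sorted(services - allowed_services):
        cmds.append("firewall-cmd --zone=%s --permanent --remove-service=%s" % (zone, svc))
    for port, proto in sorted(ports - allowed_ports):
        cmds.append("firewall-cmd --zone=%s --permanent --remove-port=%s/%s" % (zone, port, proto))
    for svc in sorted(allowed_services - services):
        cmds.append("firewall-cmd --zone=%s --permanent --add-service=%s" % (zone, svc))
    for port, proto in sorted(allowed_ports - ports):
        cmds.append("firewall-cmd --zone=%s --permanent --add-port=%s/%s" % (zone, port, proto))
    return cmds


if __name__ == "__main__":
    for cmd in audit_zone(SAMPLE_ZONE_XML, ALLOWED_SERVICES, ALLOWED_PORTS):
        print(cmd)
```

Point it at the real file with `open("/etc/firewalld/zones/public.xml").read()` to audit a host; the script only prints commands and never changes the firewall itself.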

I've only touched the tip of the iceberg for the most common stuff. Need more info? Yeah, there is a ton of documentation including a couple of man pages.

Getting the CCISS RAID controller to work on EL7


As you may have gathered, I really like RHEL 7 and its clones. I have run into one problem though. In Chapter 24 of the RHEL 7 Release Notes they enumerate quite a bit of hardware that they have dropped support for. Included are about 3 pages of RAID controllers and some NICs. I have a few HP Proliant DL380 G5 servers at work that have the HP Smart Array P400 RAID Controller in them and they are no longer officially supported with the release of RHEL 7.0. They work just fine with RHEL 5 and RHEL 6. HP actually has drivers that they provide for RHEL 5 and RHEL 6 but almost no one uses them because the hardware just worked with the stock RHEL kernels. Since the G5 machines (that's generation 5 not PowerPC G5) are 6 or 7 years old now, HP has stopped providing firmware updates and will not be providing drivers for newer Linux distros.

Just to verify, I booted one of the servers with the RHEL 7 install DVD and nope... it says there are no hard disks available. :(

The devs over at ElRepo have saved my day. I filed a request for enhancement (RFE) in their Mantis bug tracker system asking if they could build the CCISS driver package for the EL7 kernel. I had an answer within an hour or two... and a test package within a couple of hours. If you aren't familiar with ElRepo, they are a fairly popular third-party repo for EL. Not quite as popular as the Fedora Project's EPEL repo though. One thing ElRepo specializes in is drivers.

I do recommend staying away from third-party repos and drivers as much as possible but given the fact that the stock RHEL 7 installer says my servers have no hard drives I was stuck. If you don't have any hard drives, you can't do an install. I have never had to use a driver disk with the RHEL installer but I guess such things exist. Not being familiar with them, I just took the kmod-cciss package the ElRepo dev built, copied it to my local repository, added it to the package list of my CentOS LiveDVD kickstart file. Then I used livecd-creator to build a LiveDVD. My personal respin includes GNOME, KDE, Firefox, LibreOffice, GIMP, Inkscape, virt-manager, SPICE, etc... and now the ElRepo kmod-cciss package as well. After building the ISO I burned it to DVD and booted a problem server with it. Bingo, EL7 sees the controller and the disks attached to it now.

Not having used third-party drivers much in the past I was fairly ignorant about them. There are kmod, akmod, and dkms type driver packages. Do you know the differences between them? I mean with something as important to the operation of the system as a RAID controller that presents all disks to the system... you don't want it breaking when you upgrade the kernel, right? It is my understanding that kmod-based packages aren't tied to a specific build of the kernel. So the kmod-cciss package I got from ElRepo should (in theory) work with every kernel update for EL 7.0 that comes out. When EL 7.1 comes out, it'll probably be a slightly different branch... and before trying to switch to future 7.1 kernels, I'd probably need to update the kmod-cciss package... or at least that is my understanding.

Anyway, so far it is working great. We'll see if I have any regrets as time goes by. I will definitely take care to be very aware of when kernel updates get installed and always keep a known-to-work kernel around just in case.

CentOS 7 Released


The mirrors are syncing and the release announcement has been made... although the main website needs to be updated... and oddly distrowatch.com is dead.

Anyway, I uploaded contributed OpenVZ OS Templates built from the final release with updates applied... and I have a LiveDVD that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP and Inkscape for anyone who is interested.

I'm guessing Scientific Linux 7 will be out in another two weeks.


Scientific Linux 7 Alpha released - LiveDVD and OS Templates built


One of the Scientific Linux developers sent out an announcement to the SL-devel mailing list just a couple of hours ago about SL 7 Alpha being released. They have a netinstall CD iso and a 6GB DVD. I got the entire tree downloaded in about 30-ish minutes... and got to work building a LiveDVD as well as OpenVZ OS Templates... using the scripts I had used for CentOS and Oracle... again with a tiny bit of editing.

Everything built and I have a LiveDVD that is 1.5GB in size that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP, and Inkscape. What more does a person need? :)

Oracle Linux 7 RC Released - Another RHEL 7 Clone


Screenshot: Oracle Linux 7 RC - KDE 4 with Firefox

I noticed on DistroWatch yesterday that Oracle released Oracle Linux 7 RC... with RC being "release candidate". Having done all of the work recently building a CentOS 7 Public QA LiveDVD as well as OpenVZ OS Templates I thought I'd give it a try with Oracle Linux. The race is on. Who will release GA first? CentOS or Oracle?

Oracle is a little different - First of all, I'm not even sure what the name of the thing is. I've heard of OEL (Oracle Enterprise Linux), Oracle Linux, and a few other names. I think I'll just call it OEL. OEL is a pay distro *BUT* they do offer free downloads of their install media as well as updates. Originally updates were pay-only but they opened that up a while back when they had a promotional campaign claiming they were faster with updates than CentOS (turns out they aren't but close). I guess their business plan is you can use OEL for free and have updates... but there are some value add features (like Ksplice and Dtrace, etc) and support that cost extra. To download their iso install media you have to have an account on their system but that is cost-free and it just so happens I already had one because I've downloaded previous releases like OEL6.

Setting up the LiveDVD build environment - I downloaded the install media. I copied all of the .rpm files from the install media to a directory on a local web server and ran "createrepo ." within that directory. Then I made a four line oracle-7-rc.repo file pointing to the local package repo I just made.

Then I booted the install DVD inside of a newly created KVM virtual machine and did an install selecting that I wanted a GUI desktop (this is Server install media and "minimal" is the default) which is GNOME 3... and added to that the KDE desktop environment. After the install was over the machine was up and running. Then I installed the livecd-tools package previously mentioned made by that CentOS guy. Oracle was missing two perl-something-something packages needed for the livecd-tools dependencies so I just copied the missing two packages (along with the livecd-tools packages and epel-release) to my Oracle 7 RC package repo directory and re-ran createrepo. BTW, you don't have to turn off SELinux anymore for livecd-creator to work. That probably changed a long time ago but I only recently noticed. Ding, build environment complete.

Screenshot: Oracle Linux 7 RC - GNOME 3 Classic

Fixing up the kickstart - Then I copied my centos-7-pubqa.ks kickstart file and modified it. Within that kickstart I had referred to a number of package groups but in my local package repo package groups weren't working well for me. I don't know if package group names are different between CentOS and Oracle (probably) or if I needed more package metadata than I had with my simple, local package repository. As a result I needed to cough up a more complete and accurate package list for my kickstart. Hey, I liked the install I had in my KVM machine so I just did an 'rpm -qa --qf "%{n}\n" | sort > packages.txt' to generate a complete package list with the version portion stripped off suitable for a kickstart file. I emptied out everything in the package section of the kickstart and then just inserted the contents of the packages.txt file. Then I ran livecd-creator giving it the appropriate flags to generate an iso from the kickstart with the desired name (oracle-7-rc-001-x86_64.iso). After about an hour and approximately 1,400 packages... I had a 1.2GB .iso. I then tested that inside of a KVM virtual machine and it worked great... both as a try-it-before-you-install-it Live Desktop... and as an installer too.

OpenVZ OS Template building - I took the scripts (regular and minimal) I had created for CentOS 7 Public QA to build OpenVZ OS Templates and made the minor modifications needed to point to my local Oracle package repo. I had to change a few of the package names (like centos-release became oraclelinux-release and centos-logos became oracle-logos... and had to add in the rhn-client-tools package) and the desired output file name... but other than that, a simple edit. Those took about 10 minutes to build. I copied the .tar.xz files over to an OpenVZ host node and made a few containers to test things out. They worked as expected.

What else is different? - Turns out Oracle didn't have packages for LibreOffice on their install DVD. I thought that was weird because they had GNOME 3, KDE and some desktop applications including Firefox, GIMP, and Inkscape... but no LibreOffice. I assume after GA happens and their full package repositories become available that those packages will be included. The DVD includes just a little shy of 4,300 packages.

Where to go from here? - I will be releasing the OpenVZ OS Templates after Oracle's GA release but I don't think I can publicly release the LiveDVD as that might violate their license agreement. I don't read legalese so I'm not certain, but I just showed you above how you can make your own. I've attached the .ks I used as well as the scripts for OpenVZ to this post. You'll have to put in the correct URL for your own local repo or the one made available by Oracle after GA. And of course you'll want to modify the package set as desired. My kickstart probably has some junk in it left over from the Fedora kickstart I based it on, but it does build and work just fine. Feel free to clean it up and make it more perfect if you want.

Enjoy!

Montana Enterprise Linux 7?


Screenshot: CentOS 7 Public QA - KDE Desktop with Firefox

If you didn't hear the news, Red Hat released Red Hat Enterprise Linux 7 on Tuesday, June 10th. I've done three installs so far at work... and have been reading through their wonderful documentation. I'm really digging the newer versions of things and systemd... yes, especially systemd. No, no, really!

As you also probably know, Red Hat sponsors the CentOS Project now... and they are working hard on getting CentOS 7 done. Andrew from the BillingsLUG predicts CentOS 7 will be out within two weeks of RHEL 7... so that would be by June 24th. My guess is 6 weeks... which would be by July 22nd. If they don't make it in 6 weeks, my next guess is August 10th, because that's my 50th birthday.

Anyway. So yeah, the CentOS Project has been working hard AND they have been, unlike in the past, doing everything out in the open... transparency it is called. Yesterday they announced they had the packages building. Then someone on the centos-devel mailing list said they had a Docker CentOS 7 container image. I gave that a try. Then the centos-devs said they had the first build attempt completed although they have NOT gone through all of the packages yet and removed Red Hat's branding... so it's a very preliminary build. Then they announced they had a network install CD (~ 341MB). I gave that a try and it worked great.

Then I decided I wanted to work on my own remix if possible. I used reposync to download all of the packages... and wget to get the handful of other dirs/files in the install tree. Then I made a KVM virtual machine via a network install pointed at my own copy of the tree. Then I added the livecd-creator package that one CentOS developer ported from Fedora. Then I installed fedora-kickstarts from Fedora 19... and hacked on their KDE LiveCD kickstart until I had it building CentOS 7. The first build didn't go so well. For whatever reason, all of the GUI stuff was there except for Xorg. I was able to use that first install, get it going in text-only mode to figure out what packages I needed to add to my kickstart's package list to get X going. Bingo... only three additional lines although two of them had an asterisk in them.

It built. It booted. It installed. It booted and worked post-install. Not bad.

What does it contain? Well, I'm a KDE fan. EL7 only offers GNOME 3 and KDE anyway. So, it has KDE... but oddly they don't offer KDM (KDE Display Manager aka GUI login screen) so it uses GDM (GNOME Display Manager). While Red Hat defaults to the XFS filesystem in their install media (they don't have any Live media by the way, just install-only) livecd-creator would not build the .iso if I set the default to xfs... so I had to set it to ext4. So, the system you get from the live installer has ext4 partitions. While it is the KDE desktop I added some stuff that isn't KDE-specific... like Firefox, LibreOffice, GIMP, and Inkscape. I didn't refer to the EPEL 7 repository in my kickstart so the first good build only includes stock packages. Later I'll probably add in EPEL and add some additional packages like tmux, x2goserver... and a few other sundry packages. Any suggestions?

I should have included some screenshots with this post but I'm too lazy and tired after spending about 6 hours working on this little project today. If you want to give it a try let me know and I can email you the URL to the .iso file. Oh, btw... the installed system does not include a working centos.repo file so after a fresh install is booted, one has to manually add one by creating a file named /etc/yum.repos.d/qa-nightly.repo. Put in it the following:

[qa-nightly]
name=qa-nightly
baseurl=http://buildlogs.centos.org/centos/7/os/x86_64-latest
enabled=1
gpgcheck=0

Then you can use yum to install anything else you'd like. I recommend you also add EPEL 7 (epel-release-7-0.1.noarch.rpm). Enjoy! MEL (Montana Enterprise Linux), kiss my grits!

Update: CentOS has since released Public QA LiveMedia of their own.

How about an OpenVZ CentOS Variant?


I've used RHEL, CentOS and Fedora for many years... and as many of you already know... back in January, CentOS became a sponsored project of Red Hat. For the upcoming CentOS 7 release they are going beyond just the normal release that is an as-perfect-as-possible clone of RHEL. They have this concept of variants... where Special Interest Groups (SIGs) are formed around making special purpose builds of CentOS... spins or remixes if you will. I don't know a lot about it yet but I think I have the basic concept correct.

Looking at the numbers on http://stats.openvz.org/ I see:

Top  host   distros
-------------------
CentOS	     56,725
Scientific    2,471
RHEL	        869
Debian	        576
Fedora	        111
Ubuntu	         82
Gentoo	         54
openSUS          18
ALT Linux        10
Sabayon	          6

and

Top 10  CT  distros
-------------------
centos	    245,468
debian	    106,350
ubuntu	     83,197
OR	      8,354
gentoo	      7,017
pagoda	      4,024
scientific    3,604
fedora	      3,173
seedunlimited 1,965

Although reporting is optional, the popularity of CentOS as both an OpenVZ host and an OpenVZ container surely has to do with the fact that the two stable branches of the OpenVZ kernel are derived from RHEL kernels.

Wouldn't it be nice if there were a CentOS variant that has the OpenVZ kernel and utils pre-installed? I think so.

While I have made CentOS remixes in the past just for my own personal use... I have not had any official engagement with the CentOS community. I was curious if there were some OpenVZ users out there who are already affiliated with the CentOS Project and who might want to get together in an effort to start a SIG and ultimately an OpenVZ CentOS 7 variant. Anyone? I guess if not, I could make a personal goal of building a CentOS and/or Scientific Linux 6-based remix that includes OpenVZ... as well as working on it after RHEL7 and clones are released... and after such time the OpenVZ Project has released a stable branch based on the RHEL7 kernel.

I will acknowledge up front that some of the top CentOS devs / contributors have historically been fairly nasty to OpenVZ users on the #centos IRC channel. They generally did not want to help someone using a CentOS system running under an OpenVZ kernel... but then again... their reputation is for being obnoxious to many groups of people. :) I don't think we should let that stop us.

Comments, feedback, questions?

Update: Wow, looking here, they already have OpenVZ listed as being of interest in their Virtualization SIG.

Red Hat Enterprise Linux 6.3 is out


Just noticed I have a ton of updates for a few RHEL 6 boxes... and to me that indicates there is a new update release. So I logged into Red Hat Network and sure enough RHEL 6.3 has been released. I like finding out about it early in the morning and downloading it before everyone else has noticed.

With CentOS and Scientific Linux both pretty adept in rebuilding 6 now, I'd expect new releases from both within 6 weeks or less. Scientific Linux might be at a disadvantage because they lost one of their main guys but they have replaced him. CentOS on the other hand recently announced that some company was sponsoring two CentOS developers so they could work full-time on CentOS. Who will win?

I haven't had a chance to check out the release notes yet but I will soon. I'm hoping a lot of the KVM, libvirt, and virt-manager stuff that has been in Fedora for a while will have filtered back to this update.

Update: July 9th, 2012 - CentOS 6.3 is syncing to the mirrors today so it has won.


Video: LFNW2010 - RHEL Automation with SystemBuilder


Automating Configuration, Deployment and Maintenance for Red Hat and CentOS by Kay Williams from Rendition Software.

Opinion: RHEL 5 turns 3, Suggestions for Red Hat


Red Hat Enterprise Linux 5 (Tikanga) was released on March 14, 2007 and yesterday was RHEL 5's 3rd birthday. Since then we have gotten 4 update releases.

Given the fact that Red Hat's original plan was to have a new RHEL release every 18 - 24 months, one has to wonder where RHEL 6 is and why it is so late. My best guess is that RHEL 6 (which so far has had a non-public alpha release within Red Hat as witnessed in some Bugzilla reports) will come out sometime this summer... possibly in time for the Red Hat Summit in Boston (June 22-25, 2010). For that to happen I would expect a public beta for RHEL 6 to be released in the not too distant future. We'll see how that pans out.

While we are waiting, how about some idle discussion?
