Boot using an iSCSI root from a USB stick with a bridged Ethernet device on Fedora/CentOS

Today I had a nice discussion with someone on the Fedora IRC channel about a problem booting from a USB stick with an iSCSI root filesystem and a bridged interface. He was facing the problem that the brctl tool was not available at boot time. CentOS and Fedora use dracut to have everything in place that you need at boot time. For this use case brctl was missing and he was not able to boot his machine.

In his special case he needed to set up the bridge at boot time because his root filesystem needs the connection not to be reconfigured, and he needed a bridge device for his later KVM virtualization on that machine. A dedicated second iSCSI interface wasn’t an option.

After reading some dracut documentation I came across a blog post from a Russian user which showed how to add the missing brctl binary to the initramdisk and make things work.

To include brctl into the initrd for your current kernel run:

dracut -I /sbin/brctl --force

That should create a working initrd with brctl so you can use the bridge configuration of dracut.

Here you can find the complete forum entry to see how the grub config has to look to boot from iSCSI on CentOS 7:

http://www.linux.org.ru/forum/admin/10652702

Turn splash screen off and remove it from initrd on Fedora 20

To remove the splash screen on Fedora and boot up with details run:

sudo plymouth-set-default-theme details

For me on Fedora 20 it did not work out of the box:

sudo plymouth-set-default-theme details --rebuild-initrd

The newly created initrd got the name initrd-3.15.6-200.img and not initramfs-3.15.6-200.fc20.x86_64.img, which would be the correct name. Just replace the old initramfs file with the newly created one and reboot. Now you should get the detail view while booting your machine.

Custom Kernel on Fedora 20

The last time I built a Linux kernel for my machine was quite a while ago. In my Linux hacking times, when I did my private research on how Linux works and how software can be built for it, I used Gentoo, and there it was normal to build every package from source code, including the kernel. The portage system was a copy of the well-known ports package system from FreeBSD. It contains all the metadata for the software packages to be built from scratch with their dependencies. But back to my custom and vanilla kernel on Fedora 20.

Prepare your system

You will need the basic C build environment, which can be installed using a package group as root or using sudo:

yum groupinstall 'C Development Tools and Libraries'

Download the kernel sources from kernel.org

I picked the latest stable version, which is currently 3.16.1, and downloaded the sources to /usr/src/kernels to extract them there.

To extract a .xz compressed tar archive use:

tar xvfJ <archive.tar.xz>

Configure your kernel

I prefer a minimalistic kernel. That’s why I am building my own kernel. I don’t like to have support for hardware in my system which I don’t want to use. I don’t use Bluetooth, ISDN, SCSI or legacy audio devices in my workstation, so I decided to remove everything I don’t need.

Change into the kernel source directory you just extracted and run the kernel menu config tool:

cd /usr/src/kernels/linux-3.16.1
make menuconfig

I won’t explain how to configure your kernel so that it works for you. This is what you have to learn yourself. Read the options and decide if you need the support for that option. There is a lot of documentation out there on how you can configure your kernel. And if you are not sure what hardware you have, you should perhaps stay with the generic kernel and explore your system with tools like lsusb, lspci and lsmod.

Build your kernel and install your modules

This is quite easy. To build your kernel just run:

make

And to install the created modules after your build was successful, run:

make modules_install

Install your kernel to boot and create initrd

Now you need to copy your kernel image to /boot:

cp /usr/src/kernels/linux-3.16.1/arch/x86_64/boot/bzImage /boot/vmlinuz-3.16.1

Create initrd:

mkinitrd /boot/initramfs-3.16.1.img 3.16.1

Regenerate the Grub config to add the new kernel entry:

grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Reboot and have fun with your new kernel

Security reviews became sexy nowadays, we need to make them happen

If you’re interested in software security you will have noticed that there were some bigger security problems with widely used software last year. The attention these problems get in the mainstream media has risen in the last two years. We had some big security problems in the past as well; just remember the problem with all the SSH keys on Debian systems which were generated with bad entropy. This critical security problem in one of the most used Linux distributions should have had as much attention as Heartbleed had.

OpenSource is not the answer for everything but the only way

For me this hopefully kills the former assumption that open source is more secure by default. This is complete bullshit in most cases. If you have a look at these open source graveyards like SourceForge, GitHub or Google Code you will mostly find a lot of dead projects with poor quality. Why am I so sure about that? Because I am part of the problem. Most of us have committed or published to some of these projects with good intentions to share something and give it to those who maybe can use it. And maybe the quality at the time was good and everything worked fine, but times change.

If I think about this today, we all should delete this old rubbish to prevent it from being used somewhere else. It would be nice if source code which no one is maintaining would delete itself some day, but as long as this does not happen we have to take care of it ourselves or set up a proper maintenance infrastructure for it. Just because some code is open source does not guarantee that it is reviewed. Only the fact that the code is open and could be reviewed has brought us to where we are today. I have never met this somebody who reviews code for fun and for free all day long. And even if we have someone like Andy Lutomirski, who looks like he has incredible fun doing such a job for parts of the Linux kernel, there are not enough Andys around for every open source project.

OpenSource needs more money

All the good intentions to share the source code so that it gets reviewed by more people and becomes more secure do not work in all projects. We need more money to pay people to read our critical software components. Nobody will do this for free, not frequently and motivated over a long time. And we need to do it again and again and again. It is not only Truecrypt, the Linux kernel or the most used web servers that need our attention.

To do these reviews we do not only need more people at the OpenSSL foundation or a fork like LibreSSL. This may fix the problem for OpenSSL but not for all the other libraries which can have a similar impact when they are screwed up. There is already an infrastructure we can use to spend the money which is needed to make our systems more secure. Security has always been expensive and a community of volunteers cannot handle it without our support over such a long time.

We should start to spend more money on open source. Security comes at a price. Don’t misunderstand this, I don’t want to make every open source project take money for their source code, but we need to establish ways to make sure someone does the job nobody wants to do.

And we should make it sexy for the companies we work for to spend money, too. Some of these companies built their complete business with these free and open tools and still rely on them. If you’re a grown, established company, give back a piece of the cake to those who helped you get where you are today.

Which organizations should we give our money to?

To those who support the developers doing such a great job for us. Some good candidates are:

They bring us a lot of software which we rarely or never recognize we are using every single day.

Some more details on how to configure your nginx server with SSL

The guys from bsdnow.tv did a great job by putting together a tutorial with some more details on a proper Nginx configuration and a very good choice of SSL parameters. There were some parts I didn’t know either, and the tutorial is great as always.

If you want to configure a web server with SSL/TLS support and you’re not sure what parameters to set for SSL/TLS, watch their tutorial at the end of the episode and you will learn a lot.

Here is the link to the video: http://www.bsdnow.tv/episodes/2014_08_20-engineering_nginx

And here is the link to the tutorial for nginx and SSL/TLS: http://www.bsdnow.tv/tutorials/nginx

If you don’t know them yet, take some time to browse through their videos!

Besides this, you can check your SSL/TLS configuration using the SSL Labs test to improve your current settings, or check frequently so as not to miss a newly found vulnerability: https://www.ssllabs.com/ssltest/

Quake style terminal for KDE

A quite useful extension for my KDE desktop is yakuake. In my default configuration this shows a terminal window when pressing the F12 key and hides the window when pressing it again. This is widely known as the Quake terminal style, from the game which included this behaviour for its command console.

yakuake on a kde desktop on fedora 20

Migration in progress

This post is mostly about the blog itself. As you may have noticed, I migrated the blog to full HTTPS last week. This should now allow you to access the site over HTTPS without any certificate warnings. All contents should be migrated. There should be a working redirection mechanism to redirect you to the HTTPS site as well. At this point I recommend the HTTPS Everywhere plugin, which does automatic redirection on other sites: https://www.eff.org/https-everywhere

It is just a small step, and don’t feel too secure only because you are accessing sites through HTTPS.

In the next days I will update the server to support all state-of-the-art HTTPS versions. So if you have trouble accessing the site in future, please check that your device does not contain a broken implementation, as I will not support known broken or vulnerable implementations.

Have fun and use cryptography.

Dual boot system with UEFI and Fedora 20 and Windows 8.1

In short sentences:

Yes it is possible! Even with secure boot enabled!

The long version:

On my workstation I use a dual boot configuration for some games and my Linux based development and testing. Since I am using a UEFI-only configuration it was quite easy to use a dual boot configuration with Fedora 20 and Windows 8.1.

I turned off the legacy mode on my board and reactivated the secure boot option I had disabled some time ago for testing. Most UEFI boards should come with these options as their default values. Since I connected each system’s HardDisk/SSD separately for installation, Fedora couldn’t recognize the Windows disk and the boot menu entries automatically. This was just to protect my data: since I am using two equal SSDs with the same size, I didn’t want to risk selecting the wrong one and losing all my data.

The Fedora disk is my first boot disk and I only added these lines to the grub.cfg located on the EFI partition (/boot/efi/EFI/fedora/grub.cfg) to add the Windows entry:

menuentry 'Windows Boot Manager' {
 set root='hd1,gpt2'
 chainloader /EFI/Microsoft/Boot/bootmgfw.efi
 boot
}

That’s it. Reboot and test it. If everything is working as expected you should add these lines the correct way using /etc/grub.d/40_custom:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.

menuentry 'Windows Boot Manager' {
 set root='hd1,gpt2'
 chainloader /EFI/Microsoft/Boot/bootmgfw.efi
 boot
}

and run:

grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Make the Fedora/CentOS/RHEL update service the fastest

Since I played with some publish and subscribe protocols in the last months, I came up with an idea to speed up the notification and delivery of software updates over the existing mechanism while reducing, or better optimizing, the needed resources.

Here is a graphic to show what I am trying to implement:

Drawing software update push service

As an example, in RHEL/CentOS or Fedora you can start yum and pull the latest updates frequently to see if there are some new packages. This can be done with manual cron jobs or the yum-updatesd. Every machine pulls the complete package index at a defined frequency and looks if something new was released. In my understanding it would be more efficient if the system got notified that some new package is available, or even better, if the system listened only to updates and information for packages that are installed on that specific machine and need to be monitored. This not only can speed up and optimize the client-server communication, it could also be a good way of optimizing the distribution of packages between repository mirrors. Each mirror can be notified if there is a new package and get it pushed to make the package available as fast as possible.

I am aware that distribution of packages does not need to be optimized by milliseconds but in some environments such a notification mechanism can save money and bandwidth if a lot of clients need to be updated.

My plan is to discuss this with a proposal for a concrete implementation for yum based systems on the Fedora developers’ mailing list to get a feeling whether this is a real world requirement or there is no need to optimize this situation.

Up to now MQTT looks quite promising to me for the notification mechanism or even to push packages to the subscribed machines. With some control server in the back this can make package deployment more efficient and faster. The package verification mechanism can work as it does now; only the transport mechanism or the notification of a new package needs to be added to the existing infrastructure. Since MQTT supports SSL/TLS based connections and WebSockets there should be no bigger problem with security or blocked ports than today.
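As an added example, not code from the original post, here is a small offline simulation of the proposal: hosts subscribe only to MQTT topics for their installed packages, while a mirror subscribes to the whole repository with a wildcard. The topic layout, the in-memory broker and the package names and versions are assumptions of the example.

```python
# Added example, not code from the original post: an offline simulation of the
# proposed push-based update notification. The topic layout
# "updates/<repo>/<package>" and all package names/versions are assumptions.

def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    def __init__(self):
        self.subscriptions = []  # list of (topic_filter, callback)

    def subscribe(self, topic_filter, callback):
        self.subscriptions.append((topic_filter, callback))

    def publish(self, topic, payload):
        for topic_filter, callback in self.subscriptions:
            if topic_matches(topic_filter, topic):
                callback(topic, payload)


class UpdateClient:
    """A host that subscribes only to the packages it has installed."""
    def __init__(self, broker, repo, installed):
        self.pending = {}  # package -> newest version announced
        for pkg in installed:
            broker.subscribe(f"updates/{repo}/{pkg}", self.on_update)

    def on_update(self, topic, payload):
        # Only the announcement travels over MQTT; the package itself is still
        # fetched from a mirror and GPG-verified by yum as today.
        self.pending[topic.rsplit("/", 1)[1]] = payload["version"]


def demo():
    # Constructed scenario: one client with three packages plus one mirror.
    broker = Broker()
    client = UpdateClient(broker, "fedora-updates", ["openssl", "nginx", "kernel"])
    mirror_seen = []
    broker.subscribe("updates/fedora-updates/#", lambda t, p: mirror_seen.append(t))
    broker.publish("updates/fedora-updates/openssl", {"version": "1.0.1e-38"})
    broker.publish("updates/fedora-updates/bluez", {"version": "5.21-1"})
    return client.pending, mirror_seen
```

The client never sees the bluez announcement because it has no subscription for it, while the mirror receives both; this is the filtering the post describes.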