Yum install/update errors “cpio: rename”

Occasionally, RPMs will set the immutable flag (a file attribute managed with chattr and shown by lsattr) on important libraries as a safety mechanism to try to prevent core OS breakage. Unfortunately, this causes package upgrade failures with vague error messages. E.g.:

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
Error unpacking rpm package nss-3.13.6-3.el5_9.i386
error: unpacking of archive failed on file /usr/lib/libfreebl3.so: cpio: rename

Failed:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

RPM uses cpio as its archive format, which is why we’re seeing a cpio error when it tries to replace the file /usr/lib/libfreebl3.so.
Let’s investigate that file.

[root@archive ~]# ls -la /usr/lib/libfreebl3.so
-rwxr-xr-x 1 root root 240612 Apr  8  2007 /usr/lib/libfreebl3.so
[root@archive ~]# lsattr /usr/lib/libfreebl3.so
----i-------- /usr/lib/libfreebl3.so

The “immutable” flag has been set, which means that the file cannot be modified or unlinked regardless of its standard POSIX permissions. We need to remove that flag in order for the package upgrade to complete.

[root@archive ~]# chattr -i /usr/lib/libfreebl3.so
[root@archive ~]# lsattr /usr/lib/libfreebl3.so
------------- /usr/lib/libfreebl3.so

Now we can try to update the nss package again…

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
Error unpacking rpm package nss-3.13.6-3.el5_9.i386
error: unpacking of archive failed on file /usr/lib/libsoftokn3.so: cpio: rename

Failed:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

Looks like we found another file with the immutable flag set…

[root@archive ~]# ls -la /usr/lib/libsoftokn3.so
-rwxr-xr-x 1 root root 348040 Apr  8  2007 /usr/lib/libsoftokn3.so
[root@archive ~]# lsattr /usr/lib/libsoftokn3.so
----i-------- /usr/lib/libsoftokn3.so
[root@archive ~]# chattr -i /usr/lib/libsoftokn3.so
[root@archive ~]# lsattr /usr/lib/libsoftokn3.so
------------- /usr/lib/libsoftokn3.so

Let’s try that update yet again…

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
/sbin/ldconfig: /usr/lib/libsoftokn3.so is not a symbolic link

/sbin/ldconfig: /usr/lib/libfreebl3.so is not a symbolic link

  Cleanup        : nss                                                      2/2 

Updated:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

Source: https://joshua.hoblitt.com/rtfm/2013/05/dealing_with_rpm_cpio_rename_package_installupdate_errors/
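
Rather than finding the flagged files one failed transaction at a time, the check below lists every file owned by a package that carries the immutable flag before yum is run. It is an added example, not part of the original post; the function names are made up here, and the sample lsattr lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read lsattr output ("<flags> <path>") on stdin and print the paths whose
# flag field contains a lowercase "i" (immutable). Uppercase "I" is the
# unrelated "indexed directory" flag, so the match is case-sensitive.
immutable_paths() {
    while read -r flags path; do
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# List the immutable files owned by an installed package, e.g. "nss".
# Needs rpm and lsattr; -d reports a directory itself, not its contents.
pkg_immutable_files() {
    rpm -ql "$1" | while IFS= read -r f; do
        [ -e "$f" ] && lsattr -d "$f" 2>/dev/null
    done | immutable_paths
}

# Clear the flag on every path read from stdin, logging each change so the
# list can be reviewed (or the flag restored) after the update.
clear_immutable() {
    while IFS= read -r f; do
        chattr -i "$f" && printf 'cleared immutable flag: %s\n' "$f"
    done
}

# Constructed sample input, modelled on the lsattr output above.
sample='----i-------- /usr/lib/libfreebl3.so
------------- /usr/lib/libnss3.so
----i-------- /usr/lib/libsoftokn3.so'
printf '%s\n' "$sample" | immutable_paths

# On the affected host, as root:
#   pkg_immutable_files nss                      # review the list first
#   pkg_immutable_files nss | clear_immutable
#   yum update -y nss
```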

Install PHP 5.5 on CentOS 5

Check whether any PHP packages are already installed:

# yum list installed | grep php

If there are, they need to be removed:

# yum remove php php-cli php-common php-gd php-ldap php-mbstring php-mcrypt php-mysql php-pdo

Install the webtatic repository:

# rpm -Uvh http://mirror.webtatic.com/yum/el5/latest.rpm

We can then check which packages are available:

# yum --enablerepo=webtatic list available | grep php55w

Next, we install the PHP 5.5 packages:

# yum --enablerepo=webtatic install php55w php55w-cli php55w-common php55w-gd php55w-ldap php55w-mbstring php55w-mcrypt php55w-mysql php55w-pdo php55w-soap php55w-intl php55w-opcache

Note: In my case, I already had the repository installed from before, and it would not let me install the PHP 5.5 packages because the repository keys were not valid. It was necessary to update the keys:

# rpm --import http://repo.webtatic.com/yum/RPM-GPG-KEY-webtatic-andy

PHP should now be at version 5.5. We can check with the command:

# php -v
PHP 5.5.38 (cli) (built: Jul 21 2016 13:42:32)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

Finally, we restart Apache:

# service httpd restart

Update node.js + npm on Windows

The new best way to upgrade NPM on Windows:

https://github.com/felixrieseberg/npm-windows-upgrade

Run PowerShell as Administrator

Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force
npm install -g npm-windows-upgrade
npm-windows-upgrade

Note: Do not run npm i -g npm. Instead use npm-windows-upgrade to update npm going forward. Also if you run the NodeJS installer, it will replace the node version.

  • Upgrades npm in-place, where node installed it.
  • Easy updating: update to the latest version by running npm-windows-upgrade -p -v latest.
  • Does not modify the default path.
  • Does not change the default global package location.
  • Allows easy upgrades and downgrades.
  • Officially recommended by the NPM team.

 

Source: http://stackoverflow.com/questions/18412129/how-do-i-update-node-and-npm-on-windows

Configure Logwatch to use ssmtp

This guide will explain how to set up ssmtp (a simple SMTP delivery agent) for emailing logs to an email address using logwatch.

Firstly in a terminal, enter

yum install ssmtp

After ssmtp has been installed, open the configuration file with

vim /etc/ssmtp/ssmtp.conf

and edit it as follows:

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=!!!insert outgoing email address here!!!

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=!!!enter your domain name here!!!

# The full hostname
hostname=!!!insert outgoing email address here!!!

# Are users allowed to set their own From: address? Not recommended with gmail
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES

# Username and password for Google's Gmail servers
# From addresses are settled by Mutt's rc file, so
# with this setup one can still achieve multi-user SMTP
AuthUser=!!!email user name!!!
AuthPass=!!!email password!!!

#Uncomment these settings for use with gmail
#UseTLS=YES
#UseSTARTTLS=YES
#mailhub=smtp.gmail.com:587

You can now test that ssmtp is working with

cat - | /usr/sbin/ssmtp -v <your-email-address>

Press Ctrl+D to send the test message.

If the message has been received we can go on and configure logwatch

 

Edit logwatch to change mailer

# vim /etc/logwatch/conf/logwatch.conf
mailer = "ssmtp -v <your-email-address>"

To test that it works, send the security log with

sudo logwatch --logfile secure --detail high --mailto <your-email-address> --range yesterday
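
Because the ssmtp.conf shown above stores the mailbox password in AuthPass, two things are worth checking before relying on it: that the TLS lines really are uncommented, and that the file is not readable by every local user. The script below is an added example, not part of the original guide; the function names are made up here and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Print the value of the last uncommented KEY=value line in FILE.
# Keys are matched exactly as spelled in the configuration above.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Print one finding per line for FILE; print nothing when it passes.
audit_ssmtp_conf() {
    conf=$1
    # Nothing to protect if no password is stored in the file.
    [ -n "$(conf_get AuthPass "$conf")" ] || return 0

    # AuthPass is sent to the mailhub, so the session must be encrypted.
    case "$(conf_get UseTLS "$conf")$(conf_get UseSTARTTLS "$conf")" in
        *[Yy][Ee][Ss]*) ;;
        *) echo "AuthPass is set but neither UseTLS nor UseSTARTTLS is YES" ;;
    esac

    # The last octal digit holds the permissions for "other" users
    # (stat -c is the GNU coreutils form).
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        *[4567]) echo "mode $mode lets every local user read AuthPass" ;;
    esac
}

# Constructed sample: the configuration above with the TLS lines still
# commented out and a world-readable mode.
demo=$(mktemp)
cat > "$demo" <<'EOF'
mailhub=smtp.gmail.com:587
AuthUser=constructed-user@example.com
AuthPass=constructed-password
#UseTLS=YES
#UseSTARTTLS=YES
EOF
chmod 644 "$demo"
audit_ssmtp_conf "$demo"
rm -f "$demo"

# On the real host: audit_ssmtp_conf /etc/ssmtp/ssmtp.conf
```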

The certificate for ServerName.com will expire in x days

The server was sending this email:

################# SSL Certificate Warning ################

Certificate for hostname 'ServerName.com', in file (or by nickname):
 /etc/pki/tls/certs/localhost.crt

The certificate needs to be renewed; this can be done
 using the 'genkey' program.

Browsers will not be able to correctly connect to this
 web site using SSL until the certificate is renewed.

##########################################################
 Generated by certwatch(1)

You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

You should get something like:

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.

Next, take note of the permissions of those two files:

ls -lh /etc/pki/tls/certs/server.crt
 -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
 -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.

Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:

chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.

You’re done!

 

Source: http://www.stevejenkins.com/blog/2010/08/renewing-a-self-signed-ssl-certificate-on-fedoracentos/
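
Before restarting Apache in Step 3, it helps to confirm that the regenerated certificate has the expected lifetime and that the key file actually belongs to it. The function below is an added example, not part of the original article; cert_report is a made-up name, and the demo certificate and its -subj value are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). cert_report is a hypothetical name.

# cert_report CERT KEY MIN_DAYS
# Returns 0 only if CERT stays valid for at least MIN_DAYS more days and KEY
# is the RSA private key that belongs to CERT.
cert_report() {
    cert=$1 key=$2 min_days=$3

    # Show who the certificate is for and when it expires.
    openssl x509 -noout -subject -enddate -in "$cert" || return 2

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend $((min_days * 86400)) -in "$cert" >/dev/null
    then
        echo "FAIL: certificate expires within $min_days days"
        return 1
    fi

    # An RSA key and certificate belong together when their moduli are equal.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert")
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: private key does not match certificate"
        return 1
    fi
    echo "OK: valid for at least $min_days more days, key matches"
}

# Constructed demo: a throwaway certificate created the same way as in Step 2,
# with -subj (constructed value) replacing the interactive questions.
tmp=$(mktemp -d)
openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 \
    -subj '/CN=constructed.example' \
    -out "$tmp/server.crt" -keyout "$tmp/server.key" 2>/dev/null
cert_report "$tmp/server.crt" "$tmp/server.key" 30
rm -rf "$tmp"

# On the real host, after Step 2:
#   cert_report /etc/pki/tls/certs/server.crt /etc/pki/tls/private/server.key 30
```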

Linux: Change a user’s home directory

usermod is the command for editing an existing user, and it can change that user’s home directory. -d (abbreviation for --home) changes the user’s home directory. Adding -m (abbreviation for --move-home) also moves the content from the user’s current directory to the new directory.

usermod -m -d /newhome/username username

Install an SSL certificate on Apache

https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html#private-signed-cert

https://www.linode.com/docs/security/ssl/ssl-certificates-with-apache-2-on-centos

Convert keys:
http://stackoverflow.com/questions/8774574/how-can-i-convert-a-pfx-certificate-file-for-use-with-apache-on-a-linux-server

More than one certificate per domain:
http://serverfault.com/questions/392149/domains-and-subdomains-virtualhosts-with-different-ssl-certificates

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

https://www.digicert.com/ssl-certificate-installation-apache.htm

Configure Munin to graph MySQL on CentOS 5/6

If you’re running a CentOS 5/6 server and installed Munin to graph the system stats, you’ll most likely notice that the generated graphs do not include MySQL.

Unfortunately, by default, Munin tries to read MySQL data using the root account and no password and fails.

But there’s an easy way to fix this:

Enter your MySQL Database Server administration interface and create a new user munin with a safe password (remember it, you’ll need it later), set it to only log in from localhost and add the Superuser permission.

Then navigate to Database Permissions and add the previously created munin user on database mysql, again only for localhost and only grant the Select table data permission.

Moving on, open the /etc/munin/plugin-conf.d/munin-node file in your favourite editor and add (or edit if already exists):

[mysql*]
env.mysqladmin /usr/bin/mysqladmin
env.mysqluser munin
env.mysqlpassword your-previously-defined-password

If you’re using InnoDB tables, you will need to create the /etc/munin/plugin-conf.d/mysql_innodb file and put this in it to suppress the errors about it (which Munin will most likely generate):

[mysql_innodb]
env.warning 0
env.critical 0

Now it’s time to test if the plugin works. Run in the console:

munin-node-configure --suggest | grep mysql

You should get something like

mysql_                     | yes  | yes (+bin_relay_log +commands +connections +files_tables +innodb_bpool +innodb_bpool_act +innodb_insert_buf +innodb_io +innodb_io_pend +innodb_log +innodb_rows +innodb_semaphores +innodb_tnx +myisam_indexes +network_traffic +qcache +qcache_mem +replication +select_types +slow +sorts +table_locks +tmp_tables)

If you’re missing any required Perl modules, you’ll see a | no | no and the needed modules’ names.

mysql_                     | no   | no [Missing dependency Cache::Cache]

Install them and then try again.

yum install perl-Cache-Cache perl-IPC-ShareLite

If all is well, it’s time to activate the plugin by running

ln -s /usr/share/munin/plugins/mysql_* /etc/munin/plugins

and then restart munin-node

service munin-node restart

Then just wait 10-20 minutes for your graphs to show up.

Fail2ban unban IP

Since 0.8.8 there is the unbanip option. It can be triggered by the set command.

fail2ban-client set ssh-iptables unbanip m.y.i.p

More generically:

fail2ban-client set :jail unbanip :ip


Install the Java plugin in Firefox (CentOS)

Java must be installed on the system first. This procedure only works with the version you download from Oracle; it will not work with the OpenJDK version of Java you’ll have when using the ‘yum install java’ command.

Download Linux x64 RPM from Oracle’s Java Downloads for All Operating Systems page.

Close Firefox.

Change to root user and enter password.

su

Change directory to /usr/java. If it isn’t created, create it.

mkdir /usr/java
cd /usr/java

Execute rpm on the Java RPM you just downloaded…

rpm -ivh /home/basejump/Downloads/jre-8u60-linux-x64.rpm

Validate with:

java -version

Delete the original RPM; you don’t need that anymore.

rm -rf /home/basejump/Downloads/jre-8u60-linux-x64.rpm

From the /usr/java directory, find the Firefox plugin (which gets installed with Java):

find . | grep libnpjp

For me, that returned:

/usr/java/jre1.8.0_60/lib/amd64/libnpjp2.so

Change to directory for Firefox plugins:

cd /usr/lib64/mozilla/plugins

Be careful. There is also a /usr/lib/mozilla/plugins directory. Be sure you’re in lib64!

Create symbolic link to the plugin:

ln -fs /usr/java/jre1.8.0_60/lib/amd64/libnpjp2.so libnpjp2.so

Start Firefox and validate by going to Tools > Addons > Plugins. You should now see Java Plug-in 1.x.x enabled.