Installing ClamAV on Rocky Linux 8

Do read up on What is ClamAV by Liquid Web for more information on ClamAV.

I thought I would list a few pointers that might be of use.

  • ClamAV is a free and open-source antivirus software and a cross-platform antivirus toolkit.
  • For Linux Systems, it offers Real-Time Protection, which is a crucial feature against zero-day attacks.
  • ClamAV provides a multi-threaded virtual scanner, a tool for automatic virus database updates, and a command-line scanner.

a. Install ClamAV and its services which include Antivirus and Antivirus Updater

# dnf install clamav clamd clamav-update

b. Setting up a Service Account

If you’re planning to run freshclam or clamd as a service on a Linux or Unix system, you should create a service account. The following instructions assume that you will use an account named “clamav” for both services, although you may create a different account name for each if you wish.

# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav

c. Configure SELinux for ClamAV

# sudo setsebool -P antivirus_can_scan_system 1

d. Run ClamAV Database Update Command

# freshclam

e. Suggested configuration of /etc/clamd/scan.conf or /etc/clamd/clamd.conf as written by ClamAV Setup Notes

ExtendedDetectionInfo yes
FixStaleSocket yes
LocalSocket /var/run/clamav/clamd.ctl
LogFile /var/log/clamav/clamav.log
LogFileMaxSize 5M
LogRotate yes
LogTime yes
MaxDirectoryRecursion 15
MaxThreads 20
OnAccessExcludeUname clamav
OnAccessExcludeUname root
OnAccessIncludePath /home
OnAccessMountPath /home/johnfedoruk
OnAccessPrevention yes
User root
VirusEvent /etc/clamav/detected.sh

f. Create and Edit the system's freshclam.service

vim /usr/lib/systemd/system/freshclam.service
[Unit]
Description = ClamAV Scanner
After = network.target

[Service]
Type = forking
#if you want to update database automatically more than once a day change the number 1  
ExecStart = /usr/bin/freshclam -d -c 1
Restart = on-failure
PrivateTmp =true

[Install]
WantedBy=multi-user.target

g. Start and Enable FreshClam and Clamd Scanner Services

# systemctl start freshclam
# systemctl enable freshclam

h. Scanning a Directory

# clamscan -r /tmp
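
Step e points VirusEvent at /etc/clamav/detected.sh without showing the script, and with User root the handler runs as root. One possible handler follows as an added example (not from the original post or the ClamAV project); the log path and function names are assumptions, and it relies on the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables that clamd sets for the VirusEvent command.

```shell
#!/bin/sh
# Added example: a possible /etc/clamav/detected.sh for the VirusEvent line.
# The detected file's name is chosen by whoever created the file, so it is
# treated as untrusted input before it reaches the log.

# Assumed log location; adjust to your layout.
ALERT_LOG=${ALERT_LOG:-/var/log/clamav/detections.log}

# Replace every non-printable byte (newlines and tabs included) and double
# quotes, so a crafted file name cannot forge extra log lines or fields,
# then cap the length.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | tr '"' "'" | cut -c1-512
}

# $1 = file name, $2 = signature name; prints one key=value log line.
format_alert() {
    printf 'ts=%s sig="%s" file="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(sanitize "$2")" "$(sanitize "$1")"
}

# Returns 2 when called outside a VirusEvent (no file name in the environment).
handle_event() {
    [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ] || return 2
    umask 077   # keep a newly created log readable by its owner only
    format_alert "$CLAM_VIRUSEVENT_FILENAME" \
        "${CLAM_VIRUSEVENT_VIRUSNAME:-unknown}" >> "$ALERT_LOG"
}

handle_event || true
```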

References:

  1. Installing ClamAV
  2. ClamAV Setup Notes
  3. Install ClamAV Antivirus on Rocky Linux 8 or Alma Linux 8

Issues when Installing Dockers on Rocky Linux 8.10

I was installing dockers on Rocky Linux 8.10. These were my steps:

dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
dnf install docker-ce docker-ce-cli containerd.io

I immediately got this error:

Error: 
 Problem 1: problem with installed package podman-4:4.9.4-1.module+el8.10.0+1815+5fe7415e.x86_64
  - package podman-4:4.9.4-1.module+el8.10.0+1815+5fe7415e.x86_64 from @System requires runc >= 1.0.0-57, but none of the providers can be installed
  - package podman-4:4.9.4-1.module+el8.10.0+1815+5fe7415e.x86_64 from appstream requires runc >= 1.0.0-57, but none of the providers can be installed
  - package podman-4:4.9.4-1.module+el8.10.0+1825+623b0c20.x86_64 from appstream requires runc >= 1.0.0-57, but none of the providers can be installed
  - package podman-4:4.9.4-12.module+el8.10.0+1843+6892ab28.x86_64 from appstream requires runc >= 1.0.0-57, but none of the providers can be installed
  - package podman-4:4.9.4-13.module+el8.10.0+1871+e6fa1069.x86_64 from appstream requires runc >= 1.0.0-57, but none of the providers can be installed
  - package podman-4:4.9.4-13.module+el8.10.0+1874+ce489889.x86_64 from appstream requires runc >= 1.0.0-57, but none of the providers can be installed

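To resolve the issue, add the --allowerasing flag. As the transaction below shows, this replaces runc and removes podman, buildah, cockpit-podman, containers-common and podman-catatonit, so check that nothing on the host depends on them before answering y: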

dnf install docker-ce docker-ce-cli containerd.io --allowerasing
================================================================================
 Package                   Arch   Version                Repository        Size
================================================================================
Installing:
 containerd.io             x86_64 1.6.32-3.1.el8         docker-ce-stable  35 M
     replacing  runc.x86_64 1:1.1.12-1.module+el8.10.0+1815+5fe7415e
 docker-ce                 x86_64 3:26.1.3-1.el8         docker-ce-stable  27 M
 docker-ce-cli             x86_64 1:26.1.3-1.el8         docker-ce-stable 7.8 M
Installing dependencies:
 libcgroup                 x86_64 0.41-19.el8            baseos            69 k
Installing weak dependencies:
 docker-buildx-plugin      x86_64 0.14.0-1.el8           docker-ce-stable  14 M
 docker-ce-rootless-extras x86_64 26.1.3-1.el8           docker-ce-stable 5.0 M
 docker-compose-plugin     x86_64 2.27.0-1.el8           docker-ce-stable  13 M
Removing dependent packages:
 buildah                   x86_64 1:1.34.0-1.module+el8.10.0+1815+5fe7415e
                                                         @AppStream        31 M
 cockpit-podman            noarch 84.1-1.module+el8.10.0+1815+5fe7415e
                                                         @AppStream       682 k
 containers-common         x86_64 2:1-81.module+el8.10.0+1815+5fe7415e
                                                         @AppStream       580 k
 podman                    x86_64 4:4.9.4-1.module+el8.10.0+1815+5fe7415e
                                                         @AppStream        52 M
 podman-catatonit          x86_64 4:4.9.4-1.module+el8.10.0+1815+5fe7415e
                                                         @AppStream       794 k

Transaction Summary
================================================================================
Install  7 Packages
Remove   5 Packages

Total download size: 102 M
Is this ok [y/N]: y

How to disable vulnerable ciphers and encryption modes in Rocky Linux 8 to mitigate Terrapin Attack (CVE-2023-48795)

For more information on the Terrapin Attack (CVE-2023-48795), do take a look at Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted.

As mentioned in the blog entry Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted, the attack is possible only if you use vulnerable ciphers and encryption modes: ChaCha20-Poly1305, CTR-EtM, CBC-EtM. Note that the ciphers and the encryption modes themselves are not vulnerable, but their input (sequence number) can be manipulated by the attacker.

The mitigation is similar to How to disable CBC Mode Ciphers in RHEL 8 or Rocky Linux 8 except that you have to remove the “chacha20-poly1305@openssh.com” besides the CBC Mode Ciphers.

Step 1: Edit /etc/sysconfig/sshd and uncomment CRYPTO_POLICY line:

CRYPTO_POLICY=

Edit the /etc/ssh/sshd_config file and add the following KexAlgorithms, Ciphers and MACs lines:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After making changes to the configuration file, you may want to do a sanity check on the configuration file

# sshd -t

Restart sshd services

# systemctl restart sshd

To test whether the weak CBC ciphers and ChaCha20-Poly1305 are still enabled:

$ ssh -vv -oCiphers=chacha20-poly1305@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc IP-Address-of-your-Server

You should receive a similar message

Unable to negotiate with 172.21.33.11 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
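
The check below is an added example, not part of the original post: it reads the Ciphers and MACs lists and reports every cipher that can still be negotiated in one of the three modes the post names. The function names are made up for the example; the first sample is the post's own Ciphers/MACs lines and the second is a constructed variant.

```shell
#!/bin/sh
# Added example. Reads sshd settings in `sshd -T` or sshd_config form on
# stdin and prints one line per cipher that can be negotiated in a mode
# listed in the post: ChaCha20-Poly1305, CBC-EtM, CTR-EtM.
# Returns 1 if anything is reported, 0 otherwise.
terrapin_audit() {
    findings=$(awk '
        tolower($1) == "ciphers" { nc = split($2, c, ",") }
        tolower($1) == "macs"    { nm = split($2, m, ",") }
        END {
            # Encrypt-then-MAC is only in play when an -etm MAC is offered.
            for (i = 1; i <= nm; i++) if (m[i] ~ /-etm@/) etm = 1
            for (i = 1; i <= nc; i++) {
                if (c[i] ~ /^chacha20-poly1305/)    print "ChaCha20-Poly1305: " c[i]
                else if (etm && c[i] ~ /-cbc(@|$)/) print "CBC-EtM: " c[i]
                else if (etm && c[i] ~ /-ctr$/)     print "CTR-EtM: " c[i]
                # AEAD ciphers such as aes*-gcm ignore the MACs list.
            }
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# The Ciphers and MACs lines exactly as given in the post.
post_config() {
    cat <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

# Constructed variant: same ciphers, -etm MACs removed.
no_etm_config() {
    cat <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

echo "post config:";   post_config   | terrapin_audit || true
echo "no-etm config:"; no_etm_config | terrapin_audit || true
```

On a live host, pipe the effective settings into it with `sshd -T | terrapin_audit`. With the post's lines it reports the three aes-ctr ciphers as CTR-EtM, because -etm MACs are still offered alongside them.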

To verify that the Terrapin Attack Vulnerability is mitigated, take a look at Vulnerability Scanner. Pre-built binaries for all major platforms and the source code are available on GitHub.

./Terrapin_Scanner_Linux_amd64 -connect XXX.XXX.XXX.XXX

If you are not vulnerable, you may have an output like this.

References:

  1. Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted
  2. Terrapin Attack
  3. Terrapin (CVE-2023-48795): New Attack Impacts the SSH Protocol
  4. SSH protocol flaw – Terrapin Attack CVE-2023-48795: All you need to know

Mounting NTFS on Rocky Linux 8

If you plan to mount a portable drive formatted with the Windows NTFS file system on Rocky Linux 8, this is what you will see when you issue the mount command right after plugging the drive in:

# mount /dev/sdd1 /data1
mount: /data1: unknown filesystem type 'ntfs'.

Step 1: Enable EPEL Repo

# dnf install epel-release

Step 2: Install NTFS-3g

# dnf install ntfs-3g

In some blogs written elsewhere, these 2 packages are more than enough, but I was still having issues. In my situation, I need to put in 5 packages

Step 3: Install all NTFS-3g packages

# dnf install '*ntfs*'

This time it works for me.

Step 4: Simply mount (Hooray!)

# mount /dev/sdd1 /data1

Compiling Quantum ESPRESSO-7.2 with Intel-2023.1 on Rocky Linux 8

Step 1: Download the package from Quantum ESPRESSO. You have to register and login before you can download.

# tar -zxvf qe-7.2.tar.gz

Step 2: Source Intel Environment

$ source /usr/local/intel/2023.1/setvars.sh
:: initializing oneAPI environment ...
   -bash: BASH_VERSION = 4.4.20(1)-release
   args: Using "$@" for setvars.sh arguments:
:: advisor -- latest
:: ccl -- latest
:: clck -- latest
:: compiler -- latest
:: dal -- latest
:: debugger -- latest
:: dev-utilities -- latest
:: dnnl -- latest
:: dpcpp-ct -- latest
:: dpl -- latest
:: inspector -- latest
:: intelpython -- latest
:: ipp -- latest
:: ippcp -- latest
:: ipp -- latest
:: itac -- latest
:: mkl -- latest
:: mpi -- latest
:: tbb -- latest
:: vtune -- latest
:: oneAPI environment initialized ::

Step 3: Remember to Prepare the Intel Optimised BLAS95, LAPACK95 and FFTW. Do take a look at

Step 4: Compile the QE

Once you have loaded the Intel configuration correctly, QE will detect and configure it. Compilation is very simple.

# ./configure --prefix=/usr/local/qe-2.7 --with-scalapack=intel --enable-shared --enable-openmp | tee Configure.out
# make all
# make install

Step 5: Optional (If you wish to reconfigure again, do a clean up)

Do a clean up by using the command

# make veryclean

Installing CUDA with Ansible for Rocky Linux 8

Installation Guide

You can take a look at Nvidia CUDA Installation Guide for more information

Step 1: Get the Nvidia CUDA Repo

You can find the Repo from the Nvidia Download Sites. It should be named cuda_rhel8.repo. Copy it and use it as a template with a j2 extension.

[cuda-rhel8-x86_64]
name=cuda-rhel8-x86_64
baseurl=https://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64/D42D0685.pub

Step 2: Use Ansible to Generate the repo from Templates.

The Ansible Script should look like this.

- name: Generate /etc/yum.repos.d/cuda_rhel8.repo
  template:
    src: ../templates/cuda-rhel8-repo.j2
    dest: /etc/yum.repos.d/cuda_rhel8.repo
    owner: root
    group: root
    mode: 0644
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 3: Install the Kernel-Headers and Kernel-Devel

The CUDA Driver requires that the kernel headers and development packages for the running version of the kernel be installed at the time of the driver installation, as well as whenever the driver is rebuilt.

- name: Install Kernel-Headers and Kernel-Devel
  dnf:
    name:
        - kernel-devel
        - kernel-headers
    state: present
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 4: Disabling Nouveau

To install the Display Driver, the Nouveau drivers must first be disabled. I use a template to disable it. I created a template called blacklist-nouveau-conf.j2. Here is the content

blacklist nouveau
options nouveau modeset=0

The Ansible script for disabling Nouveau using a template

- name: Generate blacklist nouveau
  template:
    src: ../templates/blacklist-nouveau-conf.j2
    dest: /etc/modprobe.d/blacklist-nouveau.conf
    owner: root
    group: root
    mode: 0644
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 5: Install the Drivers and CUDA

- name: Install driver packages RHEL 8 and newer
  dnf:
    name: '@nvidia-driver:latest-dkms'
    state: present
    update_cache: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  register: install_driver

- name: Install CUDA
  dnf:
    name: cuda
    state: present
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  register: install_cuda

Step 6: Reboot if there are changes to Drivers and CUDA

- name: Reboot if there are changes to Drivers or CUDA
  ansible.builtin.reboot:
  when:
    - install_driver.changed or install_cuda.changed
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Aftermath

After reboot, you should try to do “nvidia-smi” commands, hopefully, you should see

If you have an error “NVIDIA-SMI has failed because it couldn’t communicate with the NVIDIA driver for RHEL 8“, do follow the steps in NVIDIA-SMI has failed because it couldn’t communicate with the NVIDIA driver for RHEL 8 and run the ansible script in the blog.

You may also combine all these yml into one large yml file

Other, possibly better, Ansible Scripts

You may want to consider other, possibly better, options such as https://github.com/NVIDIA/ansible-role-nvidia-docker

Guide to Creating Symbolic Links with Ansible

You can use the ansible.builtin.file module. In my example below, I wanted to link the Module Environment profile.csh and profile.sh to be placed on the /etc/profile.d so that it will load on startup. Do take a look at the Ansible Document ansible.builtin.file module – Manage files and file properties

- name: Check for CUDA Link
  stat: path=/usr/local/cuda
  register: link_available

- name: Create a symbolic link for CUDA
  ansible.builtin.file:
    src: /usr/local/cuda-12.2
    dest: /usr/local/cuda
    owner: root
    group: root
    state: link
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
    # Create the link only when nothing exists at /usr/local/cuda yet
    - not link_available.stat.exists

Using Ansible Expect Module to execute a command and respond to prompts

Ansible Documentation:

Ansible Expect Module is very useful to listen for certain strings in stdout and react accordingly. This is particularly useful if you have to respond to accept a license agreement or enter some important information. Here is my sample

- name: Install RPM package from local system
  yum:
    name: /tmp/my-software.rpm
    state: present
    # Skips RPM signature verification for this local package
    disable_gpg_check: true
  when: ansible_os_family == "RedHat"

- name: Check whether /usr/local/mysoftware exists
  ansible.builtin.stat:
    path: /usr/local/mysoftware
  register: directory_check

# expect needs the pexpect Python module on the managed host.
# Each response is a "regex: answer" pair, so ?, [ ] and ( ) are escaped.
- name: Setup Licensing Server's Connection if directory does not exist
  ansible.builtin.expect:
    command: /usr/local/mysoftware/install.sh
    responses:
      '(?i)Do you already have a license server on your network\? \[y/N\]': "y"
      '(?i)Enter the name \(or IP address\) of your license server': "xx.xx.xx.xx"
      '(?i)Install/update the MySoftware web service\? \[Y/n\]': "n"
  when: not directory_check.stat.exists