How to disable vulnerable ciphers and encryption modes in Rocky Linux 8 to mitigate Terrapin Attack (CVE-2023-48795)

For more information on the Terrapin Attack (CVE-2023-48795), do take a look at Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted.

As mentioned in the blog entry Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted, the attack is possible only if you use the vulnerable ciphers and encryption modes: ChaCha20-Poly1305, CTR-EtM and CBC-EtM. Note that the ciphers and the encryption modes themselves are not broken; rather, their input (the sequence number) can be manipulated by the attacker.

The mitigation is similar to How to disable CBC Mode Ciphers in RHEL 8 or Rocky Linux 8 except that you have to remove the “chacha20-poly1305@openssh.com” besides the CBC Mode Ciphers.

Step 1: Edit /etc/sysconfig/sshd and uncomment the CRYPTO_POLICY line, leaving it empty so that sshd uses the algorithm lists from sshd_config instead of the system-wide crypto policy:

CRYPTO_POLICY=

Step 2: Edit the /etc/ssh/sshd_config file and add the following KexAlgorithms, Ciphers and MACs lines:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After making changes to the configuration file, do a sanity check on it before restarting:

# sshd -t

Restart the sshd service:

# systemctl restart sshd

To test whether the weak CBC ciphers and ChaCha20-Poly1305 are still enabled, connect while offering only those ciphers:

$ ssh -vv -oCiphers=chacha20-poly1305@openssh.com,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc IP-Address-of-your-Server

You should receive a message similar to this:

Unable to negotiate with 172.21.33.11 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
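The steps above amount to a simple check: no ChaCha20-Poly1305 and no CBC-mode cipher may appear in the effective Ciphers list. The script below is an added example (it is not part of the original post) that automates that check in two places: it parses an sshd_config excerpt the way sshd reads it (first occurrence of a keyword wins, comments ignored) and it parses the "Their offer:" line that ssh prints when no cipher matches, so the client-side test from the post can be evaluated automatically. The config texts are constructed samples; the algorithm names are the ones used in the post.

```python
"""Audit sshd cipher lists for the algorithms the Terrapin write-up removes.

Added example, not code from the original post. Sample inputs are constructed.
"""
import re

# The cipher the post removes by name, plus every CBC-mode cipher ("-cbc").
CHACHA = "chacha20-poly1305@openssh.com"
CBC_SUFFIX = "-cbc"
ALGO_KEYS = ("ciphers", "macs", "kexalgorithms")


def parse_sshd_config(text):
    """Return {keyword: raw value} for Ciphers/MACs/KexAlgorithms.

    Comments are stripped and, as sshd does, only the first occurrence of a
    keyword is kept (Match blocks are not modelled here).
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(?i)(\w+)[\s=]+(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key in ALGO_KEYS and key not in found:
            found[key] = m.group(2).strip()
    return found


def weak_ciphers(names):
    """Names the post says must not be offered: ChaCha20-Poly1305 and CBC modes."""
    return [n for n in names if n == CHACHA or n.endswith(CBC_SUFFIX)]


def parse_offer(ssh_output):
    """Extract the server's list from the 'Their offer:' line printed by ssh."""
    m = re.search(r"Their offer:\s*(\S+)", ssh_output)
    return m.group(1).split(",") if m else []


def audit(config_text):
    """Return a list of findings; an empty list means the Ciphers line is clean."""
    cfg = parse_sshd_config(config_text)
    findings = []
    if "ciphers" not in cfg:
        # With no Ciphers line the effective list comes from the crypto policy
        # or OpenSSH defaults; read it with `sshd -T` rather than guessing.
        findings.append("Ciphers not set: check `sshd -T | grep -i ciphers`")
        return findings
    value = cfg["ciphers"]
    if value[0] in "+-^":
        # '+', '-' and '^' modify the default list; only sshd -T shows the result.
        findings.append(f"Ciphers modifies the default list ({value[0]}): check `sshd -T`")
        return findings
    for name in weak_ciphers(value.split(",")):
        findings.append(f"weak cipher enabled: {name}")
    return findings


# Constructed sample: the hardened lines from the post.
HARDENED = """\
# sshd_config excerpt (constructed sample)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

# Constructed sample: a config that still offers the affected algorithms.
WEAK = """\
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
Ciphers aes256-ctr   # ignored: sshd uses the first Ciphers line
"""

# The client-side test output shown in the post.
OFFER_LINE = ("Unable to negotiate with 172.21.33.11 port 22: no matching cipher found. "
              "Their offer: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr")

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(text) or ["ok: no ChaCha20-Poly1305 or CBC cipher enabled"])
    print("server offered weak ciphers:", weak_ciphers(parse_offer(OFFER_LINE)))
```

Run it against a copy of your real sshd_config by replacing the sample text with `open("/etc/ssh/sshd_config").read()`; when it reports that the Ciphers line is absent or uses a +/-/^ prefix, fall back to `sshd -T`, which prints the effective configuration.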

To verify that the Terrapin vulnerability is mitigated, use the Terrapin Vulnerability Scanner. Pre-built binaries for all major platforms and the source code are available on GitHub.

./Terrapin_Scanner_Linux_amd64 -connect XXX.XXX.XXX.XXX

If you are not vulnerable, the scanner output will look like this.

References:

  1. Terrapin Attack (CVE-2023-48795): SSH Protocol Impacted
  2. Terrapin Attack
  3. Terrapin (CVE-2023-48795): New Attack Impacts the SSH Protocol
  4. SSH protocol flaw – Terrapin Attack CVE-2023-48795: All you need to know

Mounting NTFS on Rocky Linux 8

If you plug a portable drive formatted with the Windows NTFS file system into Rocky Linux 8 and try to mount it, this is what you will see immediately:

# mount /dev/sdd1 /data1
mount: /data1: unknown filesystem type 'ntfs'.

Step 1: Enable EPEL Repo

# dnf install epel-release

Step 2: Install NTFS-3g

# dnf install ntfs-3g

In some blogs written elsewhere, these 2 packages are more than enough, but I was still having issues. In my situation, I needed to put in 5 packages.

Step 3: Install all NTFS-3g packages

# dnf install *ntfs*

This time it works for me.

Step 4: Simply mount (Hooray!)

# mount /dev/sdd1 /data1

Compiling Quantum ESPRESSO-7.2 with Intel-2023.1 on Rocky Linux 8

Step 1: Download the package from Quantum ESPRESSO. You have to register and log in before you can download. Then unpack it:

# tar -zxvf qe-7.2.tar.gz

Step 2: Source Intel Environment

$ source /usr/local/intel/2023.1/setvars.sh
:: initializing oneAPI environment ...
   -bash: BASH_VERSION = 4.4.20(1)-release
   args: Using "$@" for setvars.sh arguments:
:: advisor -- latest
:: ccl -- latest
:: clck -- latest
:: compiler -- latest
:: dal -- latest
:: debugger -- latest
:: dev-utilities -- latest
:: dnnl -- latest
:: dpcpp-ct -- latest
:: dpl -- latest
:: inspector -- latest
:: intelpython -- latest
:: ipp -- latest
:: ippcp -- latest
:: ipp -- latest
:: itac -- latest
:: mkl -- latest
:: mpi -- latest
:: tbb -- latest
:: vtune -- latest
:: oneAPI environment initialized ::

Step 3: Remember to prepare the Intel-optimised BLAS95, LAPACK95 and FFTW beforehand. Do take a look at

Step 4: Compile the QE

Once you have loaded the Intel environment correctly, QE's configure script will detect it and configure itself accordingly. Compilation is very simple.

# ./configure --prefix=/usr/local/qe-2.7 --with-scalapack=intel --enable-shared --enable-openmp | tee Configure.out
# make all
# make install

Step 5: Optional (if you wish to reconfigure, do a clean-up first)

Do a clean-up with the command:

# make veryclean

Installing CUDA with Ansible for Rocky Linux 8

Installation Guide

You can take a look at Nvidia CUDA Installation Guide for more information

Step 1: Get the Nvidia CUDA Repo

You can find the repo file on the Nvidia download site. It should be named cuda_rhel8.repo. Copy it and use it as a template with a .j2 extension:

[cuda-rhel8-x86_64]
name=cuda-rhel8-x86_64
baseurl=https://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64/D42D0685.pub

Step 2: Use Ansible to Generate the repo from Templates.

The Ansible task should look like this:

- name: Generate /etc/yum.repos.d/cuda_rhel8.repo
  template:
    src: ../templates/cuda-rhel8-repo.j2
    dest: /etc/yum.repos.d/cuda_rhel8.repo
    owner: root
    group: root
    mode: 0644
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 3: Install the Kernel-Headers and Kernel-Devel

The CUDA Driver requires that the kernel headers and development packages for the running version of the kernel be installed at the time of the driver installation, as well as whenever the driver is rebuilt.

- name: Install Kernel-Headers and  Kernel-Devel
  dnf:
    name:
        - kernel-devel
        - kernel-headers
    state: present
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 4: Disabling Nouveau

To install the display driver, the Nouveau driver must first be disabled. I use a template to disable it, called blacklist-nouveau-conf.j2. Here is its content:

blacklist nouveau
options nouveau modeset=0

The Ansible task for disabling Nouveau using the template:

- name: Generate blacklist nouveau
  template:
    src: ../templates/blacklist-nouveau-conf.j2
    dest: /etc/modprobe.d/blacklist-nouveau.conf
    owner: root
    group: root
    mode: 0644
  become: true
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Step 5: Install the Drivers and CUDA

- name: Install driver packages RHEL 8 and newer
  dnf:
    name: '@nvidia-driver:latest-dkms'
    state: present
    update_cache: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  register: install_driver

- name: Install CUDA
  dnf:
    name: cuda
    state: present
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
  register: install_cuda

Step 6: Reboot if there are changes to Drivers and CUDA

- name: Reboot if there are changes to Drivers or CUDA
  ansible.builtin.reboot:
  when:
    - install_driver.changed or install_cuda.changed
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"

Aftermath

After the reboot, run the “nvidia-smi” command. Hopefully you should see output like this:

If you have an error “NVIDIA-SMI has failed because it couldn’t communicate with the NVIDIA driver for RHEL 8“, do follow the steps in NVIDIA-SMI has failed because it couldn’t communicate with the NVIDIA driver for RHEL 8 and run the ansible script in the blog.

You may also combine all these YAML tasks into one large playbook file.

Other (possibly better) Ansible scripts

You may also want to consider other, possibly better, options such as https://github.com/NVIDIA/ansible-role-nvidia-docker

Guide to Creating Symbolic Links with Ansible

You can use the ansible.builtin.file module. In my example below, I wanted to link the Module Environment profile.csh and profile.sh into /etc/profile.d so that they are loaded on startup. Do take a look at the Ansible documentation: ansible.builtin.file module – Manage files and file properties

- name: Check for CUDA Link
  stat: path=/usr/local/cuda
  register: link_available

# Create the link only when nothing exists at the destination yet.
# (stat.isdir is only defined when the path exists, so test stat.exists,
# which the stat module always returns.)
- name: Create a symbolic link for CUDA
  ansible.builtin.file:
    src: /usr/local/cuda-12.2
    dest: /usr/local/cuda
    owner: root
    group: root
    state: link
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
    - not link_available.stat.exists

Using the Ansible Expect Module to execute a command and respond to prompts

Ansible Documentation:

The Ansible expect module is very useful for listening for certain strings in stdout and reacting accordingly. This is particularly useful if you have to accept a license agreement or enter some important information. Here is my sample:

- name: Install RPM package from local system
  yum:
    name: /tmp/my-software.rpm
    state: present
    # Skips signature verification: only for a package you have verified out of band.
    disable_gpg_check: true
  when: ansible_os_family == "RedHat"

- name: Check whether the software directory already exists
  ansible.builtin.stat:
    path: /usr/local/mysoftware
  register: directory_check

# The responses keys are regular expressions matched against the installer's
# output, so '?', '(' and '[' in the prompts must be escaped.
- name: Set up the Licensing Server's connection if the directory does not exist
  ansible.builtin.expect:
    command: /usr/local/mysoftware/install.sh
    responses:
      '(?i)Do you already have a license server on your network\? \[y/N\]': "y"
      '(?i)Enter the name \(or IP address\) of your license server': "xx.xx.xx.xx"
      '(?i)Install/update the MySoftware web service\? \[Y/n\]': "n"
  when: not directory_check.stat.exists

Displaying the Number of Cores and Current Load average for All Nodes

If you wish to use Ansible to display the number of cores and the current load average for all your nodes, you may want to consider the tasks below.

- name: Display number of cores
  debug:
    var: ansible_processor_cores

- name: Get Load Average
  ansible.builtin.shell: "cat /proc/loadavg"
  register: load_avg_output
  changed_when: false

- name: Print Load Average for all Nodes
  debug:
    msg: "Load Average: {{ load_avg_output.stdout }}"

Updating /etc/resolv.conf using Ansible for Rocky Linux 8

You may want to check whether /etc/resolv.conf exists, create the file if it does not, and then update the DNS settings:

- name: Check if resolv.conf file exists
  stat:
    path: /etc/resolv.conf
  register: file_info

- name: Create /etc/resolv.conf if it does not exist
  file:
    path: /etc/resolv.conf
    state: touch
  when: not file_info.stat.exists

- name: Set DNS nameservers in /etc/resolv.conf
  blockinfile:
    path: /etc/resolv.conf
    block: |
      search example.com
      nameserver x.x.x.x
      nameserver w.w.w.w
  when: ansible_distribution == "Rocky"

Enable PowerTools Repository Using Ansible

If you wish to use Ansible to fix Unable to Install hdf5, hdf5-devel and hdf5-static on Rocky Linux 8.7 by installing dnf-plugins-core and epel-release for Rocky Linux, do take a look at the tasks below:

- name: Install DNF-Plugin-Core and EPEL-Release for Rocky
  dnf:
    name:
      - dnf-plugins-core
      - epel-release
    state: latest
  when: ansible_distribution == "Rocky"

- name: Enable powertools repository
  command: dnf config-manager --set-enabled powertools
  when: ansible_distribution == "Rocky"
  changed_when: false