Enable PowerTools Repository Using Ansible

If you wish to use Ansible to fix "Unable to Install hdf5, hdf5-devel and hdf5-static on Rocky Linux 8.7" by installing DNF-Plugin-Core and EPEL-Release for Rocky Linux, take a look at the tasks below:

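- name: Install DNF-Plugin-Core and EPEL-Release for Rocky
  dnf:
    name:
      - dnf-plugins-core
      - epel-release
    state: latest
  when: ansible_distribution == "Rocky"

# config-manager comes from the dnf-plugins-core package installed above
- name: Enable powertools repository
  command: dnf config-manager --set-enabled powertools
  when: ansible_distribution == "Rocky"
  # the command gives no change information, so never report this task as changed
  changed_when: false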

Unable to Install hdf5, hdf5-devel and hdf5-static on Rocky Linux 8.7

If you are doing a dnf install on hdf5 packages, you will notice errors like the one below

nothing provides libsz.so.2()(64bit) needed by hdf5-1.10.5-4.el8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

To resolve the issue, you will need to install and enable PowerTools

Step 1: Install DNF plugins package

dnf install dnf-plugins-core

Step 2: Install EPEL

EPEL is needed because some software built from source code requires dependencies that are available in EPEL

dnf install epel-release

Step 3: Enable PowerTools repository on Rocky Linux 8

dnf config-manager --set-enabled powertools

Step 4: Now try installing HDF5

dnf install hdf5 hdf5-devel hdf5-static

Starting Commands for Ansible

Number 1: Preparing Ansible.cfg

ansible.cfg is used to customize the behavior of Ansible and define various settings and options for managing infrastructure and deploying applications. Inside your ansible_cluster directory, create an ansible.cfg:

[defaults]
inventory = inventory
private_key_file = ~/.ssh/id_rsa
become = true
become_user = root

Number 2: To Test the Connection with Nodes via SSH

[root@h001 ansible_cluster]# ansible all -m ping
192.168.200.161 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.200.160 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.200.162 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.200.163 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

Number 3: Listing Hosts

[root@h001 ansible_cluster]# ansible all --list-hosts
  hosts (4):
    192.168.200.160
    192.168.200.161
    192.168.200.162
    192.168.200.163

Number 4: Gather Facts about Hosts

This returns a lot of information about the hosts. If you want to limit it to a single host, use the parameter "--limit"

[root@h001 ansible_cluster]# ansible all -m gather_facts --limit 192.168.200.161
192.168.200.161 | SUCCESS => {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.200.161"
        ],
        "ansible_all_ipv6_addresses": [
            "fe80::5eed:8cff:fe80:aee3"
        ],
        "ansible_apparmor": {
            "status": "disabled"
        },
        "ansible_architecture": "x86_64",
        "ansible_bios_date": "02/02/2023",
        "ansible_bios_vendor": "HPE",
        "ansible_bios_version": "U46",
        "ansible_board_asset_tag": "NA",
        "ansible_board_name": "ProLiant DL360 Gen10 Plus",
...
...
...

Number 4a: Gather Facts about Hosts Distribution

[root@h001 ansible_cluster]# ansible all -m gather_facts --limit 192.168.200.161 |grep distribution
        "ansible_distribution": "Rocky",
        "ansible_distribution_file_parsed": true,
        "ansible_distribution_file_path": "/etc/redhat-release",
        "ansible_distribution_file_variety": "RedHat",
        "ansible_distribution_major_version": "8",
        "ansible_distribution_release": "Green Obsidian",
        "ansible_distribution_version": "8.7",

Could not load the Qt platform plugin “xcb” in “” even though it was found for Rocky Linux 8

If you encounter this issue

qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: xcb.

You can resolve the issue by installing the xcb packages (the pattern is quoted so that the shell passes it to dnf unexpanded)

# dnf install 'xcb*'
Last metadata expiration check: 1:39:51 ago on Tue 09 May 2023 11:47:04 AM +08.
Package xcb-util-0.4.0-10.el8.x86_64 is already installed.
Dependencies resolved.
====================================================================================================================================================================================================================
 Package                                                   Architecture                                 Version                                               Repository                                       Size
====================================================================================================================================================================================================================
Installing:
 xcb-util-image                                            x86_64                                       0.4.0-9.el8                                           appstream                                        20 k
 xcb-util-keysyms                                          x86_64                                       0.4.0-7.el8                                           appstream                                        15 k
 xcb-util-renderutil                                       x86_64                                       0.3.9-10.el8                                          appstream                                        18 k
 xcb-util-wm                                               x86_64                                       0.4.1-12.el8                                          appstream                                        31 k

Transaction Summary
====================================================================================================================================================================================================================
Install  4 Packages

Total download size: 83 k
Installed size: 134 k
Is this ok [y/N]: y

Setting up 2 Gateways with a Default Gateway for most Traffic and the 2nd Gateway for selected Subnet Traffic on Rocky Linux 8

Issues:

Suppose you have 2 network cards, each with its own gateway. The challenge is that you can only have 1 default gateway. How do we work this out?

Solution:

Type the following command

$ ip route show
default via 192.168.1.254 dev eno0 proto static metric 104
192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103
10.10.1.0/24 via 192.168.2.254 dev eno1 proto static metric 103

That means the default route for traffic is via eno0. All traffic except traffic to 192.168.2.0/24 and 10.10.1.0/24 passes through the default gateway; traffic to those two subnets passes through the second gateway on eno1. How do we do it?

Set Default Route for all traffic

To send all traffic through the default gateway, do the following

$ ip route add default via 192.168.1.254 dev eno0 proto static metric 104

Set Selected IP Subnet for 2nd Gateway

$ ip route add 192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103
$ ip route add 10.10.1.0/24 via 192.168.2.254 dev eno1 proto static metric 103
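
How the kernel chooses between the two gateways, as an added example that is not part of the original post: the most specific matching prefix wins, and the default route is used only when nothing else matches. `ROUTES` is the table shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: longest-prefix-match lookup over `ip route show` output.
# ROUTES is the routing table shown in this article.
ROUTES='default via 192.168.1.254 dev eno0 proto static metric 104
192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103
10.10.1.0/24 via 192.168.2.254 dev eno1 proto static metric 103'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# route_for DEST -> prints "GATEWAY DEVICE" of the most specific matching route.
# Assumption: metrics are ignored, so equal-length prefixes keep the first match.
route_for() (
    dest=$(ip_to_int "$1")
    best_len=-1
    best=""
    while read -r prefix kw a _kw2 b _rest; do
        [ -n "$prefix" ] || continue
        # "via GW dev IF" is a gateway route; "dev IF" alone is directly connected.
        if [ "$kw" = via ]; then gw=$a; dev=$b; else gw=direct; dev=$a; fi
        case "$prefix" in
            default) net=0; len=0 ;;
            */*)     net=$(ip_to_int "${prefix%/*}"); len=${prefix#*/} ;;
            *)       net=$(ip_to_int "$prefix"); len=32 ;;
        esac
        # Build the netmask for this prefix length (/0 matches every destination).
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        fi
        if [ $(( dest & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best="$gw $dev"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
)
```

On a live host, `ip route get 10.10.1.25` asks the kernel the same question.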

Setting the DNS Correctly for each Network Card

If each of the network cards requires different DNS servers, make sure you set them in the corresponding files under /etc/sysconfig/network-scripts

$ vim /etc/sysconfig/network-scripts/ifcfg-eno0
....
....
DEVICE=eno0
ONBOOT=yes
IPADDR=192.168.1.1
GATEWAY=192.168.1.254
DNS1=192.168.1.252
DNS2=192.168.1.253
NETMASK=255.255.255.0
$ vim /etc/sysconfig/network-scripts/ifcfg-eno1
....
....
DEVICE=eno1
ONBOOT=yes
IPADDR=192.168.2.1
GATEWAY=192.168.2.254
DNS1=192.168.2.252
DNS2=192.168.2.253
NETMASK=255.255.255.0

Deleting Route from Table

ip route delete 192.168.2.0/24 via 192.168.2.254 dev eno1 proto static metric 103

Different DNS Servers and Different Domains (For RHEL 8)

You can configure the systemd-resolved service and NetworkManager to send DNS queries for a specific domain to a selected DNS server. The information can be found in Chapter 38. Using different DNS servers for different domains (see References).

By default, Red Hat Enterprise Linux (RHEL) sends all DNS requests to the first DNS server specified in the /etc/resolv.conf file. If this server does not reply, RHEL uses the next server in this file.

In environments where one DNS server cannot resolve all domains, administrators can configure RHEL to send DNS requests for a specific domain to a selected DNS server. For example, you can configure one DNS server to resolve queries for example.com and another DNS server to resolve queries for example.net. For all other DNS requests, RHEL uses the DNS server configured in the connection with the default gateway.

Procedure 1: Start and enable the systemd-resolved service:

# systemctl --now enable systemd-resolved

Procedure 2: Edit the /etc/NetworkManager/NetworkManager.conf file, and set the following entry in the [main] section:

dns=systemd-resolved

Procedure 3: Reload the NetworkManager service:

# systemctl reload NetworkManager

Procedure 4: Verify that the nameserver entry in the /etc/resolv.conf file refers to 127.0.0.53:

# cat /etc/resolv.conf
nameserver 127.0.0.53

Verify that the systemd-resolved service listens on port 53 on the local IP address 127.0.0.53:

# ss -tulpn | grep "127.0.0.53"
udp  UNCONN 0  0      127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=1050,fd=12))
tcp  LISTEN 0  4096   127.0.0.53%lo:53   0.0.0.0:*    users:(("systemd-resolve",pid=1050,fd=13))

Add the 2nd DNS server to /etc/resolv.conf

# Generated by NetworkManager
nameserver 127.0.0.53
nameserver 192.168.0.1
options edns0 trust-ad
 

References:

  1. Chapter 38. Using different DNS servers for different domains
  2. Two Default Gateways on One System
  3. Linux Set up Routing with IP Command

Installing 7-zip on CentOS-7 and Rocky Linux 8

7-zip is free software with open source. It has a high compression ratio in 7z format with LZMA and LZMA2 compression. Supported formats:

  • Packing / unpacking: 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM
  • Unpacking only: APFS, AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, UDF, UEFI, VDI, VHD, VHDX, VMDK, XAR and Z.

Get 7-zip in Linux

$ wget https://sourceforge.net/projects/sevenzip/files/7-Zip/22.01/7z2201-linux-x64.tar.xz --no-check-certificate

Unpack 7-zip in Linux

$ tar xf 7z2201-linux-x64.tar.xz
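
`--no-check-certificate` turns off verification of the server's TLS certificate, so the download above is not authenticated. The following added example (not part of the original post) keeps certificate checking on and unpacks only after a SHA-256 check; `EXPECTED_SHA256` is a placeholder for a digest you obtained from a source you trust, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. URL is the one used in this article; EXPECTED_SHA256 is a
# placeholder that must be replaced with a digest obtained out of band.
URL=https://sourceforge.net/projects/sevenzip/files/7-Zip/22.01/7z2201-linux-x64.tar.xz
EXPECTED_SHA256="REPLACE_WITH_TRUSTED_SHA256"

# sha256_matches FILE EXPECTED -> 0 only when EXPECTED is a 64-hex-digit digest
# equal to the SHA-256 of FILE.
sha256_matches() {
    sm_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Fail closed on a missing or malformed digest (for example the placeholder).
    case "$sm_want" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#sm_want}" -eq 64 ] || return 1
    sm_have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$sm_have" = "$sm_want" ]
}

# verified_unpack ARCHIVE EXPECTED DESTDIR: extract only after the digest check passes.
verified_unpack() {
    if ! sha256_matches "$1" "$2"; then
        echo "refusing to unpack $1: SHA-256 mismatch" >&2
        return 1
    fi
    mkdir -p "$3" && tar xf "$1" -C "$3"
}

# fetch_and_unpack: download with TLS certificate verification left on
# (no --no-check-certificate), then verify and unpack into ./7-zip.
fetch_and_unpack() {
    wget -O 7z2201-linux-x64.tar.xz "$URL" &&
        verified_unpack 7z2201-linux-x64.tar.xz "$EXPECTED_SHA256" 7-zip
}
```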

Running Issues

If you are encountering issues like (especially on CentOS-7)

[user1@node1 7-zip]$ ./7zz
./7zz: /lib64/libstdc++.so.6: version `CXXABI_1.3.8' not found (required by ./7zz)
./7zz: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by ./7zz)

You need a more recent GNU compiler than the default one used in CentOS-7, which is very old; you may want to compile a more recent GNU compiler. Remember to extend $LD_LIBRARY_PATH and $PATH, something like this

export PATH=$PATH:/usr/local/gcc-6.5.0/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/gcc-6.5.0/lib64

‘abrt-cli status’ timed out is always shown when logging on or changing users

When you log in as or switch to a specific user, ‘abrt-cli status’ timed out is always shown

Last login: Mon Dec 19 23:32:58 +08 2022 on pts/21 
'abrt-cli status' timed out

To resolve the issue, check the status of the ‘abrtd’ service; the output will indicate a locked file

# systemctl status abrtd
● abrtd.service - ABRT Automated Bug Reporting Tool
   Loaded: loaded (/usr/lib/systemd/system/abrtd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-19 23:34:58 +08; 2s ago
 Main PID: 273413 (abrtd)
   CGroup: /system.slice/abrtd.service
           └─273413 /usr/sbin/abrtd -d -s

Dec 19 23:34:58 node1 systemd[1]: Started ABRT Automated Bug Reporting Tool.
Dec 19 23:34:58 node1 systemd[1]: Starting ABRT Automated Bug Reporting Tool...
Dec 19 23:34:58 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:34:59 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:34:59 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:35:00 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242
Dec 19 23:35:00 node1 abrtd[273413]: Lock file '.lock' is locked by process 191242

Stop the abrt Service first.

# systemctl stop abrtd

Kill the Process holding the Lock File (PID 191242 in the log above)

# kill -9 191242

Start the Service again

# systemctl start abrtd

The Lock File should go away.

# systemctl status abrtd
● abrtd.service - ABRT Automated Bug Reporting Tool
   Loaded: loaded (/usr/lib/systemd/system/abrtd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-12-19 23:48:02 +08; 4s ago
 Main PID: 334010 (abrtd)
   CGroup: /system.slice/abrtd.service
           └─334010 /usr/sbin/abrtd -d -s

Dec 19 23:48:02 hpc-gekko1 systemd[1]: Started ABRT Automated Bug Reporting Tool.
Dec 19 23:48:02 hpc-gekko1 systemd[1]: Starting ABRT Automated Bug Reporting Tool...
Dec 19 23:48:02 hpc-gekko1 abrtd[334010]: Init complete, entering main loop

How to disable CBC Mode Ciphers in RHEL 8 or Rocky Linux 8

This writeup is referenced from The Geek Diary

Edit /etc/sysconfig/sshd and uncomment the CRYPTO_POLICY line, so that the system-wide crypto policy no longer overrides the settings in sshd_config:

CRYPTO_POLICY=

Edit the /etc/ssh/sshd_config file and add the Ciphers, MACs and KexAlgorithms lines:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

After making changes to the configuration file, you may want to do a sanity check on the configuration file

# sshd -t

Restart sshd services

# systemctl restart sshd

To test if weak CBC Ciphers are enabled

$ ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [youruserid@IP of your Server]
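
A server-side check to complement the client test above, as an added example that is not part of the original post: it scans configuration text in the format printed by `sshd -T` and lists any CBC cipher that is still enabled. `SAMPLE_EFFECTIVE` is constructed sample output and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_EFFECTIVE is constructed text in the format printed by
# `sshd -T`: a lower-case keyword, a space, then a comma-separated list.
SAMPLE_EFFECTIVE='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256'

# cbc_ciphers: read `sshd -T`-style text on stdin and print each enabled CBC
# cipher on its own line. The keyword match is case-insensitive, so a
# "Ciphers ..." line taken from sshd_config is accepted as well.
cbc_ciphers() {
    awk 'tolower($1) == "ciphers" {
             n = split($2, list, ",")
             for (i = 1; i <= n; i++)
                 if (list[i] ~ /-cbc$/ || list[i] ~ /-cbc@/) print list[i]
         }'
}

# audit_sshd_ciphers: exit 0 when no CBC cipher is enabled, 1 otherwise.
audit_sshd_ciphers() {
    found=$(cbc_ciphers)
    if [ -n "$found" ]; then
        echo "CBC ciphers still enabled:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}
```

On the server, run `sshd -T | audit_sshd_ciphers` as root. With CBC disabled, the `ssh -vv -oCiphers=...` test above should fail to negotiate a cipher.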

References: