[CentOS] Strange Kernel for Centos 5.5

uname -a should give the 2.6.18-xxx.y.z.el5 (with .centos.plus
optionally) or you're not running a RH/CentOS/SL kernel.

Check you /boot and grub.conf for whether you have the current kernel at
all
(2.6.18-194.32.1.el5.centos.plus in my case)
*******************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error please
notify the system manager. This footnote also confirms that this
email message has been swept for the presence of computer viruses.
www.Hubbell.com - Hubbell Incorporated**

Hi Brian T. & Robert,

Thanks for your input.

I did a uname -a on a selection of Centos 5.5 machines and found the
servers, netbooks and laptops were all a variety of 2.6.18-194.32.1.el5
and 2.6.19-194.32.1.el5-centos.plus. Only the VPS were different most
likely, as Robert suggested, because of the base operating system.

I can update the VPS kernels and am looking forward to the surprises,
all nice ones I hope, in 5.6 and then 6.0.

Sometimes I just wonder about the luckiness of us non-Windoze people. We
have a really marvellous choice of operating systems (BSDs, Solaris,
Linux et al) and its all free and outstandingly good and reliable.

I feel sorry for the Windoze victims. Its a really horrible experience
using a bug-laden and Micro$oft knows best machine where it is awkward
trying to make changes and avoid the ghastly mess of M$ Internet
Security - ugh! Centos is so relaxing and enjoyable :-)

On 11/02/11 03:05, Always Learning wrote:
[...snip...]
Be careful with saying such things. A lot can be said about Windows as an
operating system and Microsoft as a company. But be very careful about
talking about its users, you do not know the reason why they run another OS
than those which you love.

Those who uses *nix oriented/based OSes aren't better people or superior to
those not doing so. They are just different, with a different different
needs. It doesn't necessarily make them victims or unlucky.


kind regards,

David Sommerseth

They probably run Windoze because:-

(1) they are unaware of other operating systems;

(2) their application only runs on Windoze;

(3) their employer is a Windoze-only user;

(4) when they purchased their new computer it was pre-installed with
Windoze, for which they had to pay the Micro$oft premium (something
which needs challenging in the EU), and XP on netbook refuses to work if
the the hard disk is partitioned to create space for Linux whilst
Windows 7 deliberately occupies all 4 primary sectors and the entire
hard disk space just to obstruct users from installing another operating
system;

(4) they work for Micro$oft;

(5) they mistakenly believe Windoze is the best operating system in the
world;
I think *nix users are more enlightened people and more aware of
computers, in the widest sense, generally. They are individuals who
enjoy things like 'Windows for Adults' (i.e. Gnome etc.) rather than
'Windoze for Young Impressionable Children'. They are much luckier to
enjoy a better, less stressful and more reliable operating system.

With best regards,

Paul.

Programmer et al 1967-2011.
Windows user 1992-2010.
Joyful Linux user and programmer et al 2010-

Yes, there can, and has been, a lot said. A *LOT* of it has not been
positive (at least since WinDoze 95). I can go on for a while, though it's
OT, as to their *lousy* design decisions, and then there's all the
lawsuits that they lost, where they paid to cut out competetors.
Sure it does. And we're Superior (tm), don'tcha know?

mark "actually liked DOS"

But those have next to nothing to do with their current products. If
you go back to '95 and look at the security/design flaws in shipping
Linux products it is not pretty either. Pretty much everything had wide
open holes in required network services like bind/sendmail/ftp as well
as the kernel itself (wade through the changelogs on any of the programs
if you aren't convinced). I do agree that pre XP/SP2 versions of
windows were badly broken and still resent the trouble they caused, but
it's probably time to forget that.
Or lack of problems. Since MS started enabling a firewall by default
and supplying regular updates it mostly just works. I still run XP on
my work laptop, close it to sleep with running apps, open to wake up (in
seconds) on a different network, bouncing between wired/docked and
wireless undocked transparently and it runs for months at a time.
Another laptop at home does the same with Windows 7 (minus the dock).
It has been much easier to use windows running the NX client with freenx
on Linux than to keep working video drivers for native X on linux. I
can boot into Linux on my work laptop, but why? The only real reason is
if I want to access an ext3 formatted disk via USB and that turns out to
work just as well under vmware player, keeping XP's more agile network
management and leaving my other open apps running.

about
They have *everything* to do. Look, I *said* this is OT, but since you
insist, the overwhelmingly *bad* design decision was to put the GUI into
ring 0, instead of the way Windows 3, and X on *Nix, and *everybody* else
did, resulting in a GUI error bringing down the *entire* system.
<snip>

mark

I thought Vista brought that to be much more inline with how it is on linux.

It's still the case that a graphics driver error on linux can take out the
entire system, so it's not like linux is some sort of gold standard on this
front.

jh

e.g., any modern Ubuntu can write 300 GB per day of syslog if equipped
with at least certain Nvidia video cards (I'm unaware of which ones
might work).

That makes the system unusable, essentially a self-invoked denial of service.

Apparently there is a little internal disagreement in the
Debian/Ubuntu camp about Nouveau.

https://help.ubuntu.com/community/BinaryDriverHowto/Nvidia#Recommended

which says, in part:

<quote>
Recommended step for Ubuntu 10.04 or higher
Nouveau, an open source driver, is installed by default. You can
remove it by command-line by entering this:

sudo apt-get --purge remove xserver-xorg-video-nouveau
</quote>

Yes, but with Linux and many, many, many combination of shipping
software and existing hardware you actually have GUI errors. With the
combinations of windows drivers and hardware I've used, I haven't seen
any such error in years. While I agree that even running a GUI at all
on a server is a waste of resources, in practice it is not something
that matters. My company runs about 10x the number of windows servers
as Linux. Not my choice of course, but we don't see OS-related
differences in reliability, just different quirks you have to work around.

The only part that runs in ring 0 is the video driver. The GUI itself
runs in userspace.

In Linux the graphics driver runs in userspace, but even that can freeze
a machine because it requires direct hardware access. My Radeon HD
2400 PRO driver will cause an immediate lockup if I run X, then quit X,
then start X again.

So the ring-0 stuff is a bit of a red herring.

the "GUI" is a fairly nebulous term. The graphics display driver
is indeed at ring zero for performance (in fact in early versions of NT,
it ran in ring 1 or 2, but the performance hit of the ring transitions
to access IO ports on early graphics cards was overwhelming so in NT4 it
was moved to ring0). However, the GDI, User (window manager), desktop,
and about everything else are in ring3 user space.

I'll assume that you've actually worked with the code; I haven't. However,
I also trust it about as far as I can through a sumo wrestler, since I
*know* as a fact that M$ frequently had apps make direct calls, *not* to
the system, but directly to the hardware because the code ran so slowly.
For example, the classic proof was when Apple went from Moto chips to
PowerPC, and it broke Word, where they were doing just that (and I've
heard that from friends who are Macaholics).

mark

Oh stop digging deeper. You get app crashes and even lock ups too on
UNIX/Linux. There is only one thing that we can all agree on. All
Microsoft ware are high security risks and should be run inside a
software fortress so to speak.

Everything else is pretty much the same nowadays.

Make a bet? Video drivers, alone, and the feeping creaturism of the
base web browser create significant risks.

RHEL and CentOS have much, much tighter basic privilege handling. The
complexity of the NTFS ACL structure, for example, is so frequently
mishandled that it's often ignored and simply dealt with as
"Administrator". The result is privilege escalation chaos.

This turns out to be one of the problems with SELinux, in fact. It's
so powerful and complex, and ill managed in many instances, that many
developers simply disable it and ignore it, especially for web
applications. (Don't get me going on the pain of integrating locally
built Lilac and Bugzilla with SELinux: eeewwwwh!)
Not as big, serioiusly. The separation between "userspace" and
"kernelspace" and "root access" was much better than it has been in
the Windows world.
Or need to play Half-Life. (Games are why my desktop is Windows, it
runs CentOS comfortably in VirtualBox.)
Sadly, freenx is abandonware. So is neatx. (I've been working with
them lately.) The clients and servers from NoMachine are pretty good,
and play nicely on CentOS. (I'm using them now for personal use, which
their license allows.) The new NX version 4 alpha release is very,
very alpha. We'll see how it works out in the long term. I've been
trying to pay them for licenses, but the licensing model hasn't fitted
anything I can *explain* to the people who sign checks.

And how is the user-group-world permissions system any better?

I work daily with both *nix & NTFS ACL's and given the choice I prefer
NTFS' for the finer grained control.

You want to create a folder in which user A & B have access to but
nobody else? In *nix you create a group that both those users belong
to and set the folder to use that group's permissions. In NTFS you set
the ACL's so those two users have (almost) full access to the folder.
Simple enough.

Now say you need to create another folder which only users B & C have
access to? In *nix you create another group, one that B & C belong to,
and assign that group permissions to that folder. NTFS? Set the ACL's
so that only B & C have access.

Now let's say we want User A to have read only access to that second
folder? They're not the owner, and don't belong to the group, so world
permissions are your only choice. What if this folder is a
confidential folder containing files the CEO & VP should be able to
alter but the Admin Assistant needs to be able to pick files from? You
really don't want a lowly peon down in shipping seeing the
confidential memo now do you?

In NTFS you just add user A to the folder with read only permissions.

Now expand this out to hundreds of folders and watch the *nix groups
multiply like rabbits.

Admittedly a few areas of NTFS ACL's cause some confusion, inheritance
and precedence rules among them, but if you take the time to read how
they work and play with it before putting it into production it's
actually quite easy to work with.

RTFM? :-)

On Fri, 11 Feb 2011 at 6:38pm, Drew wrote
Erm, *nix has fully functional ACLs as well. 'man setfacl'

In fact, you can do things very easily with *nix acls that are very
difficult in Windows. For example, you can set different 'Default'
permissions (what will be on things created in the directory) than the
permissions that are actually on the directory. You can set different
masks for different groups or users in the same directory, etc.

That's not accurate. You can do exactly that very trivially with Container
Inheritance flags only etc...

It is NOT trivial in Windows to have the permissions on a directory set
so that Bob has rwx permission on the directory, but when new files (or
directories) are created in that directory Bob has r-- permissions on
the files inside the said directory.

You can "assign" different permissions on each file and directory in
Windows by turning off inheritance and making an assignment. You can
not easily make default create permissions be different than the
container the objects are created in.

regardless of the OS, any time you start to get tricky with per object
permissions, before long you end up with a complex mess that's a pain in
the butt to keep track of.

And this is especially true if you don't first map the users to a group role or
job position, then set appropriate permissions for files/directories based on
the roles instead of the individuals that are temporarily involved with them.
You really don't want to maintain systems by searching the entire filesystem for
acls containing a user and changing it to some other user. And generally you'll
want a mail group associated with the role as well. I always liked the way SME
server let you associate users with groups in its web admin interface and then
took care of the details of setting up permission groups and mail groups for
you. Too bad it doesn't do LDAP to make it suitable for places with more than
one server.

If you *need* that level, you use NTFSv4 ACL's. But the result is
often that it gets so complex, so fast, that ever figuring out who
ever owned or had access to something in the first place is a
nightmare. It slows filesystems, it complicates backups, and it's
proven itself fairly dangerous because of the tendency to toss in
extraneous access.
Yes, it solves some problems. But the complexity and inconsistencies
get pretty nasty pretty fast, and I've found the results a nightmare
in privilege escalation issues, and the mishandling so very common in
basic system configuration files and common software that it's rarely
worth the difficulty to resolve.
Only if you're trying for that fine a grain of control. If you need to
handle that fine grained control, it's not a file system issue it's a
procedural one.
Easy to work with, and way, way, way too common to screw up.

in unix you can use acls as well. See getacl/setacl. No sweat.

Anyway, neither in windows nor in unix/linux you want to specify
permissions on a per user level. Always groups. If the user leaves the
company and the permissions are on a per user level you need to start
all over again. If on a per group level, just disable/remove the user
from the group and it keeps working for the rest of members.

Bonus points if you enable your helpdesk group to administer the groups
and the children folders so you no longer have to waste any time with
this boring stuff.

And what do you do when you have cases that a user needs access to these
set of files/directories but not all the files/directories the group has
access to?

We create specific groups and netgroups for teams/subteams accessing
specific shares and servers.

If you are in such a scenario, then you have not planned your folder
structure well enough :-)

What do you do when you have thousands of users in your company? Do
you keep individual permissions or do you use group permissions?

I know what I'd rather do, specially if I need to audit that folder
structure.

You are assuming that company structure is somehow sensible. Just saying
that 'always groups' may not work everywhere.

So exactly what couldn't you do after exploiting one of the holes in bind or
sendmail or the kernel? It is only recently that bind was moved to a chroot and
sendmail to mostly run as a non-root user.
Yes, it's too bad memory wasn't cheap back when X was designed or maybe they
would have done client caching in the first place.

Me too!

Depending on what sort of VM system the data centre uses, it is possible
to have a non-standard kernel. This is my VPS (CentOS 4.8):

sauron.deepsoft.com% ssh sharky.deepsoft.com cat /etc/redhat-release
CentOS release 4.8 (Final)
sauron.deepsoft.com% ssh sharky.deepsoft.com uname -r
2.6.18-194.17.1.el5.028stab070.7

*I* don't have control over the kernel -- this is set up as part of the
virtual machine setup, by the people I am renting the VPS from.