Updating to Satellite 6.16 and RHEL9

Satellite 6.16 has been released, and it's a good time to get my lab systems updated to the latest version :-)

The process is fairly similar to my previous post for Upgrading Satellite 6.11 from RHEL7 to RHEL8

Anyhow, I ran into a couple of snags: one related to leapp (the limit on open file descriptors) and a Jira issue whose fix is still unpublished, which may make you want to delay your RHEL9 upgrade for a couple of weeks.

The whole process is documented in the Satellite 6.16 - Upgrading Red Hat Satellite chapter.

Satellite 6.15 to 6.16 Upgrade (RHEL8)

This process is the same as in previous versions, with one caveat: satellite-maintain now supports three different verbs:

  • satellite-maintain self-upgrade to update the satellite-maintain tools.
  • satellite-maintain update run -y to update RHEL+Satellite within the same Satellite version (6.x).
  • satellite-maintain upgrade run -y to update RHEL+Satellite to the next Satellite version (6.x+1).

Now the update process itself:


    root@sat.p1.lab ~ # satellite-maintain self-upgrade
    Running Enables the specified version's maintenance repository and,
    updates the satellite-maintain packages
    ================================================================================
    Update package(s) rubygem-foreman_maintain, satellite-maintain:       [OK]
    --------------------------------------------------------------------------------


    root@sat.p1.lab ~ # time satellite-maintain upgrade run -y
    Checking for new version of satellite-maintain...
    Security: kernel-core-4.18.0-553.27.1.el8_10.x86_64 is an installed security update
    Security: kernel-core-4.18.0-553.8.1.el8_10.x86_64 is the currently running version
    Nothing to update, can't find new version of satellite-maintain.
    Running preparation steps required to run the next scenarios
    ================================================================================
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------
    Check whether system has any non Red Hat repositories (e.g.: EPEL) enabled:
    - Checking repositories enabled on the system                         [OK]
    --------------------------------------------------------------------------------


    Running Checks before upgrading
    ================================================================================
    Check number of fact names in database:                               [OK]
    --------------------------------------------------------------------------------
    Clean old Kernel and initramfs files from tftp-boot:                  [OK]
    --------------------------------------------------------------------------------
    Check for verifying syntax for ISP DHCP configurations:               [OK]
    --------------------------------------------------------------------------------
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------
    Check whether all services are running using the ping call:           [OK]
    --------------------------------------------------------------------------------
    Check for paused tasks:                                               [OK]
    --------------------------------------------------------------------------------
    Check to verify no empty CA cert requests exist:                      [OK]
    --------------------------------------------------------------------------------
    Check whether system is self-registered or not:                       [OK]
    --------------------------------------------------------------------------------
    Check to verify if any hotfix installed on system:
    | Checking for presence of hotfix(es). It may take some time to verify.
                                                                        [OK]
    --------------------------------------------------------------------------------
    Check if TMOUT environment variable is set:                           [OK]
    --------------------------------------------------------------------------------
    Check if any upstream repositories are enabled on system:
    - Checking for presence of upstream repositories                      [OK]
    --------------------------------------------------------------------------------
    Check to make sure root(/) partition has enough space:                [OK]
    --------------------------------------------------------------------------------
    Check to make sure /var/lib/candlepin has enough space:               [OK]
    --------------------------------------------------------------------------------
    Make sure server is running on required database version:             [OK]
    --------------------------------------------------------------------------------
    Check for roles that have filters with multiple resources attached:   [OK]
    --------------------------------------------------------------------------------
    Check for duplicate permissions from database:                        [OK]
    --------------------------------------------------------------------------------
    Check if system requirements match current tuning profile:            [OK]
    --------------------------------------------------------------------------------
    Check whether reports have correct associations:                      [OK]
    --------------------------------------------------------------------------------
    Check for running tasks:                                              [OK]
    --------------------------------------------------------------------------------
    Check for old tasks in paused/stopped state:                          [OK]
    --------------------------------------------------------------------------------
    Check for pending tasks which are safe to delete:                     [OK]
    --------------------------------------------------------------------------------
    Check for tasks in planning state:                                    [OK]
    --------------------------------------------------------------------------------
    Check for running pulpcore tasks:                                     [OK]
    --------------------------------------------------------------------------------
    Check if system has any non Red Hat RPMs installed (e.g.: Fedora):    [OK]
    --------------------------------------------------------------------------------
    Check to validate dnf configuration before upgrade:                   [OK]
    --------------------------------------------------------------------------------
    Check whether system has any non Red Hat repositories (e.g.: EPEL) enabled:
    | Checking repositories enabled on the system                         [OK]
    --------------------------------------------------------------------------------
    Check if ipv6.disable=1 is set at kernel level:                       [OK]
    --------------------------------------------------------------------------------
    Check to make sure PostgreSQL 13 work directory has enough space for upgrade:
                                                                        [OK]
    --------------------------------------------------------------------------------
    Check if any organizations are using entitlement mode:
    | Checking organization content access modes                          [OK]
    --------------------------------------------------------------------------------
    Validate availability of repositories:
    - Validating availability of repositories for 6.16                    [OK]
    --------------------------------------------------------------------------------


    The pre-upgrade checks indicate that the system is ready for upgrade.
    It's recommended to perform a backup at this stage.
    Confirm to continue with the modification part of the upgrade (assuming yes)
    Running preparation steps required to run the next scenarios
    ================================================================================
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------


    Running Procedures before migrating
    ================================================================================
    disable active sync plans:
    | Total 0 sync plans are now disabled.                                [OK]
    --------------------------------------------------------------------------------
    Add maintenance_mode tables/chain to nftables/iptables:               [OK]
    --------------------------------------------------------------------------------
    Stop cron service:

    Stopping the following service(s):
    crond
    \ All services stopped                                                [OK]
    --------------------------------------------------------------------------------


    Running Migration scripts
    ================================================================================
    Setup repositories:
    / Configuring repositories for 6.16                                   [OK]
    --------------------------------------------------------------------------------
    Switch the given stream modules:                                      [OK]
    --------------------------------------------------------------------------------
    Enable the given stream modules:                                      [OK]
    --------------------------------------------------------------------------------
    Download package(s) :                                                 [OK]
    --------------------------------------------------------------------------------
    Stop applicable services:

    Stopping the following service(s):
    redis, mosquitto, postgresql, pulpcore-api, pulpcore-content, pulpcore-api.socket, pulpcore-content.socket, pulpcore-worker@1.service, pulpcore-worker@2.service, tomcat, dynflow-sidekiq@orchestrator, foreman, httpd, foreman.socket, dynflow-sidekiq@worker-1, dynflow-sidekiq@worker-hosts-queue-1, foreman-proxy, foreman-cockpit
    | All services stopped                                                [OK]
    --------------------------------------------------------------------------------
    Update package(s) :                                                   [OK]
    --------------------------------------------------------------------------------
    Running satellite-installer :                                         [OK]
    --------------------------------------------------------------------------------
    Execute upgrade:run rake task:                                        [OK]
    --------------------------------------------------------------------------------


    Running preparation steps required to run the next scenarios
    ================================================================================
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------


    Running Procedures after migrating
    ================================================================================
    Refresh detected features:                                            [OK]
    --------------------------------------------------------------------------------
    Start applicable services:

    Starting the following service(s):
    redis, mosquitto, postgresql, pulpcore-api, pulpcore-content, pulpcore-worker@1.service, pulpcore-worker@2.service, tomcat, dynflow-sidekiq@orchestrator, foreman, httpd, dynflow-sidekiq@worker-1, dynflow-sidekiq@worker-hosts-queue-1, foreman-proxy, foreman-cockpit
    | All services started                                                [OK]
    --------------------------------------------------------------------------------
    Start cron service:

    Starting the following service(s):
    crond
    - All services started                                                [OK]
    --------------------------------------------------------------------------------
    re-enable sync plans:
    \ Total 0 sync plans are now enabled.                                 [OK]
    --------------------------------------------------------------------------------
    Remove maintenance mode table/chain from nftables/iptables:           [OK]
    --------------------------------------------------------------------------------


    Running preparation steps required to run the next scenarios
    ================================================================================
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------


    Running Checks after upgrading
    ================================================================================
    Check number of fact names in database:                               [OK]
    --------------------------------------------------------------------------------
    Clean old Kernel and initramfs files from tftp-boot:                  [OK]
    --------------------------------------------------------------------------------
    Check for verifying syntax for ISP DHCP configurations:               [OK]
    --------------------------------------------------------------------------------
    Check whether all services are running:                               [OK]
    --------------------------------------------------------------------------------
    Check whether all services are running using the ping call:           [OK]
    --------------------------------------------------------------------------------
    Check for paused tasks:                                               [OK]
    --------------------------------------------------------------------------------
    Check to verify no empty CA cert requests exist:                      [OK]
    --------------------------------------------------------------------------------
    Check whether system is self-registered or not:                       [OK]
    --------------------------------------------------------------------------------
    Check if system needs reboot:                                         [WARNING]
    Updating Subscription Management repositories.
    Core libraries or services have been updated since boot-up:
    * glibc
    * kernel
    * linux-firmware
    * microcode_ctl
    * systemd

    Reboot is required to fully utilize these updates.
    More information: https://access.redhat.com/solutions/27943
    --------------------------------------------------------------------------------
    Initialize and expose container image metadata in the pulpcore db:
    \ Adding image metadata to pulp. You can continue using the system normally while the task runs in the background.
                                                                        [OK]
    --------------------------------------------------------------------------------
    Import container manifest metadata:
    \ Adding image metadata. You can continue using the system normally while the task runs in the background.
                                                                        [OK]
    --------------------------------------------------------------------------------


    --------------------------------------------------------------------------------
    Upgrade finished.

    real    16m15.508s
    user    6m37.830s
    sys 0m59.038s

Note that the satellite-maintain upgrade process waits until the data migration tasks mentioned above are done. Once it finishes, it's safe to start/stop the Satellite services or reboot the system (e.g., to prepare for Leapp).

Leapp upgrade to RHEL9

This process is documented in the Satellite 6.16 - Upgrading Red Hat Enterprise Linux on Satellite or Capsule chapter.


    root@sat.p1.lab ~ # dnf install --disableplugin=foreman-protector leapp leapp-upgrade-el8toel9

Once you have confirmed that VDO is not in use on your RHEL8 system, the following answer file can be created (leapp answer --section check_vdo.confirm=True writes the same entry):


    root@sat.p1.lab ~ # cat  /var/log/leapp/answerfile
    [check_vdo]
    # Title:              None
    # Reason:             Confirmation
    # ============================= check_vdo.confirm =============================
    # Label:              Are all VDO devices, if any, successfully converted to LVM management?
    # Description:        Enter True if no VDO devices are present on the system or all VDO devices on the system have been successfully converted to LVM management. Entering True will circumvent check of failures and undetermined devices. Recognized VDO devices that have not been converted to LVM management can still block the upgrade despite the answer.All VDO devices must be converted to LVM management before upgrading.
    # Reason:             To maximize safety all block devices on a system that meet the criteria as possible VDO devices are checked to verify that, if VDOs, they have been converted to LVM management. If the devices are not converted and the upgrade proceeds the data on unconverted VDO devices will be inaccessible. In order to perform checking the 'vdo' package must be installed. If the 'vdo' package is not installed and there are any doubts the 'vdo' package should be installed and the upgrade process re-run to check for unconverted VDO devices. If the check of any device fails for any reason an upgrade inhibiting report is generated. This may be problematic if devices are dynamically removed from the system subsequent to having been identified during device discovery. If it is certain that all VDO devices have been successfully converted to LVM management this dialog may be answered in the affirmative which will circumvent block device checking.
    # Type:               bool
    # Default:            None
    # Available choices: True/False
    confirm = True

    root@sat.p1.lab ~ # leapp preupgrade
    root@sat.p1.lab ~ # time leapp upgrade && reboot
    [...]

Again, at this point leapp will perform the OS upgrade, run an SELinux relabel of all files, and re-run the Satellite installer once the system is on RHEL9.

Note that at the time of writing, the fix for the issue "missing PES event to remove shim-ia32 when upgrading to RHEL9" is still pending release. It should be fixed in the next few days.


    # cat /etc/redhat-release
    Red Hat Enterprise Linux release 9.4 (Plow)

    # rpm -qi satellite
    Name        : satellite
    Version     : 6.16.0
    Release     : 2.el9sat
    Architecture: noarch
    Install Date: Tue 05 Nov 2024 05:31:57 PM EST

All in all, a very painless upgrade that removes all requirements to have RHEL8 in your environment. Go RHEL9!

Happy hacking!

Updating your kernel when /boot is too small

Some cloud images provide a /boot filesystem which is too small to hold the required files to boot 2 different kernel versions.

In this tip we'll see how to identify when an update was unsuccessful and what to do in order to run the latest kernel on the next reboot.

Identifying /boot size

This /boot filesystem is only 495 MB in size, and since it's a RHEL9 system, that is too small to hold two kernels:

# df -h /boot/
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda3       495M  360M  136M  73% /boot

Identifying issues while upgrading

When we upgrade the system with yum, the following error is shown on screen:

# yum upgrade -y
[...]
  Running scriptlet: kernel-core-5.14.0-427.22.1.el9_4.x86_64                                                                                                                                                                  963/963 
cp: error writing '/boot/initramfs-5.14.0-427.22.1.el9_4.x86_64.img': No space left on device
dracut: dracut: creation of /boot/initramfs-5.14.0-427.22.1.el9_4.x86_64.img failed
warning: %posttrans(kernel-core-5.14.0-427.22.1.el9_4.x86_64) scriptlet failed, exit status 1

Error in POSTTRANS scriptlet in rpm package kernel-core

This means that the newly generated initramfs is incomplete or corrupt, since there was not enough space to write it. Booting with that initramfs will fail and leave you with an unbootable kernel.

We can also see errors in the messages file:

# cat /var/log/messages| grep -P "dracut: creation.*failed" 
Jul  2 10:11:42 server.example.com dracut[27623]: dracut: creation of /boot/initramfs-5.14.0-427.22.1.el9_4.x86_64.img fail

Luckily the old kernel still works, so we can boot it and get the system properly updated.

Erasing the old kernel and rebuilding the initramfs

We can now identify the old and new versions of the kernel:

# rpm -qa| grep kern | sort
kernel-5.14.0-362.13.1.el9_3.x86_64
kernel-5.14.0-427.22.1.el9_4.x86_64
kernel-core-5.14.0-362.13.1.el9_3.x86_64
kernel-core-5.14.0-427.22.1.el9_4.x86_64
kernel-modules-5.14.0-362.13.1.el9_3.x86_64
kernel-modules-5.14.0-427.22.1.el9_4.x86_64
kernel-modules-core-5.14.0-362.13.1.el9_3.x86_64
kernel-modules-core-5.14.0-427.22.1.el9_4.x86_64

We have 5.14.0-362.13.1.el9_3 (old) and 5.14.0-427.22.1.el9_4 (new).

We can now remove the old version of the kernel (the one currently running).

BEWARE: THIS IS A DANGEROUS STEP! You may render your system unbootable if you don't follow the steps properly and fail to fully install the new kernel.

Remove the old kernel packages with rpm; dnf will not let you do so because it is the running kernel.

# rpm -qa| grep kern | grep 5.14.0-362.13.1.el9_3 | xargs rpm -e 
/usr/sbin/weak-modules: line 1086: cd: /lib/modules/5.14.0-362.13.1.el9_3.x86_64/weak-updates: No such file or directory
warning: file /lib/modules/5.14.0-362.13.1.el9_3.x86_64/modules.builtin.modinfo: remove failed: No such file or directory
warning: file /lib/modules/5.14.0-362.13.1.el9_3.x86_64/modules.builtin: remove failed: No such file or directory

Once you've removed the old kernel, there should be plenty of space in /boot to install the new kernel and let dracut regenerate the initramfs automatically.

A simple way to do that is to just reinstall the kernel package with dnf:

# yum reinstall kernel && reboot
Updating Subscription Management repositories.
Last metadata expiration check: 0:24:06 ago on Tue Jul  2 09:55:07 2024.
Dependencies resolved.
=====================================================================================================
 Package               Architecture    Version                 Repository                     Size
=====================================================================================================
Reinstalling:
 kernel                x86_64          5.14.0-427.22.1.el9_4   rhel-9-for-x86_64-baseos-rpms  5.5 M

Transaction Summary
=====================================================================================================
Total download size: 5.5 M
Installed size: 0  
Is this ok [y/N]: y

This task ensures that:

  • The kernel package is reinstalled.
  • The initramfs is regenerated for all installed kernel packages (only one in our current scenario).

Once this step is done, you'll be running the latest kernel.
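Because the reinstall command above chains straight into a reboot, it is worth confirming first that /boot really holds a complete kernel image and a non-empty initramfs for every installed kernel, and how much space is left. The following script is an added example, not part of the original post; it takes the boot directory and the kernel versions as arguments so the same checks can be exercised against a scratch directory, and the --host flag and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: before rebooting after a
# kernel update, confirm that the boot directory holds a kernel image and a
# non-empty initramfs for every installed kernel, and report the free space.
# The boot directory and kernel versions are passed in as arguments so the
# checks can be run against a scratch directory as well as the real /boot.

# installed_kernels: one "VERSION-RELEASE.ARCH" line per installed
# kernel-core RPM, i.e. the strings used in /boot/vmlinuz-* and
# /boot/initramfs-*.img file names.
installed_kernels() {
    rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
}

# boot_free_kib BOOTDIR: free space on the filesystem holding BOOTDIR, in KiB.
boot_free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# check_kernel_files BOOTDIR KVER: exit 0 when BOOTDIR/vmlinuz-KVER and a
# non-empty BOOTDIR/initramfs-KVER.img both exist, 1 otherwise. A missing or
# zero-length initramfs is what a dracut run that ran out of space leaves.
check_kernel_files() {
    bootdir=$1
    kver=$2
    status=0
    if [ ! -s "$bootdir/vmlinuz-$kver" ]; then
        echo "MISSING: $bootdir/vmlinuz-$kver" >&2
        status=1
    fi
    if [ ! -s "$bootdir/initramfs-$kver.img" ]; then
        echo "MISSING or EMPTY: $bootdir/initramfs-$kver.img" >&2
        status=1
    fi
    return "$status"
}

# check_boot_dir BOOTDIR KVER...: run check_kernel_files for every version
# given and print the remaining free space; exit 0 only when all pass.
check_boot_dir() {
    bd=$1
    shift
    failed=0
    for k in "$@"; do
        if check_kernel_files "$bd" "$k"; then
            echo "OK: $k"
        else
            failed=1
        fi
    done
    echo "free space in $bd: $(boot_free_kib "$bd") KiB"
    return "$failed"
}

# On a real host: `sh boot-check.sh --host` (script name assumed) checks
# /boot for every installed kernel before declaring it safe to reboot.
if [ "${1:-}" = "--host" ]; then
    # word splitting on the version list is intended
    check_boot_dir /boot $(installed_kernels) && echo "safe to reboot"
fi
```

A non-empty file is a necessary but not sufficient check: an image truncated by "No space left on device" can still have a size, so on a real host also run lsinitrd /boot/initramfs-<kver>.img to confirm the image parses. If the image is still missing after the reinstall, dracut -f /boot/initramfs-<kver>.img <kver> builds it directly.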

Happy hacking!

Re-configuring workers in Satellite 6.13 for performance tuning

While there is a very complete Satellite 6.13 Performance tuning guide, I always struggle to find these parameters whenever I change the CPU and RAM resources of a Satellite running as a virtual machine.

Usually I care about tuning two things:

  • The number of Puma workers (helps with Satellite WebUI responsiveness and with the number of dynflow tasks it can handle).

  • The number of Pulp workers, so I can synchronize more repositories in parallel.

To tune this, in a 16 vCPU machine, I would use something like:

satellite-installer \
 --foreman-foreman-service-puma-workers=8 \
 --foreman-foreman-service-puma-threads-min=16 \
 --foreman-foreman-service-puma-threads-max=16 \
 --foreman-proxy-content-pulpcore-worker-count=8

Happy hacking!

Checking SSL and TLS configuration with sslyze

Just a quick tip on checking a server's SSL/TLS configuration without too much trouble.

sslyze is a Python package that can be used to check which cipher suites a given service accepts, e.g.:

 pip install sslyze

 python -m sslyze server.example.com

CHECKING CONNECTIVITY TO SERVER(S)
----------------------------------

server.example.com:443            => 192.168.1.208   WARNING: Server requested optional client authentication


SCAN RESULTS FOR server.example.com:443 - 192.168.1.208
-------------------------------------------------

* Certificates Information:
    Hostname sent for SNI:             server.example.com
    Number of certificates detected:   1


    Certificate #0 ( _RSAPublicKey )
    SHA1 Fingerprint:                  2e57a27485b980d25ea0d8d642ab31d5b6a64b6e
    Common Name:                       server.example.com
    Issuer:                            server.example.com
    Serial Number:                     217661717633682589085577779257221678089539599645
    Not Before:                        2023-02-15
    Not After:                         2038-01-18
    Public Key Algorithm:              _RSAPublicKey
    Signature Algorithm:               sha256
    Key Size:                          4096
    Exponent:                          65537
    SubjAltName - DNS Names:           ['server.example.com']

    Certificate #0 - Trust
    Hostname Validation:               OK - Certificate matches server hostname
    Android CA Store (13.0.0_r9):      FAILED - Certificate is NOT Trusted: self-signed certificate in certificate chain
    Apple CA Store (iOS 16, iPadOS 16, macOS 13, tvOS 16, and watchOS 9):FAILED - Certificate is NOT Trusted: self-signed certificate in certificate chain
    Java CA Store (jdk-13.0.2):        FAILED - Certificate is NOT Trusted: self-signed certificate in certificate chain
    Mozilla CA Store (2022-12-11):     FAILED - Certificate is NOT Trusted: self-signed certificate in certificate chain
    Windows CA Store (2023-02-19):     FAILED - Certificate is NOT Trusted: self-signed certificate in certificate chain
    Symantec 2018 Deprecation:         ERROR - Could not build verified chain (certificate untrusted?)
    Received Chain:                    server.example.com --> server.example.com
    Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
    Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
    Received Chain Order:              OK - Order is valid
    Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

    Certificate #0 - Extensions
    OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
    Certificate Transparency:          NOT SUPPORTED - Extension not found

    Certificate #0 - OCSP Stapling
                                        NOT SUPPORTED - Server did not send back an OCSP response

* SSL 2.0 Cipher Suites:
    Attempted to connect using 7 cipher suites; the server rejected all cipher suites.

* SSL 3.0 Cipher Suites:
    Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

* TLS 1.0 Cipher Suites:
    Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

* TLS 1.1 Cipher Suites:
    Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

* TLS 1.2 Cipher Suites:
    Attempted to connect using 156 cipher suites.

    The server accepted the following 23 cipher suites:
        TLS_RSA_WITH_AES_256_GCM_SHA384                   256                      
        TLS_RSA_WITH_AES_256_CCM                          256                      
        TLS_RSA_WITH_AES_256_CBC_SHA256                   256                      
        TLS_RSA_WITH_AES_256_CBC_SHA                      256                      
        TLS_RSA_WITH_AES_128_GCM_SHA256                   128                      
        TLS_RSA_WITH_AES_128_CCM                          128                      
        TLS_RSA_WITH_AES_128_CBC_SHA256                   128                      
        TLS_RSA_WITH_AES_128_CBC_SHA                      128                      
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       256       ECDH: X25519 (253 bits)
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                256       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             128       ECDH: prime256v1 (256 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                128       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256         256       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_256_CCM                      256       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               256       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               128       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_128_CCM                      128       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               128       DH (4096 bits) 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (4096 bits)

    The group of cipher suites supported by the server has the following properties:
    Forward Secrecy                    OK - Supported
    Legacy RC4 Algorithm               OK - Not Supported


* TLS 1.3 Cipher Suites:
    Attempted to connect using 5 cipher suites.

    The server accepted the following 4 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
        TLS_AES_256_GCM_SHA384                            256       ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
        TLS_AES_128_CCM_SHA256                            128       ECDH: X25519 (253 bits)


* Deflate Compression:
                                        OK - Compression disabled

* OpenSSL CCS Injection:
                                        OK - Not vulnerable to OpenSSL CCS injection

* OpenSSL Heartbleed:
                                        OK - Not vulnerable to Heartbleed

* Client certificated required for --robot: use --cert and --key to provide one.

* Session Renegotiation:
    Client Renegotiation DoS Attack:   OK - Not vulnerable
    Secure Renegotiation:              OK - Supported

* Elliptic Curve Key Exchange:
    Supported curves:                  X25519, X448, prime256v1, secp384r1, secp521r1
    Rejected curves:                   prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1

SCANS COMPLETED IN 6.953993 S
-----------------------------

COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
--------------------------------------------

    Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.

    server.example.com:443: ERROR - Scan did not run successfully; review the scan logs above.
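The Mozilla compliance check at the end could not complete (sslyze reports that the scan did not run successfully; in the log above, the ROBOT check is the one that could not run because the server requested a client certificate), but the suite list already shows what that profile would flag: the TLS 1.2 TLS_RSA_* suites offer no forward secrecy, and the CBC and *_SHA suites use a non-AEAD mode and a SHA-1 MAC, none of which appear in Mozilla's intermediate profile. The following script is an added example, not part of the original post and not sslyze's own code: it grades the suites in sslyze's text output against a small policy loosely modelled on that profile, so a saved scan can be graded offline. The embedded excerpt is a constructed sample, the policy rules are this example's own, and the script name and flags are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post and not sslyze's own code:
# grade the cipher suites sslyze reports as accepted against a small policy
# loosely modelled on Mozilla's "intermediate" profile (no legacy protocol,
# no static-RSA key exchange, no CBC mode, no SHA-1 MAC, no RC4/3DES/NULL/
# EXPORT ciphers). The sample below is a constructed excerpt of sslyze's
# text output; the policy rules are this example's own.

SAMPLE_SSLYZE_OUTPUT=$(cat <<'EOF'
* TLS 1.1 Cipher Suites:
    Attempted to connect using 80 cipher suites; the server rejected all cipher suites.

* TLS 1.2 Cipher Suites:
    Attempted to connect using 156 cipher suites.

    The server accepted the following 6 cipher suites:
        TLS_RSA_WITH_AES_256_GCM_SHA384                   256
        TLS_RSA_WITH_AES_128_CBC_SHA                      128
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       256       ECDH: X25519 (253 bits)
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             128       ECDH: prime256v1 (256 bits)
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               256       DH (4096 bits)
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (4096 bits)

* TLS 1.3 Cipher Suites:
    Attempted to connect using 5 cipher suites.

    The server accepted the following 2 cipher suites:
        TLS_CHACHA20_POLY1305_SHA256                      256       ECDH: X25519 (253 bits)
        TLS_AES_128_GCM_SHA256                            128       ECDH: X25519 (253 bits)
EOF
)

# accepted_suites: read sslyze text output on stdin and print one
# "<protocol> <suite>" line per accepted suite, e.g.
# "TLS1.2 TLS_RSA_WITH_AES_128_CBC_SHA". Sections where sslyze says the
# server rejected every suite contain no suite lines and print nothing.
accepted_suites() {
    awk '
        /^\* (SSL [23]\.0|TLS 1\.[0-3]) Cipher Suites:/ { proto = $2 $3; next }
        /^ +TLS_[A-Z0-9_]+ +[0-9]+/                     { print proto, $1 }
    '
}

# suite_findings PROTO SUITE: print the policy problems of one suite,
# space-separated; print nothing when the suite is acceptable.
suite_findings() {
    proto=$1
    suite=$2
    problems=""
    case "$proto" in
        SSL2.0|SSL3.0|TLS1.0|TLS1.1) problems="legacy-protocol" ;;
    esac
    case "$suite" in TLS_RSA_*) problems="$problems no-forward-secrecy" ;; esac
    case "$suite" in *_CBC_*)   problems="$problems cbc-mode" ;; esac
    case "$suite" in *_SHA)     problems="$problems sha1-mac" ;; esac
    case "$suite" in *_RC4_*|*_3DES_*|*_NULL_*|*_EXPORT*) problems="$problems broken-cipher" ;; esac
    echo "${problems# }"
}

# grade_suites: read sslyze output on stdin, print a WEAK/OK line per
# accepted suite, and exit 1 if any suite violates the policy. The suite
# list goes through a temp file so the loop runs in the current shell
# and the counter survives.
grade_suites() {
    tmp=$(mktemp)
    accepted_suites > "$tmp"
    weak=0
    while read -r proto suite; do
        findings=$(suite_findings "$proto" "$suite")
        if [ -n "$findings" ]; then
            echo "WEAK $proto $suite: $findings"
            weak=$((weak + 1))
        else
            echo "OK   $proto $suite"
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$weak" -eq 0 ]
}

# Usage: `python -m sslyze server.example.com | sh grade-suites.sh --stdin`
# (script name assumed); `--demo` grades the embedded sample instead.
case "${1:-}" in
    --stdin) grade_suites ;;
    --demo)  printf '%s\n' "$SAMPLE_SSLYZE_OUTPUT" | grade_suites ;;
esac
```

Run against the scan above, the script flags all eight TLS_RSA_* suites, every *_CBC_* suite and every suite ending in _SHA, and passes the ECDHE/DHE GCM, CCM and CHACHA20 suites and all of TLS 1.3; its non-zero exit status makes it usable as a CI gate on a saved scan.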

Happy hacking!

Introducing satellite-conf-report

tl;dr: I wrote a quick shell script that gathers your Satellite/Foreman configuration and generates a Markdown file with it. It uses hammer commands underneath, and can help you in the following scenarios:

  • Reporting the basic configuration of a Satellite system.
  • Help with configuration drift - you can compare reports from different dates.
  • Quickly share the configuration with others.
  • Help perform configuration analysis / health checks.

The satellite-conf-report script is available in the following GitHub repo:

https://github.com/frangdlt/satellite-conf-report
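The core transformation a report like this needs is turning hammer's `--csv` output into Markdown tables that can later be diffed for drift. The following is an added example written for this post, not the satellite-conf-report script itself: `sample_orgs` is a constructed stand-in for `hammer --csv organization list`, and the section layout and the failure-as-text behaviour are choices made here, not the script's.

```shell
#!/bin/sh
# Added example, not the satellite-conf-report script: hammer --csv output -> Markdown.

# csv_to_md: read CSV on stdin (first line is the header) and print a Markdown table.
# Assumption: no field contains an embedded comma; hammer's surrounding quotes are stripped.
csv_to_md() {
  awk -F',' '
    { gsub(/"/, ""); row = "| " $1
      for (i = 2; i <= NF; i++) row = row " | " $i
      print row " |" }
    NR == 1 { sep = "|---"
      for (i = 2; i <= NF; i++) sep = sep "|---"
      print sep "|" }'
}

# report_section TITLE CMD...: run CMD (normally a hammer --csv call) and emit a Markdown
# section for it. A failing command is recorded in the document instead of being dropped,
# so a later drift diff shows when a query stopped working.
report_section() {
  title=$1; shift
  printf '## %s\n\n' "$title"
  if out=$("$@" 2>&1); then
    printf '%s\n' "$out" | csv_to_md
  else
    printf '_command failed: %s_\n' "$*"
  fi
  printf '\n'
}

# Constructed sample standing in for `hammer --csv organization list`.
sample_orgs() {
  printf 'Id,Name,Label\n1,Default Organization,Default_Organization\n3,ACME,acme\n'
}

# Real run:   report_section "Organizations" hammer --csv organization list > report-$(date +%F).md
# Drift check: diff -u report-2024-10-01.md report-2024-11-01.md
```

Because hammer returns CSV for every list command, the same two functions cover content views, activation keys, host groups and so on; only the command passed to `report_section` changes.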

Happy hacking!

Installing and running shrewsoft VPN client in Fedora 38

Shrewsoft created a VPN client whose last build dates from 2013. It can still be run on Fedora 38 with a couple of tricks. Keep in mind that both the client and the OpenSSL 1.0 compatibility library it depends on are unmaintained, so treat this as a last resort for a VPN you cannot reach with a current client.

Installation

First you need to enable the COPR repository that provides the legacy OpenSSL 1.0 libraries (compat-openssl10):

dnf copr enable dioni21/compat-openssl10

After that, you can manually install the shrewsoft package (the ike RPM from the pessoft/ike COPR, built for Fedora 29, which is why it needs the compatibility library from the previous step):

yum localinstall https://download.copr.fedorainfracloud.org/results/pessoft/ike/fedora-rawhide-x86_64/00780930-ike/ike-2.2.1-13.fc29.x86_64.rpm

Running Shrewsoft VPN client

First you need to ensure that the IKE daemon is running. You can launch it under your regular user:

/usr/sbin/iked &

Then launch the VPN client GUI with:

/usr/bin/ikec

Finally import your VPN profile and enjoy :-)

Happy hacking!

Overriding the system hostname when registering into Red Hat Satellite

Sometimes you need to ensure that a system registered into Satellite has a specific hostname, because the current one is unacceptable for a number of reasons (it might collide with another one, etc).

The Satellite documentation points out that you can override the name by configuring a setting in the subscription-manager facts; however, this does not seem to work in newer (6.12+) versions of Red Hat Satellite.

In the latest testing I did, the following procedure ensured the system was registered with the requested hostname in Satellite.

  • Ensure the old host and content hosts are deleted from Satellite (if required).
  • Add the requested hostname in /etc/hosts of the system, bound to one of its IPs. It does not matter if it's not the first entry associated to the IP.
  • Ensure that /etc/rhsm/facts/katello.facts has these settings:

    {
    "network.fqdn":"new-name.example.com",
    "network.hostname":"new-name.example.com",
    "network.hostname-override":"new-name.example.com"
    }
    
  • Register the system again with subscription-manager, eg:

    subscription-manager register --org="ORGANIZATION" --activationkey="ACTIVATIONKEY" --force --name=new-name.example.com
    

In addition to this, it seems that simply setting the network.hostname-override parameter no longer works by default. Satellite can be configured to obey this parameter, but the rest of the configuration is still required. Also note that --force re-registers the system, so double-check the new name before running it: a typo or a name that is still taken creates a duplicate host that you then have to clean up.
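The procedure above as one script, added here as an example and not taken from the post or from Red Hat's tooling. It assumes the facts file path and JSON keys listed above, binds the /etc/hosts entry to the first address printed by `hostname -I`, and uses ORG and KEY as placeholders. It must run as root and deliberately stops short of calling subscription-manager, printing the register command instead so that /etc/hosts and the facts file can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare a host so that it registers
# into Satellite under a chosen FQDN. Assumptions: facts path and keys as in the post,
# /etc/hosts bound to the first `hostname -I` address, ORG/KEY are placeholders.

FACTS_FILE=${FACTS_FILE:-/etc/rhsm/facts/katello.facts}

# valid_fqdn NAME: 0 if NAME is a syntactically valid fully qualified hostname
# (letter/digit/hyphen labels, no label over 63 chars, at least one dot), else 1.
# Checking this before a --force re-registration avoids creating a host with a bogus name.
valid_fqdn() {
  printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# render_facts NAME: the katello.facts document for NAME.
render_facts() {
  printf '{\n  "network.fqdn": "%s",\n  "network.hostname": "%s",\n  "network.hostname-override": "%s"\n}\n' "$1" "$1" "$1"
}

# hosts_has NAME FILE: 0 if FILE (hosts(5) format) already maps NAME to some address,
# ignoring comment lines; the name may appear anywhere after the address.
hosts_has() {
  awk -v name="$1" '
    !/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
    END { exit !found }' "$2"
}

# prepare_host NAME: steps 2 and 3 of the procedure, then print step 4 for review.
prepare_host() {
  name=$1
  valid_fqdn "$name" || { echo "not a valid FQDN: $name" >&2; return 1; }
  ip=$(hostname -I 2>/dev/null | awk '{ print $1 }')
  [ -n "$ip" ] || { echo "could not determine an IP address for /etc/hosts" >&2; return 1; }
  hosts_has "$name" /etc/hosts || printf '%s %s\n' "$ip" "$name" >> /etc/hosts
  render_facts "$name" > "$FACTS_FILE"
  echo "facts written to $FACTS_FILE; now run:"
  echo "subscription-manager register --org=\"ORG\" --activationkey=\"KEY\" --force --name=$name"
}

# Usage: prepare_host new-name.example.com
```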

Some relevant documents:

  • https://access.redhat.com/solutions/3166211 - Registered content host appears with a different hostname in Red Hat Satellite WebUI.
  • https://access.redhat.com/solutions/3732221 - network.hostname-override is not overriding the hostname of server for registration

Happy hacking!

Setting VSCode as the default Gnome editor

Quick post. I had the need to change the default Gnome editor from gedit to VSCode. There isn't a straight-forward way to do this, so I found this quick way and wanted to make a note in the blog so I don't forget ;-) .

➜ xdg-mime  query default text/plain 
gedit.desktop

➜ xdg-mime default code.desktop text/plain

➜ xdg-mime  query default text/plain  
code.desktop

You can also check the list of existing applications by searching for *.desktop files installed in your system, eg:

➜ find /usr/share/applications  -name "*.desktop"

Happy hacking!

Registering old RHEL systems into new Satellite versions

Sometimes you find out you need to register really ancient Red Hat Enterprise Linux systems into a new Satellite. This poses a number of challenges, namely around support and around having the right tools (subscription-manager, curl and others) available on the system so that Red Hat Satellite can manage it.

Supported Satellite client operating systems

Red Hat maintains a list of supported operating systems per version on Satellite here:

https://access.redhat.com/solutions/5607011 - What are the supported operating systems for hosts of Red Hat Satellite 6 ?

The reality is a bit more complex, as Red Hat only tests new Satellite versions with actively supported RHEL releases. For RHEL 6, this means that the only tested combination is RHEL 6.10 with the ELS (Extended Lifecycle Support) add-on.

For ancient RHEL 7.0 and RHEL 7.1 versions it's even more complicated, because their curl and OpenSSL lack the TLS protocol versions and ciphers the Satellite requires, which makes connecting to it impossible.

The workaround is to upgrade the relevant system packages to the latest version PRIOR to attempting to register the system into Satellite 6.x .

So here are some notes on how to accomplish that:

Registering RHEL 6 releases older than 6.10 into Satellite 6.10+ is not supported; registration does not work.

  • It is required to update subscription-manager, rpm and other components to the versions provided by RHEL 6.10 prior to onboarding the system into Satellite 6.12.
  • This process might render subscription-manager inoperable. It is recommended to perform a full backup of the system, and to have access to the RHEL 6.10 DVD, prior to attempting this upgrade.
  • The RHEL 6.10 content can be made available via the RHEL ISO, or hosted on a web server or NFS server.
  • Red Hat Engineering does not certify a full list of packages that need to be upgraded. However, in testing, the following list of packages seems to be sufficient to allow a successful registration:
  • yum upgrade -y "yum*" "subscription-manager*" "rpm" python-requests.noarch python-rhsm.x86_64 python-six.noarch python-urlgrabber.noarch python-urllib3.noarch openssl
  • More packages might be required depending on the packages installed on the managed system that needs to be migrated.

RHEL 7.0 and RHEL 7.1 cannot be registered with Satellite.

  • In a similar way to RHEL 6, RHEL 7.0 and RHEL 7.1 cannot connect to a new Satellite because of the OpenSSL ciphers and because of the subscription-manager components. Registration errors might include curl: (35) Peer reports incompatible or unsupported protocol version.
  • The problem can be solved by upgrading the following packages prior to registration. Packages should come from RHEL 7.9.
  • yum upgrade -y openssl curl "yum*" "subscription-manager*" "rpm" python-six python-rhsm
  • Again, this process might render subscription-manager inoperable. It is recommended to perform a full backup of the system, and to have access to the RHEL 7.9 DVD, prior to attempting this upgrade.
  • The RHEL 7.9 content can be made available via the RHEL ISO, or hosted on a web server or NFS server.
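A preflight check to run on the old client before touching its packages, added here as an example rather than taken from the notes above or from Red Hat. It takes the version floors from the notes (RHEL 6.x before 6.10, RHEL 7.0 and 7.1 need the upgrade), assumes the Satellite serves its CA consumer RPM at the standard /pub location, and uses only sed, awk and curl so that it runs with the stock RHEL 6/7 tooling. The probe deliberately does not pass -k: on a client whose TLS stack is too old the download fails with exit code 35, exactly as described above, while a client that merely does not trust the Satellite CA yet fails with exit code 60, which tells you the protocol negotiation itself is fine.

```shell
#!/bin/sh
# Added example, not from the original notes: preflight before registering an old RHEL client.
# Assumptions: version floors as stated in the notes; CA RPM served from /pub on the Satellite.

# needs_upgrade RELEASE_LINE: 0 if the release (contents of /etc/redhat-release) is one the
# notes say cannot register without the package upgrade, 1 if it is new enough,
# 2 if no "release X.Y" could be parsed.
needs_upgrade() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  major=${ver%% *}
  minor=${ver##* }
  case "$major" in
    6) [ "$minor" -lt 10 ] ;;   # RHEL 6.0-6.9: upgrade to the 6.10 packages first
    7) [ "$minor" -lt 2 ] ;;    # RHEL 7.0 and 7.1: upgrade to the 7.9 packages first
    *) return 1 ;;
  esac
}

# explain_curl RC: what a curl exit code from the probe means for registration.
explain_curl() {
  case "$1" in
    0)  echo "TLS handshake OK and CA RPM downloadable" ;;
    35) echo "curl: (35) handshake failure: the client TLS stack is too old, upgrade openssl/curl/subscription-manager before registering" ;;
    60) echo "TLS handshake OK; certificate not yet trusted (expected before installing katello-ca-consumer-latest.noarch.rpm)" ;;
    *)  echo "curl exit code $1: check DNS, firewall and the Satellite hostname" ;;
  esac
}

# probe_satellite HOST: attempt the download without -k, so that an old TLS stack shows
# up as exit code 35 while a merely untrusted CA shows up as 60.
probe_satellite() {
  rc=0
  curl -sS -o /dev/null "https://$1/pub/katello-ca-consumer-latest.noarch.rpm" || rc=$?
  explain_curl "$rc"
}

# preflight HOST: run both checks on this machine.
preflight() {
  release=$(cat /etc/redhat-release 2>/dev/null)
  rc=0; needs_upgrade "$release" || rc=$?
  case $rc in
    0) echo "$release: upgrade the package set listed above before registering" ;;
    1) echo "$release: release is new enough" ;;
    *) echo "could not parse a release version from: $release" ;;
  esac
  probe_satellite "$1"
}

# Usage: preflight satellite.example.com
```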

Happy Satellite-ing!

Installing a Brother DCP-L2550DN printer and scanner in Fedora 37

Brother DCP-L2550DN printer

My trusty, 15 year old Brother HL-2030 printer died with a Laser sensor error, so it was due time for a replacement. Brother has been known to make good printers and I wanted to get a replacement ASAP.

My requirements for the printer were:

  • Laser B&W / monochrome. I only print a few pages per year, but I really need it to work OK (as I'm usually very remote to the printer).
  • Reasonable low cost (under 200€).
  • Network attachable (Ethernet), wifi optional.
  • Fedora compatible.

So I found this Brother DCP-L2550DN on Amazon, and after a couple of days for shipping, I was ready to get it installed.

Installing the printer

In my case, I just had to remove the old printer, and replace in place with the new one. I connected the same USB-A (computer) to USB-B (printer) cable, and it was immediately recognized by lsusb.

#> lsusb | grep -i Brother
Bus 001 Device 005: ID 04f9:0423 Brother Industries, Ltd DCP-L2550DN series

The Brother support page instructs you to download the installer script, which in my case was:

  • linux-brprinter-installer-2.2.3-1
  • dcpl2550dnpdrv-4.0.0-1.i386.rpm
  • brscan-skey-0.3.1-2.x86_64.rpm
  • brscan4-0.4.11-1.x86_64.rpm

After running the script and entering the specific model name (DCP-L2550DN in my case, hyphen included), CUPS reported it as configured. Note what the installer does along the way, as the log below shows: it installs the vendor RPMs with rpm --nodeps --replacefiles --replacepkgs, relabels the driver directories under /opt/brother and /etc/opt/brother as bin_t and cupsd_rw_etc_t, and persistently enables the cups_execmem SELinux boolean (setsebool -P cups_execmem 1). Review those changes if you run a hardened desktop.

#> ./linux-brprinter-installer-2.2.3-1 
Input model name ->DCP-L2550DN

You are going to install following packages.
   dcpl2550dnpdrv-4.0.0-1.i386.rpm
   brscan4-0.4.11-1.x86_64.rpm
   brscan-skey-0.3.1-2.x86_64.rpm
OK? [y/N] ->y

rpm -ihv --nodeps --replacefiles --replacepkgs dcpl2550dnpdrv-4.0.0-1.i386.rpm
Verifying...                          ########################################
Preparing...                          ########################################
Updating / installing...
dcpl2550dnpdrv-4.0.0-1                ########################################
ln: failed to create symbolic link '/opt/brother/Printers/DCPL2550DN/lpd/rawtobr3': File exists
ln: failed to create symbolic link '/opt/brother/Printers/DCPL2550DN/lpd/brprintconflsr3': File exists
ln: failed to create symbolic link '/etc/opt/brother/Printers/DCPL2550DN/inf/brDCPL2550DNrc': File exists
ln: failed to create symbolic link '/usr/lib/cups/filter/brother_lpdwrapper_DCPL2550DN': File exists
ln: failed to create symbolic link '/usr/share/cups/model/brother-DCPL2550DN-cups-en.ppd': File exists
ln: failed to create symbolic link '/usr/share/ppd/brother/brother-DCPL2550DN-cups-en.ppd': File exists
lpadmin -p DCPL2550DN -E -v usb://Brother/DCP-L2550DN%20series?serial=E78284M2N111836 -P /usr/share/ppd/brother/brother-DCPL2550DN-cups-en.ppd
lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS.
ValueError: File context for /etc/opt/brother/Printers/DCPL2550DN/inf(/.*)? already defined
ValueError: File context for /opt/brother/Printers/DCPL2550DN/inf(/.*)? already defined
ValueError: File context for /opt/brother/Printers/DCPL2550DN/lpd(/.*)? already defined
ValueError: File context for /opt/brother/Printers/DCPL2550DN/cupswrapper(/.*)? already defined
#
semanage fcontext -a -t bin_t /opt/brother
ValueError: File context for /opt/brother already defined
restorecon -R /opt/brother
semanage fcontext -a -t cupsd_rw_etc_t /etc/opt/brother
ValueError: File context for /etc/opt/brother already defined
restorecon -R /etc/opt/brother
semanage fcontext -a -t cupsd_rw_etc_t /opt/brother/Printers/(.*/)?inf(/.*)?
ValueError: File context for /opt/brother/Printers/(.*/)?inf(/.*)? already defined
restorecon -R /opt/brother/Printers
semanage fcontext -a -t cupsd_rw_etc_t /etc/opt/brother/Printers/(.*/)?inf(/.*)?
ValueError: File context for /etc/opt/brother/Printers/(.*/)?inf(/.*)? already defined
restorecon -R /etc/opt/brother/Printers
semanage fcontext -a -t bin_t /opt/brother/Printers/(.*/)?lpd(/.*)?
ValueError: File context for /opt/brother/Printers/(.*/)?lpd(/.*)? already defined
restorecon -R /opt/brother/Printers
semanage fcontext -a -t bin_t /opt/brother/Printers/(.*/)?cupswrapper(/.*)?
ValueError: File context for /opt/brother/Printers/(.*/)?cupswrapper(/.*)? already defined
restorecon -R /opt/brother/Printers
restorecon -RFv /usr/lib/cups/filter
setsebool -P cups_execmem 1
Will you specify the Device URI? [Y/n] ->


0: beh
1: ipp
2: cups-brf:/
3: https
4: socket
5: serial:/dev/ttyS0?baud=115200
6: lpd
7: http
8: ipps
9: smb
10 (I): Specify IP address.
11 (A): Auto. (usb://dev/usblp0)

select the number of destination Device URI. ->11

lpadmin -p DCPL2550DN -v usb:///etc/usblp0 -E
Test Print? [y/N] ->

You are going to install following packages.
   brscan4-0.4.11-1.x86_64.rpm
rpm -ihv --nodeps --replacefiles --replacepkgs brscan4-0.4.11-1.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:brscan4-0.4.11-1                 ################################# [100%]
This software is based in part on the work of the Independent JPEG Group.
You are going to install following packages.
   brscan-skey-0.3.1-2.x86_64.rpm
rpm -ihv --nodeps --replacefiles --replacepkgs brscan-skey-0.3.1-2.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:brscan-skey-0.3.1-2              ################################# [100%]
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/brscan_mail.config': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/brscan-skey.config': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/brscan-snmp.cfg': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/scantofile.config': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/scantoimage.config': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/scantoocr.config': File exists
ln: failed to create symbolic link '/etc/opt/brother/scanner/brscan-skey/scantoemail.config': File exists
ln: failed to create symbolic link '/usr/bin/brscan-skey': File exists

I tried printing a test page but nothing would work because it was configured to use a device called /dev/usb/lp0 , or /dev/usblp0 . Neither of those existed on my system so I was troubleshooting for a while.

Some useful resources:

https://fedoraproject.org/wiki/How_to_debug_printing_problems
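A small post-install audit, added here as an example and not part of the post or of Brother's installer, for the two things the log above shows the installer changed: the CUPS device URI (it wrote usb:///etc/usblp0, which does not exist, hence the failed test page) and the SELinux policy (local fcontext rules under /opt/brother and /etc/opt/brother, plus cups_execmem). It assumes that `lpstat -v` prints one "device for NAME: URI" line per queue, that `lpinfo -v` prints "direct usb://..." lines for discovered USB printers, and that semanage and getsebool from policycoreutils are installed.

```shell
#!/bin/sh
# Added example, not from the original post: audit what the Brother installer left behind.
# Assumptions: lpstat -v / lpinfo -v output formats as described in the lead-in;
# semanage and getsebool available (policycoreutils).

# bad_usb_queues LPSTAT_V_OUTPUT: print "queue uri" for every queue whose device URI is a
# usb:/// path to a raw device node rather than the usb://Make/Model?serial= form the CUPS
# usb backend discovers; those queues will never print.
bad_usb_queues() {
  printf '%s\n' "$1" | awk '
    /^device for / {
      name = $3; sub(/:$/, "", name)
      if ($4 ~ /^usb:\/\/\//) print name " " $4
    }'
}

# discovered_usb_uri: the URI the CUPS usb backend actually finds for a Brother printer,
# to be used as: lpadmin -p QUEUE -v "$(discovered_usb_uri)"
discovered_usb_uri() {
  lpinfo -v 2>/dev/null | awk '$1 == "direct" && $2 ~ /^usb:\/\/Brother/ { print $2; exit }'
}

# selinux_audit: list the local fcontext customisations for the Brother paths and the state
# of cups_execmem, which lets cupsd run code from writable memory. Read-only; whether to
# keep the boolean on is your call (the vendor filters may need it).
selinux_audit() {
  semanage fcontext -l -C | grep -E '^/(etc/)?opt/brother' || echo "no local Brother fcontext rules"
  getsebool cups_execmem
}

# Usage (as root): bad_usb_queues "$(lpstat -v)"; discovered_usb_uri; selinux_audit
```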

Configuring the right CUPS queue

In the end, I used good old system-config-printer graphical assistant, which automatically detected the printer, and configured it in cups in the following manner:

#> lpstat -p
printer Brother-DCP-L2550DN-series is idle.  enabled since Thu Mar 30 14:46:53 2023
Description:    Brother DCP-L2550DN series
Location:   mycomputer
Driver: Brother DCPL2550DN for CUPS (grayscale, duplex)
Connection: usb://Brother/DCP-L2550DN%20series?serial=XXXXXXXXXXXXX
Default Options:    Banners=none, none paper=iso_a4_210x297mm sides=one-sided

Configuring SANE

This was my first try with SANE in 20+ years using Linux, and I only had to install the driver as performed with the automatic installer.

Fedora ships simple-scan, which takes care of scanning pages from both the document feeder and the flatbed. It works nicely and can output either JPG images or PDFs (for documents).

Happy hacking!