It's time to test CentOS 7.5

testing
v7

(Giacomo Sanchietti) #1

CentOS has released the CR repository to update any existing CentOS 7.4 to CentOS 7.5.

So it’s time to start some serious QA! /cc @quality_team @dev_team

Testing steps

What needs to be done to test the new release?

  1. Make sure everything is updated from stable updates:

    yum clean all && yum update
    
  2. Enable CR repository and update everything:

    yum clean all && yum --enablerepo=cr update
    
  3. When possible, reboot the machine to use the new kernel.
    After the update, verify that all kernel modules are correctly loaded.

  4. Check the Hot Points which we decided together then report back here. (Time has come @mrmarkuz @m.traeumner @iglqut @medworthy @GG_jr! :smiley: )

I’ve just upgraded 3 of our production machines, but it’s better if you test it on a non-critical installation :wink:

Known issues

No running issues so far, just a minor update problem with the nut package, see below.

NUT

nut package from epel has not been rebuilt against new freeipmi libraries, so you need to install from nethserver-testing. If you have nethserver-nut installed, enable nethserver-testing repository during the upgrade:

yum --enablerepo=cr,nethserver-testing update -y

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1570146


#2

during weekend i tested installation on rpi3b+, but i had some error with some epel deps :frowning:
x86 update with nextcloud testing now…

edit: done some “random testing” updating basic ns7 installation, and so far, no particular problem.
Only one time after update httpd-admin service was down (i don’t understand why)

just one note, for testers who want to install packages from webui after the upgrade (or try to upgrade from webui), probably is easier to leave the cr repo enabled by default

# yum install yum-utils
# yum-config-manager --enable cr

(Markus Neuberger) #3

I tested it on a mail server and on a firewall, both HP Microserver with virtualization (VMware, proxmox).

Me too:

librabbitmq-tools (required by onlyoffice):

Error: Package: librabbitmq-tools-0.5.2-1.el7.x86_64 (@epel)
           Requires: librabbitmq.so.1()(64bit)
           Removing: librabbitmq-0.5.2-1.el7.x86_64 (@epel)
               librabbitmq.so.1()(64bit)
           Updated By: librabbitmq-0.8.0-2.el7.x86_64 (cr)
              ~librabbitmq.so.4()(64bit)
Error: Package: librabbitmq-tools-0.5.2-1.el7.x86_64 (@epel)
           Requires: librabbitmq(x86-64) = 0.5.2
           Removing: librabbitmq-0.5.2-1.el7.x86_64 (@epel)
               librabbitmq(x86-64) = 0.5.2-1.el7
           Updated By: librabbitmq-0.8.0-2.el7.x86_64 (cr)
               librabbitmq(x86-64) = 0.8.0-2.el7

I updated my Nethserver firewall:

On console after reboot:

nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded

Dashboard shows:

[screenshot: grafik]

/var/log/messages:

Apr 30 13:25:30 server admin-todos: modinfo: ERROR: Module xt_ndpi not found.

Except for DPI it seems to run without problems so far. Hot Point transparent web proxy is working and blocks EICAR file.


(Giacomo Sanchietti) #4

I think this package is now part of RHEL itself, but some work from EPEL is missing.
I only found this: https://bugzilla.redhat.com/show_bug.cgi?id=1568379
My guess: tools have been merged into the lib package (check out this https://buildlogs.centos.org/c7.1804.00.x86_64/librabbitmq/20180411043234/0.8.0-2.el7.x86_64/librabbitmq-0.8.0-2.el7.x86_64.rpm)

Package info: https://apps.fedoraproject.org/packages/librabbitmq-tools/

@filippo_carletti is already working on it!


(kai) #5

I also did an update on a test machine; I first had to remove old kernels, then the update worked as expected. After reboot I got an error with the DPI module, and the server was not able to start shorewall because there was a conflict with the DPI module.

● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/shorewall.service.d
└─nethserver-firewall-base.conf
Active: failed (Result: exit-code) since Tue 2018-05-01 07:34:44 CEST; 2min 3s ago
Process: 5701 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=143)
Main PID: 5701 (code=exited, status=143)

May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: Processing /etc/shorewall/tcclear …
May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: Preparing iptables-restore input…
May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: Running /sbin/iptables-restore --wait 60…
May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: IPv4 Forwarding Enabled
May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: Processing /etc/shorewall/stopped …
May 01 07:34:44 xxx.xxxx.lan shorewall[5701]: /usr/share/shorewall/lib.common: line 93: 5757 Terminated $SHOREWALL_SHELL $script $options $@
May 01 07:34:44 xxx.xxxx.lan systemd[1]: shorewall.service: main process exited, code=exited, status=143/n/a
May 01 07:34:44 xxx.xxxx.lan systemd[1]: Failed to start Shorewall IPv4 firewall.
May 01 07:34:44 xxx.xxxx.lan systemd[1]: Unit shorewall.service entered failed state.
May 01 07:34:44 xxx.xxxx.lan systemd[1]: shorewall.service failed.

After uninstalling the dpi module everything works well. still testing here. Stuff like sogo, squid etc. works like expected.

can not confirm that eicar test file is blocked. at my side (with transparent ssl proxy) file is not blocked by squid.


#6

tested install on clean centos-cr:
installed c7 1708
enabled cr repo and updated
installed nethserver as per manual

it seems all ok, no relevant error/fails in logs

i found this one in nethserver-install.log and honestly didn’t remember if it is normal (i’ll try on a 7.4 without cr)

certbot-0.23.0-1.el7.noarch                       269/295
restorecon:  lstat(/etc/letsencrypt) failed:  No such file or directory

(Giacomo Sanchietti) #7

@filippo_carletti has built nDPI 2.2 for the new kernel, check it out! /cc @mrmarkuz @hucky

I guess yes, btw it shouldn’t be harmful.


(Markus Neuberger) #8

Great work @filippo_carletti :+1: , everything seems to work, the admin todo warning is away and I blocked FB successfully.

[root@server ~]# lsmod | grep xt_ndpi
xt_ndpi               439375  117
nf_conntrack          133053  30 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda xt_ndpi,...

But there are kernel errors in /var/log/messages after activating a ndpi firewall rule, starting with

May 3 00:07:36 server kernel: BUG: scheduling while atomic: swapper/1/0/0x10000300

After deleting the firewall rule, there are no more error entries.

Maybe an older issue appearing again?


(kai) #9

can confirm, ndpi works after update nDPI-netfilter 2.2, great work @filippo_carletti !!!


(Giacomo Sanchietti) #10

I guess yes, we removed that patch but @filippo_carletti is trying to figure out if it’s really needed.


(Filippo Carletti) #11

I uploaded a new zip file containing kmod-xt_ndpi-2.0.3-1.2.g945c09b.ns7.x86_64.rpm which should fix the
“BUG: scheduling while atomic” problem.
Please, download, unzip, install and reboot.
Thank you.


(Giacomo Sanchietti) #12

We have also fixed icons for ndpi inside the Server Manager, these are the related PR with RPMs:


(Markus Neuberger) #13

You caught it! No “BUG: scheduling while atomic” errors anymore.

But I still get this one when starting/restarting shorewall since the cr 7.5 update:

May  3 14:05:37 server kernel: nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
May  3 14:05:37 server kernel: ipt_ULOG: ULOG: fail to register logger.
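
A post-upgrade check for step 3 of the testing procedure and the regressions reported so far (added example, not code from the thread or from NethServer). It counts the kernel and service messages quoted in the posts above and lists expected modules missing from `lsmod` output; the function names, tags and sample inputs are constructed for illustration.

```shell
# Added example, not from the thread. Samples are constructed from lines quoted in the posts.
sample_log() {
cat <<'EOF'
Apr 30 13:25:30 server admin-todos: modinfo: ERROR: Module xt_ndpi not found.
May  1 07:34:44 server systemd[1]: Failed to start Shorewall IPv4 firewall.
May  3 00:07:36 server kernel: BUG: scheduling while atomic: swapper/1/0/0x10000300
May  3 14:05:37 server kernel: nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
May  3 14:05:37 server kernel: ipt_ULOG: ULOG: fail to register logger.
May  3 14:06:01 server systemd[1]: Started Session 12 of user root.
EOF
}

sample_lsmod() {
cat <<'EOF'
Module                  Size  Used by
xt_ndpi               439375  117
nf_conntrack          133053  30
EOF
}

# triage: read syslog lines on stdin, print TAG=count for each known problem
# in a fixed order; exit status is 1 when at least one problem was seen.
triage() {
    awk '
        /modinfo: ERROR: Module .* not found/         { n["MODULE_MISSING"]++ }
        /Failed to start Shorewall/                   { n["FIREWALL_DOWN"]++ }
        /BUG: scheduling while atomic/                { n["KERNEL_BUG"]++ }
        /nf_log: can.t load |fail to register logger/ { n["LOGGER_CONFLICT"]++ }
        END {
            split("MODULE_MISSING FIREWALL_DOWN KERNEL_BUG LOGGER_CONFLICT", tag, " ")
            for (i = 1; i <= 4; i++)
                if (n[tag[i]] > 0) { printf "%s=%d\n", tag[i], n[tag[i]]; bad = 1 }
            exit bad
        }'
}

# missing_modules MOD...: read lsmod output on stdin and print every expected
# module that is not loaded (exact match on the first column), one per line.
missing_modules() {
    loaded=$(awk 'NR > 1 { print $1 }')
    for m in "$@"; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Stand-alone run on the constructed samples; on a real host use /var/log/messages and lsmod.
sample_log | triage || echo "post-upgrade problems found"
sample_lsmod | missing_modules xt_ndpi nfnetlink_log
```

A `FIREWALL_DOWN` hit corresponds to the shorewall start failure reported in post #5, so on a gateway it is the first result to follow up with `systemctl status shorewall`.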

(Filippo Carletti) #14

In my test vm I can’t reproduce the scheduling while atomic bug, but Giacomo has it on his physical machine.

I have this warning too, I’ll work on it soon.


(Markus Neuberger) #15

I got it on a VMWare ESXi 6 VM.


(Giacomo Sanchietti) #16

I’d like to share the list of default changes planned for NS 7.5:

  • Mail server: the nethserver-mail module (based on amavis and spamassassin) will be replaced by nethserver-mail2 based on rspamd
  • TLS policy will be enforced to latest available
  • Server Manager will enforce session expiration: idle 15 minutes, max 8 hours
  • nDPI 1.7 will be replaced with nDPI 2.2
  • Subscription module, along with yum cron, will be installed as default
  • When NS is joined to a DC, the machine password will be stored encrypted only inside the keytab
  • Windows file server page: “Grant full control to the creator” will be the new default
  • Webvirtmgr will be removed (the package has not been maintained for 2 years), the manual will describe how to correctly use NethServer for virtualization
  • Fail2Ban will be part of the core (thanks to @stephdl!)

I’d also like to have the rpm which enables the @mrmarkuz and @stephdl repositories inside the Forge.
This will also prevent problems in case of url changes in the repository infra :wink:


#17

centos 7.5.1804 is now on all mirrors for all architectures… downloading…


(Davide Principi) #18

Software Center is now aware of it :wink:


(Juan Carlos Fernandez) #19

Has anyone tried to update NS7 using its default repo configuration?


(Davide Principi) #20

We are preparing the repositories for NS 7.5.1804 alpha