Definite's Extractor

My findings on Life, Linux, Open Source, and so on.

Category Archives: RHEL

Install Google-Chrome in OpenStack RHEL 7 instances

We have automated tests that require runnable Google Chrome. Yet the Google Chrome kept crashing.

The first encountered is:

libGL error: failed to load driver: swrast
libGL error: Try again with LIBGL_DEBUG=verbose for more details.

This one is easy, install mesa-dri-drivers solved this.

Then cames:

ERROR:sandbox_linux.cc(338)] : InitializeSandbox() called with multiple threads in process gpu-process

My initial guess was SELinux, but journalctl returns nothing about it. After a few hours, I thought, how about firefox? Maybe it helps to set the SELinux and install the missing dependencies? And… Tada, both Firefox and Google Chrome worked. Eventually, I dug out that Google Chrome requires fonts to works. Specifically, liberation-fonts-common and liberation-sans-fonts.

To sum up, following command worked for me:

sudo yum -y install mesa-dri-drivers liberation-fonts-common liberation-sans-fonts

systemd: remember to keep the daemons alive

My sinopia daemon refused to start. After dig out the journal, I found that ExecStop run straight after ExecStart, what the…

After some research, I found that for daemons, or any other program that put themselves at the background, systemd thought they are stopped, thus stop the service for you. To prevent this, you need following in your systemd service file:

[Service]
...
RemainAfterExit=yes

so your daemons can live happily ever after.

The END

nodejs/npm yum repo for EL7

The nodejs and npm in EL7 is too old, so I borrowed the  to latest nodejs spec from  rawhide. Long story short, the result is at:

https://copr.fedorainfracloud.org/coprs/dchen/nodejs/

Please read the disclaimer and do follow the installation instruction if you choose to proceed. I don’t usually put the disclaimer like that but you need to know that:

  1. The build dependency of nodejs include openssl-1.0.2, but EL7 only shipped with 1.0.1, yet nodejs can run with openssl-1.0.1.
  2. openssl-libs is an important package, without it,  yum, curl and rpm URL install won’t work, so restore it is a bit tricky. The instruction is, however, written in the copr page.

Longer story:

To build this copr, following dependencies need to go in as well:

  1. libuv
  2. crypto-policies
  3. openssl-1.0.2

libuv is piece of cake. But crypto-policies and openssl bring the worst packager nightmare: circular dependency. After F23, crypto-policies require openssl-devel to build, yet openssl require crypto-policies to run.

I eventually dug out crypto-policies from F21 and built it, thus broke the circular dependency and finished the build.

RHEL 7 mock build with staff_selinux

By default, mock won’t work with staff_selinux mode in RHEL 7. The instruction from Fedora is mostly correct, but insufficient for staff_selinux. This is because:

  1. /usr/bin/mock is now a sym-link to /usr/bin/consolehelper, thus consolehelper permission should be also allowed.
  2. The Fedora mock policy module does not have the types like staff_consolehelper_t.

There are a lot more reasons, but long story short, I have edited a policy file (PackageMaintainers_MockTricks_mock.te) that should covered the most mock usage. My SELinux skill quickly build up by editing that file. 🙂

Time for script that setup the mock, assuming you are running as root:

# getting dependencies
yum -y install selinux-policy-devel policycoreutils-python mock

# Download policy files
wget https://fedoraproject.org/w/uploads/2/2f/PackageMaintainers_MockTricks_mock.if
wget https://fedoraproject.org/w/uploads/7/73/PackageMaintainers_MockTricks_mock.fc
wget https://dchen.fedorapeople.org/files/PackageMaintainers_MockTricks_mock.te

# Build and install
make -f /usr/share/selinux/devel/Makefile
semodule -i PackageMaintainers_MockTricks_mock.pp

That’s it.

But just in case you are still getting SELinux AVC denials, you can get around yourself by using following scripts:

grep -E -e "(mock|consolehelper)" /var/log/audit/audit.log | audit2allow -M my_mock
semodule -i my_mock.pp

Autostart in lxqt + fluxbox

Now day I start playing with fluxbox, which is light weight, yet surprisingly has excellent feature set. For one, it can remember window location  and  size.

The other window mangers that are capable of window remembering have their own downside:

  • KDE: It is indeed full featured but heavy weight. The other weird thing is it asks password for Calendar in Google Chrome whenever my session start, even I do not intent to use it.
  • Enlightenment: starting from 0.20, they dropped systray (Xembed) support. Basically that means the Network Manager and Input Method indicators are gone.

The fluxbox built-in panel (a.k.a. toolbar) has the basic feature sets which I can live with, but it would be better to have the volume control, battery status and popup calendar when I click on the clock.

First candidate is fbpanel, but it’s popup calendar is block by the panel itself.

Then I found lxqt-panel. It has good feature sets like memory graph. But it fail to find the launcher icons, and “logout” won’t logout you.

At last, I came out with use lxqt as session, but fluxbox as window manager. But the autostart did not seem to work. Luckily, you can use startfluxbox as window manager, and you can put whatever you want to autostart in ~/.fluxbox/startup.

Enjoy.

SELinux for synergy , or generally other tcp/udp services

If you enforcing your SELinux and set your user to non unconfined_u, like either user_u or staff_u. You may found that your synergy or other tcp/udp service stop working. That is because your role cannot listen the ports that your services required.

To allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users), run:

sudo setsebool selinuxuser_tcp_server 1

and for UDP:

sudo setsebool selinuxuser_udp_server 1

Reference:

  1. user SELinux Policy documentation (8)

Enlightenment 0.19.9 and EFL 1.15.1 is ready for RHEL and CentOS 7

I have update the Enlightenment E19 to

  • enlightenment-0.19.9
  • efl-1.15.1
  • elementry-1.15.1

And packages that depend on efl are rebuilt.

In my enlightenment repo, I also put xscreensaver and required dependency.

Note that the packages I built supports neither wayland nor SCIM.

Enlightenment E19 on RHEL 7

I quite like Enlightenment and Terminology. However, they are not available on RHEL 7.

Thus I’ve made a copr repo  for RHEL7.

Note that I disable couples of things to make it work in RHEL 7.

  • Wayland support: See https://bugzilla.redhat.com/show_bug.cgi?id=1214597
  • SCIM: I don’t want to port SCIM in RHEL 7, normally you can use IBus for input methods.
  • vlc: This cannot be in copr, nor do I have time to build it.
    It is a pity, as you won’t able to see some fancy features provided by EFL filemanager and terminology.

synergy-1.6.2-1 for RHEL/CentOS 7

If you want to install synergy-1.6.2 on RHEL 7,  it is in my EPEL Collection. Use following script to install it As root:

cd /etc/yum.repos.d/
wget https://repos.fedorapeople.org/repos/dchen/epel-collection/epel-epel-collection.repo
yum -y install synergy

That’s it.

HOWTO: Block Google to simulate the Google-less environment

Some Chinese Zanata users report they cannot use Zanata in China.

In order to simulate the environment, I run following script:

iptables -I INPUT -s 64.233.160.0/16 -j DROP
iptables -I INPUT -s 66.249.64.0/16 -j DROP
iptables -I INPUT -s 72.14.192.0/16 -j DROP
iptables -I INPUT -s 74.125.0.0/16 -j DROP
iptables -I INPUT -s 209.85.128.0/16 -j DROP
iptables -I INPUT -s 216.58.0.0/16 -j DROP
iptables -I INPUT -s 216.239.32.0/16 -j DROP

Since I just want a quick environment to simulate the Google-less users, nor do I obtained the exact blocked IP ranges,  I did not spend much time on fixing false positive and false negative of these IP ranges.  So do check whether your web services are fallen with in the range before you test it.

Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1186084