[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
Michael H
michael at wemoto.com
Wed Feb 17 14:46:34 UTC 2016
On 17/02/16 14:39, Johnny Hughes wrote:
> On 02/17/2016 08:10 AM, Michael H wrote:
>>> The easy answer is yes .. glibc requires so many things to be
>>> restarted, that is the best bet. Or certainly the easiest.
>>>
>>> Note: in CentOS 7, there is also a kernel update which is rated
>>> as Important .. so you should boot to that anyway:
>>> https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html
>>>
>>> Here is a good link to figure out what to restart if you don't want to
>>> reboot:
>>>
>>> https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/
>>>
>>> and there is this thread:
>>> http://markmail.org/message/dodinyrhwgey35mh
>>>
>>> But generally, after a glibc update or a kernel update ..
>>> rebooting is easiest and it ensures everything is protected.
>>
>> Wow, so, I updated my server (yum update -y) which applied a new
>> kernel and the new glibc among other things. After the update
>> completed it knocked my master postgresql database offline.
>>
>>
>> Feb 17 13:46:11 db1 systemd: Starting PostgreSQL database server...
>> Feb 17 13:46:11 db1 pg_ctl: LOG: invalid value for parameter "max_stack_depth": 16384
>> Feb 17 13:46:11 db1 pg_ctl: DETAIL: "max_stack_depth" must not exceed 7680kB.
>> Feb 17 13:46:11 db1 pg_ctl: HINT: Increase the platform's stack depth limit via "ulimit -s" or local equivalent.
>> Feb 17 13:46:11 db1 pg_ctl: FATAL: configuration file "/var/lib/pgsql/data/postgresql.conf" contains errors
>> Feb 17 13:46:16 db1 pg_ctl: pg_ctl: could not start server
>> Feb 17 13:46:16 db1 pg_ctl: Examine the log output.
>> Feb 17 13:46:16 db1 systemd: postgresql.service: control process exited, code=exited status=1
>> Feb 17 13:46:16 db1 systemd: Failed to start PostgreSQL database server.
>> Feb 17 13:46:16 db1 systemd: Unit postgresql.service entered failed state.
>> Feb 17 13:46:16 db1 systemd: postgresql.service failed.
>>
>>
>> I have kernel parameters specified in /etc/sysctl.conf
>>
>> vm.swappiness=0
>> vm.overcommit_memory=2
>> vm.overcommit_ratio=90
>> kernel.shmmax=35433480192
>> kernel.shmall=8650752
>>
>> After the update my postgresql service could not start because
>> these parameters had been reset, so I promptly rebooted the server to
>> re-apply them.
>>
>> Has something changed?!? After a reboot the service still
>> complained that my max_stack_depth was too high because kernel
>> shmmax and shmall were too low, with the same error shown above.
>>
>> [root at db1 ~]# ulimit -a
>> core file size          (blocks, -c) 0
>> data seg size           (kbytes, -d) unlimited
>> scheduling priority             (-e) 0
>> file size               (blocks, -f) unlimited
>> pending signals                 (-i) 514616
>> max locked memory       (kbytes, -l) 64
>> max memory size         (kbytes, -m) unlimited
>> open files                      (-n) 1024
>> pipe size            (512 bytes, -p) 8
>> POSIX message queues     (bytes, -q) 819200
>> real-time priority              (-r) 0
>> stack size              (kbytes, -s) 8192
>> cpu time               (seconds, -t) unlimited
>> max user processes              (-u) 514616
>> virtual memory          (kbytes, -v) unlimited
>> file locks                      (-x) unlimited
>>
>> This confirms that my entries in /etc/sysctl.conf were ignored.
>>
>> Why would these not work anymore?
>>
>> Are the parameters specified elsewhere now?
>>
>> any information would be very helpful!
>>
>> Thanks
>>
>> Michael (slightly more grey now)
>
> Since you are talking about SystemD .. I assume c7.
>
> In c7 .. there is a symlink from /etc/sysctl.d/99-sysctl.conf to
> /etc/sysctl.conf
>
> Have you verified your sysctl.conf actually contains those settings
> still?
Contents are still intact.
>
> Your best bet on CentOS-7 is to create a new file in
> /etc/sysctl.d/ called something like 99-postgres.conf and put your
> mods in there. That way it will never change.
>
> Also .. verify all the files in /etc/sysctl.d/ and /etc/sysctl.conf
> are set to this label for selinux:
>
> unconfined_u:object_r:etc_t:s0
# ll -dZ /etc/sysctl.d
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc/sysctl.d
# ll -Z /etc/sysctl.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf
I tried restorecon -Frv /etc/sysctl* to no avail.
Should I manually re-label these or is this an issue with the
selinux-policy package having the incorrect defaults?
>
> See this for labeling: red.ht/1ooTpiI
>
> But, /etc/sysctl.conf should still work in centos-7.
Thanks,
Michael
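Two checks the thread leads to, as an added shell example (not code from the list, from systemd or from PostgreSQL): a re-implementation of the merge order sysctl.d(5) describes (every *.conf applied in lexical order of file name, later keys overriding earlier ones, and a file in an earlier directory such as /etc/sysctl.d masking a same-named file in a later one such as /usr/lib/sysctl.d), run over a constructed temporary tree so it touches nothing on the host, plus the arithmetic PostgreSQL applies to max_stack_depth against the stack rlimit. The file names and values in the demo tree are constructed, apart from the five lines from Michael's sysctl.conf; the 512kB margin is the difference between the 8192kB stack size in his ulimit output and the 7680kB ceiling in the log.

```shell
#!/bin/sh
# Added example for this thread; not code from the CentOS list, systemd or PostgreSQL.
# Nothing here changes the running kernel: the demo writes only a temporary directory.

# sysctl_effective DIR...  -> "key = value" lines as systemd-sysctl would settle them.
# Directories are given in precedence order (e.g. /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d).
sysctl_effective() {
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] && printf '%s\t%s\n' "${f##*/}" "$f"   # -f follows symlinks (99-sysctl.conf)
        done
    done |
    awk -F '\t' '!seen[$1]++' |                       # first directory that has a given name masks the rest
    sort -t "$(printf '\t')" -k1,1 |                  # then apply in lexical order of file name
    while IFS="$(printf '\t')" read -r name path; do cat "$path"; printf '\n'; done |
    awk '
        /^[[:space:]]*$/    { next }                  # blank lines
        /^[[:space:]]*[#;]/ { next }                  # comments
        {
            line = $0
            sub(/^[[:space:]]*-?[[:space:]]*/, "", line)   # leading "-" only means "ignore errors"
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub("/", ".", key)                       # kernel/shmall and kernel.shmall are one key
            value[key] = val                          # last writer wins
        }
        END { for (k in value) print k " = " value[k] }
    ' | sort
}

# effective_value ROOT KEY -> the value KEY ends up with under ROOT/etc, ROOT/run and ROOT/usr/lib
effective_value() {
    sysctl_effective "$1/etc/sysctl.d" "$1/run/sysctl.d" "$1/usr/lib/sysctl.d" |
    awk -v k="$2" -F ' = ' '$1 == k { print $2 }'
}

# build_demo_tree -> path of a constructed tree mimicking a CentOS 7 layout (values are made up,
# except the five lines taken from the sysctl.conf quoted in the thread)
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'vm.swappiness = 60\nvm.overcommit_memory = 0\n' > "$root/usr/lib/sysctl.d/50-vendor.conf"
    printf 'kernel.shmmax = 4294967295\n'                  > "$root/usr/lib/sysctl.d/90-tuning.conf"
    # same name under /etc: the vendor copy is masked entirely, not merged
    printf 'kernel.shmmax = 17179869184\n'                 > "$root/etc/sysctl.d/90-tuning.conf"
    # the drop-in Johnny suggests, holding the thread's settings
    printf '%s\n' 'vm.swappiness=0' 'vm.overcommit_memory=2' 'vm.overcommit_ratio=90' \
                  'kernel.shmmax=35433480192' 'kernel.shmall=8650752' > "$root/etc/sysctl.d/99-postgres.conf"
    # CentOS 7 reaches /etc/sysctl.conf through the 99-sysctl.conf symlink, so it sorts after 99-postgres.conf
    printf '# legacy file\n-net.ipv4.ip_forward = 0\n' > "$root/etc/sysctl.conf"
    ln -s ../sysctl.conf "$root/etc/sysctl.d/99-sysctl.conf"
    printf '%s\n' "$root"
}

# pg_stack_ok STACK_KB MAX_STACK_DEPTH_KB -> 0 when PostgreSQL would accept the setting.
# The server refuses max_stack_depth above the stack rlimit minus a 512kB safety margin,
# which is the "must not exceed 7680kB" in the thread (8192kB - 512kB).
pg_stack_ok() {
    [ "$2" -le $(( $1 - 512 )) ]
}

main() {
    root=$(build_demo_tree)
    echo "effective settings for the demo tree:"
    sysctl_effective "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"
    rm -rf "$root"
    if pg_stack_ok 8192 16384; then
        echo "max_stack_depth=16384kB fits an 8192kB stack"
    else
        echo "max_stack_depth=16384kB is rejected with an 8192kB stack: raise the service's stack rlimit or lower the setting"
    fi
}
main
```

On a real host, `sysctl_effective /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d` (in the order sysctl.d(5) gives) shows what systemd-sysctl will settle on, which is quicker than reading each file and guessing the precedence. Two caveats follow from the log itself: the ceiling on max_stack_depth comes from the stack rlimit, which shmmax and shmall do not influence, and for a unit started by systemd that rlimit is whatever the unit's LimitSTACK= (or systemd's default) gives the service, not the value a root login shell prints from `ulimit -a`; `systemctl show postgresql -p LimitSTACK` reports the one that applies.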