Warning: This article is work in progress.

Apache is by far the most popular web server and powers the majority of sites on the internet. Linux distributions have made it so easy to install and run a LAMP stack that the majority of administrators tend to ignore security implications of running on out of the box settings. While these settings will work for most installations, running an enterprise stack is a different story. I have recently configured such a stack running on RHEL 6.2 powered by Apache, PHP and Oracle. While this is not a step by step guide, I have made extensive notes which can be reused if you need to harden your installation.

RHEL 6.2 setup

Since I run an array of virtualized KVM servers, I am using SAN storage for live migration scenarios but the usual partitioning rules applies. If you don’t run a NAS or SAN setup consider using at least RAID 1 with fast disks (storage is so cheap nowadays). I would at a minimum recommend the following partitions:

/boot
/var
/tmp
/
Swap = 1.5 times available memory

Make sure you set a grub password when installing the boot-loader.

If you plan to run Soft Raid which works quite well and I would recommend it over FakeRaid. Do not use FakeRaid under Linux, disable it in the BIOS and save yourself future headaches. Soft Raid works so well under RHEL6, I saw a lot of blocked/hung processes in RHEL5.5 and later versions after support for detecting hung tasks was introduced but under the latest and greatest OS no issues.

Note: If you setup RAID 1 remember to run the grub setup and install the boot-loader on both drives so that you can still boot should one of drives fail. A typical example would be:

grub
device (hd0) /dev/sda
device (hd1) /dev/sdb
root (hd0,5)
setup (hd0)
root (hd1,5)
setup (hd1)
quit

Software Installation

It is good practice to install the minimum required packages and most experienced administrators will also have no GUI on a server. If you can manage your sever this way choose the minimal option during the software selection process. After the install is complete you can fire up yum and install your lamp stack. Even though I don’t run a GUI on the server there is the famous setup-tool which I like to keep as this is a quick way of tuning ntsysv services and adding firewall rules. So let’s install these ncurses based utilities which I am going to miss with the introduction of systemd which is nevertheless a great tool and speeds up boot time.

yum -y install setup setuptool ntsysv system-config-firewall-tui system-config-network-tui system-config-firewall-base

Note: If you need to export the display and run remote applications locally you should also install the following packages:

yum -y install xorg-x11-xauth xorg-x11-fonts*

Some fonts are old and not really needed but if you run Oracle you will find them useful.

Now you can install the apache and php modules you require. I will not cover these as it is dependent on your application. You should now have all the required software installed so let’s have a look at what we need to secure.

Updates and Patches

Now that the required software is installed make sure you apply the latest updates and patches by running: yum -y update && reboot as a new kernel will most likely be installed.

Boot-loader

You should have setup a boot-loader password during the installation.

Root Account/SSH Login

You should create a normal user account (with a strong password) and disable root login so that you have accountability and use su – when you need elevated privileges.

Edit /etc/ssh/sshd_config with your favorite editor and change PermitRootLogin yes to PermitRootLogin no

It is also good practice to add your keys to the authorized list on the server and use password less logins. From your own machines issue:

$ssh-copy-id -i user@server_name

Replace user with your user account and server_name with your server name or fqdn of the server. Now ssh to the server and you should be immediately logged in without being prompted for a password.

SELinux

Most people turn off SELinux because they simply don’t understand the layer of security it provides but if you take some time to read and learn how to operate it might just save your job one of these days when you mis-configure a service. So let’s enable SELinux in Enforcing mode:

Get the current status

[root@whizz ~]# getenforce Enforcing

If it returns permissive instead edit /etc/selinux/config and change SELINUX=permissive to SELINUX=enforcing

We should now relabel the file-system to make sure that all files have the proper contexts, so touch /.autorelabel to create a .autorelabel file in / so that at the next reboot the system relabels all files properly.

System Services

If you chose to install the setup-tool you can now type setup and navigate to System Services to tun off all services you do not require. Once done you can reboot your machine so that these services are disabled and your file-system gets relabelled properly.

Firewall

Make sure your firewall (iptables) is turned on and you allow only the ports required by the services you run.

The above should be part of your best practices for server security. Now that the system is secured we can look at application security.

Apache

Edit the /etc/httpd/conf/httpd.conf  to start securing your web-server:

ServerTokens Prod

This configures Apache to return only Apache as product in the server response header on very page request, suppressing OS, major and minor version info

TraceEnable off

This will causes apache to return a 403 FORBIDDEN error to the client when TRACE / HTTP/1.0 is executed on the server. You can test by telnet(ing) to the server on port 80 and then type TRACE / HTTP/1.0.

KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3

While these options are more useful for performance tuning, having them turned on can reduce stress on the server.

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

You should comment the WebDAV modules as most people don’t really use it and my security scanner gives me red warnings when enabled. If you don’t know what WebDav is, then you probably don’t need it.

ServerAdmin acaleechun@gnulinux.mu

You should setup an email address which will be displayed when something goes wrong and the user is asked to contact the administrator. Cause a server misconfiguration (Error 500) and you will see what I mean.

ServerName www.gnulinux.mu:80

Your server name as it appears to the WWW.

Options -Indexes FollowSymLinks
AllowOverride None

Disable indexes to prevent people from trying to browse your directories and minus to FollowSymLinks if you don’t use mod_rewrite and want apache not to follow symlinks. AllowOverride should be set to None unless you need to use an access file in which case you need to specify AllowOverride All

LogFormat “%h %l %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\” \”%{X-Forwarded-For}i\”" common
CustomLog logs/access_log combined

I also change the logging syntax to ensure that maximum information is recorded including the real IP address (X-Forwarded-For) as I use a load balancer.

ServerSignature Off

This hides the apache signature making it hard for crackers to find exploits against the exact version of your server. Running generic attacks against your server gives you time to record and ban offending IP addresses.

PHP (5.3.x)

All php directives are well documented in the php.ini file so take some time to read them and don’t blindly change the values.

short_open_tag = Off

disable_functions=exec,passthru,shell_exec,system,proc_open,
popen,curl_multi_exec,parse_ini_file,show_source

expose_php = Off

max_execution_time = 30

max_input_time = 60

memory_limit = 128M

post_max_size = 256K

file_uploads = Off

upload_tmp_dir = /var/lib/php/uploads

upload_max_filesize = 256K

allow_url_fopen = Off

allow_url_include = Off

date.timezone = Indian/Mauritius

Kernel Parameters (sysctl.conf)

#Control TCP Timestamps
net.ipv4.tcp_timestamps = 0

These notes were taken well after the system was installed so I will revisit the setup, do a diff on the config files and update the notes as needed till it is completely usable

How does Abobe consitently manage to shoot itself in the foot?  According to a blog post by Adobe, after the 11.2 release, Flash Player for Linux will only be available through a new “Pepper” API as a part of Google Chrome, and won’t be available as a separate download any-more. However, Adobe will continue to offer security updates for Flash Player 11.2 for Linux for five years.

Mozilla is not interested in or working on Pepper at this time as per their wiki. But even if Mozilla changes its mind, the post on Adobe’s website says that Flash will be bundled with Google Chrome only.

At this point, Mozilla’s options are to use an alternative or hope that in 5 years, Flash won’t matter and HTML5 will be used pretty much everywhere.

I haven’t written anything during the past two months and I could easily blame it on the work I’ve been doing but the truth is that I’ve been lazy. During this time there has been a few releases that I should be tracking (as a matter of fact I am on production server but not on this blog) so let’s see what has popped out of the box:

13th of September: The 7th update from CentOS (5.7) – http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.7

1-3rd of November: oVirt is released following the workshops and the official release is scheduled for the 31st January 2012

8th of November: Fedora 16 is released – http://docs.fedoraproject.org/en-US/Fedora/16/html/Release_Notes/

6th of December: Red Hat releases the second update to Red Hat Enterprise Linux 6 (6.2)

9th of December: CentOS releases the first long awaited update to CentOS 6 (6.1) – http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.1

16th of December: Red Hat announces the availability of Red Hat Enterprise Linux 5.8 Beta

What’s missing?

Spacewalk seems to have missed the roadmap release (Wiki is experiencing some issues so I can’t confirm the dates)

Red Hat Enterprise Virtualization Beta 3 is now available for download and this definitely worth a try if you have used the previous version with Windows components. It includes rewritten components in Java and major improvements to the Spice protocol.

CentOS 6.2: Yes you’ve read properly CentOS 6.2 is currently 99% complete and in QA so expect the release to happen within a few days. If you’re wondering how come the release is tailing CentOS 6.1 which just got released or why 6.0 and 6.1 took such a long time to come out read What happened to 6.1

You must have also noted that I haven’t got any posts on setting up a perfect desktop under Fedora 15 or Fedora 16 and the reason is the shift to the Gnome 3 desktop. I won’t rant too much about Gnome 3 as there are enough posts complaining about how Gnome developers think that the average Joe is an idiot and needs a completely new desktop interface to work. I’ve never felt so unproductive with a Gnome desktop, while the shell extensions and tweak tool makes life a bit easier I still can’t work properly but I have set-up Fedora 16 on a separate laptop  to give it another chance.

One nice tool you may want to look at if you wish to simplify the set-up of a desktop under Fedora 16 is Fedora Utils. As the project mentions you can easily install codecs and additional software, fix problems, tweak and clean up your system, view system information and much more with just few clicks.

Update

1) As of today (21st of December) CentOS 6.2 has been released – http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.2 . As usual the best place to start when looking for help with CentOS is at the wiki ( http://wiki.centos.org/GettingHelp ) which lists various options and communities who might be able to help. If you think there is a bug in the system, do report it at http://bugs.centos.org – but keep in mind that the bugs system is *not* a support mechanism.

A big thank you to the CentOS team who contributed towards making 6.2, specially the enormous effort put in by everyone on the QA team – right on the heels of the 6.1 release. And the excellent work being done on the test-automation.

Downloading CentOS-6.2 for new installs:

When possible, consider using torrents to run the downloads. In most cases you will find its also the fastest means to download the distro. There are currently over a thousand  people seeding CentOS-6 and it’s possible to get upto 400mbps downloads via these torrents.

Torrent files for the DVD’s are available at :
http://mirror.centos.org/centos/6.2/isos/i386/CentOS-6.2-i386-bin-DVD1to2.torrent
http://mirror.centos.org/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-bin-DVD1to2.torrent

2) As of today, the 22nd of December Spacewalk 1.6 has been released with IPv6 Server/client support, Fedora 16 server/client and much more. You can read the release notes at https://fedorahosted.org/spacewalk/wiki/ReleaseNotes16

Please sign our statement to show your support!

Microsoft has announced that if computer makers wish to distribute machines with the Windows 8 compatibility logo, they will have to implement a measure called “Secure Boot.” Secure Boot is designed to protect against malware by preventing computers from loading unauthorized binary programs when booting. In practice, this means that computers implementing it won’t boot unauthorized operating systems — including initially authorized systems that have been modified without being re-approved.

This could be a feature, as long as the user is able to authorize the programs she wants to use, so she can run free software written and modified by herself or people she trusts. However, we are concerned that Microsoft and hardware manufacturers will implement so-called Secure Boot in a way that will prevent users from booting anything other than Windows. In this case, the requirement is a restriction on the user, not a security feature at all.

The potential restricted boot requirement comes as part of a specification called the Unified Extensible Firmware Interface (UEFI), which defines an interface between computer hardware and the software it runs. It is software that allows your computer to boot, and it is intended to replace the traditional BIOS. Most Lenovo, HP, and Dell computers ship with UEFI, and other manufacturers are not far behind. All Apple computers ship with EFI and components from UEFI. When booting, this software starts a chain which, using a public key cryptography-based authentication protocol, can check your operating system’s kernel and other components to make sure they have not been modified in unauthorized ways. If the components fail the check, then the computer won’t boot.

The threat is not the UEFI specification itself, but in how computer manufacturers choose to implement the boot restrictions. Depending on a manufacturer’s implementation, they could lock users out of their own computers, preventing them from ever booting into or installing a free software operating system.

It is essential that manufacturers get their implementation of UEFI right. To respect user freedom and truly protect user security, they must either allow computer owners to disable the boot restrictions, or provide a sure-fire way for them to install and run a free software operating system of their choice. Computer owners must not be required to seek external authorization to exercise their freedoms.

The alternative is frightening and unacceptable: users would have to go through complicated and risky measures to circumvent the restrictions; the popular trend of reviving old hardware with GNU/Linux would come to an end, causing more hardware to be tossed in landfills; and proprietary operating system companies would gain a giant advantage over the free software movement, because of their connections with manufacturers.

We will be monitoring developments in this area closely, and actively campaigning to make sure this important freedom is protected. Our first step is to demonstrate that people value this freedom, and will not purchase or recommend computers that attempt to restrict it.

Please sign our statement to show your support!

Matt Lee (FSF campaigns manager)

It was just a matter of time for those familiar with Red Hat acquisitions and their long history of walking the open source way. The right time has now come for those who want to try RHEV and see what it is like, without engaging in a proof of concept project with Red Hat’s sales team with oVirt. The project has been seeded with assets from Red Hat by open sourcing it’s virtualization management software (RHEV), and from partners, customers, and competitors to build an open virtualization community to enable the growth and adoption of open virtualization solutions. oVirt will be launched with a workshop November 1st – 3rd so watch out.

I’ve been working on setting up Spacewalk 1.4 on CentOS 6 to have a shiny new deployment server for my company and it has been a bumpy ride to get everything working correctly. Most of the instructions from the Spacewalk wiki are reusable for CentOS 6 and it is also a good idea to follow some of the steps from the CentOS Spacewalk HowTos if you want to import the ISO images and set-up custom channels.

I made a few notes that might be helpful to someone else:

Installation

I did an initial installation with Oracle 11gR2 and the OracleXE. Oracle 11gR2 has no issues but with OracleXE if your time zone is set to Indian/Mauritius or GMT +4, when you start Spacewalk you get a blank screen and a quick look at /var/log/tomcat/catalina.out will display ORA errors related to the time zone. Just change the time zone to GMT, restart Spacewalk and you should see the user account creation page. You can adjust the time zone under Preferences — Local Preferences. If someone has found another workaround for this bug, please let me know.

Channels/Activation Keys and Configuration Management works like a charm.

Distributions and Kickstarts

These items caused some issues I have never seen with Spacewalk. Importing ISO images and setting up distributions work as expected but the actual Kickstarts (Anaconda) causes some serious issues.

CentOS 5: python-ethtool is missing from the Spacewalk client tools so I have downloaded it from EPEL5 and pushed it into the Spacewalk client tools custom channel I have set-up.

There is also a dependency on python-hashlib which is also available from EPEL5. I have created a custom channel which is a child channel of CentOS 5 and uploaded (rhnpush) the package for the kickstart to complete without errors and register the system. Remember the Spacewalk client Tools and EPEL channel for the missing packages must be child channels and made available to Anaconda during install time to avoid Kickstart failures.

You will also notice that Spacewalk refuses to install client tools from it’s own repository if you follow the tutorial on the CentOS Spacewalk HowTos. This happens because by default Spacewalk will refuse to distribute unsigned packages and for some strange reason the packages in the repositories have been signed by the RPM-GPG-KEY-spacewalk-2010 instead of RPM-GPG-KEY-spacewalk as described in the CentOS wiki:

wget http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
mv RPM-GPG-KEY-spacewalk /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk

The correct key to import should be:

wget http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk-2010
mv RPM-GPG-KEY-spacewalk /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2010
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk-2010

Make sure you enable the Key (GPG) in the Kickstart or the install will be incomplete and you will need to manually import the key.

CentOS 6: All packages are present in the repositories so importing the client channel should be good enough. However the install will not complete if you select the Installer Generation as Red Hat Enterprise 6. Anaconda just freaks out and will not continue. I have filed a bug report so let’s see what comes out of it.

Description of problem: The CentOS 6 installer fails to download the install.img during the install. A check on /var/log/tomcat6/catalina.out shows 404 errors. Changing the Installer Generation to Red Hat Enterprise Linux 5 allows the install to proceed and complete successfully. RHEL 6 and CentOS 5.6 using the same method works which bothers me. So if the installer generation is set to Red Hat Enterprise Linux 5 or Fedora the Kickstart will complete successfully.

The most annoying issue I have come across till now is related to partitioning. I did a mass deployment of RHEL 6 Servers using Spacewalk 1.3 on CentOS 5.5 a few months back and it worked flawlessly. I had a look at one of my previous Kickstarts and I do remember using the grow option with partitions. Below is an extract:

 bootloader --location mbr --driveorder=sda,sdb
 zerombr
 clearpart --all
 part raid.01 --size=500 --ondisk=sda
 part raid.02 --size=500 --ondisk=sdb
 part raid.03 --size=10240 --ondisk=sda
 part raid.04 --size=10240 --ondisk=sdb
 part raid.05 --size=10240 --ondisk=sda
 part raid.06 --size=10240 --ondisk=sdb
 part raid.07 --size=10240 --ondisk=sda
 part raid.08 --size=10240 --ondisk=sdb
 part raid.09 --grow --size=10240 --ondisk=sda
 part raid.10 --grow --size=10240 --ondisk=sdb
 part swap --size=8192 --ondisk=sda
 part swap --size=8192 --ondisk=sdb
 raid / --fstype=ext4 --level=1 --device=md3 raid.07 raid.08
 raid /boot --fstype=ext4 --level=1 --device=md0 raid.01 raid.02
 raid /tmp --fstype=ext4 --level=1 --device=md2 raid.05 raid.06
 raid /var --fstype=ext4 --level=1 --device=md1 raid.03 raid.04
 raid /opt --fstype=ext4 --level=1 --device=md4 raid.09 raid.10

While this Kickstart works flawlessly on RHEL6/CentOS6 the following slightly modified scheme to include LVM fails and it took me a while to figure out why, as I kept searching for errors in the partitioning scheme instead of looking at the traceback message

 clearpart --drives=sda,sdb --initlabel
 # Raid 1 SATA config
 part swap --size=8192 --ondisk=sda
 part raid.01 --size 500 --asprimary --ondrive=sda
 part raid.02 --size 200 --grow --ondrive=sda  part swap --size=8192 --ondisk=sdb
 part raid.03 --size 500 --asprimary --ondrive=sdb
 part raid.04 --size 200  --grow --ondrive=sdb  raid /boot --fstype ext4 --device md0 --level=RAID1 raid.01 raid.03
 raid pv.01 --fstype ext4 --device md1 --level=RAID1 raid.02 raid.04
 # LVM configuration
 volgroup sysvg pv.01
 logvol /var  --vgname=sysvg  --size=10240 --name=var
 logvol /tmp  --vgname=sysvg  --size=10240 --name=temp
 logvol / --vgname=sysvg  --size=10240 --name=root

No matter what size I set the logical volumes, Anaconda came up with a traceback error indicating that there was no free space to allocate the logical volumes. It took me a while to realize that the grow option was not working as per the first kickstart and the volume created was only 200MB even though the Red Hat Official documentation for RHEL6 states that the following works:

clearpart --drives=hda,hdc --initlabel
# Raid 1 IDE config
part raid.11    --size 1000     --asprimary     --ondrive=hda
part raid.12    --size 1000     --asprimary     --ondrive=hda
part raid.13    --size 2000     --asprimary     --ondrive=hda
part raid.14    --size 8000                     --ondrive=hda
part raid.15 --size 1 --grow --ondrive=hda
part raid.21    --size 1000     --asprimary     --ondrive=hdc
part raid.22    --size 1000     --asprimary     --ondrive=hdc
part raid.23    --size 2000     --asprimary     --ondrive=hdc
part raid.24    --size 8000                     --ondrive=hdc
part raid.25 --size 1 --grow --ondrive=hdc  

# You can add --spares=x
raid /          --fstype ext3 --device md0 --level=RAID1 raid.11 raid.21
raid /safe      --fstype ext3 --device md1 --level=RAID1 raid.12 raid.22
raid swap       --fstype swap --device md2 --level=RAID1 raid.13 raid.23
raid /usr       --fstype ext3 --device md3 --level=RAID1 raid.14 raid.24
raid pv.01      --fstype ext3 --device md4 --level=RAID1 raid.15 raid.25  

# LVM configuration so that we can resize /var and /usr/local later
volgroup sysvg pv.01
logvol /var             --vgname=sysvg  --size=8000     --name=var
logvol /var/freespace   --vgname=sysvg  --size=8000     --name=freespacetouse
logvol /usr/local       --vgname=sysvg  --size=1 --grow --name=usrlocal

So no matter if you use RHEL 6 or CentOS 6 the Kickstart fails unless you allocate an initial size which is equal or greater than the total size of the logical volumes. In my case the following worked.

 # Raid 1 SATA config
 part swap --size=8192 --ondisk=sda
 part raid.01 --size 500 --asprimary --ondrive=sda
 part raid.02 --size 40960 --grow --ondrive=sda

 part swap --size=8192 --ondisk=sdb
 part raid.03 --size 500 --asprimary --ondrive=sdb
 part raid.04 --size 40960 --grow --ondrive=sdb

Registration: There are some minor changes that affect the way packages are described in the Kickstarts.

On CentOS 5 I used to simply specify @ base and enable Configuration Management which would include the rhncfg-* tools and register the system with Spacewalk.

Below are the rhncfg-* tools that are added automatically when Configuration Management is enabled.

Under CentOS 6 unless I explicitly include rhn-setup, rhn-check and some dependencies (not really needed) the Kickstart installs correctly but ignores completely the registration process and does not install the rhn-tools.

There has been talks about why the spacewalk tools have been removed (again) from CentOS 6 and I really hope Karanbir does not remove them in the upcoming CentOS 6.1 release as this would greatly simplify the setup/registration of CentOS clients with Spacewalk.

Despite these issues, I still consider Spacewalk as one of the best tools available and of course CentOS 6 has just been released so extensive QA has not yet been done. Spacewalk 1.5 is lurking around so I expect things to get stable pretty soon. If you’re interested on setting up Spacewalk on CentOS 6 you should watch the official wiki and the CentOS wiki which most of the time provides much better documentation that the official site.

Update 21/07/2011

Spacewalk 1.5 has been released with a change set of:

• 81 bugs solved
• 624 changesets committed
• 904 commits done

So a lot of the issues described above may have been solved.

The Anaconda issue with RAID devices not working with –grow option has been reported since Fedora 14 and mind you it is not a bug. A bright mind has decided that –grow option is not a needed/supported feature and removed it. See bug 649768, a few people have asked clarifications as to why the feature is no more supported but no reply.

CentOS 6 release is in progress. The internal mirrors will now be opening up for external mirrors to sync from. This may take up to a couple of hours to propagate throughout the system, so external mirrors should start seeing the 6.0 soon.

Update: Links have started appearing in the wild, if you want to download through torrents use the following links and please help seed

http://burnbit.com/torrent/172773/CentOS_6_0_x86_64_bin_DVD1_iso

• Torrent Hash : 97725ad6e936ca9975444c56aab5cabcf2d75932

http://burnbit.com/torrent/172792/CentOS_6_0_x86_64_bin_DVD2_iso

• Torrent Hash : f2cae43709b931107aaa692794d8dfb0739e648d

Direct DVD links @ http://www.stargatenetworks.net/centos/6.0/isos/x86_64/

One note of caution if you download before the “bitflip” is lifted (open to public download) as per the mailing list.

If you download using torrents you can easily update the ISO using the new link if it is reissued but if you download ISO images you will need to re-download the whole image.

Sun Jul 10 14:51:21 EDT 2011

CentOS announces the immediate availability of CentOS-6.0 for i386 and x86_64 Architectures.

Some major changes to note are as follows:

All upstream repositories have been combined into one, to make it easier for end users to work with.

There are no CD images being released with CentOS-6, however there are some CD variants in the pipeline.

Since upstream (Red Hat) has a 6.1 version already released, CentOS will be using a Continous Release repository for 6.0 to bring all 6.1 and post 6.1 security updates to all 6.0 users, till such time as CentOS-6.1 is released itself. There will be more details about this posted within the next 48 hours.

LiveCDs and LiveDVDs for i386 and x86_64 will be released within the next few days. These will bring in the ability to directly install from the livemedia.

CentOS is working on a minimal install CD, that would bring up a base machine with just enough content to have a usable platform. This CD image will be released in the next few days.

In order to bring back the CentOS-4 Server CD style single iso image, CentOS is working on a LWS (Light Weight Server) varient of the main distro. Details for this will be posted in the next few days with release happening after the live media and the minimal cd editions.

There are some important changes to this release compared with the previous versions of CentOS and it is highly recommend to consult Release Notes at http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.0

Downloading CentOS-6.0 for new installs:

When possible, consider using torrents to run the downloads. In most cases you will find its also the fastest means to download the distro. There are currently over a thousand people seeding CentOS-6 and it’s possible to get upto 100mbps downloads via these torrents.

Torrent files for the DVD’s are avilable at :

http://mirror.centos.org/centos/6.0/isos/i386/CentOS-6.0-i386-bin-DVD.torrent

http://mirror.centos.org/centos/6.0/isos/x86_64/CentOS-6.0-x86_64-bin-DVD.torrent

You can also use a mirror close to you :

http://www.centos.org/modules/tinycontent/index.php?id=30

And remember if you downloaded any content before the official announcement was made you have to verify the checksums of your ISOs (even if both DVDs install correctly) and correct them if any discrepancies are found. It is quite easy to do so, just download the official torrent and un-check the  ISOs from the list of files to be downloaded. Once the checksums have been downloaded into the correct folder, move your existing ISOs into the folder, mark the ISOs that you had previously un-checked for download. Verify the Local Data and the torrent client should pick up any difference and reuse much/most of the existing content.

P.S: I am using Transmission as my torrent client.

Congratulations to the CentOS team, it has been a very long wait…

I was baffled this morning when I got an email from the Open Source Software National Observatory (http://www.cenatic.es/) regarding a copyright infringement case sworn at the Supreme Court of Mauritius.

The plaintiff is a company called Linux Solutions Ltd. It seems to be covering an alleged breach of an NDA between a contracted freelancing developer and Linux Solutions. That contractor (the defendant) has apparently published some of the work he had done while contracting for the plaintiff.

While none of that seems to be clearly connected with the GPL, what is extremely disturbing is the sworn affidavit / oath by one of the executives of the plaintiff. Some extracts state:

5. Licenses of open-source software like “Linux” and “Asterisk” have no copyright restrictions which in effect puts no restrictions on their use or distribution. As a consequence, any work which is derived from the open source software as conceptualized, created, installed and managed, by the Applicant becomes the ownership of the Applicant.

6. In the light of the above, therefore, the applications, configuration files and features so developed by the Applicant are the sole property of the Applicant, make up the knowledge base of the Applicant, make the basis of its business operations, and are highly confident in nature. The applications, configurations and features have been built and acquired by the Applicant through important capital investments and manpower over a period of time.

What they are in fact stating under oath is stating at the Supreme Court is that: that GPL-Licensed software (which the Linux kernel definitely is), has no copyright restrictions? And that any derived work is the sole property of whoever created the derivative?

There is already an outcry in the OSS community and folks are looking at the Free Software legal community to help file legal documents to the Supreme Court of Mauritius.

As Herald Welte from Germany (Linux Kernel Developer, GSM Expert, Hacker, Freedom Fighter, Nerd. Kinky and founder of gpl-violations.org) said it well:  What kind of pot are they smoking in Mauritius?

CentOS 5.6 release will be announced shortly. If you can help seed the 5.6 torrents use the following links:

http://bit.ly/fbW4oM

http://bit.ly/fwI4wJ

http://bit.ly/fjcrpn

http://bit.ly/h1snle

If you’re impatient like me I have spotted a public mirror that already has the ISOs available for download. Have fun downloading from http://centos.cs.wisc.edu/pub/mirrors/linux/centos/5.6/isos/

Update 07/04/2011:  Updates for x86_64 ISOS for c5.6; Implications => new x86_64 torrent files in a few hours; Very small delta so your traffic is not wasted.  No implications to i386 or the livecd’s. Just want to also point out that CentOS-5.6 is *not* released. And packages, ISOS are liable to change till that happens.

New CentOS-5.6/x86_64 torrents released to the mirrors; download and drop over the prev file and most of your data will get reused.

http://bit.ly/fjvWLn

With so many questions being asked about the CentOS 5.6 release, Karanbir Singh (CentOS Project) has answered some of our main concerns as detailed below:

• TimeLine: Stuff is syncing around, it could be upto another day before you see packages, tree and isos on your local mirrors.
• Updates: Yes, it includes all updates released into the distro and most updates from that point on ( exceptions: java packages, subversion and openoffice.org ). These 3 package updates will come through in the next 24 hrs, but due to the churn in the mirrors, might be a few more hours before they are publicly visible on a mirror near you.
• LiveCD: Yes, the LiveCD’s for i386 and x86_64 are also included
• Plus Kernels: Yes, the plus kernels are included in the release with no delay.
• Torrents: Torrents will be published as soon as the release is announced. This is to work around the situation where people will download the torrent and use yum to hit mirrors that are not completely updated as yet. Causing non-trivial issues ( as they end up installing 5.5 pkgs that then need to be updated again ). So once the bit-flip happens, we use the mirror status monitors to workout the state-of-external-mirrors, once there is a reasonable number in sync, we will release torrents, publish md5sum and sha sum’s for the isos and announce the release.
• Update Announcements: There will be individual announcements for all updates released since EL5.6 was released upstream. There will be no announcements for packages rolled into the distro. So in a nutshell: it will be the same as its always been for CentOS-5.
• Will you need to change anything on your machine to get 5.6 ? : No, once its released and publicly available everywhere a regular ‘yum update’ will move your machine from centos-5.x to 5.6

Please keep in mind that till the release is announced ( keep an eye on http://lists.centos.org/mailman/listinfo/centos-announce, things can still change.

And finally : If you dont run a public mirror listed as a centos mirror, please do not rsync from the centos.org machines for the next 3 to 5 days. Use a large pipe mirror near you instead.