ProductsDesktop Server For Scientific Computing For IBM POWER For IBM System z For SAP Business Applications Red Hat Network Satellite ManagementExtended Update Support High Availability High Performance Network Load Balancer Resilient Storage Scalable File System Smart Management Extended Lifecycle SupportWeb Server Developer Studio Portfolio Edition JBoss Operations Network FuseSource Integration Products Web Framework Kit Application Platform Data Grid Portal Platform SOA Platform Business Rules Management System (BRMS) Data Services Platform Messaging JBoss Community or JBoss enterprise
SolutionsApplication development Business process management Enterprise application integration Interoperability Operational efficiency Security VirtualizationMigrate to Red Hat Enterprise Linux Systems management Upgrading to Red Hat Enterprise Linux JBoss Enterprise Middleware IBM AIX to Red Hat Enterprise Linux HP-UX to Red Hat Enterprise Linux Solaris to Red Hat Enterprise Linux UNIX to Red Hat Enterprise Linux Start a conversation with Red Hat Migration services
TrainingPopular and new courses JBoss Middleware Administration curriculum Core System Administration curriculum JBoss Middleware Development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing and Virtualization curriculum
ConsultingStandard Operating Environment (SOE) Strategic Migration Planning Service-oriented architecture (SOA) Enterprise Data Solutions Business Process Management
Ask Shadowman: Red Hat Network
He's smart. He's mysterious. He's got only one name like Madonna or a Brazilian soccer player. And every month Shadowman answers the toughest technical questions anyone has ever dared ask a two-dimensional logo. This month's mission: To respond to your questions about Red Hat Network. A remarkable feat considering Shadowman's face is missing a mouth...
Join us again in May when Shadowman scales the walls of the enterprise to answer your questions about Red Hat Linux Advanced Server, our new enterprise-class operating system.
Got a question that you'd like Shadowman to answer? Ask him.
Brian M. writes:
-> 23:38:17.562019 eth0 > arp who-has 192.168.0.254 tell 192.168.0.2 (0:50:ba:be:59:65) -> 23:38:17.562019 eth0 < arp reply 192.168.0.254 is-at 0:0:c0:51:e8:c1 (0:50:ba:be:59:65) -> 23:38:17.562019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53518+ A? www.rhns.redhat.com. (37) (DF) -> 23:38:22.572019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53518+ A? www.rhns.redhat.com. (37) (DF) -> 23:38:27.582019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53519+ A? www.rhns.redhat.com.Ourhouse. (46) (DF)
This goes on for many more packets - I didn't post whole thing due to length, but can provide. Can someone tell me why my computer is 'calling home?'
But first, a little background before answering your question. The first thing to keep in mind about Red Hat Network is that it is based on a client/server architecture. Basically, that means that the client (your system) must connect to the server (the Red Hat Network systems) in order to make anything happen.
It's always the same dance:
But sometimes, you want the server to start the conversation--like when Red Hat Network determines that an update should be installed on your system.
How do you make this scenario fit into the client/server architecture? The short answer is that you don't--the client-server model doesn't support it. So a different approach is necessary; and that's what you're seeing.
In this case, your system has been profiled and registered with Red Hat Network. Once that is done, your system will "check in" with the Red Hat Network on a periodic basis, looking for updates and actions to be performed. If there is an update or action available for your system, this periodic check will discover them, making it look like your system was actually "tapped on the shoulder" by Red Hat Network.
If you temporarily want to stop this from happening (say you're sitting in a hotel room in Dubuque reading email on your laptop, and the modem's just connected at 4800 baud, and you *really* don't want that nifty 100MB XFree86 update downloading right now, thank you very much), just enter this command (while logged in as root, of course):
You can also disable it forever with another command (again, as root):
Whew! Shadowman needs a vacation after that one...
Kaizaad B. asks:
The things Shadowman does for his readers!
Jarod F. wonders:
Yes, Shadowman realizes that this is not going to work in every instance. However, Shadowman does wonder: Why do you want to install an RPM that is already installed? Maybe somebody deleted some files by mistake, hmmm? That's why rm has the -i option...
Unable to Communicate in Calgary asks:
It turns out that Shadowman's iptables Kung-Fu is nothing special (even though it is highly effective against script kiddies and grandmothers with port scanners). Any firewall that allows outbound connections on ports 80 (http) and 443 (https) will not impact Red Hat Network-related activities.
An easy way to test this is simply to try browsing both non-secure and secure websites -- if you can do that, you can use Red Hat Network.
Robert P. shouted into the wind:
No really, stop laughing... Are you concerned?
There are three things that allow Shadowman to sleep soundly at night:
Brian S. whispered:
1. First, you must do something to make connection attempts directed to Red Hat Network go instead to your evil Red Hat Network clone. DNS spoofing and/or playing games with routing would probably do the trick. This is, admittedly, difficult but not impossible.
2. Next, you must set up your own evil Red Hat Network clone. Again, difficult but not impossible.
3. Then you must obtain (or fake) a secure certificate signed by the same Certificate Authority that we use for Red Hat Network. This is absolutely necessary, as the Red Hat Network client authenticates the server every time it connects. This is quite a bit more difficult than the previous two steps.
That's it! You can now serve Red Hat-signed RPMs using your evil Red Hat Network clone. What's that, you say? The point of all this is to silently install evil RPMs on unsuspecting systems? Unfortunately, as RPMs are downloaded, their signatures are checked against Red Hat's key. So this means you'll also need to:
4. Create a fake digitally-signed RPM (of course, the crypto folks like to say that this is "computationally infeasible" -- does this get crypto folks dates? Shadowman doubts it). Or, you need to steal Red Hat's private RPM-signing key (even Shadowman doesn't know where it's kept), and then coerce one of the three people in the world (and Shadowman isn't one of those people) that know the key's passphrase into giving it to you. (And just a little hint -- if one of these three people end up missing, or suddenly purchasing the Republic of Nauru, we'll be changing the keys.)
After learning all this, Shadowman feels that this is another thing that helps him sleep soundly at night.
Peter E. (of Melbourne Australia) said:
The answer is that, while today's kernel RPMs do a pretty good job of:
it's still possible to shoot oneself in the foot, and be left without a leg to stand on (if Shadowman may be so bold as to mix his metaphors).
Of course, most seasoned system administrators are aware of the importance of maintaining at least one bootable kernel (and those unseasoned sysadmins that make this mistake quickly become seasoned -- usually while on a slowly-turning spit, over a hickory fire, stoked by the users they claim to support).
So rather than promote this kind of fate for sysadmins everywhere, the Red Hat Network default settings encourage system administrators to consider this matter carefully before blindly enabling kernel updates. It can be done -- but you need to be sure you check the results whenever a kernel update is installed.
As for your second question, Shadowman will slip into your local dialect to answer:
Shadowman was off to the dunny after a ripper king brown, when his mates hooked around the Johnny Horner, and went back o' beyond, leaving Shadowman Adrians with a drongo ear basher, which was hard yakka, and bob's your uncle!
Maarten L. spoke clearly:
(Note that registration is required to read the whitepaper -- Shadowman wants to be sure you're studying!)
Kevin H. noted:
Martin F. intoned:
William B. mumbled:
Next, remove the machine from your Red Hat Network home account (You can then send mail to email@example.com and tell them to lock the account, if you like).
The last step is to use rhn_register to register the machine. Because the machine has already been registered, you'll be asked if you want to continue anyway; click on the "yes" button. Register the machine as you normally would (making sure to use your Red Hat Network office account).
After you log into your Red Hat Network office account and entitle the machine, you'll be all set. It's so simple even Shadowman can do it!
Ted J. screamed: