Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
openSUSE:Leap:42.2:Update
kdump
kdump-doc-updates.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File kdump-doc-updates.patch of Package kdump
From: Petr Tesarik <ptesarik@suse.com> Date: Wed Oct 5 08:48:38 2016 +0200 Subject: Documentation updates References: bsc#997104, bsc#986081 Patch-mainline: v0.8.16 Git-commit: 18eefdbdb1b4da2cb722dd79fda7f2d2d0b2aef2 Improve the documentation of: - free disk space handling, - SSH public/private authentication Signed-off-by: Petr Tesarik <ptesarik@suse.com> --- doc/man/kdump.5.txt.in | 96 +++++++++++++++++++++++++++++++++++-------------- sysconfig.kdump.in | 6 ++- 2 files changed, 75 insertions(+), 27 deletions(-) --- a/doc/man/kdump.5.txt.in +++ b/doc/man/kdump.5.txt.in @@ -317,12 +317,13 @@ Default: "5" KDUMP_FREE_DISK_SIZE ~~~~~~~~~~~~~~~~~~~~ -Don't save the dump (or delete it afterwards) if after saving the dump less than -KDUMP_FREE_DISK_SIZE megabytes are free. Because when dump compression or dump -filtering (see KDUMP_DUMPLEVEL and KDUMP_DUMPFORMAT) is used, we don't know in -advance how large the dump will be, we have to delete the dump after saving it. +Make sure that at least KDUMP_FREE_DISK_SIZE megabytes are free on the target +partition after saving the dump file. Since the target dump file size may not +be known (because of compression and/or filtering), *kdump* always attempts to +save the dump, but checks remaining free space afterwards and deletes the dump +directory again if remaining space is less than the value specified here. -That option applies only to local file systems, i.e. KDUMP_SAVEDIR must start +This option applies only to local file systems, i.e. KDUMP_SAVEDIR must start with _file_. Default: "64" @@ -684,7 +685,7 @@ File Transfer Protocol (_ftp_) This URL type is used to specify paths on a remote FTP server. -_Format:_ *ftp*://[_user_[:__password__]@]_hostname_[:__port__]]/_path_ +_Format:_ *ftp*://[_user_[:__password__]@]_hostname_[:__port__]/_path_ The remote _user_ is optional, if no user is specified, anonymous FTP is assumed. Even if a username is specified, the _password_ is optional, if no @@ -693,7 +694,7 @@ password is specified, an empty password servers deny anonymous FTP with empty passwords. _hostname_ can be either a (DNS-)resolvable hostname, with or without a domain -name, or an IP address in totted decimal format. _port_ can be used to +name, or an IP address in dotted decimal format. _port_ can be used to specify the remote port, if no port is specified in the URL, the default FTP port is used. Finally, _path_ must conform to the same rules as for local files (see above). @@ -714,34 +715,76 @@ SFTP. It's important that an SFTP server on SUSE), the *kdumptool* does not use FISH (FIles transferred over SHell protocol). -_Format:_ *sftp*://[_user_[:__password__]@]_hostname_[:__port__]]/_path_ +_Format:_ *sftp*://\[__user__@]_hostname_[:__port__]/_path_ -It's valid to use "scp" as alias for "sftp" (for backward -compatibility), but the "sftp" prefix is recommended. +It's possible to use "scp" as an alias for "sftp" (for backward compatibility), +but it is a misnomer; *kdumptool* does not implement the SCP protocol and it +will use SFTP instead. -For the elements, see the description of FTP above. Please note that the use of -an password here is not recommended. The recommended way is to add the key where -the file should be copied to to the "authorized_keys" file of the user where the -dump is saved. For example, if you want to save the dump to the "kdump" user of -the machine "collector", then generate a private/public key pair on the machine -that saves the dump with `ssh-keygen -t dsa`. Append the file _id_dsa.pub_ (in -_root/.ssh/_) to _~dump/.ssh/authorized_keys_ on "collector". +See the description of FTP for an explanation of the _hostname_ and _port_ +elements. +After a system crash, the crashed machine first verifies the identity of the +target host to make sure it does not save the dump to an imposter. Then the +target host verifies the identity of the crashed machine. SSH private/public +key pairs are used in both cases. + +Server Identification +^^^^^^^^^^^^^^^^^^^^^ + +Since system dumps may contain sensitive information, *kdump* uses strict +host key checking for the target server. The SSH client must have a copy +of the public part of the target server's host key. The copy is kept in a +known_hosts file on the client. *Kdump* will use the key found in ++~root/.ssh/known_hosts+ when the kdump initrd is generated. + +Client Authentication +^^^^^^^^^^^^^^^^^^^^^ + +The crashed system uses root's private SSH key to login to the target system. +The public part of that key must be copied to the target user's ++~/.ssh/authorized_keys+ on the target host. + +Example Setup +^^^^^^^^^^^^^ + +To set up _crasher_ for saving dumps over SFTP to _dump@collector_, follow +these steps: + +1. Add the target host public key to +~root/.ssh/known_hosts+ on _crasher_, + e.g.: ++ -------------------------------------------------------------------------------- -root@earth:~# ssh-keygen -t dsa -... -root@earth:~# cat /root/.ssh/id_dsa.pub \ - | ssh kdump@collector "cat - >> /root/.ssh/authorized_keys" +root@crasher:~# ssh-keyscan -t rsa,ecdsa,ed25519 collector \ + >> ~/.ssh/known_hosts -------------------------------------------------------------------------------- - -Don't use any password to encrypt the key. *kdumptool* is designed to be used ++ +*WARNING:* Note that the above command accepts the identity of _collector_ +without any checking that it is genuine. This is a security risk unless the +network connection between _crasher_ and _collector_ can be fully trusted when +you run this command. + +2. Generate a private/public key pair for the _root_ user on _crasher_, e.g. + to make a 4096-bit RSA key, run this as _root_: ++ +-------------------------------------------------------------------------------- +root@crasher:~# ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa +-------------------------------------------------------------------------------- ++ +Do not use any password to encrypt the key. *kdumptool* is designed to be used non-interactively. +3. Append the content of +\~.ssh/id_rsa.pub+ to +~dump/.ssh/authorized_keys+ + on _collector_: ++ +-------------------------------------------------------------------------------- +root@crasher:~# ssh-copy-id dump@collector +-------------------------------------------------------------------------------- + _Examples:_ -* +sftp://kdump@collector:22/var/log/dump+ +* +sftp://dump@collector:22/var/log/dump+ * +sftp://neptunium/var/log/dump+ -* +scp://neptunium/var/log/dump+ Secure Shell Protocol (_ssh_) @@ -750,12 +793,13 @@ Secure Shell Protocol (_ssh_) Unlike the _sftp_ URL type, this protocol does not use SFTP, but rather transfers the data to a remote *dd* command. -_Format:_ *ssh*://[_user_[__password__]@]_hostname_[:__port__]]/_path_ +_Format:_ *ssh*://\[__user__@]_hostname_[:__port__]/_path_ Most of the notes for SFTP also apply to SSH, except: * SFTP need not be configured on the target host. * Shell access must be granted to the dump user. +* The shell must allow execution of +mkdir+, +dd+ and +mv+. _Examples:_ --- a/sysconfig.kdump.in +++ b/sysconfig.kdump.in @@ -129,11 +129,15 @@ KDUMP_TRANSFER="" # - a local file, for example "file:///var/log/dump" (or, deprecated, # just "/var/log/dump") # - a FTP server, for example "ftp://user:password@host/var/log/dump" -# - a SSH server, for example "ssh://user:password@host/var/log/dump" +# - a SFTP server, for example "sftp://user@host/var/log/dump" +# - a SSH server, for example "ssh://user@host/var/log/dump" # - a NFS share, for example "nfs://server/export/var/log/dump" # - a CIFS (SMB) share, for example # "cifs://user:password@host/share/var/log/dump" # +# SFTP and SSH targets use public/private key authentication, see the manual +# page for more details on setting it up. +# # See also: kdump(5) which contains an exact specification for the URL format. # Consider using the "yast2 kdump" module if you are unsure. #
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor