CentOS Remove Old Kernels

Tonight while upgrading a CentOS Linux server, YUM reported that 15MB more disk space was needed on /boot to upgrade grub and the kernel itself. Below are five quick steps to verify which kernels are installed, install yum-utils if it is not installed already, delete previous kernels, configure YUM to remove old kernels automatically when new kernels are installed, and verify the result. Depending on the size of your /boot partition you need to decide how many previous kernels to keep installed, though I would recommend always keeping at least one previous kernel so you can boot back into it if a new kernel misbehaves. The steps below follow that recommendation and set YUM to always keep two kernels, which means the current kernel and one previous kernel.

YUM Warning Regarding /boot Disk Space:

As you can see below, during the transaction test that YUM runs before installing or upgrading packages, a transaction check error aborts the update because there is not enough room on the /boot partition.

Total                                          8.5 MB/s | 167 MB     00:19
Running rpm_check_debug
Running Transaction Test
Transaction Check Error:
  installing package needs 15MB on the /boot filesystem
  installing package grub-1:0.97-83.el6.x86_64 needs 15MB on the /boot filesystem
Error Summary
Disk Requirements:
  At least 15MB more space needed on the /boot filesystem.

Once you receive that error it is always good to manually check the remaining disk space on the server to verify that YUM is reporting accurately. In the output below from a CentOS Linux server there is only 14MB available on /boot, while YUM reports that it needs 15MB more than that, so the grub and kernel upgrades would need roughly 29MB of free space on /boot in total.

Show Disk Usage Per Partition on CentOS Linux:

[root@dev ~]# df -kh
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             228G   22G  194G  11% /
tmpfs                 1.9G     0  1.9G   0% /dev/shm
/dev/sda1              99M   81M   14M  87% /boot
[root@dev ~]#

Follow the steps below to list currently installed kernels on your CentOS server, install yum-utils for the package-cleanup command, remove the oldest kernels on the CentOS Linux server and configure YUM to automatically remove older kernels when new kernels are installed in the future.

Remove Previous CentOS Linux Kernels:

  1. List Installed CentOS Linux Kernels: Use the RPM command in the example below to list the kernels currently installed on your CentOS Linux server, and compare the list against the output of uname -r so you know which entry is the kernel you are actually running. package-cleanup skips the running kernel, but a manual yum remove kernel-... would happily remove it, so always check before removing anything by hand.
    [root@dev ~]# rpm -q kernel
    [root@dev ~]#
  2. Install YUM Utilities Package On CentOS Linux: Now install the yum-utils package on Linux as shown in the example command below.
    [root@dev ~]# yum install yum-utils
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
     * atomic:
     * epel:
     * rpmforge:
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package yum-utils.noarch 0:1.1.30-14.el6 will be updated
    ---> Package yum-utils.noarch 0:1.1.30-17.el6_5 will be an update
    --> Finished Dependency Resolution
    Dependencies Resolved
     Package                    Arch                     Version               Repository                             Size
     yum-utils                  noarch                   1.1.30-17.el6_5       updates                                102 k
    Transaction Summary
    Upgrade       1 Package(s)
    Total size: 102 k
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : yum-utils-1.1.30-17.el6_5.noarch                             1/2
      Cleanup    : yum-utils-1.1.30-14.el6.noarch                               2/2
      Verifying  : yum-utils-1.1.30-17.el6_5.noarch                             1/2
      Verifying  : yum-utils-1.1.30-14.el6.noarch                               2/2
    Updated:
      yum-utils.noarch 0:1.1.30-17.el6_5

    Complete!
    [root@dev ~]#
  3. Remove Older CentOS Linux Kernels: Once the CentOS yum-utils package has been installed you will now have access to the package-cleanup command which will allow us to easily remove previous CentOS Linux kernels as shown in the below example command output.
    [root@dev ~]# package-cleanup --oldkernels --count=2
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * atomic:
     * epel:
     * rpmforge:
    --> Running transaction check
    ---> Package kernel.x86_64 0:2.6.32-358.el6 will be erased
    --> Finished Dependency Resolution
    Dependencies Resolved
     Package        Arch       Version           Repository                                                       Size
     kernel         x86_64    2.6.32-358.el6     @anaconda-CentOS-201303050102.x86_64/6.4                         116 M
    Transaction Summary
    Remove        1 Package(s)
    Installed size: 116 M
    Is this ok [y/N]: y
    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Erasing    : kernel-2.6.32-358.el6.x86_64            1/1
      Verifying  : kernel-2.6.32-358.el6.x86_64            1/1
    Removed:
      kernel.x86_64 0:2.6.32-358.el6

    Complete!
    [root@dev ~]#
  4. Update YUM Configuration to Automatically Remove Old Kernels: Once the old CentOS Linux kernels have been removed, update the /etc/yum.conf file so that YUM automatically removes the oldest kernel every time a new kernel is installed. The option that controls this is installonly_limit, and again the minimum you should set it to is 2 so you can always roll back to the previous kernel if need be. Use your favorite editor such as "vi" to edit /etc/yum.conf and change the installonly_limit line in the [main] section from the default of 5 to 2 as shown below.

    Default yum.conf installonly_limit Configuration:
    installonly_limit=5

    Modified yum.conf installonly_limit Configuration:
    installonly_limit=2

    The setting only applies to future installs: YUM removes the oldest kernel the next time a kernel package is installed and the installed count exceeds the limit, it does not clean anything up on its own before then.

  5. Verify CentOS Linux /boot Directory Free Disk Space: As you can see in the output below there is 42MB of disk space available even after using “yum update” to update packages that included a new kernel.
    [root@dev ~]# df -kh
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda3       228G   22G  194G  11% /
    tmpfs           1.9G     0  1.9G   0% /dev/shm
    /dev/sda1        99M   53M   42M  57% /boot
    [root@dev ~]#
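
The checks behind steps 1, 3 and 4 as one small shell helper. This is an added example and not code from the original post; it assumes GNU awk, sed and grep, a yum.conf with a [main] section, and uses "rpm -q kernel --last" output (newest install first) as the kernel list rather than plain "rpm -q kernel" piped through sort -V, because RPM release tags such as 358.el6 versus 358.23.2.el6 do not order correctly as generic version strings. The sample data at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post. The helpers are pure
# text processing so they can be dry-run anywhere; only the real
# package-cleanup run and the /etc/yum.conf edit need root.
# Assumptions (mine): GNU awk/sed/grep and a yum.conf with [main].

# kernels_to_remove LIST KEEP RUNNING
# LIST is "rpm -q kernel --last" output, KEEP the number of newest
# installs to retain, RUNNING the output of "uname -r". Prints the
# package names to remove; the running kernel is never listed even
# when it falls outside the KEEP window (so up to KEEP+1 remain).
kernels_to_remove() {
    printf '%s\n' "$1" | awk -v keep="$2" -v running="$3" '
        NF {
            nvra = $1; sub(/^kernel-/, "", nvra)
            if (++n > keep && nvra != running) print $1
        }'
}

# boot_free_kb DF_TEXT
# Parses "df -Pk" output and prints the free kilobytes of the filesystem
# holding /boot, falling back to / when /boot is not its own mount.
boot_free_kb() {
    printf '%s\n' "$1" | awk '
        $6 == "/boot" { boot = $4 }
        $6 == "/"     { root = $4 }
        END { print (boot != "" ? boot : root) }'
}

# set_installonly_limit CONF N
# Idempotently pins installonly_limit=N in CONF: rewrites an existing
# line or inserts one directly under [main]. Prints the resulting line.
set_installonly_limit() {
    if grep -q '^installonly_limit=' "$1"; then
        sed -i "s/^installonly_limit=.*/installonly_limit=$2/" "$1"
    else
        sed -i "/^\[main\]/a installonly_limit=$2" "$1"
    fi
    grep '^installonly_limit=' "$1"
}

# Constructed sample data (not captured from a real server).
SAMPLE_LAST='kernel-2.6.32-431.5.1.el6.x86_64   Tue 18 Feb 2014 09:12:40 PM EST
kernel-2.6.32-431.el6.x86_64       Mon 02 Dec 2013 11:03:17 AM EST
kernel-2.6.32-358.23.2.el6.x86_64  Fri 08 Nov 2013 08:45:01 PM EST
kernel-2.6.32-358.el6.x86_64       Tue 05 Mar 2013 01:02:00 AM EST'
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda3        239000000 23000000 203000000      11% /
tmpfs              1990000        0   1990000       0% /dev/shm
/dev/sda1           101086    82944     14000      87% /boot'

# Dry run on the sample: keep 2, pretend the third-newest is running,
# so only the oldest entry is reported.
echo "free on /boot: $(boot_free_kb "$SAMPLE_DF") kB"
echo "would remove:"
kernels_to_remove "$SAMPLE_LAST" 2 2.6.32-358.23.2.el6.x86_64
# On a real host (as root):
#   kernels_to_remove "$(rpm -q kernel --last)" 2 "$(uname -r)"
#   package-cleanup --oldkernels --count=2    # same rule, interactive
#   set_installonly_limit /etc/yum.conf 2
```

Because the running kernel is always retained, the removal list can be one entry shorter than you expect when the newest kernel has been installed but the box has not been rebooted into it yet; that is the correct behaviour, since removing the running kernel leaves nothing to fall back to if the new one fails to boot.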

The end result is that disk space in /boot should stay under control. In my personal opinion /boot should always be created with more than 100MB of space so you can keep several older kernels or kernels for different tasks, but many times you take over administration of a server that is already configured and running and have to work with what is there.


Secure /tmp And /var/tmp Directories On CentOS Linux

A couple of days ago a CentOS Linux server that I took over administration of had some mysterious files show up in the /tmp and /var/tmp directories. The files were placed in /tmp and /var/tmp by the apache user, meaning there is some form of security hole in Apache, PHP, or one of the virtual hosts has an insecure application installed. Before looking into where the issue is I needed to lock things down so that no applications could be executed from these directories in the future, regardless of any further security flaw. Below are instructions on how to secure /tmp and /var/tmp.

Secure /tmp Directory On Linux:

  1. Generate 1GB File: Make sure that you have enough space on your hard drive using the df (df -kh) command. Then generate a one gigabyte file that will back the /tmp directory using the syntax below. Note that on CentOS /dev is a tmpfs that udev populates at boot, so a regular file created under /dev as in this example does not survive a reboot and the fstab entry added in step 7 would then fail to mount; if you plan to keep this setup, place the image on a persistent filesystem (somewhere under /var, for example) and use that path in every step below. Also restrict the image to root (chmod 600) once it is created, otherwise any local user can read the raw image and with it every file in /tmp.
    [root@dev ~]# dd if=/dev/zero of=/dev/tmpDIR bs=1024 count=1000000
    1000000+0 records in
    1000000+0 records out
    1024000000 bytes (1.0 GB) copied, 5.32903 seconds, 192 MB/s

    As you can see in the above output it took the server 5.3 seconds to generate the 1GB file which will be used for both /tmp and /var/tmp once we are completed.

  2. Format File To EXT3: After the file is created you will need to format the file to ext3 or whatever filesystem you are using for the other directories on the Linux server using syntax similar to the below. The output is included below so you know that when the “Proceed anyway?” warning displays that you should type “y” for yes followed by enter to continue.
    [root@dev ~]# /sbin/mkfs.ext3 /dev/tmpDIR
    mke2fs 1.39 (29-May-2006)
    /dev/tmpDIR is not a block special device.
    Proceed anyway? (y,n) y
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    125184 inodes, 250000 blocks
    12500 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=260046848
    8 block groups
    32768 blocks per group, 32768 fragments per group
    15648 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376
    Writing inode tables: done
    Creating journal (4096 blocks): done
    Writing superblocks and filesystem accounting information: done
    This filesystem will be automatically checked every 24 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    [root@dev ~]#
  3. Backup Current /tmp Directory: Now back up the current /tmp directory using the syntax below, which keeps the same ownership and permissions for the files currently in /tmp. Mounting the new filesystem in step 4 hides everything in the old /tmp, including any sockets that running services such as MySQL keep there, so do this during a maintenance window with those services stopped.
    [root@dev ~]# cp -Rpf /tmp /tmpbak
  4. Mount New /tmp Directory: After backing up the data you can proceed with mounting the new /tmp directory with the syntax below.
    [root@dev ~]# mount -o loop,noexec,nosuid,rw /dev/tmpDIR /tmp

    Notice we are mounting the /tmp directory with noexec and nosuid, which stop direct execution of files from the mount and prevent set-user-identifier and set-group-identifier bits from taking effect, respectively. Adding nodev as well (loop,noexec,nosuid,nodev,rw) stops device nodes on the filesystem from being honored and costs nothing for a temp directory. Keep in mind that noexec only blocks running a file directly: a script handed to an interpreter (sh /tmp/script.sh, php /tmp/file.php) is simply read by that interpreter and still runs, so this mount raises the bar for dropped binaries but does not replace fixing the application that is writing the files.

  5. Modify /tmp Directory Permissions: Use the syntax below to modify the permissions of the new /tmp directory on the CentOS Linux server.
    [root@dev ~]# chmod 1777 /tmp
  6. Copy Old /tmp Data: After the directory is mounted and the proper permissions are set, copy the data from the old /tmp directory into the newly created /tmp directory. First cd into the /tmpbak directory and then copy all of the contents using the syntax below.
    [root@dev ~]# cd /tmpbak
    [root@dev tmpbak]# cp -Rpf * /tmp/

    The shell glob * skips files whose names begin with a dot. Do not try to pick those up with .* because that glob also matches . and .., so cp would recurse into the parent directory; instead copy the directory contents by name, which includes the dot-files:
    [root@dev tmpbak]# cp -Rpf /tmpbak/. /tmp/

  7. Modify fstab: After verifying that the new /tmp directory is working properly you should add a line to the end of the /etc/fstab file so the new directory is mounted when the server reboots.
    /dev/tmpDIR              /tmp                    ext3    loop,nosuid,noexec,rw 0 0
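
The seven steps above as a single script, added here as an example and not the post's own commands. It differs from the step-by-step version in three places a practitioner would want: the image lives on a persistent filesystem instead of under /dev, nodev is mounted alongside noexec and nosuid and the image is made root-only, and dot-files are copied with a trailing /. rather than a .* glob. The image path (/var/lib/tmp.img), size and the DRY_RUN variable are my assumptions; the script expects GNU coreutils, e2fsprogs and util-linux, and must be run as root with any service that keeps sockets in /tmp stopped first.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions (mine):
# image path, size and mount point are parameters (defaults
# /var/lib/tmp.img, 1024 MB, /tmp); GNU dd/cp, mkfs.ext3, mount.
# Run as root. With DRY_RUN=1 the commands are printed, not executed.
# Services holding sockets in /tmp (MySQL's mysql.sock is the usual
# one) must be stopped first, since the new mount hides the old files.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fstab_entry IMAGE MOUNTPOINT -> the line to append to /etc/fstab
fstab_entry() {
    printf '%s\t%s\text3\tloop,nosuid,noexec,nodev,rw\t0 0\n' "$1" "$2"
}

# secure_tmp IMAGE SIZE_MB [MOUNTPOINT]
secure_tmp() {
    img="$1"; size_mb="$2"; mp="${3:-/tmp}"; bak="${mp}bak"
    run dd if=/dev/zero of="$img" bs=1M count="$size_mb"
    run chmod 600 "$img"                    # only root may read the raw image
    run mkfs.ext3 -F "$img"                 # -F: no "not a block device" prompt
    run cp -a "$mp" "$bak"                  # -a keeps owners, modes, links, times
    run mount -o loop,noexec,nosuid,nodev,rw "$img" "$mp"
    run chmod 1777 "$mp"
    run cp -a "$bak/." "$mp/"               # "dir/." includes dot-files safely
    if [ -n "$DRY_RUN" ]; then
        echo "append to /etc/fstab: $(fstab_entry "$img" "$mp")"
    else
        fstab_entry "$img" "$mp" >> /etc/fstab
    fi
}

case "$1" in
    --dry-run) DRY_RUN=1; secure_tmp "${IMAGE:-/var/lib/tmp.img}" "${SIZE_MB:-1024}" /tmp ;;
    --apply)             secure_tmp "${IMAGE:-/var/lib/tmp.img}" "${SIZE_MB:-1024}" /tmp ;;
esac
```

Run it once with --dry-run and read the plan before using --apply; the dry run is also the place to change IMAGE if /var/lib is not where you keep large files. A leftover /tmpbak directory from an earlier run is not removed, so clear it out before re-running or cp -a will copy into it rather than over it.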

After finishing the above steps, test the /tmp directory to verify it is secure by copying an executable to /tmp and attempting to execute it; the attempt should fail with "Permission denied". Once verified, also follow the steps below to secure /var/tmp, which can be abused in the same way and cause issues on your server.

Secure /var/tmp On A CentOS Linux Server:

  1. Temporarily Move /var/tmp: Move the /var/tmp directory to a new location so you can create a symlink to the /tmp directory we already secured.
    [root@dev ~]# mv /var/tmp /var/tmpbak
  2. Create A Symbolic Link: Once the directory has been moved you can create a symbolic link to the /tmp directory we already secured using the syntax below. This makes /var/tmp live on the same filesystem as /tmp, so it inherits the noexec and nosuid mount options while existing paths under /var/tmp keep working.
    [root@dev ~]# ln -s /tmp /var/tmp
  3. Copy /var/tmp Contents: Once the symbolic link is in place, copy the contents of the /var/tmpbak directory into /var/tmp using the syntax below (the trailing /. makes cp include dot-files, which a * glob would skip).
    [root@dev ~]# cp -pR /var/tmpbak/. /tmp/

    Make sure to verify all of the contents of the directory make it to the new directory.

Your /tmp and /var/tmp directories are now secured on your CentOS Linux server.
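
A way to check that claim on a running box, covering both the execution test suggested after the /tmp steps and the /var/tmp symlink. This is an added example, not part of the original post. It assumes a Linux /proc/mounts, GNU readlink (to follow the /var/tmp -> /tmp link), and that the probe is run as the web server's own user (for example via su -s /bin/sh apache), since that is the account the dropped files belonged to; the /proc/mounts text at the bottom is constructed to show a /tmp mount where nodev was forgotten.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (mine): Linux
# /proc/mounts, GNU readlink -f, probe run as the web server's user.

# check_mount_opts MOUNTS_TEXT MOUNTPOINT OPT...
# Finds the last /proc/mounts entry for MOUNTPOINT (the most recent
# mount wins) and prints any required option that is missing. Exit 0
# only when the path is a mount point carrying every option.
check_mount_opts() {
    mounts="$1"; mp="$2"; shift 2
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "$mp: not a mount point (files live on the parent filesystem)"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp missing:$missing"
        return 1
    fi
    return 0
}

# check_live PATH: the same check against the running system, following
# symlinks so /var/tmp -> /tmp is judged by /tmp's mount options.
check_live() {
    check_mount_opts "$(cat /proc/mounts)" "$(readlink -f "$1")" noexec nosuid nodev
}

# probe_exec DIR: write a one-line script, mark it executable and run it
# directly. Returns 0 when the kernel refuses ("Permission denied" from
# a noexec mount), 1 when it ran. It then shows the limit of noexec:
# handing the same file to an interpreter is an ordinary read, so
# "sh /tmp/x.sh" still works. noexec stops dropped binaries, not scripts.
probe_exec() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\necho ran\n' > "$f"
    chmod 755 "$f"
    if "$f" >/dev/null 2>&1; then
        rc=1; echo "$1: direct execution ALLOWED"
    else
        rc=0; echo "$1: direct execution refused"
    fi
    sh "$f" >/dev/null 2>&1 && echo "$1: but 'sh $f' still runs"
    rm -f "$f"
    return $rc
}

# Constructed /proc/mounts sample (not from a real host): /tmp is a loop
# mount with noexec,nosuid but nodev was forgotten, and /var/tmp is a
# symlink so it has no entry of its own.
SAMPLE_MOUNTS='/dev/sda3 / ext3 rw,relatime,errors=continue 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0'

check_mount_opts "$SAMPLE_MOUNTS" /tmp noexec nosuid nodev || :   # "/tmp missing: nodev"
check_mount_opts "$SAMPLE_MOUNTS" /var/tmp noexec || :            # not a mount point
# On the real host: check_live /tmp; check_live /var/tmp; probe_exec /tmp
```

check_live resolves the symlink before looking at /proc/mounts, so a /var/tmp that was moved aside but never linked back to /tmp shows up as "not a mount point" rather than silently passing. Run probe_exec as the unprivileged user the web server uses; root is not what the attacker had.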