Prelink is a PITA. I removed it; read how and why I did this.
Aide and Prelink
I am using AIDE, and prelink and AIDE do not like each other. I did some research on the Internet to find out whether prelink helps save time starting up programs. There are many articles on the net, including Stack Overflow, blogs and other articles – just search “prelink [good|helpful|useful]” and you will find many articles to educate yourself.
I found this and I made up my mind – the servers in question ALL have multiple CPUs, hardware RAID, fast hard drives (including SSDs), loads of RAM, server boards, and are not user-based (most are sendmail/httpd/samba/etc) – so prelink does not make a lot of difference.
When I heard that later Linux kernels allow sharing of libraries in memory, the days of prelink were counted; I just had to find some time.
The problems (amongst others) I had running aide are these:
- /usr/sbin/prelink: /SOME_PATH/SOME_FILE: at least one of file’s dependencies has changed since prelinking
  Error on exit of prelink child process
- every so often when prelink runs (monthly) I get the content of entire directories changed, e.g. /bin, /sbin, /usr/bin etc.
People suggested that every time I found any of these entries (1), I run prelink on just those files to update the DB for prelink. I even automated this with a couple of bash scripts, just dumping the lines from the received email complaining about prelink changes into a txt file and then running the bash scripts on that, using sed/awk/grep/tr to clean up the lines to only have filenames and then feeding those into prelink.
It got really annoying.
BYE BYE Prelink
The first thing I did was to disable prelinking in /etc/sysconfig/prelink by changing
PRELINKING=yes
to
PRELINKING=no
Then I ran the command
prelink -ufa
to remove the prelink information from the binaries and libraries. Then I ran yum to remove it:
yum remove prelink
Then I ran
aide -i
to update aide’s database.
I ran into another problem: I received the following error messages:
WARNING: AIDE detected prelinked binary objects on your system but the prelink tool (/usr/sbin/prelink) is missing!
WARNING: prelinked files will be processed without a prelink undo operation! Please install prelink to fix this.
I knew immediately what this meant: some libraries/binaries were not cleaned by prelink.
So I used my bash skills, without help from either prelink or aide, to find what I had to clean.
First was to find ALL files in the system that are ELF binaries (note: your path mileage will vary):
find / -type f ! -path "/cgroup/*" ! -path "/dev/*" ! -path "/etc/*" ! -path "/home/*" ! -path "/man/*" ! -path "/media/*" ! -path "/mnt/*" ! -path "/piquet.barrett.com.au/*" ! -path "/proc/*" ! -path "/root/*" ! -path "/selinux/*" ! -path "/share/*" ! -path "/snapshot/*" ! -path "/squidcache/*" ! -path "/src/*" ! -path "/srv/*" ! -path "/sys/*" ! -path "/tmp/*" ! -path "/var/*" -exec file {} \; | grep ELF | cut -f1 -d":" > /tmp/ELF_FILES
I tried to use “xargs” like so
find / -type f -print | xargs -0 file | grep ELF | cut -f1 -d":" > /tmp/ELF_FILES
but I ended up getting that dreaded “arguments too long” after I added the “-0” because at first I received the dreaded xargs single quotes problem … so I cut the corner and wasted CPU cycles doing it the loooooong way.
Once you have the file /tmp/ELF_FILES, you feed its contents, one file name at a time, through the following command:
# read one path per line so names containing spaces stay intact
while IFS= read -r f; do
if readelf -S "$f" 2>/dev/null | grep -q prelink; then echo "$f" >> /tmp/ELF_FILES_PRELINKED; fi
done < /tmp/ELF_FILES
For the last step I needed prelink again, so I re-installed it
yum install prelink
but also made sure that I turned off prelinking in /etc/sysconfig/prelink
Then all you have to do is
while IFS= read -r f; do
prelink -uf "$f"
done < /tmp/ELF_FILES_PRELINKED
and a last
yum remove prelink
Gone, for good.
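
The scan for leftover prelinked files from the steps above can be done in one pass; this is an added example, not the author's script. It uses `find -exec … {} +`, which batches file names like xargs does but avoids the `-print` / `xargs -0` mismatch (newline-separated names read as one NUL-terminated argument), checks the ELF magic bytes directly instead of calling `file`, and looks for the `.gnu.prelink_undo` section. The function name `list_prelinked` and the `READELF` override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's script. Assumptions: the function name
# list_prelinked and the READELF override are hypothetical names for this sketch.

# list_prelinked ROOT...
#   Prints, one per line, every regular file under the given roots that is an
#   ELF object carrying the .gnu.prelink_undo section that prelink adds.
list_prelinked() {
    # -xdev keeps find on each root's own filesystem (no /proc, /sys, NFS).
    # "-exec ... {} +" passes names as separate arguments in batches sized to
    # fit the kernel limit, so spaces and quotes in names are harmless.
    READELF="${READELF:-readelf}" find "$@" -xdev -type f -exec sh -c '
        for f do
            # Cheap ELF test: first four bytes must be 7f 45 4c 46.
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d " \n")
            [ "$magic" = "7f454c46" ] || continue
            # Section-header check, same idea as the readelf/grep loop above.
            if "$READELF" -S "$f" 2>/dev/null | grep -q "\.gnu\.prelink_undo"; then
                printf "%s\n" "$f"
            fi
        done
    ' sh {} +
}

# Usage: list_prelinked /bin /sbin /usr /lib /lib64 > /tmp/ELF_FILES_PRELINKED
```

File names containing a newline would still be split in the output list; everything else, including spaces and quotes, passes through intact.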