Prelink is a PITA

Prelink is a PITA. I removed it, read how and why I did this.

Aide and Prelink

I am using AIDE, prelink and AIDE do not like each other. I did some research on the Internet to find out whether prelink helps saving time starting up programs. There are many articles on the net including stackoverflow, blogs and other articles – just search “prelink [good|helpful|useful]” and you will find many articles to educate yourself.

I found this and I made up my mind – the servers in question ALL have multiple CPU’s, hardware RAID, fast hard drives (including SSD’s), loads of ram, server boards, non user based (most are sendmail/httpd/samba/etc) – so prelink does not make a lot of difference.

When I heard that later Linux Kernels allow sharing of libraries in memory the days of prelink where counted, I just had to find some time.

The problems (amongst others) I had running aide are these:

  1. /usr/sbin/prelink: /SOME_PATH/SOME_FILE: at least one of file’s dependencies has changed since prelinking
    Error on exit of prelink child process
  2. every so often when prelink runs (monthly) I get the content of entire directories changed, e.g. /bin, sbin, /user/bin etc.

People suggested that everytime I found any of these entries (1) to run prelink on just those files to update the DB for prelink. I even automated this with a couple of bash scripts just dumping the lines for the received email complaining about prelink changes into a txt file and then running the bash scripts on that, like sed/awk/grep/tr to clean up the lines to only have filenames and then feed those into prelink.

It got really anoying.

BYE BYE Prelink

The first thing I did is to disable prelinking in /etc/sysconfig/prelink and changed

PRELINKING=yes

to

PRELINKING=no

Then I ran the command

prelink -ufa

to remove the prelink information from the binaries and libraries. Then I ran yum to remove it:

yum remove prelink

Then I ran

aidei -i

to update aide’s database.

I ran into another problem, I received following error messages:


WARNING: AIDE detected prelinked binary objects on your system but the prelink tool (/usr/sbin/prelink) is missing!
WARNING: prelinked files will be processed without a prelink undo operation! Please install prelink to fix this.

I knew immediately what this meant, some libraries/binaries where not cleaned by prelink.

So I used my bash skills without the help from prelink nor aide to find what I had to clean.
First was to find ALL files in the system that are ELF binaries (note you path mileage will vary):

find / -type f ! -path "/cgroup/*" ! -path "/dev/*" ! -path "/etc/*" ! -path "/home/*" ! -path "/man/*" ! -path "/media/*" ! -path "/mnt/*" ! -path "/piquet.barrett.com.au/*" ! -path "/proc/*" ! -path "/root/*" ! -path "/selinux/*" ! -path "/share/*" ! -path "/snapshot/*" ! -path "/squidcache/*" ! -path "/src/*" ! -path "/srv/*" ! -path "/sys/*" ! -path "/tmp/*" ! -path "/var/*" -exec file {} \; | grep ELF | cut -f1 -d":" > /tmp/ELF_FILES

I tried to use “xargs” like so

find / type -f -print | xargs -0 file | grep ELF | cut -f1 -d":" > /tmp/ELF_FILES

but I ended up getting that dreaded “arguments too long” after I added the “-0” because at first I recevied the dreaded xargs single quotes problem … so I cut the corner and wasted CPU cycles doing it the loooooong way.

Once you have the file /tmp/ELF_FILES you run the content of the file spitting out only single file names through following command:


for f in `cat /tmp/ELF_FILES`; do
  readelf -S $f | grep -q prelink
  if [ $? -eq 0 ]; then echo $f >> /tmp/ELF_FILES_PRELINKED; fi
done

For the last step I needed prelink again, so I re-installed it

yum install prelink

but also made sure that I turned off prelinking in /etc/sysconfig/prelink

Then all you have to do is

for f in `cat /tmp/ELF_FILES_PRELINKED`; do
  prelink -uf $f
done

and a last

yum remove prelink

Gone, for good.

 

Leave a Comment

Your email address will not be published. Required fields are marked *

You must tick the checkbox for 'I am not a robot' before you can submit your comment!