[CentOS-es] CentOS 7 and Samba 4.1.1: force user does not work.
Hello everyone,

I have a problem with the Samba configuration in smb.conf. I used to use force user = usuario, but now I have to use valid users = usuario; so far so good. The problem I have now is that if I put the following in smb.conf:

valid users = usuario
force group = grupo

files that are shared and dropped via a UNC path from a Windows machine end up owned by usuario:grupo.

Before, I had it set up as follows and it worked fine:

force user = apache
force group = apache

When creating files and directories it left them as apache:apache; now, with this version of CentOS 7 and Samba 4.1, it does not let me use force user = usuario, only force group. Is there any way to do it as before, when I used Samba 3.x?

Many thanks. Kind regards.
___
CentOS-es mailing list
CentOS-es@centos.org
http://lists.centos.org/mailman/listinfo/centos-es
[CentOS-es] Proxy cluster
Hello, I am turning to your experience to ask whether it is possible to build a proxy server cluster made up of 2 proxy servers that store the squid logs, that is, access.log, in a single file located on a remote share mounted on both servers. Is that possible? Thanks
Re: [CentOS-es] Proxy cluster
You can do it in three ways:

- Software cluster with Conga or Pacemaker, using an IP as the resource for the squid servers. In that case you will have to put the logs on NFS or on some clustered filesystem.
- Putting a load balancer in front of the 2 squids and putting the logs on NFS, remote logging of the access log, or some clustered filesystem.
- Installing the proxy on two machines, doing remote logging of access.log, and using a proxy configuration file so that it chooses the proxy to use.

But I am sure you will find something on Google if none of my ideas convince you.

Regards,
Julio Villarreal
http://www.juliovillarreal.com
Re: [CentOS-es] Proxy cluster
Hello, thanks for replying. What I was getting at is whether it is possible for 2 servers to write to the same remote file.
Re: [CentOS-es] Proxy cluster
Rsyslog
Re: [CentOS] php-fpm on centos 6
On 22 Aug 2014, at 21:27, Александр Кириллов nevis...@infoline.su wrote:
> Does it? There's mod_fastcgi in rpmforge but I don't feel quite comfortable with packages from this repo.
>
> Eero Volotinen wrote on 2014-08-22 22:46:
>> Remi repo provides it?
>>
>> On 22.8.2014 at 20.59, Александр Кириллов nevis...@infoline.su wrote:
>>> What's the story with php-fpm on centos 6? There's a php-fpm rpm for centos 6 in epel but other essential mods like mod_fastcgi or mod_proxy_fcgi seem to be missing from the repos I'm usually using. Need a push in right direction.

mod_fastcgi is extremely old and dead. If I remember it is superseded by mod_fcgid which became part of the Apache core and actively maintained (or something, sry this is from memory many years ago)

mod_proxy_fcgi is also very much dead. Not updated since 2006.

EPEL has mod_fcgid in it and you should absolutely use it, along with suexec, if you need fcgi process management for php-cgi.

When using php-fpm you do not need any of the above modules as the above modules are fpms that interact with cgi processes having fastcgi support (such as php-cgi). php-fpm IS an fpm, written by PHP team.

If you want to use php-fpm as the fpm you merely need to use mod_proxy as-is since php-fpm is pretty much a stand alone server - you just proxy your php request to it with ProxyPass.

For simple servers like pure PHP you may benefit greatly speed wise from Nginx, and support from PHP software (WordPress / Drupal etc) is now very wide. For huge feature sets, modules, and variety, Apache though.

Hope this helps. I'd been running LAMP stacks for over 6 years and LNMP for last 2.

Jason
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] php-fpm on centos 6
Sorry let me fix this. 7am is clearly too early for brain function :( Just ignore my last mess email

On 23 Aug 2014, at 06:59, Jason Woods de...@jasonwoods.me.uk wrote:
> mod_proxy_fcgi is also very much dead. Not updated since 2006.
>
> When using php-fpm you do not need any of the above modules as the above modules are fpms that interact with cgi processes having fastcgi support (such as php-cgi).

mod_fastcgi is gone. That's now fcgid.

mod_proxy_fcgi is not dead. It's too new for centos 6 though. It needs apache 2.4 and centos has lower (2.2?) I think. Thus you'd need to build apache yourself or find packages in rpm forge or something as it requires apache 2.4 and this module for proxy to fcgi.

You can see the module doesn't exist for 2.2 here: http://httpd.apache.org/docs/2.2/mod/
But does for 2.4: http://httpd.apache.org/docs/2.4/mod/

To summarise, what you want to do will need apache 2.4. Or just use the old school php-cgi and mod_fcgid.

Other option is nginx and fastcgi_pass. Benefit here is you can use unix socket if php-fpm is local to drop the TCP overhead

> For simple servers like pure PHP you may benefit greatly speed wise from Nginx, and support from PHP software (WordPress / Drupal etc) is now very wide. For huge feature sets, modules, and variety, Apache though.

Sorry for confusion. No more emails this early. Coffee first.

Jason
Re: [CentOS] php-fpm on centos 6
> mod_fastcgi is gone. That's now fcgid.
>
> mod_proxy_fcgi is not dead. It's too new for centos 6 though. It needs apache 2.4 and centos has lower (2.2?) I think. Thus you'd need to build apache yourself or find packages in rpm forge or something as it requires apache 2.4 and this module for proxy to fcgi.
>
> You can see the module doesn't exist for 2.2 here: http://httpd.apache.org/docs/2.2/mod/
> But does for 2.4: http://httpd.apache.org/docs/2.4/mod/
>
> To summarise, what you want to do will need apache 2.4. Or just use the old school php-cgi and mod_fcgid.
>
> Other option is nginx and fastcgi_pass. Benefit here is you can use unix socket if php-fpm is local to drop the TCP overhead

Thanks, Jason! I've been using php-cgi, mod_fcgid and suexec combo for years on my servers. Now I want to run php apps in UserDir with user credentials. This probably can be achieved with mod_fcgid and suexec but it seems like I'd need separate fcgi configs and cgi wrappers under suexec docroot for each user. If you know of a simpler way please share your experience.
Re: [CentOS] php-fpm on centos 6
Mihamina Rakotomandimby wrote on 2014-08-23 08:49:
> On 08/22/2014 11:27 PM, Александр Кириллов wrote:
>> Does it? There's mod_fastcgi in rpmforge but I don't feel quite comfortable with packages from this repo.
>
> Just check the spec file from the src.rpm and see if you find something suspicious. Or, if you have a bit more spare time, check the spec file and just rebuild it.

Thanks, Mihamina! That's what I did but I'm not sure I'll be using this mod on production servers.
Re: [CentOS] php-fpm on centos 6
On 23 Aug 2014, at 08:15, Александр Кириллов nevis...@infoline.su wrote:
> Thanks, Jason! I've been using php-cgi, mod_fcgid and suexec combo for years on my servers. Now I want to run php apps in UserDir with user credentials. This probably can be achieved with mod_fcgid and suexec but it seems like I'd need separate fcgi configs and cgi wrappers under suexec docroot for each user. If you know of a simpler way please share your experience.

To be fair you'd still need separate configs for each user even with php-fpm to set the user/group for the processes and to set the sessions path.

I always did it that way. Unique wrappers for each user and apache config for each user setting the suexec user group etc. I had shell scripts to generate them for me.

Even with nginx you need config per user but at least you don't need any wrappers - you do need a php-fpm config per user tho so it's about the same work. I shell scripted this too.

Jason
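A per-user php-fpm pool of the kind described in the message above (own user/group and own session path per account), as an added example that is not code from the thread. The socket directory, the `nginx` web user, the `public_html` layout, the session directory name and the pool sizes are assumptions.

```python
import re

# Assumption: account names follow this conservative POSIX-style pattern.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Assumption: paths contain only these characters (no newlines, ';' or brackets).
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]+")

# One pool section per account. The directives are standard php-fpm pool
# settings; the values are illustrative.
POOL_TEMPLATE = """\
[{user}]
user = {user}
group = {group}
listen = {socket_dir}/{user}.sock
listen.owner = {web_user}
listen.group = {web_user}
listen.mode = 0660
pm = dynamic
pm.max_children = {max_children}
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
php_admin_value[session.save_path] = {home}/.php-sessions
php_admin_value[open_basedir] = {home}/public_html:{home}/.php-sessions
"""


def _check_name(label, value):
    # fullmatch, not match: a value such as "bob\nuser = root" must not be
    # able to smuggle a second directive into the generated file.
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("unsafe %s: %r" % (label, value))
    return value


def _check_path(label, value):
    if not PATH_RE.fullmatch(value) or ".." in value.split("/"):
        raise ValueError("unsafe %s: %r" % (label, value))
    return value.rstrip("/")


def render_pool(user, group=None, web_user="nginx", home=None,
                socket_dir="/var/run/php-fpm", max_children=5):
    """Return the text of one php-fpm pool section for a single account."""
    user = _check_name("user", user)
    if user == "root":
        raise ValueError("refusing to generate a pool that runs as root")
    group = _check_name("group", group or user)
    web_user = _check_name("web_user", web_user)
    home = _check_path("home", home or "/home/" + user)
    socket_dir = _check_path("socket_dir", socket_dir)
    # pm.max_spare_servers (2) may not exceed pm.max_children.
    if not 2 <= int(max_children) <= 50:
        raise ValueError("max_children out of range: %r" % (max_children,))
    return POOL_TEMPLATE.format(user=user, group=group, web_user=web_user,
                                home=home, socket_dir=socket_dir,
                                max_children=int(max_children))


def render_pools(users):
    """Map pool file name -> contents for a list of account names."""
    pools = {}
    for user in users:
        name = user + ".conf"
        if name in pools:
            raise ValueError("duplicate account: %r" % user)
        pools[name] = render_pool(user)
    return pools


if __name__ == "__main__":
    for filename, text in render_pools(["alice", "bob"]).items():
        print("# " + filename)
        print(text)
```

Each pool gets its own socket that only the web server account can open, so the web server picks the PHP identity by choosing which socket it passes a request to.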
Re: [CentOS] php-fpm on centos 6
Jason Woods wrote on 2014-08-23 11:44:
> On 23 Aug 2014, at 08:15, Александр Кириллов nevis...@infoline.su wrote:
>> Thanks, Jason! I've been using php-cgi, mod_fcgid and suexec combo for years on my servers. Now I want to run php apps in UserDir with user credentials. This probably can be achieved with mod_fcgid and suexec but it seems like I'd need separate fcgi configs and cgi wrappers under suexec docroot for each user. If you know of a simpler way please share your experience.
>
> To be fair you'd still need separate configs for each user even with php-fpm to set the user/group for the processes and to set the sessions path.
>
> I always did it that way. Unique wrappers for each user and apache config for each user setting the suexec user group etc. I had shell scripts to generate them for me.
>
> Even with nginx you need config per user but at least you don't need any wrappers - you do need a php-fpm config per user tho so it's about the same work. I shell scripted this too.

I suspected as much :( Seems like fpm isn't worth the effort after all though sharing the opcode cache by php-fpm workers might be interesting. Thanks a lot for your input!
Re: [CentOS] php-fpm on centos 6
> I suspected as much :( Seems like fpm isn't worth the effort after all though sharing the opcode cache by php-fpm workers might be interesting. Thanks a lot for your input!

You're welcome! I'll say though that I did see a boost in response times (can't remember how much but noticeable) when I switched to fpm. So it may still be worth considering, though on CentOS 6 Nginx will be an easier setup and more maintained than rolling one's own. With SSL and official Nginx repo you'll get things like SPDY too.
Re: [CentOS] php-fpm on centos 6
Jason Woods wrote on 2014-08-23 12:28:
>> I suspected as much :( Seems like fpm isn't worth the effort after all though sharing the opcode cache by php-fpm workers might be interesting. Thanks a lot for your input!
>
> You're welcome! I'll say though that I did see a boost in response times (can't remember how much but noticeable) when I switched to fpm. So it may still be worth considering, though on CentOS 6 Nginx will be an easier setup and more maintained than rolling one's own. With SSL and official Nginx repo you'll get things like SPDY too.

Yeah, maybe I should get out of the groove and try something new like many other fearless old farts on this list do :) Just kidding.
Re: [CentOS] NetworkManager
On Fri, 22 Aug 2014, Les Mikesell wrote:
> On Fri, Aug 22, 2014 at 5:18 PM, Digimer li...@alteeve.ca wrote:
> More important with regards to the minimal install set it matches what Red Hat is doing.
> And most of us *still* don't like it
> mark
> Time is ticking on... The longer you avoid learning what is coming, the further behind your peers you will fall.
> Except that wasting time re-learning a new and strange way to do something that already worked - or how to disable the new thing so it doesn't break your working setup - doesn't really put you ahead of anything.

I hate network mangler as much as the next guy but is it really worth all of the whining when all it takes to disable it is:

systemctl disable NetworkManager
systemctl enable network
systemctl stop NetworkManager
systemctl start network

And now you are back to the old behavior. Red Hat even went to the trouble of documenting it for you at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Network_configuration-Bridged_networking_with_libvirt.html

Regards,
--
Tom m...@tdiehl.org
Spamtrap address me...@tdiehl.org
Re: [CentOS] Upgrade to m7.0 retaining some existing partitions
On Friday 22 August 2014 14:00:45 you wrote:
> On 19.08.2014 08:44, Tony Molloy wrote:
>> I want to install 7.0 replacing an existing 6.5 installation. When I choose custom partitioning I can delete the old 6.5 partitions and create new partitions 7.0 but there doesn't appear to be any way to retain an existing partition, say /home for instance, over the installation. Am I just missing something obvious or any ideas on what the magic is.
>
> Hi Tony
> Did you receive an answer to your question ? I didn't see anything on the list ! I'm interested too. Thank you

No but I sorted it out myself. I just took a chance, it was on a test server anyway ;-)

In the disk partitioning screen you will see the old 6.5 installation. Clicking on it will bring up the existing 6.5 partitions. Then select each of the existing partitions and a configuration menu comes up which allows you to reformat the partition if required. So just don't reformat the partitions you want to keep. They then become part of the new 7.0 installation.

Hope this helps.

Regards,
Tony
--
Linux nogs.tonyshome.ie 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[CentOS] CentOS-announce Digest, Vol 114, Issue 12
Today's Topics: 1. CEBA-2014:C001 CentOS 7 libguestfs BugFix Update (Johnny Hughes)

Message: 1
Date: Fri, 22 Aug 2014 17:27:26 +
From: Johnny Hughes joh...@centos.org
Subject: [CentOS-announce] CEBA-2014:C001 CentOS 7 libguestfs BugFix Update
To: centos-annou...@centos.org
Message-ID: 20140822172726.ga9...@n04.lon1.karan.org

CentOS Errata and BugFix Advisory 2014:C001

Upstream details at : http://bugs.centos.org/view.php?id=7364

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

NOTE: This is a rebuild of the libguestfs SRPM to fix CentOS bug 7364 ... there is no modification to the actual source code, just needed to be built against a new centos-release file.

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net
Re: [CentOS] NetworkManager
On Sat, August 23, 2014 5:00 am, m...@tdiehl.org wrote:
> I hate network mangler as much as the next guy but is it really worth all of the whining when all it takes to disable it is:

It would be worth whining about it if anybody of decision makers ever listened to these complaints. As some day reverting to old behavior option will be gone. But most likely no one will listen to all our whining, and all the decisions are already made at least a year ago... so you probably are 100% right: all our whining serves is just to let our own steam out. Once we realize it we start looking for alternatives, - for the servers at least.

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] NetworkManager
You are whining about something FREE…don’t like it, don’t use it….if you had a PAID RHEL sub, upstream to Cent, on then bitch…..but whining about something free, well
[CentOS] SELinux vs. virsh
On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
> On 08/21/2014 10:03 AM, Bill Gee wrote:
>> On Thursday, August 21, 2014 12:00:03 centos-requ...@centos.org wrote:
>>> Re: [CentOS] SELinux vs. logwatch and virsh
>>> From: Daniel J Walsh dwa...@redhat.com
>>> To: CentOS mailing list centos@centos.org
>>>
>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>>> Hi Dan -
>>>>
>>>> ausearch -m avc -ts recent produces no output. If I run it as ausearch -f virsh then it produces output similar to this. Each day's run of logwatch produces three of these audit log entries. The a1 and a2 values are different for each entry, but everything else is the same.
>>>>
>>>> ===
>>>> time-Mon Aug 18 03:21:03 2014
>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c03e syscall=21 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm=bash exe=/usr/bin/bash subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>>> type=AVC msg=audit(1408350063.257:7492): avc: denied { read } for pid=2816 comm=bash name=virsh dev=dm-0 ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>>> ===
>>>>
>>>> I thought about using audit2allow as you suggest. The problem is then I don't really know what change is required. What exactly will it do? And is there a guarantee that it will work?
>>>
>>> logwatch is executing virsh probably to communicate with libvirt to rotate logs or something. You can look in /etc/logrotate.d for a script with virsh to tell you what the command is trying to do.
>>
>> Hi Dan -
>>
>> I know EXACTLY what virsh is being called for. I wrote the script! It has nothing to do with logrotate. I want virsh to tell logwatch what the status is of all virtual machines running on the host. Logwatch will then include that in its daily summary report. SELinux is getting in the way.
>>
>> Regards - Bill Gee
>
> Well logrotate is calling the script, and you just need to add the allow rules to allow logrotate to execute the script and communicate with libvirt. Or you need to run the script in a separate cron job to collect the data before the logrotate script runs.

Hi Dan -

Oops, I screwed up the subject line on the last posting. Hopefully corrected with this message.

Comment - I changed my configuration so that virsh is run by a script in cron.daily rather than being called from logwatch. It saves output to a file in /tmp. Logwatch was changed to simply cat the file. However, this STILL produces an SELinux violation. I am not any closer to the goal.

Question - How do I add an allow rule to SELinux? What exactly is to be allowed and how is SELinux told to do it? Here is what ausearch finds:

=
time-Sat Aug 23 03:06:04 2014
type=SYSCALL msg=audit(1408781164.014:1373): arch=c03e syscall=2 success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fff a3=7fffb24e31d0 items=0 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm=cat exe=/usr/bin/cat subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408781164.014:1373): avc: denied { open } for pid=25742 comm=cat path=/tmp/libvirt-status dev=dm-0 ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
=

Observation - My original idea on this is to have logwatch execute virsh directly. I know it is possible to make that work. The same computer has two other logwatch items that I created. One of them runs uptime and the other runs sensors. Both work perfectly. I see that the uptime and sensors programs are set for SELinux type=bin_t, which is not the same as what virsh is set for. I think what I need to do is figure out how to ADD (not replace) a new type on the virsh program.

Thanks - Bill Gee
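How the two AVC denials quoted in this message map onto allow rules, as an added example that is not part of the original post and not the audit2allow tool itself. The sample records are constructed from the ones in the message, written in raw audit.log form with the quoting the archive stripped; the module name `local_logwatch` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two denials in raw audit.log form, plus one
# SYSCALL record (shortened) to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408350063.257:7492): syscall=21 success=no exit=-13 comm="bash" exe="/usr/bin/bash"
type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC\s.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(match.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "source": selinux_type(fields["scontext"]),   # domain that was denied
        "target": selinux_type(fields["tcontext"]),   # label on the object
        "tclass": fields["tclass"],
        "perms": set(match.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name", "?"),
    }


def collect(lines):
    """Merge denials into {(source, target, tclass): set of permissions}."""
    merged = defaultdict(set)
    for line in lines:
        denial = parse_avc(line)
        if denial:
            key = (denial["source"], denial["target"], denial["tclass"])
            merged[key] |= denial["perms"]
    return merged


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_rules(lines):
    """Return one 'allow' statement per (source, target, class) triple."""
    return ["allow %s %s:%s %s;" % (src, tgt, cls, fmt_perms(perms))
            for (src, tgt, cls), perms in sorted(collect(lines).items())]


def render_module(name, lines):
    """Return type-enforcement source for a local policy module."""
    merged = collect(lines)
    types = sorted({t for (src, tgt, _cls) in merged for t in (src, tgt)})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in merged.items():
        classes[cls] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + build_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("local_logwatch", SAMPLE_AUDIT_LOG.splitlines()))
```

The printed text is policy-module source to read before anything is loaded; compiling and installing it is done with checkmodule, semodule_package and semodule.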
Re: [CentOS] NetworkManager
On Sat, August 23, 2014 8:42 am, William Woods wrote:
> You are whining about something FREE…don’t like it, don’t use it….if you had a PAID RHEL sub, upstream to Cent, on then bitch…..but whining about something free, well

Was I that unclear that I sounded like the one who keeps whining? I tried to say that the moment we could affect anything has passed a year or two ago. That was the time the systemd introduction into all Linuxes was made. It is done deal now, and the last one of the major distros - debian (and its clones) - goes systemd in next release. So, it is not RH, it is all of them built on Linux kernel... And yes, I did start using something else (FreeBSD) for servers a while ago. Also free. Also open source. Better suited for servers in my book (your mileage may differ ;-)

Alas, not all of the decisions that are made in/by open source programmer (steering) teams can be affected by us. They are achieved in the battles, and there are arguments on our side that are made then. But. As I said to one of my users: KDE-3 person, who hates KDE-4, stays with KDE-3 while it lasts. Brilliant programmers who create this software need to make progress as _they_ see it. And this (making these fundamental for us changes) often is their only reward for the great programming job they are doing. Let's be grateful to them.

And as we know, not all of the changes is really a progress, even if they give you very fast boot as systemd does, or pretend to give you more security as SELinux advertizes in its name. I was displeased by introduction of SELinux into mainstream kernel back then. As, it is not a good defense in a first place (can it be if you can switch it off on the fly? and after that things are as if it is not there). On the other hand it is extra dozens of thousands of lines of code in the kernel, which may have bugs with security implications. Which down the road proved to be true - search for SELinux security patch. Still, even disagreeing with something I kept living with it for quite some time. But one day the time came to switch servers to better (in my book; your mileage may be different ;-) alternative.

Oh, yes, I should have mentioned SELinux competitive security solution. it was LIDS (Linux Intrusion Detection System). The name is a bit confusing. In three words: It was sort of kernel patch that after boot demotes root to user nobody. So after boot you can not administer the system at all. On the fly the system is locked. Dead locked. Makes more sense to me (security wise) than SELinux, but SELinux made it into mainstream kernel instead of LIDS...

The suggestion you made to switch to commercial system [sorry I brought your suggestion one step further in the same direction, oh I'm really tricky person] is quite in line with what commercial vendors would like to happen to free (as free beer) competitive software: users, feel this free software is as nasty as our commercial alternative is. So you may look at better sides of commercial software, and come back to us. This may be strategic thought behind such events as acquisition of widest used database mysql by most famous database company oracle. Another example may be proving an opposite (I mean cups acquired by Apple, the reason here could be mere survival of cups that Apple is going to keep using themselves).

So, for good or for bad, after letting all of our steam out about bad decisions in the system we love or used to love (and I was happy with Linux, - RedHat and CentOS in particular, - for much longer than decade) we can bite the bullet, realize that the life is such, and Linux from now on is such, and start continuing our life with Linux (while the enterprise life cycle lasts ;-) or with alternatives, - those of us who found them more adequate. One way or another whining of all of us who is displeased only serves to let our own steam out.

Valeri
[CentOS] color is not known to server FOREGROUND
I asked about this a while back with no response, but now have a bit more information. Still no idea how to fix it.

I am occasionally seeing the above error when running various programs. Originally, I discovered it when running the display command from ImageMagick.

    $ display picture.jpg
    display: color is not known to server `FOREGROUND': No such file or directory @ error/xwindow.c/XGetPixelPacket/3064.

No picture is displayed. GraphicsMagick does the same thing, but it shows the picture:

    $ gm display picture.jpg
    gm display: Unable to load font (-*-helvetica-medium-r-normal--12-*-*-*-*-*-iso8859-1) [Resource temporarily unavailable].
    gm display: Color is not known to server (FOREGROUND) [No such file or directory].
    gm display: Color is not known to server (BACKGROUND) [No such file or directory].

I have now discovered a tcl/tk program that appears to have the same issue:

    $ ./Mobi_Unpack.pyw
    Traceback (most recent call last):
      File ./Mobi_Unpack.pyw, line 211, in module
        sys.exit(main())
      File ./Mobi_Unpack.pyw, line 202, in main
        root = Tkinter.Tk()
      File /usr/lib64/python2.7/lib-tk/Tkinter.py, line 1745, in __init__
        self.tk = _tkinter.create(screenName, baseName, className, interactive, wantobjects, useTk, sync, use)
    _tkinter.TclError: unknown color name BACKGROUND

My reading indicates that this may be due to an issue with the xorg rgbpath declaration, but I don't know how to check what xorg is actually using (since the rgbpath declaration doesn't appear in any of the files in the xorg.conf.d subdirectory). /usr/share/X11/rgb.txt is present, though. Where and how are FOREGROUND and BACKGROUND defined for this purpose?

-- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com
___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NetworkManager
On 2014-08-23, Valeri Galtsev galt...@kicp.uchicago.edu wrote: The suggestion you made to switch to commercial system [sorry I brought your suggestion one step further in the same direction, oh I'm really tricky person] is quite in line with what commercial vendors would like to happen to free (as free beer) competitive software: users, feel this free software is as nasty as our commercial alternative is. I don't think that's precisely the issue. The issue (to me anyway) is that people are complaining about free software *whose explicitly stated goal is to remain as closely as possible to the commercial upstream*. If this were a base distro like Debian or Slackware, then people could legitimately complain that Debian was moving to systemd, because the Debian maintainers made that decision. The CentOS maintainers did not! So it's not really about free vs. nonfree, it's about who the deciders are. Since I mentioned it, Slackware might be a reasonable compromise for those of you who prefer a more ''purist'' (whatever that means) environment but don't want to completely break away from linux. When I was an active Slackware user I heard the comparison that Slackware was the most *BSD-like of the linux distros. --keith -- kkel...@wombat.san-francisco.ca.us
Re: [CentOS] NetworkManager
On 08/22/2014 07:42 PM, Digimer wrote: On 22/08/14 07:07 PM, Les Mikesell wrote: On Fri, Aug 22, 2014 at 5:46 PM, Digimer li...@alteeve.ca wrote: To continue your analogy, should car companies have stopped changing after the 20s? I mean, the cars then got you where you needed to go, right? The point is to abstract an interface so you can make changes behind it without breaking the things already built around it. You can always add things without breaking anything that already worked for your community of users. If you didn't care about that yourself, you'd be recompiling a gentoo weekly instead of being here. To echo John, this is a major release. It's where, when needed, things can change and break backwards compatibility. If a change like this happened as a y-stream release, sure, I'll grab my pitch fork along with you. It's not realistic to expect backwards compatibility to last forever. The sysv init stuff had a good long run, but it was time to change. Now, you're welcome to disagree with me (and the archives are littered already with this argument), but in the end, it changed. A major version was the right place to do it, and now it is done. So this brings me back to my original point... Unless you plan to wage a war against things like Network Manager, systemd or what have you in the faint hope of reverting in the next major release, you don't have a lot of viable long term options. Learn the new ways or fade from relevance. I say this without passing judgment on the merits of the new or old ways, simply as a fact of life. Even if you did hold out hope for, say, RHEL 8 to return to the old ways, you will have a hard time avoiding EL7. It will almost certainly be adopted wide-scale and that will provide inertia. NetworkManager is the Windows world way of doing things for people that don't really understand what is going on. I see no use for it and immediately disable it. But it pains me to have to take the time.
-- Stephen Clark *NetWolves Managed Services, LLC.* Director of Technology Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com
Re: [CentOS] NetworkManager
On 2014-08-23, Steve Clark scl...@netwolves.com wrote: NetworkManager is the Windows world way of doing things for people that don't really understand what is going on. I see no use for it and immediately disable it. But it pains me to have to take the time. If you do it often enough, you should probably create a kickstart file, install image (e.g., Docker/KVM), or similar, which already has it disabled. I already do this for my OpenVZ images, which are preconfigured for my desires. And if that's too much work then it's probably not too often that you need to manually disable it. :) --keith -- kkel...@wombat.san-francisco.ca.us