Re: [CentOS] KVM HA

2016-06-21 Thread Barak Korren
>
> My question is: Is this even possible? All the documentation for HA that I've
> found appears to not do this. Am I missing something?

You can use oVirt for that (www.ovirt.org).
For that small number of hosts, you would probably want to use the
"hosted engine" architecture to co-locate the management engine on the
same hypervisor hosts.
It is included by the CentOS virtualization SIG, so on CentOS it is
just a couple of 'yum install's away...

HTH,

-- 
Barak Korren
bkor...@redhat.com
RHEV-CI Team
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] KVM HA

2016-06-21 Thread Digimer
On 22/06/16 01:01 AM, Tom Robinson wrote:
> Hi,
> 
> I have two KVM hosts (CentOS 7) and would like them to operate as High
> Availability servers, automatically migrating guests when one of the hosts
> goes down.
>
> My question is: Is this even possible? All the documentation for HA that I've
> found appears to not do this. Am I missing something?

Very possible. It's all I've done for years now.

https://alteeve.ca/w/AN!Cluster_Tutorial_2

That's for EL 6, but the basic concepts port perfectly. In EL7, just
change out cman + rgmanager for pacemaker. The commands change, but the
concepts don't. Also, we use DRBD but you can conceptually swap that for
"SAN" and the logic is the same (though I would argue that a SAN is less
reliable).

There is an active mailing list for HA clustering, too:

http://clusterlabs.org/mailman/listinfo/users

> My configuration so far includes:
>
>  * SAN Storage Volumes for raw device mappings for guest vms (single volume
>    per guest).
>  * multipathing of iSCSI and Infiniband paths to raw devices
>  * live migration of guests works
>  * a cluster configuration (pcs, corosync, pacemaker)
>
> Currently when I migrate a guest, I can all too easily start it up on both
> hosts! There must be some way to fence these off but I'm just not sure how to
> do this.

Fencing, exactly.

What we do is create a small /shared/definitions (on gfs2) to host the
VM XML definitions and then undefine the VMs from the nodes. This makes
the servers disappear on non-cluster aware tools, like
virsh/virt-manager. Pacemaker can still start the servers just fine and
pacemaker, with fencing, makes sure that the server is only ever running
on one node at a time.

> Any help is appreciated.
> 
> Kind regards,
> Tom

We also have an active freenode IRC channel; #clusterlabs. Stop on by
and say hello. :)

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?


[CentOS] KVM HA

2016-06-21 Thread Tom Robinson
Hi,

I have two KVM hosts (CentOS 7) and would like them to operate as High
Availability servers, automatically migrating guests when one of the hosts
goes down.

My question is: Is this even possible? All the documentation for HA that I've
found appears to not do this. Am I missing something?

My configuration so far includes:

 * SAN Storage Volumes for raw device mappings for guest vms (single volume
   per guest).
 * multipathing of iSCSI and Infiniband paths to raw devices
 * live migration of guests works
 * a cluster configuration (pcs, corosync, pacemaker)

Currently when I migrate a guest, I can all too easily start it up on both
hosts! There must be some way to fence these off but I'm just not sure how to
do this.

Any help is appreciated.

Kind regards,
Tom


-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au





Re: [CentOS-es] Samba 4 Domain Controller

2016-06-21 Thread Fausto Disla
Thank you very much, I will read them and see how it goes. Thank you very much.
On Jun 21, 2016 8:38 PM, "Juan Carlos Lara Quintana" wrote:

> Greetings.
>
> I was told on the CentOS mailing list that you were asking for help
> getting started with domain controllers (Active Directory in this
> case) with samba4.
> I should clarify a couple of things: the tests I did were done on CentOS
> 6; I have not used CentOS 7 yet. Also, I always do a minimal installation.
>
> That said, recommended reading (assuming you know English):
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> https://wiki.samba.org/index.php/Time_syncronisation
> https://wiki.samba.org/index.php/DNS_Configuration_Windows
> https://wiki.samba.org/index.php/Joining_a_Windows_host_to_a_domain
>
> The articles generally give the concepts needed to understand what is
> being done, especially the first one, which talks about DNS and NetBIOS,
> since they are the basis of how domain controllers work in
> general.
> It is suggested to read them in the order listed.
> After that, the other articles describe well, in general, how to
> proceed with the installation from scratch.
>
> Assuming you already know the basics of CentOS (version 7 in your case),
> such as starting/stopping services, etc., some additional suggestions
> would include (listed in order):
>
> --First of all, in /etc/sysconfig/network-scripts/ifcfg-(device)
> make sure of at least these changes:
> change the value of NM_CONTROLLED=yes to 'no'; remove the DNS1=... lines and
> add the line PEERDNS=no.
> Restart the network service.
> --Described in the second article, but just as a reminder: do not install
> samba4 from the CentOS repository. Use Sernet
> https://portal.enterprisesamba.com/
> --The step about the PATH was not necessary for me, but again, I do not
> know about CentOS 7.
> --Once the correct repository is installed, install samba
> yum --enablerepo=sernet-samba-4.2 install python-crypto krb5-workstation ntp sernet-samba-ad
> (I use the enablerepo option because I do not like leaving the
> samba repository enabled by default; I disable it).
> --Disable SELinux and the firewall (iptables) at system startup.
> --Kerberos file generated by samba: /var/lib/samba/private/krb5.conf
> --When configuring NTP (3rd article), the ntp_signd directory for
> NTP and for ntpsigndsocket: /var/lib/samba/ntp_signd/
> --When specifying the address to get the time from, the article gives
> 0.pool.ntp.org as an example. The ntp.conf installed on CentOS comes with *4
> addresses*. Use them, and also restrict them so that they only provide the
> time (see article).
> --Start ntpd: systemctl enable ntpd, systemctl start ntpd
> --Initialize samba:
>   sed -i 's/SAMBA_START_MODE="none"/SAMBA_START_MODE="ad"/' /etc/default/sernet-samba
>   Start the sernet-samba-ad service and disable at system startup the
> services sernet-samba-nmbd, sernet-samba-smbd, and sernet-samba-winbindd.
> --Use samba-tool -h to start getting familiar with the samba
> administration tools.
> --The 4th and 5th articles seem more straightforward to understand.
>
> Finally, one more piece of information that may be useful to you (since it
> often happens). When a client computer is joined to a domain, sometimes it
> takes a *long* time to log in, but logs out normally and without problems.
> Or vice versa. In that case it is usually precisely that DNS is
> misconfigured (/etc/resolv.conf for the samba server and/or the 4th article
> for the Windows client).
>
> I hope it helps. Regards.
>
___
CentOS-es mailing list
CentOS-es@centos.org
https://lists.centos.org/mailman/listinfo/centos-es


Re: [CentOS] Any further developments on CentOS7 for i386?

2016-06-21 Thread Johnny Hughes
On 06/21/2016 05:22 PM, Kay Schenk wrote:
> 
> On 10/07/2015 01:05 PM, Johnny Hughes wrote:
>> On 10/07/2015 11:12 AM, Kay Schenk wrote:
>>> On Wed, Oct 7, 2015 at 6:21 AM, Johnny Hughes wrote:
>>>
>>>> On 10/06/2015 05:30 PM, Kay Schenk wrote:
>>>>> Well I haven't tested out the CentOS 7 for i386 yet as sent in the
>>>>> message of 06/02--
>>>>>
>>>>> https://lists.centos.org/pipermail/centos-devel/2015-June/013426.html
>>>>>
>>>>> Nor have I seen any additional information. So how is this going?
>>>>> I'm almost ready to jump in as I would really prefer to be on
>>>>> Gnome 3.
>>>>>
>>>>
>>>> We have moved it into place here, which is where it is going to live
>>>> permanently:
>>>>
>>>> http://mirror.centos.org/altarch/7/os/i386/
>>>>
>>>
>>> Ok, thanks. I may install this soonish...
> 
> Well I have not gotten to this. Since this is a "community" distro, are
> patches and updates provided in the same timeframe as they would be for
> CentOS 7 64-bit?
> 
> I don't readily see anything like a SIG mailing list or I'd ask there.
> 
> Thanks.
> 

Yes, I build the 32 bit updates at the same time I build the 64 bit
updates, as there are MultiLib packages required for the x86_64 tree.

These almost always get pushed at exactly the same time (certainly on
the same day) as the 64 bit updates.

The one exception to this is the kernel as there are some major
differences in kernels.  See this to see the diff:

http://bit.ly/28LHcgw

So kernel updates may take a day or two to build and test.

But the good news is, that Gnome bug is now completely gone, so no
action required for that any longer.

Thanks,
Johnny Hughes





Re: [CentOS] Install C7 VM on C6 Host

2016-06-21 Thread Earl A Ramirez
On 22 Jun 2016 08:02, "Boris Epstein" wrote:
>
> I would think the same as Gordon that as long as your 64-bit VM
> virtualization is running properly there should be no problem running C7 on
> a VM running under C6. May I ask what the initial doubt was based upon? Has
> anybody out there had such an issue before?
>
> Cheers,
>
> Boris.
>
I have over 20 C7 VMs on C6 hosts and never had any issues or challenges.

>
> On Tue, Jun 21, 2016 at 7:30 PM, Gordon Messmer wrote:
>
> > On 06/21/2016 04:06 PM, Mark LaPierre wrote:
> >
> >> Before I waste myself a bunch of time trying the impossible I figured I
> >> would ask if I can install an instance of C7 in a KVM based VM on a C6
> >> host.
> >>
> >
> >
> > Yes.
> >
> >


Re: [CentOS] Install C7 VM on C6 Host

2016-06-21 Thread Boris Epstein
I would think the same as Gordon that as long as your 64-bit VM
virtualization is running properly there should be no problem running C7 on
a VM running under C6. May I ask what the initial doubt was based upon? Has
anybody out there had such an issue before?

Cheers,

Boris.


On Tue, Jun 21, 2016 at 7:30 PM, Gordon Messmer wrote:

> On 06/21/2016 04:06 PM, Mark LaPierre wrote:
>
>> Before I waste myself a bunch of time trying the impossible I figured I
>> would ask if I can install an instance of C7 in a KVM based VM on a C6
>> host.
>>
>
>
> Yes.
>
>


[CentOS-es] Port 4567

2016-06-21 Thread Eliud Cardenas

Hello everyone,

I have a question: has any of you run into this:

4567/tcp open  tram

I have a CentOS 7 machine and I see this port open, but I cannot see what
opens it or why it is there.


Regards!



Re: [CentOS] Install C7 VM on C6 Host

2016-06-21 Thread Gordon Messmer

On 06/21/2016 04:06 PM, Mark LaPierre wrote:

> Before I waste myself a bunch of time trying the impossible I figured I
> would ask if I can install an instance of C7 in a KVM based VM on a C6 host.

Yes.



[CentOS] Install C7 VM on C6 Host

2016-06-21 Thread Mark LaPierre
Hey all,

Before I waste myself a bunch of time trying the impossible I figured I
would ask if I can install an instance of C7 in a KVM based VM on a C6 host.

-- 
_
   °v°
  /(_)\
   ^ ^  Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/



Re: [CentOS] Any further developments on CentOS7 for i386?

2016-06-21 Thread Kay Schenk


On 10/07/2015 01:05 PM, Johnny Hughes wrote:
> On 10/07/2015 11:12 AM, Kay Schenk wrote:
>> On Wed, Oct 7, 2015 at 6:21 AM, Johnny Hughes wrote:
>>
>>> On 10/06/2015 05:30 PM, Kay Schenk wrote:
>>>> Well I haven't tested out the CentOS 7 for i386 yet as sent in the
>>>> message of 06/02--
>>>>
>>>> https://lists.centos.org/pipermail/centos-devel/2015-June/013426.html
>>>>
>>>> Nor have I seen any additional information. So how is this going?
>>>> I'm almost ready to jump in as I would really prefer to be on Gnome 3.
>>>
>>> We have moved it into place here, which is where it is going to live
>>> permanently:
>>>
>>> http://mirror.centos.org/altarch/7/os/i386/
>>
>> Ok, thanks. I may install this soonish...

Well I have not gotten to this. Since this is a "community" distro, are
patches and updates provided in the same timeframe as they would be for
CentOS 7 64-bit?

I don't readily see anything like a SIG mailing list or I'd ask there.

Thanks.

>>> I am working on a wiki page now and we are still doing some testing, but
>>> the 32 bit arch should be completely usable right now and installable
>>> (in its final form) from these isos:
>>>
>>> http://mirror.centos.org/altarch/7/isos/i386/
>>>
>>> The 2 bugs listed in the link above are still there:
>>>
>>> 1.  If installing on a QEMU (kvm) i386 VM, you must modify the VM cpu to
>>> use "copy host cpu"
>>>
>>> http://bugs.centos.org/view.php?id=8748
>>>
>>> 2.  The gnome desktop will not exit or log out from the menu.
>>>
>>>   http://bugs.centos.org/view.php?id=8834
>>>
>>> Both have workarounds listed.
>>
>> um...hmmm...the non-logout from Gnome would certainly be a hassle for me,
>> but not the shutdown as I don't shutdown from GUI. OK, I will look further
>> into this before changing over.
>
> The GUI logout works fine once you:
>
> gsettings set org.gnome.SessionManager logout-prompt false




--

MzK

"Time spent with cats is never wasted."
   -- Sigmund Freud





[CentOS-announce] CEBA-2016:1266 CentOS 5 tzdata BugFix Update

2016-06-21 Thread Johnny Hughes

CentOS Errata and Bugfix Advisory 2016:1266 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-1266.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
980470351aa45a505738913c6b98e22543d182acb91410d9d23adcd5ce22efa4  
tzdata-2016e-1.el5.i386.rpm
f1ab933aec64ab8335388d2dc170670e6842c1828da3d9e6761d6ea4653bb729  
tzdata-java-2016e-1.el5.i386.rpm

x86_64:
14eea96779590f3a0a341ac8e144377cc2f5327c6e3df6d2757daf0e6a753123  
tzdata-2016e-1.el5.x86_64.rpm
27051668651683bf9255059ca73b75ad2a42dee0b97c38065f073feee90fdd25  
tzdata-java-2016e-1.el5.x86_64.rpm

Source:
2be0737a89567aab8fa13639cfd0f98a04e6f2b337d5604e470ca5d44740f557  
tzdata-2016e-1.el5.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: JohnnyCentOS

___
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce


[CentOS-announce] CESA-2016:1267 Important CentOS 6 setroubleshoot Security Update

2016-06-21 Thread Johnny Hughes

CentOS Errata and Security Advisory 2016:1267 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-1267.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
6162d2040eee1d468be25455dff5505b881b0e843848a0d770b47f8f7b6de9fe  
setroubleshoot-3.0.47-12.el6_8.i686.rpm
711deca2ead9d099e1ca7f7a951902a3c7380ba0afa701870a280d23a7cbce89  
setroubleshoot-doc-3.0.47-12.el6_8.i686.rpm
856cbc9cbfd54ebc46934f28aff9b56779aabc387ca4ecd5ebb0457572cf056e  
setroubleshoot-server-3.0.47-12.el6_8.i686.rpm

x86_64:
f108837ced085b3b45952528799c88f53bd1203d7e2f46e65c21a2ef9baa44ed  
setroubleshoot-3.0.47-12.el6_8.x86_64.rpm
0a76b22ee3f5d8bdcec67c3def7496f7c276c77db4bf23ac6cd5a208ed066260  
setroubleshoot-doc-3.0.47-12.el6_8.x86_64.rpm
8a91304bb9f4f120a78858f5e18555b43027997923b0a3a73bdaa2b3c5ecabb4  
setroubleshoot-server-3.0.47-12.el6_8.x86_64.rpm

Source:
64dea800d736c50ce5d72c06dad0cfb36857a46254d84f01131bd2a09da549d5  
setroubleshoot-3.0.47-12.el6_8.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



[CentOS-announce] CEBA-2016:1266 CentOS 7 tzdata BugFix Update

2016-06-21 Thread Johnny Hughes

CentOS Errata and Bugfix Advisory 2016:1266 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-1266.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
35e627912852d34e84ea76e5cbcadf233c7945185320fc0a8b2fa7e5e4ee2099  
tzdata-2016e-1.el7.noarch.rpm
688596a9be955e0f481845db5b41da2232ef701d56967971e2fe382be32fdad4  
tzdata-java-2016e-1.el7.noarch.rpm

Source:
32bbb097ae98767d8b45e3b38f03ae1c205eecaef6d1bcd58912fd6f5443a5fb  
tzdata-2016e-1.el7.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



[CentOS-announce] CEBA-2016:1266 CentOS 6 tzdata BugFix Update

2016-06-21 Thread Johnny Hughes

CentOS Errata and Bugfix Advisory 2016:1266 

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-1266.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
27275c88c15db6a83722068e6f998d74ccc00bafbb2a80cb4590b47b6ed9e5a2  
tzdata-2016e-1.el6.noarch.rpm
df6503b270368fa7f3b9147637e423ca6db45485f03072e9d5e273409d782007  
tzdata-java-2016e-1.el6.noarch.rpm

x86_64:
27275c88c15db6a83722068e6f998d74ccc00bafbb2a80cb4590b47b6ed9e5a2  
tzdata-2016e-1.el6.noarch.rpm
df6503b270368fa7f3b9147637e423ca6db45485f03072e9d5e273409d782007  
tzdata-java-2016e-1.el6.noarch.rpm

Source:
65814adef78cc1939847dc32f5ffbce8db34fc58acd8f1a002e002f5917ea638  
tzdata-2016e-1.el6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



Re: [CentOS] Package NetworkManager-libreswan-0.9.8.0-5.el7.x86_64.rpm is not signed

2016-06-21 Thread m . roth
John R Pierce wrote:
> On 6/21/2016 10:57 AM, Jules Bashizi wrote:
>> How to inst that Network manager please
>
> where is that unsigned package from? its not part of the standard
> repository, the standard network manager is...
>
> NetworkManager-1.0.6-29.el7_2.x86_64.rpm
>
I think perhaps Jules is confused. Assuming you're speaking of CentOS 7,
NetworkManager is installed by default. The *separate* packages of
NetworkManager-libreswan.x86_64 need to be installed separately.

yum list \*libreswan\*
1.0.6-3.el7  base
NetworkManager-libreswan-gnome.x86_64  1.0.6-3.el7  base
kde-plasma-networkmanagement-libreswan.x86_64  1:0.9.0.9-7.el7  base

 mark



Re: [CentOS] Package NetworkManager-libreswan-0.9.8.0-5.el7.x86_64.rpm is not signed

2016-06-21 Thread Johnny Hughes
On 06/21/2016 01:01 PM, John R Pierce wrote:
> On 6/21/2016 10:57 AM, Jules Bashizi wrote:
>> How to inst that Network manager please
> 
> where is that unsigned package from? its not part of the standard
> repository, the standard network manager is...
> 
> NetworkManager-1.0.6-29.el7_2.x86_64.rpm
> 
> 
> 

That version was from 7.0.1406 (our initial release) .. but it was
signed there:

[jhughes@T520 ~]$ rpm -qpi NetworkManager-libreswan-0.9.8.0-5.el7.x86_64.rpm
Name: NetworkManager-libreswan
Version : 0.9.8.0
Release : 5.el7
Architecture: x86_64
Install Date: (not installed)
Group   : System Environment/Base
Size: 274122
License : GPLv2+
Signature   : RSA/SHA256, Thu 03 Jul 2014 10:56:46 PM CDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : NetworkManager-libreswan-0.9.8.0-5.el7.src.rpm
Build Date  : Mon 09 Jun 2014 03:18:57 PM CDT
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager: CentOS BuildSystem 
Vendor  : CentOS
URL : http://ftp.gnome.org/pub/GNOME/sources/NetworkManager-openswan/0.9/
Summary : NetworkManager VPN plug-in for libreswan
Description :
This package contains software for integrating the libreswan VPN software
with NetworkManager and the GNOME desktop



To answer the OP's original question.  You install NetworkManager or
NetworkManager-libreswan with yum ..

yum install NetworkManager-libreswan

You COULD find unsigned packages on our buildlogs server if you really
tried .. that one is here:

http://buildlogs.centos.org/c7.00.02/NetworkManager-libreswan/20140529191754/0.9.8.0-5.el7.x86_64/

In any event, that is a very old package and what you (OP) are trying to
accomplish is not at all clear.





Re: [CentOS] Package NetworkManager-libreswan-0.9.8.0-5.el7.x86_64.rpm is not signed

2016-06-21 Thread John R Pierce

On 6/21/2016 10:57 AM, Jules Bashizi wrote:

> How to inst that Network manager please

where is that unsigned package from? its not part of the standard
repository, the standard network manager is...

NetworkManager-1.0.6-29.el7_2.x86_64.rpm



--
john r pierce, recycling bits in santa cruz



[CentOS] Package NetworkManager-libreswan-0.9.8.0-5.el7.x86_64.rpm is not signed

2016-06-21 Thread Jules Bashizi
How to inst that Network manager please


Worthy agent of Light


Jules Irenge
MSc Student
University of Liverpool


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Alexander Farber
I think I have finally figured it out -

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

says that "-j REDIRECT" is just a shortcut for "-j DNAT" with destination
address being the one of the interface:

"There is a specialized case of Destination NAT called redirection: it is a
simple convenience which is exactly equivalent to doing DNAT to the address
of the incoming interface."

And in my case that just can not work, because my CentOS 7 server has 4 IP
addresses.

(I am sorry, that I haven't mentioned it, because I didn't think it would
matter).

At "eth0" port 80 I have Apache+WordPress (which can drop root rights).

And at "eth0:1" port 8080 I run Jetty (which can not drop root rights). But
I need Jetty at port 80 (so that websockets work for corporate users behind
proxies) and I want it to run as user "nobody".

So I have created a custom systemd service file
/etc/systemd/system/websocket-handler.service to start Jetty:

[Unit]
Description=WebSocket Handler Service
After=network-online.target

[Service]
Type=simple
User=nobody
Group=nobody
ExecStart=/usr/bin/java -classpath '/usr/share/java/jetty/*' de.afarber.MyHandler 144.76.184.151:8080
ExecStop=/bin/kill ${MAINPID}
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

And now I have figured out, how to redirect the incoming requests with
net.ipv4.ip_forward=1 in /etc/sysctl.conf and with the following
/etc/sysconfig/iptables:

*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT

*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 80 -j DNAT --to-destination 144.76.184.154:8080
COMMIT

The only thing that I don't understand is if

:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT

is ok (and what it means here) or if I should use DROP.

I have tried few combinations... but I am not sure

Thank you
Alex
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
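
An added example, not part of the original post: a small Python check over a ruleset in the iptables-restore format shown in the message above. It reads each table's chain policies and rules, then reports nat chains whose policy is not ACCEPT and DNAT rewrites whose new port filter INPUT would not accept. The sample ruleset is constructed, 192.0.2.10 is a documentation address, the function names are hypothetical, and it assumes the DNAT target is an address of the same host.

```python
import shlex

# Constructed sample in iptables-restore format, modelled on the post's
# ruleset; 192.0.2.10 is a documentation address, not the poster's.
SAMPLE = """\
*filter
:INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
-A PREROUTING -p tcp --dst 192.0.2.10 --dport 80 -j DNAT --to-destination 192.0.2.10:8080
COMMIT
"""


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, opts)]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside a table: %r" % line)
        elif line.startswith(":"):
            # ":CHAIN POLICY [packets:bytes]" sets the chain's default policy.
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            current["rules"].append((tokens[1], tokens[2:]))
    return tables


def option(opts, *names):
    """Value following the first of `names` found in a rule, else None."""
    return next((opts[i + 1] for i, t in enumerate(opts[:-1]) if t in names), None)


def port_in(spec, port):
    """Match a --dport/--dports value such as '25,80,8000:8100'."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)


def input_accepts(tables, port, proto="tcp"):
    """Would filter INPUT accept a NEW `proto` packet to `port`?"""
    # Simplified model: only protocol, state and destination port are
    # evaluated; rules narrowed by interface or source are skipped.
    filt = tables.get("filter", {"policies": {}, "rules": []})
    for chain, opts in filt["rules"]:
        if chain != "INPUT" or option(opts, "-i", "-s", "--src", "--source"):
            continue
        if option(opts, "-p", "--protocol") not in (None, proto):
            continue
        state = option(opts, "--state", "--ctstate")
        if state and "NEW" not in state.split(","):
            continue
        ports = option(opts, "--dport", "--dports")
        if ports and not port_in(ports, port):
            continue
        verdict = option(opts, "-j")
        if verdict in ("ACCEPT", "DROP", "REJECT"):
            return verdict == "ACCEPT"  # first matching rule wins
    return filt["policies"].get("INPUT", "ACCEPT") == "ACCEPT"


def audit(text):
    """Return a list of findings for the ruleset (empty list: none)."""
    tables = parse_ruleset(text)
    nat = tables.get("nat", {"policies": {}, "rules": []})
    findings = []
    # nat chains only rewrite the first packet of a connection; filtering
    # belongs in the filter table, so nat policies normally stay ACCEPT.
    for chain, policy in sorted(nat["policies"].items()):
        if policy != "ACCEPT":
            findings.append("nat %s policy is %s" % (chain, policy))
    # Assumption (as in the post): the DNAT target is an address of this
    # host, so the packet reaches filter INPUT with the rewritten port.
    for chain, opts in nat["rules"]:
        if chain != "PREROUTING" or option(opts, "-j") != "DNAT":
            continue
        target = option(opts, "--to-destination") or ""
        new_port = target.partition(":")[2] or option(opts, "--dport")
        if new_port and not input_accepts(tables, int(new_port)):
            findings.append("DNAT to %s is not accepted by filter INPUT" % target)
    return findings


if __name__ == "__main__":
    # As posted, then with 8080 removed from the INPUT allow list.
    print(audit(SAMPLE), audit(SAMPLE.replace(",8080", "")))
```
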


Re: [CentOS] Pulling in broadwell support for cent6u5

2016-06-21 Thread jsl6uy js16uy
Thanks very much all for the responses
Apologies for delayed had a back injury keeping afk
Definitely have some food for thought

thanks all again

On Sat, Jun 18, 2016 at 10:51 PM, Anthony K  wrote:

> On 16/06/16 13:18, Johnny Hughes wrote:
>
>>
>>   .. the actual definition of a
>> 'CRITICAL' update from Red Hat's perspective is:
>>
>> "This rating is given to flaws that could be easily *exploited by a remote
>> unauthenticated attacker and lead to system compromise (arbitrary code
>> execution) without requiring user interaction*. These are the types
>> of vulnerabilities that can be exploited by worms. Flaws that require an
>> authenticated remote user, a local user, or an unlikely configuration
>> are not classed as Critical impact."
>>
>> Taken from:
>> https://access.redhat.com/security/updates/classification
>>
>
> I think it's time to add a another link to the mailman suffix.
>
> That bold section should scare anyone storing public data on their servers
> without keeping up with security updates whether critical or not!  I'd say
> that whole paragraph needs to be added to the Wiki somewhere and the email
> suffix modified to include a link to it.  This would give us a place to
> point people to - such as - *See link at bottom of signature, you  what you feel necessary here>*.
>
>
> ak.
>
>
> PS: Here's what my suggestion might look like:
> 
> --
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
> Latest CentOS Release - 7.v.wxyz -
> https://wiki.centos.org/read-this-if-centos-version-not-at-7.v.wxyz
> 
>
> And just as Johnny said - but what the heck do I know?
>
>


Re: [CentOS-es] OT Migrating public keys Fedora

2016-06-21 Thread César Martinez
Thanks Ricardo, I managed to solve it; I am sharing how I did it so that
someone else can solve it if this happens to them.


It is not a permissions or user problem; apparently, when backing up the keys
id_rsa and id_rsa.pub, it is as if they get protected when these files are
copied via sftp with Filezilla or anything other than the console. Once they
are copied to the folder /home/misuario/Docuemntos/respaldos, I send them from
there over ssh and then it does work: it does not ask for a password when
connecting to any of my servers. I tested this as well with the suggestion
Ernesto mentioned of creating the config file, that is, with or without this
file it connects the way I tested. I am now going to try the circular key
generation that Ernesto also mentioned; in case anyone is interested, here is
how to do it
http://www.server-world.info/en/note?os=Fedora_23=ssh=4


--
Kind regards

|César Martínez M. | Systems Engineer | SERVICOM
|Tel: (593-2)554-271 2221-386 | Ext 4501
|Mobile: 0999374317 |Skype servicomecuador
|Web www.servicomecuador.com Follow us on:
|Twitter: @servicomecuador |Facebook: servicomec
|Customer area: www.servicomecuador.com/billing
|Blog: http://servicomecuador.com/blog
|Address: Av. 10 de Agosto N29-140, between
|Acuña and Cuero y Caicedo
|Quito - Ecuador - South America

On 21/06/16 at 10:17, Ricardo J. Barberis wrote:

On Tuesday 21/06/2016, César Martinez wrote:

Thanks Epe, you know, I was running some tests with a Fedora 24 virtual
machine and I have this news:

1.- When I copy the keys via ssh to the .ssh/ directory of the
Fedora 24 virtual machine, and from there I connect to one of my
servers, it accepts the keys and does not ask for a password.

2.- When I copy the keys to a folder on my computer (as a backup),
connecting by ftp, sftp or ssh, copy them from there to the
.ssh/ directory of the Fedora 24 virtual machine, and from there connect to
one of my servers, it asks me for a password.

In either of the two cases I added the config file and its
contents following Ernesto's instructions. I am going to keep
investigating and googling because this has me stuck with the migration to
Fedora 24, but I do not want to lose key-based access to the servers;
if anyone else would like to contribute something more, thanks.

Check that the permissions ended up right at the destination (~/.ssh: 0700,
~/.ssh/id_rsa: 0600) and run a restorecon on it (restorecon -R -v ~/.ssh),
since the problem may be that the ssh on your machine is not setting the
SELinux permissions correctly at the destination.

Otherwise look in /var/log/secure to see whether it gives you a clue as to
why it does not accept the key login.

Regards,




Re: [CentOS] https and self signed

2016-06-21 Thread James B. Byrne

On Mon, June 20, 2016 13:16, Gordon Messmer wrote:
> On 06/20/2016 07:47 AM, James B. Byrne wrote:
>> On Sat, June 18, 2016 18:39, Gordon Messmer wrote:
>>
>>> I'm not interested in turning this in to a discussion on
>>> epistemology.
>>> This is based on the experience (the evidence) of some of the
>>> world's foremost experts in the field (Akamai, Cisco, EFF,
>>> Mozilla, etc).

I would rather look to Bruce Schneier and Noam Chomsky for guidance
before I would take security advice from organisations that have
already shown to be compromised in the matters of their clients'
security -- the EFF being the sole exception in the list provided.  Or
so I presently believe.

>> Really? Then why did you forward your reply a private message to a
>> public mailing list if not to do exactly what you claim you wish to
>> avoid?
>
> Accidents happen.  I didn't intentionally mail you off-list,
> and when I noticed that I had, seconds later, I re-sent the
> message to the list, expecting that you'd notice and understand
> that I intended to keep the conversation on the list.
>

Except that I get the list as a digest.  Which means that your
assumptions were wrong.  Funny that think you not?

> ..which isn't relevant to the question of what you consider "evidence"
> of security practice implications.
>
> Look, go to https://www.google.com/ right now and tell me what you
> see.

A snoop that self-signs its own certificates?

> Do you suddenly distrust the internet's single largest domain?  Do you
> think they implement poor security practices?
>

My distrust of Google developed over many years.  There was nothing
sudden about it.  But it is deep now.

>>> For someone who wants "evidence" you make a lot of unsupported
>>> assertions.  You do see the irony, don't you?

I assert my opinions if that is what you are referring to.  I do not
claim them to be fact.  I believe them to be true but I admit readily
that I may be wrong.  Indeed I most certainly must be wrong in some of
them.  My difficulty being determining which ones.

However, I have formed my opinions on the basis of a long term
exposure to security matters both pre and post Internet.  And I have
seen before the same thoughtless enthusiasms for things shiny and
different in the security community. Things adopted and put into
practice without even the most cursory of trials and evaluations for
effectiveness and efficacy -- not to mention lawfulness on some
occasions --.  Sometimes I have had to deal with the consequences of
those choices at the pointy end of the stick.  Thus if I am to adopt a
different point of view then I require something in the way of
supporting measurable evidence to show that I am wrong and that others
are right.

>> The difference is that I state this is my opinion and I do not claim
>> it as a fact.  Your statement claimed a factual basis.  I was
>> naturally curious to see what evidence supported your claim.
>
> Citation required.
>
> Allow me an example.  To quote you:
> "The usual way a private key gets compromised is by theft or by
> tampering with its generation.  Putting yourself on a hamster wheel of
> constant certificate generation and distribution simply increases the
> opportunities for key theft and tampering."
>
> Now, when you asked "what possible benefit accrues from changing
> secured device keys on a frequent basis?" I pointed you to
> letsencrypt's documentation, which describes the benefits of
> 90-day certificates.

Having actual software in the possession of users rendered unusable by
a policy decision implemented in the name of security is not
beneficial. Referring to others' self-justification of measures they
have already implemented is not evidence. It is argument.  Which has
its place providing that one accepts the fundamental postulates of the
positions being argued. These, in this case, require evidence.
Assertions that these measures solve certain perceived flaws without
addressing the costs of those measures is a one-sided argument and not
very convincing in my opinion.

Refusing to deal with that is simply ignoring the elephant in the room.


>
> So, please describe how I am "claiming a factual basis" while you are
> not.
>
>> Automated security is BS.  It has always been BS and it always will
>> be BS.  That is my OPINION.  It may not be a fact for I lack
>> empirical evidence to support it.  However, it has long been my
>> observation that when people place excessive trust in automation
>> they are eventually and inevitably betrayed by it.  Often at
>> enormous cost.
>
> This is what I consider "enormous cost":
> https://en.wikipedia.org/wiki/Heartbleed#Certificate_renewal_and_revocation
>
> After a major security bug which exposed private keys, hundreds of
> thousands of servers did not take the required action to secure their
> services, and the vast majority of those that took *some* action did
> it incorrectly and did not resolve the problem.
>
> Had those sites been using letsencrypt and renewing 

Re: [CentOS-es] OT Fedora public key migration

2016-06-21 Thread Ricardo J. Barberis
On Tuesday 21/06/2016, César Martinez wrote:
> Thanks Epe. I was running some tests with a Fedora 24 virtual machine
> and here is what I found:
>
> 1.- When I copy the keys via ssh to the .ssh/ directory of the
> Fedora 24 virtual machine, and connect from there to one of my
> servers, it accepts the keys and does not ask for a password.
>
> 2.- When I copy the keys to a folder on my computer (as a backup),
> connect via ftp, sftp or ssh, copy from there to the .ssh/ directory
> of the Fedora 24 virtual machine, and connect from there to one of
> my servers, it asks me for a password.
>
> In both cases I added the config file and its contents as Ernesto
> indicated. I will keep investigating and googling, because this has me
> stuck on the migration to Fedora 24, but I don't want to lose key-based
> access to the servers. If anyone else has something to add, thanks.

Check that the permissions ended up correct at the destination (~/.ssh: 0700,
~/.ssh/id_rsa: 0600) and run restorecon on it (restorecon -R -v ~/.ssh), since
the problem may be that the ssh on your machine is not setting the SELinux
permissions correctly at the destination.

Otherwise, check /var/log/secure to see whether it gives you a clue as to why
it isn't accepting the key-based login.

Regards,
-- 
Ricardo J. Barberis
Linux User No. 250625: http://counter.li.org/
LFS User No. 5121: http://www.linuxfromscratch.org/
Senior SysAdmin / IT Architect - www.DonWeb.com
___
CentOS-es mailing list
CentOS-es@centos.org
https://lists.centos.org/mailman/listinfo/centos-es
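
The permission check suggested in the reply above, combined with the DSA key type mentioned elsewhere in this thread, as an added example (not code from any poster). It flags group/other permission bits on the directory and on private key files and reports `ssh-dss` public keys; SELinux labels are not inspected, the function names are hypothetical, and the demo directory holds constructed placeholder files, not real keys.

```python
import os
import stat
import tempfile

LEGACY_KEY_TYPES = {"ssh-dss"}  # the DSA key type discussed in this thread


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private_key(path):
    """True if the file starts with a PEM-style private key header."""
    try:
        with open(path, "r", errors="replace") as fh:
            first = fh.readline()
    except OSError:
        return False
    return first.startswith("-----BEGIN") and "PRIVATE KEY" in first


def public_key_type(path):
    """First field of a .pub file (for example 'ssh-dss'), or None."""
    with open(path, "r", errors="replace") as fh:
        fields = fh.readline().split()
    return fields[0] if fields else None


def audit_ssh_dir(ssh_dir):
    """Return (name, problem) tuples for the checks recommended in the reply."""
    findings = []
    if mode_of(ssh_dir) & 0o077:  # any group/other bit set on the directory
        findings.append((".", "mode %04o, expected 0700" % mode_of(ssh_dir)))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        if name.endswith(".pub"):
            ktype = public_key_type(path)
            if ktype in LEGACY_KEY_TYPES:
                findings.append((name, "legacy key type %s" % ktype))
        elif is_private_key(path) and mode_of(path) & 0o077:
            findings.append((name, "mode %04o, expected 0600" % mode_of(path)))
    return findings


def build_demo_dir():
    """Constructed sample: a throwaway .ssh with loose modes and placeholder keys."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    samples = {
        "id_dsa": "-----BEGIN DSA PRIVATE KEY-----\n(constructed placeholder)\n",
        "id_dsa.pub": "ssh-dss CONSTRUCTED-PLACEHOLDER user@example\n",
        "config": "PubkeyAcceptedKeyTypes +ssh-dss\n",
    }
    for name, text in samples.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)   # simulates keys copied without preserving modes
    os.chmod(ssh_dir, 0o755)
    return ssh_dir


if __name__ == "__main__":
    for name, problem in audit_ssh_dir(build_demo_dir()):
        print(name, "->", problem)
```

If the modes are clean and key login still fails, the SELinux relabel and /var/log/secure steps from the reply are the next things to check.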


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Alexander Dalloz

On 2016-06-21 16:58, Always Learning wrote:
> On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:
>
> > On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
> >
> > > *nat
> > > :INPUT ACCEPT
> > > :OUTPUT ACCEPT
> > > :PREROUTING ACCEPT
> > > :POSTROUTING ACCEPT
> > > -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
> > > --to-port 80
> >
> > http://www.karlrupp.net/en/computer/nat_tutorial
> >
> > # IMPORTANT: Activate IP-forwarding in the kernel!
> >
> >    # Disabled by default!
> >    $> echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > ~~~
> >
> > Is that a solution ?
>
> and this ?
>
> # TCP packets from 192.168.1.2, port 12345 to 12356
> # to 123.123.123.123, Port 22
> # (a backslash indicates continuation at the next line)
>
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
>  --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]


Both hints are irrelevant in his case.

He needs port redirection by letting iptables rewrite the TCP header 
destination port. There is no IP forwarding of the kernel involved. 
Neither does he need to do full DNAT (or whatever the incomplete cited 
rule should do; it lacks a target directive).


Alexander


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Always Learning

On Tue, 2016-06-21 at 15:46 +0100, Always Learning wrote:

> On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:
> 
> > *nat
> > :INPUT ACCEPT
> > :OUTPUT ACCEPT
> > :PREROUTING ACCEPT
> > :POSTROUTING ACCEPT
> > -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
> > --to-port 80
> 
> http://www.karlrupp.net/en/computer/nat_tutorial
> 
> # IMPORTANT: Activate IP-forwarding in the kernel!
> 
>    # Disabled by default!
>    $> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> ~~~
> 
> Is that a solution ?

and this ?


# TCP packets from 192.168.1.2, port 12345 to 12356
# to 123.123.123.123, Port 22
# (a backslash indicates continuation at the next line)

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.2 \
 --sport 12345:12356 -d 123.123.123.123 --dport 22 [...]


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS-es] OT Fedora public key migration

2016-06-21 Thread César Martinez
Thanks Epe. I was running some tests with a Fedora 24 virtual machine
and here is what I found:


1.- When I copy the keys via ssh to the .ssh/ directory of the
Fedora 24 virtual machine, and connect from there to one of my
servers, it accepts the keys and does not ask for a password.


2.- When I copy the keys to a folder on my computer (as a backup),
connect via ftp, sftp or ssh, copy from there to the .ssh/ directory
of the Fedora 24 virtual machine, and connect from there to one of
my servers, it asks me for a password.


In both cases I added the config file and its contents as Ernesto
indicated. I will keep investigating and googling, because this has me
stuck on the migration to Fedora 24, but I don't want to lose key-based
access to the servers. If anyone else has something to add, thanks.



--
Kind regards

|César Martínez M. | Systems Engineer | SERVICOM
|Tel: (593-2)554-271 2221-386 | Ext 4501
|Mobile: 0999374317 |Skype servicomecuador
|Web www.servicomecuador.com Follow us on:
|Twitter: @servicomecuador |Facebook: servicomec
|Customer Area: www.servicomecuador.com/billing
|Blog: http://servicomecuador.com/blog
|Address: Av. 10 de Agosto N29-140, between
|Acuña and Cuero y Caicedo
|Quito - Ecuador - South America

On 18/06/16 at 22:33, Ernesto Pérez Estévez wrote:
> On 18/06/16 19:21, César Martinez wrote:
> > Thanks Epe, I'll keep an eye out
>
> in the .ssh/config file (if it doesn't exist, create it) add:
>
>  PubkeyAcceptedKeyTypes +ssh-dss
>
> and that's it.
>
> http://forums.fedoraforum.org/showthread.php?t=307406
>
> You should perhaps plan to create an EC-type (ecdsa) key and drop dsa
> as soon as possible





Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Always Learning

On Tue, 2016-06-21 at 16:24 +0200, Alexander Farber wrote:

> *nat
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
> --to-port 80

http://www.karlrupp.net/en/computer/nat_tutorial

# IMPORTANT: Activate IP-forwarding in the kernel!

   # Disabled by default!
   $> echo "1" > /proc/sys/net/ipv4/ip_forward

~~~

Is that a solution ?



-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Alexander Dalloz

On 2016-06-21 16:24, Alexander Farber wrote:
> Hello Gordon and others

[ ... ]

> here the problem description again:
>
> I have Jetty running as user "nobody" at the port 8080.
>
> I need to redirect incoming HTTP requests to port 80 to the above port.
>
> (So I don't think I have ports backwards).
>
> Here is my current /etc/sysconfig/iptables:
>
> *filter
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :FORWARD ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports
> 25,80,443,8080 -j ACCEPT
> -A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags
> FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
> COMMIT
>
> *nat
> :INPUT ACCEPT
> :OUTPUT ACCEPT
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> -A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
> --to-port 80

That's not what you want and described above. What you are doing here is 
redirecting traffic to destination address 144.76.184.154 on destination 
port 8080 to port 80. Instead you want to achieve that traffic destined 
to port 80 is redirected locally to port 8080 where jetty is listening.

> COMMIT

[ ... ]

> Please help
> Alex


Regards

Alexander

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
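
The direction problem pointed out in the reply above, as an added example (not code from any poster): a small checker that reads a ruleset in iptables-save format, rejoins mail-wrapped rule lines, and reports whether a nat PREROUTING REDIRECT maps the public port to the port the service listens on. The sample ruleset is constructed from the rules quoted in this thread; the function names are hypothetical, and the filter check is a simplification that ignores rule order and only reads `--dport`/`--dports` on ACCEPT rules.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the ruleset quoted in
# this thread, including the mail-wrapped rule lines.
SAMPLE_RULESET = """\
*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports
25,80,443,8080 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT
--to-port 80
COMMIT
"""
# Same ruleset with the direction described in the reply (80 -> 8080).
FIXED_RULESET = SAMPLE_RULESET.replace(
    "--dport 8080 -j REDIRECT\n--to-port 80",
    "--dport 80 -j REDIRECT\n--to-ports 8080")


def parse_ruleset(text):
    """Return {table: {"policy": {chain: policy}, "rules": [tokens, ...]}}."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("*", ":", "-A ", "COMMIT")) or not logical:
            logical.append(line)
        else:  # continuation of a rule that was wrapped in transit
            logical[-1] += " " + line
    tables, current = {}, None
    for line in logical:
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif current is None or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current["policy"][chain] = policy
        else:
            current["rules"].append(shlex.split(line))
    return tables


def opt_value(tokens, *names):
    """Value following the first occurrence of any of the option names."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def expand_ports(spec):
    """Expand a port list such as '25,80,8000:8002' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def redirects(tables):
    """(dport, to_port) for every single-port REDIRECT in nat PREROUTING."""
    found = []
    for tokens in tables.get("nat", {"rules": []})["rules"]:
        if tokens[:2] != ["-A", "PREROUTING"] or opt_value(tokens, "-j") != "REDIRECT":
            continue
        dport = opt_value(tokens, "--dport")
        to_port = opt_value(tokens, "--to-ports", "--to-port")
        if dport and to_port and dport.isdigit() and to_port.isdigit():
            found.append((int(dport), int(to_port)))
    return found


def input_accepts(tables, port):
    """Simplified: does some filter INPUT ACCEPT rule (or the policy) cover port?"""
    flt = tables.get("filter", {"policy": {}, "rules": []})
    for tokens in flt["rules"]:
        if tokens[:2] == ["-A", "INPUT"] and opt_value(tokens, "-j") == "ACCEPT":
            spec = opt_value(tokens, "--dport", "--dports")
            if spec and port in expand_ports(spec):
                return True
    return flt["policy"].get("INPUT") == "ACCEPT"


def audit(text, public_port, service_port):
    """List what stops public_port from reaching the service on service_port."""
    tables = parse_ruleset(text)
    found = redirects(tables)
    findings = []
    if (public_port, service_port) not in found:
        findings.append(f"no REDIRECT {public_port} -> {service_port}")
    if (service_port, public_port) in found:
        findings.append(f"reversed REDIRECT {service_port} -> {public_port}")
    # nat PREROUTING runs before filter INPUT, so INPUT sees the rewritten port.
    if not input_accepts(tables, service_port):
        findings.append(f"filter INPUT does not accept {service_port}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_RULESET, 80, 8080))
    print(audit(FIXED_RULESET, 80, 8080))
```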


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread John Hodrien

On Tue, 21 Jun 2016, Alexander Farber wrote:

> Please help


Are you sure you want this as a PREROUTING rule, and not simply an INPUT rule?

jh


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Alexander Farber
Hello Gordon and others

On Tue, Jun 21, 2016 at 4:13 PM, Gordon Messmer wrote:

> On 06/21/2016 02:30 AM, Alexander Farber wrote:
>
>> -A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT
>> --to-ports 8080
>>
>
>
> I think you have the ports backward, here.
>

here the problem description again:

I have Jetty running as user "nobody" at the port 8080.

I need to redirect incoming HTTP requests to port 80 to the above port.

(So I don't think I have ports backwards).

Here is my current /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
:FORWARD ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
-A FORWARD -p tcp -m tcp --dst 144.76.184.154 --dport 8080 -j ACCEPT
COMMIT

*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -p tcp --dst 144.76.184.154 --dport 8080 -j REDIRECT --to-port 80
COMMIT

And here is my /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Unfortunately, the redirect does not work:

When I browse to my site port 8080, I see Jetty.

When I browse to my site port 80, connection is refused.

Here I print the tables:

#  iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     tcp  --  anywhere             anywhere            tcp state NEW multiport dports smtp,http,https,webcache
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN state NEW limit: avg 2/min burst 1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             afarber.de          tcp dpt:webcache

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             afarber.de          tcp dpt:webcache redir ports 80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Please help
Alex


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Gordon Messmer

On 06/21/2016 02:30 AM, Alexander Farber wrote:

> -A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT
> --to-ports 8080



I think you have the ports backward, here.



Re: [CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Nicolas Kovacs
On 21/06/2016 at 14:33, Nicolas Thierry-Mieg wrote:
> This is strange.
> "yum install gimp" should install gimp and its deps, not gimp28.
> "yum remove gimp28" should remove gimp28 and anyone depending on it, not
> gimp or "gimp stuff" (assuming you are not talking about "gimp stuff"
> from nux's repo that actually requires gimp 2.8).
> 
> What exactly is this gimp stuff you're talking about? Can you list those
> packages?

First of all, thank you everybody for your quick response.

I just found out why gimp28 has been installed alongside gimp. That's
because 'yum search gimp' lists all packages: those from [base] as well
as those from [nux-dextop]. Now if I install an additional plugin like
ufraw-plugin that depends on gimp28, the latter gets also installed.

The solution I found was to simply add this to nux-dextop.repo:

exclude=*gimp*

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] bad iscsi performance after upgrade to CentOS 7.2

2016-06-21 Thread Steven Tardy

> On Jun 20, 2016, at 5:15 AM, Ulrich Leodolter wrote:
> 
> has anyone an idea why iSCSI read performance degraded in CentOS 7.2 ?

I'm not sure about those versions of centos, but iSCSI throughput being TCP is 
dependent on TCP receive window and packet loss. Tcpdump to see if the TCP 
window changed between those versions of centos.


Re: [CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Nicolas Thierry-Mieg

On 06/21/2016 02:48 PM, Johnny Hughes wrote:
> On 06/21/2016 07:33 AM, Nicolas Thierry-Mieg wrote:
>> On 06/21/2016 01:50 PM, Nicolas Kovacs wrote:
>>> Hi,
>>>
>>> I just setup a CentOS 6 desktop with the nux-dextop repository activated.
>>>
>>> When installing GIMP (yum install gimp), I get a gimp package as well as
>>> a gimp28 package. I understand this is the Nux-Dextop GIMP 2.8 package.
>>> Unfortunately this doesn't work so well with my system. It's not
>>> localized (menus appear in english, though the system is in French), the
>>> main GTK theme (Murrina Gilouche) is not managed and the application has
>>> that ugly east german look like in the good old GTK1 days, and there are
>>> two redundant menu entries, one of which is not responsive.
>>>
>>> I'd like to be able to install the plain "official" GIMP 2.6 application
>>> on my system, but when I try to 'yum remove gimp28', it takes the whole
>>> GIMP stuff down the drain with it.
>>>
>>> Note: I'm already using the Yum Priorities plugin. Official repos (base,
>>> updates and extra) are configured with a priority of 1, the other stuff
>>> (epel, adobe, nux-dextop) has a priority of 10.
>>
>> This is strange.
>> "yum install gimp" should install gimp and its deps, not gimp28.
>> "yum remove gimp28" should remove gimp28 and anyone depending on it, not
>> gimp or "gimp stuff" (assuming you are not talking about "gimp stuff"
>> from nux's repo that actually requires gimp 2.8).
>>
>> What exactly is this gimp stuff you're talking about? Can you list those
>> packages?
>
> That depends on how they wrote the spec file .. if they obsolete gimp,
> and also provide it, they can replace the standard install.  I don't
> have any c6 desktops to test that.


I actually did test it on a C6 desktop.

$ rpm -qa | grep gimp
gimp-data-extras-2.0.2-3.1.el6.noarch
gimp-help-2.4.2-5.1.el6.noarch
gimp-libs-2.6.9-8.el6_6.x86_64
gimp-2.6.9-8.el6_6.x86_64
gimp-help-browser-2.6.9-8.el6_6.x86_64

$ sudo yum install gimp28
Loaded plugins: fastestmirror, kabi, presto, priorities, refresh-packagekit, security
Loading support for CentOS kernel ABI
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.rezopole.net
 * elrepo: mirrors.ircam.fr
 * epel: mirror.ibcp.fr
 * nux-dextop: mirror.li.nux.ro
 * updates: mirror.in2p3.fr
440 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package gimp28.x86_64 0:2.8.10-1.el6.nux.nuxref will be installed
--> Processing Dependency: aalib for package: gimp28-2.8.10-1.el6.nux.nuxref.x86_64
--> Running transaction check
---> Package aalib.x86_64 0:1.4.0-0.18.rc5.el6.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package    Arch      Version                    Repository      Size
================================================================================
Installing:
 gimp28     x86_64    2.8.10-1.el6.nux.nuxref    nux-dextop      53 M
Installing for dependencies:
 aalib      x86_64    1.4.0-0.18.rc5.el6.1       epel            16 k

Transaction Summary
================================================================================
Install       2 Package(s)
[]
Complete!


[nthierry@timc-bcm-07 ~]$ rpm -qa | grep gimp
gimp28-2.8.10-1.el6.nux.nuxref.x86_64
gimp-data-extras-2.0.2-3.1.el6.noarch
gimp-help-2.4.2-5.1.el6.noarch
gimp-libs-2.6.9-8.el6_6.x86_64
gimp-2.6.9-8.el6_6.x86_64
gimp-help-browser-2.6.9-8.el6_6.x86_64
[nthierry@timc-bcm-07 ~]$ sudo yum remove gimp28
Loaded plugins: fastestmirror, kabi, presto, priorities, refresh-packagekit, security
Loading support for CentOS kernel ABI
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package gimp28.x86_64 0:2.8.10-1.el6.nux.nuxref will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package    Arch      Version                    Repository       Size
================================================================================
Removing:
 gimp28     x86_64    2.8.10-1.el6.nux.nuxref    @nux-dextop      235 M

Transaction Summary
================================================================================
Remove        1 Package(s)

Installed size: 235 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing: 

Re: [CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Johnny Hughes
On 06/21/2016 07:33 AM, Nicolas Thierry-Mieg wrote:
> On 06/21/2016 01:50 PM, Nicolas Kovacs wrote:
>> Hi,
>>
>> I just setup a CentOS 6 desktop with the nux-dextop repository activated.
>>
>> When installing GIMP (yum install gimp), I get a gimp package as well as
>> a gimp28 package. I understand this is the Nux-Dextop GIMP 2.8 package.
>> Unfortunately this doesn't work so well with my system. It's not
>> localized (menus appear in english, though the system is in French), the
>> main GTK theme (Murrina Gilouche) is not managed and the application has
>> that ugly east german look like in the good old GTK1 days, and there are
>> two redundant menu entries, one of which is not responsive.
>>
>> I'd like to be able to install the plain "official" GIMP 2.6 application
>> on my system, but when I try to 'yum remove gimp28', it takes the whole
>> GIMP stuff down the drain with it.
>>
>> Note: I'm already using the Yum Priorities plugin. Official repos (base,
>> updates and extra) are configured with a priority of 1, the other stuff
>> (epel, adobe, nux-dextop) has a priority of 10.
> 
> This is strange.
> "yum install gimp" should install gimp and its deps, not gimp28.
> "yum remove gimp28" should remove gimp28 and anyone depending on it, not
> gimp or "gimp stuff" (assuming you are not talking about "gimp stuff"
> from nux's repo that actually requires gimp 2.8).
> 
> What exactly is this gimp stuff you're talking about? Can you list those
> packages?

That depends on how they wrote the spec file .. if they obsolete gimp,
and also provide it, they can replace the standard install.  I don't
have any c6 desktops to test that.








Re: [CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Nicolas Thierry-Mieg

On 06/21/2016 01:50 PM, Nicolas Kovacs wrote:
> Hi,
>
> I just setup a CentOS 6 desktop with the nux-dextop repository activated.
>
> When installing GIMP (yum install gimp), I get a gimp package as well as
> a gimp28 package. I understand this is the Nux-Dextop GIMP 2.8 package.
> Unfortunately this doesn't work so well with my system. It's not
> localized (menus appear in english, though the system is in French), the
> main GTK theme (Murrina Gilouche) is not managed and the application has
> that ugly east german look like in the good old GTK1 days, and there are
> two redundant menu entries, one of which is not responsive.
>
> I'd like to be able to install the plain "official" GIMP 2.6 application
> on my system, but when I try to 'yum remove gimp28', it takes the whole
> GIMP stuff down the drain with it.
>
> Note: I'm already using the Yum Priorities plugin. Official repos (base,
> updates and extra) are configured with a priority of 1, the other stuff
> (epel, adobe, nux-dextop) has a priority of 10.


This is strange.
"yum install gimp" should install gimp and its deps, not gimp28.
"yum remove gimp28" should remove gimp28 and anyone depending on it, not 
gimp or "gimp stuff" (assuming you are not talking about "gimp stuff" 
from nux's repo that actually requires gimp 2.8).


What exactly is this gimp stuff you're talking about? Can you list those 
packages?



Re: [CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Johnny Hughes
On 06/21/2016 06:50 AM, Nicolas Kovacs wrote:
> Hi,
> 
> I just setup a CentOS 6 desktop with the nux-dextop repository activated.
> 
> When installing GIMP (yum install gimp), I get a gimp package as well as
> a gimp28 package. I understand this is the Nux-Dextop GIMP 2.8 package.
> Unfortunately this doesn't work so well with my system. It's not
> localized (menus appear in english, though the system is in French), the
> main GTK theme (Murrina Gilouche) is not managed and the application has
> that ugly east german look like in the good old GTK1 days, and there are
> two redundant menu entries, one of which is not responsive.
> 
> I'd like to be able to install the plain "official" GIMP 2.6 application
> on my system, but when I try to 'yum remove gimp28', it takes the whole
> GIMP stuff down the drain with it.
> 
> Note: I'm already using the Yum Priorities plugin. Official repos (base,
> updates and extra) are configured with a priority of 1, the other stuff
> (epel, adobe, nux-dextop) has a priority of 10.
> 
> Any suggestions?

You will need to add an:

exclude=gimp28*

in the /etc/yum.repos.d/*.repo file for nux.

You may also have to exclude other files from there as well (if there
are dependencies specific to gimp28 that conflict with regular gimp).  It
will be trial and error (yum remove gimp .. add in the first exclude,
yum clean all ... yum install gimp .. if necessary exclude more stuff ..
repeat until it installs).








[CentOS] CentOS 6 + nux-dextop: GIMP vs. GIMP 2.8 ?

2016-06-21 Thread Nicolas Kovacs
Hi,

I just setup a CentOS 6 desktop with the nux-dextop repository activated.

When installing GIMP (yum install gimp), I get a gimp package as well as
a gimp28 package. I understand this is the Nux-Dextop GIMP 2.8 package.
Unfortunately this doesn't work so well with my system. It's not
localized (menus appear in english, though the system is in French), the
main GTK theme (Murrina Gilouche) is not managed and the application has
that ugly east german look like in the good old GTK1 days, and there are
two redundant menu entries, one of which is not responsive.

I'd like to be able to install the plain "official" GIMP 2.6 application
on my system, but when I try to 'yum remove gimp28', it takes the whole
GIMP stuff down the drain with it.

Note: I'm already using the Yum Priorities plugin. Official repos (base,
updates and extra) are configured with a priority of 1, the other stuff
(epel, adobe, nux-dextop) has a priority of 10.

Any suggestions?

Cheers from the sunny South of France,

Niki Kovacs
-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS-docs] [DISCUSS] Wiki page for centos atomic registry

2016-06-21 Thread Karanbir Singh
On 20/06/16 14:13, Mohammed Ahmed wrote:
>   I think that should be for the container pipeline itself, not atomic
> registry. Correct me if I am wrong.
> Also, I should probably consider requesting write access to the
> container pipeline page as well at
> some point.


yes, I agree. The Atomic registry has nothing to do with the container
pipeline, so the two should not be confused into the same namespace. we
should document howto use the registry in the same way as we do howto's
for apps etc.



-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
___
CentOS-docs mailing list
CentOS-docs@centos.org
https://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS] Redirecting port 8080 to port 80 - how to add in /etc/sysconfig/iptables file?

2016-06-21 Thread Alexander Farber
Hello again,

unfortunately the following /etc/sysconfig/iptables file does not work:

*nat
:INPUT ACCEPT
:OUTPUT ACCEPT
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
#-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp -d 144.76.184.154/32 --dport 80 -j REDIRECT --to-ports 8080
COMMIT

*filter
:INPUT DROP
:OUTPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m multiport --dports 25,80,443,8080 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/min --limit-burst 1 -j ACCEPT
COMMIT

I need incoming HTTP-connections to 144.76.184.154:80
to be redirected to 144.76.184.154:8080 (where Jetty is listening
as user "nobody"), but for some reason this does not happen.

When I browse to http://144.76.184.154:8080 then I see Jetty response.

But when I browse to http://144.76.184.154 nothing is returned.

Can anybody please spot the error for me?

Thank you
Alex


Re: [CentOS] https and self signed

2016-06-21 Thread Walter H.
On Wed, June 15, 2016 16:17, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, Александр Кириллов wrote:
>>
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>>
>> http://www.startssl.com
>> http://buy.wosign.com/free
>
> Today, I would prefer Let’s Encrypt:
>
>   https://letsencrypt.org/

here is the better alternative for lazy people

https://www.startssl.com/StartEncrypt

it's based on the root certificates of StartSSL and is automatic, like
Let's Encrypt;



Re: [CentOS] https and self signed

2016-06-21 Thread Walter H.
On Mon, June 20, 2016 19:16, Gordon Messmer wrote:
> On 06/20/2016 07:47 AM, James B. Byrne wrote:

>> Exactly what mindless person or committee of bike-shedders decided
>> that software should be distributed so that copies of it expire?
>
> Expiration is a fundamental aspect of x509 certificates.  Do you
> understand x509 at all?

with all its problems; look just a little bit into the future;
when I sign a document today, the certificate I sign this document with may be
valid till the end of next year (end of the year 2017);
let us think this is an important document; and let us think you were a
young boy now;
in case the software still exists in the next 50 years, the diagnosis if
the document has been modified is easy, but ...
how would you be able to verify that this document hasn't been signed by a
certificate that had been revoked when you are an old man?

