Re: [CentOS] Disabling Firewall/iptables on CentOS 7??
On Mar 22, 2017, at 7:56 PM, James Pifer wrote:
> In a nutshell I've tried the following commands, in many different ways and
> orders, but when the system restarts it still seems to end up with some form
> of default rules. It even has a couple rules specifying 192.168.122.0 and I
> can't figure out where it's coming from.

libvirtd? That network is the range it tends to use for routing private networking.

Also, you should look into using ‘systemctl mask unitname’ to make it not run, rather than just deleting a symlink.

--
Jonathan Billings

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
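The two points in the reply above, as an added example that is not part of the thread: `systemctl mask` links the unit name to /dev/null, which is what separates it from removing a `*.wants/` symlink, and rules naming `virbr0` or `192.168.122.0/24` belong to libvirt's default network. The function names, the scratch directory and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.

# unit_state ROOT UNIT
# Classify UNIT from the admin configuration under ROOT/etc/systemd/system:
#   masked   - UNIT is a symlink to /dev/null, so no start request can succeed
#   enabled  - a *.wants/ or *.requires/ symlink pulls UNIT in at boot
#   disabled - no boot-time symlink, but a manual start or a dependency
#              can still bring the unit up
unit_state() (
    dir="$1/etc/systemd/system"
    unit="$2"
    if [ "$(readlink "$dir/$unit" 2>/dev/null)" = "/dev/null" ]; then
        echo masked
        exit 0
    fi
    for link in "$dir"/*.wants/"$unit" "$dir"/*.requires/"$unit"; do
        if [ -L "$link" ]; then
            echo enabled
            exit 0
        fi
    done
    echo disabled
)

# libvirt_rules: filter `iptables-save` output on stdin down to the rules that
# reference libvirt's default NAT network (bridge virbr0, 192.168.122.0/24).
libvirt_rules() {
    grep -E -- '^-A .*(virbr0|192\.168\.122\.0/24)' || true
}

# Constructed sample in iptables-save format: three libvirt rules, one other.
sample_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
EOF
}

# demo: replay the three states discussed in the thread in a scratch tree.
demo() (
    root=$(mktemp -d) || exit 1
    sys="$root/etc/systemd/system"
    mkdir -p "$sys/basic.target.wants"
    # 1. Enabled: the boot-time symlink named in the original post.
    ln -s /usr/lib/systemd/system/firewalld.service \
        "$sys/basic.target.wants/firewalld.service"
    s1=$(unit_state "$root" firewalld.service)
    # 2. Symlink removed, as `systemctl disable` (or rm) leaves it.
    rm "$sys/basic.target.wants/firewalld.service"
    s2=$(unit_state "$root" firewalld.service)
    # 3. What `systemctl mask firewalld` creates.
    ln -s /dev/null "$sys/firewalld.service"
    s3=$(unit_state "$root" firewalld.service)
    rm -rf "$root"
    echo "$s1 $s2 $s3"
)

demo
sample_rules | libvirt_rules

# On a real host the same checks are:
#   unit_state "" firewalld.service
#   iptables-save | libvirt_rules
```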
[CentOS] Disabling Firewall/iptables on CentOS 7??
I apologize if this has been asked and answered, but I googled and attempted things for several hours today without success.

I have a freshly installed CentOS 7 system that I'd like to disable the firewall and all iptables rules. Basically the equivalent of doing iptables -F

In a nutshell I've tried the following commands, in many different ways and orders, but when the system restarts it still seems to end up with some form of default rules. It even has a couple rules specifying 192.168.122.0 and I can't figure out where it's coming from.

#Disable Firewall
systemctl stop firewalld
systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
systemctl disable firewalld
systemctl stop firewalld
iptables --flush
iptables --list
iptables -L
yum install iptables-services
service iptables save
systemctl enable iptables
service iptables save

Any help is appreciated.

Thanks
James
Re: [CentOS] kerberized-nfs - any experts out there?
On 03/22/2017 03:26 PM, Matt Garman wrote:
> Is anyone on the list using kerberized-nfs on any kind of scale?

Not for a good many years. Are you using v3 or v4 NFS?

Also, you can probably stuff the rpc.gss* and idmapd services into verbose mode, which may give you a better idea as to what's going on.

And yes, the kernel does some kerberos caching. I think 10 to 15 minutes.
Re: [CentOS] RHEL 6.9 is out
On 22/03/17 05:31 PM, Johnny Hughes wrote:
> On 03/22/2017 08:27 AM, Phelps, Matthew wrote:
>> On Wed, Mar 22, 2017 at 9:16 AM, Valeri Galtsev
>> wrote:
>>
>>>
>>> On Wed, March 22, 2017 7:46 am, Phelps, Matthew wrote:
>>>> Red Hat released RHEL 6.9 yesterday.
>>>>
>>>> Why isn't CentOS 6.9 out yet? :)
>>>>
>>> Somebody has to do a hard work, I'm sure. Thanks, guys for the great work
>>> you are doing!
>>>
>>> Or you as sysadmin know that and just being ironic?
>>>
>>> Valeri
>>>
>>
>> To be clear, I was being ironic. Hence the smiley face.
>>
>> I just wanted to start a thread for future updates to appear in.
>>
>
> There are 270 SRPMs that need to be built .. of those 18 require
> modification for branding. All the mods have been applied and a build
> consisting of those 270 SRPMs has been queued.
>
> As of right now (time of writing this mail), we are still building in
> pass 1 .. so far 236 of the 270 SRPMs have tried to build, 15 have had
> some sort of failure and the rest have built fine.
>
> Working right now to figure out the failures and will resubmit those
> once the first pass of all 270 completes.
>
> Thanks,
> Johnny Hughes

Sending a digital $drink... :)

--
Digimer
Papers and Projects: https://alteeve.com/w/
"I am, somehow, less interested in the weight and convolutions of Einstein’s brain than in the near certainty that people of equal talent have lived and died in cotton fields and sweatshops." - Stephen Jay Gould
Re: [CentOS] RHEL 6.9 is out
On 03/22/2017 08:27 AM, Phelps, Matthew wrote:
> On Wed, Mar 22, 2017 at 9:16 AM, Valeri Galtsev
> wrote:
>
>>
>> On Wed, March 22, 2017 7:46 am, Phelps, Matthew wrote:
>>> Red Hat released RHEL 6.9 yesterday.
>>>
>>> Why isn't CentOS 6.9 out yet? :)
>>>
>> Somebody has to do a hard work, I'm sure. Thanks, guys for the great work
>> you are doing!
>>
>> Or you as sysadmin know that and just being ironic?
>>
>> Valeri
>>
>
> To be clear, I was being ironic. Hence the smiley face.
>
> I just wanted to start a thread for future updates to appear in.
>

There are 270 SRPMs that need to be built .. of those 18 require modification for branding. All the mods have been applied and a build consisting of those 270 SRPMs has been queued.

As of right now (time of writing this mail), we are still building in pass 1 .. so far 236 of the 270 SRPMs have tried to build, 15 have had some sort of failure and the rest have built fine.

Working right now to figure out the failures and will resubmit those once the first pass of all 270 completes.

Thanks,
Johnny Hughes
Re: [CentOS] kerberized-nfs - any experts out there?
Feel free to contact me offline if you wish. I'll just go on record as saying that it's a bear

- On 22 Mar, 2017, at 12:26, Matt Garman matthew.gar...@gmail.com wrote:

| Is anyone on the list using kerberized-nfs on any kind of scale?
|
| I've been fighting with this for years. In general, when we have
| issues with this system, they are random and/or not repeatable. I've
| had very little luck with community support. I hope I don't offend by
| saying that! Rather, my belief is that these problems are very
| niche/esoteric, and so beyond the scope of typical community support.
| But I'd be delighted to be proven wrong!
|
| So this is more of a "meta" question: anyone out there have any
| general recommendations for how to get support on what I presume are
| niche problems specific to our environment? How is paid upstream
| support?
|
| Just to give a little insight into our issues: we have an
| in-house-developed compute job dispatching system. Say a user has
| 100s of analysis jobs he wants to run, he submits them to a central
| master process, which in turn dispatches them to a "farm" of >100
| compute nodes. All these nodes have two different krb5p NFS mounts,
| to which the jobs will read and write. So while the users can
| technically log in directly to the compute nodes, in practice they
| never do. The logins are only "implicit" when the job dispatching
| system does a behind-the-scenes ssh to kick off these processes.
|
| Just to give some "flavor" to the kinds of issues we're facing, what
| tends to crop up are one of three things:
|
|   (1) Random crashes. These are full-on kernel trace dumps followed
| by an automatic reboot. This was really bad under CentOS 5. A random
| kernel upgrade magically fixed it. It happens almost never under
| CentOS 6. But happens fairly frequently under CentOS 7. (We're
| completely off CentOS 5 now, BTW.)
|
|   (2) Permission denied issues. I have user Kerberos tickets
| configured for 70 days. But there is clearly some kind of
| undocumented kernel caching going on. Looking at the Kerberos server
| logs, it looks like it "could" be a performance issue, as I see 100s
| of ticket requests within the same second when someone tries to launch
| a lot of jobs. Many of these will fail with "permission denied" but
| if they immediately re-try, it works. Related to this, I have been
| unable to figure out what creates and deletes the
| /tmp/krb5cc_uid_random files.
|
|   (3) Kerberized NFS shares getting "stuck" for one or more users.
| We have another monitoring app (in-house developed) that, among other
| things, makes periodic checks of these NFS mounts. It does so by
| forking and doing a simple "ls" command. This is to ensure that these
| mounts are alive and well. Sometimes, the "ls" command gets stuck to
| the point where it can't even be killed via "kill -9". Only a reboot
| fixes it. But the mount is only stuck for the user running the
| monitoring app. Or sometimes the monitoring app is fine, but an
| actual user's processes will get stuck in "D" state (in top, means
| waiting on IO), but everyone else's jobs (and access to the kerberized
| nfs shares) are OK.
|
| This is actually blocking us from upgrading to CentOS 7. But my
| colleagues and I are at a loss how to solve this. So this post is
| really more of a semi-desperate plea for any kind of advice. What
| other resources might we consider? Paid support is not out of the
| question (within reason). Are there any "super specialist"
| consultants out there who deal in Kerberized NFS?
|
| Thanks!
| Matt

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 604-365-6432
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology
Re: [CentOS-es] Postfix or Exim?
And when I did have a security problem, it was because of allowing RELAY for localhost. Once that was removed, many problems were resolved.

Regards,
David

On 22 March 2017 at 17:49, David González Romero wrote:
>> One of the biggest headaches in my time as a Postfix sysadmin is that
>> there is no way to limit the number of relays allowed per user; that is,
>> for example, that "micue...@micorreo.com" can only send a maximum of
>> 1,000 (one thousand) emails per day, so that I prevent spam attacks from
>> inside my server going out. *if there is a way, tell me, because I never
>> found it :S*
>
> It does exist, and you can limit the number of emails per send... per day
> is more complex... the main issue of avoiding SPAM has two parts:
> 1- A good configuration, where the first thing is to TAKE localhost OUT
> of the relay... yes, localhost.
> 2- You have to tune the configuration very carefully with amavis-new, if
> you use it, or another analyzer that works with SPAMASSASSIN.
>
>> On the other hand, I have also had issues with the maillog side; I had
>> to build a small web interface to get a better view of MTA usage, mostly
>> to detect possible attacks on my users' accounts and also to detect
>> spikes in improper use of SMTP by internal mail accounts.
>
> Here there are also two sides: one is the security of the server (as I
> told you above), and the other is security on the client, in this case
> worthwhile software (Thunderbird, for example) with an up-to-date
> antivirus.
>
>> Reading the official Exim manual, I find that this MTA does contain more
>> security directives that give a sysadmin better control of the mail
>> server and its use, but this is as far as I have got (just reading).
>
> I can assure you it does not... I have already been through this, since
> EXIM is the default MTA installed with CPANEL, and I have two or three
> clients with security problems with EXIM, and mind you, it is EXIM, not
> CPanel... With Postfix I have NEVER had these problems of sending to
> nonexistent accounts.
>
>> I would like to know your opinion, since the pair of servers I have use
>> postfix, one as SMTP and the other as Relay.
>
> Advice 1: add more security to your configuration: TLS/SSL, DKIM,
> Maildir rather than Mbox, NON-REAL system users. And as a last option, a
> good fail2ban that can help you.
>
> Now, if you want to migrate to EXIM and you run into the same problems,
> what will you do... move to Sendmail or Qmail??
>
> I have used Postfix + Dovecot for YEARS; I have servers installed since
> 2009 that run this combination and I have NEVER had a security problem.
>
> Regards,
> David
Re: [CentOS-es] Postfix or Exim?
> One of the biggest headaches in my time as a Postfix sysadmin is that
> there is no way to limit the number of relays allowed per user; that is,
> for example, that "micue...@micorreo.com" can only send a maximum of
> 1,000 (one thousand) emails per day, so that I prevent spam attacks from
> inside my server going out. *if there is a way, tell me, because I never
> found it :S*

It does exist, and you can limit the number of emails per send... per day is more complex... the main issue of avoiding SPAM has two parts:
1- A good configuration, where the first thing is to TAKE localhost OUT of the relay... yes, localhost.
2- You have to tune the configuration very carefully with amavis-new, if you use it, or another analyzer that works with SPAMASSASSIN.

> On the other hand, I have also had issues with the maillog side; I had
> to build a small web interface to get a better view of MTA usage, mostly
> to detect possible attacks on my users' accounts and also to detect
> spikes in improper use of SMTP by internal mail accounts.

Here there are also two sides: one is the security of the server (as I told you above), and the other is security on the client, in this case worthwhile software (Thunderbird, for example) with an up-to-date antivirus.

> Reading the official Exim manual, I find that this MTA does contain more
> security directives that give a sysadmin better control of the mail
> server and its use, but this is as far as I have got (just reading).

I can assure you it does not... I have already been through this, since EXIM is the default MTA installed with CPANEL, and I have two or three clients with security problems with EXIM, and mind you, it is EXIM, not CPanel... With Postfix I have NEVER had these problems of sending to nonexistent accounts.

> I would like to know your opinion, since the pair of servers I have use
> postfix, one as SMTP and the other as Relay.

Advice 1: add more security to your configuration: TLS/SSL, DKIM, Maildir rather than Mbox, NON-REAL system users. And as a last option, a good fail2ban that can help you.

Now, if you want to migrate to EXIM and you run into the same problems, what will you do... move to Sendmail or Qmail??

I have used Postfix + Dovecot for YEARS; I have servers installed since 2009 that run this combination and I have NEVER had a security problem.

Regards,
David
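The maillog check the questioner describes (spotting an internal account that sends too much in a day), as an added example that is not part of the thread. It assumes the stock Postfix syslog format, in which smtpd writes one `client=` line with a queue ID per accepted message and adds `sasl_username=` for authenticated senders; the function names, addresses and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes stock Postfix smtpd log lines;
# all names, addresses and sample lines below are constructed.

# senders_over_limit LIMIT < maillog
# Count accepted messages per day and per sender, and print
#   "Mon DD<TAB>sender<TAB>count"
# for every pair whose count is greater than LIMIT. A sender is either the
# SASL login or, for mail accepted from the loopback address without
# authentication, the label "(localhost, no SASL)". The second case is the
# relay-for-localhost path that the reply above recommends closing.
senders_over_limit() {
    awk -v limit="$1" '
    /postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ {
        day = $1 " " $2
        who = ""
        if (match($0, /sasl_username=[^, ]+/))
            who = substr($0, RSTART + 14, RLENGTH - 14)
        else if ($0 ~ /client=[^ ,]*\[(127\.0\.0\.1|::1)\]/)
            who = "(localhost, no SASL)"
        if (who != "")
            sent[day "\t" who]++
    }
    END {
        for (k in sent)
            if (sent[k] > limit)
                printf "%s\t%d\n", k, sent[k]
    }' | LC_ALL=C sort
}

# Constructed sample: three messages from one login, one from another,
# two handed over from localhost, plus one line that is not a message.
sample_maillog() {
    cat <<'EOF'
Mar 22 10:15:01 mail postfix/smtpd[2301]: connect from unknown[203.0.113.7]
Mar 22 10:15:01 mail postfix/smtpd[2301]: 4F2A81C0A1: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=ana@example.com
Mar 22 10:15:02 mail postfix/smtpd[2301]: 4F2A81C0A2: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=ana@example.com
Mar 22 10:15:03 mail postfix/smtpd[2301]: 4F2A81C0A3: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=ana@example.com
Mar 22 10:20:11 mail postfix/smtpd[2310]: 5A0B22D1B4: client=pc12.example.com[198.51.100.12], sasl_method=PLAIN, sasl_username=luis@example.com
Mar 22 10:21:40 mail postfix/smtpd[2315]: 6C1D33E2C5: client=localhost[127.0.0.1]
Mar 22 10:21:41 mail postfix/smtpd[2315]: 6C1D33E2C6: client=localhost[127.0.0.1]
EOF
}

# With the thread's figure of 1,000 per day nothing in the sample is flagged;
# a limit of 1 is used here so the small sample produces output.
sample_maillog | senders_over_limit 1
```

The count is per accepted message, not per recipient, so a single message addressed to many recipients still counts once.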
Re: [CentOS] kerberized-nfs - any experts out there?
Matt Garman wrote:
> Is anyone on the list using kerberized-nfs on any kind of scale?
>
We use it here. I don't think I'm an expert - my manager is - but let me think about your issues.

> Just to give a little insight into our issues: we have an
> in-house-developed compute job dispatching system. Say a user has
> 100s of analysis jobs he wants to run, he submits them to a central
> master process, which in turn dispatches them to a "farm" of >100
> compute nodes. All these nodes have two different krb5p NFS mounts,
> to which the jobs will read and write. So while the users can
> technically log in directly to the compute nodes, in practice they
> never do. The logins are only "implicit" when the job dispatching
> system does a behind-the-scenes ssh to kick off these processes.

I would strongly recommend that you look into slurm. It's being used here in both large and small scale, and is explicitly for that purpose.
>
> Just to give some "flavor" to the kinds of issues we're facing, what
> tends to crop up are one of three things:
>
> (1) Random crashes. These are full-on kernel trace dumps followed
> by an automatic reboot. This was really bad under CentOS 5. A random
> kernel upgrade magically fixed it. It happens almost never under
> CentOS 6. But happens fairly frequently under CentOS 7. (We're
> completely off CentOS 5 now, BTW.)

This may possibly be another issue.
>
> (2) Permission denied issues. I have user Kerberos tickets
> configured for 70 days. But there is clearly some kind of
> undocumented kernel caching going on. Looking at the Kerberos server
> logs, it looks like it "could" be a performance issue, as I see 100s
> of ticket requests within the same second when someone tries to launch
> a lot of jobs. Many of these will fail with "permission denied" but
> if they immediately re-try, it works. Related to this, I have been
> unable to figure out what creates and deletes the
> /tmp/krb5cc_uid_random files.

Are they asking for *new* credentials each time? They should only be doing one kinit.
>
> (3) Kerberized NFS shares getting "stuck" for one or more users.
> We have another monitoring app (in-house developed) that, among other
> things, makes periodic checks of these NFS mounts. It does so by
> forking and doing a simple "ls" command. This is to ensure that these
> mounts are alive and well. Sometimes, the "ls" command gets stuck to
> the point where it can't even be killed via "kill -9". Only a reboot
> fixes it. But the mount is only stuck for the user running the
> monitoring app. Or sometimes the monitoring app is fine, but an
> actual user's processes will get stuck in "D" state (in top, means
> waiting on IO), but everyone else's jobs (and access to the kerberized
> nfs shares) are OK.

And there's nothing in the logs, correct? Have you tried attaching strace to one of those, and see if you can get a clue as to what's happening?

mark
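One way to answer the question above about new credentials from the KDC side, as an added example that is not part of the thread: group the KDC log by second, client principal and request type, so that bursts of AS_REQ (a fresh TGT, as from kinit) are separated from bursts of TGS_REQ (service tickets fetched with an existing TGT). The thread does not say which KDC is in use; the MIT krb5kdc log format is assumed, and the function names, principals, addresses and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes MIT krb5kdc log lines;
# all names, principals, addresses and sample lines are constructed.

# kdc_bursts MIN < krb5kdc.log
# For every (second, client principal, request type) seen at least MIN times,
# print "Mon DD HH:MM:SS<TAB>client<TAB>type<TAB>requests<TAB>source_hosts".
#   AS_REQ  - a new TGT was requested
#   TGS_REQ - a service ticket was requested with an existing TGT
# source_hosts is the number of distinct client addresses in that second,
# which shows whether a burst is one node or a fan-out across many.
kdc_bursts() {
    awk -v min="$1" '
    / (AS_REQ|TGS_REQ) \(/ {
        type = ($0 ~ / AS_REQ \(/) ? "AS_REQ" : "TGS_REQ"
        client = "?"
        for (i = 2; i <= NF; i++)
            if ($i == "for") { client = $(i - 1); break }
        host = "?"
        if (match($0, /\) [0-9A-Fa-f.:]+: /))
            host = substr($0, RSTART + 2, RLENGTH - 4)
        key = $1 " " $2 " " $3 "\t" client "\t" type
        n[key]++
        if (!((key, host) in seen)) { seen[key, host] = 1; hosts[key]++ }
    }
    END {
        for (k in n)
            if (n[k] >= min)
                printf "%s\t%d\t%d\n", k, n[k], hosts[k]
    }' | LC_ALL=C sort
}

# Constructed sample: one AS_REQ, then the same user requesting the NFS
# service ticket from four nodes within one second, then an unrelated user.
sample_kdc_log() {
    cat <<'EOF'
Mar 22 12:26:00 kdc1 krb5kdc[2121](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1490199960, etypes {rep=18 tkt=18 ses=18}, matt@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 22 12:26:01 kdc1 krb5kdc[2121](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.11: ISSUE: authtime 1490199960, etypes {rep=18 tkt=18 ses=18}, matt@EXAMPLE.COM for nfs/filer.example.com@EXAMPLE.COM
Mar 22 12:26:01 kdc1 krb5kdc[2121](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.12: ISSUE: authtime 1490199960, etypes {rep=18 tkt=18 ses=18}, matt@EXAMPLE.COM for nfs/filer.example.com@EXAMPLE.COM
Mar 22 12:26:01 kdc1 krb5kdc[2121](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.13: ISSUE: authtime 1490199960, etypes {rep=18 tkt=18 ses=18}, matt@EXAMPLE.COM for nfs/filer.example.com@EXAMPLE.COM
Mar 22 12:26:01 kdc1 krb5kdc[2121](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.14: ISSUE: authtime 1490199960, etypes {rep=18 tkt=18 ses=18}, matt@EXAMPLE.COM for nfs/filer.example.com@EXAMPLE.COM
Mar 22 12:26:02 kdc1 krb5kdc[2121](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: ISSUE: authtime 1490199900, etypes {rep=18 tkt=18 ses=18}, ann@EXAMPLE.COM for nfs/filer.example.com@EXAMPLE.COM
EOF
}

# Show only combinations with three or more requests in the same second.
sample_kdc_log | kdc_bursts 3
```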
[CentOS] kerberized-nfs - any experts out there?
Is anyone on the list using kerberized-nfs on any kind of scale?

I've been fighting with this for years. In general, when we have issues with this system, they are random and/or not repeatable. I've had very little luck with community support. I hope I don't offend by saying that! Rather, my belief is that these problems are very niche/esoteric, and so beyond the scope of typical community support. But I'd be delighted to be proven wrong!

So this is more of a "meta" question: anyone out there have any general recommendations for how to get support on what I presume are niche problems specific to our environment? How is paid upstream support?

Just to give a little insight into our issues: we have an in-house-developed compute job dispatching system. Say a user has 100s of analysis jobs he wants to run, he submits them to a central master process, which in turn dispatches them to a "farm" of >100 compute nodes. All these nodes have two different krb5p NFS mounts, to which the jobs will read and write. So while the users can technically log in directly to the compute nodes, in practice they never do. The logins are only "implicit" when the job dispatching system does a behind-the-scenes ssh to kick off these processes.

Just to give some "flavor" to the kinds of issues we're facing, what tends to crop up are one of three things:

(1) Random crashes. These are full-on kernel trace dumps followed by an automatic reboot. This was really bad under CentOS 5. A random kernel upgrade magically fixed it. It happens almost never under CentOS 6. But happens fairly frequently under CentOS 7. (We're completely off CentOS 5 now, BTW.)

(2) Permission denied issues. I have user Kerberos tickets configured for 70 days. But there is clearly some kind of undocumented kernel caching going on. Looking at the Kerberos server logs, it looks like it "could" be a performance issue, as I see 100s of ticket requests within the same second when someone tries to launch a lot of jobs. Many of these will fail with "permission denied" but if they immediately re-try, it works. Related to this, I have been unable to figure out what creates and deletes the /tmp/krb5cc_uid_random files.

(3) Kerberized NFS shares getting "stuck" for one or more users. We have another monitoring app (in-house developed) that, among other things, makes periodic checks of these NFS mounts. It does so by forking and doing a simple "ls" command. This is to ensure that these mounts are alive and well. Sometimes, the "ls" command gets stuck to the point where it can't even be killed via "kill -9". Only a reboot fixes it. But the mount is only stuck for the user running the monitoring app. Or sometimes the monitoring app is fine, but an actual user's processes will get stuck in "D" state (in top, means waiting on IO), but everyone else's jobs (and access to the kerberized nfs shares) are OK.

This is actually blocking us from upgrading to CentOS 7. But my colleagues and I are at a loss how to solve this. So this post is really more of a semi-desperate plea for any kind of advice. What other resources might we consider? Paid support is not out of the question (within reason). Are there any "super specialist" consultants out there who deal in Kerberized NFS?

Thanks!
Matt
Re: [CentOS] KVM guest fails to boot cleanly
James B. Byrne wrote:
> Looking at transaction 367 more closely we see that the kernel was
> updated to 2.6.32-642.15.1.el6.x86_64 on March 10 but that a number of
> errors, whose nature I do not comprehend, were also reported.
>
> # yum history info 367
> Loaded plugins: etckeeper, fastestmirror, priorities,
> refresh-packagekit, security
> Transaction ID : 367
> Begin time     : Fri Mar 10 16:42:32 2017
> Begin rpmdb    : 1489:fd0eb9a01b1667f826b8fead9bc0a05e5bc43efd
> End time       : 16:43:59 2017 (87 seconds)
> End rpmdb      : 1461:cac690d6280fa97910ccb59d0d1f6d43990dfd0a
> User           : root
> Return-Code    : Success
> Transaction performed with:
>     Installed rpm-4.8.0-55.el6.x86_64 @base
>     Installed yum-3.2.29-75.el6.centos.noarch @updates
>     Installed yum-metadata-parser-1.1.2-16.el6.x86_64 @anaconda-CentOS-201207061011.x86_64/6.3
>     Installed yum-plugin-fastestmirror-1.1.30-37.el6.noarch @base
>     Installed yum-utils-1.1.30-37.el6.noarch @base
> Packages Altered:
>     Updated firefox-45.7.0-1.el6.centos.x86_64 @updates
>     Update          45.7.0-2.el6.centos.x86_64 @updates
>     Updated gnome-settings-daemon-2.28.2-35.el6.x86_64 @base
>     Update                        2.28.2-35.el6_8.2.x86_64 @updates
>     Erase   initscripts-9.03.53-1.el6.centos.1.x86_64 @updates
>     Erase   kernel-2.6.32-642.4.2.el6.x86_64 @updates
>     Erase   kernel-firmware-2.6.32-642.13.1.el6.noarch @updates
>     Updated kernel-headers-2.6.32-642.13.1.el6.x86_64 @updates
>     Update                 2.6.32-642.15.1.el6.x86_64 @updates
>     Updated kexec-tools-2.0.0-300.el6_8.1.x86_64 @updates
>     Update              2.0.0-300.el6_8.2.x86_64 @updates
>     Erase   libbasicobjects-0.1.1-11.el6.x86_64 @base
>     Erase   libblkid-2.17.2-12.24.el6_8.1.x86_64 @updates
>     Erase   libcollection-0.6.2-11.el6.x86_64 @base
>     Erase   libdhash-0.4.3-11.el6.x86_64 @base
>     Erase   libini_config-1.1.0-11.el6.x86_64 @base
>     Erase   libipa_hbac-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   libpath_utils-0.2.1-11.el6.x86_64 @base
>     Erase   libref_array-0.1.4-11.el6.x86_64 @base
>     Erase   libsss_idmap-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   libuuid-2.17.2-12.24.el6_8.1.x86_64 @updates
>     Updated openssl-1.0.1e-48.el6_8.3.i686 @updates
>     Erase   openssl-1.0.1e-48.el6_8.3.x86_64 @updates
>     Update  openssl-1.0.1e-48.el6_8.4.i686 @updates
>     Updated openssl-devel-1.0.1e-48.el6_8.3.x86_64 @updates
>     Update                1.0.1e-48.el6_8.4.x86_64 @updates
>     Updated python-libipa_hbac-1.13.3-22.el6_8.4.x86_64 @updates
>     Update                     1.13.3-22.el6_8.6.x86_64 @updates
>     Erase   python-sssdconfig-1.13.3-22.el6_8.4.noarch @updates
>     Erase   selinux-policy-3.7.19-292.el6_8.2.noarch @updates
>     Erase   selinux-policy-targeted-3.7.19-292.el6_8.2.noarch @updates
>     Erase   sssd-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-ad-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-client-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-common-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-common-pac-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-ipa-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-krb5-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-ldap-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   sssd-proxy-1.13.3-22.el6_8.4.x86_64 @updates
>     Erase   util-linux-ng-2.17.2-12.24.el6_8.1.x86_64 @updates
> Scriptlet output:
>    1 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/weak-updates failed: No such file or directory
>    2 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/modules.order failed: No such file or directory
>    3 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/modules.networking failed: No such file or directory
>    4 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/modules.modesetting failed: No such file or directory
>    5 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/modules.drm failed: No such file or directory
>    6 warning:erase unlink of /lib/modules/2.6.32-642.4.2.el6.x86_64/modules.block failed: No such file or directory
>
> Reviewing grub.conf I note that the initrd entry is missing from the
Re: [CentOS] Centos 7.3.1611 - NetworkManager + dhcp + ipv6
Hi Patrick,

I did not disable it in grub or the module because of the Centos 7 FAQ tip:

"Upstream employee Daniel Walsh recommends not disabling the ipv6 module, as that can cause issues with SELinux and other components, but adding the following to /etc/sysctl.conf"

So I used only sysctl, but the dhcp client or NM or systemd overwrites the sysctl settings.

About using NM, I can't, because the VM is deployed from an OVA template; I can't connect to disable ipv6 until I get the ipv4 address.

If there's an NM conf to disable ipv6 on all NEW interfaces/connections, that will help me, so I can edit the OVA file.

From: CentOS on behalf of Patrick Laimbock
Sent: Wednesday, 22 March 2017 08:01:49
To: centos@centos.org
Subject: Re: [CentOS] Centos 7.3.1611 - NetworkManager + dhcp + ipv6

On 21-03-17 20:51, Diaulas Castro wrote:
> Used steps on sysctl from Centos7 FAQ (https://wiki.centos.org/FAQ/CentOS7)
> and some gathered on internet
>
> # cat /etc/sysctl.d/90-disable_ipv6.conf
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> net.ipv6.conf.eth0.disable_ipv6=1
> net.ipv6.conf.eth1.disable_ipv6=1
> net.ipv6.conf.all.use_tempaddr=0
> net.ipv6.conf.all.autoconf=0
> net.ipv6.conf.all.accept_ra=0
> net.ipv6.conf.default.autoconf=0
> net.ipv6.conf.default.accept_ra=0
> net.ipv6.conf.eth0.autoconf=0
> net.ipv6.conf.eth1.autoconf=0
>
>
> But with dhcp, NetworkManager (or something) reenables ipv6 on interfaces.
>
> #sysctl -a | grep ipv6 | grep disable
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.eth0.disable_ipv6 = 0
> net.ipv6.conf.eth1.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
>
> And the interface gets the ipv4 but still have temporary ipv6 on it (our dhcp
> doesnt support ipv6)
>
> # ip a s eth0
> 2: eth0: mtu 1500 qdisc mq state UP qlen
> 1000
>     link/ether 00:0c:29:31:5a:9d brd ff:ff:ff:ff:ff:ff
>     inet 10.10.216.247/24 brd 10.10.216.255 scope global dynamic eth0
>        valid_lft 451sec preferred_lft 451sec
>     inet6 fe80::20c:29ff:fe31:5a9d/64 scope link
>        valid_lft forever preferred_lft forever
>
> And this bugs my use for ovftool with the option "--X:waitForIp" because
> it's returns (mostly of times) the ipv6 addr
>
> It's a bug, missing documentation or my

IIRC you can disable IPv6 in NetworkManager with:

# nmcli connection modify eth0 ipv6.method ignore
# systemctl restart NetworkManager

or you can disable IPv6 entirely with:

# vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 "
# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot

HTH,
Patrick
Re: [CentOS] I want to connect to a l2tp server from centos.
Thanks!
Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Gordon Messmer
Sent: Monday, September 21, 2015 9:46 PM
To: CentOS mailing list
Subject: Re: [CentOS] I want to connect to a l2tp server from centos.

On 09/20/2015 05:50 PM, Eliezer Croitoru wrote:
> I do not have any security issue in this network.
> I need to connect to a remote network on a secure network.
> The options are pptp or l2tp(no ipsec encryption) so I do want to use
> l2tp like in (lac\lns) and I am looking for a client for CentOS.

The client is "xl2tpd", and you can find it in EPEL. Client setup is described here:
http://www.xinotes.net/notes/note/1524/
[CentOS] KVM guest fails to boot cleanly
I have a KVM vm running CentOS-6.8 on a host also running CentOS-6.8. This instance is used for occasional development projects which require segregation. Thus it is seldom accessed.

At some point in the recent past this guest developed an issue with starting. Specifically these messages were found in the system log files:

/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_cm_xnet245.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_00' [32.00 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_01' [32.00 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_02' [32.00 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet242.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet243.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet244.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages-20170312:Mar 10 16:31:06 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet245.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_cm_xnet245.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_00' [32.00 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_01' [32.00 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet241.harte-lyne.ca_02' [32.00 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet242.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet243.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet244.harte-lyne.ca_00' [31.25 GiB] inherit
/var/log/messages:Mar 20 08:52:10 vhost04 kernel: dracut: inactive '/dev/vg_vhost04/lv_vm_xnet245.harte-lyne.ca_00' [31.25 GiB] inherit

It appears that this issue was first encountered on March 10 as our log files go back much further than that and have no earlier record.

The symptom presented on the guest console during boot is:

Error 13: Invalid or unsupported executable format

Press any key to continue...

Pressing enter brings up the following text display

GNU GRUB version 0.97 (615K lower / 3668980K upper memory)

CentOS (2.6.32-641.15.1.el6.x86_64)
CentOS (2.6.32-641.13.1.el6.x86_64)
CentOS (2.6.32-641.11.1.el6.x86_64)
CentOS (2.6.32-641.2.1.el6.x86_64)

Use the and keys to select which entry is highlighted
Press enter to boot the selected OS, 'e' to edit . . .

The first choice repeats the Error. The second choice boots cleanly.

Looking at yum history I see this:

yum history
Loaded plugins: etckeeper, fastestmirror, priorities, refresh-packagekit, security
ID     | Login user | Date and time    | Action(s) | Altered
-------------------------------------------------------------
. . .
   368 | root       | 2017-03-10 16:46 | Update    |    4
   367 | root       | 2017-03-10 16:42 | E, U      |   35 EE
. . .

Looking at transaction 367 more closely we see that the kernel was updated to 2.6.32-642.15.1.el6.x86_64 on March 10 but that a number of errors, whose nature I do not comprehend, were also reported.

# yum history info 367
Loaded plugins: etckeeper, fastestmirror, priorities, refresh-packagekit, security
Transaction ID : 367
Begin time     : Fri Mar 10 16:42:32 2017
Begin rpmdb    : 1489:fd0eb9a01b1667f826b8fead9bc0a05e5bc43efd
End time       : 16:43:59 2017 (87 seconds)
End rpmdb      : 1461:cac690d6280fa97910ccb59d0d1f6d43990dfd0a
User           : root
Return-Code    : Success
Transaction performed with:
    Installed rpm-4.8.0-55.el6.x86_64 @base
    Installed yum-3.2.29-75.el6.centos.noarch @updates
    Installed yum-metadata-parser-1.1.2-16.el6.x86_64 @anaconda-CentOS-201207061011.x86_64/6.3
    Installed yum-plugin-fastestmirror-1.1.30-37.el6.noarch @base
    Installed yum-utils-1.1.30-37.el6.noarch @base
Packages Altered:
    Updated firefox-45.7.0-1.el6.centos.x86_64 @updates
    Update          45.7.0-2.el6.centos.x86_64 @updates
    Updated gnome-settings-daemon-2.28.2-35.el6.x86_64
Re: [CentOS-es] Port Problem with Firewalld and Iptables.
Done, the program that was listening on the port was not active.

Regards,

On March 22, 2017, at 10:09, Wilmer Arambula wrote:

> Thanks for your reply. Yes, I had indeed already done what you
> suggested; in fact I have been able to open ports without problems using
> services, and they work correctly. The problem is when I try to do it
> by port range:
>
> $ sudo firewall-cmd --zone=external --list-all
> external (active)
> target: default
> icmp-block-inversion: no
> interfaces: venet0:0
> sources:
> services: dhcpv6-client http https imaps smtp smtps ssh webmin
> ports: 35500-36000/tcp 35500-36000/udp
> protocols:
> masquerade: yes
> forward-ports:
> sourceports:
> icmp-blocks: echo-reply echo-request
> rich rules:
> rule family="ipv4" source address="200.20.245.102/32" port port="3306" protocol="tcp" accept
>
> As you can see it is correct, but it does not work for me and I don't
> understand why.
>
> Regards,
>
> On March 22, 2017, at 9:03, Arturo Diaz D. wrote:
>
>> Wilmer
>>
>> You are confused: firewalld and iptables are different security
>> services and, what is more, they should not coexist.
>>
>> You must stop and mask the iptables service so that firewalld
>> works correctly.
>>
>> This link may help you
>>
>> https://www.unixmen.com/iptables-vs-firewalld/
>>
>> Kind regards
>>
>> -
>> *Arturo Diaz D.*
>> *RHCE /RHCSA*
>> *Skype arturodiaz.d*
>> *Linkedin *https://cl.linkedin.com/in/arturodiazdiaz
>>
>> On March 22, 2017, at 9:53, Wilmer Arambula <tecnologiaterab...@gmail.com> wrote:
>>
>> > Good morning, I am trying to open a range of ports through Firewalld
>> > (Iptables) but I cannot get them open:
>> >
>> > Command:
>> >
>> > sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/tcp
>> > sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/udp
>> > sudo firewall-cmd --reload
>> > sudo iptables -L
>> >
>> > Chain IN_external_allow (1 references)
>> > target prot opt source destination
>> > ACCEPT tcp -- anywhere anywhere tcp dpts:35500:36000 ctstate NEW
>> > ACCEPT udp -- anywhere anywhere udp dpts:35500:36000 ctstate NEW
>> >
>> > but when I check, the ports are closed. Any ideas? I even put them
>> > in the dms zone and nothing.
>> >
>> > --
>> > *Wilmer Arambula. *

___
CentOS-es mailing list
CentOS-es@centos.org
https://lists.centos.org/mailman/listinfo/centos-es
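The outcome of this thread (the port range was allowed in firewalld, but the program behind the ports was not running) is a check that can be scripted. The following is an added example, not part of the original messages: the socket list, the function names and port 8080 are constructed for illustration, and only the firewalld "ports:" list is evaluated, not services or rich rules.

```shell
#!/bin/sh
# Constructed sample data, not taken from the thread.
# FW_PORTS: the "ports:" value of `firewall-cmd --zone=external --list-all`.
# SS_TCP: listening TCP sockets in the column layout of `ss -ltn`, header removed.
FW_PORTS='35500-36000/tcp 35500-36000/udp'
SS_TCP='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 100 127.0.0.1:35510 0.0.0.0:*
LISTEN 0 128 [::]:35600 [::]:*'

# port_allowed PORT PROTO ENTRIES: succeed if PORT/PROTO falls inside one of
# the firewalld port entries (single port or lo-hi range). Services and rich
# rules are deliberately not evaluated here.
port_allowed() {
    for entry in $3; do
        proto=${entry#*/}
        range=${entry%/*}
        [ "$proto" = "$2" ] || continue
        lo=${range%-*}
        hi=${range#*-}
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# listener_scope PORT SS_LINES: print none, loopback-only or reachable,
# depending on which local addresses have a listener on PORT.
listener_scope() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port != p) next
            if (addr ~ /^127\./ || addr == "[::1]") loop = 1
            else ext = 1
        }
        END { print (ext ? "reachable" : (loop ? "loopback-only" : "none")) }'
}

# diagnose PORT: combine the firewall view and the socket view for a TCP port.
diagnose() {
    if ! port_allowed "$1" tcp "$FW_PORTS"; then
        echo "blocked-by-firewall"
        return 0
    fi
    case $(listener_scope "$1" "$SS_TCP") in
        reachable)     echo "open" ;;
        loopback-only) echo "allowed-but-loopback-only" ;;
        *)             echo "allowed-but-no-listener" ;;
    esac
}

for p in 35500 35510 35600 8080; do
    echo "$p/tcp: $(diagnose "$p")"
done
```

A port reported as allowed-but-no-listener looks closed to a remote scan even though the firewall rule is present, which is the situation described in the reply above.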
Re: [CentOS-virt] grub-bootxen.sh
I actually move the default *.repo files and replace them with "".

The thing is that Katello turns all the downloaded yum content into a single redhat.repo file and I don't have to install any more *-release-* rpms any more.

I would argue that I should not need to install any *-release-* rpms at all to get all the required software.

On 03/22/2017 09:34 AM, -=X.L.O.R.D=- wrote:

Maybe you just don't need to remove anything at all but just move them to another folder that does the same goal.
For *-release-*.rpm, again it is explained itself.

Xlord

-Original Message-
From: CentOS-virt [mailto:centos-virt-boun...@centos.org] On Behalf Of Alvin Starr
Sent: Tuesday, March 21, 2017 1:45 AM
To: centos-virt@centos.org
Subject: [CentOS-virt] grub-bootxen.sh

This is not a big issue just a minor annoyance.

I use Foreman to provision my systems and to keep control I remove all the default *.repo files and keep away from installing more *.repo files so I can control the content via the foreman(katello) provided redhat.repo.

I would argue that the *-release-*.rpm should not contain any setup code but just the stuff in /etc/yum.repos.d.

--
Alvin Starr || voice: (905)513-7688
Netvel Inc. || Cell: (416)806-0133
al...@netvel.net ||

___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt
Re: [CentOS] RHEL 6.9 is out
On Wed, Mar 22, 2017 at 9:16 AM, Valeri Galtsev wrote:

>
> On Wed, March 22, 2017 7:46 am, Phelps, Matthew wrote:
> > Red Hat released RHEL 6.9 yesterday.
> >
> > Why isn't CentOS 6.9 out yet? :)
> >
>
> Somebody has to do a hard work, I'm sure. Thanks, guys for the great work
> you are doing!
>
> Or you as sysadmin know that and just being ironic?
>
> Valeri
>

To be clear, I was being ironic. Hence the smiley face.

I just wanted to start a thread for future updates to appear in.

--
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] RHEL 6.9 is out
On Wed, March 22, 2017 7:46 am, Phelps, Matthew wrote:
> Red Hat released RHEL 6.9 yesterday.
>
> Why isn't CentOS 6.9 out yet? :)
>

Somebody has to do a hard work, I'm sure. Thanks, guys for the great work you are doing!

Or you as sysadmin know that and just being ironic?

Valeri

>
>
> --
> Matt Phelps
> System Administrator, Computation Facility
> Harvard - Smithsonian Center for Astrophysics
> mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS-es] Port Problem with Firewalld and Iptables.
And is your SELinux enabled? I am sure SELinux is blocking what you want to do.

P.S.: firewalld and iptables are different, but you can disable firewalld and install iptables.

Regards

*Pablo Flores Aravena*
Computer Engineer
Sysadmin, Centro de Tecnología de la Información CTI-FAVET
Facultad de Cs. Veterinarias y Pecuarias - Universidad de Chile
Tel: +56 (02) 2978 56 31 - +56 (02) 2978 55 46

On March 22, 2017, at 10:03, Arturo Diaz D. wrote:

> Wilmer
>
> You are confused: firewalld and iptables are different security
> services and, what is more, they should not coexist.
>
> You must stop and mask the iptables service so that firewalld
> works correctly.
>
> This link may help you
>
> https://www.unixmen.com/iptables-vs-firewalld/
>
> Kind regards
>
> -
> *Arturo Diaz D.*
> *RHCE /RHCSA*
> *Skype arturodiaz.d*
> *Linkedin *https://cl.linkedin.com/in/arturodiazdiaz
>
> On March 22, 2017, at 9:53, Wilmer Arambula <tecnologiaterab...@gmail.com> wrote:
>
> > Good morning, I am trying to open a range of ports through Firewalld
> > (Iptables) but I cannot get them open:
> >
> > Command:
> >
> > sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/tcp
> > sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/udp
> > sudo firewall-cmd --reload
> > sudo iptables -L
> >
> > Chain IN_external_allow (1 references)
> > target prot opt source destination
> > ACCEPT tcp -- anywhere anywhere tcp dpts:35500:36000 ctstate NEW
> > ACCEPT udp -- anywhere anywhere udp dpts:35500:36000 ctstate NEW
> >
> > but when I check, the ports are closed. Any ideas? I even put them
> > in the dms zone and nothing.
> >
> > --
> > *Wilmer Arambula. *
Re: [CentOS-es] Port Problem with Firewalld and Iptables.
Wilmer

You are confused: firewalld and iptables are different security services and, what is more, they should not coexist.

You must stop and mask the iptables service so that firewalld works correctly.

This link may help you

https://www.unixmen.com/iptables-vs-firewalld/

Kind regards

-
*Arturo Diaz D.*
*RHCE /RHCSA*
*Skype arturodiaz.d*
*Linkedin *https://cl.linkedin.com/in/arturodiazdiaz

On March 22, 2017, at 9:53, Wilmer Arambula wrote:

> Good morning, I am trying to open a range of ports through Firewalld
> (Iptables) but I cannot get them open:
>
> Command:
>
> sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/tcp
> sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/udp
> sudo firewall-cmd --reload
> sudo iptables -L
>
> Chain IN_external_allow (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpts:35500:36000 ctstate NEW
> ACCEPT udp -- anywhere anywhere udp dpts:35500:36000 ctstate NEW
>
> but when I check, the ports are closed. Any ideas? I even put them
> in the dms zone and nothing.
>
> --
> *Wilmer Arambula. *
[CentOS-es] Port Problem with Firewalld and Iptables.
Good morning, I am trying to open a range of ports through Firewalld (Iptables) but I cannot get them open:

Command:

sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/tcp
sudo firewall-cmd --permanent --zone=external --add-port=35500-36000/udp
sudo firewall-cmd --reload
sudo iptables -L

Chain IN_external_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:35500:36000 ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpts:35500:36000 ctstate NEW

but when I check, the ports are closed. Any ideas? I even put them in the dms zone and nothing.

--
*Wilmer Arambula. *
[CentOS] RHEL 6.9 is out
Red Hat released RHEL 6.9 yesterday.

Why isn't CentOS 6.9 out yet? :)

--
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu
Re: [CentOS-virt] Xen C6 kernel 4.9.13 and testing 4.9.15 only reboots.
The last few lines are

NMI watchdog: disabled CPU0 hardware events not enabled
NMI watchdog: shutting down hard lockup detector on all CPUS
installing Xen timer for CPU1
installing Xen timer for CPU2
installing Xen timer for CPU3
installing Xen timer for CPU4
installing Xen timer for CPU5
installing Xen timer for CPU6

Here is the screen shot: https://goo.gl/photos/yNQqaQY9bJBWQ84X8

It stops at CPU6. This is a dual socket server with 2x 6core L5639 CPUs (HT disabled). I'm surprised to see it stop at 6.

Thanks
PJ

On Tue, Mar 21, 2017 at 1:39 PM, Kevin Stange wrote:

> On 03/21/2017 07:48 AM, PJ Welsh wrote:
> > On Mon, Mar 20, 2017 at 5:21 PM, Ricardo J. Barberis wrote:
> >
> > > On Monday 20/03/2017, PJ Welsh wrote:
> > > > Still just starts the kernel and within 4 seconds reboots with 4.9.16-24.
> > > > Thanks
> > > > PJ
> > >
> > > Edit grub's entry and add "noreboot" to your xen parameters, maybe
> > > when the kernel panics xen detects it and automatically reboots it.
> >
> > "noreboot" grub.conf option still produced nothing other than a flashing
> > cursor on the top left. Also, neither num-lock nor caps-lock respond at
> > this time... I seem no closer with helpful information other than, "it's
> > broken" :(
> > Here is the grub.conf stanza for the kernel:
> > title CentOS (4.9.16-24.el6.centos.plus.x86_64)
> > root (hd0,1)
> > kernel /boot/xen.gz dom0_mem=3G,max:3G cpuinfo com1=115200,8n1 console=com1,tty loglvl=all guest_loglvl=all noreboot
> > module /boot/vmlinuz-4.9.16-24.el6.centos.plus.x86_64 ro root=UUID=bc0727e1-882c-4fbc-a4d9-e4cf754d72b7 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet reboot=pci max_loop=64
> > module /boot/initramfs-4.9.16-24.el6.centos.plus.x86_64.img
>
> Try removing "rhgb" and "quiet" from your boot options as well.
>
> --
> Kevin Stange
> Chief Technology Officer
> Steadfast | Managed Infrastructure, Datacenter and Cloud Services
> 800 S Wells, Suite 190 | Chicago, IL 60607
> 312.602.2689 X203 | Fax: 312.602.2688
> ke...@steadfast.net | www.steadfast.net
Re: [CentOS] Centos 7.3.1611 - NetworkManager + dhcp + ipv6
On 21-03-17 20:51, Diaulas Castro wrote:

> Used steps on sysctl from Centos7 FAQ (https://wiki.centos.org/FAQ/CentOS7) and some gathered on internet
>
> # cat /etc/sysctl.d/90-disable_ipv6.conf
> net.ipv6.conf.all.disable_ipv6=1
> net.ipv6.conf.default.disable_ipv6=1
> net.ipv6.conf.eth0.disable_ipv6=1
> net.ipv6.conf.eth1.disable_ipv6=1
> net.ipv6.conf.all.use_tempaddr=0
> net.ipv6.conf.all.autoconf=0
> net.ipv6.conf.all.accept_ra=0
> net.ipv6.conf.default.autoconf=0
> net.ipv6.conf.default.accept_ra=0
> net.ipv6.conf.eth0.autoconf=0
> net.ipv6.conf.eth1.autoconf=0
>
> But with dhcp, NetworkManager (or something) reenables ipv6 on interfaces.
>
> #sysctl -a | grep ipv6 | grep disable
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.eth0.disable_ipv6 = 0
> net.ipv6.conf.eth1.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
>
> And the interface gets the ipv4 but still have temporary ipv6 on it (our dhcp doesn't support ipv6)
>
> # ip a s eth0
> 2: eth0:mtu 1500 qdisc mq state UP qlen 1000
> link/ether 00:0c:29:31:5a:9d brd ff:ff:ff:ff:ff:ff
> inet 10.10.216.247/24 brd 10.10.216.255 scope global dynamic eth0
> valid_lft 451sec preferred_lft 451sec
> inet6 fe80::20c:29ff:fe31:5a9d/64 scope link
> valid_lft forever preferred_lft forever
>
> And this bugs my use for ovftool with the option "--X:waitForIp" because it's returns (mostly of times) the ipv6 addr
>
> It's a bug, missing documentation or my

IIRC you can disable IPv6 in NetworkManager with:

# nmcli connection modify eth0 ipv6.method ignore
# systemctl restart NetworkManager

or you can disable IPv6 entirely with:

# vi /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 "
# grub2-mkconfig -o /boot/grub2/grub.cfg
# reboot

HTH,
Patrick
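The mismatch shown in the quoted message (the sysctl.d file asks for disable_ipv6=1 on eth0, the running kernel reports 0) can be detected mechanically. The following is an added example, not part of the original messages: the function names are made up for illustration, the two inputs are the disable_ipv6 lines quoted above, and the script only reports the difference without identifying which component changed the value.

```shell
#!/bin/sh
# DESIRED: the disable_ipv6 lines of /etc/sysctl.d/90-disable_ipv6.conf as
# quoted in the message. RUNTIME: the `sysctl -a` lines quoted in the message.
DESIRED='net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.eth0.disable_ipv6=1
net.ipv6.conf.eth1.disable_ipv6=1'
RUNTIME='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1'

# sysctl_drift DESIRED RUNTIME: print one line per configured key whose
# value differs from, or is absent in, the runtime listing.
sysctl_drift() {
    { printf '%s\n' "$1"; echo '--runtime--'; printf '%s\n' "$2"; } | awk '
        $0 == "--runtime--" { runtime = 1; next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (runtime) have[key] = val
            else if (!(key in want)) { want[key] = val; order[++n] = key }
            else want[key] = val                   # a later line overrides
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (!(key in have)) print key " want=" want[key] " have=unset"
                else if (have[key] != want[key])
                    print key " want=" want[key] " have=" have[key]
            }
        }'
}

# drifted_interfaces DESIRED RUNTIME: interface names whose runtime
# disable_ipv6 value no longer matches the configuration file.
drifted_interfaces() {
    sysctl_drift "$1" "$2" |
        sed -n 's/^net\.ipv6\.conf\.\([^ ]*\)\.disable_ipv6 .*/\1/p'
}

sysctl_drift "$DESIRED" "$RUNTIME"
```

On a live host the two arguments would come from the configuration file and from `sysctl -a`; run after the network is up, the check shows whether the hardening setting survived interface activation.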