Re: [CentOS] Latest firefox upgrade crashes

2024-01-24 Thread Kenneth Porter

On 1/18/2024 10:06 AM, Simon Matter wrote:

Attached is the console output of when running Firefox.


BTW, for big logs and similar data, I recommend using a pastebin.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] ssh keys hostname VS fqdn - offends?

2024-01-01 Thread Kenneth Porter
--On Monday, January 01, 2024 1:01 PM +0100 lejeczek via CentOS 
 wrote:



-> $ ssh box5.proxmox.mine hostname -i
10.3.1.78

-> $ ssh box5 hostname -i
Warning: the RSA host key for 'box5' differs from the key for the IP
address '10.3.1.78'
Offending key for IP in /root/.ssh/known_hosts:2
Matching host key in /etc/ssh/ssh_known_hosts:2
Are you sure you want to continue connecting (yes/no)? yes
10.3.1.78

This is same one host I _ssh_ to.
Is this purely _ssh_ and way to fix it would be 'configuration' or
perhaps (ssh &) something else?
I don't quite get what exactly is happening here.


When you create a new ssh host (ie. run sshd) for the first time, a host 
key is created that uniquely identifies the host. When a client connects to 
that host for the first time, it caches that key in its ssh_known_hosts 
file. It's just a line of text with the host name (or IP address if no 
name) and its key. If the client later connects and discovers a different 
key, that's a clue that someone is trying to scam you and pretend to be 
that trusted host. If you know the host is ok, then something changed its 
key. The simple fix for that is to remove any lines in ssh_known_hosts for 
that host and let the client re-learn the new key. But be sure you're 
really connecting to the host you think you're connecting to. On a 
corporate network, an evil machine might be using ARP spoofing to pretend 
to be the IP you want.



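The check behind the warning in the post above, as an added example that is not code from the thread or from OpenSSH: it reads a known_hosts file, matches plain, comma-separated and hashed (HashKnownHosts) host patterns, and reports whether the key stored for a host name and the key stored for its IP address agree. The known_hosts text and the key blobs are constructed placeholders, not real host keys.

```python
"""Compare the ssh host keys cached for a host name and for its IP address.

Added example, not code from the CentOS thread above. The known_hosts
text and the key blobs are constructed placeholders, not real host keys.
"""
import base64
import hashlib
import hmac


def fingerprint(b64_key: str) -> str:
    """Fingerprint in the form 'ssh-keygen -lf' prints: SHA256 of the raw blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_pattern(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pattern_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma separated, or hashed) names `host`."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(mac_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return host in pattern.split(",")


def keys_for(known_hosts: str, host: str) -> dict:
    """Map key type -> fingerprint for every non-revoked entry matching `host`."""
    found = {}
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            if fields[0] == "@revoked":
                continue
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if pattern_matches(fields[0], host):
            found[fields[1]] = fingerprint(fields[2])
    return found


def check_name_vs_ip(known_hosts: str, name: str, ip: str) -> str:
    """'match', 'mismatch' or 'unknown': the comparison behind ssh's 'host key differs' warning."""
    by_name, by_ip = keys_for(known_hosts, name), keys_for(known_hosts, ip)
    shared = set(by_name) & set(by_ip)
    if not shared:
        return "unknown"
    return "mismatch" if any(by_name[t] != by_ip[t] for t in shared) else "match"


def sample_known_hosts() -> str:
    """Constructed known_hosts content mirroring the thread: the short name and the IP were
    learned separately and carry different keys; the FQDN was stored hashed and agrees with the IP."""
    key_a = base64.b64encode(b"placeholder key A, not a real host key").decode()
    key_b = base64.b64encode(b"placeholder key B, not a real host key").decode()
    salt = hashlib.sha1(b"constructed salt").digest()   # 20 bytes, the size ssh uses
    return "\n".join([
        "# constructed for the example",
        "box5 ssh-rsa " + key_a,
        "10.3.1.78 ssh-rsa " + key_b,
        hashed_pattern("box5.proxmox.mine", salt) + " ssh-rsa " + key_b,
    ])


if __name__ == "__main__":
    kh = sample_known_hosts()
    print("box5 vs 10.3.1.78:", check_name_vs_ip(kh, "box5", "10.3.1.78"))
    print("box5.proxmox.mine vs 10.3.1.78:", check_name_vs_ip(kh, "box5.proxmox.mine", "10.3.1.78"))
```

On a real system the equivalent lookups are "ssh-keygen -F box5" and "ssh-keygen -F 10.3.1.78"; "ssh-keygen -R box5" removes the stale entry, and the fingerprint that the script prints can be compared with "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" run on the console of the real host before trusting the new key.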


[CentOS] selinux blocks rsync client in systemd service

2023-11-03 Thread Kenneth Porter
I'm trying to slurp a CentOS 7's filesystem to another CentOS 7 system 
using rsyncd on the supplying side and rsync running as a client in a timer 
unit on the client side. My backup script on the backup system runs fine 
from the command line. When run from a systemd timer unit, rsync sends 
nothing to the systemd log and I see a denial in the audit log for a Unix 
domain socket in init_t context. I'm guessing it's trying to write to 
stdout which is getting redirected to systemd's log. The service unit file 
has StandardOutput=syslog in order to capture the list of files backed up.


The following selinux rule seems to fix this:

allow rsync_t init_t:unix_stream_socket { getattr read write };

I also found it necessary to add --no-devices and --no-specials to my 
backup script, but I can live with that. A few devices show up in chroots 
and postfix has some sockets in its package. Those are easily recreated if 
I need to do a restore.


So is this selinux rule an oversight? Should there be an rsync bool for it? 
Or was this fixed in a more recent version of systemd?


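How the allow rule in the post above is derived from the audit log, as an added example (not code from the thread and not audit2allow itself, though it does the same aggregation): it parses AVC denial records, groups the denied permissions per source type, target type and object class, and renders both the allow rules and a type-enforcement module that can be compiled with checkmodule and semodule_package. The audit lines are constructed to mirror the denial the post describes; the pid, inode and timestamps are made up.

```python
"""Turn SELinux AVC denials into the allow rules a local policy module needs.

Added example, not code from the thread. The audit lines below are
constructed to mirror the denial the post describes (rsync_t on a
unix_stream_socket labelled init_t); pid, inode and timestamps are made up.
"""
import re
from collections import defaultdict

# constructed sample; real lines come from /var/log/audit/audit.log or `ausearch -m avc`
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1699000000.123:4567): avc:  denied  { write } for  pid=12345 comm="rsync" path="socket:[98765]" dev="sockfs" ino=98765 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1699000000.123:4568): avc:  denied  { read } for  pid=12345 comm="rsync" path="socket:[98765]" dev="sockfs" ino=98765 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1699000000.124:4569): avc:  denied  { getattr } for  pid=12345 comm="rsync" path="socket:[98765]" dev="sockfs" ino=98765 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1699000000.124:4569): arch=c000003e syscall=1 success=no exit=-13 comm="rsync"
"""

# security contexts are user:role:type[:range]; only the type matters for the rule
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+)'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+)'
    r'.*?tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text: str) -> dict:
    """Aggregate denied permissions per (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # SYSCALL, PATH and other record types
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def allow_rules(denials: dict) -> list:
    """Render 'allow src tgt:class { perms };' lines, sorted for stable output."""
    return [
        "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))
        for (stype, ttype, tclass), perms in sorted(denials.items())
    ]


def policy_module(name: str, denials: dict) -> str:
    """Type-enforcement source for a local module (the .te file checkmodule compiles)."""
    types = sorted({t for stype, ttype, _ in denials for t in (stype, ttype)})
    per_class = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        per_class[tclass].update(perms)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(per_class.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(policy_module("rsync_local", found))
    # build and load on the host:
    #   checkmodule -M -m -o rsync_local.mod rsync_local.te
    #   semodule_package -o rsync_local.pp -m rsync_local.mod
    #   semodule -i rsync_local.pp
```

Before loading a custom module it is worth checking "getsebool -a | grep rsync" for an existing boolean that covers the case, and re-running the unit with the module loaded to confirm no further denials appear in "ausearch -m avc -ts recent"; a denial on a socket inherited from systemd is exactly the kind of thing a custom allow rule should cover narrowly rather than by switching the domain to permissive.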


Re: [CentOS] old website keep reappearing in /var/www/html

2023-09-07 Thread Kenneth Porter

On 9/7/2023 11:19 AM, Marco Fioretti wrote:
It's as if there were some hidden cron job somewhere that runs hugo on 
the OLD source files, but I can't find it. All the standard methods 
one can find by googling "how to list all cron jobs" don't show 
anything that may be the reason.


Also check for systemd timer units in all the systemd unit directories.

Check the system log files when this happens ("ls -lt /var/log | head") 
to see if something's running at that moment.


Run top as it happens to see what jumps to the top of the process list.

Use chattr to mark the files immutable and see what complains when it 
fails to change the content.





[CentOS] kernel: net_ratelimit: 18 callbacks suppressed

2023-08-06 Thread Kenneth Porter
CentOS 7.9 system. My 2 servers at home have been spewing this error 
message every few minutes to /var/log/messages. But there's no preceding 
message to tell me what's being suppressed. From googling for this, I 
understand that the failure to log the real message is a bug in the v3 
series kernels and v4 fixes that.


2 servers at the office and another on a VPS with 7.9 do NOT issue this 
message. So I'm guessing something on my home LAN is causing it. Running 
tcpdump, I don't see any correlation between LAN traffic and ratelimit 
messages, though.


Any suggestions on how to diagnose this?




Re: [CentOS] Current RHEL fragmentation landscape

2023-07-21 Thread Kenneth Porter

On 7/21/2023 1:57 AM, Ian B wrote:

We just have 5 servers, and don't want any personal support. We'd be fine
to pay what we'd consider a reasonable fee I think. I contacted Redhat to
ask about their licensing and if we could fit somehow into it (i.e the
personal support & 16 machine type license), but they could never give us a
straight answer, so the implication was we couldn't be certain we weren't
breaking any t I also thought maybe they'd make an offer or something,
but never did. The costs are just too high for some people for what they
are offering.


I have about the same number of CentOS 7 servers and have never felt the 
need to call RH for help. At most, I'd check online for a solution and 
find it's maybe behind RH's paywall. If anything, I work the problem on 
my own (maybe using a specific package's own support list) and supply 
the fix to Bugzilla (as well as upstream). Now I'm feeling reluctant to 
do that.





Re: [CentOS] Compare directories and files including files content from both node1 and node2

2023-02-10 Thread Kenneth Porter

On 2/9/2023 8:43 AM, Harshal Lakare wrote:

2) Use rsync to compare files between two node , if there is any difference
between source and destination then rsync will sync differential file.


Use --dry-run to do this non-destructively, with the verbose flag to 
list the differences.






Re: [CentOS] Looking for a RAID1 box

2023-01-04 Thread Kenneth Porter
--On Wednesday, January 04, 2023 7:47 PM +0100 Michael Schumacher 
 wrote:



my old home server needed too much energy (~80VA) permanently, so I went
for an https://www.hardkernel.com/shop/odroid-h3-plus/ The manufacturer
is located in Korea and has dealers around the world. Put it in one of
their cases https://www.hardkernel.com/shop/odroid-h3-case-type-1/ add
two drives and you will have a system that consumes less than 20VA under
load, less than 15VA idle. My new system is just doing its job, the whole
thing will be below 250USD excluding drives.


That has 2x 2.5 Gbps ports, which would be nice for a simple home router. 
Is there a 3x or 4x 1 Gbps version? I was considering a Firewalla with 4x 
2.5 Gbps ports, as I have two ISPs for redundancy. (One is 1 Gbps 
symmetric.) But they're about 2.5x that price. Review:






Re: [CentOS] LibreOffice on CentOS 7

2022-11-02 Thread Kenneth Porter

--On Wednesday, November 02, 2022 3:53 PM + jefflp...@twc.com wrote:


 A general dislike of anything that gets between the operating system
and an application potentially introducing its own complications.


Such problems are inevitable when you choose the long-term stability of an 
old operating system like RHEL. There will always be a tug-of-war between 
the needs of bleeding-edge apps and the aging OS. Apps want to use features 
in the latest libraries. So they're either crippled when run on the older 
OS or they carry more recent copies of those libraries with them, solely 
for their own use.


I'm a fan of sandboxing for security. I've installed web applications (like 
NodeRED and WordPress) in their own user directories to protect the OS. The 
trendy solution is containers. I'm worried about how easy it is to back 
those up. Do I back up the contents, or the whole container file? Ideally 
I'd just need to incrementally back up the locally-changing part, the 
configuration and data, since the installer has everything else. The other 
solution is OS-independent packaging, like those you named. I wasn't 
familiar with them so I looked them up:






Re: [CentOS] Microsoft deprecation of basic authentication centos 7

2022-10-14 Thread Kenneth Porter
--On Friday, October 14, 2022 1:33 PM -0400 mario juliano grande-balletta 
 wrote:



Trust me, I loathe anything microsoft, ugh.


OAuth is an open standard. MS (along with several other tech giants) is 
using it instead of a proprietary solution.








Re: [CentOS] Measure Linux process system metrics.

2022-10-09 Thread Kenneth Porter
--On Monday, October 10, 2022 12:42 AM +0530 Kaushal Shriyan 
 wrote:



Is there a way to check which process consumed network throughput, memory,
cpu load, cpu usage, disk io on CentOS Linux release 7.9.2009 (Core) on a
specific date on Sept 28, 2022?


Take a look at Cacti:







Re: [CentOS] OT:: Multiple PHP versions

2022-08-15 Thread Kenneth Porter

--On Monday, August 15, 2022 1:03 PM -0400 H  wrote:


While I would prefer to install php 7.4 from SCL, both IUS and Remi's
repositories do carry it. Do you see a reason to choose one over the
other bearing in mind I need to have multiple versions installed used by
different web apps?


I'm a minor PHP user and 7.3 has been adequate for running WordPress. So I 
haven't felt pressured to investigate the IUS and Remi offerings.


I'd suggest downloading both and querying the packages to compare. Use "rpm 
-qplv" to list the files included, and "rpm -qp --scripts" to see what 
other modifications they'll make to your system. I always do that on 
"alien" packages to make sure they won't do anything unexpected to my 
system. (I so wish Windows packaging was this simple!)






Re: [CentOS] OT:: Multiple PHP versions

2022-08-14 Thread Kenneth Porter

On 8/14/2022 12:36 PM, H wrote:

I do not see SCL having php 7.4, only php 7.3, or did I miss it?


I don't see it, either. I suggest getting the source for 7.2 or 7.3 and 
updating it to 7.4. Your contribution to the community would be welcome!





Re: [CentOS] how to wild-card autofs mount - ?

2022-07-15 Thread Kenneth Porter

On 7/15/2022 11:36 AM, lejeczek via CentOS wrote:


any autofs wizard reading this and can tell how to "wild-card" this:

/home/e23/U: -fstype=nfs4,acl 10.3.3.1:/USER-HOME/e23

I tried $USER in obvious place but it did not mount. 


This article has some suggestions:

https://www.learnitguide.net/2016/01/automount-home-directories-over-nfs-linux.html

Also try "man 5 autofs" to see its man page.




[CentOS] Mailing list archives pretty but need to be wider

2022-05-10 Thread Kenneth Porter
The CSS for the list archives should specify a slightly larger width for 
the message text.


Archives for this list: 

I looked up a useful reply in the archives for sharing elsewhere and found 
that they're nicely-formatted but the message display is a little narrow so 
the normal email wrapping column is wider than allowed by the archive 
page's CSS, resulting in text lines getting truncated unpleasantly. I'm 
guessing it's wrapping at 72 columns instead of 80 but I'm not enough of a 
CSS wizard to find how the element width is set but adding about 10% would 
probably fix it.


Here's an example where the last 2-3 words of each line get wrapped to the 
next line:




(It's not as obvious in posts quoting a config file because those tend to 
be narrow and don't overflow the narrowed right margin. Looking up this 
message in the archives should show the problem, though.)




Re: [CentOS] IPv6 token with /60 and prefix delegation

2022-05-09 Thread Kenneth Porter
--On Monday, May 09, 2022 12:16 PM -0500 Ian Pilcher  
wrote:



So right now, you're assigning a /60 address to your LAN interface?  If
so, you almost certainly shouldn't do that.  Instead, you should (as you
say) pick a /64 from within the delegated /60 and use that subnet.  (The
other /64 subnets within the /60 can be used for other VLANs.)


Agreed. So should I just hard-code all 128 bits of the public address? 
That's not a terrible thing, since I have to update the DNS anyway if the 
prefix changes.


It sounds like the real problem is simply that this /64 requirement isn't 
documented anywhere in using "ip token" or the other automatic address 
modes. I had to find it in the source code to find out why it wasn't 
working. There's a line to log when the prefix isn't 64, but it's only 
printed when that line is explicitly enabled to log for debugging, so 
nobody would see it in normal operation and realize what was wrong.



The details of doing this are going to be dependent on what software
you're using to manage the network - NetworkManager, ISC DHCP client,
etc.


Right now it's a CentOS 8 system running NetworkManager. The LAN side is 
going to run the Kea DHCP server but for now I'm just trying to get the WAN 
side going.


It seems there's not much machinery for automatically delegating and I'll 
have to hard-code it all in NetworkManager and Kea. Did I miss any magic 
for making a gateway work without lots of manual configuration?





[CentOS] IPv6 token with /60 and prefix delegation

2022-05-08 Thread Kenneth Porter
I'm trying to figure out how to assign a "static" address that 
automatically sets the prefix to what the ISP delegates. It seemed like the 
token system would accomplish that, but reading the kernel source code, 
I've discovered that tokens only work with a /64 delegation. My ISP offers 
a /60, so the token is ignored and I get a random address, instead.


Is there some way to use prefix delegation to pick a /64 from the /60 and 
loop it back onto the same interface to make it use the token? Or is this 
/64 restriction actually a kernel bug?


See line 2788 here, where the token is ignored if the prefix isn't /64:



Am I reading the code wrong? It looks like all the autoconf stuff that 
computes interface addresses breaks with smaller prefixes.


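The arithmetic the two posts above are circling, as an added example (not code from the thread, from NetworkManager or from the kernel): given a delegated prefix wider than /64, pick one of its /64 subnets, combine it with an "ip token"-style interface identifier, and produce the static address to configure; it also refuses tokens and prefixes the kernel autoconf path cannot use. The prefix and token are constructed from the documentation range, not the poster's allocation, and the /64 check mirrors the behaviour the poster found in the source without quoting it.

```python
"""Pick a /64 out of a delegated prefix and combine it with an interface token.

Added example, not code from the thread. The prefix and token values are
constructed from the IPv6 documentation range, not a real allocation.
"""
import ipaddress

TOKEN_BITS = 64  # the token supplies the low 64 bits (interface identifier)


def parse_token(token: str) -> int:
    """'::100' style token -> integer interface identifier; reject anything above the low 64 bits."""
    value = int(ipaddress.IPv6Address(token))
    if value >> TOKEN_BITS:
        raise ValueError("token %s sets bits above the low 64" % token)
    return value


def subnet_from_delegation(delegated: str, index: int) -> ipaddress.IPv6Network:
    """Return the index-th /64 inside a delegated prefix of length <= 64."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > TOKEN_BITS:
        raise ValueError("delegation %s is longer than /64; no room for a token" % delegated)
    count = 1 << (TOKEN_BITS - net.prefixlen)       # a /60 holds sixteen /64s
    if not 0 <= index < count:
        raise ValueError("%s contains only %d /64 subnets" % (delegated, count))
    base = int(net.network_address) + (index << (128 - TOKEN_BITS))
    return ipaddress.IPv6Network((base, TOKEN_BITS))


def tokenized_address(delegated: str, index: int, token: str) -> str:
    """The address to configure statically once the prefix is known: chosen /64 + token."""
    sub = subnet_from_delegation(delegated, index)
    addr = ipaddress.IPv6Address(int(sub.network_address) | parse_token(token))
    return "%s/%d" % (addr, TOKEN_BITS)


def kernel_would_apply_token(prefix: str) -> bool:
    """Mirror the restriction the post found: autoconf combines a token only with a /64 prefix."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen == TOKEN_BITS


if __name__ == "__main__":
    delegated = "2001:db8:abcd:ff00::/60"          # constructed example delegation
    print(kernel_would_apply_token(delegated))       # False: token ignored, random address
    print(tokenized_address(delegated, 2, "::100"))  # 2001:db8:abcd:ff02::100/64
    for i in range(4):
        print(subnet_from_delegation(delegated, i))
```

The address this prints is what would go into a static NetworkManager IPv6 configuration for the WAN side, with the remaining /64s of the delegation left for the LAN or other VLANs; when the ISP changes the delegated prefix the value has to be regenerated, which is the manual step the poster was trying to avoid.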


Re: [CentOS] Raspberry Pi 4 and C++ 17

2022-04-25 Thread Kenneth Porter
Have you built RPMs from their source SRPMs before? I'd suggest getting one 
of the SRPMs from SCL and building it on the Pi. You'll probably have to 
incrementally build the whole tool chain, just as those in scl were built.


It's possible you could get the person who built the scl versions for 
x86_64 to add armv7hl to their list of build architectures and it would 
build and appear automatically. (I'm not familiar enough with the process 
to know just how automated that is.)





Re: [CentOS] Raspberry Pi 4 and C++ 17

2022-04-25 Thread Kenneth Porter

--On Monday, April 25, 2022 4:30 PM -0400 Will  wrote:


I sure did try that.  I also tried to install devtools (no luck there).

[root@localhost source]# yum list installed binutils* gcc-c++* libc-devel*


I'd suggest checking Software Collections or COPR for newer devtools built 
for CentOS 7. They'd install to /opt and you'd use the scripts to set your 
path to use the alternate tools.




[CentOS] Two labels, one mount point

2022-04-01 Thread Kenneth Porter
I have a systemd mount unit that mounts an external drive by label. What 
happens if I plug in two USB external drives formatted with the same label? 
Does the last one discovered mount on top?


I'm rotating backup drives and the backup software assumes the drive to be 
at a particular directory. Normally I'd stop the service, umount the drive 
(via systemd stop), unplug, plug the other one in, then start the service. 
(An automount unit will mount the replacement drive when the service 
touches the mount point.)


But I'm wondering what happens if someone isn't careful and plugs in the 
2nd drive before shutting down the service and removing the first one.




[CentOS] SELinux relabeling for a different mount point

2022-03-31 Thread Kenneth Porter
I'm preparing a disk mounted at /mnt/tmp to later be mounted at 
/var/lib/BackupPC. Is there some magic invocation to get the selinux labels 
for the structure I create to assume the final mount point, so that I don't 
have to relabel it when it's finally mounted at its target location? Or is 
there an argument to restorecon that will do the equivalent of chroot so 
that restorecon assumes the final location?




[CentOS] Updating a package to one from a different repository

2022-03-21 Thread Kenneth Porter
At some point I updated fail2ban from a copr repo to get the latest 
release. That repo no longer exists but a newer version is available in 
EPEL. Is there a direct way to get yum to update using the different repo? 
Or do I need to save my config and DB, erase the old version, and install 
the new one from EPEL?




Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Kenneth Porter
--On Thursday, February 10, 2022 11:08 PM -0500 Jon LaBadie 
 wrote:



Are you reading that as "atime gets updated every 24 hrs"?  If so you
are missing "if needed".  I.e. if the file's data blocks have been read.

Checking time-stamps and sizes are not operations that cause atime
updates.  Those are inode operations, not data reads.


That I got. I was concerned with the case where rsync does a checksum to 
verify that the file's contents didn't change without changing the 
timestamp.






Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Kenneth Porter
--On Thursday, February 10, 2022 8:15 PM -0600 Chris Adams 
 wrote:



Unless you never write to the disk, that will still be lost in the noise
of writes.


Consider a weekly backup of /usr with checksumming of the contents. A 
partition that only changes with updates, so in principle it could be 
mounted read-only except when I yum update. Although of course since it's 
not SUPPOSED to change, an incremental backup should only be done after 
that yum update. The main value I can see with atime on /usr is to identify 
trash that I'm not using and that should be uninstalled.



But if it still bothers you, use rsync --open-noatime.


That would be handy if I actually needed atime! I hadn't noticed that one. 
Although I'm reading that the containing directory's atime does get updated.





Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Kenneth Porter
--On Thursday, February 10, 2022 8:49 PM -0500 Jon LaBadie  
wrote:



atime updates that occur when {m,c}time are updated add
no additional burden.


Understood. If that's the only time it happened, I would be happy with that.


So you are concerned about a single "possible" inode update
once a day?


I'm using BackupPC to do rsync-based backups of all my systems. The 
"incremental" backups look only at size and timestamp changes. The 
less-frequent "full" backups checksum all my files. That means an extra 
write for every file that gets checked.


I'd love to have a version of relatime that only did the first kind of 
update, when ctime or mtime changed but not when 24 hours had passed.




Re: [CentOS] Any downside to mount -o noatime?

2022-02-10 Thread Kenneth Porter
--On Thursday, February 10, 2022 8:03 PM -0500 Matthew Miller 
 wrote:



relatime has been the default for a long time -- that only updates atime
once per some reasonable timeperiod. The wear and tear from that is
negligible and you can still get a basic idea of when files where
accessed.


According to the man page for mount, relatime updates atime whenever mtime 
or ctime are updated, or if neither has been updated in the last 24 hours. 
Which is still prohibitive if you're doing an incremental (rsync) backup 
and checking file contents on the "full" backup weekly or monthly.


The only apps I've found that need atime are tmpwatch and biff, neither of 
which I use.






Re: [CentOS] Any downside to mount -o noatime?

2022-02-09 Thread Kenneth Porter
Also, is there a way to make noatime the default for all mounts? Or will 
I need to add it to everything in /etc/fstab and 
/etc/systemd/system/*.mount?





[CentOS] Any downside to mount -o noatime?

2022-02-09 Thread Kenneth Porter
I'd like to reduce the wear-and-tear on my SSDs and eliminate the 
unnecessary metadata writes on my backup media that only slow down the 
backup process. So I want to add noatime to all my mounts. Is there any 
downside to this?


At one time I remember atime being useful for tmpwatch, which removes files 
in /tmp that haven't been accessed in a week or two. But I can live without 
that feature.




Re: [CentOS] Kernel live patching on CentOS Stream 9

2022-01-13 Thread Kenneth Porter
--On Thursday, January 13, 2022 2:10 PM -0500 Valeri Galtsev 
 wrote:



We never had it in CentOS in the past, but I'm just curious: is live
patching proprietary piece of RHEL? I know there are several solutions,
way back there was paid one called splice, my Boss's son was one of the
developers of that. Just curious, as, if it is paid, it is stripped off
as part of CentOS composition, but if it is not paid, open source, then
it would "just work", or not?


Indeed, we're talking the software versus the organization. I never 
expected CentOS the organization to provide anything more than repackaging 
(rebuilding and mirroring).


For kernel patching, there's the matter of rebuilding and distributing the 
patches, and then whether the software can do anything with that. If it's 
proprietary, the issue is moot.


But maybe it's like the update classification and differentiation, which 
was never implemented for CentOS, because of the extra effort the 
organization would have to provide.






Re: [CentOS] Kernel live patching on CentOS Stream 9

2022-01-07 Thread Kenneth Porter

On 1/7/2022 10:07 AM, Brian Stinson wrote:

- We do not provide patch files in CentOS Stream (or previously in
CentOS Linux, for that matter). We've always recommended RHEL as a
better fit for folks that have hard requirements on this sort of
workflow.


If Stream is to be the next RHEL, wouldn't you want to test this kind of 
thing so the RHEL subscribers don't have to?




Re: [CentOS] how to clear out /var/cache?

2022-01-01 Thread Kenneth Porter
--On Friday, December 31, 2021 11:15 PM -0500 Fred  
wrote:



among the remains, the only other big one remaining is:

2.3G abrt-di

which I won't mess with for now.


That directory is owned by the abrt-addon-ccpp package, which is involved 
with crash dump analysis. So I'd guess it's full of dumps from programs 
that crashed.







Re: [CentOS] how to clear out /var/cache?

2021-12-30 Thread Kenneth Porter

On 12/30/2021 6:39 PM, Fred wrote:

but I still don't know the proper way to clear out a lot of this stuff. I
certainly don't want to hose my system.


My next step, on finding a candidate pig, would be to use "rpm -qf" to 
identify which package owns the pig, and then look at how to clean that 
package's junk and reduce its growth.





Re: [CentOS] how to clear out /var/cache?

2021-12-30 Thread Kenneth Porter
--On Thursday, December 30, 2021 6:20 PM -0500 Fred  
wrote:



Mine has hit over 3 gigs, making it one of the larger directories in /,
which is running low on space. I've hit all the low-hanging fruit I can
find and now I come to things like /var/cache, and I don't know what to do
about such.


Have you run KDirStat to find the disk pigs? I regularly use its Windows 
derivative, WinDirStat.





I wish there was a web-based version for headless servers without X 
libraries.




Re: [CentOS] firewalld: removing rich-rules based on its own list fails

2021-12-22 Thread Kenneth Porter
--On Wednesday, December 22, 2021 8:03 PM +0100 Patrick via CentOS 
 wrote:



Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4"
source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp"
to-port="60053" to-addr="46.23.XX.53"


If you don't get help here, you might try one of the firewalld mailing 
lists or other support resources here:




I'm curious to hear what you discover. (This might be a bug that warrants a 
patch for the CentOS package.)






Re: [CentOS] OT:: Multiple PHP versions

2021-12-14 Thread Kenneth Porter

On 12/14/2021 1:15 PM, Markus Falb wrote:

The only php SCL on that page that isn't EOL yet is php 7.3
Supported multi php installations seems difficult with that (maybe
there is more behind yourwww.softwarecollections.org  link?), although
it would be possible to have the original non SCL php 5.4 in addition
to the SCL php 7.3.


The general concept is to install the 3rd party package to /opt and use 
environment variables like path to drive a service to use the custom 
location for your desired version.


You might find that someone has packaged the version you desire in the 
COPR system. I used that for BackupPC 4 before it was available in EPEL.





Re: [CentOS] OT:: Multiple PHP versions

2021-12-14 Thread Kenneth Porter

On 12/14/2021 9:38 AM, TE Dukes wrote:

Been trying to get multiple versions of PHP on a CentOS 7 machine, off and
on for the past couple months. I have followed 5 or 6 different howtos but
none work. They are very similar and they seems to be done on a fresh
install as most do an apache install is the steps. I setup two virtualhosts
one for PHP5.6 and one for PHP 7.4. When I create a file with phpinfo, it
reports back 5.6.xxx on both sites.


You should be using Software Collections to install additional versions:

https://www.softwarecollections.org/en/about/

Instead of running PHP within the Apache binary, use a proxy. I suggest 
learning how to use fcgi. Your VirtualHost could include a directive 
like this:


SetHandler "proxy:fcgi://127.0.0.1:9000"

Install rh-php73-php-fpm (for example) with yum to run the proxy service.




Re: [CentOS] UID/GID migration vom C6 to C8

2021-11-15 Thread Kenneth Porter

On 11/15/2021 6:48 AM, Simon Matter wrote:

I've created a script which uses `chown' to recursively change UIDs and
GIDs. I don't remember exactly but I think I made it run for every user in
parallel and it finished quite fast considering the fact that it had to
traverse the whole storage consisting of millions of files.
I could then later just rsync everything to the new box without any
UID/GID conversion.


rsync by default copies by name, not UID/GID. So you can let the new 
system assign numbers based on the new limits and let rsync do the 
conversion.


You could also just keep the old numbers. AFAIK, no numbers in the 
500-999 range have been globally registered. Create your users with 
their old IDs on a minimal system before installing any optional 
packages that might try to allocate a system UID from the same range. 
Then the optional packages will allocate from any "holes" in that range.


Other UID ranges you want to dodge are listed here:

https://en.wikipedia.org/wiki/User_identifier


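What "rsync copies by name" works out to for a concrete set of accounts, as an added example (not code from the thread or from rsync): for each source account it reports the UID rsync would set on the destination when ownership is mapped by name (the destination's UID for a name that exists there, the source's numeric UID otherwise), flags source UIDs that would land on an unrelated destination account, lists the free UIDs in a range so old numbers can be re-created in the "holes", and builds the "--usermap" argument for the accounts that collide. Both passwd excerpts are constructed; the account names and UIDs are not from the poster's systems.

```python
"""Plan the UID mapping for an rsync migration between two systems.

rsync (without --numeric-ids) sets ownership by user name: a name present
on the destination gets that destination's UID; a name absent on the
destination keeps the source's numeric UID. This works out the result for
every source account and flags the ones that would collide.

Added example, not code from the thread. Both passwd excerpts are constructed.
"""

OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
backuppc:x:502:502:BackupPC:/var/lib/BackupPC:/sbin/nologin
"""

NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
unbound:x:502:502:Unbound DNS resolver:/etc/unbound:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text: str) -> dict:
    """name -> uid for every well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def plan_mapping(old: dict, new: dict) -> dict:
    """For each source name: (source uid, uid rsync would assign by name, status)."""
    new_by_uid = {uid: name for name, uid in new.items()}
    plan = {}
    for name, uid in sorted(old.items(), key=lambda kv: kv[1]):
        if name in new:
            plan[name] = (uid, new[name], "mapped by name")
        elif uid in new_by_uid:
            plan[name] = (uid, uid, "COLLISION with %s on destination" % new_by_uid[uid])
        else:
            plan[name] = (uid, uid, "kept numeric (no such name on destination)")
    return plan


def free_uids(new: dict, low: int, high: int) -> list:
    """UIDs in [low, high] not yet used on the destination: the holes old accounts can reuse."""
    used = set(new.values())
    return [u for u in range(low, high + 1) if u not in used]


def usermap_argument(plan: dict) -> str:
    """--usermap=FROM:TO pairs for colliding accounts: map the source uid to the
    destination name, which has to be created there (under a free uid) before the copy."""
    return ",".join("%d:%s" % (uid, name)
                    for name, (uid, _, status) in plan.items() if status.startswith("COLLISION"))


if __name__ == "__main__":
    plan = plan_mapping(parse_passwd(OLD_PASSWD), parse_passwd(NEW_PASSWD))
    for name, (src, dst, status) in plan.items():
        print("%-10s %5d -> %5d  %s" % (name, src, dst, status))
    print("free in 500-999:", free_uids(parse_passwd(NEW_PASSWD), 500, 999)[:8], "...")
    print("rsync -a --usermap=%s ..." % usermap_argument(plan))
```

Run with the real files ("getent passwd" on each side) before the first rsync; groups need the same treatment with "--groupmap". Accounts in the "kept numeric" state are the ones to create on the destination with their old UID while the holes are still free, which is the ordering the post recommends.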


Re: [CentOS] IPv6 mailing list?

2021-10-27 Thread Kenneth Porter

On 10/27/2021 9:24 AM, Benson Muite wrote:
There being no end-user IPv6 mailing list, it seems possible to set 
one up. 


I'd hoped that DSLReports would have a dedicated sub-forum but no luck. 
But I did discover that Reddit has one:


https://www.reddit.com/r/ipv6/

Meanwhile, I found the right search expression for what I want. IPv6 
redundant routing. Further refined by searching for "first hop". I doubt 
the ISP gateway has any support but it's something to ask for.


https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol

And a related article that turned up in my search:

https://packetlife.net/blog/2011/apr/18/ipv6-neighbor-discovery-high-availability/




[CentOS] IPv6 mailing list?

2021-10-27 Thread Kenneth Porter
Can anyone recommend an end-user IPv6 mailing list? (A web forum would also 
be acceptable.)


I've been looking at available lists and they all seem targeted at backbone 
players and ISPs. I'm looking for something where we can report and resolve 
problems with our ISPs.


For example, I just got an AT&T business connection and the Edgemark fiber 
gateway doesn't provide RA or prefix delegation. It assumes the customer 
equipment is all leaf nodes that are statically-configured. It doesn't 
recognize RA from the customer, either. So I'm using ndppd (added to EPEL7 
this morning!) to proxy neighbor announcements through my CentOS7 
gateway/firewall.


I have a backup/secondary C7 gateway and it got confused when the primary 
sent RA for the LAN-side subnet upstream to the common WAN link (via the 
radvd package) and the secondary added a default routing table entry 
pointing to the primary gateway instead of using its own 
statically-configured default gateway setting. That was a head-scratcher 
until I noticed my firewall logs on the main gateway showing dropped DNS 
packets from the secondary that should have been going to the ISP gateway. 
IPv6 DNS was failing on the secondary with timeouts (10 seconds!) and I 
couldn't figure out what was eating the packets.


So I'm wondering how multiple gateways sharing a link are supposed to 
cooperate and inform each other without confusing each other about the 
desired topology.




Re: [CentOS] IPv6 routing preference with multiple default gateways

2021-10-17 Thread Kenneth Porter
Ugh. It looks like I need to read through the neighbor discovery RFC to 
understand how this works:


https://datatracker.ietf.org/doc/html/rfc4861

I did discover that the radvd.conf page includes an entry for 
AdvDefaultPreference low|medium|high so I can at least set the preference 
of the backup C7 box to low.




[CentOS] IPv6 routing preference with multiple default gateways

2021-10-17 Thread Kenneth Porter
I've got a primary and backup CentOS 7 gateway, each with two interfaces, 
connected to my LAN and my fiber gateway. The default gateway (the fiber 
box) is set explicitly in ifcfg-eno2 with IPV6_DEFAULTGW. Using "ip -6 
route show" I see two defaults, the static one and the one advertised from 
my other CentOS7 box via the internal interface (eno1), both with metric 
1024 and preference medium.


default via 2001:1890:1837:5b00::1 dev eno2 metric 1024 pref medium
default via fe80::100 dev eno1 proto ra metric 1024 expires 293sec hoplimit 
64 pref medium


How do I set the IPv6 router advertisements on the LAN side to advertise a 
higher metric or lower preference so there's never ambiguity that the fiber 
box has precedence? I can't find a setting in the man page for radvd to set 
the metric or preference for the LAN route that's announced.


Additionally, I think I need to announce a route on the WAN interface 
(eno2) of lower precedence than the static route so the fiber box knows 
that the two CentOS7 boxes are proxies for my LAN, but the two boxes don't 
try to route to each other?


This is for C8 but it's useful for the concepts, like that a lower metric 
has a higher precedence:




Some radvd examples that lack an example of how to set metric or preference.



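The AdvDefaultPreference option mentioned in the reply above, applied to the backup box's LAN interface; this is an added example configuration, not from either post or from radvd's own examples. The interface name eno1 is taken from the question; the 2001:db8:1::/64 prefix is a documentation-range placeholder.

```conf
# radvd.conf on the BACKUP CentOS 7 gateway (added example).
# AdvDefaultPreference sets the RFC 4191 router preference that
# "ip -6 route show" displays as "pref low|medium|high".  radvd's
# default is medium, so leaving the primary gateway alone and setting
# the backup to low means the static default via the fiber box (pref
# medium) wins over the learned route, while the backup is still
# usable as a fallback.
interface eno1
{
    AdvSendAdvert on;
    AdvDefaultPreference low;
    prefix 2001:db8:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

# On an interface where this box must announce the prefix but must NOT be
# used as a default router at all, advertise a default lifetime of zero
# instead: "AdvDefaultLifetime 0;" means "not a default router".
```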


Re: [CentOS] Unexpected /etc/resolv.conf updates on CentOS 7

2021-10-13 Thread Kenneth Porter

On 10/13/2021 10:24 AM, Toralf Lund wrote:
Does here anyone know exactly when NetworkManager creates or is 
supposed to create /etc/resolv.conf for a network connection? Is there 
a way I can control it, or alternatively, is there a good way to debug 
the functionality? 


Take a look at change_resolve_conf in 
/etc/sysconfig/network-scripts/network-functions. This is invoked in a 
few places in that directory, like in ifup-post.


I'm curious to hear what you find.




Re: [CentOS] how to display/create DUID?

2021-09-29 Thread Kenneth Porter

--On Wednesday, September 29, 2021 11:59 PM +0200 hw  wrote:


Is that my lack of understanding or are these DUIDs really a rather
stupid idea?

And how are we actually supposed to set up static leases with DHCPv6?


I recommend asking over on the ISC DHCP lists where you're likely to find 
much more expertise on the subject in these dark corners of the standards.






Re: [CentOS] how to display/create DUID?

2021-09-19 Thread Kenneth Porter

--On Sunday, September 19, 2021 3:02 PM +0200 hw  wrote:


None of this is working because the server isn't running a DHCPv6 server,
and there seems to be no file in /var/lib/NetworkManager that would seem
to be helpful.

Isn't there a tool that creates the DUID and prints it?  This can't be
too difficult ...


I found this thread that suggests that NetworkManager computes it every 
time unless it's manually overridden:




Based on that, nmtui-connect might do what you want.



Re: [CentOS] how to display/create DUID?

2021-09-19 Thread Kenneth Porter

--On Sunday, September 19, 2021 2:10 AM +0200 hw  wrote:


So how/where do I find this DUID on my server?






My desktop has it in /var/lib/NetworkManager. I haven't yet figured out 
what generates it or how it gets set on a server, as my servers don't have 
one (that I can find). My suspicion is that it gets generated from the UUID 
setting for the interface in /etc/sysconfig/network-scripts/ifcfg-*.







Re: [CentOS] how to display/create DUID?

2021-09-19 Thread Kenneth Porter

--On Sunday, September 19, 2021 2:10 AM +0200 hw  wrote:


I would like to assign an ipv6 address through the DHCPv6 server of
pfsense.  To configure a static address, I need to tell the DHCPv6 server
a DUID.

Apparently DUIDs belong to a particular machine and aren't supposed to
ever change unless you re-install the operating system.  I guess every
network card would need its DUID because devices can have multiple
network adapters, though ... and what happens when you change out the
card?

IIUC, the DUID is required to ask for/get ipv6 addresses from a DHCPv6
server.  So there must be a way to create one, and perhaps it has already
been created.  Does networkmanager do that?

So how/where do I find this DUID on my server?


Good question. I'm trying to do the same for my OpenWRT router to force my 
ISP to give me a new allocation. (It's stuck on a /64 and a Reddit thread 
suggests that changing the DUID will "kick" the DHCPv6 server into honoring 
my /60 request.) The DUID does the same for IPv6 that the MAC address does 
for IPv4. It's the key for the lease in the DHCP database.


I'm reading that DUIDs can get recomputed when containers are started, and 
this causes headaches for VM operators who are seeing "new" assignments 
appear extremely frequently.






Re: [CentOS] Find out which process consumed Network bandwidth

2021-09-14 Thread Kenneth Porter

Take a look at Cacti, which is available in the EPEL repo:

https://www.cacti.net/

It's not just for network accounting. It polls multiple hosts for all 
kinds of data and keeps RRD tables for display. Cacti provides a web 
interface that can display the data in charts. You'll need to install 
plugins for iptables to do the actual data collection.


I've used this to track per-host Internet usage on my LAN by adding an 
iptables chain with one do-nothing rule per LAN host, just to maintain a 
counter for Cacti to poll.





Re: [CentOS] systemd | Requires statement with an instantiated service

2021-09-01 Thread Kenneth Porter
--On Wednesday, September 01, 2021 6:36 PM +0200 Leon Fauster via CentOS 
 wrote:



How to apply a "Requires" with an instantiated service.

Example:

a@.service
b.service

a@.service is started as a@host1.service and b.service must be started
after a@host1.service but the unit will be differently parameterized
(dependent on the region). So I want to generalize the requires statement.

My dropin file in ./b.service.d/dep.conf looks like

[Unit]
Requires="a@*.service"

This just produces following error:
'Failed to add dependency on "a@*.service", ignoring: Invalid argument'


I also use a Before=b.service statement for a@.service but that is not
enough.


You might also ask on the systemd list:





Re: [CentOS] hosts.deny, fail2ban etc.

2021-07-28 Thread Kenneth Porter

On 7/28/2021 1:57 PM, Scott Techlist wrote:

Is that an improvement?  I'm still running Centos7 so I'm not familiar with it.


https://ungleich.ch/en-us/cms/blog/2018/08/18/iptables-vs-nftables/




[CentOS] local privilege escalation in kernel and systemd

2021-07-21 Thread Kenneth Porter



Two related bugs involve mounting a very long path. The kernel bug requires 
passing a 1 GB path string, while the systemd bug involves an 8 MB path 
that overflows its stack.


Technical details here:







Re: [CentOS] Warning: No matches found for: clamav on CentOS Linux release 7.9.2009 (Core)

2021-07-20 Thread Kenneth Porter

On 7/19/2021 1:11 PM, Frank Cox wrote:

Jul 20 00:01:57 testdeveloperportal clamd: ERROR: Can't open/parse the
config file /etc/clamd.d/server.conf


Exactly. Instructions on defining a new clamd service can be found here:

/usr/share/doc/clamd-0.103.3/README




Re: [CentOS] Warning: No matches found for: clamav on CentOS Linux release 7.9.2009 (Core)

2021-07-19 Thread Kenneth Porter
--On Monday, July 19, 2021 12:14 PM +0200 Simon Matter 
 wrote:



I think after installing epel-release, you have to enable the repositories
you want in the /etc/yum.repos.d/epel.repo file.


It came enabled on my system. (rpm -Vf on that file reports no changes.)

Here are the matches I get:

clamav-filesystem.noarch : Filesystem structure for clamav
clamav-unofficial-sigs.noarch : Scripts to download unofficial clamav 
signatures

clamav.x86_64 : End-user tools for the Clam Antivirus scanner
clamav-data.noarch : Virus signature data for the Clam Antivirus scanner
clamav-devel.x86_64 : Header files and libraries for the Clam Antivirus 
scanner

clamav-lib.x86_64 : Dynamic libraries for the Clam Antivirus scanner
clamav-milter.x86_64 : Milter module for the Clam Antivirus scanner
clamav-update.x86_64 : Auto-updater for the Clam Antivirus scanner 
data-files




Re: [CentOS] Tracking down application sending mail in CentOS 7

2021-06-25 Thread Kenneth Porter

--On Thursday, June 24, 2021 10:59 PM -0400 H  wrote:


There are plenty of messages, basically every few minutes, see the e-mail
I just posted.


Open a couple shell windows. Run top in one and "tail -f /var/log/messages" 
in the other and watch for a program to jump to the top of the process list 
when that message shows up in the log.






Re: [CentOS] Tracking down application sending mail in CentOS 7

2021-06-23 Thread Kenneth Porter
--On Wednesday, June 23, 2021 10:54 PM -0400 H  
wrote:



Viewing /var/log/maillog I get some information but cannot see which
application generated that e-mail, nor the content of it which would
likely allow me to see where it comes from.

Can anyone suggest how to track down the app so I can reconfigure the
mail address?


Hold all delivery so you can examine the mystery message in the queue. I 
found this article on how to hold mail with Postfix:




This requires creating the file /etc/postfix/hold with a static hold rule 
and "compiling" it with the postmap command. Add a line to main.cf to use 
the new map.





[CentOS] systemd alias for SMTP provider (and other services supplied by alternative providers)

2021-06-14 Thread Kenneth Porter
I just finished adding a custom service to send an email on system 
shutdown/startup:




I ended up coding an After for postfix.service on CentOS 8 so the mail 
would get delivered before the system shut down. (I think I might need a 
delay, too, to allow the message to finish shipping to the monitoring 
server across the network.) I'd like to be able to use the same unit file 
on older systems that use sendmail, and I know there are other packages 
that provide SMTP and local mail. So it would be desirable to have an Alias 
for those services. I'm using CentOS 8 on my latest system and 7 on older 
systems. Is this perhaps already present in a newer systemd commit? Is 
there a registry for well-known aliases for package writers? With 
CentOS/RHEL/Fedora allowing multiple options for several packages through 
its alternatives system, this seems like a natural need.




[CentOS] RH portal shows more when logged out

2021-06-12 Thread Kenneth Porter
I was looking into the system's sync/shutdown/halt user accounts and found 
this page:




I wanted to reply to the comments I found there so I logged in. Now I can't 
see the comments or otherwise interact with the page. I'm using Chrome on 
Win10-x64 and disabled my ad blocker (uBlock Origin). I tried opening the 
page in an incognito window, and again I can see the comments while logged 
out. The same thing happens with Firefox.


(This looks like a handy way to allow those with physical access to 
shutdown my system in an emergency. The next problem is how to restrict 
such logins to the console, and not allow them via ssh.)




[CentOS] Fwd: Pre-announcement of an ISC DHCP security issue scheduled for disclosure 26 May 2021

2021-05-21 Thread Kenneth Porter



 Forwarded Message 
Subject: 	Pre-announcement of an ISC DHCP security issue scheduled for 
disclosure 26 May 2021

Date:   Fri, 21 May 2021 11:44:19 -0800
From:   Michael McNally 
To: dhcp-annou...@lists.isc.org



Hello, dhcp-announce list subscribers,

It has been a while since our last post to this list.

Since the last time we posted news of a new release of ISC DHCP,
Internet Systems Consortium has adopted a practice of pre-announcing
expected security disclosures in order to give operators who use our
products a little advance warning and planning time.

For that reason, I am writing you today to let you know that a vulnerability
in ISC DHCP will be publicly announced next week on Wednesday, 26 May 2021.

Further details about that vulnerability will be publicly disclosed next
week, and new releases of ISC DHCP that correct the vulnerability will be
made available at that time. It is our hope that this pre-announcement will
aid DHCP operators in preparing for that disclosure when it occurs.

Yours sincerely,

Michael McNally
(writing for ISC Security Officer)
___
dhcp-announce mailing list
dhcp-annou...@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-announce



[CentOS] NetworkManager: Remove one of two DHCP leases

2021-05-07 Thread Kenneth Porter
I forgot to release the DHCP IPv4 lease on a PC before I deployed it at the 
customer site. So now the box has two leases for a couple days, when the 
old lease expires. What's the proper way to force the unwanted additional 
lease to expire immediately? It's mucking up my resolv.conf with the old 
DNS search order and servers added to the customer's.


I checked the /var/lib/NetworkManager/dhclient6-*.lease file and see my own 
IPv6 configuration and nothing from the customer, which explains why I 
can't connect to resolved IPv6 addresses. How can I flush that? (There are 
two identical lease6 records but both are to my home LAN. Why are there two 
copies?)




Re: [CentOS] How to organize your VMs

2021-04-13 Thread Kenneth Porter
--On Tuesday, April 13, 2021 1:15 AM -0400 Steven Tardy 
 wrote:



IMO each VM should have a singular use/purpose/app. VMs are effectively
free. And also prevents unintended negative upgrade interactions.

Think through this to the logical end as each process is its own
environment/container/(docker) or each user execution is a unique instance
(serverless).


My sense is that all the mail apps that touch the same data on disk should 
share a VM. But RoundCubeMail is really an MUA so it can be in a separate 
VM. One VM can hold a caching DNS and the rest can resolve to it. Each web 
server/domain/app should be in its own VM to sandbox it from other domains.


The tricky part with DNS is that outside caching servers (like Google) 
handle short-lived (low TTL) records better (some records have lifetimes of 
seconds!) but mail block lists refuse access from Google because they 
charge for large users, so small mail servers need their own caching DNS. 
Hence, one might split DNS into two servers, one just for mail and one for 
everything else.






Re: [CentOS] Missing /etc/ld.so.conf.d/kernel-3.10.0-1127.19.1.el7.x86_64.conf

2021-04-12 Thread Kenneth Porter
--On Monday, April 12, 2021 9:34 AM -0500 Johnny Hughes  
wrote:



As to how you got the error .. it seems there is an issue with the
kernel-3.10.0-1127.19.1.el7.x86_64 install on your machine, it is at
least missing that file.  If you are using that kernel .. you might want
to re-install it instead to make sure all the files are there.  There is
a newer kernel released for EL7.


My yum update installed 1160.24, so I'm up to date now. "rpm -V kernel" for 
5 installed kernels is silent. I'd guess 1127.19 (from August) was somehow 
damaged.





[CentOS] Missing /etc/ld.so.conf.d/kernel-3.10.0-1127.19.1.el7.x86_64.conf

2021-04-11 Thread Kenneth Porter
I'm yum updating some CentOS 7 systems today and got this error. Two 
systems (so far) seem to have rebooted fine. Should I worry?


error: file /etc/ld.so.conf.d/kernel-3.10.0-1127.19.1.el7.x86_64.conf: No 
such file or directory




Re: [CentOS] Automatic clean /tmp folder

2021-04-07 Thread Kenneth Porter
--On Wednesday, April 07, 2021 9:00 AM + Gestió Servidors 
 wrote:



With these files I supposed that a file with more than 10 days in /tmp
would be automatically deleted, but today I have found some files/folders
with more than 10 days.

What have I done wrong?


The test is on access time, not modification. Have they been read in the 
last 10 days?






[CentOS] bash: return status of an assignment

2021-02-27 Thread Kenneth Porter
In the sqm-scripts package for managing network traffic shaping is this 
line for finding a program suitable for loading the kernel shaping modules:


[ -z "$INSMOD" ] && INSMOD=$(which modprobe) || INSMOD=$(which insmod)

It seems to set INSMOD to /usr/sbin/insmod, even though /usr/sbin/modprobe 
is available. (Both are symlinks to ../bin/kmod.)


According to this article, the return value of the first assignment should 
be success and it shouldn't take the fallback statement:




Also working the issue here:



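An added script (not part of sqm-scripts or the post above) that traces how the `[ -z ... ] && ... || ...` line resolves for both an empty and a preset INSMOD, beside an explicit if/else form with the same intent. `which` is replaced by a stub that consults a constructed tool list, so it runs without kmod installed; the /usr/sbin paths it prints are stand-ins.

```sh
#!/bin/sh
# Added example: how an AND-OR list assigns INSMOD in sqm-scripts.
# `which` is replaced by fake_which so this runs offline; paths are constructed.

# Names the stub treats as installed (space-separated).  Set it to just
# "insmod" to simulate a box without modprobe.
FAKE_TOOLS="modprobe insmod"

# Stand-in for `which`: prints a path and returns 0 only for a listed name.
fake_which() {
    for tool in $FAKE_TOOLS; do
        if [ "$tool" = "$1" ]; then
            printf '/usr/sbin/%s\n' "$1"
            return 0
        fi
    done
    return 1
}

# The construct as written in sqm-scripts.  An AND-OR list is evaluated left
# to right with no grouping: when `[ -z "$INSMOD" ]` fails (INSMOD already
# set), the && part is skipped, the list's status so far is non-zero, and the
# || branch runs anyway, overwriting the preset value with insmod.
original_chain() {
    INSMOD="$1"
    [ -z "$INSMOD" ] && INSMOD=$(fake_which modprobe) || INSMOD=$(fake_which insmod)
    printf '%s\n' "$INSMOD"
}

# Same intent with an explicit if: the fallback to insmod is reached only when
# INSMOD is unset AND `which modprobe` fails (the exit status of an assignment
# is that of its command substitution, so the inner || still works as intended).
explicit_if() {
    INSMOD="$1"
    if [ -z "$INSMOD" ]; then
        INSMOD=$(fake_which modprobe) || INSMOD=$(fake_which insmod)
    fi
    printf '%s\n' "$INSMOD"
}

# Show both forms for an empty and a preset INSMOD.
for preset in "" "/usr/bin/kmod"; do
    printf 'INSMOD=%-15s original=%-20s explicit=%s\n' "'$preset'" \
        "$(original_chain "$preset")" "$(explicit_if "$preset")"
done
```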


Re: [CentOS] Dual WAN on EL8 desktop.

2021-02-16 Thread Kenneth Porter
--On Tuesday, February 16, 2021 12:00 PM +0530 Thomas Stephen Lee 
 wrote:



The solution should be a software one without acquiring new hardware.
What is ideal is the bandwidth of two connections and half bandwidth
when one link is down.


The search term you're looking for is "NIC bonding". Here's the first hit I 
get from Google:






Re: [CentOS] Changing command line version of php for apache

2021-02-14 Thread Kenneth Porter
--On Sunday, February 14, 2021 1:52 PM -0500 H  
wrote:



Apart from what you described above, is it in general possible to force a
non-shell user to use a specific version of software when multiple
versions are installed on a machine, be it php, python or something else?


As I said, use the path. The path environment variable isn't part of a 
shell, but shells provide nice ways to manipulate it. The scripts provided 
with Software Collections modify the path and possibly other variables 
before invoking a shell or a program. Environment variables are part of a 
process' state and are inherited when a process spawns a child. A shell is 
just a special kind of process that provides interactive support and may 
provide a programming API.






Re: [CentOS] Changing command line version of php for apache

2021-02-14 Thread Kenneth Porter
--On Saturday, February 13, 2021 9:59 PM -0500 H  
wrote:



But my question is also a more general one: short of ridding the system
of the old, default php 5 binary, how should I configure a user without a
shell such as apache to default to the newer php binary? As mentioned
previously, apache itself runs the new php just fine (except for the imap
issue above which could also be some other bug...).


CentOS 7 runs apache from systemd. Apache finds programs using the path. So 
you need to customize the systemd unit file for Apache to run it from 
within a script that first prefixes the path with the location of your 
custom PHP binary. Software Collections provides a script for this.


See the systemd documentation for how to customize a unit file. You 
probably just need a "drop-in" in /etc/systemd/system that replaces the 
ExecStart value in httpd.service.


Another approach is to run php-fpm for your custom PHP (package 
rh-php72-php-fpm) and have Apache connect to this via the SetHandler 
directive. Use SetHandler instead of ProxyPass because the latter doesn't 
play well with FilesMatch.


   # send PHP requests to PHP 7.2 via php-fpm service
   <FilesMatch "\.php$">
   SetHandler "proxy:fcgi://127.0.0.1:9000"
   </FilesMatch>

This will sandbox PHP into its own process.



[CentOS] Filesystem choice for BackupPC external drive

2021-02-04 Thread Kenneth Porter
I'm setting up a CentOS 7 box as a BackupPC 4 server to back up Windows 
boxes on my LAN. I'm using an external 1.5 TB USB drive for the "pool". 
BackupPC deduplicates by saving all files in a pool, a directory hierarchy 
with each file named for the checksum of the file, and the directories 
acting as a hash tree to reach each pool file. A backup for a specific 
workstation is a directory tree of checksums and metadata that point into 
the pool for the actual file data. Incremental backups are reverse deltas 
from periodic "filled" backups of all files. I'm using rsyncd to pull 
changed files from the workstations.


I'm deciding which filesystem to use for my external drive. I'm thinking 
the main candidates are ext4 and xfs. What's the best filesystem for this 
application?




Repo for CentOS 7 users:






Re: [CentOS] How to query which yum package groups a particular package is member of

2021-01-28 Thread Kenneth Porter
--On Thursday, January 28, 2021 7:22 AM -0700 James Szinger 
 wrote:



I'm guessing that means it was a dependency for something back then.
Is there a way to discover what? Using "yum history info 1" I see
that this was the original Anaconda install from 2014. Could dnsmasq
be in the original minimal disk installer?


Or one can also run `rpm -q --whatrequires dnsmasq`.


That I tried at the beginning but it turned up nothing, which is why I was 
mystified. I suspect whatever depended on it before has lost the dependency 
in a later version, or I removed it long ago.






Re: [CentOS] How to query which yum package groups a particular package is member of

2021-01-27 Thread Kenneth Porter
--On Wednesday, January 27, 2021 11:35 PM + Jamie Burchell 
 wrote:



How about using yum history to find when and why the package was
installed?

yum history summary dnsmasq
yum history package-list dnsmasq


Very nice!

The oldest record of the second command:

1 | Dep-Install| dnsmasq-2.66-12.el7.x86_64

I'm guessing that means it was a dependency for something back then. Is 
there a way to discover what? Using "yum history info 1" I see that this 
was the original Anaconda install from 2014. Could dnsmasq be in the 
original minimal disk installer?




Re: [CentOS] How to query which yum package groups a particular package is member of

2021-01-27 Thread Kenneth Porter
--On Wednesday, January 27, 2021 3:31 PM -0500 Stephen John Smoogen 
 wrote:



or one can look for the comps file in /var/cache/yum

network-tools has dnsmasq listed as a package

repoquery says the following on my rhel box
NetworkManager-1:1.4.0-20.el7_3.x86_64
libvirt-daemon-driver-network-0:4.5.0-36.el7_9.3.x86_64


Aha! It's actually in the network-server ("Network Infrastructure Server") 
group. network-tools is the next one in the comps.xml file. The group name 
sounds like something I might have wanted for my application, but the 
contents are really for a lightweight server like one finds in a consumer 
router.


But, except for dhcp and radvd, none of the other packages in that group 
are installed, so I still don't see how I got dnsmasq on my system. Here's 
the network-server package list:


 dhcp
 dnsmasq
 freeradius
 quagga
 radvd
 rsyslog-gnutls
 rsyslog-gssapi
 rsyslog-kafka
 rsyslog-mysql
 rsyslog-pgsql
 rsyslog-relp
 syslinux
 syslinux-tftpboot
 tang
 tftp-server


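The comps.xml lookup described above, done the other way round (package to groups) as an added script; it is not from the thread or from yum. The XML it scans is a constructed, trimmed stand-in for the file yum caches under /var/cache/yum; pass a real comps file as the second argument to use that instead.

```sh
#!/bin/sh
# Added example: list the comps groups that name a given package, the reverse
# of `yum groupinfo GROUP`.  SAMPLE_COMPS is a constructed excerpt, not real data.

SAMPLE_COMPS='<?xml version="1.0" encoding="UTF-8"?>
<comps>
  <group>
    <id>network-server</id>
    <name>Network Infrastructure Server</name>
    <packagelist>
      <packagereq type="optional">dhcp</packagereq>
      <packagereq type="optional">dnsmasq</packagereq>
      <packagereq type="optional">radvd</packagereq>
    </packagelist>
  </group>
  <group>
    <id>network-tools</id>
    <name>Network Tools</name>
    <packagelist>
      <packagereq type="default">dnsmasq</packagereq>
      <packagereq type="default">tcpdump</packagereq>
    </packagelist>
  </group>
  <group>
    <id>dns-server</id>
    <name>DNS Name Server</name>
    <packagelist>
      <packagereq type="mandatory">bind</packagereq>
    </packagelist>
  </group>
</comps>'

# awk program: remember the current <group>'s <id>, then print "id<TAB>type"
# for every <packagereq> whose text equals pkg.  Line-oriented on purpose:
# the comps.xml CentOS ships puts one element per line.
AWK_GROUPS='
/<group>/ { gid = "" }
/<id>/ && gid == "" {
    gid = $0
    sub(/.*<id>/, "", gid); sub(/<\/id>.*/, "", gid)
}
/<packagereq/ {
    name = $0
    sub(/.*<packagereq[^>]*>/, "", name); sub(/<\/packagereq>.*/, "", name)
    type = "default"
    if (match($0, /type="[^"]*"/)) type = substr($0, RSTART + 6, RLENGTH - 7)
    if (name == pkg) printf "%s\t%s\n", gid, type
}'

# groups_for_package PKG [COMPS_FILE]
# Prints one "group-id<TAB>membership-type" line per group that names PKG;
# prints nothing when no group does.
groups_for_package() {
    if [ -n "$2" ]; then
        awk -v pkg="$1" "$AWK_GROUPS" "$2"
    else
        printf '%s\n' "$SAMPLE_COMPS" | awk -v pkg="$1" "$AWK_GROUPS"
    fi
}

echo "Groups naming dnsmasq in the sample comps (id, membership type):"
groups_for_package dnsmasq
```

A package that no group names and that `rpm -q --whatrequires` does not explain was most likely pulled in by an installer group from an older comps, or installed by hand.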


Re: [CentOS] How to query which yum package groups a particular package is member of

2021-01-27 Thread Kenneth Porter
--On Wednesday, January 27, 2021 8:07 PM + J Martin Rushton via CentOS 
 wrote:



Here's how to find the package for a particular file:


That one's easy and I use this all the time:

rpm -qf full-file-name

I'm looking for how to get the yum group for a package. (I'm guessing a 
package might even be in more than one group?) That would help explain how 
the dnsmasq package got installed on my system. (It was never enabled by 
systemd and isn't required by any other package. So I went ahead and erased 
it to free the space and reduce my attack surface.)






[CentOS] How to query which yum package groups a particular package is member of

2021-01-27 Thread Kenneth Porter
I'm trying to find out how dnsmasq got on my CentOS 7 system, since I use 
BIND for DNS. I'm guessing it was part of a base group that Anaconda 
installs for all systems.


Red Hat has this answered on this page but the answer is only available to 
subscribers. I'm guessing this kind of content will be available to us once 
the new free subscription thing starts.






Re: [CentOS] Reboot/shutdown without login

2021-01-11 Thread Kenneth Porter

On 1/11/2021 11:37 AM, Valeri Galtsev wrote:
In old times I always was disabling CNTRL-ALT-DEL, and adding to level 
"S" /usr/bin/login which effectively required password when one 
reboots machine into single user mode. And boot from anything but 
system drive was disabled in BIOS, and BIOS was password protected. 
Not that I disagree with "nothing can stop a guy with the 
screwdriver". But disabling easy way to tamper with the system adds to 
one's ability to notice the system had been tampered with (and when). 
Not doing it anymore... 


That makes perfect sense in a company data room. My situation is a 
roommate that wants to power it off to sleep and I've left for an 
emergency and didn't have time to power it down myself.





Re: [CentOS] Reboot/shutdown without login

2021-01-11 Thread Kenneth Porter

On 1/11/2021 10:32 AM, Frank Cox wrote:

How do you want the person to shut it down without logging in?  Some computers have a 
"smart" power switch pushbutton that you can program to do a shutdown or a 
reboot depending on how long you hold the button down.  Otherwise you'll need at least a 
keyboard, or possibly something like a joystick or a mouse button?


Keyboard. I don't have a mouse hooked up since it's currently running 
without a GUI.


I wasn't sure if the power switch on the R720xd is monitored that way so 
that hitting the front panel button would shut the system down or maybe 
bring up the DRAC screen.





[CentOS] Reboot/shutdown without login

2021-01-11 Thread Kenneth Porter
I installed CentOS 8 on a Dell server and it's been running fine as a 
headless system, admin'd remotely by ssh. Now I'd like to allow someone to 
shut it down at the console without logging in. Is there a way to do that? 
Or do I need to get the GUI working?


I tried switching it into graphical mode ("systemctl isolate graphical") 
and the console freezes with nothing but a non-blinking text cursor at top 
left. The usual virtual console switching hotkeys (ctrl-alt F1-F7) don't do 
anything when it's hung like this. The system is still responsive in my ssh 
session. It doesn't recover if I switch back to multi-user target so I have 
to reboot it to make the console useful again. I'm guessing I'm lacking a 
good video driver. (It's an R720xd I inherited and the latest drivers on 
Dell's site are for RHEL 7.)




Re: [CentOS] dovecot option PROFILE=SYSTEM

2021-01-06 Thread Kenneth Porter

--On Wednesday, January 06, 2021 7:08 AM -0800 david  wrote:


If only there had been a comment in the file
/etc/dovecot/conf.d/10-ssl.conf


I suggest opening an enhancement request on Bugzilla.







Re: [CentOS] dovecot option PROFILE=SYSTEM

2021-01-06 Thread Kenneth Porter

--On Tuesday, January 05, 2021 7:40 PM -0800 david  wrote:


In examining the file
  /etc/dovecot/conf.d/10-ssl.conf
I see the text line:
  ssl_cipher_list = PROFILE=SYSTEM

Yet, I cannot find any documentation that explains what that causes,
where the values are stored.  I ask because I don't see that text line in
other installations of Dovecot 2.3 on other distros.  Can anyone point me
to an explanation?


The value of ssl_cipher_list is passed directly to OpenSSL's 
SSL_CTX_set_cipher_list():




See here for the meaning of PROFILE=SYSTEM:






Re: [CentOS] Replacing SW RAID-1 with SSD RAID-1

2020-11-24 Thread Kenneth Porter
--On Monday, November 23, 2020 4:46 PM +0100 Simon Matter 
 wrote:



I suggest to "mdadm --fail" one drive, then "mdadm --remove" it. After
replacing the drive you can "mdadm --add" it.


Does it make sense to dd or ddrescue from the removed drive to the 
replacement? My md RAID set is on primary partitions, not raw drives, so 
I'm assuming the replacement drive needs at least the boot sector from the 
old drive to copy the partition data.




[CentOS] server rebooted email

2020-11-19 Thread Kenneth Porter
I used to put a line in rc.local to email root that my server rebooted. 
Does anyone have a nice systemd unit file to do the same?


Also useful would be a shutdown email with the output of uptime. (I usually 
do that manually when rebooting for a kernel update.)




Re: [CentOS] dnsmasq centos 7

2020-10-31 Thread Kenneth Porter

On 10/31/2020 6:17 AM, Jerry Geis wrote:

I tested with "host laptop.w530" and I get unresolved (expected).
If I add "nameserver 192.168.1.8" (my computer) to top of /etc/resolv.conf
and do "host laptop.w530" I get 192.168.1.105 - so seems to be working.


The canonical DNS testing tool is dig. It displays the outbound query 
packet and the reply, in great detail. You'll find it in the bind-utils 
package.





Re: [CentOS] Run as root on reboot

2020-10-28 Thread Kenneth Porter

--On Wednesday, October 28, 2020 5:34 PM -0700 david  wrote:


During initial setup, I'd like to avoid the manual actions of logging on
as root and executing a command, but instead have that command run
without intervention.


"During initial setup" is vague. Lots of stuff happens during startup. With 
systemd, you can control what triggers your script to run. Does it need the 
filesystems up? Does it need networking? This will be a part of your 
systemd unit file.



The output of the command would still show up on the terminal that
initiated the reboot.


This one might be hard. Is there a way to know where a reboot command came 
from? Does the kernel or systemd save this somewhere?




Re: [CentOS] Centos 7 + PHP7.2 - variables_order not working

2020-10-27 Thread Kenneth Porter
--On Tuesday, October 27, 2020 12:54 PM + Gary Stainburn 
 wrote:



I've just moved my site onto a new box and I'm having a real problem 
with $_REQUEST.  The variables_order  and request_order values are not
being respected.


I glanced at the documentation for that directive and there seems to be a 
lot of fine print and gotchas that affect how it's used:







Re: [CentOS] UID/GID CentOS 6 to CentOS 7

2020-10-22 Thread Kenneth Porter

On 10/22/2020 6:06 AM, Simon Matter wrote:

In the end I decided to rearrange all users to new UIDs/GIDs and converted
all storage with a script.


I'm rsyncing to an RH8 box for backup (it will eventually become the 
production box), and rsync maintains usernames even when the numeric IDs 
are different. So I cobbled together some Python scripts to migrate the 
users and groups from my RH7 boxes (which still has some IDs below 1000) 
to my RH8 box. I decided to export all the passwd files into json and 
then import them with a second script on the new box. I'm new to Python 
so this gave me motivation to learn a bit of it. Patches welcome.


https://github.com/SpareSimian/user-group-migration
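An added example, not the code in the repository linked above: it narrows to the passwd side (group lines follow the same pattern) and shows the export-to-JSON step plus an import step that keeps names, moves legacy IDs below 1000 above that range, and flags UIDs the new box has already handed to someone else. The passwd lines for both boxes are constructed samples.

```python
import json

# Constructed sample lines, not real systems: the old box still has IDs below
# 1000; on the new box "alice" already exists under a different UID and
# "carol" sits on the UID that "bob" used on the old box.
OLD_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:502:502:Alice:/home/alice:/bin/bash
bob:x:503:503:Bob:/home/bob:/bin/bash
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:503:503:Carol:/home/carol:/bin/bash
"""

def parse_passwd(text):
    """passwd(5) lines -> {name: record}; the password field is left out."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                           "home": home, "shell": shell}
    return users

def export_json(passwd_text):
    """Export step on the old box: a JSON document keyed by user name."""
    return json.dumps({"users": parse_passwd(passwd_text)}, indent=2)

def plan_import(exported_json, new_passwd_text, min_uid=1000):
    """Import step on the new box. Returns (to_create, remapped, conflicts):
    to_create -- users missing here, with legacy IDs moved above min_uid
    remapped  -- users present here under another UID (rsync matches by name)
    conflicts -- exported UIDs already owned by a different name here"""
    data = json.loads(exported_json)
    existing = parse_passwd(new_passwd_text)
    used = {rec["uid"]: name for name, rec in existing.items()}
    next_uid = max([min_uid - 1] + list(used)) + 1
    to_create, remapped, conflicts = {}, {}, {}
    for name, rec in data["users"].items():
        if name in existing:
            if existing[name]["uid"] != rec["uid"]:
                remapped[name] = (rec["uid"], existing[name]["uid"])
            continue
        uid = rec["uid"]
        if uid in used:
            conflicts[name] = uid
        if uid < min_uid or uid in used:   # never reuse a legacy or taken UID
            uid, next_uid = next_uid, next_uid + 1
        used[uid] = name
        to_create[name] = dict(rec, uid=uid)
    return to_create, remapped, conflicts
```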




Re: [CentOS] ::1 in /var/log/httpd/access_log on CentOS 7

2020-10-13 Thread Kenneth Porter

On 10/13/2020 8:48 AM, Jerry Geis wrote:

I see "MANY" of these
::1 - - [13/Oct/2020:10:46:08 -0500] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 (internal dummy
connection)"

in the log file.   This is not me connecting as ::1 is localhost.

What is this - how might I stop it ?


This might help:

https://knackforge.com/blog/sivaji/mitigating-apache-internal-dummy-connection-issue

https://serverfault.com/questions/333267/apache-internal-dummy-connections




Re: [CentOS] Mail server troubles

2020-10-09 Thread Kenneth Porter
--On Friday, October 09, 2020 6:29 PM +1300 Rob Kampen 
 wrote:



If this reject is due to their spam filtering process, it is actually the
email author's problem - how they make up their sentences, key words etc.
and thus the problem will travel with them, to whatever email provider
they choose.

Suggest they get educated in how to write an appropriate email that
doesn't raise alarms, or they could use mailchimp (e.g. only) for their
large group emails.


Good point. Feed all your outbound mail to SpamAssassin and set it to 
retain the report in the output, directed to a local email account so you 
can review it via Dovecot. You could also direct it to an external mail 
account (e.g. on a VPS) so you can see what it looks like to the outside 
world.






Re: [CentOS] Mail server troubles

2020-10-09 Thread Kenneth Porter
--On Friday, October 09, 2020 12:49 AM +0200 Nicolas Kovacs 
 wrote:



This is probably a bit OT, but here goes.


I suggest subscribing to the Mailop list and then looking at the archives. 
Very low traffic, comparable to the CentOS users list.






Re: [CentOS] Viewing changelog for packages to be updated

2020-10-06 Thread Kenneth Porter

On 10/6/2020 4:41 AM, Simon Matter wrote:

Therefore I've made 'pkgchangelog' which generates changelogs like the one
shown below. It's available here:

http://www.invoca.ch/pub/packages/pkgmonitor/public/pkgchangelog


Very nice! I think I'll integrate this into my daily yum job that 
downloads and reports any updates.





Re: [CentOS] Drive failed in 4-drive md RAID 10

2020-09-19 Thread Kenneth Porter
--On Friday, September 18, 2020 10:53 PM +0200 Simon Matter 
 wrote:



mdadm --remove /dev/md127 /dev/sdf1

and then the same with --add should hotremove and add dev device again.

If it rebuilds fine it may again work for a long time.


This worked like a charm. When I added it back, it told me it was 
"re-adding" the drive, so it recognized the drive I'd just removed. I 
checked /proc/mdstat and it showed rebuilding. It took about 90 minutes to 
finish and is now running fine.




Re: [CentOS] Drive failed in 4-drive md RAID 10

2020-09-18 Thread Kenneth Porter
--On Friday, September 18, 2020 10:53 PM +0200 Simon Matter 
 wrote:



mdadm --remove /dev/md127 /dev/sdf1

and then the same with --add should hotremove and add dev device again.

If it rebuilds fine it may again work for a long time.


Thanks. That reminds me: If I need to replace it, is there some easy way to 
figure out which drive bay is sdf? It's an old Supermicro rack chassis with 
6 drive bays. Perhaps a way to blink the drive light?




[CentOS] Drive failed in 4-drive md RAID 10

2020-09-18 Thread Kenneth Porter
I got the email that a drive in my 4-drive RAID10 setup failed. What are my 
options?


Drives are WD1000FYPS (Western Digital 1 TB 3.5" SATA).

mdadm.conf:

# mdadm.conf written out by anaconda
MAILADDR root
AUTO +imsm +1.x -all
ARRAY /dev/md/root level=raid10 num-devices=4 UUID=942f512e:2db8dc6c:71667abc:daf408c3


/proc/mdstat:
Personalities : [raid10]
md127 : active raid10 sdf1[2](F) sdg1[3] sde1[1] sdd1[0]
 1949480960 blocks super 1.2 512K chunks 2 near-copies [4/3] [UU_U]
 bitmap: 15/15 pages [60KB], 65536KB chunk

smartctl reports this for sdf:
197 Current_Pending_Sector  0x0012   200   200   000    Old_age   Always   -   1
198 Offline_Uncorrectable   0x0010   200   200   000    Old_age   Offline  -   6


So it's got 6 bad blocks, 1 pending for remapping.

Can I clear the error and rebuild? (It's not clear what commands would do 
that.) Or should I buy a replacement drive? I'm considering a WDS100T1R0A 
(2.5" 1TB red drive), which Amazon has for $135, plus the 3.5" adapter.


The system serves primarily as a home mail server (it fetchmails from an 
outside VPS serving as my domain's MX) and archival file server.
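An added example (not from the thread) that parses /proc/mdstat text like the one quoted above and reports degraded arrays with their failed members, the check a cron job could run ahead of the failure email; the md127 sample is the one in the post, the md0 sample with an already removed member is constructed.

```python
import re

# The /proc/mdstat text quoted in the post, embedded so this runs offline.
MDSTAT = """Personalities : [raid10]
md127 : active raid10 sdf1[2](F) sdg1[3] sde1[1] sdd1[0]
      1949480960 blocks super 1.2 512K chunks 2 near-copies [4/3] [UU_U]
      bitmap: 15/15 pages [60KB], 65536KB chunk
"""
# Constructed sample: the failed member has already been mdadm --remove'd,
# so the gap shows only as "_" in the status map with no (F) device.
MDSTAT_REMOVED = """Personalities : [raid1]
md0 : active raid1 sda1[0]
      2000 blocks [2/1] [U_]
"""

# "sdf1[2](F)" is member device, slot number, then flags such as (F) failed
# or (S) spare; "[4/3] [UU_U]" is wanted/active counts and the per-slot map.
MEMBER_RE = re.compile(r"(\w+)\[(\d+)\]((?:\([A-Z]\))*)")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")

def parse_mdstat(text):
    """Return {array: {state, level, members, wanted, active, status}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(md\d+)\s*:\s*(\w+)\s+(\w+)\s+(.*)$", line)
        if m:
            current = m.group(1)
            members = [(dev, int(slot), flags)
                       for dev, slot, flags in MEMBER_RE.findall(m.group(4))]
            arrays[current] = {"state": m.group(2), "level": m.group(3),
                               "members": members, "wanted": None,
                               "active": None, "status": None}
        elif current:
            s = STATUS_RE.search(line)
            if s:
                arrays[current].update(wanted=int(s.group(1)),
                                       active=int(s.group(2)),
                                       status=s.group(3))
    return arrays

def degraded_arrays(text):
    """Return {array: [failed devices and empty slots]} for every array that
    is short of its wanted member count; an empty dict means all healthy."""
    report = {}
    for name, info in parse_mdstat(text).items():
        if info["wanted"] is None or info["active"] == info["wanted"]:
            continue
        failed_slots = {slot for _, slot, fl in info["members"] if "(F)" in fl}
        failed = [dev for dev, slot, _ in info["members"] if slot in failed_slots]
        missing = [f"slot {i}" for i, ch in enumerate(info["status"])
                   if ch == "_" and i not in failed_slots]
        report[name] = failed + missing
    return report
```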





Re: [CentOS] Conversion from Centos 5 to Centos 7 & mailx changes

2020-09-04 Thread Kenneth Porter
--On Friday, September 04, 2020 3:58 PM -0500 "Gregory P. Ennis" 
 wrote:



On Centos 7 the headers contain 'Content-Transfer-Encoding: base64' and
when the client gets the e-mail they are unable to open it up.


That sounds like a broken client that needs to be updated. What kind of 
client?






[CentOS] Viewing changelog for packages to be updated

2020-08-26 Thread Kenneth Porter
Is there some way to see the RPM changelog entries for a prospective yum 
update? Ideally I'd like to see just the entries that are newer than the 
version of the package I already have.


I saw a new kernel in today's yum-cron email and I'd like to know what it's 
about and how urgent the issue is for me.




Re: [CentOS] Fixing grub/shim issue Centos 7

2020-08-06 Thread Kenneth Porter

On 8/6/2020 7:25 AM, Simon Matter via CentOS wrote:

The only real solution I can think of to prevent this would be to make
preview versions of updates available to the public so that a lot of
people can test them on their hardware, hopefully spare hardware, and give
feedback.


A practical equivalent is simply to avoid applying updates for a week to 
see if someone else gets burned by them. I'm already waiting for a 
weekend so I don't disrupt work in case a catastrophe happens, and I 
wait at least a week and watch this list for any reports of disaster. So 
I haven't experienced this one. Let the impatient do your testing for you.





Re: [CentOS] Centos 7 shim fix failed

2020-08-05 Thread Kenneth Porter

On 8/4/2020 11:20 AM, Jonathan Billings wrote:

Running transaction
   Installing : kernel-3.10.0-1127.el7.x86_64 1/1

at which point the process appeared to hang.  No further output happened for
five minutes.  I opened a different terminal and entered "shutdown -r now".
The result is an unbootable system.


What did I do wrong?  I must admit that there are multiple copies of advice
on the mailing list, so perhaps I followed the wrong one?

Your system was most likely rebuilding the initrd, and you interrupted
it leaving you with a broken initrd.


Is there some way we could get the initrd rebuild to be more verbose, so 
that it doesn't appear to hang? It would be nice to get feedback that 
something is happening, especially on an older, slower system that takes 
a long time for this step.


I run into the same problem with the kernel-devel package, just because 
of the sheer number of files involved. I've learned to be patient and 
expect a kernel upgrade on my oldest system to take a very long time. (I 
need the -devel package to rebuild an ancient 3rd party driver no longer 
provided by RHEL.)





Re: [CentOS] Boot failed on latest CentOS 7 update

2020-08-01 Thread Kenneth Porter

Another ZDNet story on the issue:

https://www.zdnet.com/article/red-hat-enterprise-linux-runs-into-boothole-patch-trouble/




Re: [CentOS] Iptables rules not working

2020-07-16 Thread Kenneth Porter
--On Friday, July 17, 2020 6:43 AM +0530 Kaushal Shriyan 
 wrote:



Please refer to my pastebin link https://paste.centos.org/view/cd55a9a6.
Basically I want to allow the below mentioned ruleset on the server
(CentOS Linux release 8.2.2004 (Core)) and drop the rest of the network
traffic from 0.0.0.0/0


Your default input policy is accept. Change it to drop.





Re: [CentOS] Iptables rules not working

2020-07-16 Thread Kenneth Porter
--On Thursday, July 16, 2020 10:41 PM +0530 Kaushal Shriyan 
 wrote:



I have run the below command but I am still able to connect from the
internet. Do I need to add any drop traffic policy using nft?


A single rule doesn't tell us enough. Dump the entire firewall to a 
pastebin and post the link here.






Re: [CentOS] USB-serial adapter for CentOS 7

2020-07-08 Thread Kenneth Porter
Check the voltages on your adapter. I use such adapters in the machine shop 
so machinists can share the CNC programs they write on a PC with their CNC 
controllers. The CNC controllers can be fussy about voltages, and some 
cheap RS232-USB adapters only generate +/-5vdc. It's within the RS232 spec 
and newer RS232 chips are happy with that, but older systems might want 12v 
or more.


Another issue is handshake lines. Not all adapters provide all the 
handshake lines. Some are "3-wire" data-only with only ground, transmit, 
and receive connected. Some devices will want 5 or 7 wire connections, with 
RTS/CTS and DTR/DSR signals included. Check that the adapter you buy 
provides all the signals your device needs.


Which service are you using to manage your UPS? Nut? Something else? They 
probably have a mailing list, website, or wiki where you can find out what 
adapters work well with which UPS units. (Be sure to post back here when 
you get an answer.)



Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Kenneth Porter

--On Tuesday, June 16, 2020 5:20 PM -0700 david  wrote:


If someone can suggest a firewall-cmd equivalent, it would be nice.


Alas, firewalld is targeted at end nodes and doesn't really provide much 
facility for routers. Its big advantage there is in setting up a reasonable 
default firewall for the gateway itself. The only real gateway support is 
to enable masquerade on the external interface.


I use firewalld direct rules for controlling the forwarded packets. They 
look like iptables rules and get injected into firewalld's own subchains. 
Use "iptables -L -v -n" to dump the whole mess into a file for examination.


In /etc/firewalld/direct.xml, you could add an XML passthrough node like 
this:


<passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>


This assumes your internal zone is named internal. Change the chain name to 
match your zone name. You don't need to specify the interface name here 
because the FWDI_internal chain is only invoked if the inbound interface 
matches an interface in that zone.


Also note that the -I option takes a chain name and a number indicating 
where to insert a rule. I use 1 to put the rule at the start of any rules 
that firewalld has already inserted. So if you need a LOG rule, you'll want 
to put the nodes in reverse order in the XML file so they get inserted 
backwards, last rule first. I.e. insert the DROP rule, then the LOG rule.
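An added example (not the poster's configuration) that writes the direct.xml passthrough nodes from a rule list given in the order the rules should end up in the chain, reversing them as described above, and replays the inserts to confirm the final order; the chain name and DROP rule are the ones from the post, the LOG rule with its --log-prefix is constructed.

```python
import xml.etree.ElementTree as ET

# Rules in the order they should end up in the chain: the DROP rule from the
# post, preceded by a constructed LOG rule so dropped packets leave a trace.
CHAIN = "FWDI_internal_deny"       # the internal zone's forward-in deny chain
RULES = ["-p tcp --dport 22 -j LOG --log-prefix fwd-ssh-drop:",
         "-p tcp --dport 22 -j DROP"]

def passthrough_args(chain, rules, position=1):
    """Return the argument strings for the passthrough nodes.

    Every node is an "-I chain 1 ..." insert, so a node applied later lands
    above one applied earlier; emitting the list reversed (last rule first)
    makes the chain come out in the order `rules` was written."""
    return [f"-I {chain} {position} {rule}" for rule in reversed(rules)]

def build_direct_xml(chain, rules, ipv="ipv4"):
    """Serialize the nodes in the /etc/firewalld/direct.xml layout."""
    direct = ET.Element("direct")
    for args in passthrough_args(chain, rules):
        ET.SubElement(direct, "passthrough", ipv=ipv).text = args
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(direct, encoding="unicode"))

def simulate_chain(args_list):
    """Apply the inserts to an empty chain the way iptables -I would and
    return the resulting rule order, so the ordering can be checked before
    touching the live firewall."""
    chain = []
    for args in args_list:
        parts = args.split()
        if parts[0] != "-I":
            raise ValueError(f"only -I inserts are modelled: {args}")
        pos = int(parts[2])               # 1-based position in the chain
        chain.insert(pos - 1, " ".join(parts[3:]))
    return chain

if __name__ == "__main__":
    print(build_direct_xml(CHAIN, RULES))
    print(simulate_chain(passthrough_args(CHAIN, RULES)))
```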




Re: [CentOS] firewall help request

2020-06-16 Thread Kenneth Porter
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will be 
passed on to the Internet, so your rule needs to be in the FORWARD chain. 
(The OUTPUT chain affects packets that originate at your machine.)


Here's a nice collection of diagrams showing how packets flow through the 
system:





