[CentOS] mount.nfs: an incorrect mount option was specified

2016-10-03 Thread Tim Dunphy
Hey guys,

 My NFS server has been working really well for a long time now. Both
client and server run CentOS 7.2.

 However when I just had to remount one of my home directories on an NFS
client, I'm now getting the error when I run mount -a

mount.nfs: an incorrect mount option was specified


This is the corresponding line I have in my fstab file on the client:

nfs1.example.com:/var/nfs/home  /home  nfs  rw  0 0


I get the same error if I try to run the mount command explicitly:

mount -t nfs nfs1.example.com:/var/nfs/home /home
mount.nfs: an incorrect mount option was specified

This is the verbose output of that same command:

mount -vvv -t nfs nfs1.example.com:/var/nfs/home /home
mount.nfs: timeout set for Sun Oct  2 23:17:03 2016
mount.nfs: trying text-based options
'vers=4,addr=162.xx.xx.xx.xx,clientaddr=107.xxx.xx.xx'
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified

This is the entry I have in my /etc/exports file on the nfs server

/var/nfs/home web2.jokefire.com(rw,sync,no_root_squash,no_all_squash)

I get this same result if the firewall is up or down (for very microscopic
slivers of time for testing purposes).

With the firewall down (for testing again very quickly) I get this result
from the showmount -e command:

[root@web2:~] #showmount -e nfs1.example.com

Export list for nfs1.example.com:

/var/nfs/varnish varnish1.example.com

/var/nfs/es  es3.example.com,es2.example.com,logs.example.com

/var/nfs/www web2.example.com,puppet.example.com,ops3.example.com,
ops2.example.com,web1.example.com

/var/nfs/home ansible.example.com,chef.example.com,logs3.example.com,
logs2.example.com,logs1.example.com,ops.example.com,lb1.example.com,
ldap1.example.com,web2.example.com,web1.lyricgem.com,nginx1.example.com,
salt.example.com,puppet.example.com,nfs1.example.com,db4.example.com,
db3.example.com,db2.example.com,db1.example.com,varnish2.example.com,
varnish1.example.com,es3.example.com,es2.example.com,es1.example.com,
repo.example.com,ops3.example.com,ops2.example.com,solr1.example.com,
time1.example.com,mcollective.example.com,logs.example.com,
hadoop04.example.com,hadoop03.example.com,hadoop02.example.com,
hadoop01.example.com,monitor3.example.com,monitor2.example.com,
monitor1.example.com,web1.example.com,activemq1.example.com

With the firewall on the nfs server up (as it is all the time other than
this short test), I get back this result:

showmount -e nfs1.example.com

clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No
route to host)

This is a list of ports I have open on the NFS server:

[root@nfs1:~] #firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client ssh

  ports: 2719/tcp 9102/tcp 52926/tcp 111/tcp 25/tcp 875/tcp 54302/tcp
4/tcp 20048/tcp 2692/tcp 55982/tcp 2049/tcp 17123/tcp 42955/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

rule family="ipv4" source address="xx.xx.xx.x/32" port port="5666"
protocol="tcp" accept

So I have two problems I need to solve. 1) How do I open the firewall ports
on the nfs server so that clients can contact it? I'm using firewalld on
the nfs server. And 2) why am I getting an error saying that "an incorrect
mount option was specified"?

Thanks,

Tim





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] ElasticSearch Logrotate not working

2016-08-02 Thread Tim Dunphy
ok, good advice! thanks!

On Thu, Jul 28, 2016 at 2:06 PM, Thomas Eriksson <
thomas.eriks...@slac.stanford.edu> wrote:

> On 07/28/2016 07:40 AM, Tim Dunphy wrote:
> > Hey guys,
> >
> >  I have this log rotation script setup in my /etc/logrotate.d folder
> >
> > /var/log/elasticsearch/*.log {
> > daily
> > rotate 100
> > size 50M
> > copytruncate
> > compress
> > delaycompress
> > missingok
> > notifempty
> > create 644 elasticsearch elasticsearch
> > }
> >
> > And I notice that log files are still being generated that are upwards of 7
> > or 8 GBs. Can anyone point out to me where the script is going wrong, and
> > why log files for ES are growing so incredibly big? I would think that
> > having that logrotate script in place should solve that problem.
> >
> > Thanks,
> > Tim
> >
>
> Tim,
>
> First, logrotate only checks the state of the logfiles once a day, so
> if your log grows to 8GB in a day, it has no chance to do anything
> about it.
>
> Second, elasticsearch is using log4j to control its logs. It has its
> own naming and rotation rules and should not need to involve logrotate
> at all. See /etc/elasticsearch/logging.yml
>
> Third, if you generate that much logging in a day, maybe lower the
> loglevel, or perhaps there is a problem that should be fixed.
>
> -Thomas
>
>





[CentOS] ElasticSearch Logrotate not working

2016-07-28 Thread Tim Dunphy
Hey guys,

 I have this log rotation script setup in my /etc/logrotate.d folder

/var/log/elasticsearch/*.log {
daily
rotate 100
size 50M
copytruncate
compress
delaycompress
missingok
notifempty
create 644 elasticsearch elasticsearch
}

And I notice that log files are still being generated that are upwards of 7
or 8 GBs. Can anyone point out to me where the script is going wrong, and
why log files for ES are growing so incredibly big? I would think that
having that logrotate script in place should solve that problem.

Thanks,
Tim



[CentOS] Apache/PHP Installation - opinions

2016-04-26 Thread Tim Dunphy
Hey guys,

I tend to work on small production environments for a large enterprise.

Never more than 15 web servers for most sites.

But most are only 3 to 5 web servers. Depends on the needs of the
client. I actually like to install Apache and PHP from source and by
hand. Although I know that's considered sacrilege in some shops.

I do this because on RH flavored systems like CentOS the versions of
Apache, php and most other software are a little behind the curve in
terms of versions.

And that's intentionally so! Because the versions that usually go into
the various repos are tested and vetted thoroughly before going into
the repos.

I like to use the latest, stable versions of apache and php for my
clients without having to create a custom RPM every time a new version
comes out.

So what I'd like to know is it better in your opinion to install from
repos than to install by source as a best practice? Is it always
better to use puppet, chef, ansible etc even if the environment is
small? I'm sure this is a matter of preference, but I would like to know
what your preferences are.

Thanks,
Tim



Re: [CentOS] SELinux denies haproxy

2016-03-12 Thread Tim Dunphy
>
> setsebool -P haproxy_connect_any 1


Hey, thanks Alexander! That did the trick.

> for more information :
> https://www.mankier.com/8/haproxy_selinux


Thanks, Hossein! Very valuable info. Much appreciated.

Tim

On Sat, Mar 12, 2016 at 5:40 PM, Hossein Aghaie <hossein@gmail.com>
wrote:

> for more information :
> https://www.mankier.com/8/haproxy_selinux
>
> On Sun, Mar 13, 2016 at 2:05 AM, Alexander Dalloz <ad+li...@uni-x.org>
> wrote:
>
> > Am 12.03.2016 um 23:18 schrieb Tim Dunphy:
> >
> >> Hi all,
> >>
> >> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
> >> working pretty well. Except I keep seeing these messages turning up in
> >> syslog:
> >>
> >>
> >> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
> >> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
> >> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
> >> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
> >>
> >> It looks like SELinux is denying haproxy the ability to connect to the
> >> database. I haven't seen any real problems on the site that uses the
> >> database. But I was just wondering if this message looks familiar to
> >> anyone. Or if it looks like something I should try to correct.
> >>
> >> I tried grepping through audit.log for haproxy and piping it to audit2why,
> >> but I don't get any useful response back:
> >>
> >> [root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M
> >> haproxy
> >> Nothing to do
> >>
> >> I'm open to your thoughts and opinions!
> >>
> >> Thanks,
> >> Tim
> >>
> >
> >
> > setsebool -P haproxy_connect_any 1
> >
> > Alexander
> >
> >
> >





[CentOS] SELinux denies haproxy

2016-03-12 Thread Tim Dunphy
Hi all,

I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
working pretty well. Except I keep seeing these messages turning up in
syslog:


Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket

It looks like SELinux is denying haproxy the ability to connect to the
database. I haven't seen any real problems on the site that uses the
database. But I was just wondering if this message looks familiar to
anyone. Or if it looks like something I should try to correct.

I tried grepping through audit.log for haproxy and piping it to audit2why,
but I don't get any useful response back:

[root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M haproxy
Nothing to do

I'm open to your thoughts and opinions!

Thanks,
Tim



Re: [CentOS] logrotate script error

2016-03-05 Thread Tim Dunphy
Hey!


That worked!

/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    size 100M
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

Thanks for the help!

Tim

On Sat, Mar 5, 2016 at 11:15 PM, Yamaban <foers...@lisas.de> wrote:

> On Sun, 6 Mar 2016 04:34, Tim Dunphy <bluethundr@...> wrote:
>
> Hey guys,
>>
>> I'm trying to rotate a logstash log that can grow pretty large. 3.4GB last
>> I saw!
>>
>> And that's because the logrotate script I came up with didn't work.
>>
>> The error I get on a syntax check is this:
>>
>> #logrotate -f logstash
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>>
>> And this is the logstash rotate script:
>>
>> #cat /etc/logrotate.d/logstash
>> /var/log/logstash/* {
>>     daily
>>     rotate 7
>>     copytruncate
>>     compress
>>     delaycompress
>>     missingok
>>     notifempty
>>     postrotate
>>     size 100M
>>     /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
>>     endscript
>> }
>>
>> I can't find the error there. Can I have a suggestion as to what's wrong
>> and how to correct it?
>>
>
> Multiple errors here, first hint: "man 8 logrotate" is a good start.
>
> Second: wrong order of lines:
> diff -U2
> [code]
> --- your logstash-rotate
> +++ corrected logstash-rotate
> @@ -7,6 +7,7 @@
> missingok
> notifempty
> -   postrotate
> size 100M
> +   sharedscripts
> +   postrotate
> /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2>
> /dev/null || true
> endscript
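Review bot: at the end of the hunk the `/bin/kill -HUP` command is wrapped after `2>`, with `/dev/null || true` on the following line; in the config file it has to stay on a single line, because the lines between `postrotate` and `endscript` are passed to the shell as written and a line ending in `2>` has no redirection target. The added `sharedscripts` line would also benefit from a short comment in the config saying the HUP is meant to be sent once per run rather than once per rotated file.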
> [/code]
>
> In short: "postrotate" line is in wrong position, add line "sharedscripts"
>
>  - Yamaban.



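A small linter for the mistake fixed in this thread, added here as an example (it is not code from the thread): everything between `postrotate` and `endscript` is handed to the shell, so a directive placed there, such as `size 100M`, is run as a command instead of being read by logrotate. The keyword list is a subset, and the two sample configs are the thread's own, with the `kill` command joined onto one line.

```python
import re

# logrotate keywords (a subset, enough for the configs in this thread).
DIRECTIVES = {
    "hourly", "daily", "weekly", "monthly", "yearly", "rotate", "size",
    "minsize", "maxsize", "maxage", "compress", "nocompress",
    "delaycompress", "copytruncate", "copy", "create", "nocreate",
    "missingok", "notifempty", "ifempty", "sharedscripts", "dateext",
    "olddir", "su",
}
SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction",
                  "preremove"}


def lint(text):
    """Return sorted (line_number, message) findings for one config file."""
    findings = []
    script = None        # name of the script block we are inside, if any
    script_line = 0      # line where that script block opened
    paths = ""           # path pattern(s) of the current stanza
    shared = False       # 'sharedscripts' seen in this stanza?
    script_starts = []   # opening lines of script blocks in this stanza

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]

        # Inside a script block: every line is shell input, not config.
        # (Heuristic: a lone "}" is treated as the end of the stanza.)
        if script and line != "}":
            if word == "endscript":
                script = None
            elif word in DIRECTIVES or word in SCRIPT_OPENERS:
                findings.append((no, f"'{word}' is inside the {script} "
                                     "script: the shell runs it, logrotate "
                                     "never sees it"))
            elif line.startswith(("||", "&&", "|")):
                findings.append((no, "script line starts with an operator: "
                                     "a wrapped command must stay on one line"))
            continue

        if line.endswith("{"):
            paths, shared, script_starts = line[:-1].strip(), False, []
        elif line == "}":
            if script:
                findings.append((script_line, f"{script} has no endscript"))
                script = None
            many = len(paths.split()) > 1 or re.search(r"[*?\[]", paths)
            if script_starts and many and not shared:
                findings.append((script_starts[0],
                                 "script runs once per rotated file; add "
                                 "sharedscripts to run it once"))
        elif word == "sharedscripts":
            shared = True
        elif word in SCRIPT_OPENERS:
            script, script_line = word, no
            script_starts.append(no)
    return sorted(findings)


# The config as first posted in the thread.
BROKEN = """\
/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    postrotate
    size 100M
    /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
"""

# The config after the correction from the reply.
FIXED = """\
/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    size 100M
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name)
        for no, msg in lint(cfg):
            print(f"  line {no}: {msg}")
```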


[CentOS] logrotate script error

2016-03-05 Thread Tim Dunphy
Hey guys,

 I'm trying to rotate a logstash log that can grow pretty large. 3.4GB last
I saw!

 And that's because the logrotate script I came up with didn't work.

 The error I get on a syntax check is this:

#logrotate -f logstash
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file

And this is the logstash rotate script:

#cat /etc/logrotate.d/logstash
/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    postrotate
    size 100M
    /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

I can't find the error there. Can I have a suggestion as to what's wrong
and how to correct it?

Thanks,
Tim



[CentOS] delete directories with find and exclude other directories

2016-02-03 Thread Tim Dunphy
Hi all,

I'm attempting to delete some directories and I want to be able to exclude
a directory called 'logs' from being deleted.

This is my basic find operation (without the exclusion)

# find . -type d  |tail -10
./d20160124-1120-df8mfb/deployments
./d20160124-1120-df8mfb/releases
./d20160131-16993-vazqg5
./d20160131-16993-vazqg5/metadata
./d20160131-16993-vazqg5/deployments
./d20160131-16993-vazqg5/releases
./logs
./d20160203-27735-1tqbjh6
./d20160125-1120-1yccr9p
./d20160131-16993-1yf9lnc

I'm just tailing the output so that you have an idea of what's going on
without taking up the whole page. :)

If I try to exclude the logs directory with the prune command I get back
no results.

root@ops-manager:/tmp/tmp# find . -type d  -prune -o -name 'logs' -print
root@ops-manager:/tmp#

What am I doing wrong?

Thanks,
Tim



Re: [CentOS] LDAP create home directories

2015-12-19 Thread Tim Dunphy
>
> Check /var/log/secure for why the directory is not able to be created.
> Might be selinux, is that enabled? (sestatus)


Good catch! It was indeed SELinux preventing the directory from being
created. Disabling it allows that to happen. For instance I just created a
new test user in LDAP:

 #ssh odun...@ops2.example.com

odun...@ops2.example.com's password:

Creating directory '/home/odunphy'.


 _ ____

| |  ___|  / _ \ _ __  ___|___ \

 _  | | |_| | | | '_ \/ __| __) |

| |_| |  _|   | |_| | |_) \__ \/ __/

 \___/|_|  \___/| .__/|___/_|

|_|
[odunphy@ops2 ~]$


And it works fine! :) Turns out the host that had directory creation
working properly before had SELinux disabled.

When I look at the audit log this is what I found:

type=AVC msg=audit(1450562436.438:2148162): avc:  denied  { entrypoint }
for  pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1"
ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to
allow this access.


So I just created the selinux module file and installed it:

[root@ops2:~] #grep ssh /var/log/audit/audit.log | audit2allow -M ssh-mkdir
 IMPORTANT ***
To make this policy package active, execute:

semodule -i ssh-mkdir.pp

[root@ops2:~] #semodule -i ssh-mkdir.pp

And all is well with the world. Directories are created on login with LDAP
now.

#ssh odun...@ops2.example.com

odun...@ops2.example.com's password:

Creating directory '/home/odunphy'.

Last login: Sat Dec 19 17:00:36 2015 from ool-4571a4a2.dyn.optonline.net


 _ ____

| |  ___|  / _ \ _ __  ___|___ \

 _  | | |_| | | | '_ \/ __| __) |

| |_| |  _|   | |_| | |_) \__ \/ __/

 \___/|_|  \___/| .__/|___/_|

|_|

[odunphy@ops2 ~]$


Thanks for your help!

Tim

On Sat, Dec 19, 2015 at 4:49 PM, Bill Howe <howe.b...@gmail.com> wrote:

> Check /var/log/secure for why the directory is not able to be created.
>
> Might be selinux, is that enabled? (sestatus)
> On Dec 19, 2015 15:40, "Tim Dunphy" <bluethu...@gmail.com> wrote:
>
> > >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> >
> >
> > Hmm.. I got a different result after restarting nslcd. Instead of logging
> > me in and just complaining that it couldn't create the home directory, it
> > still complains about not creating the home directory, but now it doesn't
> > let me in:
> >
> > #ssh tdun...@ops2.example.com
> >
> > tdun...@ops2.example.com's password:
> >
> > Creating directory '/home/tdunphy'.
> >
> > Unable to create and initialize directory '/home/tdunphy'.
> >
> > Last login: Sat Dec 19 15:29:54 2015
> >
> >
> >  _ ____
> >
> > | |  ___|  / _ \ _ __  ___|___ \
> >
> >  _  | | |_| | | | '_ \/ __| __) |
> >
> > | |_| |  _|   | |_| | |_) \__ \/ __/
> >
> >  \___/|_|  \___/| .__/|___/_|
> >
> > |_|
> > Connection to ops2.example.com closed.
> >
> >  I think I preferred it when it would let me in and complain!! LOL
> >
> > I can still get in with my non-LDAP admin account fortunately.
> >
> > Ok, any other thoughts?
> >
> > Thanks,
> > Tim
> >
> > On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.b...@gmail.com> wrote:
> >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> > > On Dec 19, 2015 14:25, "Tim Dunphy" <bluethu...@gmail.com> wrote:
> > >
> > > > Hey guys,
> > > >
> > > >  I've setup an LDAP server on our network. I'm using OpenLDAP.
> > > >
> > > >  It was really easy to use the authconfig-tui to generate the nsswitch.conf
> > > > and ldap.conf files that would allow user authentication.
> > > >
> > > >  But when users would log in, the system wasn't creating the home
> > > > directories.
> > > >
> > > >  I found one command that would correct that:
> > > >
> > > >  authconfig --enablemkhomedir --update
> > > >
> > > > After that logging in with an LDAP user to that machine would c

[CentOS] LDAP create home directories

2015-12-19 Thread Tim Dunphy
Hey guys,

 I've setup an LDAP server on our network. I'm using OpenLDAP.

 It was really easy to use the authconfig-tui to generate the nsswitch.conf
and ldap.conf files that would allow user authentication.

 But when users would log in, the system wasn't creating the home
directories.

 I found one command that would correct that:

 authconfig --enablemkhomedir --update

After that logging in with an LDAP user to that machine would create the
home directories.

But that only worked on the first machine. Running the command on other
machines would have no effect. Which is odd. You would think it would be
consistent.

Even after copying over the entire contents of /etc/pam.d from the working
machine to the non-working machine and making sure that the non-working
machine had the same /etc/nsswitch.conf /etc/openldap/ldap.conf as the one
that worked. It still doesn't create the home directories when LDAP users
log in.

The non-working machine also has the required library file:

-rwxr-xr-x. 1 root root 11176 Aug 18 10:56
/usr/lib64/security/pam_mkhomedir.so

So how can I fix this? How can I get the system to create home directories
for LDAP users automatically?

Thanks,
Tim





Re: [CentOS] LDAP create home directories

2015-12-19 Thread Tim Dunphy
>
> You may also need to restart sssd or nslcd, depending upon which one is
> running the backed ldap connection service on the clients.


Hmm.. I got a different result after restarting nslcd. Instead of logging
me in and just complaining that it couldn't create the home directory, it
still complains about not creating the home directory, but now it doesn't
let me in:

#ssh tdun...@ops2.example.com

tdun...@ops2.example.com's password:

Creating directory '/home/tdunphy'.

Unable to create and initialize directory '/home/tdunphy'.

Last login: Sat Dec 19 15:29:54 2015


 _ ____

| |  ___|  / _ \ _ __  ___|___ \

 _  | | |_| | | | '_ \/ __| __) |

| |_| |  _|   | |_| | |_) \__ \/ __/

 \___/|_|  \___/| .__/|___/_|

|_|
Connection to ops2.example.com closed.

 I think I preferred it when it would let me in and complain!! LOL

I can still get in with my non-LDAP admin account fortunately.

Ok, any other thoughts?

Thanks,
Tim

On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.b...@gmail.com> wrote:

> You may also need to restart sssd or nslcd, depending upon which one is
> running the backed ldap connection service on the clients.
> On Dec 19, 2015 14:25, "Tim Dunphy" <bluethu...@gmail.com> wrote:
>
> > Hey guys,
> >
> >  I've setup an LDAP server on our network. I'm using OpenLDAP.
> >
> >  It was really easy to use the authconfig-tui to generate the nsswitch.conf
> > and ldap.conf files that would allow user authentication.
> >
> >  But when users would log in, the system wasn't creating the home
> > directories.
> >
> >  I found one command that would correct that:
> >
> >  authconfig --enablemkhomedir --update
> >
> > After that logging in with an LDAP user to that machine would create the
> > home directories.
> >
> > But that only worked on the first machine. Running the command on other
> > machines would have no effect. Which is odd. You would think it would be
> > consistent.
> >
> > Even after copying over the entire contents of /etc/pam.d from the working
> > machine to the non-working machine and making sure that the non-working
> > machine had the same /etc/nsswitch.conf /etc/openldap/ldap.conf as the one
> > that worked. It still doesn't create the home directories when LDAP users
> > log in.
> >
> > The non-working machine also has the required library file:
> >
> > -rwxr-xr-x. 1 root root 11176 Aug 18 10:56
> > /usr/lib64/security/pam_mkhomedir.so
> >
> > So how can I fix this? How can I get the system to create home directories
> > for LDAP users automatically?
> >
> > Thanks,
> > Tim
> >
> >
> >





[CentOS] prefork vs worker mpm in apache

2015-11-03 Thread Tim Dunphy
Hey guys,

We had to recompile apache 2.4.12 because we needed to disable thread
safety in php (ZTS).  Because for some reason when compiling php with the
--disable-maintainer-zts with the worker mpm model and checking the php
info page, it was saying that thread safety was still enabled.

So when we recompiled apache to use the prefetch worker model instead of
worker, the php info page was showing that  thread safety was disabled.

But after that change apache processes spiked from around 11 processes per
machine to well over 250 processes at any given time.

These are the tuning settings we have in apache:

StartServers 10

#MinSpareServers 10

#MaxSpareServers 25

ServerLimit 250

MaxRequestWorkers 250

MaxConnectionsPerChild 1000

KeepAlive On

KeepAliveTimeout 30

EnableSendfile Off


So I was just wondering how this change could've caused this problem of
having the number of apache processes spike. And if there are any other
changes we can make to apache to bring the process count down?

Also I realize that installing apache / php from source isn't standard
practice on red hat variants. But at the time that these servers were setup
the latest apache at that time (2.4.12) wasn't available as an RPM. So we
just decided to install from source.

Thanks

Tim





Re: [CentOS] use pssh to restart a service

2015-11-02 Thread Tim Dunphy
>
> This is why it is paramount to use visudo command as opposed to editing the
> /etc/sudoers file directly!  The visudo command will check the edited
> temporary sudoers file syntax before committing to /etc!


Ok! Makes sense! I'll make sure I do that from now on!

Thanks!!

Tim

On Mon, Nov 2, 2015 at 5:25 AM, Anthony K <akcen...@anroet.com> wrote:

> On 02/11/15 12:35, Tim Dunphy wrote:
>
>> Hey Gordon,
>>
>>   Sorry, man my bad! Disabling the tty requirement for my sudo user does
>> indeed work. I had a type-o in the sudoers file, and when I corrected it,
>> my sudo command via pssh started working!
>>
> This is why it is paramount to use visudo command as opposed to editing the
> /etc/sudoers file directly!  The visudo command will check the edited
> temporary sudoers file syntax before committing to /etc!
>
> ak.
>
>





Re: [CentOS] use pssh to restart a service

2015-11-01 Thread Tim Dunphy
Hey Gordon,

 Sorry, man my bad! Disabling the tty requirement for my sudo user does
indeed work. I had a type-o in the sudoers file, and when I corrected it,
my sudo command via pssh started working!

#pssh -i -h es_list "/bin/sudo  /bin/systemctl restart elasticsearch; sleep
10"
[1] 20:31:32 [SUCCESS] bluethu...@es3.jokefire.com
Stderr: sudo: sorry, you must have a tty to run sudo
[2] 20:31:32 [SUCCESS] bluethu...@es2.jokefire.com
[3] 20:31:32 [SUCCESS] bluethu...@es1.jokefire.com

I'm still getting the 'sorry you must have a tty to run sudo' message
coming from one of the nodes. But the command succeeds so it's no big deal!
Odd tho that one node would be barking about that, considering my
sudoers is distributed via puppet.

Anyway, it's all good as far as I'm concerned. At least this works! I'll
check that 3rd node and see if there's any difference to the sudoers file I
guess.

Thanks for your help!
Tim

On Sun, Nov 1, 2015 at 7:06 PM, Gordon Messmer <gordon.mess...@gmail.com>
wrote:

> On 10/31/2015 04:16 PM, Tim Dunphy wrote:
>
>> Got the same exact message!
>>
>> Anything else I can try?
>>
>
> I think you need to double-check your sudoers file.  Use the '-i' argument
> to pssh to get more information.
>
> # cat /etc/sudoers.d/gordon
> gordon ALL=(ALL) NOPASSWD: ALL
>
> $ pssh -h t -i sudo echo true
> [1] 16:02:12 [FAILURE] MYHOST Exited with error code 1
> Stderr: sudo: sorry, you must have a tty to run sudo
>
>
>
> # cat /etc/sudoers.d/gordon
> Defaults:gordon !requiretty, visiblepw
> gordon ALL=(ALL) NOPASSWD: ALL
>
> $ pssh -h t -i sudo echo true
> [1] 16:02:30 [SUCCESS] MYHOST
> true
>
>
>





[CentOS] use pssh to restart a service

2015-10-31 Thread Tim Dunphy
Hi all,

 I need to restart a service on a few elasticsearch nodes. I'm trying to do
it with pssh.

 I'm getting this error when I try to do that:

pssh -h es_list   "/bin/sudo -S /bin/systemctl restart elasticsearch"
[1] 17:01:50 [FAILURE] bluethu...@es2.example.com Exited with error code 1
[2] 17:01:51 [FAILURE] bluethu...@es3.example.com Exited with error code 1
[3] 17:01:51 [FAILURE] bluethu...@es1.example.com Exited with error code 1

I have to sudo up from my user account as root logins are disallowed.

However a simple 'echo hello' command that doesn't require sudo works fine:

#pssh -h es_list   "/bin/echo hello"
[1] 17:00:40 [SUCCESS] bluethu...@es1.example.com
[2] 17:00:41 [SUCCESS] bluethu...@es3.example.com
[3] 17:00:41 [SUCCESS] bluethu...@es2.example.com

What am I doing wrong?

Thanks,
Tim




Re: [CentOS] use pssh to restart a service

2015-10-31 Thread Tim Dunphy
>
> Have you tried running the command from a conventional login?
> sudo -S
> expects a password from stdin, where is that being supplied?


Yep! That works fine.

#ssh -qt  bluethu...@es1.example.com "/bin/sudo -S /bin/systemctl restart
elasticsearch"
#ssh -qt  bluethu...@es1.example.com "/bin/echo $?"
0

And the user has 'NOPASSWD' access.

Any ideas?

Thanks,
Tim

On Sat, Oct 31, 2015 at 5:09 PM, Tony Schreiner <anthony.schrei...@bc.edu>
wrote:

> On Sat, Oct 31, 2015 at 5:04 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>
> > Hi all,
> >
> >  I need to restart a service on a few elasticsearch nodes. I'm trying to do
> > it with pssh.
> >
> >  I'm getting this error when I try to do that:
> >
> > pssh -h es_list   "/bin/sudo -S /bin/systemctl restart elasticsearch"
> > [1] 17:01:50 [FAILURE] bluethu...@es2.example.com Exited with error code 1
> > [2] 17:01:51 [FAILURE] bluethu...@es3.example.com Exited with error code 1
> > [3] 17:01:51 [FAILURE] bluethu...@es1.example.com Exited with error code 1
> >
> > I have to sudo up from my user account as root logins are disallowed.
> >
> > However a simple 'echo hello' command that doesn't require sudo works fine:
> >
> > #pssh -h es_list   "/bin/echo hello"
> > [1] 17:00:40 [SUCCESS] bluethu...@es1.example.com
> > [2] 17:00:41 [SUCCESS] bluethu...@es3.example.com
> > [3] 17:00:41 [SUCCESS] bluethu...@es2.example.com
> >
> > What am I doing wrong?
> >
> > Thanks,
> > Tim
> >
> >
> Have you tried running the command from a conventional login?
>
> sudo -S
> expects a password from stdin, where is that being supplied?





Re: [CentOS] use pssh to restart a service

2015-10-31 Thread Tim Dunphy
>
> What does the sudo log say?


This is all the secure logs say about the ssh session:

[root@logs:~] #tail -f /var/log/secure
Oct 31 19:15:20 logs sshd[24407]: Accepted publickey for bluethundr from
47.18.111.100 port 47469 ssh2: RSA
ae:62:1f:de:54:89:af:2c:10:16:0e:fd:8d:7e:81:06
Oct 31 19:15:21 logs sshd[24407]: pam_unix(sshd:session): session opened
for user bluethundr by (uid=0)
Oct 31 19:15:21 logs sshd[24410]: Received disconnect from 47.18.111.100:
11: disconnected by user
Oct 31 19:15:21 logs sshd[24407]: pam_unix(sshd:session): session closed
for user bluethundr

No change in the logs after making the suggested change to disable tty:

[root@logs:~] #cat /etc/sudoers.d/bluethundr
Defaults:myuser!requiretty, visiblepw

Got the same exact message!

Anything else I can try?

Thanks

On Sat, Oct 31, 2015 at 5:34 PM, Gordon Messmer <gordon.mess...@gmail.com>
wrote:

> On 10/31/2015 02:04 PM, Tim Dunphy wrote:
>
>> pssh -h es_list   "/bin/sudo -S /bin/systemctl restart elasticsearch"
>>
>
> The default configuration prohibits use if input echo can't be disabled.
> That means no "-S".
>
> I modify that for users where necessary:
>
> /etc/sudoers.d/myuser:
> Defaults:myuser!requiretty, visiblepw
>
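Added example, not part of the thread: a scoped `Defaults:<user>` line only changes sudo's behaviour for the account it names, so when a drop-in seems to have no effect it helps to list which account each entry is bound to and which relaxations (`!requiretty`, `visiblepw`) it carries. The function names are hypothetical, and the parser is a simplification that takes the name as the text between `Defaults:` and the first space or `!`.

```bash
#!/bin/sh
# Added example (not from the thread): audit scoped "Defaults:<user>" lines
# in a sudoers drop-in. Assumption/simplification: the bound name is the text
# between "Defaults:" and the first space, tab or "!"; user lists, aliases
# and line continuations are not handled.

# defaults_scope FILE
# Prints one line per scoped Defaults entry: "<user> <flag>[,<flag>]".
# Flags: no-requiretty (the entry contains !requiretty), visiblepw.
defaults_scope() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*Defaults:/ {
            line = $0
            sub(/^[ \t]*Defaults:/, "", line)
            user = line
            sub(/[ \t!].*$/, "", user)           # name ends at space or "!"
            rest = substr(line, length(user) + 1)
            flags = ""
            if (rest ~ /!requiretty/) flags = flags ",no-requiretty"
            # "!visiblepw" is a negation and must not be reported as set
            if (rest ~ /(^|[ \t,])visiblepw/) flags = flags ",visiblepw"
            sub(/^,/, "", flags)
            if (flags == "") flags = "-"
            print user, flags
        }
    ' "$1"
}

# flags_for_user FILE USER
# Prints the flags bound to USER; returns 1 when no scoped entry names USER.
flags_for_user() {
    defaults_scope "$1" |
        awk -v u="$2" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# Demo on a constructed drop-in that mirrors the line quoted in the thread.
demo_file=$(mktemp)
printf '%s\n' 'Defaults:myuser!requiretty, visiblepw' > "$demo_file"
for demo_user in myuser bluethundr; do
    if demo_flags=$(flags_for_user "$demo_file" "$demo_user"); then
        echo "$demo_user: $demo_flags"
    else
        echo "$demo_user: no scoped Defaults entry"
    fi
done
rm -f "$demo_file"
```

Any account reported with `visiblepw` can have its password read by sudo even when echo cannot be turned off, so keep that setting limited to the accounts that need it.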


[CentOS] disable ZTS in php

2015-10-30 Thread Tim Dunphy
Hey guys,

 I'm trying to disable ZTS in php, because an application we need
(AppDynamics) is not compatible with it.

So I tried compiling php with the following flags:

php -i | grep configure
Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
'--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
'--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
'--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
'--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
'--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
'--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
'--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
'--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
'--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
'--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
'--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
'--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared'
'--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
'--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*


And for some reason the AppD installer is claiming that ZTS is still
enabled. So what I'd like to know is, did I disable ZTS correctly? If I did
that means the problem is on the AppD side so we should take a look there.

Appreciate any help on this!

Thanks
Tim



Re: [CentOS] disable ZTS in php

2015-10-30 Thread Tim Dunphy
>
> To leave it out I use the --without-iconv directive.  Maybe give that a
> shot with maintainer-zts.


Hey Jeremy,

I'll give that a shot. Thanks!

Tim

On Fri, Oct 30, 2015 at 11:10 AM, Jeremy Thompson <
jer...@warehousesports.com> wrote:

> On certain non-linux systems like MacOS I'll run into a problem with the
> standard version of iconv in php.  To leave it out I use the --without-iconv
> directive.  Maybe give that a shot with maintainer-zts.
>
> —
>
> Jeremy
>
>
>
>
>
> > On Oct 30, 2015, at 6:44 AM, Tim Dunphy <bluethu...@gmail.com> wrote:
> >
> > Hey guys,
> >
> > I'm trying to disable ZTS in php, because an application we need
> > (AppDynamics) is not compatible with it.
> >
> > So I tried compiling php with the following flags:
> >
> > php -i | grep configure
> > Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
> > '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
> > '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
> > '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
> > '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
> > '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
> > '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
> > '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
> > '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
> > '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
> > '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
> > '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
> > '--with-mysqli=/usr/bin/mysql_config' '--enable-zip'
> '--enable-dba=shared'
> > '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
> > '--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*
> >
> >
> > And for some reason the AppD installer is claiming that ZTS is still
> > enabled. So what I'd like to know is, did I disable ZTS correctly? If I
> did
> > that means the problem is on the AppD side so we should take a look
> there.
> >
> > Appreciate any help on this!
> >
> > Thanks
> > Tim
> >


Re: [CentOS] disable ZTS in php

2015-10-30 Thread Tim Dunphy
Yeah Eero, ok you have a point. I'll do that. Thanks!

On Fri, Oct 30, 2015 at 11:40 AM, Eero Volotinen 
wrote:

> This is really the wrong way to do this. Install yum-utils and use
> yumdownloader --source package-name to get rhel version of package. Then
> modify spec file and recompile.
>
> Eero
> Hey guys,
>
>  I'm trying to disable ZTS in php, because an application we need
> (AppDynamics) is not compatible with it.
>
> So I tried compiling php with the following flags:
>
> php -i | grep configure
> Configure Command =>  './configure'  '--with-apxs2=/opt/apache2/bin/apxs'
> '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64'
> '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl'
> '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd'
> '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64'
> '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64'
> '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets'
> '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
> '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc'
> '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl'
> '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath'
> '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql'
> '--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared'
> '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell'
> '--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*
>
>
> And for some reason the AppD installer is claiming that ZTS is still
> enabled. So what I'd like to know is, did I disable ZTS correctly? If I did
> that means the problem is on the AppD side so we should take a look there.
>
> Appreciate any help on this!
>
> Thanks
> Tim
>


[CentOS] selinux commands fail on low memory box

2015-10-14 Thread Tim Dunphy
Hey all,

 I have 3 web servers hosted at Digital Ocean that all have the same amount
of memory at 512MB.  They're all running CentOS 7.

They are low powered apache servers and don't really need more than that.
All they're doing is serving the web, no database on those hosts at all.

On the first two hosts I seem to have no trouble running SELinux related
commands. It's only on the 3rd web server where I seem to have any trouble
at all running the SELinux commands I want to keep the box secure.

On box #3 all SElinux commands end up the same way. For example:

[root@ops3:~] #semodule -i newrelic.pp
Killed

And that happened when I had about 280MB free:

[root@ops3:~] #free -m
              total        used        free      shared  buff/cache   available
Mem:            490          96         286          28         107         285
Swap:             0           0           0

Typically what I'll do is stop all the main services on this machine to
free up some memory to run the command I want. But to no avail! The
commands die with the same errors every time. Whereas on the other two
hosts I can run the same commands with only as little as 30 or 40MB free!

So would this be some inherent flaw with this box? That the only way to get
around it is to scrap it and build a replacement?

Not that hard to do. But before I took that measure I was wondering if
there was any hocus-pocus I could try that I might not be aware of that
could alleviate this scenario.

Thanks,
Tim



Re: [CentOS] selinux commands fail on low memory box

2015-10-14 Thread Tim Dunphy
>
> How about adding some swap into system?


Not a bad idea, Eero! That worked.

[root@ops3:~] #cat /proc/swaps
Filename                                Type            Size    Used    Priority
/swapfile                               file            1048572 712     -1

[root@ops3:~] #semodule -i newrelic.pp
[root@ops3:~] #

Thanks!
Tim

On Thu, Oct 15, 2015 at 12:19 AM, Eero Volotinen <eero.voloti...@iki.fi>
wrote:

> How about adding some swap into system?
>
> --
> Eero
>
> 2015-10-15 4:40 GMT+03:00 Tim Dunphy <bluethu...@gmail.com>:
>
> > Hey all,
> >
> >  I have 3 web servers hosted at Digital Ocean that all have the same
> amount
> > of memory at 512MB.  They're all running CentOS 7.
> >
> > They are low powered apache servers and don't really need more than that.
> > All they're doing is serving the web, no database on those hosts at all.
> >
> > On the first two hosts I seem to have no trouble running SELinux related
> > commands. It's only on the 3rd web server where I seem to have any
> trouble
> > at all running the SELinux commands I want to keep the box secure.
> >
> > On box #3 all SElinux commands end up the same way. For example:
> >
> > [root@ops3:~] #semodule -i newrelic.pp
> > Killed
> >
> > And that happened when I had about 280MB free:
> >
> > [root@ops3:~] #free -m
> >               total        used        free      shared  buff/cache   available
> > Mem:            490          96         286          28         107         285
> > Swap:             0           0           0
> >
> > Typically what I'll do is stop all the main services on this machine to
> > free up some memory to run the command I want. But to no avail! The
> > commands die with the same errors every time. Whereas on the other two
> > hosts I can run the same commands with only as little as 30 or 40MB free!
> >
> > So would this be some inherent flaw with this box? That the only way to
> get
> > around it is to scrap it and build a replacement?
> >
> > Not that hard to do. But before I took that measure I was wondering if
> > there was any hocus-pocus I could try that I might not be aware of that
> > could alleviate this scenario.
> >
> > Thanks,
> > Tim
> >


[CentOS] mount: unknown filesystem type '(null)' error

2015-10-12 Thread Tim Dunphy
Hey guys,

 I'm trying to mount a disk volume on aws under CentOS 7. And when I try I
get this result:

[root@repo:~] #mount /dev/xvdf1 /opt/repo
mount: /dev/xvdf1 is write-protected, mounting read-only
mount: unknown filesystem type '(null)'

The only thing I can see in dmesg that seems to relate is:


[ 2481.434610] EXT4-fs (xvdf1): VFS: Can't find ext4 filesystem
[ 2509.883144] EXT4-fs (xvdf1): VFS: Can't find ext4 filesystem


What can I do to get around this problem?

Thanks,
Tim



[CentOS] python setup.py ssl error

2015-10-06 Thread Tim Dunphy
Hey guys,

I'm trying to do a source install of s3cmd onto a centos 6.5 host. Because
the version in the repo is a little old.

So when I go to run the installer app with the command python2.7 setup.py
install, I'm getting the following error:

Installed /usr/local/lib/python2.7/site-packages/s3cmd-1.6.0-py2.7.egg
Processing dependencies for s3cmd==1.6.0
Searching for six>=1.5
Reading https://pypi.python.org/simple/six/
Download error on https://pypi.python.org/simple/six/: [Errno 1]
_ssl.c:499: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some
packages may not be found!
Couldn't find index page for 'six' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
Download error on https://pypi.python.org/simple/: [Errno 1] _ssl.c:499:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed -- Some packages may not be found!
No local packages or download links found for six>=1.5
error: Could not find suitable distribution for
Requirement.parse('six>=1.5')


I thought this might be a proxy issue of some kind, but I have several
proxy values set in my environment:


[root@ushapld00050 s3cmd-1.6.0]# env | grep -i proxy
http_proxy=http://proxy.mycompany.com:80
https_proxy=http://proxy.mycompany.com:80
HTTPS_PROXY=http://proxy.mycompany.com:80
no_proxy=usushaplp461.mycompany.ge.com
HTTP_PROXY=http://proxy.mycompany.com:80

Can someone please give me a heads up as to how to resolve this issue?

Thanks,
Tim



Re: [CentOS] Keepalived vrrp problem

2015-09-30 Thread Tim Dunphy
Guys,

 I actually found a solution to this. After much googling I was able to
come up with this:

vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101   # 101 on master, 100 on backup
    *dont_track_primary*
    vrrp_unicast_bind 10.40.116.30   # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.31   # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}

The key to getting this to work was to add the entry you see in bold above
to the config. dont_track_primary. I'm not sure if that's the best way to
solve this problem. But I know that adding that line allowed me to do what
I needed to do.  After that I could ping the virtual address.

Thanks for all the suggestions.

Tim

On Tue, Sep 29, 2015 at 4:24 PM, Marcelo Ricardo Leitner <
marcelo.leit...@gmail.com> wrote:

> Em 29-09-2015 15:03, Gordon Messmer escreveu:
>
>> On 09/29/2015 09:14 AM, Tim Dunphy wrote:
>>
>>> And if I do an ifconfig command I see no evidence of an eth1 existing.
>>>
>>
>> "ifconfig -a" will show you all of your interfaces.
>>
>
> Maybe there is a confusion here. Sounds like Tim thought keepalived would
> create that eth1, like a tunnel interface, but it won't. You have to
> specify an interface that actually exists so that the VIP address will be
> added as a secondary address to ip to that interface.
>
> HTH
>
>   Marcelo
>
>
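As Marcelo's reply notes, keepalived does not create the interface named in `vrrp_instance`; it has to exist already. The sketch below is an added example (not keepalived's or the poster's code) that lists the interface each instance names and checks it under `/sys/class/net`; the function names and the optional directory argument are assumptions made for the example.

```bash
#!/bin/sh
# Added example (not from the thread): pre-flight check that every interface
# named in a vrrp_instance block exists and is not reported down, which is
# the condition behind "Kernel is reporting: interface eth1 DOWN" followed
# by "Now in FAULT state" in the log above.

# vrrp_interfaces CONF
# Prints "<instance> <interface>" for each vrrp_instance block.
# Simplification: assumes one keyword per line, as in the posted configs.
vrrp_interfaces() {
    awk '
        { sub(/[#!].*/, "") }                 # strip keepalived comments
        $1 == "vrrp_instance" { inst = $2 }
        $1 == "interface" && inst != "" { print inst, $2 }
    ' "$1"
}

# check_vrrp_interfaces CONF [NETDIR]
# NETDIR defaults to /sys/class/net; it is a parameter so the check can be
# run against a constructed directory. Returns 1 if any interface is
# missing or has operstate "down".
check_vrrp_interfaces() {
    cvi_conf=$1
    cvi_net=${2:-/sys/class/net}
    cvi_rc=0
    while read -r cvi_inst cvi_if; do
        [ -n "$cvi_if" ] || continue
        if [ ! -d "$cvi_net/$cvi_if" ]; then
            echo "$cvi_inst: interface $cvi_if does not exist"
            cvi_rc=1
            continue
        fi
        cvi_state=$(cat "$cvi_net/$cvi_if/operstate" 2>/dev/null || echo unknown)
        echo "$cvi_inst: interface $cvi_if operstate=$cvi_state"
        if [ "$cvi_state" = down ]; then
            cvi_rc=1
        fi
    done <<EOF
$(vrrp_interfaces "$cvi_conf")
EOF
    return "$cvi_rc"
}

# Demo on constructed input: a host that only has eth0, and a config that
# names eth1 as in the thread.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/net/eth0"
echo up > "$demo_dir/net/eth0/operstate"
cat > "$demo_dir/keepalived.conf" <<'CONF'
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101   # 101 on master, 100 on backup
    virtual_ipaddress {
        10.40.116.34
    }
}
CONF
check_vrrp_interfaces "$demo_dir/keepalived.conf" "$demo_dir/net" ||
    echo "fix the interface name or bring the link up before starting keepalived"
rm -rf "$demo_dir"
```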


[CentOS] Keepalived vrrp problem

2015-09-29 Thread Tim Dunphy
Hey guys,

 I'm trying to install keepalived 1.2.19 on a centos 6.5 machine. I did an
install from source.

And when I start keepalived this is what I'm seeing in the logs. It's
reporting that the VRRP_Instance(VI_1) Now in FAULT state.

Here's more of that log entry:

Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:  VRRP Instance = VI_1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Using VRRPv2
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Want State =
MASTER
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Runing on device
= eth1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Gratuitous ARP
repeat = 5
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Gratuitous ARP
refresh repeat = 1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Virtual Router ID
= 51
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Priority = 101
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Advert interval =
1 sec
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Accept disabled
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:Virtual IP = 1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:  10.40.116.34/32
dev eth1 scope global
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]: Using LinkWatch
kernel netlink reflector...
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]: VRRP sockpool:
[ifindex(3), proto(112), unicast(0), fd(10,11)]
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: --<
Global definitions >--
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  Router ID
= USECLSNDMNRDBA
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  VRRP IPv4
mcast group = 224.0.0.18
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  VRRP IPv6
mcast group = ff02::12
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: --<
SSL definitions >--
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  Using
autogen SSL context
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: Using
LinkWatch kernel netlink reflector...
*Sep 29 12:06:59 USECLSNDMNRDBA Keepalived_vrrp[44943]: Kernel is
reporting: interface eth1 DOWN*
*Sep 29 12:06:59 USECLSNDMNRDBA Keepalived_vrrp[44943]: VRRP_Instance(VI_1)
Now in FAULT state*


And if I do an ifconfig command I see no evidence of an eth1 existing. Also
I can't ping the virtual address that I'm trying to create:

# ping -c 5 10.40.116.34
PING 10.40.116.34 (10.40.116.34) 56(84) bytes of data.
From 10.40.116.30 icmp_seq=2 Destination Host Unreachable
From 10.40.116.30 icmp_seq=3 Destination Host Unreachable
From 10.40.116.30 icmp_seq=4 Destination Host Unreachable
From 10.40.116.30 icmp_seq=5 Destination Host Unreachable

--- 10.40.116.34 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 14001ms
pipe 3

Here are my configs starting with the first machine:

# cat keepalived.conf
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101   # 101 on master, 100 on backup

    vrrp_unicast_bind 10.40.116.30   # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.31   # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}

And here's the config on the second machine:

# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 100   # 101 on master, 100 on backup
    vrrp_unicast_bind 10.40.116.31   # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.30   # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}


Does anyone have any experience in solving this kind of problem? Any
suggestions on how to resolve this would be great.

Thanks,
Tim


[CentOS] setting up solr/tomcat gives 404 page

2015-09-09 Thread Tim Dunphy
Hey all,

 I tried following a few guides and I'm struggling with trying to set up
apache solr 4.10 under apache tomcat 7.0.64 along with the drupal config
necessary to get this working with drupal.

The latest guide I followed was this one which seemed like it might work:

http://duntuk.com/how-install-apache-solr-46-apache-tomcat-7-use-drupal

I followed everything to the letter and ended up with a 404 status page
when I hit http://ipaddress:8080/solr

I think the answer lies in putting the 'collection1' core in the right
location under the name 'drupal'. But how to do that seems to be
left out of that tutorial.

In the tomcat logs I just see the following:

100.116.32.93 - - [09/Sep/2015:16:52:56 -0400] "GET /solr HTTP/1.1" 404 959

Which isn't very informative!!

Any chance I can get some help in getting this working?

Thanks,
Tim




Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tim Dunphy
] On
 Behalf Of Tim Dunphy
 Sent: Thursday, August 27, 2015 5:18 PM
 To: CentOS mailing list centos@centos.org
 Subject: [CentOS] apache mysterious 404 error

 Hey guys,

  Just have a question about apache. Hoping to get an opinion on this.

  I've just setup a site under apache 2.4.

  And made sure that the document root setup in the vhost for the site I'm
 serving has permissions for the apache user. Yet some of the files are
 throwing a 404 error in a browser even tho they are clearly present and
 accounted for on the file system.

 For example, I'm getting this error:

 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanyStore/images*/altImg.png
 404 (*Not Found)

 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_485x1215_R2.jpg
 404* (Not Found)

 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x802_R2.jpg
 404* (Not Found)

 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x413_R2.jpg
 404* (Not Found)
 And yet as I mentioned all those files are definitely there on the file
 system:

 [root@aozwsls00019la apache2]# ls -l
 /var/www/mycomanystore/images/altImg.png
 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg

 -rw-r--r--. 1 daemon daemon128 Aug 27 12:22
 /var/www/mycomanystore/images/altImg.png

 -rw-r--r--. 1 daemon daemon 260983 Jul 16 14:03
 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg

 -rw-r--r--. 1 daemon daemon 126628 Jul 16 14:00
 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg

 -rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56
 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg

 And all those files have the correct ownership for apache:

 [root@aozwsls00019la apache2]# egrep -i "user|group" conf/httpd.conf |
 egrep -i -v -e '#' -e log -e module

 User daemon

 Group daemon

 All the files are owned by daemon:daemon!! So why on earth are these files
 giving a 404?

 This is my virtual host for the site:


 <VirtualHost *>
   ServerAdmin timothy.dun...@mycomany.com
   DocumentRoot /var/www/mycomanystore
   ServerName stage.theshopatmycomanystudios.com
   ServerAlias 173.213.219.48
   ErrorLog logs/store_error_log
   LogFormat "%h %l %u %t \"%r\" %s %b" common
   CustomLog logs/store_access_log common
   <Directory /var/www/mycomanystore>
     DirectoryIndex index.html
     AddHandler cgi-script .cgi
     Options -Indexes +FollowSymLinks +ExecCGI +Includes
     AllowOverride All
     Require all granted
   </Directory>
   ExpiresActive On
   ExpiresDefault "access plus 30 minute"
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} ^TRACE
   RewriteRule .* - [F]
 </VirtualHost>

 Thanks

 Tim




Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tim Dunphy
Hi Robert,

It's this:

drwxr-xr-x. 2 daemon daemon 4096 Aug 27 12:34 /var/www/mycompanyStore/images


Thanks,

Tim

On Fri, Aug 28, 2015 at 11:17 AM, Robert Wolfe robert.wo...@malco.com
wrote:

 What is the absolute path on the server that /mycompanyStore/images/ is
 stored in?

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Tim Dunphy
 Sent: Friday, August 28, 2015 10:12 AM
 To: CentOS mailing list centos@centos.org
 Subject: Re: [CentOS] apache mysterious 404 error

 Hey guys,

  Sorry for the failed attempts at obscuring the company I work for. My
 boss wouldn't take too kindly to it if I revealed that information on a
 mailing list. :)

 So anyway, I realized that capitalization might be the problem. So I
 renamed the directory to match what was in the URL. That didn't solve the
 problem.

 However I noticed this message turning up in the logs:

 [Fri Aug 28 01:27:30.057020 2015] [proxy:warn] [pid 23782:tid
 139661984888576] [client 173.213.212.234:14579] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy
 submodules are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:27:30.057216 2015] [proxy:warn] [pid 23780:tid
 139661995378432] [client 173.213.212.234:14577] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy
 submodules are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:27:43.377172 2015] [proxy:warn] [pid 23890:tid
 139661827540736] [client 173.213.212.234:2425] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/altImg.png. If you are
 using a DSO version of mod_proxy, make sure the proxy submodules are
 included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:27:43.377269 2015] [proxy:warn] [pid 23889:tid
 139661942929152] [client 173.213.212.234:2426] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:27:43.377384 2015] [proxy:warn] [pid 23889:tid
 139661953419008] [client 173.213.212.234:2427] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:27:43.382079 2015] [proxy:warn] [pid 23891:tid
 139662047827712] [client 173.213.212.234:2430] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_792x413_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:28:01.750944 2015] [proxy:warn] [pid 23977:tid
 139661911459584] [client 173.213.212.234:6011] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/altImg.png. If you are
 using a DSO version of mod_proxy, make sure the proxy submodules are
 included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:28:01.751086 2015] [proxy:warn] [pid 23978:tid
 139662016358144] [client 173.213.212.234:6013] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:28:01.755018 2015] [proxy:warn] [pid 23977:tid
 139661890479872] [client 173.213.212.234:6012] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_792x413_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/

 [Fri Aug 28 01:28:01.755120 2015] [proxy:warn] [pid 23978:tid
 139662005868288] [client 173.213.212.234:6014] AH01144: No protocol
 handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg.
 If you are using a DSO version of mod_proxy, make sure the proxy submodules
 are included in the configuration using LoadModule., referer:
 http://stage.theshopatmycompanystudios.com/


 So taking the advice of that error I tried enabling all the proxy modules
 in the apache config:


 LoadModule proxy_module modules/mod_proxy.so

Re: [CentOS] camgirl spam on the list

2015-08-28 Thread Tim Dunphy
Hey Fabian,

Here's the headers for one of the spam responses I got from the list:

from: Tracy tracy12...@safeloves.com
reply-to: tracy12...@safeloves.com
to: Tim Dunphy bluethu...@gmail.com
date: Fri, Aug 28, 2015 at 2:19 PM
subject: Re: [CentOS] apache mysterious 404 error
mailed-by: safeloves.com
signed-by: safeloves.com
: Important mainly because it was sent directly to you.

Please let me know if that's not what you're looking for!

Thanks,
Tim

On Fri, Aug 28, 2015 at 5:18 PM, Fabian Arrotin arr...@centos.org wrote:

 On 28/08/15 22:24, John R Pierce wrote:
  On 8/28/2015 1:21 PM, Robert Wolfe wrote:
  I've been getting that intermittently during the day today.
 
  I haven't seen any since I put the sending domain with a 'DISCARD'
  in my /etc/mail/access database (using sendmail here)
 

 Well, is there another domain involved now ? It seems the previous
 spammer (using multiple VMs on DigitalOcean network) had been blocked.
 As nothing is sent through the mailman/centos.org server, I can't even
 look at logs, but if you have useful informations (like some headers),
 feel free to forward those to me (and not on the list).

 Cheers,

 - --
 Fabian Arrotin
 The CentOS Project | http://www.centos.org
 gpg key: 56BEC54E | twitter: @arrfab


[CentOS] camgirl spam on the list

2015-08-28 Thread Tim Dunphy
Hey guys,

 I just noticed this recently in my latest posts to the list. But I've
noticed that every time I mail the list for some advice, I get hit with
spam from a camgirl site like every other message. Kinda funny actually.
But also annoying!! Anyone else experience this?

Maybe this is something the admins/moderators can take care of!

Thanks,
Tim



Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tim Dunphy
Guys,

We actually found the problem. The problem was actually in a JavaScript
file. It was referring to its parent directory as mycompanyStore. So once
I noticed that, I went into that directory and created a symlink.

ln -s . mycompanyStore from within that directory. That let the JavaScript
know that the directory it was in was actually the one that it wanted.
Before that was done Apache was looking for the image files in
/var/www/mycompanyStore/mycompanyStore/images/foo.img

Once I put that symlink in place, that actually corrected the problem. So I
told the developer what I'd done and she fixed the JS to end up with the
same effect. So now the problem is fixed!

Anyway, I really do appreciate the support you guys are always ready with
on the list!!

Thanks,
Tim

On Fri, Aug 28, 2015 at 1:06 PM, Tony Mountifield t...@softins.co.uk
wrote:

 In article 0f55e883640c125375c75...@ritz.innovate.net,
 Richard lists-cen...@listmail.innovate.net wrote:
 
  Also need to see the error_log entries from the back-end httpd
  server that's serving from the documentroot. The proxy server's logs
  (whether it should be there or not) only show the proxy issues, not
  the issues that are causing the 404s, so aren't really relevant to
  the 404 issue. The back-end server's logs will indicate why the file
  can't be found, or generally at least pretty good hints.

 The first question is: are there even a separate back-end and front-end,
 or is it just a single server that is misconfigured and is trying to do
 proxy operations when it shouldn't? It sounds to me like the latter.

 Cheers
 Tony
 --
 Tony Mountifield
 Work: t...@softins.co.uk - http://www.softins.co.uk
 Play: t...@mountifield.org - http://tony.mountifield.org




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
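
The URL-to-file mapping behind these 404s, as an added shell example that is not part of the original thread: it resolves a request path under a DocumentRoot one component at a time and names the first component that fails, covering both the case mismatch suggested in the thread and the repeated directory name that turned out to be the cause. The function names are made up here, and it assumes a plain DocumentRoot mapping with no Alias or rewrite rules.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# diagnose_404 DOCROOT URL_PATH
#   Prints one of:
#     ok PATH                   the request maps to an existing file
#     case-mismatch REQ ONDISK  the component exists only with different case
#     docroot-repeated PATH     the URL starts with the docroot's own directory
#                               name; PATH is where the file really is
#     missing PATH              nothing matches at this component
#     rejected ..               the path tries to climb out of the docroot
diagnose_404() {
    docroot=${1%/}
    rest=${2#/}
    rest=${rest%%\?*}                 # drop any query string
    dir=$docroot
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        case $comp in
            ''|.) continue ;;         # tolerate "//" and "/./"
            ..)   echo "rejected .."; return 2 ;;
        esac
        if [ -e "$dir/$comp" ]; then
            dir=$dir/$comp
            continue
        fi
        # The component is missing: look for a sibling that differs only in case.
        want=$(to_lower "$comp")
        for entry in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$entry" ] || continue
            name=${entry##*/}
            if [ "$(to_lower "$name")" = "$want" ]; then
                echo "case-mismatch $comp $name"
                return 1
            fi
        done
        # First component repeats the docroot's directory name and the rest
        # of the path exists directly under the docroot.
        if [ "$dir" = "$docroot" ] &&
           [ "$want" = "$(to_lower "${docroot##*/}")" ] &&
           [ -e "$docroot/$rest" ]; then
            echo "docroot-repeated $docroot/$rest"
            return 1
        fi
        echo "missing $dir/$comp"
        return 1
    done
    echo "ok $dir"
}

# Usage: sh diagnose_404.sh /var/www/mycomanystore /mycomanyStore/images/altImg.png
if [ $# -eq 2 ]; then
    diagnose_404 "$1" "$2"
fi
```

The `ln -s . mycompanyStore` workaround makes the repeated component resolve, but it also makes every deeper `mycompanyStore/mycompanyStore/...` path resolve, so correcting the path in the JavaScript is the cleaner end state.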


[CentOS] apache mysterious 404 error

2015-08-27 Thread Tim Dunphy
Hey guys,

 Just have a question about apache. Hoping to get an opinion on this.

 I've just setup a site under apache 2.4.

 And made sure that the document root setup in the vhost for the site I'm
serving has permissions for the apache user. Yet some of the files are
throwing a 404 error in a browser even tho they are clearly present and
accounted for on the file system.

For example, I'm getting this error:

(index):1 GET 
http://stage.theshopatmycomany.com/mycomanyStore/images*/altImg.png
404 (*Not Found)

(index):1 GET 
http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_485x1215_R2.jpg
404* (Not Found)

(index):1 GET 
http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x802_R2.jpg
404* (Not Found)

(index):1 GET 
http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x413_R2.jpg
404* (Not Found)
And yet as I mentioned all those files are definitely there on the file
system:

[root@aozwsls00019la apache2]# ls -l /var/www/mycomanystore/images/altImg.png /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
-rw-r--r--. 1 daemon daemon    128 Aug 27 12:22 /var/www/mycomanystore/images/altImg.png
-rw-r--r--. 1 daemon daemon 260983 Jul 16 14:03 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
-rw-r--r--. 1 daemon daemon 126628 Jul 16 14:00 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
-rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg

And all those files have the correct ownership for apache:

[root@aozwsls00019la apache2]# egrep -i 'user|group' conf/httpd.conf | egrep -i -v -e '#' -e log -e module
User daemon
Group daemon

All the files are owned by daemon:daemon!! So why on earth are these files
giving a 404?

This is my virtual host for the site:


<VirtualHost *>
    ServerAdmin timothy.dun...@mycomany.com
    DocumentRoot /var/www/mycomanystore
    ServerName stage.theshopatmycomanystudios.com
    ServerAlias 173.213.219.48
    ErrorLog logs/store_error_log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/store_access_log common
    <Directory /var/www/mycomanystore>
        DirectoryIndex index.html
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
    </Directory>
    ExpiresActive On
    ExpiresDefault "access plus 30 minute"
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>

Thanks

Tim


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] apache mysterious 404 error

2015-08-27 Thread Tim Dunphy
Hey Rodrigo,

Thanks for your reply.

Well those errors are pulled from the Chrome developer tools.

 I notice if I do a GET on that file using both all lower case as well as
the upper case that's in the URL I get the same result:

[root@aozwsls00019la apache2]# GET
http://stage.theshopatmycompanystudios.com/mycopmanyStore/images/altImg.png
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /mycompanyStore/images/altImg.png was not found on
this server.</p>
</body></html>

[root@aozwsls00019la apache2]# GET
http://stage.theshopatmycompanystudios.com/mycompanystore/images/altImg.png
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /mycpmpanystore/images/altImg.png was not found on
this server.</p>
</body></html>

This is how that file looks on the command line. I made a symlink to
account for the change in case, because I realize that's relevant:

-rw-r--r--. 1 daemon daemon 128 Aug 27 12:22
/var/www/nbcstore/images/altImg.png

-rw-r--r--. 1 daemon daemon 128 Aug 27 12:22
/var/www/mycompanyStore/images/altImg.png

Still not sure why I'm not able to do a GET on that and those other files.
Appreciate your input tho! And any other advice is certainly welcome!

Tim

On Thu, Aug 27, 2015 at 7:42 PM, Rodrigo Maia rod.pm...@gmail.com wrote:

 Hi, Apache on GNU/Linux is case-sensitive. Samples:


 /var/www/mycomanystore/images/altImg.png
 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg

 on  browser :


 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanyStore/images*/altImg.png

 try :


 (index):1 GET
 http://stage.theshopatmycomany.com/mycomanystore/images/altImg.png
 http://stage.theshopatmycomany.com/mycomanyStore/images*/altImg.png



 2015-08-27 19:18 GMT-03:00 Tim Dunphy bluethu...@gmail.com:

  Hey guys,
 
   Just have a question about apache. Hoping to get an opinion on this.
 
   I've just setup a site under apache 2.4.
 
   And made sure that the document root setup in the vhost for the site I'm
  serving has permissions for the apache user. Yet some of the files are
  throwing a 404 error in a browser even tho they are clearly present and
  accounted for on the file system.
 
  For example, I'm getting this error:
 
  (index):1 GET
  http://stage.theshopatmycomany.com/mycomanyStore/images*/altImg.png
  404 (*Not Found)
 
  (index):1 GET
 
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_485x1215_R2.jpg
  404* (Not Found)
 
  (index):1 GET
 
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x802_R2.jpg
  404* (Not Found)
 
  (index):1 GET
 
 http://stage.theshopatmycomany.com/mycomanyStore/images*/Jimmy_792x413_R2.jpg
  404* (Not Found)
  And yet as I mentioned all those files are definitely there on the file
  system:
 
  [root@aozwsls00019la apache2]# ls -l /var/www/mycomanystore/images/altImg.png /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
  -rw-r--r--. 1 daemon daemon    128 Aug 27 12:22 /var/www/mycomanystore/images/altImg.png
  -rw-r--r--. 1 daemon daemon 260983 Jul 16 14:03 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
  -rw-r--r--. 1 daemon daemon 126628 Jul 16 14:00 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
  -rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg

  And all those files have the correct ownership for apache:

  [root@aozwsls00019la apache2]# egrep -i 'user|group' conf/httpd.conf | egrep -i -v -e '#' -e log -e module
  User daemon
  Group daemon
 
  All the files are owned by daemon:daemon!! So why on earth are these
 files
  giving a 404?
 
  This is my virtual host for the site:
 
 
  <VirtualHost *>
      ServerAdmin timothy.dun...@mycomany.com
      DocumentRoot /var/www/mycomanystore
      ServerName stage.theshopatmycomanystudios.com
      ServerAlias 173.213.219.48
      ErrorLog logs/store_error_log
      LogFormat "%h %l %u %t \"%r\" %>s %b" common
      CustomLog logs/store_access_log common
      <Directory /var/www/mycomanystore>
          DirectoryIndex index.html
          AddHandler cgi-script .cgi
          Options -Indexes +FollowSymLinks +ExecCGI +Includes
          AllowOverride All
          Require all granted
      </Directory>
      ExpiresActive On
      ExpiresDefault "access plus 30 minute"
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} ^TRACE
      RewriteRule .* - [F]
  </VirtualHost>
 
  Thanks
 
  Tim
 
 
  --
  GPG me!!
 
  gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

[CentOS] echo password into bash script

2015-08-25 Thread Tim Dunphy
Hey guys,

 I'm trying to echo my password into some commands inside of a bash script.
But I think I'm going about it incorrectly.

Here's the top part of my script:

#!/bin/bash
pub=~/.ssh/id_rsa.pub
dps_pass=my_pass
ssh=/usr/bin/ssh
scp=/usr/bin/scp
for i in 10.10.10.2{5,6}
do
echo xfring key up
echo $dps_pass |  $scp $PUB  digitalplatform@$i:


And here's how it executes:

 #bash -x deploy_key.sh
+ pub='~/.ssh/id_rsa.pub'
+ dps_pass='nbcuV01P!'
+ ssh=/usr/bin/ssh
+ scp=/usr/bin/scp
+ for i in 10.10.10.2{5.6}
+ echo 'xfring key up'
xfring key up
+ echo 'my_pass'
+ /usr/bin/scp /Users/my_user/.ssh/id_rsa.pub digitalplatform@10.10.10.25:
Password:

Can someone please let me know where I'm going wrong?

Thanks
Tim
-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] echo password into bash script

2015-08-25 Thread Tim Dunphy

 Don't try to automate your password like this for scp or other
 ssh-related apps.  Generate and use a public/private keypair instead and
 your script will then be able to connect without prompting for a password.


Well, look at the lines in my script that I'm showing here. That's exactly
what I'm doing. Copying up my public key so that later in the script (which
I didn't show, no need to I think) I can cat the public key into place and
make sure there are proper permissions etc on the .ssh directory on the
remote machine.

But Eero and others are right. I'll be much better off using expect to get
this type of work done. It's just that I'm more familiar with bash so I
thought that there might be a good way to do it with that also.


On Tue, Aug 25, 2015 at 4:04 PM, Peter pe...@pajamian.dhs.org wrote:

 On 08/26/2015 04:51 AM, Tim Dunphy wrote:
  Hey guys,
 
   I'm trying to echo my password into some commands inside of a bash
 script.
  But I think I'm going about it incorrectly.
 
  Here's the top part of my script:
 
  #!/bin/bash
  pub=~/.ssh/id_rsa.pub
  dps_pass=my_pass
  ssh=/usr/bin/ssh
  scp=/usr/bin/scp
  for i in 10.10.10.2{5,6}
  do
  echo xfring key up
  echo $dps_pass |  $scp $PUB  digitalplatform@$i:

 Don't try to automate your password like this for scp or other
 ssh-related apps.  Generate and use a public/private keypair instead and
 your script will then be able to connect without prompting for a password.


 Peter




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
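
The target-side steps this reply describes (put the public key into authorized_keys and set the permissions on .ssh), as an added shell example that is not part of the original thread; the function names are made up here. ssh and scp read the password from the controlling terminal rather than from stdin, which is why the piped echo never reached the prompt, and `ssh-copy-id -i` performs the copy plus these steps in one run.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# install_pubkey HOME_DIR PUBKEY_FILE
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys exactly
#   once, creating .ssh (0700) and authorized_keys (0600) if needed.
#   Runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    home_dir=$1
    pubkey_file=$2
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -d "$home_dir" ]    || { echo "no such directory: $home_dir" >&2; exit 2; }
    [ -s "$pubkey_file" ] || { echo "missing or empty: $pubkey_file" >&2; exit 2; }

    # Take the first line only and insist that it looks like a public key,
    # so a private key handed over by mistake is never written anywhere.
    key=$(head -n 1 "$pubkey_file")
    case ${key%% *} in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; exit 3 ;;
    esac
    case $key in
        *" "?*) ;;
        *) echo "key line has no key data: $pubkey_file" >&2; exit 3 ;;
    esac

    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file"  && chmod 600 "$auth_file" || exit 1

    # -x whole line, -F fixed string: a re-run must not add a duplicate.
    if grep -qxF -- "$key" "$auth_file"; then
        echo "already present"
        exit 0
    fi
    # If the file does not end in a newline, add one so the new key gets
    # its own line ($(...) strips a trailing newline, leaving it empty).
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo "installed"
)

# ssh_perm_problems HOME_DIR
#   Prints every path among the home directory, .ssh and authorized_keys that
#   is group- or world-writable. sshd with StrictModes (the default) ignores
#   authorized_keys when any of them is, and falls back to the password prompt.
ssh_perm_problems() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Usage on the target host: sh install_pubkey.sh "$HOME" /tmp/id_rsa.pub
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2" && ssh_perm_problems "$1"
fi
```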


Re: [CentOS] echo password into bash script

2015-08-25 Thread Tim Dunphy

 Use expect?


yep! Expect should work.

Thanks

On Tue, Aug 25, 2015 at 12:56 PM, Eero Volotinen eero.voloti...@iki.fi
wrote:

 Use expect?

 Eero
 On 25.8.2015 at 7:52 PM, Tim Dunphy bluethu...@gmail.com wrote:

  Hey guys,
 
   I'm trying to echo my password into some commands inside of a bash
 script.
  But I think I'm going about it incorrectly.
 
  Here's the top part of my script:
 
  #!/bin/bash
  pub=~/.ssh/id_rsa.pub
  dps_pass=my_pass
  ssh=/usr/bin/ssh
  scp=/usr/bin/scp
  for i in 10.10.10.2{5,6}
  do
  echo xfring key up
  echo $dps_pass |  $scp $PUB  digitalplatform@$i:
 
 
  And here's how it executes:
 
   #bash -x deploy_key.sh
  + pub='~/.ssh/id_rsa.pub'
  + dps_pass='nbcuV01P!'
  + ssh=/usr/bin/ssh
  + scp=/usr/bin/scp
  + for i in 10.10.10.2{5.6}
  + echo 'xfring key up'
  xfring key up
  + echo 'my_pass'
  + /usr/bin/scp /Users/my_user/.ssh/id_rsa.pub
 digitalplatform@10.10.10.25:
  Password:
 
  Can someone please let me know where I'm going wrong?
 
  Thanks
  Tim
  --
  GPG me!!
 
  gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] wordpess can't connect to DB but mediawiki can

2015-08-15 Thread Tim Dunphy

 Use that db and then issue:
  select * from db where Db='jfwiki' or Db='jokefire' order by Host;


Well yeah. I used the mysql database before I issued that command.


 MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

Then if I run that command for some reason there's no jfwiki or
jokefire entry in the db table:

MariaDB [mysql]> select * from db where Db='jfwiki' or Db='jokefire' order
by Host;
Empty set (0.00 sec)


For some reason another database I imported to do bacula backups has an
entry in the db table:

MariaDB [mysql]> select Host,Db from db;
+-----------+--------+
| Host      | Db     |
+-----------+--------+
| %         | bacula |
| localhost | bacula |
+-----------+--------+
2 rows in set (0.00 sec)

However I'm thinking more along the lines of my php mysql client having an
issue. Although I'm still a little stuck on why the wiki works without any
problem and why neither my php script nor wordpress are able to connect to
the db. It's really strange how that's happening!


On Sat, Aug 15, 2015 at 6:12 PM, Richard lists-cen...@listmail.innovate.net
 wrote:


  Date: Saturday, August 15, 2015 17:57:03 -0400
  From: Tim Dunphy bluethu...@gmail.com

 
  [this isn't really a centos issue, even if you're using centos,
  which isn't obvious. that said ...]
 
 
  Yeah that's true. But this list tends to be rather helpful for
  general problems that are less specific to centos. Sometimes. :)
  Really seems to depend...
 
  Incidentally I am using centos on all hosts:
 
 # cat /etc/redhat-release
  CentOS Linux release 7.0.1406 (Core)
 
  OK now that that's out of the way, for some reason I don't seem to
  have an entry in my db database for either jokefire or jfwiki:
 
  MariaDB [mysql] select * from db  where Db like 'jfwiki' or Db
  like 'jokefire';
  Empty set (0.00 sec)
 
  Not sure why that would be the case. They're definitely there on
  this database server:
 
  MariaDB [mysql]> show databases;
  +--------------------+
  | Database           |
  +--------------------+
  | bacula             |
  | information_schema |
  | jfwiki             |
  | jokefire           |
  | mysql              |
  | performance_schema |
  +--------------------+
  6 rows in set (0.00 sec)
 
  Any other ideas?
 
  Thanks,
  Tim
 
  On Sat, Aug 15, 2015 at 3:07 PM, Richard wrote:
 
 
 
   Date: Saturday, August 15, 2015 13:53:28 -0400
   From: Tim Dunphy bluethu...@gmail.com
  
   Hey guys,
  
   I'm running both a wordpress site as well as a mediawiki off of
   the same web servers. The mediawiki site works great! The
   wordpress site, meh. Not so much. I keep getting the common
   database connection error:
  
   Error establishing a database connection
  
   And as far as I can tell the settings between the mediawiki site
   and the wordpress site are nearly identical.
 
 ... snip ... 
 
  [this isn't really a centos issue, even if you're using centos,
  which isn't obvious. that said ...]
 
  I would start by looking at the access control entries for the wp
  and mw dbs, (in the mysql.db table). Based on what you are trying
  here, there should be matching entries in that table for the Dbs
  jokefire and jfwiki (e.g., for the Host as well as the various
  _priv fields).
 
   select * from db where Db='jokefire' or Db='jfwiki' order by
   Host\g
 
  There may be something else going on, but without knowing that the
  access control is as it should be there's not much value in
  speculating.
 

 The mysql access control bits are in tables in the mysql db that's
 in your list above.

   +-----------------+
   | Tables_in_mysql |
   +-----------------+
   | columns_priv    |
   | db              |
   | event           |
   | func            |
   ...

 Use that db and then issue:

  select * from db where Db='jfwiki' or Db='jokefire' order by Host;






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] wordpess can't connect to DB but mediawiki can

2015-08-15 Thread Tim Dunphy

 You were doing this (looking at the mysql.db table) on your
 db.example.com machine, correct?


db.example.com is a load balanced VIP. The VIP is being handled by
keepalived and HA/Proxy. There are two DB's setup in master/master
replication. The two databases and two load balancers are on AWS. The web
server and varnish servers are on digital ocean.

I setup a grant on db1 to allow access to the database from the load
balancers. And those permissions were automatically replicated over to the
second database. Once I set that up I was able to mysql into the load
balanced database and the media wiki started working. But the wordpress
site and the test php script still couldn't access the load balanced
database.

Thanks

On Sat, Aug 15, 2015 at 10:26 PM, Richard 
lists-cen...@listmail.innovate.net wrote:

 You were doing this (looking at the mysql.db table) on your
 db.example.com machine, correct?


  Original Message 
  Date: Saturday, August 15, 2015 19:32:25 -0400
  From: Tim Dunphy bluethu...@gmail.com
  To: CentOS mailing list centos@centos.org
  Subject: Re: [CentOS] wordpess can't connect to DB but mediawiki
 can
 
 
  Use that db and then issue:
   select * from db where Db='jfwiki' or Db='jokefire' order by
   Host;
 
 
  Well yeah. I used the mysql database before I issued that command.
 
 
   MariaDB [(none)] use mysql
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A
 
  Database changed
 
  Then if I run that command for some reason there's no jfwiki or
  jokefire entry in the db table:
 
  MariaDB [mysql]  select * from db where Db='jfwiki' or
  Db='jokefire' order by Host;
  Empty set (0.00 sec)
 
 
  For some reason another database I imported to do bacula backups
  has an entry in the db table:
 
  MariaDB [mysql]> select Host,Db from db;
  +-----------+--------+
  | Host      | Db     |
  +-----------+--------+
  | %         | bacula |
  | localhost | bacula |
  +-----------+--------+
  2 rows in set (0.00 sec)
 
  However I'm thinking more along the lines of my php mysql client
  having an issue. Although I'm still a little stuck on why the wiki
  works without any problem and why neither my php script nor
  wordpress are able to connect to the db. It's really strange how
  that's happening!
 
 
  On Sat, Aug 15, 2015 at 6:12 PM, Richard
  lists-cen...@listmail.innovate.net
  wrote:
 
 
   Date: Saturday, August 15, 2015 17:57:03 -0400
   From: Tim Dunphy bluethu...@gmail.com
 
  
   [this isn't really a centos issue, even if you're using centos,
   which isn't obvious. that said ...]
  
  
   Yeah that's true. But this list tends to be rather helpful for
   general problems that are less specific to centos. Sometimes. :)
   Really seems to depend...
  
   Incidentally I am using centos on all hosts:
  
  # cat /etc/redhat-release
   CentOS Linux release 7.0.1406 (Core)
  
   OK now that that's out of the way, for some reason I don't seem
   to have an entry in my db database for either jokefire or
   jfwiki:
  
   MariaDB [mysql] select * from db  where Db like 'jfwiki' or Db
   like 'jokefire';
   Empty set (0.00 sec)
  
   Not sure why that would be the case. They're definitely there on
   this database server:
  
   MariaDB [mysql]> show databases;
   +--------------------+
   | Database           |
   +--------------------+
   | bacula             |
   | information_schema |
   | jfwiki             |
   | jokefire           |
   | mysql              |
   | performance_schema |
   +--------------------+
   6 rows in set (0.00 sec)
  
   Any other ideas?
  
   Thanks,
   Tim
  
   On Sat, Aug 15, 2015 at 3:07 PM, Richard wrote:
  
  
  
Date: Saturday, August 15, 2015 13:53:28 -0400
From: Tim Dunphy bluethu...@gmail.com
   
Hey guys,
   
I'm running both a wordpress site as well as a mediawiki off
of the same web servers. The mediawiki site works great! The
wordpress site, meh. Not so much. I keep getting the common
database connection error:
   
Error establishing a database connection
   
And as far as I can tell the settings between the mediawiki
site and the wordpress site are nearly identical.
  
  ... snip ... 
  
   [this isn't really a centos issue, even if you're using centos,
   which isn't obvious. that said ...]
  
   I would start by looking at the access control entries for the
   wp and mw dbs, (in the mysql.db table). Based on what you are
   trying here, there should be matching entries in that table
   for the Dbs jokefire and jfwiki (e.g., for the Host as
   well as the various _priv fields).
  
select * from db where Db='jokefire' or Db='jfwiki' order by
Host\g
  
   There may be something else going on, but without knowing that
   the access control is as it should be there's not much value in
   speculating.
  
 
  The mysql access control bits are in tables in the mysql db that's
  in your list above

Re: [CentOS] wordpess can't connect to DB but mediawiki can

2015-08-15 Thread Tim Dunphy
Hi Richard,

I actually made some progress on this. The problem was SSL. Once I took
the SSL requirement out of the picture for the user everything worked. The
test php script and the wordpress site both. Originally when I setup my
wiki it NEEDED SSL. Because there was some sensitive data in it. My
website, however, is just a goofball toy project of mine. And doesn't
really need that. But since I have this done for my wiki I was like why
not? I stumbled getting the mediawiki to connect via SSL. Once I found the
setting $wgDBssl = true; for media wiki it just worked.

For my wordpress site, I found the setting define('DB_SSL', true);. I set
that up in wp-config.php. However for some reason that wasn't the silver
bullet that the mediawiki SSL database setting was ( $wgDBssl = true; ). I
can understand why my little test script couldn't work with an SSL user.
But do you have any idea why that wordpress setting won't allow the site to
connect to the DB? While it may not be of super high importance to have my
site contact the DB via SSL, it would still be a nice thing to have.

Thanks,
Tim

On Sat, Aug 15, 2015 at 10:45 PM, Tim Dunphy bluethu...@gmail.com wrote:

 You were doing this (looking at the mysql.db table) on your
 db.example.com machine, correct?


 db.example.com is a load balanced VIP. The VIP is being handled by
 keepalived and HA/Proxy. There are two DB's setup in master/master
 replication. The two databases and two load balancers are on AWS. The web
 server and varnish servers are on digital ocean.

 I setup a grant on db1 to allow access to the database from the load
 balancers. And those permissions were automatically replicated over to the
 second database. Once I set that up I was able to mysql into the load
 balanced database and the media wiki started working. But the wordpress
 site and the test php script still couldn't access the load balanced
 database.

 Thanks

 On Sat, Aug 15, 2015 at 10:26 PM, Richard 
 lists-cen...@listmail.innovate.net wrote:

 You were doing this (looking at the mysql.db table) on your
 db.example.com machine, correct?


  Original Message 
  Date: Saturday, August 15, 2015 19:32:25 -0400
  From: Tim Dunphy bluethu...@gmail.com
  To: CentOS mailing list centos@centos.org
  Subject: Re: [CentOS] wordpess can't connect to DB but mediawiki
 can
 
 
  Use that db and then issue:
   select * from db where Db='jfwiki' or Db='jokefire' order by
   Host;
 
 
  Well yeah. I used the mysql database before I issued that command.
 
 
   MariaDB [(none)] use mysql
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A
 
  Database changed
 
  Then if I run that command for some reason there's no jfwiki or
  jokefire entry in the db table:
 
  MariaDB [mysql]  select * from db where Db='jfwiki' or
  Db='jokefire' order by Host;
  Empty set (0.00 sec)
 
 
  For some reason another database I imported to do bacula backups
  has an entry in the db table:
 
  MariaDB [mysql]> select Host,Db from db;
  +-----------+--------+
  | Host      | Db     |
  +-----------+--------+
  | %         | bacula |
  | localhost | bacula |
  +-----------+--------+
  2 rows in set (0.00 sec)
 
  However I'm thinking more along the lines of my php mysql client
  having an issue. Although I'm still a little stuck on why the wiki
  works without any problem and why neither my php script nor
  wordpress are able to connect to the db. It's really strange how
  that's happening!
 
 
  On Sat, Aug 15, 2015 at 6:12 PM, Richard
  lists-cen...@listmail.innovate.net
  wrote:
 
 
   Date: Saturday, August 15, 2015 17:57:03 -0400
   From: Tim Dunphy bluethu...@gmail.com
 
  
   [this isn't really a centos issue, even if you're using centos,
   which isn't obvious. that said ...]
  
  
   Yeah that's true. But this list tends to be rather helpful for
   general problems that are less specific to centos. Sometimes. :)
   Really seems to depend...
  
   Incidentally I am using centos on all hosts:
  
  # cat /etc/redhat-release
   CentOS Linux release 7.0.1406 (Core)
  
   OK now that that's out of the way, for some reason I don't seem
   to have an entry in my db database for either jokefire or
   jfwiki:
  
   MariaDB [mysql] select * from db  where Db like 'jfwiki' or Db
   like 'jokefire';
   Empty set (0.00 sec)
  
   Not sure why that would be the case. They're definitely there on
   this database server:
  
   MariaDB [mysql]> show databases;
   +--------------------+
   | Database           |
   +--------------------+
   | bacula             |
   | information_schema |
   | jfwiki             |
   | jokefire           |
   | mysql              |
   | performance_schema |
   +--------------------+
   6 rows in set (0.00 sec)
  
   Any other ideas?
  
   Thanks,
   Tim
  
   On Sat, Aug 15, 2015 at 3:07 PM, Richard wrote:
  
  
  
Date: Saturday, August 15, 2015 13:53:28 -0400
From: Tim Dunphy bluethu

Re: [CentOS] wordpess can't connect to DB but mediawiki can

2015-08-15 Thread Tim Dunphy

 [this isn't really a centos issue, even if you're using centos,
 which isn't obvious. that said ...]


Yeah that's true. But this list tends to be rather helpful for general
problems that are less specific to centos. Sometimes. :) Really seems to
depend...

Incidentally I am using centos on all hosts:

#cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)

OK now that that's out of the way, for some reason I don't seem to have an
entry in my db database for either jokefire or jfwiki:

MariaDB [mysql]> select * from db  where Db like 'jfwiki' or Db like
'jokefire';
Empty set (0.00 sec)

Not sure why that would be the case. They're definitely there on this
database server:

MariaDB [mysql]> show databases;
+--------------------+
| Database           |
+--------------------+
| bacula             |
| information_schema |
| jfwiki             |
| jokefire           |
| mysql              |
| performance_schema |
+--------------------+
6 rows in set (0.00 sec)

Any other ideas?

Thanks,
Tim

On Sat, Aug 15, 2015 at 3:07 PM, Richard lists-cen...@listmail.innovate.net
 wrote:



  Date: Saturday, August 15, 2015 13:53:28 -0400
  From: Tim Dunphy bluethu...@gmail.com
 
  Hey guys,
 
  I'm running both a wordpress site as well as a mediawiki off of
  the same web servers. The mediawiki site works great! The
  wordpress site, meh. Not so much. I keep getting the common
  database connection error:
 
  Error establishing a database connection
 
  And as far as I can tell the settings between the mediawiki site
  and the wordpress site are nearly identical.

... snip ... 

 [this isn't really a centos issue, even if you're using centos,
 which isn't obvious. that said ...]

 I would start by looking at the access control entries for the wp
 and mw dbs, (in the mysql.db table). Based on what you are trying
 here, there should be matching entries in that table for the Dbs
 jokefire and jfwiki (e.g., for the Host as well as the various
 _priv fields).

  select * from db where Db='jokefire' or Db='jfwiki' order by Host\g

 There may be something else going on, but without knowing that the
 access control is as it should be there's not much value in
 speculating.





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] wordpess can't connect to DB but mediawiki can

2015-08-15 Thread Tim Dunphy
Hey guys,

I'm running both a wordpress site as well as a mediawiki off of the same
web servers. The mediawiki site works great! The wordpress site, meh. Not
so much. I keep getting the common database connection error:

Error establishing a database connection

And as far as I can tell the settings between the mediawiki site and the
wordpress site are nearly identical.

Here's the media wiki config first since that one's working:

## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBtype = "mysql";
$wgDBservers = '';
$wgDBserver = "db.example.com";
$wgDBssl = true;
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
$wgDBpassword = "secret";

And here's what the wordpress database connection settings look like since
they are not:

/** The name of the database for WordPress */
define('DB_NAME', 'jokefire');

/** MySQL database username */
define('DB_USER', 'admin_ssl');

/** MySQL database password */
define('DB_PASSWORD', 'secret');

/** MySQL hostname */
define('DB_HOST', 'db.example.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Contact the database over a secure connection */
define('DB_SSL', true);

I realize that they're not exactly the same. But I think you can make an
easy correlation between the mediawiki settings and the settings for
wordpress. And they look similar enough to think that wordpress should be
working. Right?

The only real other difference is the name of the database each site is
using, which I guess makes sense.

But the fact that mediawiki works fine tells me that the user and password
set for both sites has access to the database.

Just for laughs I use the account settings from the wordpress config to
demonstrate that I can connect to the DB on the command line. Again, it's
the same account info that I have in the wiki site:

#mysql -uadmin_ssl -p -h db.example.com -D jokefire  -e "show tables" | head -5
Enter password:
Tables_in_jokefire
wp_bp_activity
wp_bp_activity_meta
wp_bp_chat_channel_users
wp_bp_chat_channels


Also, I created a basic php script to see if it could connect to the
database

<?php
// Connects with the same host, user and password as the WordPress config above.
$link = mysql_connect('db.example.com', 'admin_ssl', 'secret');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>

And to my surprise it can't connect!

php testconnect.php
Could not connect: Access denied for user
'admin_ssl'@'ec2-54-86-143-49.compute-1.amazonaws.com' (using
password: YES)

Why am I surprised that it can't? Because again 1) the wiki can connect to
the database no problem. And 2) I can connect to the db on the command line
using the same credentials.

My API Client version is:

Client API version mysqlnd 5.0.10 - 20111026 - $Id:
c85105d7c6f7d70d609bb4c000257868a40840ab $

There are two MySQL databases configured in a master/master setup. The
database address is a VIP that is load balanced on the same two HA/Proxy
nodes. The two database servers are using MariaDB version 10.0.20-1.

There's 3 web servers sitting behind a VIP as well. But to troubleshoot
this I just put the IP address of the 1st web server into my hosts file and I'm
using that as the site name.

I'm not really sure how important it is to know all of that about the load
balanced aspects of the site. But I wanted to get those details out into
the open just in case they were important.
Thanks in advance!

Tim
-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] can't ssh into C7 host

2015-07-18 Thread Tim Dunphy
Cool thanks! I'll check it out.

On Sat, Jul 18, 2015 at 9:56 PM, Alexander Dalloz ad+li...@uni-x.org
wrote:

 Am 19.07.2015 um 01:58 schrieb Tim Dunphy:

 hey guys,

 Yesterday I had no trouble logging into this database host. But today for
 some reason I can't log in using my RSA key and password authentication
 doesn't work either.

 I am able to log onto the host via console. And I was able to grab the ssh
 config file. Here it is:

 [root@db1 ~]# grep -v '#' /etc/ssh/sshd_config  |sed '/^\s*$/d'


 egrep -v '^#|^$' /etc/ssh/sshd_config

 would be straighter.

  HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 SyslogFacility AUTHPRIV
 AuthorizedKeysFile .ssh/authorized_keys
 PasswordAuthentication yes
 ChallengeResponseAuthentication no
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 So I performed a verbose ssh login, and this is what I saw:


 #ssh -vvv bluethu...@db1.example.com

 OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

 debug1: Reading configuration data /Users/MyUser/.ssh/config


 Odd path.

  debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
 negated match for *.example.com

 debug1: Reading configuration data /etc/ssh_config

 debug1: /etc/ssh_config line 20: Applying options for *

 debug2: ssh_connect: needpriv 0

 debug1: Connecting to db1.example.com [104.131.222.29] port 22.

 debug1: Connection established.

 debug3: Incorrect RSA1 identifier

 debug3: Could not load /Users/MyUser/.ssh/id_rsa as a RSA1 public key


 What's wrong there?

 [ ... ]

  debug1: Local version string SSH-2.0-OpenSSH_6.2

 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
 Debian-5

 debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*


 I don't see CentOS 7 involved here, neither local nor remote.

 [ ... ]

  debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa

 debug3: send_pubkey_test

 debug2: we sent a publickey packet, wait for reply

 debug1: Authentications that can continue: publickey,password

 debug1: Trying private key: /Users/MyUser/.ssh/id_dsa

 debug3: no such identity: /Users/MyUser/.ssh/id_dsa: No such file or
 directory

 debug2: we did not send a packet, disable method

 debug3: authmethod_lookup password

 debug3: remaining preferred: ,password

 debug3: authmethod_is_enabled password

 debug1: Next authentication method: password

 bluethu...@db1.example.com's password:


 Can anyone give me a heads up as to why this is failing?


 Read the syslog() logfile of the SSH daemon logging. That should give you
 a hint.

  Thanks,

 Tim


 Alexander







-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] can't ssh into C7 host

2015-07-18 Thread Tim Dunphy
hey guys,

Yesterday I had no trouble logging into this database host. But today for
some reason I can't log in using my RSA key and password authentication
doesn't work either.

I am able to log onto the host via console. And I was able to grab the ssh
config file. Here it is:

[root@db1 ~]# grep -v '#' /etc/ssh/sshd_config  |sed '/^\s*$/d'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

So I performed a verbose ssh login, and this is what I saw:


#ssh -vvv bluethu...@db1.example.com

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/MyUser/.ssh/config

debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
negated match for *.example.com

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to db1.example.com [104.131.222.29] port 22.

debug1: Connection established.

debug3: Incorrect RSA1 identifier

debug3: Could not load /Users/MyUser/.ssh/id_rsa as a RSA1 public key

debug1: identity file /Users/MyUser/.ssh/id_rsa type 1

debug1: identity file /Users/MyUser/.ssh/id_rsa-cert type -1

debug1: identity file /Users/MyUser/.ssh/id_dsa type -1

debug1: identity file /Users/MyUser/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
Debian-5

debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug3: load_hostkeys: loading entries for host db1.example.com from file
/Users/MyUser/.ssh/known_hosts

debug3: load_hostkeys: found key type RSA in file
/Users/MyUser/.ssh/known_hosts:172

debug3: load_hostkeys: loaded 1 keys

debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-...@openssh.com,
ssh-rsa-cert-...@openssh.com,ssh-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,
ssh-rsa-cert-...@openssh.com,ssh-rsa,ssh-dss-cert-...@openssh.com,
ssh-dss-cert-...@openssh.com,ssh-dss

debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se

debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-...@openssh.com,aes256-...@openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-...@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,
umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,
hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,
hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,
umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,z...@openssh.com,zlib

debug2: kex_parse_kexinit: none,z...@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: curve25519-sha...@libssh.org
,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com

debug2: kex_parse_kexinit: umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-...@openssh.com,umac-128-...@openssh.com,

[CentOS] ssh failed only with nfs home directory

2015-07-13 Thread Tim Dunphy
Hey all,

 Having a weird ssh issue I'd like some opinions on.

 If I have my home directory mounted on the NFS server itself, I get
permission denied when I try to ssh into it. The correct permissions and
ownership are on the home directory, ssh directory and the authorized_users
file.

Here's what a verbose ssh session looks like:

#ssh -v bluethu...@nfs1.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to nfs1.example.com [162.243.109.94] port 22.
debug1: Connection established.
debug1: identity file /Users/TimothyDunphy/.ssh/id_rsa type 1
debug1: identity file /Users/TimothyDunphy/.ssh/id_rsa-cert type -1
debug1: identity file /Users/TimothyDunphy/.ssh/id_dsa type -1
debug1: identity file /Users/TimothyDunphy/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client-server aes128-ctr hmac-md5-...@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA f7:06:1a:56:2f:0e:1b:bd:7b:e6:de:8c:9a:88:ea:09
debug1: Host 'nfs1.example.com' is known and matches the RSA host key.
debug1: Found key in /Users/TimothyDunphy/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/TimothyDunphy/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/TimothyDunphy/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

And I see this message in the secure log:

Jul 13 23:09:28 nfsdb1 sshd[15305]: Connection closed by xx.xx.xx.xx
 [preauth]

The IP that I xxx'd out  is my client IP

Here's the permissions and ownership on the directories and files:

#ls -ld /home/bluethundr/ /home/bluethundr/.ssh
/home/bluethundr/.ssh/authorized_keys

drwxr-x---. 37 bluethundr bluethundr 4096 Jul 13 20:57 /home/bluethundr/

drw---.  3 bluethundr bluethundr 4096 Jun 15 17:22 /home/bluethundr/.ssh

-rw---.  1 bluethundr bluethundr 2614 Jun 15 17:22
/home/bluethundr/.ssh/authorized_keys

SELinux is set to permissive:

#getenforce
Permissive

If I unmount the nfs home directory I am able to log in:

[root@nfs1:~] #umount -l /home
[root@nfs1:~] #

#ssh bluethu...@nfs1.example.com
Last login: Mon Jul 13 23:08:35 2015 from ool-2f126f64.dyn.optonline.net
-bash-4.2$

The permissions on the non-nfs home directory are the same as the NFS
mounted home directory:

#ls -ld /home/bluethundr/ /home/bluethundr/.ssh
/home/bluethundr/.ssh/authorized_keys
drwxr-x---. 37 bluethundr bluethundr 4096 Jul 13 20:57 /home/bluethundr/
drw---.  3 bluethundr bluethundr 4096 Jun 15 17:22 /home/bluethundr/.ssh
-rw---.  1 bluethundr bluethundr 2614 Jun 15 17:22
/home/bluethundr/.ssh/authorized_keys

As soon as I mount it back, the issue returns and I am unable to ssh in:

#ssh bluethu...@nfs1.example.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).


I'd really appreciate any ideas you guys may have as to why this is
happening!!

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] puppet files denied by SELinux

2015-07-11 Thread Tim Dunphy

 You might want to setup an alias mv mv -Z
 This changes the way mv works to set the context after mv rather than
 maintaining the source context.


Thanks! That's probably a good suggestion. However I did try doing a
restorecon -R -v on the entire puppet directory. No luck in resolving that
error. And it's really bugging me that SELinux has to stay off in order for
puppet to do its thing.

However I was at least smart enough to keep my entire puppet directory, as
well as my puppetdb directory in SVN. So in case of a need to rebuild, I
can ease the process a bit. I'm heavily leaning to a rebuild at this point
to resolve this. Sucks, but what can ya do!

And if I do actually take that step I hope that the rebuild resolves it.
And that I haven't checked anything into SVN that would muff up SELinux on
the rebuilt host.

On Mon, Jun 29, 2015 at 6:15 AM, Daniel J Walsh dwa...@redhat.com wrote:

 I have no idea of the current dependency problem.  I think your original
 problem was caused by mv'ing files from an nfs share to /etc which
 maintained the context.  And SELinux prevented puppet from accessing
 nfs_t type.  If you had just run restorecon on the object it would have
 set it back to the correct/default context.

 You might want to setup an alias mv mv -Z

 This changes the way mv works to set the context after mv rather than
 maintaining the source context.

 On 06/21/2015 02:05 PM, Tim Dunphy wrote:
  Hey guys,
 
   Quick update. I grepped through the output of getsebool -a to see that
  related to puppet. And I found this setting:
 puppetagent_manage_all_files.
 
   So I tried running this command: setsebool -P
 puppetagent_manage_all_files
  0
 
   And did a restorecon on my modules directory: restorecon -R -v
  environments/production/moudles
 
   So there's good news and bad news to report! It seems that now puppet on
  the client isn't complaining about not having access to the cert and key
  files anymore! That's the good news. The bad news is, when I do puppet
 runs
  on all the hosts now, I get the following errors:
 
  Notice: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Dependency
  File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Skipping
  because of failed dependencies
  Notice: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Dependency
  File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Skipping because of
  failed dependencies
  Notice:
  /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
  /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]:
  Skipping because of failed dependencies
  Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/validate_re.rb]:
  Skipping because of failed dependencies
  Notice: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/puppet/reports/datadog_reports.rb]:
  Skipping because of failed dependencies
  Notice:
 
 /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
 
 /File[/var/lib/puppet/lib/puppet/parser/functions/is_function_available.rb]:
  Skipping because of failed dependencies
  Notice:
  /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
  /File[/var/lib/puppet/lib/puppet/parser/functions/str2saltedsha512.rb]:
  Skipping because of failed dependencies
  Notice:
 
 /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
 
 /File[/var/lib/puppet/lib/puppet/parser/functions/delete_undef_values.rb]:
  Skipping because of failed dependencies
  Notice:
 /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning:
 /File[/var/lib/puppet/lib/puppet/parser/functions/fqdn_rotate.rb]:
  Skipping because of failed dependencies
  Notice: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Dependency
  File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/facter/gemhome.rb]: Skipping because
 of
  failed dependencies
  Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/values_at.rb]:
  Skipping because of failed dependencies
  Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/getvar.rb]:
  Dependency File[/var/lib/puppet/lib] has failures: true
  Warning: /File[/var/lib/puppet/lib/puppet

Re: [CentOS] rsyncing directories - sanity check

2015-06-25 Thread Tim Dunphy

 Have you considered just resizing the volumes?


That'd probably be my preference. But in my role at this company I don't
have the direct access to do that. I'd probably have to open up a ticket to
another department and have it done when 'they get around to it'. In say 3
or 4 weeks. On my own servers no sweat. But at work. nah. not really
practical.

Thanks for the suggestion anyway!

On Wed, Jun 24, 2015 at 2:33 PM, Gordon Messmer gordon.mess...@gmail.com
wrote:

 On 06/24/2015 09:42 AM, Tim Dunphy wrote:

 And for
 some reason when the servers were ordered the large local volume ended up
 being /usr when the ES rpm likes to store its indexes on /var.

 So I'm syncing the contents of both directories to a different place, and
 I'm going swap the large local volume from /usr to /var.


 Have you considered just resizing the volumes?  If you're trying to swap
 them with rsync, you're going to have to reboot anyway, and relabel your
 system.  If any daemons are running, you might also corrupt their data this
 way.

  The entire /var partition is only using 549MB:

 rsync: write failed on /opt/var/log/lastlog: No space left on device
 (28)


 Depending on what UIDs are allocated to your users, lastlog can be an
 enormous sparse file.  You would need to use rsync's -S flag to copy it.






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
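
The sparse-file explanation in the reply quoted above, as an added example that is not part of the thread: df counts only allocated blocks, while a copy that does not preserve holes writes them out as zeros, so a tree that looks small on disk can need far more room at the destination. The function names and the demo tree are constructed for illustration, and GNU find, stat and truncate are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/stat/truncate.

# sparse_report DIR [MIN_HOLE_BYTES]
# List regular files under DIR whose apparent size exceeds the space actually
# allocated on disk by at least MIN_HOLE_BYTES (default 1 MiB).
# Output per file: "<apparent_bytes> <allocated_bytes> <path>"
sparse_report() (
    dir=$1
    min_hole=${2:-1048576}
    find "$dir" -xdev -type f -exec stat -c '%s %b %B %n' {} + 2>/dev/null |
    awk -v min="$min_hole" '{
        apparent  = $1
        allocated = $2 * $3            # block count * bytes per block
        path = $0
        sub(/^[0-9]+ [0-9]+ [0-9]+ /, "", path)
        if (apparent - allocated >= min)
            printf "%.0f %.0f %s\n", apparent, allocated, path
    }'
)

# tree_sizes DIR
# Print "<apparent_total> <allocated_total>" in bytes for regular files in DIR.
# allocated_total is close to what df and du count; apparent_total is what a
# copy that fills in the holes has to write at the destination.
tree_sizes() (
    find "$1" -xdev -type f -exec stat -c '%s %b %B' {} + 2>/dev/null |
    awk '{ a += $1; d += $2 * $3 } END { printf "%.0f %.0f\n", a, d }'
)

# copy_fits DIR AVAIL_BYTES MODE
#   MODE=dense   copy without hole preservation (rsync without -S)
#   MODE=sparse  copy with hole preservation    (rsync with -S)
# Returns 0 if the file data would fit into AVAIL_BYTES, 1 if not.
# Directory and metadata overhead is ignored, so treat it as a lower bound.
copy_fits() (
    sizes=$(tree_sizes "$1")
    apparent=${sizes% *}
    allocated=${sizes#* }
    case $3 in
        dense)  need=$apparent ;;
        sparse) need=$allocated ;;
        *) echo "mode must be dense or sparse" >&2; exit 2 ;;
    esac
    [ "$need" -le "$2" ]
)

# make_demo_tree: constructed sample data standing in for /var. Creates a
# temporary tree with one small real log and a 64 MiB "lastlog" that is all
# hole, then prints the directory path.
make_demo_tree() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/log"
    printf 'constructed sample log line\n' > "$d/log/secure"
    truncate -s 67108864 "$d/log/lastlog"
    printf '%s\n' "$d"
)

demo() {
    d=$(make_demo_tree) || return 1
    echo "sparse files (apparent allocated path):"
    sparse_report "$d"
    echo "totals (apparent allocated): $(tree_sizes "$d")"
    for mode in dense sparse; do
        if copy_fits "$d" 33554432 "$mode"; then r="fits"; else r="does NOT fit"; fi
        echo "$mode copy into 32 MiB free: $r"
    done
    rm -rf "$d"
}
demo
```

On the real host the same check is `sparse_report /var` before the sync, with `-S` added to the rsync options as the reply suggests.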


[CentOS] rsyncing directories - sanity check

2015-06-24 Thread Tim Dunphy
hey guys,

 I need to mount a different volume onto /var so we have more room to
breathe. I'll be turning 3 servers into an elasticsearch cluster. And for
some reason when the servers were ordered the large local volume ended up
being /usr when the ES rpm likes to store its indexes on /var.

So I'm syncing the contents of both directories to a different place, and
I'm going swap the large local volume from /usr to /var.

It looked like /opt had more than enough space to hold both directories.
/opt was 6GB and I successfully synced /usr to it. /usr was 2.5GB.

Then I went to sync /var to a temp folder in /opt. Checking I see that it
still has 1.6GB available after the first sync.

# df -h /opt
Filesystem            Size  Used *Avail* Use% Mounted on
/dev/mapper/SysVG-OptVol
                      6.0G  4.1G  *1.6G*  72% /opt


The entire /var partition is only using 549MB:

# df -h /var
Filesystem            Size  *Used* Avail Use% Mounted on
/dev/mapper/SysVG-VarVol
                      6.0G  *549M*  5.1G  10% /var

So that being the case, if I make a temp directory in /opt called /opt/var,
how come I am running out of space in doing my rsync? It fails at the end
and the /opt volume is filled up to 100%. Even tho I only have 549MB to
sync.

rsync: writefd_unbuffered failed to write 4 bytes to socket [sender]:
Broken pipe (32)
rsync: write failed on /opt/var/log/lastlog: No space left on device (28)
rsync error: error in file IO (code 11) at receiver.c(301) [receiver=3.0.6]
rsync: recv_generator: mkdir /opt/var/www/manual/developer failed: No
space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/faq failed: No space
left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/howto failed: No space
left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/images failed: No space
left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/misc failed: No space
left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/mod failed: No space
left on device (28)
*** Skipping any contents from this failed directory ***
rsync: connection unexpectedly closed (148727 bytes received so far)
[sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600)
[sender=3.0.6]


And if I do a df of the entire system, it looks like everything is still ok:

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/SysVG-RootVol
                      2.0G  872M  1.1G  46% /
tmpfs                 4.0G     0  4.0G   0% /dev/shm
/dev/sda1             486M   87M  375M  19% /boot
/dev/mapper/SysVG-HomeVol
                      4.0G  137M  3.7G   4% /home
/dev/mapper/SysVG-OptVol
                      6.0G  4.3G  1.4G  76% /opt
/dev/mapper/SysVG-TmpVol
                      2.0G  130M  1.8G   7% /tmp
/dev/mapper/SysVG-UsrVol
                      197G  2.8G  185G   2% /usr
/dev/mapper/SysVG-VarVol
                      6.0G  549M  5.1G  10% /var

Does anyone have a good guess as to why these 'out of space' failures are
occurring?

Thanks,
Tim



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] rsyncing directories - sanity check

2015-06-24 Thread Tim Dunphy
Hey Carl,

 Hi Tim,
 At first glance, I don't see anything obvious, but if it were me, I'd
 do the following:
 a) add the 'n' flag to do a dry run (no actual copying)
 b) increase rsync's verbosity
(A single -v will give you information about what files are being
transferred and a brief summary at the end. Two -v options (-vv)
will give you information on what files are being skipped and
slightly more information at the end. A third 'v' is insanely
verbose.)
 c) redirect standard out to a text file that you can examine for more
clues.
 hth  regards,



Good suggestions! Thanks!

Tim



On Wed, Jun 24, 2015 at 1:05 PM, Carl E. Hartung carlh04...@gmail.com
wrote:

 On Wed, 24 Jun 2015 12:42:19 -0400
 Tim Dunphy wrote:

  Does anyone have a good guess as to why these 'out of space' failures
  are occurring?

 Hi Tim,

 At first glance, I don't see anything obvious, but if it were me, I'd
 do the following:

 a) add the 'n' flag to do a dry run (no actual copying)

 b) increase rsync's verbosity
(A single -v will give you information about what files are being
transferred and a brief summary at the end. Two -v options (-vv)
will give you information on what files are being skipped and
slightly more information at the end. A third 'v' is insanely
verbose.)

 c) redirect standard out to a text file that you can examine for more
clues.

 hth  regards,

 Carl




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] puppet files denied by SELinux

2015-06-21 Thread Tim Dunphy
Hi all,

Thanks for all your suggestions. Here's where I'm at with this.

Can you give details about your puppetmasterd setup ? it seems that
 you're using Foreman as puppet ENC.


Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using
foreman, sorry I hadn't thought to mention it!


 Foreman works fine with selinux enabled : that's what we use for the
 centos.org infra :-)
 Which version of puppet/foreman are you using ? Note that foreman has
 the foreman-selinux package that is used to automatically tune
 contexts and booleans needed for this.
 You can still reapply those settings with
 /usr/sbin/foreman-selinux-{disable,enable,relabel}
 There is no need to recompile a custom selinux policy for
 foreman/puppet those days


I didn't recompile any custom selinux policies. All I did to try to resolve
the issue is to consult audit2allow and install the module it suggested.
I did try running /usr/sbin/foreman-selinux-enable but that didn't seem to
have an effect.

Knowing nothing of your scenario, look at the source and target context.

 Looks like you copied a crt from an nfs location and you don't have a
 file context defined to transition labels, maybe something like:

 semanage fcontext -a -t passenger_t "/etc/puppet/environments(/.*)?"

 However, I know nothing of puppets selinux infrastructure, you may need
 a more applicable  type.

 In these cases, audit2allow can't possibly guess the right thing and will
 certainly produce a rule that is either unsafe or simply wrong.


You are correct that I copied the key and cert from an NFS share! Both the
puppet server and the monitor1 client share the same /home directory via
NFS. Pretty cool that you picked up on that! I do suspect you're probably
right that this may be causing the problem. Just on a hunch, I tried
copying the certs and keys from the monitor1 host over to the puppet host
to the /tmp directory on the puppet server. That leaves out NFS altogether.
And when I do that, my bacula puppet module WORKS!! Puppet doesn't complain
at all!

But if I check out another host where I copied the cert and key from the
NFS home directory I still get the error:

Error:
/Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor2.mydomain.com.key]:
Could not evaluate: Could not retrieve information from environment
production source(s)
puppet:///modules/bacula/monitor2/monitor2.mydomain.com.key
Error:
/Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor2.mydomain.com.crt]:
Could not evaluate: Could not retrieve information from environment
production source(s)
puppet:///modules/bacula/monitor2/monitor2.mydomain.com.crt

Also when I try to set context using the line you suggested I get an error:

#semanage fcontext -a -t passenger_t "/etc/puppet/environments(/.*)?"
ValueError: Type passenger_t is invalid, must be a file or device type

So I googled around and found what seems to be the correct syntax:

semanage fcontext -a -t passenger_exec_t "/etc/puppet/environments(/.*)?"

Because when I applied that line, I didn't get any errors or complaints.
However the problem still existed on the monitor2 host which had the key
pair copied from the NFS share.

So in summary it appears that there is some interaction between SELinux and
NFS that is causing the issue.

Any thoughts?

Thanks,
Tim

On Sun, Jun 21, 2015 at 11:09 AM, Tim Dunphy bluethu...@gmail.com wrote:

 Yes, you did when you used the audit2allow with the -M option argument
 of puppet, which is confirmed by the command you issued to try to load
 it semodule -i puppet.pp (which you stated in your original message).
 I'm okay with you asserting otherwise and not following my first
 suggestion -- my second is to use a totally different name, e.g., barf
 and thus semodule -i barf.pp.


 Haha!! Ok man. I get you now. Thanks. Also I meant to send this to the
 list.. Whoops! I'll try doing it again with something like 'my' in the
 front. I remember having a similar problem with Zabbix last week that I
 solved this way.

 On Sun, Jun 21, 2015 at 12:19 AM, Mark Milhollan m...@pixelgate.net
 wrote:

 On Sat, 20 Jun 2015, Tim Dunphy wrote:
 I wrote:

  That suggests there's already a module named puppet, and thus you are
  replacing it with the one you made which does not supply the
  puppet_var_lib_t type.  Always prefix your own modules with something
  that makes them almost certain to be unique, e.g., yourdom_puppet.
 
 
 No, actually I didn't compile my own selinux module. :) Not sure how you
 got that idea, but that is not the case.

 Yes, you did when you used the audit2allow with the -M option argument
 of puppet, which is confirmed by the command you issued to try to load
 it semodule -i puppet.pp (which you stated in your original message).
 I'm okay with you asserting otherwise and not following my first
 suggestion -- my second is to use a totally different name, e.g., barf
 and thus semodule -i barf.pp.


 /mark




 --
 GPG me!!

 gpg --keyserver pool.sks-keyservers.net --recv-keys
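
The advice quoted above to look at the source and target context of a denial before acting on audit2allow, as an added example that is not part of the thread: it sorts AVC denials into those whose target carries a label brought in from elsewhere (a relabel problem) and those that need a real policy review. The AVC records are constructed (only the file names and the types passenger_t, nfs_t and puppet_var_lib_t come from the thread), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.

# Target types that mean "this file carried its label in from elsewhere".
# nfs_t is the one named in the thread; set FOREIGN_TYPES to add others
# (space separated).
FOREIGN_TYPES=${FOREIGN_TYPES:-nfs_t}

# sample_avc: constructed audit.log excerpt. pids, inodes and timestamps are
# made up; the denials mimic a cert and key copied in from an NFS home.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1434900000.101:501): avc:  denied  { read } for  pid=2101 comm="ruby" name="monitor2.mydomain.com.key" dev="dm-0" ino=131201 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1434900000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1434900000.202:502): avc:  denied  { read } for  pid=2101 comm="ruby" name="monitor2.mydomain.com.crt" dev="dm-0" ino=131202 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1434900000.303:503): avc:  denied  { write } for  pid=2101 comm="ruby" name="lib" dev="dm-0" ino=131300 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
EOF
}

# avc_triage: read audit.log lines on stdin and print, per AVC denial,
#   <action> <source_type> <target_type> <tclass> <name>
# action is "relabel" when the target type is in FOREIGN_TYPES, which points
# at a mislabeled file rather than missing policy; otherwise "review".
avc_triage() {
    awk -v foreign="$FOREIGN_TYPES" '
    BEGIN {
        n = split(foreign, f, " ")
        for (i = 1; i <= n; i++) is_foreign[f[i]] = 1
    }
    /avc: +denied/ {
        src = tgt = cls = name = "-"
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is field 3.
            if      ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
        }
        action = (tgt in is_foreign) ? "relabel" : "review"
        print action, src, tgt, cls, name
    }'
}

# relabel_candidates: unique object names from stdin whose denial should be
# fixed by restoring the default label (restorecon on the file or its
# directory), not by loading a generated module. A generated rule for them
# would be of the form "allow passenger_t nfs_t:file read;", which covers
# every NFS-labelled file, not just these two.
relabel_candidates() {
    avc_triage | awk '$1 == "relabel" { print $5 }' | sort -u
}

# Stand-alone demo on the constructed records.
sample_avc | avc_triage
```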

Re: [CentOS] puppet files denied by SELinux

2015-06-21 Thread Tim Dunphy
/puppet/lib] has failures: true
Warning:
/File[/var/lib/puppet/lib/puppet/parser/functions/validate_cmd.rb]:
Skipping because of failed dependencies

It's actually a long list of errors that's too long to reproduce here. It'd
go on for a couple pages at least.

However if I turn off SELinux on the puppet master, everything returns to
normal. Goes from utter chaos to complete order in an instant!

So I guess I've muffed up my SELinux config on this puppet host. I just
hope it's repairable at this point! I'd hate to leave it off just so that
puppet will be able to do its job. And of all the hosts that would need
SELinux protection I would think that a puppet host would be one of the
most important if not 'the' most important to protect!

I'm definitely open to suggestions at this point!

Thanks,
Tim

On Sun, Jun 21, 2015 at 11:11 AM, Tim Dunphy bluethu...@gmail.com wrote:

 Hi all,

 Thanks for all your suggestions. Here's where I'm at with this.

 Can you give details about your puppetmasterd setup ? it seems that
 you're using Foreman as puppet ENC.


 Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using
 foreman, sorry I hadn't thought to mention it!


 Foreman works fine with selinux enabled : that's what we use for the
 centos.org infra :-)
 Which version of puppet/foreman are you using ? Note that foreman has
 the foreman-selinux package that is used to automatically tune
 contexts and booleans needed for this.
 You can still reapply those settings with
 /usr/sbin/foreman-selinux-{disable,enable,relabel}
 There is no need to recompile a custom selinux policy for
 foreman/puppet those days


 I didn't recompile any custom selinux policies. All I did to try to
 resolve the issue is to consult audit2allow and install the module it
 suggested.
 I did try running /usr/sbin/foreman-selinux-enable but that didn't seem
 to have an effect.

 Knowing nothing of your scenario, look at the source and target context.

 Looks like you copied a crt from an nfs location and you don't have a
 file context defined to transition labels, maybe something like:

 semanage fcontext -a -t passenger_t /etc/puppet/environments(/.*)?

 However, I know nothing of puppet's selinux infrastructure, you may need
 a more applicable  type.

 In these cases, audit2allow can't possibly guess the right thing and will
 certainly produce a rule that is either unsafe or simply wrong.


 You are correct that I copied the key and cert from an NFS share! Both the
 puppet server and the monitor1 client share the same /home directory via
 NFS. Pretty cool that you picked up on that! I do suspect you're probably
 right that this may be causing the problem. Just on a hunch, I tried
 copying the certs and keys from the monitor1 host over to the puppet host
 to the /tmp directory on the puppet server. That leaves out NFS altogether.
 And when I do that, my bacula puppet module WORKS!! Puppet doesn't complain
 at all!

 But if I check out another host where I copied the cert and key from the
 NFS home directory I still get the error:

 Error:
 /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor2.mydomain.com.key]:
 Could not evaluate: Could not retrieve information from environment
 production source(s)
 puppet:///modules/bacula/monitor2/monitor2.mydomain.com.key
 Error:
 /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor2.mydomain.com.crt]:
 Could not evaluate: Could not retrieve information from environment
 production source(s)
 puppet:///modules/bacula/monitor2/monitor2.mydomain.com.crt

 Also when I try to set context using the line you suggested I get an
 error:

 #semanage fcontext -a -t passenger_t /etc/puppet/environments(/.*)?
 ValueError: Type passenger_t is invalid, must be a file or device type

 So I googled around and found what seems to be the correct syntax:

 semanage fcontext -a -t passenger_exec_t /etc/puppet/environments(/.*)?

 Because when I applied that line, I didn't get any errors or complaints.
 However the problem still existed on the monitor2 host which had the key
 pair copied from the NFS share.

 So in summary it appears that there is some interaction between SELinux
 and NFS that is causing the issue.

 Any thoughts?

 Thanks,
 Tim

 On Sun, Jun 21, 2015 at 11:09 AM, Tim Dunphy bluethu...@gmail.com wrote:

 Yes, you did when you used the audit2allow with the -M option argument
 of puppet, which is confirmed by the command you issued to try to load
 it semodule -i puppet.pp (which you stated in your original message).
 I'm okay with you asserting otherwise and not following my first
 suggestion -- my second is to use a totally different name, e.g., barf
 and thus semodule -i barf.pp.


 Haha!! Ok man. I get you now. Thanks. Also I meant to send this to the
 list.. Whoops! I'll try doing it again with something like 'my' in the
 front. I remember having a similar problem with Zabbix last week that I
 solved this way.

 On Sun, Jun 21, 2015 at 12:19 AM, Mark Milhollan m...@pixelgate.net

[CentOS] puppet files denied by SELinux

2015-06-19 Thread Tim Dunphy
Hey folks,

 Ok so I'm having another issue with SELinux. However I think I'm pretty
close to a solution and just need a nudge in the right direction.

I wrote a puppet module that gets systems into bacula backups. Part of the
formula is to distribute key/cert pairs with permissions that allow bacula
to read them so that bacula can talk to the host over TLS. It's pretty
slick, I must say!

However on adding some new hosts to bacula backups via puppet, I noticed
that I was getting permission denied errors on the keypairs on the client
hosts.

In my audit logs I found this entry:

type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for
 pid=3558 comm=ruby
path=/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt
dev=vda1 ino=1842005 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

And audit2allow told me this:

#grep puppet /var/log/audit/audit.log | audit2allow -M puppet
 IMPORTANT ***
To make this policy package active, execute:

semodule -i puppet.pp

But in installing the module I get an error I've never seen before:

#semodule -i puppet.pp
libsepol.print_missing_requirements: foreman's global requirements were not
met: type/attribute puppet_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!

I will say that I'm getting much better at working through SELinux issues.
I've come a long way from when I was taught by a senior admin I was working
with to 'always disable selinux' to now making an effort to work through
the issues.

So I was hoping to get some advice on how to get over this hurdle!

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Tim Dunphy

 Sorry, I didn't put that very clearly. Could you show us the contents of
 myzabbix.te.


No prob! Thanks for all the help! But in searching my system I don't find
anything of the sort.

[root@monitor2:~] #updatedb
[root@monitor2:~] #locate myzabbix.te
[root@monitor2:~] #find / -name myzabbix.*

I also did search using 'yum provides' to find something similar. But
wasn't able to find anything.

yum provides */myzabbix.*
...
No matches found

Maybe I'll need to install a package?

Thanks,
Tim

On Wed, Jun 17, 2015 at 2:10 PM, Harold Toms h.t...@qmul.ac.uk wrote:

 On 17/06/15 17:43, Tim Dunphy wrote:

 What turns up in myzabbix.te?


 Same deal. :(

 #semodule -i myzabbix.te
 semodule:  Failed on myzabbix.te!


 sigh... but thanks any other clues?


 Sorry, I didn't put that very clearly. Could you show us the contents of
 myzabbix.te.


 --
 regards

 Harold Toms
 URL: http://iodine.chem.qmul.ac.uk






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Tim Dunphy
Hey guys,

 Thanks! That worked.

[root@monitor2:~] #grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
 IMPORTANT ***
To make this policy package active, execute:

semodule -i myzabbix.pp

[root@monitor2:~] #semodule -i myzabbix.pp
[root@monitor2:~] #lsof -i :80
[root@monitor2:~] #systemctl start httpd
[root@monitor2:~] #lsof -i :80
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
httpd   18664 root    4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18665 apache  4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18666 apache  4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18667 apache  4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18668 apache  4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
httpd   18669 apache  4u  IPv6 12477027      0t0  TCP *:http (LISTEN)
[root@monitor2:~] #getenforce
Enforcing

Definitely appreciate the help and sorry if there was any confusion on my
part. All set at this point!

Best,
Tim

On Wed, Jun 17, 2015 at 4:11 PM, Daniel J Walsh dwa...@redhat.com wrote:



 On 06/17/2015 04:03 PM, Jonathan Billings wrote:
  On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
  No prob! Thanks for all the help! But in searching my system I don't
 find
  anything of the sort.
 
  [root@monitor2:~] #updatedb
  [root@monitor2:~] #locate myzabbix.te
  [root@monitor2:~] #find / -name myzabbix.*
 
  I also did search using 'yum provides' to find something similar. But
  wasn't able to find anything.
  What we're asking for is the contents of the .te file that is created
  when you run audit2allow.
 
 Go back to the original email and do what you were told

 # grep zabbix /var/log/audit/audit.log  | audit2allow -M myzabbix
 # semodule -i myzabbix.pp

 You did audit2allow -M zabbix

 Which created zabbix.te and zabbix.pp, which is bad.  It will attempt to
 replace the system module.

 If you use myzabbix, it will add the allow rules.





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Tim Dunphy

 Try something like:
 grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
 semodule -i zabbix.pp



Thanks for your response! However this is what happens when I try to
install the module:

 [root@monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not
met: type/attribute zabbix_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!


Any other thoughts?

Thanks,
Tim

On Wed, Jun 17, 2015 at 5:32 AM, Harold Toms h.t...@qmul.ac.uk wrote:

 Try something like:

 grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
 semodule -i zabbix.pp


 On 16/06/15 15:58, Tim Dunphy wrote:

 Hey guys,

   I have a centos 7 machine I'm using as a zabbix server. And I noticed
 that
 apache won't start, with this complaint in the error log:

 (13)Permission denied: AH00091: httpd: could not open error log file
 /var/log/zabbix_error_log.
 AH00015: Unable to open logs


 I tried having a look at audit2allow and this is the response I get back:

 [root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log |
 audit2allow


 #= httpd_t ==
 allow httpd_t zabbix_log_t:file open;

 How can I turn that bit of information into a rule that allows apache
 access to this zabbix log file?

 I notice that if I disable selinux using setenforce 0, apache starts up
 without complaint. But I would rather not leave it disabled.

 Thanks,
 Tim



 --
 regards

 Harold Toms
 http://iodine.chem.qmul.ac.uk
 Priestley's works... tended to unsettle every thing, and yet settled
 nothing.
 - Samuel Johnson.





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Tim Dunphy

 That's because there's already a zabbix module loaded (the message isn't
 very informative!). I forgot that the received wisdom is to insert my in
 front of one's own modules i.e.:
 grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
 semodule -i myzabbix.pp



Hmm no luck there either:

[root@monitor2:~] #semodule -i myzabbix.pp
*semodule:  Failed on myzabbix.pp!*

I also tried:

[root@monitor2:~] #semodule -i my_zabbix
semodule:  Failed on my_zabbix!

And

[root@monitor2:~] #semodule -i my-zabbix
semodule:  Failed on my-zabbix!

Just in case.. none of that worked.


Got any other ideas? :)

Tim


On Wed, Jun 17, 2015 at 11:24 AM, Harold Toms h.t...@qmul.ac.uk wrote:

 On 17/06/15 15:27, Tim Dunphy wrote:

 Try something like:
 grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
 semodule -i zabbix.pp



 Thanks for your response! However this is what happens when I try to
 install the module:

   [root@monitor2:~] #semodule -i zabbix.pp
 libsepol.print_missing_requirements: zabbix's global requirements were not
 met: type/attribute zabbix_t (No such file or directory).
 libsemanage.semanage_link_sandbox: Link packages failed (No such file or
 directory).
 semodule:  Failed!


 Any other thoughts?

 Thanks,
 Tim



 That's because there's already a zabbix module loaded (the message isn't
 very informative!). I forgot that the received wisdom is to insert my in
 front of one's own modules i.e.:

 grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
 semodule -i myzabbix.pp



 --
 regards

 Harold Toms
 http://iodine.chem.qmul.ac.uk
 Priestley's works... tended to unsettle every thing, and yet settled
 nothing.
 - Samuel Johnson.





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] selinux allow apache log access

2015-06-17 Thread Tim Dunphy

 What turns up in myzabbix.te?


Same deal. :(

#semodule -i myzabbix.te
semodule:  Failed on myzabbix.te!


sigh... but thanks any other clues?

On Wed, Jun 17, 2015 at 11:42 AM, Harold Toms h.t...@qmul.ac.uk wrote:

 On 17/06/15 16:29, Tim Dunphy wrote:

 That's because there's already a zabbix module loaded (the message isn't
 very informative!). I forgot that the received wisdom is to insert my
 in
 front of one's own modules i.e.:
 grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
 semodule -i myzabbix.pp



 Hmm no luck there either:

 [root@monitor2:~] #semodule -i myzabbix.pp
 *semodule:  Failed on myzabbix.pp!*

 I also tried:

 [root@monitor2:~] #semodule -i my_zabbix
 semodule:  Failed on my_zabbix!

 And

 [root@monitor2:~] #semodule -i my-zabbix
 semodule:  Failed on my-zabbix!

 Just in case.. none of that worked.


 Got any other ideas? :)

 Tim


  What turns up in myzabbix.te?


 --
 regards

 Harold Toms
 http://iodine.chem.qmul.ac.uk
 Priestley's works... tended to unsettle every thing, and yet settled
 nothing.
 - Samuel Johnson.





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] selinux allow apache log access

2015-06-16 Thread Tim Dunphy
Hey guys,

 I have a centos 7 machine I'm using as a zabbix server. And I noticed that
apache won't start, with this complaint in the error log:

(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log.
AH00015: Unable to open logs


I tried having a look at audit2allow and this is the response I get back:

[root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow


#= httpd_t ==
allow httpd_t zabbix_log_t:file open;

How can I turn that bit of information into a rule that allows apache
access to this zabbix log file?

I notice that if I disable selinux using setenforce 0, apache starts up
without complaint. But I would rather not leave it disabled.

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
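
The two SELinux threads above (the zabbix log denial and the puppet certificate denial) turn on the same two checks: what the source and target types in the AVC record say, and whether the name given to audit2allow -M is already taken by a loaded module. The Python below is an added example, not code from any post in the thread; the sample records and module list are constructed (the first record is the puppet denial quoted earlier, rejoined onto one line), and treating nfs_t on a named block device as a carried-over label is a heuristic assumed here.

```python
import re

# Constructed sample input. Record 1 is the puppet denial from the thread,
# rejoined onto one line. Record 2 is constructed to match the
# "allow httpd_t zabbix_log_t:file open;" output (pid, inode, timestamp are
# placeholders).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for  pid=3558 comm=ruby path=/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt dev=vda1 ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(0000000000.000:1): avc:  denied  { open } for  pid=1 comm="httpd" path="/var/log/zabbix_error_log" dev="vda1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file
"""

# Constructed stand-in for `semodule -l` output (name, then version).
SAMPLE_SEMODULE_L = "apache\t2.7.2\npuppet\t1.4.0\nzabbix\t1.6.0\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that usually mean "this file has the wrong label", so the fix is a
# relabel rather than a new allow rule (heuristic, assumed for this example).
CARRIED_TYPES = {"default_t", "unlabeled_t", "user_home_t", "tmp_t"}
# Network filesystems show up in AVC records as an anonymous "major:minor" dev.
ANON_DEV = re.compile(r"^\d+:\d+$")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Decide between relabelling the target and writing an allow rule."""
    ttype, dev = rec["ttype"], rec.get("dev", "")
    # nfs_t on a local block device (e.g. vda1) means the label travelled
    # with the file when it was copied from the NFS share.
    nfs_label_on_local_disk = ttype == "nfs_t" and not ANON_DEV.match(dev)
    if ttype in CARRIED_TYPES or nfs_label_on_local_disk:
        return ("relabel", f"restorecon -v {rec.get('path', '<path>')}")
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {rec['stype']} {ttype}:{rec.get('tclass', 'file')} {perm_str};"
    return ("allow", rule)


def local_module_name(wanted, semodule_l_output):
    """Prefix 'my' until the name no longer collides with a loaded module."""
    loaded = {ln.split()[0] for ln in semodule_l_output.splitlines() if ln.strip()}
    name = wanted
    while name in loaded:
        name = "my" + name
    return name


def review(log_text):
    """Triage every denial found in the given audit log text."""
    records = (parse_avc(line) for line in log_text.splitlines())
    return [triage(rec) for rec in records if rec is not None]


if __name__ == "__main__":
    for action, detail in review(SAMPLE_AUDIT_LOG):
        print(f"{action:8} {detail}")
    for wanted in ("zabbix", "puppet"):
        print(f"audit2allow -M {local_module_name(wanted, SAMPLE_SEMODULE_L)}")
```
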


Re: [CentOS] exclude directory from rsync

2015-06-09 Thread Tim Dunphy
Hey guys,

 Thanks for your input! Both examples you gave worked, and I'll do some
reading on the suggested subjects!! Just a heads up that it worked. I
appreciate the clarification!

Thanks,
Tim

On Tue, Jun 9, 2015 at 1:45 AM, Gordon Messmer gordon.mess...@gmail.com
wrote:

 On 06/08/2015 10:12 PM, Tim Dunphy wrote:

 I'm trying to do an rsync of the entire /var directory, but exclude just
 the /var/www directory.

 ...

 rsync -avzp --exclude-from=/var/www /var/ /mnt/var/


 --exclude-from takes a filename as an argument.  That filename is expected
 to contain a list of patterns to exclude.

  rsync -avzp --exclude=/var/www /var/ /mnt/var/


 If your exclude pattern begins with '/', then it matches a filename
 immediately within the transfer root.  So in this case, /var/var/www.

 Read the FILTER RULES and INCLUDE/EXCLUDE PATTERN RULES sections of
 the manual.

 Try:

 rsync -avzp --exclude=/www /var/ /mnt/var/






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] exclude directory from rsync

2015-06-08 Thread Tim Dunphy
hey guys,

I'm trying to do an rsync of the entire /var directory, but exclude just
the /var/www directory.

 So far I've tried these approaches:

rsync -avzp --exclude-from=/var/www /var/ /mnt/var/

rsync -avzp --exclude=/var/www /var/ /mnt/var/

But neither has worked. Can I get a suggestion on how to get this to happen?

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] could not insert 'fuse' error on CentOS 7.1

2015-06-08 Thread Tim Dunphy
Cool! Thanks Eero. I'll check this out.

Best regards,
Tim

Sent from my iPhone

 On Jun 8, 2015, at 12:06 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
 
 This looks good: https://github.com/juliogonzalez/s3fs-fuse-rpm
 
 Eero
 On 7.6.2015 at 4.23 PM, Tim Dunphy bluethu...@gmail.com wrote:
 
 
 Centos 7 base repo contains fuse, use it. it works. handcompiling
 packages
 to centos is *really* stupid, without proper knowledge..
 
 
 Thanks, you're right. The Centos 7 package works.
 
 [root@ops ~]# lsmod | grep fuse
 fuse   87661  1
 
 My final goal is to install s3fs. Funny how all the tutorials I've found
 out there tell you to compile both fuse and s3fs under centos  ubuntu.
 That may be necessary for s3fs, because so far I haven't found it in any of
 the repositories I use. Generally like epel, rpmforge, remi and a few
 others.
 
 Anyone know of a repo that includes s3fs?
 
 Thanks,
 Tim
 
 On Sun, Jun 7, 2015 at 4:39 AM, Eero Volotinen eero.voloti...@iki.fi
 wrote:
 
 Centos 7 base repo contains fuse, use it. it works. handcompiling
 packages
 to centos is *really* stupid, without proper knowledge..
 
 eero
 
 2015-06-07 10:06 GMT+03:00 Александр Кириллов nevis...@infoline.su:
 
 I've tried googling this to no avail!!
 
 
 Have you tried The young mechanics mailing list yet?
 And have a look at Gentoo Linux (http://www.gentoo.org). It might suit
 your needs better.
 
 
 
 
 
 
 --
 GPG me!!
 
 gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] could not insert 'fuse' error on CentOS 7.1

2015-06-07 Thread Tim Dunphy

 Centos 7 base repo contains fuse, use it. it works. handcompiling packages
 to centos is *really* stupid, without proper knowledge..


Thanks, you're right. The Centos 7 package works.

[root@ops ~]# lsmod | grep fuse
fuse   87661  1

My final goal is to install s3fs. Funny how all the tutorials I've found
out there tell you to compile both fuse and s3fs under centos  ubuntu.
That may be necessary for s3fs, because so far I haven't found it in any of
the repositories I use. Generally like epel, rpmforge, remi and a few
others.

Anyone know of a repo that includes s3fs?

Thanks,
Tim

On Sun, Jun 7, 2015 at 4:39 AM, Eero Volotinen eero.voloti...@iki.fi
wrote:

 Centos 7 base repo contains fuse, use it. it works. handcompiling packages
 to centos is *really* stupid, without proper knowledge..

 eero

 2015-06-07 10:06 GMT+03:00 Александр Кириллов nevis...@infoline.su:

  I've tried googling this to no avail!!
 
 
  Have you tried The young mechanics mailing list yet?
  And have a look at Gentoo Linux (http://www.gentoo.org). It might suit
  your needs better.
 
 




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] could not insert 'fuse' error on CentOS 7.1

2015-06-06 Thread Tim Dunphy
Hey guys,

 I tried installing the latest fuse on CentOS 7.1. I downloaded the latest
version (2.9.4) from sourceforge and did a source install. After rebooting
the host, now when I go modprobe fuse, this is what I get!

*modprobe: ERROR: could not insert 'fuse': Unknown symbol in module, or
unknown parameter (see dmesg)*

If I tail dmesg this is all I see, but it doesn't seem relevant:

[root@ops:~] #dmesg | tail
[3.342679] input: PC Speaker as /devices/platform/pcspkr/input/input4
[3.351981] piix4_smbus :00:01.3: SMBus base address uninitialized -
upgrade BIOS or use force_addr=0xaddr
[3.502014] ppdev: user-space parallel port driver
[3.539306] AES CTR mode by8 optimization enabled
[3.590103] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
[3.635925] alg: No test for crc32 (crc32-pclmul)
[3.659506] type=1305 audit(1433643281.958:4): audit_pid=472 old=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[4.084861] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[9.575888] systemd-journald[393]: Received request to flush runtime
journal from PID 1
[   10.702056] Adjusting xen more than 11% (9436999 vs 9311354)

Has anyone out there encountered this error with fuse and been able to
overcome it?

I've tried googling this to no avail!!

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] nginx conflicting server name ignored warning

2015-06-01 Thread Tim Dunphy
Guys,

 I'm getting a strange warning whenever I do a config test or a restart of
nginx 1.0.15

[root@aoadbld00032lb nginx]# nginx -t
nginx: [warn] conflicting server name aoadbld00032lb.company.com on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name logs.pcf.company.com on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And as far as I can tell I only have one server_name directive in the whole
config:

[root@aoadbld00032lb nginx]# grep -r server_name *
conf.d/kibana.conf:server_name   aoadbld00032lb.company.com logs.pcf.company.com;
fastcgi_params:fastcgi_param  SERVER_NAME        $server_name;
scgi_params:scgi_param  SERVER_NAME        $server_name;
uwsgi_params:uwsgi_param  SERVER_NAME        $server_name;

It's more of an annoyance than any kind of real problem, as far as I can
tell. Because the site I'm trying to put up with it appears to be working.
I'm using this host as a logstash server.

But does anybody have any ideas as to why this may be happening? Or of any
potential problems that this may cause?

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] specify port on check_memcached.pl

2015-05-24 Thread Tim Dunphy
Hey guys,


I'm trying to use check_memcached.pl to monitor a couple of memcached services
running on two ports.


I have my command definition setup like this:

# 'check_memcached' command definition
define command {
        command_name    check_memcached
        command_line    $USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$
}

And I have my service definitions setup like this:

# Define a service to check memcached on web1 (just the basics for right now).
define service{
        use                     local-service ; Name of service template to use
        host_name               web1
        service_description     Check Memcached 11211
        contact_groups          linux-admins
        check_command           check_memcached!web1.example.com!11211
        notifications_enabled   1
}

# Define a service to check memcached on web1 (just the basics for right now).
define service{
        use                     local-service ; Name of service template to use
        host_name               web1
        service_description     Check Memcached 11212
        contact_groups          linux-admins
        check_command           check_memcached!web1.example.com!11212
        notifications_enabled   1
}

And if I run both checks manually they succeed:

[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl  -H web1.example.com -p 11211
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11211, up 22 minutes 52 seconds

[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl  -H web1.example.com -p 11212
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11212, up 12 minutes 2 seconds

Yet, in my nagios web interface, I'm getting this error:


Check Memcached 11211
https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11211
CRITICAL   05-24-2015 14:28:31   0d 0h 10m 19s   4/4
CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0

Check Memcached 11212
https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11212
CRITICAL   05-24-2015 14:29:12   0d 0h 11m 8s   4/4
CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0


I thought I could specify the command in the service definition like this:

check_memcached!web1.example.com!11211

To reproduce the command as it's executed on the command line. How can I
specify the port correctly here?


Thanks,

Tim


-- 

GPG me!!


gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] nagios check_local_disk failing

2015-05-14 Thread Tim Dunphy

 [root@nagios plugins]# ./check_disk -w 20 -c 10 -p / -x
 ./check_disk: option requires an argument -- 'x'
 Unknown argument
 Usage:
  check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
 [-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
 [-t timeout] [-u unit] [-v] [-X type]
 [root@nagios plugins]# ./check_disk -w 20 -c 10 -p /
 DISK OK - free space: / 20848 MB (92% inode=97%);|
 /=1670MB;23711;23721;0;23731


Thanks for the tip! That worked. :-)

On Thu, May 14, 2015 at 7:33 AM, Tris Hoar trish...@bgfl.org wrote:

 On 14/05/2015 02:42, Tim Dunphy wrote:

 Hey all,

 I have a local disk check defined which is giving me an error:

 Current Status: UNKNOWN (for 0d 0h 1m 38s)
 Status Information: Unknown argument
 Usage:
 check_disk -w limit -c limit [-W limit] [-K limit] {-p path
 Performance Data: -x device} [-C] [-E] [-e] [-f] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type] [-N type] [-n]

 I have a local check setup like this in the server's config:

 define service{
         use                     local-service ; Name of service template to use
         host_name               monitor1
         service_description     Root Partition
         check_command           check_local_disk!20%!10%!/
         }

 It's attempting to do a local disk check on the nagios server itself. Not
 an NRPE check.

 This is the command definition:

 # 'check_local_disk' command definition
 define command{
         command_name    check_local_disk
         command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$
         }

 Can someone please tell me where I'm going wrong?

 Thanks,
 Tim


 You need to remove the 4th argument if you are not using it

 [root@nagios plugins]# ./check_disk -w 20 -c 10 -p / -x
 ./check_disk: option requires an argument -- 'x'
 Unknown argument
 Usage:
  check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
 [-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
 [-t timeout] [-u unit] [-v] [-X type]
 [root@nagios plugins]# ./check_disk -w 20 -c 10 -p /
 DISK OK - free space: / 20848 MB (92% inode=97%);|
 /=1670MB;23711;23721;0;23731

 Tris






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] nagios check_local_disk failing

2015-05-13 Thread Tim Dunphy
Hey all,

I have a local disk check defined which is giving me an error:

Current Status: UNKNOWN (for 0d 0h 1m 38s)
Status Information: Unknown argument
Usage:
check_disk -w limit -c limit [-W limit] [-K limit] {-p path
Performance Data: -x device} [-C] [-E] [-e] [-f] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type] [-N type] [-n]

I have a local check setup like this in the server's config:

define service{
        use                     local-service ; Name of service template to use
        host_name               monitor1
        service_description     Root Partition
        check_command           check_local_disk!20%!10%!/
        }

It's attempting to do a local disk check on the nagios server itself. Not
an NRPE check.

This is the command definition:

# 'check_local_disk' command definition
define command{
        command_name    check_local_disk
        command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$
        }

Can someone please tell me where I'm going wrong?

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
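
Both Nagios problems above (check_memcached reporting port 0, and check_disk rejecting a dangling -x) come down to how $ARGn$ macros are filled from the !-separated check_command. The Python below is an added example, not part of any post in the thread: a simplified model of that expansion run against the definitions quoted in the two posts. The helper names and the $USER1$ path are assumptions, and the single-argument check_command tried at the end is one possible correction that the thread itself does not confirm.

```python
import re
import shlex

MACRO = re.compile(r"\$([A-Z0-9_]+)\$")

# Values taken from the posts: the libexec path the checks were run from and
# the address shown in the CRITICAL message. $USER1$ is assumed to point there.
HOST_MACROS = {"USER1": "/usr/local/nagios/libexec", "HOSTADDRESS": "162.243.60.6"}

MEMCACHED_LINE = "$USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$"
DISK_LINE = "$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$"
DISK_LINE_FIXED = "$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"


def expand(check_command, command_line, macros):
    """Model Nagios filling $ARGn$ from a '!'-separated check_command.

    Text before the first '!' is the command name; each following field
    becomes $ARG1$, $ARG2$, ... A macro with no value expands to an empty
    string, which is what leaves an option without its argument.
    """
    _name, *args = check_command.split("!")
    values = dict(macros)
    for n, arg in enumerate(args, start=1):
        values[f"ARG{n}"] = arg
    return MACRO.sub(lambda m: values.get(m.group(1), ""), command_line)


def problems(expanded, value_opts, numeric_opts=()):
    """List options that ended up with a missing or non-numeric value."""
    argv = shlex.split(expanded)
    found = []
    for i, tok in enumerate(argv):
        if tok not in value_opts:
            continue
        val = argv[i + 1] if i + 1 < len(argv) else None
        if val is None or val.startswith("-"):
            found.append(f"{tok} has no value")
        elif tok in numeric_opts and not val.isdigit():
            found.append(f"{tok} expects a number, got {val!r}")
    return found


def check(check_command, command_line, value_opts, numeric_opts=()):
    """Expand one service check and return (expanded line, problems)."""
    line = expand(check_command, command_line, HOST_MACROS)
    return line, problems(line, value_opts, numeric_opts)


if __name__ == "__main__":
    cases = [
        # As posted: the hostname lands in $ARG1$, so -p receives a hostname.
        ("check_memcached!web1.example.com!11211", MEMCACHED_LINE, {"-H", "-p"}, {"-p"}),
        # Assumed correction: pass only the port, since -H uses $HOSTADDRESS$.
        ("check_memcached!11211", MEMCACHED_LINE, {"-H", "-p"}, {"-p"}),
        # As posted: three arguments, four $ARGn$ macros, so -x is left empty.
        ("check_local_disk!20%!10%!/", DISK_LINE, {"-w", "-c", "-p", "-x"}, ()),
        # The fix given in the reply: drop the unused fourth argument.
        ("check_local_disk!20%!10%!/", DISK_LINE_FIXED, {"-w", "-c", "-p", "-x"}, ()),
    ]
    for check_command, line, opts, numeric in cases:
        expanded, found = check(check_command, line, opts, numeric)
        print(check_command)
        print("  ->", expanded)
        print("  ", found or "ok")
```
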


Re: [CentOS] appdynamics php agent prevented by SELinux

2015-05-12 Thread Tim Dunphy
Hi Jason,


 This means SELinux is ON in a kind of testing mode. It is only reporting
 what would be blocked and not enforcing anything. So the messages are
 basically informing you that you WILL have problems IF you enable enforcing
 mode.
 Checking AppDynamic PHP agent it does not support SELinux (which is
 insanely poor for the license cost!) so best you can do is ignore the
 messages. It may be better to contact their support channels for help too
 rather than here if you need any more.
 Disabling SELinux completely should stop the messages appearing
 completely, though I advise against anything but enforcing mode



OK thanks. That makes complete sense. I do plan on enabling SELinux
enforcing mode soon! And I find it more than a little surprising that the
appdynamics php agent won't support SELinux. I'll have to bring this up to
them, we have a pretty big account with them.

Thanks!
Tim

On Tue, May 12, 2015 at 1:47 AM, Jason Woods de...@jasonwoods.me.uk wrote:


  On 12 May 2015, at 03:39, Tim Dunphy bluethu...@gmail.com wrote:
 *  Plugin catchall_labels (83.8
  confidence) suggests   ***...
  May 11 22:31:38 web1 python[14832]: SELinux is preventing
  /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on
  the capability2 Unknown.

  Why is that odd? Well mainly because I have SELinux off at the moment.
 
  [root@web1:~] #getenforce 0
  Permissive

 This means SELinux is ON in a kind of testing mode. It is only reporting
 what would be blocked and not enforcing anything. So the messages are
 basically informing you that you WILL have problems IF you enable enforcing
 mode.

 Checking AppDynamic PHP agent it does not support SELinux (which is
 insanely poor for the license cost!) so best you can do is ignore the
 messages. It may be better to contact their support channels for help too
 rather than here if you need any more.

 Disabling SELinux completely should stop the messages appearing
 completely, though I advise against anything but enforcing mode.

 Jason




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] firewalld trouble opening a port

2015-05-11 Thread Tim Dunphy

 Just remember that the permanent command doesn't add the rule immediately,
 so it doesn't take effect *until* you reload.
 you can also do this:
 # firewall-cmd --zone=home --add-port=8181/tcp
 # add other stuff
 Test that everything works right
 # firewall-cmd --runtime-to-permanent
 That way, if you screw something up, you can simply reload (or reboot) to
 fix it.



That's a very excellent point! I'll have to remember that. I've read a few
guides on how to use firewall-cmd on CentOS 7, but I haven't seen this tip
mentioned anywhere!

So thanks for pointing that out!

On Mon, May 11, 2015 at 9:18 AM, Bowie Bailey bowie_bai...@buc.com wrote:

 On 5/9/2015 3:24 PM, Tim Dunphy wrote:

 Hi Earl,

  The problem is you added the rule in runtime and when you reloaded it
 removed the rule that you added; therefore you need to use --permanent
 or
 do not reload.

 Thanks! That worked.

 [root@appd:~] #firewall-cmd --zone=home --list-ports
 [root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp --permanent
 success
 [root@appd:~] #firewall-cmd --reload
 success
 [root@appd:~] #firewall-cmd --zone=home --list-ports
 8181/tcp


 Just remember that the permanent command doesn't add the rule immediately,
 so it doesn't take effect *until* you reload.

 you can also do this:

 # firewall-cmd --zone=home --add-port=8181/tcp
 # add other stuff
 Test that everything works right
 # firewall-cmd --runtime-to-permanent

 That way, if you screw something up, you can simply reload (or reboot) to
 fix it.

 --
 Bowie





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] appdynamics php agent prevented by SELinux

2015-05-11 Thread Tim Dunphy

 That's a rather odd (personally, I think bad) place for a log (or
 even logfile lock) and I'm not at all surprised that selinux is
 keeping your application from writing there. I would check to see if
 there is a setup/configuration option for your application to put
 the log files and related in a more standard location (/var/log,
 /var/run), where it is less likely to run into an issue.


Yeah I agree that it's an unusual place to store log files. However I'm not
aware of any way to change that location since it's an RPM install. Maybe a
source install is possible. I'll do some googling.



 This isn't really a C7-specific issue/problem.


Yeah that's right. I said that poorly. I had just been dealing with an
issue with systemctl prior to that which was due to it being a C7 machine.
But really only because I had been using systemctl.

What I'm most curious about is how Apache is reporting SELinux problems
whether or not SELinux is enabled. Like I said earlier, if I have SELinux
set to off, you still see those kind of messages relating to SELinux when
you do a status on httpd.

Odd.  One thing I did try was to do a restorecon -R -v
/usr/lib/appdynamics-php5/.

Since it might not be easy to change paths I was hoping to find a way to
solve this using SELinux.. Does anyone else have any suggestions on how to
solve this?

Thanks,
Tim

On Sun, May 10, 2015 at 10:20 PM, Richard 
lists-cen...@listmail.innovate.net wrote:



  Original Message 
  Date: Sunday, May 10, 2015 09:02:11 PM -0400
  From: Tim Dunphy bluethu...@gmail.com
 
  Hey guys,
 
  I've got another C7 problem I was hoping to solve. I
  installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.
 
  It's failing to communicate with its controller on another host.
  And this is the interesting part. Whether or not I have SELinux
  enabled, I have apache reporting SELinux problems.
 
  [root@web1:~] #getenforce
  Permissive
 
  May 10 20:47:56 web1 python[25735]: SELinux is preventing
  /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on
  the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
 
  *  Plugin catchall (100.

 That's a rather odd (personally, I think bad) place for a log (or
 even logfile lock) and I'm not at all surprised that selinux is
 keeping your application from writing there. I would check to see if
 there is a setup/configuration option for your application to put
 the log files and related in a more standard location (/var/log,
 /var/run), where it is less likely to run into an issue.

 This isn't really a C7-specific issue/problem.






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] appdynamics php agent prevented by SELinux

2015-05-11 Thread Tim Dunphy

 If rpm is configured for _that_ location of log files, I would remove the
 repository this rpm comes from from configuration and will remember to
 never-never ever use that repository for anything.

 Just my $0.02


Yeah I completely get where you're coming from there. However it's not an
RPM from a repo. I downloaded the rpm from the appdynamics site itself.
While it may be easy to say well then just don't use appdynamics!  That's
not a luxury I have. My company uses it and I need to get up to speed on
how to work with it. So that's why I'm trying out this experiment.

Thanks,
Tim

On Mon, May 11, 2015 at 11:22 AM, Valeri Galtsev galt...@kicp.uchicago.edu
wrote:


 On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote:
 
  That's a rather odd (personally, I think bad) place for a log (or
  even logfile lock) and I'm not at all surprised that selinux is
  keeping your application from writing there. I would check to see if
  there is a setup/configuration option for your application to put
  the log files and related in a more standard location (/var/log,
  /var/run), where it is less likely to run into an issue.
 
 
  Yeah I agree that it's an unusual place to store log files. However I'm
  not
  aware of any way to change that location since it's an RPM install.

 If rpm is configured for _that_ location of log files, I would remove the
 repository this rpm comes from from configuration and will remember to
 never-never ever use that repository for anything.

 Just my $0.02

 Valeri

  Maybe
  a
  source install is possible. I'll do some googling.
 
 
 
  This isn't really a C7-specific issue/problem.
 
 
  Yeah that's right. I said that poorly. I had just been dealing with an
  issue with systemctl prior to that which was due to it being a C7
  machine.
  But really only because I had been using systemctl.
 
  What I'm most curious about is how Apache is reporting SELinux problems
  whether or not SELinux is enabled. Like I said earlier, if I have SELinux
  set to off, you still see those kind of messages relating to SELinux when
  you do a status on httpd.
 
  Odd.  One thing I did try was to do a restorecon -R -v
  /usr/lib/appdynamics-php5/.
 
  Since it might not be easy to change paths I was hoping to find a way to
  solve this using SELinux.. Does anyone else have any suggestions on how
 to
  solve this?
 
  Thanks,
  Tim
 
  On Sun, May 10, 2015 at 10:20 PM, Richard 
  lists-cen...@listmail.innovate.net wrote:
 
 
 
   Original Message 
   Date: Sunday, May 10, 2015 09:02:11 PM -0400
   From: Tim Dunphy bluethu...@gmail.com
  
   Hey guys,
  
   I've got another C7 problem I was hoping to solve. I
   installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.
  
   It's failing to communicate with its controller on another host.
   And this is the interesting part. Whether or not I have SELinux
   enabled, I have apache reporting SELinux problems.
  
   [root@web1:~] #getenforce
   Permissive
  
   May 10 20:47:56 web1 python[25735]: SELinux is preventing
   /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on
   the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
  
   *  Plugin catchall (100.
 
  That's a rather odd (personally, I think bad) place for a log (or
  even logfile lock) and I'm not at all surprised that selinux is
  keeping your application from writing there. I would check to see if
  there is a setup/configuration option for your application to put
  the log files and related in a more standard location (/var/log,
  /var/run), where it is less likely to run into an issue.
 
  This isn't really a C7-specific issue/problem.
 
 
 
 
 
 
  --
  GPG me!!
 
  gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
 


 
 Valeri Galtsev
 Sr System Administrator
 Department of Astronomy and Astrophysics
 Kavli Institute for Cosmological Physics
 University of Chicago
 Phone: 773-702-4247
 




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] appdynamics php agent prevented by SELinux

2015-05-11 Thread Tim Dunphy
 is preventing
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from setattr
access on the file runProxy.template.

*  Plugin catchall_labels (83.8
confidence) suggests   ***...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/sbin/httpd
from setattr access on the directory logging.

*  Plugin catchall_labels (83.8
confidence) suggests   ***...
May 11 22:31:43 web1 python[14832]: SELinux is preventing
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from write access
on the file agent.log.lck.

*  Plugin catchall_labels (83.8
confidence) suggests   ***...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /usr/sbin/httpd
from append access on the file agent.log.

*  Plugin catchall_labels (83.8
confidence) suggests   ***...

Why is that odd? Well mainly because I have SELinux off at the moment.

[root@web1:~] #getenforce 0
Permissive

I also tried a restorecon -R -v /opt/AppDynamics. But even after doing that
the SELinux errors in the output of systemctl status httpd are still
happening.

And if I take a look at the SELinux permissions on that directory, this is
what I have:

[root@web1:~] #ls -lZ /opt/ | grep -i appd
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   AppDynamics

[root@web1:~] #ls -lZ /opt/AppDynamics/
drwxrwxr-x. apache apache unconfined_u:object_r:usr_t:s0
appdynamics-php-agent
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   var

Anyone have any ideas on how I can beat this problem?

Thanks!!
Tim

On Mon, May 11, 2015 at 3:08 PM, m.r...@5-cent.us wrote:

 Tim Dunphy wrote:
 
  If rpm is configured for _that_ location of log files, I would remove
  the
  repository this rpm comes from from configuration and will remember to
  never-never ever use that repository for anything.
 
  Just my $0.02
 
  Yeah I completely get where you're coming from there. However it's not an
  RPM from a repo. I downloaded the rpm from the appdynamics site itself.
  While it may be easy to say well then just don't use appdynamics!
  That's not a luxury I have. My company uses it and I need to get up to
 speed on
  how to work with it. So that's why I'm trying out this experiment.

 No, that's called bug report, or enhancement request.

   mark and is done by amateurs, or 'subject matter experts', who
  think they know how to do the computer side





-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] mariadb fails to start under C7

2015-05-10 Thread Tim Dunphy
Actually, the systemctl command is:

   systemctl start mysql.service

from the systemctl show output it looks like this actually calls
the /etc/rc.d/init.d/mysql file for start/stop/reload, which seems
backwards.

It appears that mariadb is trying to be a total drop-in replacement
to mysql, so all the paths/files, etc., e.g., in the ps output, are
mysql not mariadb -- so it's tricky to have them both installed.

By the way, you can use things like:

   systemctl list-units

(and likely more efficient approaches) to find the systemctl command

 naming.





By gum! That seems to have done it!! Thank you very much for those tips!

[root@nfsdb1 ~]# systemctl list-units | grep -i mysql
mysql.service                loaded active running   LSB: start and stop MySQL

[root@nfsdb1 ~]#  systemctl start mysql.service

[root@nfsdb1 ~]# lsof -i :3306
COMMAND PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  839 mysql   16u  IPv6  15270  0t0  TCP *:mysql (LISTEN)

And then I just ran mysql_secure_install and now I can log into the DB!

Thanks so much for the help! The CentOS list rocks!!

Tim


On Sun, May 10, 2015 at 5:11 PM, Richard lists-cen...@listmail.innovate.net
 wrote:



  Original Message 
  Date: Sunday, May 10, 2015 01:20:34 PM -0700
  From: John R Pierce pie...@hogranch.com
 
  On 5/10/2015 1:04 PM, Earl A Ramirez wrote:
  Did a little Googling [0] and I saw that they recommend starting
  it as follows:
 
  /etc/init.d/mysql start
 
  which is old school sysVinit style.
 
  my guess is, you'll need to fix up a systemd service description
  file, like /usr/lib/systemd/system/mariadb.service

 Actually, the systemctl command is:

systemctl start mysql.service

 from the systemctl show output it looks like this actually calls
 the /etc/rc.d/init.d/mysql file for start/stop/reload, which seems
 backwards.

 It appears that mariadb is trying to be a total drop-in replacement
 to mysql, so all the paths/files, etc., e.g., in the ps output, are
 mysql not mariadb -- so it's tricky to have them both installed.

 By the way, you can use things like:

systemctl list-units

 (and likely more efficient approaches) to find the systemctl command
 naming.






-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] appdynamics php agent prevented by SELinux

2015-05-10 Thread Tim Dunphy
Hey guys,

I've got another C7 problem I was hoping to solve. I
installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.

It's failing to communicate with its controller on another host. And this
is the interesting part. Whether or not I have SELinux enabled, I have
apache reporting SELinux problems.

[root@web1:~] #getenforce
Permissive

May 10 20:47:56 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:47:56 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:47:57 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:47:58 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:48:00 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:48:01 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:49:16 web1 python[25952]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:49:17 web1 python[25952]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:53:14 web1 python[26609]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...
May 10 20:53:15 web1 python[26609]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

*  Plugin catchall (100.
confidence) suggests   **...

So I enabled SELinux and started troubleshooting with audit2why.

[root@web1:~] #setenforce 1
[root@web1:~] #getenforce
Enforcing

And I'm seeing messages like these:

[root@web1:~] #grep appd /var/log/audit/audit.log | audit2why -w

type=AVC msg=audit(1431305820.292:393420): avc:  denied  { write } for
 pid=27289 comm=java
path=/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp
dev=vda ino=965852 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to
allow this access.

The part I am stuck on is using audit2allow to generate a loadable module
that can allow this.

Can anyone spare any pointers on how to do that?

Thanks!
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] mariadb fails to start under C7

2015-05-10 Thread Tim Dunphy
Hey all,

 I just installed MariaDB version 10 from the mariadb repositories under a
CentOS 7 host.

 The install went fine!

[root@nfsdb1 ~]# rpm -qa | grep -i mariadb
MariaDB-common-10.0.19-1.el7.centos.x86_64
MariaDB-server-10.0.19-1.el7.centos.x86_64
MariaDB-client-10.0.19-1.el7.centos.x86_64
MariaDB-shared-10.0.19-1.el7.centos.x86_64

However, when I go to start up the service, I'm getting this error:

[root@nfsdb1 ~]# systemctl start mariadb.service
Failed to issue method call: Unit mariadb.service failed to load: No such
file or directory.

Can someone please let me know how to start this up?

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] mariadb fails to start under C7

2015-05-10 Thread Tim Dunphy
Hi Earl,

I think I found your problem, you do not have the correct package installed

[root@c7-db1 ~]# rpm -qa | grep maria
mariadb-libs-5.5.41-2.el7_0.x86_64
mariadb-server-5.5.41-2.el7_0.x86_64
mariadb-5.5.41-2.el7_0.x86_64
[root@c7-db1 ~]#

Install the mariadb-x package and you should be able to start the service

Thanks. While I could go with mariadb 5, the goal I had in mind was mariadb
10. They're pretty different and 10 is more advanced. Push comes to shove,
however I could go with 5.

And to Hal.. yeah you can use service mariadb start (assuming everything
you need is there). But systemctl is the preferred method under CentOS 7.

[root@nfsdb1 ~]# service mariadb start
Redirecting to /bin/systemctl start  mariadb.service
Failed to issue method call: Unit mariadb.service failed to load: No such
file or directory.

I guess I'll wait to see if anyone has any ideas on getting MariaDB 10
working. I've already googled this to no avail. If nothing turns up on the
list or if I can't find anything, I'll just go with MariaDB 5.

Thanks,
Tim

On Sun, May 10, 2015 at 3:11 PM, Earl A Ramirez earlarami...@gmail.com
wrote:

 Hello Tim,

 On 10 May 2015 at 14:47, Tim Dunphy bluethu...@gmail.com wrote:

  Hey all,
 
   I just installed MariaDB version 10 from the mariadb repositories under
 a
  CentOS 7 host.
 
   The install went fine!
 
  [root@nfsdb1 ~]# rpm -qa | grep -i mariadb
  MariaDB-common-10.0.19-1.el7.centos.x86_64
  MariaDB-server-10.0.19-1.el7.centos.x86_64
  MariaDB-client-10.0.19-1.el7.centos.x86_64
  MariaDB-shared-10.0.19-1.el7.centos.x86_64
 
  However, when I go to start up the service, I'm getting this error:
 
  [root@nfsdb1 ~]# systemctl start mariadb.service
  Failed to issue method call: Unit mariadb.service failed to load: No such
  file or directory.
 
  Can someone please let me know how to start this up?
 
  Thanks,
  Tim
 
  --
  GPG me!!
 
  gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
 


 I think I found your problem, you do not have the correct package installed

 [root@c7-db1 ~]# rpm -qa | grep maria
 mariadb-libs-5.5.41-2.el7_0.x86_64
 mariadb-server-5.5.41-2.el7_0.x86_64
 mariadb-5.5.41-2.el7_0.x86_64
 [root@c7-db1 ~]#

 Install the mariadb-x package and you should be able to start the service

 --
 Kind Regards
 Earl Ramirez




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] firewalld trouble opening a port

2015-05-09 Thread Tim Dunphy
Hey all,

 I'm having a little trouble opening up a port on a C7 machine.

 Here's the default zone:

[root@appd:~] #firewall-cmd --get-default-zone
home

So I try to add the port:

[root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
success

Then I reload firewalld:

[root@appd:~] #firewall-cmd --reload
success

Simple! That should do it. Right? Well not quite.

Cuz when I telnet to that host on that port, it's not connecting:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx... ---obscuring the real IP
telnet: connect to address xx.xx.xx.xx: Connection refused
telnet: Unable to connect to remote host

Yet, that port is definitely listening on the host:

[root@appd:~] #lsof -i :8181
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper (LISTEN)


And if I stop the firewall momentarily :

I can telnet to that port from a remote location:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

Of course I bring up the firewall right away once I'm done testing:

[root@appd:~] #systemctl start firewalld
[root@appd:~] #systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
 Main PID: 18826 (firewalld)
   CGroup: /system.slice/firewalld.service
   └─18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall
daemon.

Any ideas on what I'm doing wrong?

Thanks,
Tim
-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] firewalld trouble opening a port

2015-05-09 Thread Tim Dunphy
Hi Earl,

The problem is you added the rule in runtime and when you reloaded it
removed the rule that you added; therefore you need to use --permanent or
do not reload.

Thanks! That worked.

[root@appd:~] #firewall-cmd --zone=home --list-ports
[root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp --permanent
success
[root@appd:~] #firewall-cmd --reload
success
[root@appd:~] #firewall-cmd --zone=home --list-ports
8181/tcp

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

On Sat, May 9, 2015 at 3:14 PM, Earl A Ramirez earlarami...@gmail.com
wrote:

 On 9 May 2015 at 14:57, Tim Dunphy bluethu...@gmail.com wrote:

  Hey all,
 
   I'm having a little trouble opening up a port on a C7 machine.
 
   Here's the default zone:
 
  [root@appd:~] #firewall-cmd --get-default-zone
  home
 
  So I try to add the port:
 
  [root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
  success
 
  Then I reload firewalld:
 
  [root@appd:~] #firewall-cmd --reload
  success
 
  Simple! That should do it. Right? Well not quite.
 
  Cuz when I telnet to that host on that port, it's not connecting:
 
  #telnet appd.mydomain.com 8181
  Trying xx.xx.xx.xx... ---obscuring the real IP
  telnet: connect to address xx.xx.xx.xx: Connection refused
  telnet: Unable to connect to remote host
 
  Yet, that port is definitely listening on the host:
 
  [root@appd:~] #lsof -i :8181
  COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
  java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper (LISTEN)
 
 
  And if I stop the firewall momentarily :
 
  I can telnet to that port from a remote location:
 
  #telnet appd.mydomain.com 8181
  Trying xx.xx.xx.xx...
  Connected to appd.mydomain.com.
  Escape character is '^]'.
 
  Of course I bring up the firewall right away once I'm done testing:
 
  [root@appd:~] #systemctl start firewalld
  [root@appd:~] #systemctl status firewalld
  firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
 Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
   Main PID: 18826 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork
 --nopid
 
  May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall
  daemon.
 
  Any ideas on what I'm doing wrong?
 
  Thanks,
  Tim
  --
  GPG me!!
 
  gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
 

 I saw that you are doing firewall-cmd --reload; however you did not have the
 following:

 firewall-cmd --permanent --zone=home --add-port=8181/tcp

 The problem is you added the rule in runtime and when you reloaded it
 removed the rule that you added; therefore you need to use --permanent or
 do not reload.

 Let me know if this helps.


 --
 Kind Regards
 Earl Ramirez




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
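
The runtime/permanent split described in this thread (a runtime `--add-port` disappears on `--reload`, a `--permanent` one is inactive until `--reload`) can be checked by comparing the two port lists. This is an added example, not code from the thread; `port_diff`, `drift_report` and `live_drift` are hypothetical helper names and the port lists in the demo are constructed.

```shell
#!/bin/sh
# Added example: report drift between firewalld runtime and permanent ports.

# port_diff A B: print the entries of list A that are missing from list B.
# Both arguments are whitespace-separated "port/proto" entries, which is the
# form `firewall-cmd --list-ports` prints.
port_diff() {
    printf '%s\n' "$2" | WANT="$1" awk '
        { for (i = 1; i <= NF; i++) have[$i] = 1 }
        END {
            n = split(ENVIRON["WANT"], w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) print w[i]
        }' | sort -u
}

# drift_report RUNTIME PERMANENT
#   runtime-only   : open now, gone after --reload or a reboot
#   permanent-only : saved, but not active until --reload
drift_report() {
    port_diff "$1" "$2" | sed 's/^/runtime-only /'
    port_diff "$2" "$1" | sed 's/^/permanent-only /'
}

# live_drift ZONE: the same report against a running firewalld (needs root).
live_drift() {
    zone=$1
    drift_report "$(firewall-cmd --zone="$zone" --list-ports)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-ports)"
}

# Demo on constructed states that mirror the commands in the thread.
echo "after --add-port=8181/tcp (runtime only):"
drift_report "8181/tcp" ""
echo "after --add-port=8181/tcp --permanent, before --reload:"
drift_report "" "8181/tcp"
echo "after --reload (no drift expected):"
drift_report "8181/tcp" "8181/tcp"
```

An empty report from `live_drift home` means the running rules and the saved rules agree, which is the state to confirm before and after any `--reload`.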


Re: [CentOS] can't disable tcp6 on centos 7

2015-05-04 Thread Tim Dunphy

 On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:

  Rather than a yum install. If I install the nrpe package from yum I don't
  find a check_nrpe script on the system for some reason!
 That's because the 'check_nrpe' command isn't in the nrpe package.
 It's in the nagios-plugins-nrpe package.  The executable is installed,
 along side all other nagios check commands, as
 /usr/lib64/nagios/plugins/check_nrpe.



Got it!! Thanks Johnathan!! I'll make sure I take a note of that. I'd
rather use packages on a regular basis rather than source code installs.

Thanks,
Tim

On Mon, May 4, 2015 at 9:33 AM, Jonathan Billings billi...@negate.org
wrote:

 On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:
  Rather than a yum install. If I install the nrpe package from yum I don't
  find a check_nrpe script on the system for some reason!

 That's because the 'check_nrpe' command isn't in the nrpe package.
 It's in the nagios-plugins-nrpe package.  The executable is installed,
 along side all other nagios check commands, as
 /usr/lib64/nagios/plugins/check_nrpe.

 --
 Jonathan Billings billi...@negate.org




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


[CentOS] can't disable tcp6 on centos 7

2015-05-03 Thread Tim Dunphy
hey all,

 I tried disabling tcp v6 on a C7 box this way:

[root@puppet:~] #cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an
/etc/sysctl.d/name.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1


Then going:

 [root@puppet:~] #sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1


Then I restarted xinetd for good measure:

[root@puppet:~] #systemctl restart xinetd
[root@puppet:~] #

Because I'm trying to hit nrpe on this host.

Yet, xinetd/nrpe still seems to be listening on TCP v6!!

[root@puppet:~] #netstat -tulpn | grep -i listen | grep xinetd
tcp6       0      0 :::5666                 :::*                    LISTEN      2915/xinetd

This is a CentOS 7.1 box:

[root@puppet:~] #cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

What am I doing wrong? I need to be able to disable tcpv6 completely!

Thanks
Tim



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] can't disable tcp6 on centos 7

2015-05-03 Thread Tim Dunphy

 It's listening on both IPv6 and IPv4.  Specifically, why is that a problem?


The central problem seems to be that the monitoring host can't hit nrpe on
port 5666 UDP.

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
puppet.mydomain.com
CHECK_NRPE: Socket timeout after 10 seconds.

It is listening on the puppet host on port 5666

[root@puppet:~] #lsof -i :5666
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:nrpe (LISTEN)

And the firewall is allowing that port:

[root@puppet:~] #firewall-cmd --list-ports
5666/udp

But if I check the port using nmap

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.012s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

That port is closed despite the port being allowed on the firewall.

So I thought that the problem was that xinetd was listening to port 5666
only on tcp v6. And when the monitoring host hits the puppet host using tcp
v4 it can't because only tcp v6 is active on that port.

You mention that it's listening on both tcp v4 and v6. But I only see v6 in
that output. How are you determining that?

It's a problem because the port does not appear to be open from the
monitoring host:

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe



 You could add ipv6.disable=1 to your kernel args.

What am I doing wrong? I need to be able to disable tcpv6 completely!


Worth a shot!

On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer gordon.mess...@gmail.com
wrote:

 On 05/03/2015 02:18 PM, Tim Dunphy wrote:

 Yet, xinetd/nrpe still seems to be listening on TCP v6!!


 It's listening on both IPv6 and IPv4.  Specifically, why is that a problem?

  What am I doing wrong? I need to be able to disable tcpv6 completely!


 You could add ipv6.disable=1 to your kernel args.






Re: [CentOS] can't disable tcp6 on centos 7

2015-05-03 Thread Tim Dunphy

 is it working on localhost or not???!!! it could be selinux problem also,
 if context is not correct.


It's working on localhost:

[root@puppet:~] #telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I notice if I stop the firewall on the puppet host (for no more than 2
seconds) and hit NRPE from the monitoring host it works:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
puppet.mydomain.com
NRPE v2.15

But as soon as the firewall has been enabled on the puppet host (a
microsecond later) I get this result:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
puppet.mydomain.com
connect to address 216.120.xxx.xxx port 5666: No route to host
connect to host puppet.mydomain.com port 5666: No route to host

And nmap from the monitoring host tells me that the port is closed:

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 23:20 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

Back on the puppet host I verify that the port is open for UDP:

[root@puppet:~] #firewall-cmd --list-ports
5666/udp

That should be right AFAIK.

 Can anybody tell me what I'm doing wrong ?

Thanks
Tim







On Sun, May 3, 2015 at 6:59 PM, Eero Volotinen eero.voloti...@iki.fi
wrote:

 is it working on localhost or not???!!! it could be selinux problem also,
 if context is not correct.

 --
 Eero







Re: [CentOS] can't disable tcp6 on centos 7

2015-05-03 Thread Tim Dunphy
Eero,

where did you installed this nrpe package? is selinux running enforcing
 mode (getenforce command), try disabling with setenforce 0. why you are
 running it under xinetd as usual way is to run it as nrped daemon.


For NRPE I usually do a source install with these flags:

./configure
make all
make install-plugin
make install-daemon
make install-daemon-config
make install-xinetd

Rather than a yum install. If I install the nrpe package from yum I don't
find a check_nrpe script on the system for some reason!

I demonstrate this on another system than the ones I've been working with
in this thread:

[root@monitor1:~] #rpm -qa | grep nrpe | grep -v mcollective
nrpe-2.15-2.el7.x86_64

[root@monitor1:~] #find / -name check_nrpe
[root@monitor1:~] #


So I'm more comfortable with a source install.

test against with check_nrpe, not using telnet.


I actually solved the problem by adding the port to tcp instead of udp on
the puppet host:

firewall-cmd --permanent  --add-port=5666/tcp

Then from the monitoring host:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
puppet.mydomain.com
NRPE v2.15

 So it's all good at this point. I'm not sure why the instructions I
followed said to open up the port under UDP.. Had I just done what I did I
would have saved a lot of trouble..

Thanks for the input guys!! I'm glad the problem is solved now.

On Sun, May 3, 2015 at 7:31 PM, Eero Volotinen eero.voloti...@iki.fi
wrote:

 Tim,

 where did you installed this nrpe package? is selinux running enforcing
 mode (getenforce command), try disabling with setenforce 0. why you are
 running it under xinetd as usual way is to run it as nrped daemon.

 test against with check_nrpe, not using telnet.

 --
 Eero

 2015-05-04 2:27 GMT+03:00 Stephen Harris li...@spuddy.org:

  On Sun, May 03, 2015 at 07:23:19PM -0400, Tim Dunphy wrote:
   [root@puppet:~] #telnet localhost 5666
 
  This is using TCP
 
   [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
  ...
   5666/tcp filtered nrpe
 
  This is using TCP
 
   Back on the puppet host I verify that the port is open for UDP:
 
  So why are you opening a UDP port?
 
  --
 
  rgds
  Stephen




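The fix in the message above came down to a protocol mismatch: xinetd was listening on 5666/tcp while firewalld had only 5666/udp open. As an added example (not part of the thread), this script compares `netstat -tuln` rows with `firewall-cmd --list-ports` output and flags that case; the function name, verdict labels and sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: cross-check listening sockets against firewalld's port list.
# Limitation: ports opened through a firewalld service or rich rule, and port
# ranges such as 5000-5010/tcp, are not plain port entries and are not handled.

# Constructed sample: `netstat -tuln` style rows from the monitored host.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::5666                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed samples: `firewall-cmd --list-ports` before and after the fix.
SAMPLE_FW_BEFORE='5666/udp 123/udp'
SAMPLE_FW_AFTER='5666/tcp 123/udp'

# audit_listeners LISTENERS FW_PORTS
# Prints one line per listening port/protocol:
#   OK        firewall opens the same port and protocol
#   MISMATCH  firewall opens the port number, but only for another protocol
#   CLOSED    firewall has no entry for the port number at all
audit_listeners() {
    printf '%s\n' "$1" | FW_PORTS="$2" awk '
    BEGIN {
        n = split(ENVIRON["FW_PORTS"], entry, /[ \t\n]+/)
        for (i = 1; i <= n; i++)
            if (split(entry[i], pp, "/") == 2)
                opened[pp[1]] = opened[pp[1]] " " pp[2]
    }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)      # tcp6 is still TCP for firewalld
        port = $4;  sub(/^.*:/, "", port)     # ":::5666" and "0.0.0.0:5666" -> 5666
        key = port "/" proto
        if (seen[key]++) next                 # IPv4 and IPv6 rows count once
        if (!(port in opened))
            print key " CLOSED firewall=none"
        else if (index(opened[port] " ", " " proto " "))
            print key " OK"
        else
            print key " MISMATCH firewall=" substr(opened[port], 2)
    }'
}

if [ "${1:-}" = "--live" ]; then
    # Run against the real host (needs netstat and firewall-cmd on PATH).
    audit_listeners "$(netstat -tuln)" "$(firewall-cmd --list-ports)"
else
    echo "before:"; audit_listeners "$SAMPLE_LISTENERS" "$SAMPLE_FW_BEFORE"
    echo "after:";  audit_listeners "$SAMPLE_LISTENERS" "$SAMPLE_FW_AFTER"
fi
```

`firewall-cmd --list-ports` reports the runtime configuration, so a port added with `--permanent` appears there only after `firewall-cmd --reload`.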


Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-02 Thread Tim Dunphy

 And I made sure the local firewall was stopped, because I am blocking
 ports
 with the security groups instead.


 As an aside, I wouldn't do this unless running in a VPC as there are
 other hosts in the general cloud and many are malicious.


Hmmm... you make an excellent point! I picked up this habit from an AWS
shop I used to work at. But what you just said will make me reconsider!



 It's only when checking from the monitoring host that nrpe fails:


 Check /var/log/messages to see if xinetd says anything.


I tailed /var/log/messages while hitting the client with check_nrpe from
the monitoring host. However, that didn't cause an entry in the messages
log.


 Also nrpe needs
 to be told from where connections are allowed whether running under an
 inetd or self-daemonized.


Yep! I've set the only_from to have only the loopback address and the IP
for the monitoring host in /etc/xinetd.d/npre.



 Also check the NRPE reviews on exchange.nagios.org, where the issue is
 discussed.


Cool! Thanks. I'll check it out, and see if I can find anything useful.

I appreciate the input!

Also I really appreciate the ongoing dialog with the community on this
issue. I'm grasping at straws at this point. And all the attempts at help
have been really great! I hope we can still get to the bottom of this!

Tim

On Sat, May 2, 2015 at 11:45 AM, Mark Milhollan m...@pixelgate.net wrote:

 On Fri, 1 May 2015, Tim Dunphy wrote:

 And I made sure the local firewall was stopped, because I am blocking
 ports
 with the security groups instead.

 As an aside, I wouldn't do this unless running in a VPC as there are
 other hosts in the general cloud and many are malicious.

 It's only when checking from the monitoring host that nrpe fails:

 Check /var/log/messages to see if xinetd says anything.  Also nrpe needs
 to be told from where connections are allowed whether running under an
 inetd or self-daemonized.

 Also check the NRPE reviews on exchange.nagios.org, where the issue is
 discussed.


 /mark






Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-02 Thread Tim Dunphy

 Not just /var/log/messages.  Doesn't nrpe have a log file?  Maybe even
 secure.


Hmmm I don't find any log specific to nrpe. In other words I don't see
/var/log/nrpe.log or whatever. :)

And when I tail -f /var/log/secure or /var/log/messages I don't see any
entries turning up in them when I hit the client with check_nrpe. I was
checking the logs on the client itself.



  Also nrpe needs to be told from where connections are allowed whether
  running under an inetd or self-daemonized.
 
 Yep! I've set the only_from to have only the loopback address and the IP
 for the monitoring host in /etc/xinetd.d/npre.




 Not the xinetd config, the nrpe config (too).


H. but the nrpe.confg file is ignored in the case of allowed hosts.
From the nrpe config:

# NOTE: This option is ignored if NRPE is running under either inetd or
xinetd

allowed_hosts=127.0.0.1

Thanks for the input tho, I genuinely appreciate it!

On Sat, May 2, 2015 at 4:05 PM, Mark Milhollan m...@pixelgate.net wrote:

 On Sat, 2 May 2015, Tim Dunphy wrote:

 It's only when checking from the monitoring host that nrpe fails:
 Check /var/log/messages to see if xinetd says anything.
 
 I tailed /var/log/messages while hitting the client with check_nrpe from
 the monitoring host. However, that didn't cause an entry in the messages
 log.

 Not just /var/log/messages.  Doesn't nrpe have a log file?  Maybe even
 secure.

  Also nrpe needs to be told from where connections are allowed whether
  running under an inetd or self-daemonized.
 
 Yep! I've set the only_from to have only the loopback address and the IP
 for the monitoring host in /etc/xinetd.d/npre.

 Not the xinetd config, the nrpe config (too).


 /mark






Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-01 Thread Tim Dunphy
Hi Eric,


 NRPE: Error receiving data from daemon
 Seems as this is not a SSL Problem. Do you have a nagios user account? Cat
 /etc/passwd




Yep! Both hosts have nagios user accounts.


Demonstrating from the client:

[root@ops:~] #id nagios
uid=2002(nagios) gid=2002(nagios) groups=2002(nagios),2008(nagioscmd)


And this is from the monitoring server:

[root@monitor1:~] #id nagios
uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd)

I do notice a slight difference in the user id and group id numbers.  But I
don't think that could be causing any issue. Does anyone else disagree?

I might want to standardize user accounts at some point however.

Thanks!
Tim


On Fri, May 1, 2015 at 1:03 PM, Eric Lehmann e.lehman...@gmail.com wrote:

 Hi

 NRPE: Error receiving data from daemon

 Seems as this is not a SSL Problem. Do you have a nagios user account? Cat
 /etc/passwd

Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-01 Thread Tim Dunphy

 Oh my mistake. I mean nrpe without parameters. It should say something
 about SSL/TLS active or so.
 You could test nrpe without SSL. Use nrpe -n - H host



This is what I see about ssl if I just run nrpe on the client without any
flags:

[root@ops:~] #nrpe| head -8

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nag...@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

And if I go back to the monitoring host and try to run nrpe with the -n
flag, this is what I get:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -n -H
ops.jokefire.com
*CHECK_NRPE: Error receiving data from daemon.*

And still getting the SSL error without the -n flag:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
*CHECK_NRPE: Error - Could not complete SSL handshake.*

Running nmap from the monitor host I can see that the nrpe port is open:

[root@monitor1:~] #nmap -p 5666 ops.jokefire.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-01 12:38 EDT
Nmap scan report for ops.jokefire.com (54.225.218.125)
Host is up (0.011s latency).
rDNS record for 54.225.218.125: ec2-54-225-218-125.compute-1.amazonaws.com
PORT STATE SERVICE
*5666/tcp open  nrpe*

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Yet if I try telnetting to it, it connects, then closes the connection
immediately:

[root@monitor1:~] #telnet ops.jokefire.com 5666
Trying 54.225.218.125...
*Connected to ops.jokefire.com.*
Escape character is '^]'.
*Connection closed by foreign host.*

Going back to the ops host that I want to monitor, I can verify that the
port is listening:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root    5u  IPv4   4063       TCP *:nrpe (LISTEN)


And I can verify that the nrpe conf is owned by the nagios user and group:

[root@ops:~] #ls -l /usr/local/nagios/etc/nrpe.cfg
-rw-r--r-- 1 nagios nagios 7988 May  1 00:37 /usr/local/nagios/etc/nrpe.cfg

I think that covers all your suggestions. Except for Eero's suggestion to
try running nrpe without xinetd. I can try to get to that later, but I may
not have time for that suggestion today. But as I demonstrate above, the
problem is not that nrpe isn't listening.

This remains a really odd situation. Does anyone else have any clues?

Thanks,
Tim



On Fri, May 1, 2015 at 7:43 AM, Eric Lehmann e.lehman...@gmail.com wrote:

 Oh my mistake. I mean nrpe without parameters. It should say something
 about SSL/TLS active or so.
 You could test nrpe without SSL. Use nrpe -n - H host
 On 01.05.2015 13:18, Eero Volotinen eero.voloti...@iki.fi wrote:

  well. how about trying default setting and running nrped without xinetd.
 
  --
  Eero
 

Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-01 Thread Tim Dunphy
Hi Brian,

Does iptables -L show anything of note?


 I'm leaving iptables off in this host. Because it's an AWS EC2 host I'm
managing the firewall ports using the AWS security groups.

[root@ops:~] #service iptables status
Firewall is stopped.

But still, there's this...

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Sadly :(

Thanks for your input tho!

On Fri, May 1, 2015 at 3:18 PM, Brian Miller cen...@fullnote.com wrote:

 On Fri, 2015-05-01 at 01:32 -0400, Tim Dunphy wrote:
  And I made sure the local firewall was stopped, because I am blocking
  ports
  with the security groups instead.
 
  [root@ops:~] #service iptables status
  Firewall is stopped.

 Does iptables -L show anything of note?







Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-01 Thread Tim Dunphy
Hi Brian,

Does 'ldd /usr/local/nagios/bin/nrpe' show any missing libs?


Well, the NRPE binary looks good both on the client and the server from
what I can tell:


Client:

[root@ops:~] #ldd /usr/local/nagios/bin/nrpe
libssl.so.6 = /lib64/libssl.so.6 (0x2aaba000)
libcrypto.so.6 = /lib64/libcrypto.so.6 (0x2ad08000)
libnsl.so.1 = /lib64/libnsl.so.1 (0x2b05a000)
libwrap.so.0 = /lib64/libwrap.so.0 (0x2b273000)
libc.so.6 = /lib64/libc.so.6 (0x2b47c000)
libgssapi_krb5.so.2 = /usr/lib64/libgssapi_krb5.so.2
(0x2b7d5000)
libkrb5.so.3 = /usr/lib64/libkrb5.so.3 (0x2ba04000)
libcom_err.so.2 = /lib64/libcom_err.so.2 (0x2bc99000)
libk5crypto.so.3 = /usr/lib64/libk5crypto.so.3 (0x2be9b000)
libdl.so.2 = /lib64/libdl.so.2 (0x2c0c1000)
libz.so.1 = /lib64/libz.so.1 (0x2c2c5000)
/lib64/ld-linux-x86-64.so.2 (0x4000)
libkrb5support.so.0 = /usr/lib64/libkrb5support.so.0
(0x2c4d9000)
libkeyutils.so.1 = /lib64/libkeyutils.so.1 (0x2c6e2000)
libresolv.so.2 = /lib64/libresolv.so.2 (0x2c8e4000)
libselinux.so.1 = /lib64/libselinux.so.1 (0x2cafa000)
libsepol.so.1 = /lib64/libsepol.so.1 (0x2cd12000)


And server:

[root@monitor1:~] #ldd /usr/local/nagios/bin/nrpe
linux-vdso.so.1 =  (0x7fffd000)
libssl.so.10 = /lib64/libssl.so.10 (0x7fdd5159)
libcrypto.so.10 = /lib64/libcrypto.so.10 (0x7fdd511a9000)
libnsl.so.1 = /lib64/libnsl.so.1 (0x7fdd50f8f000)
libc.so.6 = /lib64/libc.so.6 (0x7fdd50bce000)
libgssapi_krb5.so.2 = /lib64/libgssapi_krb5.so.2
(0x7fdd50982000)
libkrb5.so.3 = /lib64/libkrb5.so.3 (0x7fdd5069e000)
libcom_err.so.2 = /lib64/libcom_err.so.2 (0x7fdd5049a000)
libk5crypto.so.3 = /lib64/libk5crypto.so.3 (0x7fdd50268000)
libdl.so.2 = /lib64/libdl.so.2 (0x7fdd50063000)
libz.so.1 = /lib64/libz.so.1 (0x7fdd4fe4d000)
/lib64/ld-linux-x86-64.so.2 (0x7fdd51806000)
libkrb5support.so.0 = /lib64/libkrb5support.so.0
(0x7fdd4fc3e000)
libkeyutils.so.1 = /lib64/libkeyutils.so.1 (0x7fdd4fa39000)
libresolv.so.2 = /lib64/libresolv.so.2 (0x7fdd4f81f000)
libpthread.so.0 = /lib64/libpthread.so.0 (0x7fdd4f603000)
libselinux.so.1 = /lib64/libselinux.so.1 (0x7fdd4f3dd000)
libpcre.so.1 = /lib64/libpcre.so.1 (0x7fdd4f17c000)
liblzma.so.5 = /lib64/liblzma.so.5 (0x7fdd4ef57000)

Both look completely fine! No missing libs. But thanks for the suggestion
tho! Definitely not a bad idea to rule that out!


Thanks,
Tim

On Fri, May 1, 2015 at 4:58 PM, Brian Miller cen...@fullnote.com wrote:

 On Fri, 2015-05-01 at 15:28 -0400, Tim Dunphy wrote:
  Hi Brian,
 
  Does iptables -L show anything of note?
 
 
   I'm leaving iptables off in this host. Because it's an AWS EC2 host I'm
  managing the firewall ports using the AWS security groups.
 
  [root@ops:~] #service iptables status
  Firewall is stopped.
 
  But still, there's this...
 
  [root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
 ops.jokefire.com
  CHECK_NRPE: Error - Could not complete SSL handshake.
 
  Sadly :(
 
  Thanks for your input tho!

 Does 'ldd /usr/local/nagios/bin/nrpe' show any missing libs?








Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-01 Thread Tim Dunphy
 This is strange...
 Do you have SSL active on both systems? Run nrpr locally without parameters
 (this should return some nrpe stats) and check ldd for libssl.


I don't seem to have that command.


[root@monitor1:~] #find / -name *nrpr 2> /dev/null
[root@monitor1:~] #

And that's on either system.

 And if I do an ldd on both, this is what I can tell:

Server:

[root@monitor1:~] #ldd /usr/local/nagios/libexec/check_nrpe
linux-vdso.so.1 =  (0x7fffd895d000)
   * libssl.so.10 = /lib64/libssl.so.10 (0x7fc61722a000)*
*libcrypto.so.10 = /lib64/libcrypto.so.10 (0x7fc616e43000)*
libnsl.so.1 = /lib64/libnsl.so.1 (0x7fc616c29000)
libc.so.6 = /lib64/libc.so.6 (0x7fc616868000)
libgssapi_krb5.so.2 = /lib64/libgssapi_krb5.so.2
(0x7fc61661c000)
libkrb5.so.3 = /lib64/libkrb5.so.3 (0x7fc616338000)
libcom_err.so.2 = /lib64/libcom_err.so.2 (0x7fc616134000)
libk5crypto.so.3 = /lib64/libk5crypto.so.3 (0x7fc615f02000)
libdl.so.2 = /lib64/libdl.so.2 (0x7fc615cfd000)
libz.so.1 = /lib64/libz.so.1 (0x7fc615ae7000)
/lib64/ld-linux-x86-64.so.2 (0x7fc6174a)
libkrb5support.so.0 = /lib64/libkrb5support.so.0
(0x7fc6158d8000)
libkeyutils.so.1 = /lib64/libkeyutils.so.1 (0x7fc6156d3000)
libresolv.so.2 = /lib64/libresolv.so.2 (0x7fc6154b9000)
libpthread.so.0 = /lib64/libpthread.so.0 (0x7fc61529d000)
libselinux.so.1 = /lib64/libselinux.so.1 (0x7fc615077000)
libpcre.so.1 = /lib64/libpcre.so.1 (0x7fc614e16000)
liblzma.so.5 = /lib64/liblzma.so.5 (0x7fc614bf1000)


Client:

[root@ops:~] #ldd /usr/local/nagios/libexec/check_nrpe
   * libssl.so.6 = /lib64/libssl.so.6 (0x2aaba000)*
*libcrypto.so.6 = /lib64/libcrypto.so.6 (0x2ad08000)*
libnsl.so.1 = /lib64/libnsl.so.1 (0x2b05a000)
libc.so.6 = /lib64/libc.so.6 (0x2b273000)
libgssapi_krb5.so.2 = /usr/lib64/libgssapi_krb5.so.2
(0x2b5cc000)
libkrb5.so.3 = /usr/lib64/libkrb5.so.3 (0x2b7fa000)
libcom_err.so.2 = /lib64/libcom_err.so.2 (0x2ba9)
libk5crypto.so.3 = /usr/lib64/libk5crypto.so.3 (0x2bc92000)
libdl.so.2 = /lib64/libdl.so.2 (0x2beb7000)
libz.so.1 = /lib64/libz.so.1 (0x2c0bc000)
/lib64/ld-linux-x86-64.so.2 (0x4000)
libkrb5support.so.0 = /usr/lib64/libkrb5support.so.0 (0x0
0002c2d)
libkeyutils.so.1 = /lib64/libkeyutils.so.1 (0x2c4d8000)
libresolv.so.2 = /lib64/libresolv.so.2 (0x2c6db000)
libselinux.so.1 = /lib64/libselinux.so.1 (0x2c8f)
libsepol.so.1 = /lib64/libsepol.so.1 (0x2cb09000)


So it looks like everything is OK from the SSL end of things. Any other
ideas or suggestions?

Thanks
Tim

On Fri, May 1, 2015 at 5:46 AM, Eric Lehmann e.lehman...@gmail.com wrote:

 This is strange...
 Do you have SSL active on both systems? Run nrpr locally without parameters
 (this should return some nrpe stats) and check ldd for libssl.

[CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-04-30 Thread Tim Dunphy
Hello,

 I am trying to monitor a host in the Amazon EC2 cloud.

Yet when I try to check NRPE from the monitoring host I am getting an SSL
handshake error:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

And if I telnet into the host on port 5666 to see if the FW port is open,
the connection closes right away:

[root@monitor1:~] #telnet ops.somewhere.com 5666
Trying 54.225.218.125...
Connected to ops.somewhere.com.
Escape character is '^]'.
Connection closed by foreign host.

You can see there it connects, but then it closes immediately after the
connection.

 I have NRPE running on the host I want to monitor:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root    5u  IPv4   4063       TCP *:nrpe (LISTEN)

And I have the IP of my nagios server listed in the xinetd conf file:

[root@ops:~] #cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags           = REUSE
socket_type     = stream
port            = 5666
wait            = no
user            = nagios
group           = nagios
server          = /usr/local/nagios/bin/nrpe
server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure  += USERID
disable         = no
only_from       = 127.0.0.1 xx.xx.xx.xx   # - representing my real nagios server IP
}



And I have my default security group for that host open on port 5666 to the
world for this experiment.  I plan on locking that down again to the single
IP of my monitoring host once I get this resolved.

Does anyone have any suggestions on how I can get that problem solved?

Thanks,
Tim



Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-04-30 Thread Tim Dunphy
Hi Eric,

 Thanks for your reply. I do have nrpe running under xinetd on the host I'm
trying to monitor.

 And running the nrpe check locally:

[root@ops:~] #/usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.15

[root@ops:~] #grep only_from /etc/xinetd.d/nrpe
only_from   = 127.0.0.1 216.120.248.126

And I do have port 5666 open on the security group for this host.

And I made sure the local firewall was stopped, because I am blocking ports
with the security groups instead.

[root@ops:~] #service iptables status
Firewall is stopped.

It's only when checking from the monitoring host that nrpe fails:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Really, really puzzling. This is driving me up a wall!! I hope I can solve
this soon

Thanks for any and all help with this one!!
Tim

On Fri, May 1, 2015 at 1:02 AM, Eric Lehmann e.lehman...@gmail.com wrote:

 Hi
 Does the daemon run under xinetd? Then you have to configure the only_from
 in /etc/xinetd.d/nrpe too.

 Regards
 Eric
 Am 01.05.2015 06:46 schrieb Tim Dunphy bluethu...@gmail.com:

  Hello,
 
   I am trying to monitor a host in the Amazon EC2 cloud.
 
  Yet when I try to check NRPE from the monitoring host I am getting an SSL
  handshake error:
 
  [root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H
  ops.jokefire.com
  CHECK_NRPE: Error - Could not complete SSL handshake.
 
  And if I telnet into the host on port 5666 to see if the FW port is open,
  the connection closes right away:
 
  [root@monitor1:~] #telnet ops.somewhere.com 5666
  Trying 54.225.218.125...
  Connected to ops.somewhere.com.
  Escape character is '^]'.
  Connection closed by foreign host.
 
  You can see there it connects, but then it closes immediately after the
  connection.
 
   I have NRPE running on the host I want to monitor:
 
  [root@ops:~] #lsof -i :5666
  COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
  xinetd  1434 root    5u  IPv4   4063       TCP *:nrpe (LISTEN)
 
  And I have the IP of my nagios server listed in the xinetd conf file:
 
  [root@ops:~] #cat /etc/xinetd.d/nrpe
  # default: on
  # description: NRPE (Nagios Remote Plugin Executor)
  service nrpe
  {
  flags           = REUSE
  socket_type     = stream
  port            = 5666
  wait            = no
  user            = nagios
  group           = nagios
  server          = /usr/local/nagios/bin/nrpe
  server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
  log_on_failure  += USERID
  disable         = no
  only_from       = 127.0.0.1 xx.xx.xx.xx   # - representing my real nagios server IP
  }
 
 
 
  And I have my default security group for that host open on port 5666 to the
  world for this experiment.  I plan on locking that down again to the single
  IP of my monitoring host once I get this resolved.
 
  Does anyone have any suggestions on how I can get that problem solved?
 
  Thanks,
  Tim
 


[CentOS] can't install gd-devel on centos 7.1

2015-04-26 Thread Tim Dunphy
Hey guys,


I'm trying to install gd-devel onto a CentOS 7 host.

-- Finished Dependency Resolution
Error: Package: gd-last-devel-2.1.1-2.el7.remi.x86_64 (remi)
   Requires: libvpx-devel(x86-64)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

But when I try to do that I get the error you see above.

These are the repos I have installed and enabled:

repo id                                            repo name                         status
epel/x86_64                                        Extra Packages for Enterprise      7,718
puppetlabs-deps/x86_64                             Puppet Labs Dependencies El 7         17
puppetlabs-products/x86_64                         Puppet Labs Products El 7 - x        162
remi                                               Les RPM de remi pour Enterpri      1,928
rhui-REGION-client-config-server-7/x86_64          Red Hat Update Infrastructure          4
rhui-REGION-rhel-server-releases/7Server/x86_64    Red Hat Enterprise Linux Serv      6,851
rhui-REGION-rhel-server-rh-common/7Server/x86_64   Red Hat Enterprise Linux Serv        131
rpmforge                                           RHEL 7Server - RPMforge.net -        245
webtatic/x86_64                                    Webtatic Repository EL7 - x86        519

I originally had nothing more than the base CentOS repo enabled. Along with
the puppetlabs repo and epel when I first encountered this error. But then
I tried adding some repos to find out if I could find the needed package in
any of them.

The package that it seems to be complaining about not having  is
called: libvpx-devel(x86-64)

But when I try to install that this is the result I get:

[root@monitor1:~] #yum install libvpx-devel
Loaded plugins: amazon-id, rhui-lb
No package libvpx-devel available.
Error: Nothing to do

Does anybody have any ideas on how I can get around this problem? I only
want to install gd-devel. Seems like it should be so simple! But not in
this case. :(

Thanks!!
Tim



Re: [CentOS] can't install gd-devel on centos 7.1

2015-04-26 Thread Tim Dunphy

 Commercial rhel split repos weird way. so, this user might need to enable
 some more redhat repos using subscription-manager or similar.


Hmm yeah guys. Sorry for the obvious screw up! Not much was done on this
host yet. Actually it's a free tier t-2 on AWS. So I think I'll just trash
it and start up an **actual** CentOS host and try again.

Gotta learn to be in less of a hurry... ;)

Thanks anyways!

Tim

On Sun, Apr 26, 2015 at 6:52 PM, Eero Volotinen eero.voloti...@iki.fi
wrote:

 2015-04-27 1:30 GMT+03:00 John R Pierce pie...@hogranch.com:

  On 4/26/2015 1:54 PM, Tim Dunphy wrote:
 
  Hey guys,
 
 
  I'm trying to install gd-devel onto a CentOS 7 host.
 
  -- Finished Dependency Resolution
  Error: Package: gd-last-devel-2.1.1-2.el7.remi.x86_64 (remi)
  Requires: libvpx-devel(x86-64)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
 
  But when I try to do that I get the error you see above.
 
  These are the repos I have installed and enabled:
 
  repo id                                            repo name                         status
  epel/x86_64                                        Extra Packages for Enterprise      7,718
  puppetlabs-deps/x86_64                             Puppet Labs Dependencies El 7         17
  puppetlabs-products/x86_64                         Puppet Labs Products El 7 - x        162
  remi                                               Les RPM de remi pour Enterpri      1,928
  rhui-REGION-client-config-server-7/x86_64          Red Hat Update Infrastructure          4
  rhui-REGION-rhel-server-releases/7Server/x86_64    Red Hat Enterprise Linux Serv      6,851
  rhui-REGION-rhel-server-rh-common/7Server/x86_64   Red Hat Enterprise Linux Serv        131
  rpmforge                                           RHEL 7Server - RPMforge.net -        245
  webtatic/x86_64                                    Webtatic Repository EL7 - x86        519
 
  I originally had nothing more than the base CentOS repo enabled. Along with
  the puppetlabs repo and epel when I first encountered this error. But then
  I tried adding some repos to find out if I could find the needed package in
  any of them.
 
 
  As others said, that RHUI stuff suggests licensed redhat subscriptions,
  NOT centos.
 
  here's a stock centos 7.1, that only has EPEL enabled.
 
  # cat /etc/redhat-release
  CentOS Linux release 7.1.1503 (Core)
 

 Commercial rhel split repos weird way. so, this user might need to enable
 some more redhat repos using subscription-manager or similar.

 --
 Eero


[CentOS] bash script fails conditional test

2015-04-19 Thread Tim Dunphy
Hey all,

 I wrote a very basic script to determine if cassandra db is running. I'm
setting a variable called 'pid' to the output of a ps | grep like to grab
the pid of the cassandra process.

#!/bin/bash
pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')

if [[ -e $pid ]]
then
  echo Cassandra is running with pid: $pid
else
  echo Cassandra is DOWN!!!
fi

But for some reason the script doesn't realize that the pid variable has
been set, and fails the condition. It then reports that Cassandra is
DOWN!!!.

[root@web1:~] #sh -x ./bin/check-cass.sh
++ ps -ef
++ grep -v grep
++ grep -i -v -e grep -e screen -e s3fs
++ awk '{print $2}'
++ grep cassandra
+ pid=26979
+ [[ -e 26979 ]]
+ echo 'Cassandra is DOWN!!!'
Cassandra is DOWN!!!

Can anybody tell me where I'm going wrong here? Because from what I can
see, clearly the pid variable is being set so the script should be
reporting that cassandra is up!

I'd appreciate any advice you may have.


Thanks,
Tim



Re: [CentOS] bash script fails conditional test

2015-04-19 Thread Tim Dunphy

 -e means if file exists.  You should use -n


That did it!!

[root@web1:~] #./bin/check-cass.sh
Cassandra is running with pid: 26979

This is what the script looks like now:

#!/bin/bash
pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')

if [[ -n $pid ]]
then
  echo Cassandra is running with pid: $pid
else
  echo Cassandra is DOWN!!!
fi

Insert an extra line after #!/bin/bash
 set -xv
 which will show helpful debug messages.


Good tip! But I ran the script with sh +x . I guess that running it with sh
+xv would do the same thing. But that is a useful tip to include the debug
lines right in the script. I'll have to remember that for next time!

Thanks! :)

Tim


On Sun, Apr 19, 2015 at 1:55 PM, Always Learning cen...@u64.u22.net wrote:


 On Sun, 2015-04-19 at 13:15 -0400, Tim Dunphy wrote:
  Hey all,
 
   I wrote a very basic script to determine if cassandra db is running. I'm
  setting a variable called 'pid' to the output of a ps | grep like to grab
  the pid of the cassandra process.

 Insert an extra line after #!/bin/bash

 set -xv

 which will show helpful debug messages.


 --
 Regards,

 Paul.
 England, EU.  Je suis Charlie.




Re: [CentOS] bash script fails conditional test

2015-04-19 Thread Tim Dunphy

 It's a matter of consistency.  The script began #!/bin/bash and so a
 direct shell invocation should _also_ use the same command.


Good point. I'll try to keep that in mind.

Thank you,
Tim

On Sun, Apr 19, 2015 at 10:04 PM, Stephen Harris li...@spuddy.org wrote:

 On Sun, Apr 19, 2015 at 09:00:06PM -0500, Chris Adams wrote:
  Once upon a time, Stephen Harris li...@spuddy.org said:

   You should use bash -x  (bash and not sh because sh may not be bash
   everywhere; eg Ubuntu; -x and not +x because -x means turn on debug
   but +x means turn _off_ debug)
 
  Unless you have specific bashisms (which I don't think the original did,
  and you should mostly avoid in scripts), sh -x will be fine.

 It's a matter of consistency.  The script began #!/bin/bash and so a
 direct shell invocation should _also_ use the same command.

 --

 rgds
 Stephen


Re: [CentOS] bash script fails conditional test

2015-04-19 Thread Tim Dunphy

 You can probably replace that with a much cleaner pid=$(pidof cassandra).


Good to know! I hadn't heard of pidof before. However this is what I get
when I run it:

[root@web1:~] #pidof cassandra
[root@web1:~] #

Returns nothing. However:

[root@web1:~] #pidof java
27210 11418 10852

Gives me a few pids. Only one of which belongs to cassandra, as I have a
few java processes running.

I still find that my little script isolates exactly the pid of cassandra
that I would need to shutdown.

[root@web1:~] #check-cass.sh
Cassandra is running with pid: 27210

I really need to turn this into an init script. Which I probably will. But
this is just for a hobby project, and I'm a little too lazy to do it this
weekend. Maybe next weekend.

Thanks,
Tim

On Sun, Apr 19, 2015 at 9:58 PM, Chris Adams li...@cmadams.net wrote:

 Once upon a time, Tim Dunphy bluethu...@gmail.com said:
  pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')

 You can probably replace that with a much cleaner pid=$(pidof cassandra).

 --
 Chris Adams li...@cmadams.net
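An added example, not code from any poster in this thread, that puts the thread's points together: -e tests for a file, -n tests for a non-empty string, and the Cassandra JVM runs as "java", so it has to be found by its command line rather than its process name. The ps -ef lines are constructed sample input, and the function names (sample_ps, jvm_pids, check_cassandra, describe_tests) and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Constructed `ps -ef` sample. The three java PIDs are the ones from the
# thread's `pidof java` output; the command lines are made up.
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root     10852     1  0 Apr18 ?        00:01:10 java -jar /opt/app1/app1.jar
root     11418     1  0 Apr18 ?        00:00:42 java -jar /opt/app2/app2.jar
root     27210     1  2 Apr19 ?        00:12:31 java -ea org.apache.cassandra.service.CassandraDaemon
root     27301     1  0 Apr19 ?        00:00:00 SCREEN -S cassandra
root      1990     1  0 Apr18 ?        00:00:03 s3fs bucket /backup/cassandradb
root     27555 27001  0 10:02 pts/0    00:00:00 grep cassandra
EOF
}

# Print the PID of every java process whose arguments contain the string $1.
# Matching on the executable column (field 8) drops the grep, screen and s3fs
# lines without a chain of `grep -v` filters. Reads `ps -ef` text on stdin.
jvm_pids() {
  awk -v want="$1" 'NR > 1 && $8 ~ /(^|\/)java$/ && index($0, want) { print $2 }'
}

# Return 0 for exactly one match, 1 for none, 2 for several (ambiguous).
check_cassandra() {
  pids=$(jvm_pids "CassandraDaemon")
  set -- $pids                     # one positional parameter per PID
  if [ -z "$pids" ]; then          # string test; -e here would look for a file
    echo "Cassandra is DOWN!!!"; return 1
  elif [ "$#" -gt 1 ]; then
    echo "Cassandra match is ambiguous: $*"; return 2
  fi
  echo "Cassandra is running with pid: $1"
}

# The thread's bug in isolation: -n asks "is the string non-empty?",
# -e asks "does a file with this name exist?". [[ ]] behaves the same way.
describe_tests() {
  if [ -n "$1" ]; then n=nonempty; else n=empty; fi
  if [ -e "$1" ]; then e=file; else e=nofile; fi
  echo "$n,$e"
}

sample_ps | check_cassandra
```

On a live host the same functions read real data with `ps -ef | check_cassandra`.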


[CentOS] mounted NFS does not show in df -h

2015-04-02 Thread Tim Dunphy
Hey guys,

 This is kind of odd, so I wanted to do a sanity check.

 I mounted an NFS share like so:

[root@web1:~] #mount -t nfs nfs1.jokefire.com:/home /mnt/home

Seemed to go ok. Then I took a look at the output of df -h and didn't see
it!


[root@web1:~] #df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/vda                     40G   24G   14G  64% /
devtmpfs                    996M     0  996M   0% /dev
tmpfs                      1001M     0 1001M   0% /dev/shm
tmpfs                      1001M  101M  901M  11% /run
tmpfs                      1001M     0 1001M   0% /sys/fs/cgroup
s3fs                        256T     0  256T   0% /backup/cassandradb
s3fs                        256T     0  256T   0% /backup/mysql
nfs1.jokefire.com:/var/www   20G  3.1G   16G  17% /var/www


Yet, when I do a df -h on the directory I mounted the NFS share on, I see
that it's mounted via NFS as expected:

[root@web1:~] #df -h /mnt/home
Filesystem   Size  Used Avail Use% Mounted on
nfs1.jokefire.com:/home   20G  3.1G   16G  17% /mnt/home

So, what do you think could be happening? Why is it that I can't see the
output I'm expecting just by going df -h???

Thanks!!
Tim


