[CentOS] mount.nfs: an incorrect mount option was specified
Hey guys,

My NFS server has been working really well for a long time now. Both client and server run CentOS 7.2. However when I just had to remount one of my home directories on an NFS client, I'm now getting the error when I run mount -a

mount.nfs: an incorrect mount option was specified

This is the corresponding line I have in my fstab file on the client:

nfs1.example.com:/var/nfs/home   /home   nfs   rw   0 0

I get the same error if I try to run the mount command explicitly:

mount -t nfs nfs1.example.com:/var/nfs/home /home
mount.nfs: an incorrect mount option was specified

This is the verbose output of that same command:

mount -vvv -t nfs nfs1.example.com:/var/nfs/home /home
mount.nfs: timeout set for Sun Oct 2 23:17:03 2016
mount.nfs: trying text-based options 'vers=4,addr=162.xx.xx.xx.xx,clientaddr=107.xxx.xx.xx'
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified

This is the entry I have in my /etc/exports file on the nfs server:

/var/nfs/home web2.jokefire.com(rw,sync,no_root_squash,no_all_squash)

I get this same result if the firewall is up or down (for very microscopic slivers of time for testing purposes).

With the firewall down (for testing again very quickly) I get this result from the showmount -e command:

[root@web2:~] #showmount -e nfs1.example.com
Export list for nfs1.example.com:
/var/nfs/varnish varnish1.example.com
/var/nfs/es      es3.example.com,es2.example.com,logs.example.com
/var/nfs/www     web2.example.com,puppet.example.com,ops3.example.com,ops2.example.com,web1.example.com
/var/nfs/home    ansible.example.com,chef.example.com,logs3.example.com,logs2.example.com,logs1.example.com,ops.example.com,lb1.example.com,ldap1.example.com,web2.example.com,web1.lyricgem.com,nginx1.example.com,salt.example.com,puppet.example.com,nfs1.example.com,db4.example.com,db3.example.com,db2.example.com,db1.example.com,varnish2.example.com,varnish1.example.com,es3.example.com,es2.example.com,es1.example.com,repo.example.com,ops3.example.com,ops2.example.com,solr1.example.com,time1.example.com,mcollective.example.com,logs.example.com,hadoop04.example.com,hadoop03.example.com,hadoop02.example.com,hadoop01.example.com,monitor3.example.com,monitor2.example.com,monitor1.example.com,web1.example.com,activemq1.example.com

With the firewall on the nfs server up (as it is all the time other than this short test), I get back this result:

showmount -e nfs1.example.com
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

This is a list of ports I have open on the NFS server:

[root@nfs1:~] #firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 2719/tcp 9102/tcp 52926/tcp 111/tcp 25/tcp 875/tcp 54302/tcp 4/tcp 20048/tcp 2692/tcp 55982/tcp 2049/tcp 17123/tcp 42955/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="xx.xx.xx.x/32" port port="5666" protocol="tcp" accept

So I have two problems I need to solve.

1) How do I open the firewall ports on the nfs server so that clients can contact it? I'm using firewalld on the nfs server.

And 2) why am I getting an error saying that "an incorrect mount option was specified"?

Thanks,
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
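An added check for the firewall half of the question above; it is my code, not anything from the thread. It parses the `firewall-cmd --list-all` dump pasted in the post (re-typed here as constructed sample input) and reports which of the ports that firewalld's nfs, rpc-bind and mountd services would open are still closed, separately for an NFSv4-only client (the verbose mount above negotiates vers=4) and for an NFSv3 or showmount client, then prints the matching --add-service commands.

```python
"""Check a firewalld zone for the ports an NFS client needs.

Added example (my code, not from the thread). It parses the
`firewall-cmd --list-all` dump from the NFS post, re-typed below as
constructed sample input, and reports which of the ports that firewalld's
nfs, rpc-bind and mountd services would open are still closed, for an
NFSv4-only client and for an NFSv3/showmount client.
"""
import re

# Ports opened by the firewalld service definitions shipped on CentOS 7
# (/usr/lib/firewalld/services/{nfs,rpc-bind,mountd}.xml).
SERVICE_PORTS = {
    "nfs": {"2049/tcp"},
    "rpc-bind": {"111/tcp", "111/udp"},
    "mountd": {"20048/tcp", "20048/udp"},
}

# NFSv4 multiplexes everything over 2049/tcp. NFSv3 mounts, showmount and
# rpcinfo also talk to the portmapper (111) and mountd (20048) over both
# TCP and UDP.
PROFILES = {
    "nfs4": ("nfs",),
    "nfs3": ("nfs", "rpc-bind", "mountd"),
}

KEY_RE = re.compile(r"^\s*([a-z][a-z -]*):\s*(.*)$")

# Constructed from the firewall-cmd output quoted in the post.
SAMPLE = """\
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 2719/tcp 9102/tcp 52926/tcp 111/tcp 25/tcp 875/tcp 54302/tcp 4/tcp 20048/tcp 2692/tcp 55982/tcp 2049/tcp 17123/tcp 42955/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="xx.xx.xx.x/32" port port="5666" protocol="tcp" accept
"""


def parse_list_all(text):
    """Turn `firewall-cmd --list-all` output into {"zone": name, key: [tokens]}."""
    lines = [l for l in text.splitlines() if l.strip()]
    zone = {"zone": lines[0].split()[0] if lines else ""}
    last_key = None
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            zone.setdefault(last_key, []).extend(m.group(2).split())
        elif last_key == "rich rules":
            # rich rules are printed one per line, indented, with no key
            zone[last_key].append(line.strip())
    return zone


def open_ports(zone):
    """'port/proto' strings reachable via explicit ports or known services."""
    ports = set(zone.get("ports", []))
    for svc in zone.get("services", []):
        ports |= SERVICE_PORTS.get(svc, set())
    return ports


def missing_for(zone, profile):
    """Sorted list of required 'port/proto' entries the zone does not open."""
    need = set().union(*(SERVICE_PORTS[s] for s in PROFILES[profile]))
    return sorted(need - open_ports(zone))


def suggest(zone, profile):
    """firewall-cmd lines that open the gaps as named services, or [] if none."""
    missing = set(missing_for(zone, profile))
    services = sorted(s for s in PROFILES[profile] if SERVICE_PORTS[s] & missing)
    if not services:
        return []
    cmds = [f"firewall-cmd --permanent --zone={zone['zone']} --add-service={s}"
            for s in services]
    return cmds + ["firewall-cmd --reload"]


if __name__ == "__main__":
    z = parse_list_all(SAMPLE)
    for prof in PROFILES:
        print(prof, "missing:", missing_for(z, prof) or "nothing")
        for cmd in suggest(z, prof):
            print("  ", cmd)
```

On the pasted zone the NFSv4 path (2049/tcp) is already open while the UDP side of rpc-bind and mountd is not, which is what a v3 mount or showmount would additionally need.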
Re: [CentOS] ElasticSearch Logrotate not working
ok, good advice! thanks!

On Thu, Jul 28, 2016 at 2:06 PM, Thomas Eriksson <thomas.eriks...@slac.stanford.edu> wrote:

> On 07/28/2016 07:40 AM, Tim Dunphy wrote:
> > Hey guys,
> >
> > I have this log rotation script setup in my /etc/logrotate.d folder
> >
> > /var/log/elasticsearch/*.log {
> >     daily
> >     rotate 100
> >     size 50M
> >     copytruncate
> >     compress
> >     delaycompress
> >     missingok
> >     notifempty
> >     create 644 elasticsearch elasticsearch
> > }
> >
> > And I notice that log files are still being generated that are upwards of 7
> > or 8 GBs. Can anyone point out to me where the script is going wrong, and
> > why log files for ES are growing so incredibly big? I would think that
> > having that logrotate script in place should solve that problem.
> >
> > Thanks,
> > Tim
>
> Tim,
>
> First, logrotate only checks the state of the logfiles once a day, so
> if your log grows to 8GB in a day, it has no chance to do anything
> about it.
>
> Second, elasticsearch is using log4j to control its logs. It has its
> own naming and rotation rules and should not need to involve logrotate
> at all. See /etc/elasticsearch/logging.yml
>
> Third, if you generate that much logging in a day, maybe lowering the
> loglevel, or perhaps there is a problem that should be fixed.
>
> -Thomas
[CentOS] ElasticSearch Logrotate not working
Hey guys,

I have this log rotation script setup in my /etc/logrotate.d folder

/var/log/elasticsearch/*.log {
    daily
    rotate 100
    size 50M
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    create 644 elasticsearch elasticsearch
}

And I notice that log files are still being generated that are upwards of 7 or 8 GBs. Can anyone point out to me where the script is going wrong, and why log files for ES are growing so incredibly big? I would think that having that logrotate script in place should solve that problem.

Thanks,
Tim
[CentOS] Apache/PHP Installation - opinions
Hey guys,

I tend to work on small production environments for a large enterprise. Never more than 15 web servers for most sites. But most are only 3 to 5 web servers. Depends on the needs of the client. I actually like to install Apache and PHP from source and by hand. Although I know that's considered sacrilege in some shops. I do this because on RH flavored systems like CentOS the versions of Apache, php and most other software are a little behind the curve in terms of versions. And that's intentionally so! Because the versions that usually go into the various repos are tested and vetted thoroughly before going into the repos.

I like to use the latest, stable versions of apache and php for my clients without having to create a custom RPM every time a new version comes out.

So what I'd like to know is, is it better in your opinion to install from repos than to install by source as a best practice? Is it always better to use puppet, chef, ansible etc even if the environment is small?

I'm sure this is a matter of preference, but I would like to know what your preferences are.

Thanks,
Tim

Sent from my iPhone
Re: [CentOS] SELinux denies haproxy
> > setsebool -P haproxy_connect_any 1

Hey, thanks Alexander! That did the trick.

> for more information :
> https://www.mankier.com/8/haproxy_selinux

Thanks, Hossein! Very valuable info. Much appreciated.

Tim

On Sat, Mar 12, 2016 at 5:40 PM, Hossein Aghaie <hossein@gmail.com> wrote:

> for more information :
> https://www.mankier.com/8/haproxy_selinux
>
> On Sun, Mar 13, 2016 at 2:05 AM, Alexander Dalloz <ad+li...@uni-x.org> wrote:
>
> > On 12.03.2016 at 23:18, Tim Dunphy wrote:
> >
> >> Hi all,
> >>
> >> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
> >> working pretty well. Except I keep seeing these messages turning up in
> >> syslog:
> >>
> >> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
> >>
> >> It looks like SELinux is denying haproxy the ability to connect to the
> >> database. I haven't seen any real problems on the site that uses the
> >> database. But I was just wondering if this message looks familiar to
> >> anyone. Or if it looks like something I should try to correct.
> >>
> >> I tried grepping through audit.log for haproxy and piping it to audit2why,
> >> but I don't get any useful response back:
> >>
> >> [root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M haproxy
> >> Nothing to do
> >>
> >> I'm open to your thoughts and opinions!
> >>
> >> Thanks,
> >> Tim
> >
> > setsebool -P haproxy_connect_any 1
> >
> > Alexander
[CentOS] SELinux denies haproxy
Hi all,

I'm load balancing 4 mysql databases using HAProxy. The setup seems to be working pretty well. Except I keep seeing these messages turning up in syslog:

Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket

It looks like SELinux is denying haproxy the ability to connect to the database. I haven't seen any real problems on the site that uses the database. But I was just wondering if this message looks familiar to anyone. Or if it looks like something I should try to correct.

I tried grepping through audit.log for haproxy and piping it to audit2why, but I don't get any useful response back:

[root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M haproxy
Nothing to do

I'm open to your thoughts and opinions!

Thanks,
Tim
Re: [CentOS] logrotate script error
Hey! That worked!

/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    size 100M
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

Thanks for the help!
Tim

On Sat, Mar 5, 2016 at 11:15 PM, Yamaban <foers...@lisas.de> wrote:

> On Sun, 6 Mar 2016 04:34, Tim Dunphy <bluethundr@...> wrote:
>
>> Hey guys,
>>
>> I'm trying to rotate a logstash log that can grow pretty large. 3.4GB last
>> I saw!
>>
>> And that's because the logrotate script I came up with didn't work.
>>
>> The error I get on a syntax check is this:
>>
>> #logrotate -f logstash
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>> size: '100M': No such file
>>
>> And this is the logstash rotate script:
>>
>> #cat /etc/logrotate.d/logstash
>> /var/log/logstash/* {
>>    daily
>>    rotate 7
>>    copytruncate
>>    compress
>>    delaycompress
>>    missingok
>>    notifempty
>>    postrotate
>>    size 100M
>>    /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
>>    endscript
>> }
>>
>> I can't find the error there. Can I have a suggestion as to what's wrong
>> and how to correct it?
>
> Multiple errors here, first hint: "man 8 logrotate" is a good start.
>
> Second: wrong order of lines:
> diff -U2 > [code] > --- your logstash-rotate > +++ corrected logstash-rotate
> @@ -7,6 +7,7 @@ > missingok > notifempty > - postrotate > size 100M > + sharedscripts > + postrotate > /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> > /dev/null || true > endscript > [/code]
>
> In short: "postrotate" line is in wrong position, add line "sharedscripts"
>
> - Yamaban.
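Review bot: the kill -HUP postrotate block that this hunk leaves in place deserves a second look: the stanza already has copytruncate (visible in the quoted config above), which truncates the log in place so logstash keeps writing to the same open file and needs no signal, and `|| true` hides a missing or stale /var/run/logstash.pid, so either drop the block or let the failure surface in logrotate's output. The two changes the hunk does make are the right fix: logrotate hands everything between `postrotate` and `endscript` to /bin/sh, so in the original `size 100M` ran as a command (`size: '100M': No such file` is binutils `size` failing to open a file called 100M, printed once per matched log because `sharedscripts` was absent) instead of being parsed as a threshold; moving it above `postrotate` and adding `sharedscripts` addresses both symptoms.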
[CentOS] logrotate script error
Hey guys,

I'm trying to rotate a logstash log that can grow pretty large. 3.4GB last I saw!

And that's because the logrotate script I came up with didn't work.

The error I get on a syntax check is this:

#logrotate -f logstash
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file
size: '100M': No such file

And this is the logstash rotate script:

#cat /etc/logrotate.d/logstash
/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    postrotate
    size 100M
    /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

I can't find the error there. Can I have a suggestion as to what's wrong and how to correct it?

Thanks,
Tim
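An added linter, my code rather than anything posted on the list, for the two mistakes this thread turns on: a directive placed between postrotate and endscript (which logrotate passes to the shell), and a glob with a postrotate script but no sharedscripts. It runs over constructed copies of the broken stanza in this post and of the corrected stanza from the reply above.

```python
"""Lint logrotate stanzas for the two problems found in the logstash thread.

Added example; it is my code, not anything posted on the list. It checks
(1) that no rotation directive sits between `postrotate` and `endscript`,
because logrotate hands that whole region to /bin/sh (so `size 100M` runs
binutils' `size` on a file called 100M instead of setting a threshold),
and (2) that a glob pattern with a postrotate script also has
`sharedscripts`, otherwise the script runs once per matched file.
"""

# Subset of logrotate's directives (see man 8 logrotate); only used to
# recognise a directive that was misplaced inside a script block.
DIRECTIVES = {
    "daily", "weekly", "monthly", "yearly", "hourly", "rotate", "size",
    "minsize", "maxsize", "maxage", "copytruncate", "copy", "compress",
    "nocompress", "delaycompress", "missingok", "nomissingok", "notifempty",
    "ifempty", "create", "nocreate", "dateext", "olddir", "su",
    "sharedscripts", "nosharedscripts",
}
SCRIPT_BLOCKS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
GLOB_CHARS = set("*?[")


def lint_logrotate(config):
    """Return a list of findings (empty when the config is clean)."""
    findings = []
    pattern = None        # path or glob that opened the current stanza
    block = None          # script block we are inside, or None
    has_postrotate = False
    has_sharedscripts = False

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if block:
            # Everything up to endscript is script text, not configuration.
            if word == "endscript":
                block = None
            elif word in DIRECTIVES:
                findings.append(
                    f"line {lineno}: '{line}' is inside {block}/endscript and "
                    "will be passed to /bin/sh instead of being parsed")
            continue
        if line.endswith("{"):
            pattern = line[:-1].strip()
            has_postrotate = has_sharedscripts = False
            continue
        if line == "}":
            if (pattern and GLOB_CHARS & set(pattern) and has_postrotate
                    and not has_sharedscripts):
                findings.append(
                    f"{pattern}: postrotate without sharedscripts, so the "
                    "script runs once per matched file")
            pattern = None
            continue
        if word in SCRIPT_BLOCKS:
            block = word
            has_postrotate = has_postrotate or word == "postrotate"
        elif word == "sharedscripts":
            has_sharedscripts = True
    if block:
        findings.append(f"{block} is never closed with endscript")
    return findings


# Constructed copies of the two stanzas from the thread: the one that
# printed "size: '100M': No such file" eight times, and the corrected one.
BROKEN = """\
/var/log/logstash/* {
    daily
    rotate 7
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    postrotate
    size 100M
    /bin/kill -HUP `cat /var/run/logstash.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
"""
FIXED = BROKEN.replace("    postrotate\n    size 100M\n",
                       "    size 100M\n    sharedscripts\n    postrotate\n")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {lint_logrotate(cfg) or ['ok']}")
```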
[CentOS] delete directories with find and exclude other directories
Hi all,

I'm attempting to delete some directories and I want to be able to exclude a directory called 'logs' from being deleted. This is my basic find operation (without the exclusion)

# find . -type d |tail -10
./d20160124-1120-df8mfb/deployments
./d20160124-1120-df8mfb/releases
./d20160131-16993-vazqg5
./d20160131-16993-vazqg5/metadata
./d20160131-16993-vazqg5/deployments
./d20160131-16993-vazqg5/releases
./logs
./d20160203-27735-1tqbjh6
./d20160125-1120-1yccr9p
./d20160131-16993-1yf9lnc

I'm just tailing the output so that you have an idea of what's going on without taking up the whole page. :)

If I try to exclude the logs directory with the prune command I get back no results.

root@ops-manager:/tmp/tmp# find . -type d -prune -o -name 'logs' -print
root@ops-manager:/tmp#

What am I doing wrong?

Thanks,
Tim
Re: [CentOS] LDAP create home directories
> > Check /var/log/secure for why the directory is not able to be created.
> Might be selinux, is that enabled? (sestatus)

Good catch! It was indeed SELinux preventing the directory from being created. Disabling it allows that to happen. For instance I just created a new test user in LDAP:

#ssh odun...@ops2.example.com
odun...@ops2.example.com's password:
Creating directory '/home/odunphy'.
[ASCII-art login banner]
[odunphy@ops2 ~]$

And it works fine! :)

Turns out the host that had directory creation working properly before had SELinux disabled. When I look at the audit log this is what I found:

type=AVC msg=audit(1450562436.438:2148162): avc: denied { entrypoint } for pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

So I just created the selinux module file and installed it:

[root@ops2:~] #grep ssh /var/log/audit/audit.log | audit2allow -M ssh-mkdir
IMPORTANT *** To make this policy package active, execute:

semodule -i ssh-mkdir.pp

[root@ops2:~] #semodule -i ssh-mkdir.pp

And all is well with the world. Directories are created on login with LDAP now.

#ssh odun...@ops2.example.com
odun...@ops2.example.com's password:
Creating directory '/home/odunphy'.
Last login: Sat Dec 19 17:00:36 2015 from ool-4571a4a2.dyn.optonline.net
[ASCII-art login banner]
[odunphy@ops2 ~]$

Thanks for your help!
Tim

On Sat, Dec 19, 2015 at 4:49 PM, Bill Howe <howe.b...@gmail.com> wrote:

> Check /var/log/secure for why the directory is not able to be created.
> Might be selinux, is that enabled? (sestatus)
> On Dec 19, 2015 15:40, "Tim Dunphy" <bluethu...@gmail.com> wrote:
>
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> >
> > Hmm.. I got a different result after restarting nslcd. Instead of logging
> > me in and just complaining that it couldn't create the home directory, it
> > still complains about not creating the home directory, but now it doesn't
> > let me in:
> >
> > #ssh tdun...@ops2.example.com
> > tdun...@ops2.example.com's password:
> > Creating directory '/home/tdunphy'.
> > Unable to create and initialize directory '/home/tdunphy'.
> > Last login: Sat Dec 19 15:29:54 2015
> > [ASCII-art login banner]
> > Connection to ops2.example.com closed.
> >
> > I think I preferred it when it would let me in and complain!! LOL
> >
> > I can still get in with my non-LDAP admin account fortunately.
> >
> > Ok, any other thoughts?
> >
> > Thanks,
> > Tim
> >
> > On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.b...@gmail.com> wrote:
> >
> > > You may also need to restart sssd or nslcd, depending upon which one is
> > > running the backed ldap connection service on the clients.
> > > On Dec 19, 2015 14:25, "Tim Dunphy" <bluethu...@gmail.com> wrote:
> > >
> > > > Hey guys,
> > > >
> > > > I've set up an LDAP server on our network. I'm using OpenLDAP.
> > > >
> > > > It was really easy to use the authconfig-tui to generate the nsswitch.conf
> > > > and ldap.conf files that would allow user authentication.
> > > >
> > > > But when users would log in, the system wasn't creating the home
> > > > directories.
> > > >
> > > > I found one command that would correct that:
> > > >
> > > > authconfig --enablemkhomedir --update
> > > >
> > > > After that logging in with an LDAP user to that machine would c
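An added parser, my code rather than the list's, for the AVC denials quoted in this thread and in the haproxy thread above. It extracts the permission, source and target types and object class from syslog or audit.log lines and groups repeated denials, which is the triage step before deciding on a boolean such as haproxy_connect_any or an audit2allow module; the sample lines are constructed from the two records on the page plus one repeat and one non-AVC line.

```python
"""Parse and group SELinux AVC denials like the two quoted in these threads.

Added example, my code rather than anything from the list posts. Given raw
lines from syslog or /var/log/audit/audit.log it pulls out the permission,
the source and target types and the object class, then counts repeated
denials so you can see what is actually being blocked before reaching for
setsebool or audit2allow.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    parts += [""] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = split_context(rec[ctx])["type"]
    ident = AUDIT_ID_RE.search(line)
    if ident:
        rec["timestamp"] = float(ident.group("ts"))
        rec["serial"] = int(ident.group("serial"))
    return rec


def group_denials(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec.get("scontext_type"), rec.get("tcontext_type"),
                    rec.get("tclass"), perm)] += 1
    return counts


def describe(key, count):
    """One-line summary of a grouped denial."""
    src, tgt, tclass, perm = key
    return f"{count}x {src} -> {tgt} ({tclass}) denied '{perm}'"


# Constructed sample: the haproxy denial (as it appears in syslog), the
# mkhomedir_helper denial (raw audit.log form), a repeat of the haproxy
# line with a later serial so the grouping has something to count, and
# one ordinary sshd line (constructed address) that must be ignored.
SAMPLE_LINES = [
    'Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1450562436.438:2148162): avc: denied { entrypoint } for pid=17881 comm="sshd" path="/usr/sbin/mkhomedir_helper" dev="vda1" ino=1048040 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:oddjob_mkhomedir_exec_t:s0 tclass=file',
    'Mar 12 22:11:45 db1 kernel: [6058139.112233] type=1400 audit(1457820705.004:3029140): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket',
    'Mar 12 22:11:46 db1 sshd[24407]: Accepted publickey for bluethundr from 10.0.0.5 port 47469 ssh2',
]

if __name__ == "__main__":
    for key, n in group_denials(SAMPLE_LINES).most_common():
        print(describe(key, n))
```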
[CentOS] LDAP create home directories
Hey guys,

I've set up an LDAP server on our network. I'm using OpenLDAP.

It was really easy to use the authconfig-tui to generate the nsswitch.conf and ldap.conf files that would allow user authentication.

But when users would log in, the system wasn't creating the home directories.

I found one command that would correct that:

authconfig --enablemkhomedir --update

After that logging in with an LDAP user to that machine would create the home directories.

But that only worked on the first machine. Running the command on other machines would have no effect. Which is odd. You would think it would be consistent.

Even after copying over the entire contents of /etc/pam.d from the working machine to the non-working machine and making sure that the non-working machine had the same /etc/nsswitch.conf and /etc/openldap/ldap.conf as the one that worked, it still doesn't create the home directories when LDAP users log in.

The non-working machine also has the required library file:

-rwxr-xr-x. 1 root root 11176 Aug 18 10:56 /usr/lib64/security/pam_mkhomedir.so

So how can I fix this? How can I get the system to create home directories for LDAP users automatically?

Thanks,
Tim
Re: [CentOS] LDAP create home directories
> > You may also need to restart sssd or nslcd, depending upon which one is
> running the backed ldap connection service on the clients.

Hmm.. I got a different result after restarting nslcd. Instead of logging me in and just complaining that it couldn't create the home directory, it still complains about not creating the home directory, but now it doesn't let me in:

#ssh tdun...@ops2.example.com
tdun...@ops2.example.com's password:
Creating directory '/home/tdunphy'.
Unable to create and initialize directory '/home/tdunphy'.
Last login: Sat Dec 19 15:29:54 2015
[ASCII-art login banner]
Connection to ops2.example.com closed.

I think I preferred it when it would let me in and complain!! LOL

I can still get in with my non-LDAP admin account fortunately.

Ok, any other thoughts?

Thanks,
Tim

On Sat, Dec 19, 2015 at 4:34 PM, Bill Howe <howe.b...@gmail.com> wrote:

> You may also need to restart sssd or nslcd, depending upon which one is
> running the backed ldap connection service on the clients.
> On Dec 19, 2015 14:25, "Tim Dunphy" <bluethu...@gmail.com> wrote:
>
> > Hey guys,
> >
> > I've set up an LDAP server on our network. I'm using OpenLDAP.
> >
> > It was really easy to use the authconfig-tui to generate the nsswitch.conf
> > and ldap.conf files that would allow user authentication.
> >
> > But when users would log in, the system wasn't creating the home
> > directories.
> >
> > I found one command that would correct that:
> >
> > authconfig --enablemkhomedir --update
> >
> > After that logging in with an LDAP user to that machine would create the
> > home directories.
> >
> > But that only worked on the first machine. Running the command on other
> > machines would have no effect. Which is odd. You would think it would be
> > consistent.
> >
> > Even after copying over the entire contents of /etc/pam.d from the working
> > machine to the non-working machine and making sure that the non-working
> > machine had the same /etc/nsswitch.conf and /etc/openldap/ldap.conf as the one
> > that worked, it still doesn't create the home directories when LDAP users
> > log in.
> >
> > The non-working machine also has the required library file:
> >
> > -rwxr-xr-x. 1 root root 11176 Aug 18 10:56 /usr/lib64/security/pam_mkhomedir.so
> >
> > So how can I fix this? How can I get the system to create home directories
> > for LDAP users automatically?
> >
> > Thanks,
> > Tim
[CentOS] prefork vs worker mpm in apache
Hey guys,

We had to recompile apache 2.4.12 because we needed to disable thread safety in php (ZTS). Because for some reason when compiling php with the --disable-maintainer-zts with the worker mpm model and checking the php info page, it was saying that thread safety was still enabled.

So when we recompiled apache to use the prefetch worker model instead of worker, the php info page was showing that thread safety was disabled.

But after that change apache processes spiked from around 11 processes per machine to well over 250 processes at any given time.

These are the tuning settings we have in apache:

StartServers 10
#MinSpareServers 10
#MaxSpareServers 25
ServerLimit 250
MaxRequestWorkers 250
MaxConnectionsPerChild 1000
KeepAlive On
KeepAliveTimeout 30
EnableSendfile Off

So I was just wondering how this change could've caused this problem of having the number of apache processes spike. And if there are any other changes we can make to apache to bring the process count down?

Also I realize that installing apache / php from source isn't standard practice on red hat variants. But at the time that these servers were set up the latest apache at that time (2.4.12) wasn't available as an RPM. So we just decided to install from source.

Thanks
Tim
Re: [CentOS] use pssh to restart a service
> > This is why it is paramount to use the visudo command as opposed to editing the
> /etc/sudoers file directly! The visudo command will check the edited
> temporary sudoers file syntax before committing to /etc!

Ok! Makes sense! I'll make sure I do that from now on!

Thanks!!
Tim

On Mon, Nov 2, 2015 at 5:25 AM, Anthony K <akcen...@anroet.com> wrote:

> On 02/11/15 12:35, Tim Dunphy wrote:
>
>> Hey Gordon,
>>
>> Sorry, man my bad! Disabling the tty requirement for my sudo user does
>> indeed work. I had a typo in the sudoers file, and when I corrected it,
>> my sudo command via pssh started working!
>>
> This is why it is paramount to use the visudo command as opposed to editing the
> /etc/sudoers file directly! The visudo command will check the edited
> temporary sudoers file syntax before committing to /etc!
>
> ak.
Re: [CentOS] use pssh to restart a service
Hey Gordon,

Sorry, man my bad! Disabling the tty requirement for my sudo user does indeed work. I had a typo in the sudoers file, and when I corrected it, my sudo command via pssh started working!

#pssh -i -h es_list "/bin/sudo /bin/systemctl restart elasticsearch; sleep 10"
[1] 20:31:32 [SUCCESS] bluethu...@es3.jokefire.com
Stderr: sudo: sorry, you must have a tty to run sudo
[2] 20:31:32 [SUCCESS] bluethu...@es2.jokefire.com
[3] 20:31:32 [SUCCESS] bluethu...@es1.jokefire.com

I'm still getting the 'sorry you must have a tty to run sudo' message coming from one of the nodes. But the command succeeds so it's no big deal! Odd tho that one node would be barking about that, considering my sudoers is distributed via puppet. Anyway, it's all good as far as I'm concerned. At least this works! I'll check that 3rd node and see if there's any difference to the sudoers file I guess.

Thanks for your help!
Tim

On Sun, Nov 1, 2015 at 7:06 PM, Gordon Messmer <gordon.mess...@gmail.com> wrote:

> On 10/31/2015 04:16 PM, Tim Dunphy wrote:
>
>> Got the same exact message!
>>
>> Anything else I can try?
>
> I think you need to double-check your sudoers file. Use the '-i' argument
> to pssh to get more information.
>
> # cat /etc/sudoers.d/gordon
> gordon ALL=(ALL) NOPASSWD: ALL
>
> $ pssh -h t -i sudo echo true
> [1] 16:02:12 [FAILURE] MYHOST Exited with error code 1
> Stderr: sudo: sorry, you must have a tty to run sudo
>
>
> # cat /etc/sudoers.d/gordon
> Defaults:gordon !requiretty, visiblepw
> gordon ALL=(ALL) NOPASSWD: ALL
>
> $ pssh -h t -i sudo echo true
> [1] 16:02:30 [SUCCESS] MYHOST
> true
[CentOS] use pssh to restart a service
Hi all,

I need to restart a service on a few elasticsearch nodes. I'm trying to do it with pssh.

I'm getting this error when I try to do that:

pssh -h es_list "/bin/sudo -S /bin/systemctl restart elasticsearch"
[1] 17:01:50 [FAILURE] bluethu...@es2.example.com Exited with error code 1
[2] 17:01:51 [FAILURE] bluethu...@es3.example.com Exited with error code 1
[3] 17:01:51 [FAILURE] bluethu...@es1.example.com Exited with error code 1

I have to sudo up from my user account as root logins are disallowed.

However a simple 'echo hello' command that doesn't require sudo works fine:

#pssh -h es_list "/bin/echo hello"
[1] 17:00:40 [SUCCESS] bluethu...@es1.example.com
[2] 17:00:41 [SUCCESS] bluethu...@es3.example.com
[3] 17:00:41 [SUCCESS] bluethu...@es2.example.com

What am I doing wrong?

Thanks,
Tim
Re: [CentOS] use pssh to restart a service
> > Have you tried running the command from a conventional login?
> sudo -S
> expects a password from stdin, where is that being supplied?

Yep! That works fine.

#ssh -qt bluethu...@es1.example.com "/bin/sudo -S /bin/systemctl restart elasticsearch"
#ssh -qt bluethu...@es1.example.com "/bin/echo $?"
0

And the user has 'NOPASSWD' access.

Any ideas?

Thanks,
Tim

On Sat, Oct 31, 2015 at 5:09 PM, Tony Schreiner <anthony.schrei...@bc.edu> wrote:

> On Sat, Oct 31, 2015 at 5:04 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>
> > Hi all,
> >
> > I need to restart a service on a few elasticsearch nodes. I'm trying to do
> > it with pssh.
> >
> > I'm getting this error when I try to do that:
> >
> > pssh -h es_list "/bin/sudo -S /bin/systemctl restart elasticsearch"
> > [1] 17:01:50 [FAILURE] bluethu...@es2.example.com Exited with error code 1
> > [2] 17:01:51 [FAILURE] bluethu...@es3.example.com Exited with error code 1
> > [3] 17:01:51 [FAILURE] bluethu...@es1.example.com Exited with error code 1
> >
> > I have to sudo up from my user account as root logins are disallowed.
> >
> > However a simple 'echo hello' command that doesn't require sudo works fine:
> >
> > #pssh -h es_list "/bin/echo hello"
> > [1] 17:00:40 [SUCCESS] bluethu...@es1.example.com
> > [2] 17:00:41 [SUCCESS] bluethu...@es3.example.com
> > [3] 17:00:41 [SUCCESS] bluethu...@es2.example.com
> >
> > What am I doing wrong?
> >
> > Thanks,
> > Tim
>
> Have you tried running the command from a conventional login?
>
> sudo -S
> expects a password from stdin, where is that being supplied?
Re: [CentOS] use pssh to restart a service
> > What does the sudo log say?

This is all the secure logs say about the ssh session:

[root@logs:~] #tail -f /var/log/secure
Oct 31 19:15:20 logs sshd[24407]: Accepted publickey for bluethundr from 47.18.111.100 port 47469 ssh2: RSA ae:62:1f:de:54:89:af:2c:10:16:0e:fd:8d:7e:81:06
Oct 31 19:15:21 logs sshd[24407]: pam_unix(sshd:session): session opened for user bluethundr by (uid=0)
Oct 31 19:15:21 logs sshd[24410]: Received disconnect from 47.18.111.100: 11: disconnected by user
Oct 31 19:15:21 logs sshd[24407]: pam_unix(sshd:session): session closed for user bluethundr

No change in the logs after making the suggested change to disable tty:

[root@logs:~] #cat /etc/sudoers.d/bluethundr
Defaults:myuser !requiretty, visiblepw

Got the same exact message!

Anything else I can try?

Thanks

On Sat, Oct 31, 2015 at 5:34 PM, Gordon Messmer <gordon.mess...@gmail.com> wrote:

> On 10/31/2015 02:04 PM, Tim Dunphy wrote:
>
>> pssh -h es_list "/bin/sudo -S /bin/systemctl restart elasticsearch"
>
> The default configuration prohibits use if input echo can't be disabled.
> That means no "-S".
>
> I modify that for users where necessary:
>
> /etc/sudoers.d/myuser:
> Defaults:myuser !requiretty, visiblepw
[CentOS] disable ZTS in php
Hey guys,

I'm trying to disable ZTS in php, because an application we need (AppDynamics) is not compatible with it.

So I tried compiling php with the following flags:

php -i | grep configure
Configure Command => './configure' '--with-apxs2=/opt/apache2/bin/apxs' '--with-zlib=/usr' '--prefix=/opt/php-5.6.8' '--with-libdir=lib64' '--with-config-file-path=/etc' '--enable-mime-magic' '--enable-pcntl' '--libexecdir=/usr/libexec' '--with-bz2' '--with-curl' '--with-gd' '--with-freetype-dir=/usr' '--with-png-dir=/usr/lib64' '--enable-gd-native-ttf' '--with-iconv' '--with-jpeg-dir=/usr/lib64' '--with-zlib' '--with-ldap' '--enable-exif' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos' '--enable-shmop' '--enable-calendar' '--with-xmlrpc' '--enable-soap' '--disable-pdo' '--with-openssl' '--with-xsl' '--enable-dbx' '--enable-mbstring' '--with-mcrypt=/usr' '--enable-bcmath' '--enable-pdo' '--with-pdo-mysql=/usr' '--with-mysql' '--with-mysqli=/usr/bin/mysql_config' '--enable-zip' '--enable-dba=shared' '--with-gettext=shared' '--with-gmp' '--enable-ftp' '--with-pspell' '--with-config-file-scan-dir=/etc/php.d'* '--disable-maintainer-zts'*

And for some reason the AppD installer is claiming that ZTS is still enabled. So what I'd like to know is, did I disable ZTS correctly? If I did that means the problem is on the AppD side so we should take a look there.

Appreciate any help on this!

Thanks
Tim
Re: [CentOS] disable ZTS in php
> To leave it out I use the --without-iconv directive. Maybe give that a
> shot with maintainer-zts.

Hey Jeremy,

I'll give that a shot. Thanks!

Tim

On Fri, Oct 30, 2015 at 11:10 AM, Jeremy Thompson <jer...@warehousesports.com> wrote:
> On certain non-Linux systems like MacOS I'll run into a problem with the
> standard version of iconv in php. To leave it out I use the --without-iconv
> directive. Maybe give that a shot with maintainer-zts.
>
> Jeremy
>
>> On Oct 30, 2015, at 6:44 AM, Tim Dunphy <bluethu...@gmail.com> wrote:
Re: [CentOS] disable ZTS in php
Yeah Eero, ok you have a point. I'll do that. Thanks!

On Fri, Oct 30, 2015 at 11:40 AM, Eero Volotinen wrote:
> This is really the wrong way to do this. Install yum-utils and use
> yumdownloader --source package-name to get the RHEL version of the package. Then
> modify the spec file and recompile.
>
> Eero
[CentOS] selinux commands fail on low memory box
Hey all,

I have 3 web servers hosted at Digital Ocean that all have the same amount of memory at 512MB. They're all running CentOS 7.

They are low powered apache servers and don't really need more than that. All they're doing is serving the web, no database on those hosts at all.

On the first two hosts I seem to have no trouble running SELinux related commands. It's only on the 3rd web server where I seem to have any trouble at all running the SELinux commands I want to keep the box secure.

On box #3 all SElinux commands end up the same way. For example:

[root@ops3:~] #semodule -i newrelic.pp
Killed

And that happened when I had about 280MB free:

[root@ops3:~] #free -m
              total        used        free      shared  buff/cache   available
Mem:            490          96         286          28         107         285
Swap:             0           0           0

Typically what I'll do is stop all the main services on this machine to free up some memory to run the command I want. But to no avail! The commands die with the same errors every time. Whereas on the other two hosts I can run the same commands with only as little as 30 or 40MB free!

So would this be some inherent flaw with this box? That the only way to get around it is to scrap it and build a replacement?

Not that hard to do. But before I took that measure I was wondering if there was any hocus-pocus I could try that I might not be aware of that could alleviate this scenario.

Thanks,
Tim
Re: [CentOS] selinux commands fail on low memory box
> How about adding some swap into system?

Not a bad idea, Eero! That worked.

[root@ops3:~] #cat /proc/swaps
Filename                                Type            Size    Used    Priority
/swapfile                               file            1048572 712     -1

[root@ops3:~] #semodule -i newrelic.pp
[root@ops3:~] #

Thanks!
Tim

On Thu, Oct 15, 2015 at 12:19 AM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
> How about adding some swap into system?
>
> --
> Eero
[CentOS] mount: unknown filesystem type '(null)' error
Hey guys,

I'm trying to mount a disk volume on aws under CentOS 7. And when I try I get this result:

[root@repo:~] #mount /dev/xvdf1 /opt/repo
mount: /dev/xvdf1 is write-protected, mounting read-only
mount: unknown filesystem type '(null)'

The only thing I can see in dmesg that seems to relate is:

[ 2481.434610] EXT4-fs (xvdf1): VFS: Can't find ext4 filesystem
[ 2509.883144] EXT4-fs (xvdf1): VFS: Can't find ext4 filesystem

What can I do to get around this problem?

Thanks,
Tim
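"unknown filesystem type '(null)'" is what mount prints when it asked libblkid what is on the device and got no answer, so there was no type to hand to the kernel; the dmesg lines are the kernel confirming that an ext4 superblock is not there either. The usual reasons are a volume that was attached but never formatted, or a filesystem that lives on the whole disk (/dev/xvdf) while a stale partition entry gives you an empty /dev/xvdf1. The standard tools for telling them apart are `blkid /dev/xvdf /dev/xvdf1`, `lsblk -f` and `file -s /dev/xvdf1`; the point of checking is that the "obvious" fix, mkfs, destroys whatever data is actually there. The probe below is an added example (not code from the thread or from util-linux) that does the same first step those tools do: read the head of the device and look for the on-disk signatures of ext2/3/4, XFS, swap, a GPT header and a DOS partition table. The offsets and magic values are the real on-disk ones; image() builds constructed 4 KiB device heads so the probe can be exercised without a block device.

```python
"""Find out what is actually on a block device before trusting `mount`'s guess
(added example, not from the thread). Offsets and magics are the on-disk values
libblkid also looks for; image() builds constructed test data."""
import struct

PROBE_LEN = 4096                      # one page covers every signature checked below


def probe(blob):
    """Classify the first 4 KiB of a device: 'xfs', 'ext', 'gpt', 'swap',
    'dos-partition-table' or None (no signature this probe knows about)."""
    if len(blob) < PROBE_LEN:
        blob = blob + b"\0" * (PROBE_LEN - len(blob))
    if blob[0:4] == b"XFSB":                                       # XFS superblock, offset 0
        return "xfs"
    if struct.unpack_from("<H", blob, 1024 + 0x38)[0] == 0xEF53:   # ext2/3/4 s_magic
        return "ext"
    if blob[512:520] == b"EFI PART":                               # GPT header at LBA 1
        return "gpt"
    if blob[PROBE_LEN - 10:PROBE_LEN] == b"SWAPSPACE2":            # mkswap signature
        return "swap"
    if blob[510:512] == b"\x55\xaa":                               # DOS/MBR boot signature
        return "dos-partition-table"
    return None


def probe_device(path):
    """Read the device head and classify it; needs read access to the node."""
    with open(path, "rb") as fh:
        return probe(fh.read(PROBE_LEN))


def image(kind):
    """Constructed 4 KiB device heads carrying one signature each (test data, not real disks)."""
    buf = bytearray(PROBE_LEN)
    if kind == "xfs":
        buf[0:4] = b"XFSB"
    elif kind == "ext":
        struct.pack_into("<H", buf, 1024 + 0x38, 0xEF53)
    elif kind == "gpt":
        buf[510:512] = b"\x55\xaa"        # protective MBR accompanies every GPT disk
        buf[512:520] = b"EFI PART"
    elif kind == "swap":
        buf[PROBE_LEN - 10:PROBE_LEN] = b"SWAPSPACE2"
    elif kind == "mbr":
        buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for dev in sys.argv[1:] or ["/dev/xvdf", "/dev/xvdf1"]:
        try:
            print(dev, probe_device(dev))
        except OSError as exc:
            print(dev, "unreadable:", exc)
```

Run it as root against both the whole disk and the partition. None on /dev/xvdf1 together with 'ext' or 'xfs' on /dev/xvdf means the filesystem was made on the raw device and the partition entry is the stray; None on both means nothing was ever written and mkfs is the right next step. Treat anything else as "someone else's data" until proven otherwise.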
[CentOS] python setup.py ssl error
Hey guys,

I'm trying to do a source install of s3cmd onto a centos 6.5 host. Because the version in the repo is a little old. So when I go to run the installer app with the command python2.7 setup.py install, I'm getting the following error:

Installed /usr/local/lib/python2.7/site-packages/s3cmd-1.6.0-py2.7.egg
Processing dependencies for s3cmd==1.6.0
Searching for six>=1.5
Reading https://pypi.python.org/simple/six/
Download error on https://pypi.python.org/simple/six/: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
Couldn't find index page for 'six' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
Download error on https://pypi.python.org/simple/: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
No local packages or download links found for six>=1.5
error: Could not find suitable distribution for Requirement.parse('six>=1.5')

I thought this might be a proxy issue of some kind, but I have several proxy values set in my environment:

[root@ushapld00050 s3cmd-1.6.0]# env | grep -i proxy
http_proxy=http://proxy.mycompany.com:80
https_proxy=http://proxy.mycompany.com:80
HTTPS_PROXY=http://proxy.mycompany.com:80
no_proxy=usushaplp461.mycompany.ge.com
HTTP_PROXY=http://proxy.mycompany.com:80

Can someone please give me a heads up as to how to resolve this issue?

Thanks,
Tim
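"certificate verify failed" with https_proxy set almost always means the corporate proxy is terminating TLS and re-signing pypi.python.org with its own private CA, which this host's trust store has never heard of. The fix is to trust that CA explicitly, not to turn verification off (no `--trusted-host`, no `verify=False`): put the proxy's CA file in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust (on CentOS 6 run `update-ca-trust enable` once first), or hand a merged bundle to the tools you use through SSL_CERT_FILE for OpenSSL-based clients, PIP_CERT for pip and REQUESTS_CA_BUNDLE for requests. Before trusting anything, confirm that the issuer you are being shown is the CA your IT department publishes; an issuer nobody admits owning is an interception you did not consent to. The code below is an added example (not code from the thread, s3cmd or setuptools): merge_bundles() builds a deduplicated PEM bundle from the system bundle plus the proxy CA, and check_peer() performs a verified handshake, through an HTTP CONNECT proxy when one is given, and reports the issuer of the presented certificate. The PEM inputs are constructed placeholders, not real certificates; check_peer() needs a network and is not exercised by the self-test.

```python
"""Trust an intercepting proxy's CA explicitly instead of disabling TLS verification
(added example, not from the thread). SYSTEM_BUNDLE and PROXY_CA are constructed."""
import base64
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Split a PEM bundle into individual certificate blocks."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == PEM_BEGIN:
            cur = [s]
        elif cur is not None:
            cur.append(s)
            if s == PEM_END:
                blocks.append("\n".join(cur) + "\n")
                cur = None
    return blocks


def merge_bundles(*pem_texts):
    """Concatenate several PEM sources, dropping duplicate certificates by DER digest."""
    seen, merged = set(), []
    for text in pem_texts:
        for block in pem_blocks(text):
            digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            if digest not in seen:
                seen.add(digest)
                merged.append(block)
    return "".join(merged)


def check_peer(host, port, cafile, proxy=None):
    """TLS handshake with host:port, optionally tunnelled through an HTTP CONNECT proxy
    given as (proxy_host, proxy_port), verifying against cafile only.
    Returns (True, issuer_dict) or (False, reason). Network access required."""
    ctx = ssl.create_default_context(cafile=cafile)   # hostname check + CERT_REQUIRED
    try:
        if proxy:
            sock = socket.create_connection(proxy, timeout=10)
            req = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)
            sock.sendall(req.encode("ascii"))
            reply = b""
            while b"\r\n\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    raise OSError("proxy closed the connection")
                reply += chunk
            status = reply.split(b"\r\n", 1)[0]
            if b" 200 " not in status:
                raise OSError("proxy refused CONNECT: " + status.decode("ascii", "replace"))
        else:
            sock = socket.create_connection((host, port), timeout=10)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            return True, issuer
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def _fake_pem(label):
    """A syntactically valid PEM block holding constructed bytes, NOT a real certificate."""
    body = base64.b64encode(("constructed placeholder: " + label).encode()).decode()
    return "%s\n%s\n%s\n" % (PEM_BEGIN, body, PEM_END)


# Constructed stand-ins for /etc/pki/tls/certs/ca-bundle.crt and the proxy's CA file.
SYSTEM_BUNDLE = _fake_pem("public root A") + _fake_pem("public root B")
PROXY_CA = _fake_pem("corporate interception CA") + _fake_pem("public root A")

if __name__ == "__main__":
    print(len(pem_blocks(merge_bundles(SYSTEM_BUNDLE, PROXY_CA))), "unique certificates")
    ok, info = check_peer("pypi.python.org", 443, "/etc/pki/tls/certs/ca-bundle.crt",
                          proxy=("proxy.mycompany.com", 80))
    print("verified" if ok else "failed", info)
```

Run check_peer() twice: once with the stock system bundle (expect a failure naming the unknown issuer) and once with the merged bundle written to a file. If it succeeds and the issuer matches the published corporate CA, export SSL_CERT_FILE=/path/to/merged.pem and re-run `python2.7 setup.py install`.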
Re: [CentOS] Keepalived vrrp problem
Guys,

I actually found a solution to this. After much googling I was able to come up with this:

vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101                      # 101 on master, 100 on backup
    dont_track_primary
    vrrp_unicast_bind 10.40.116.30    # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.31    # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}

The key to getting this to work was to add the dont_track_primary entry you see above to the config. I'm not sure if that's the best way to solve this problem. But I know that adding that line allowed me to do what I needed to do. After that I could ping the virtual address.

Thanks for all the suggestions.

Tim

On Tue, Sep 29, 2015 at 4:24 PM, Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> wrote:
> Em 29-09-2015 15:03, Gordon Messmer escreveu:
>> On 09/29/2015 09:14 AM, Tim Dunphy wrote:
>>> And if I do an ifconfig command I see no evidence of an eth1 existing.
>>
>> "ifconfig -a" will show you all of your interfaces.
>
> Maybe there is a confusion here. Sounds like Tim thought keepalived would
> create that eth1, like a tunnel interface, but it won't. You have to
> specify an interface that actually exists so that the VIP address will be
> added as a secondary address to that interface.
>
> HTH
>
> Marcelo
[CentOS] Keepalived vrrp problem
Hey guys,

I'm trying to install keepalived 1.2.19 on a centos 6.5 machine. I did an install from source. And when I start keepalived this is what I'm seeing in the logs. It's reporting that the VRRP_Instance(VI_1) Now in FAULT state. Here's more of that log entry:

Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:  VRRP Instance = VI_1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Using VRRPv2
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Want State = MASTER
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Runing on device = eth1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Gratuitous ARP repeat = 5
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Gratuitous ARP refresh repeat = 1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Virtual Router ID = 51
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Priority = 101
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Advert interval = 1 sec
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Accept disabled
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:    Virtual IP = 1
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]:      10.40.116.34/32 dev eth1 scope global
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]: Using LinkWatch kernel netlink reflector...
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]: VRRP sockpool: [ifindex(3), proto(112), unicast(0), fd(10,11)]
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: --< Global definitions >--
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  Router ID = USECLSNDMNRDBA
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  VRRP IPv4 mcast group = 224.0.0.18
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  VRRP IPv6 mcast group = ff02::12
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: --< SSL definitions >--
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]:  Using autogen SSL context
Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_healthcheckers[44942]: Using LinkWatch kernel netlink reflector...
Sep 29 12:06:59 USECLSNDMNRDBA Keepalived_vrrp[44943]: Kernel is reporting: interface eth1 DOWN
Sep 29 12:06:59 USECLSNDMNRDBA Keepalived_vrrp[44943]: VRRP_Instance(VI_1) Now in FAULT state

And if I do an ifconfig command I see no evidence of an eth1 existing.

Also I can't ping the virtual address that I'm trying to create:

# ping -c 5 10.40.116.34
PING 10.40.116.34 (10.40.116.34) 56(84) bytes of data.
From 10.40.116.30 icmp_seq=2 Destination Host Unreachable
From 10.40.116.30 icmp_seq=3 Destination Host Unreachable
From 10.40.116.30 icmp_seq=4 Destination Host Unreachable
From 10.40.116.30 icmp_seq=5 Destination Host Unreachable

--- 10.40.116.34 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 14001ms
pipe 3

Here are my configs starting with the first machine:

# cat keepalived.conf
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101                      # 101 on master, 100 on backup
    vrrp_unicast_bind 10.40.116.30    # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.31    # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}

And here's the config on the second machine:

# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 100                      # 101 on master, 100 on backup
    vrrp_unicast_bind 10.40.116.31    # Internal IP of this machine
    vrrp_unicast_peer 10.40.116.30    # Internal IP of peer
    virtual_ipaddress {
        10.40.116.34
    }
}

Does anyone have any experience in solving this kind of problem? Any suggestions on how to resolve this would be great.

Thanks,
Tim
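The log says it plainly: "Kernel is reporting: interface eth1 DOWN", and keepalived answers a down or missing interface with FAULT, which is the behaviour you want from a failover daemon. Marcelo's point in the reply above is the real fix: the interface named in the config has to exist and be up before keepalived can hang a VIP on it (`ip link` or `ifconfig -a` shows interfaces that are down, plain ifconfig does not). The dont_track_primary workaround from the solution post does exactly what keepalived.conf(5) says it does, "ignore VRRP interface faults", so it stops keepalived from noticing that the interface is dead rather than making it usable; a VIP added that way answers ping from the host itself (any local address does, via lo) while being unreachable from the peer or anyone else, so test from another machine. The linter below is an added example (not code from the thread or from keepalived): a minimal parser for keepalived's brace syntax plus checks for the problems on this page, a per-instance check (interface present on the host, dont_track_primary set, own address in the peer list) and a pair check across two nodes (same virtual_router_id and VIPs, distinct priorities, unicast source and peer addresses that mirror each other). Upstream keepalived spells the unicast options unicast_src_ip and unicast_peer { }; the vrrp_unicast_bind / vrrp_unicast_peer names from the thread are accepted as well. NODE_A and NODE_B reproduce the two configs above.

```python
"""Lint a pair of keepalived VRRP configs (added example, not from the thread).
NODE_A / NODE_B mirror the configs in the thread; the checks are this example's own."""
import os


def parse_keepalived(text):
    """Minimal parser for keepalived's brace syntax. Blocks become dicts keyed by their
    header line ('vrrp_instance VI_1'); 'key value' lines become key -> value, and
    bare lines (VIPs, flags such as dont_track_primary) become key -> True."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("!", 1)[0].strip()   # both '#' and '!' start comments
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            cur[line[:-1].strip()] = block
            stack.append(cur)
            cur = block
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            cur = stack.pop()
        else:
            parts = line.split(None, 1)
            cur[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    if stack:
        raise ValueError("unclosed '{'")
    return root


def unicast_addresses(inst):
    """(source_ip, [peer_ips]) accepting upstream names (unicast_src_ip / unicast_peer { })
    and the patched names used in the thread (vrrp_unicast_bind / vrrp_unicast_peer)."""
    src = inst.get("unicast_src_ip") or inst.get("vrrp_unicast_bind")
    peers = inst.get("unicast_peer") or inst.get("vrrp_unicast_peer") or {}
    return src, (list(peers) if isinstance(peers, dict) else [peers])


def host_interfaces():
    """Interface names the kernel knows about, up or down (same view as `ip link`)."""
    try:
        return set(os.listdir("/sys/class/net"))
    except OSError:
        return set()


def check_instance(inst, ifaces):
    """Problems with one vrrp_instance block given the host's interface names."""
    problems = []
    iface = inst.get("interface")
    if iface not in ifaces:
        problems.append("interface %s is not present on this host; keepalived will go FAULT" % iface)
    if "dont_track_primary" in inst:
        problems.append("dont_track_primary hides faults on %s; the VIP may land on a dead interface" % iface)
    src, peers = unicast_addresses(inst)
    if src and src in peers:
        problems.append("unicast peer list contains this host's own address %s" % src)
    if inst.get("state") == "MASTER" and "priority" not in inst:
        problems.append("MASTER without an explicit priority")
    return problems


def check_pair(cfg_a, cfg_b, instance="VI_1"):
    """Cross-node consistency for the same instance on two hosts."""
    a, b = cfg_a["vrrp_instance " + instance], cfg_b["vrrp_instance " + instance]
    problems = []
    if a.get("virtual_router_id") != b.get("virtual_router_id"):
        problems.append("virtual_router_id differs; the nodes would never see each other's adverts")
    if a.get("priority") == b.get("priority"):
        problems.append("equal priorities; VRRP breaks the tie on the higher primary IP instead")
    if set(a.get("virtual_ipaddress", {})) != set(b.get("virtual_ipaddress", {})):
        problems.append("virtual_ipaddress sets differ")
    src_a, peers_a = unicast_addresses(a)
    src_b, peers_b = unicast_addresses(b)
    if src_a not in peers_b or src_b not in peers_a:
        problems.append("unicast source/peer addresses are not mirror images of each other")
    return problems


NODE_A = """\
vrrp_instance VI_1 {
    interface eth1
    state MASTER
    virtual_router_id 51
    priority 101            # 101 on master, 100 on backup
    dont_track_primary
    vrrp_unicast_bind 10.40.116.30
    vrrp_unicast_peer 10.40.116.31
    virtual_ipaddress {
        10.40.116.34
    }
}
"""
NODE_B = NODE_A.replace("priority 101", "priority 100").replace("    dont_track_primary\n", "") \
               .replace("bind 10.40.116.30", "bind 10.40.116.31").replace("peer 10.40.116.31", "peer 10.40.116.30")

if __name__ == "__main__":
    local = parse_keepalived(open("/etc/keepalived/keepalived.conf").read())
    for name, inst in local.items():
        if name.startswith("vrrp_instance "):
            for p in check_instance(inst, host_interfaces()):
                print(name + ":", p)
```

On the host from the thread, check_instance() against host_interfaces() reports eth1 missing, which is the condition to fix (bring the interface up, or point `interface` at the one that carries 10.40.116.30) before anything else.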
[CentOS] setting up solr/tomcat gives 404 page
Hey all,

I tried following a few guides and I'm struggling with trying to setup apache solr 4.10 under apache tomcat 7.0.64 along with the drupal config necessary to get this working with drupal.

The latest guide I followed was this one which seemed like it might work:

http://duntuk.com/how-install-apache-solr-46-apache-tomcat-7-use-drupal

I followed everything to the letter and ended up with a 404 status page when I hit http://ipaddress:8080/solr

I think the answer lies in renaming the 'collection1' core to the right location under the name 'drupal'. But how to do that seems to be left out of that tutorial.

In the tomcat logs I just see the following:

100.116.32.93 - - [09/Sep/2015:16:52:56 -0400] "GET /solr HTTP/1.1" 404 959

Which isn't very informative!!

Any chance I can get some help in getting this working?

Thanks,
Tim
Re: [CentOS] apache mysterious 404 error
] On Behalf Of Tim Dunphy
Sent: Thursday, August 27, 2015 5:18 PM
To: CentOS mailing list centos@centos.org
Subject: [CentOS] apache mysterious 404 error
Re: [CentOS] apache mysterious 404 error
Hi Robert,

It's this:

drwxr-xr-x. 2 daemon daemon 4096 Aug 27 12:34 /var/www/mycompanyStore/images

Thanks,
Tim

On Fri, Aug 28, 2015 at 11:17 AM, Robert Wolfe <robert.wo...@malco.com> wrote:

What is the absolute path on the server that /mycompanyStore/images/ is stored in?

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Tim Dunphy
Sent: Friday, August 28, 2015 10:12 AM
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] apache mysterious 404 error

Hey guys,

Sorry for the failed attempts at obscuring the company I work for. My boss wouldn't take too kindly to it if I revealed that information on a mailing list. :)

So anyway, I realized that capitalization might be the problem. So I renamed the directory to match what was in the URL. That didn't solve the problem. However I noticed this message turning up in the logs:

[Fri Aug 28 01:27:30.057020 2015] [proxy:warn] [pid 23782:tid 139661984888576] [client 173.213.212.234:14579] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:27:30.057216 2015] [proxy:warn] [pid 23780:tid 139661995378432] [client 173.213.212.234:14577] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:27:43.377172 2015] [proxy:warn] [pid 23890:tid 139661827540736] [client 173.213.212.234:2425] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/altImg.png. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:27:43.377269 2015] [proxy:warn] [pid 23889:tid 139661942929152] [client 173.213.212.234:2426] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:27:43.377384 2015] [proxy:warn] [pid 23889:tid 139661953419008] [client 173.213.212.234:2427] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:27:43.382079 2015] [proxy:warn] [pid 23891:tid 139662047827712] [client 173.213.212.234:2430] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_792x413_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:28:01.750944 2015] [proxy:warn] [pid 23977:tid 139661911459584] [client 173.213.212.234:6011] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/altImg.png. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:28:01.751086 2015] [proxy:warn] [pid 23978:tid 139662016358144] [client 173.213.212.234:6013] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_485x1215_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:28:01.755018 2015] [proxy:warn] [pid 23977:tid 139661890479872] [client 173.213.212.234:6012] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_792x413_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/
[Fri Aug 28 01:28:01.755120 2015] [proxy:warn] [pid 23978:tid 139662005868288] [client 173.213.212.234:6014] AH01144: No protocol handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://stage.theshopatmycompanystudios.com/

So taking the advice of that error I tried enabling all the proxy modules in the apache config:

LoadModule proxy_module modules/mod_proxy.so
Re: [CentOS] camgirl spam on the list
Hey Fabian,

Here's the headers for one of the spam responses I got from the list:

from: Tracy tracy12...@safeloves.com
reply-to: tracy12...@safeloves.com
to: Tim Dunphy bluethu...@gmail.com
date: Fri, Aug 28, 2015 at 2:19 PM
subject: Re: [CentOS] apache mysterious 404 error
mailed-by: safeloves.com
signed-by: safeloves.com
: Important mainly because it was sent directly to you.

Please let me know if that's not what you're looking for!

Thanks,
Tim

On Fri, Aug 28, 2015 at 5:18 PM, Fabian Arrotin <arr...@centos.org> wrote:
> On 28/08/15 22:24, John R Pierce wrote:
>> On 8/28/2015 1:21 PM, Robert Wolfe wrote:
>>> I've been getting that intermittently during the day today.
>>
>> I haven't seen any since I put the sending domain with a 'DISCARD' in
>> my /etc/mail/access database (using sendmail here)
>
> Well, is there another domain involved now? It seems the previous spammer
> (using multiple VMs on DigitalOcean network) had been blocked.
> As nothing is sent through the mailman/centos.org server, I can't even
> look at logs, but if you have useful information (like some headers),
> feel free to forward those to me (and not on the list).
>
> Cheers,
>
> --
> Fabian Arrotin
> The CentOS Project | http://www.centos.org
> gpg key: 56BEC54E | twitter: @arrfab
[CentOS] camgirl spam on the list
Hey guys,

I just noticed this recently in my latest posts to the list. But I've noticed that every time I mail the list for some advice, I get hit with spam from a camgirl site like every other message.

Kinda funny actually. But also annoying!!

Anyone else experience this? Maybe this is something the admins/moderators can take care of!

Thanks,
Tim
Re: [CentOS] apache mysterious 404 error
Guys,

We actually found the problem. The problem was actually in a javascript file. It was referring to its parent directory as mycompanyStore. So once I noticed that, I went into that directory and created a symlink:

ln -s . mycompanyStore

from within that directory. That let the javascript know that the directory it was in was actually the one that it wanted. Before that was done Apache was looking for the image files in /var/www/mycompanyStore/mycompanyStore/images/foo.img

Once I put that symlink in place, that actually corrected the problem. So I told the developer what I'd done and she fixed the JS to end up with the same effect. So now the problem is fixed!

Anyway, I really do appreciate the support you guys are always ready with on the list!!

Thanks,
Tim

On Fri, Aug 28, 2015 at 1:06 PM, Tony Mountifield <t...@softins.co.uk> wrote:
> In article <0f55e883640c125375c75...@ritz.innovate.net>,
> Richard <lists-cen...@listmail.innovate.net> wrote:
>> Also need to see the error_log entries from the back-end httpd server
>> that's serving from the documentroot. The proxy server's logs (whether
>> it should be there or not) only show the proxy issues, not the issues
>> that are causing the 404s, so aren't really relevant to the 404 issue.
>> The back-end server's logs will indicate why the file can't be found,
>> or generally at least pretty good hints.
>
> The first question is: are there even a separate back-end and front-end,
> or is it just a single server that is misconfigured and is trying to do
> proxy operations when it shouldn't? It sounds to me like the latter.
>
> Cheers
> Tony
> --
> Tony Mountifield
> Work: t...@softins.co.uk - http://www.softins.co.uk
> Play: t...@mountifield.org - http://tony.mountifield.org
[CentOS] apache mysterious 404 error
Hey guys,

Just have a question about apache. Hoping to get an opinion on this. I've just setup a site under apache 2.4. And made sure that the document root setup in the vhost for the site I'm serving has permissions for the apache user. Yet some of the files are throwing a 404 error in a browser even though they are clearly present and accounted for on the file system.

For example, I'm getting this error:

(index):1 GET http://stage.theshopatmycomany.com/mycomanyStore/images/altImg.png 404 (Not Found)
(index):1 GET http://stage.theshopatmycomany.com/mycomanyStore/images/Jimmy_485x1215_R2.jpg 404 (Not Found)
(index):1 GET http://stage.theshopatmycomany.com/mycomanyStore/images/Jimmy_792x802_R2.jpg 404 (Not Found)
(index):1 GET http://stage.theshopatmycomany.com/mycomanyStore/images/Jimmy_792x413_R2.jpg 404 (Not Found)

And yet as I mentioned all those files are definitely there on the file system:

[root@aozwsls00019la apache2]# ls -l /var/www/mycomanystore/images/altImg.png /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
-rw-r--r--. 1 daemon daemon    128 Aug 27 12:22 /var/www/mycomanystore/images/altImg.png
-rw-r--r--. 1 daemon daemon 260983 Jul 16 14:03 /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
-rw-r--r--. 1 daemon daemon 126628 Jul 16 14:00 /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
-rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg

And all those files have the correct ownership for apache:

[root@aozwsls00019la apache2]# egrep -i 'user|group' conf/httpd.conf | egrep -i -v -e '#' -e log -e module
User daemon
Group daemon

All the files are owned by daemon:daemon!! So why on earth are these files giving a 404?

This is my virtual host for the site:

<VirtualHost *>
    ServerAdmin timothy.dun...@mycomany.com
    DocumentRoot /var/www/mycomanystore
    ServerName stage.theshopatmycomanystudios.com
    ServerAlias 173.213.219.48
    ErrorLog logs/store_error_log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs/store_access_log common
    <Directory /var/www/mycomanystore>
        DirectoryIndex index.html
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
    </Directory>
    ExpiresActive On
    ExpiresDefault "access plus 30 minute"
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>

Thanks
Tim
Re: [CentOS] apache mysterious 404 error
Hey Rodrigo,

Thanks for your reply. Well those errors are pulled from the Chrome developer tools. I notice if I do a GET on that file using both all lower case as well as the upper case that's in the URL I get the same result:

[root@aozwsls00019la apache2]# GET http://stage.theshopatmycompanystudios.com/mycopmanyStore/images/altImg.png
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /mycompanyStore/images/altImg.png was not found on this server.</p>
</body></html>

[root@aozwsls00019la apache2]# GET http://stage.theshopatmycompanystudios.com/mycompanystore/images/altImg.png
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /mycpmpanystore/images/altImg.png was not found on this server.</p>
</body></html>

This is how that file looks on the command line. I made a symlink to account for the change in case, because I realize that's relevant:

-rw-r--r--. 1 daemon daemon 128 Aug 27 12:22 /var/www/nbcstore/images/altImg.png
-rw-r--r--. 1 daemon daemon 128 Aug 27 12:22 /var/www/mycompanyStore/images/altImg.png

Still not sure why I'm not able to do a GET on that and those other files.

Appreciate your input tho! And any other advice is certainly welcome!

Tim

On Thu, Aug 27, 2015 at 7:42 PM, Rodrigo Maia rod.pm...@gmail.com wrote:

> Hi
>
> apache on GNU/Linux is case-sensitive
>
> samples:
>
> /var/www/mycomanystore/images/altImg.png
> /var/www/mycomanystore/images/Jimmy_485x1215_R2.jpg
> /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
> /var/www/mycomanystore/images/Jimmy_792x413_R2.jpg
>
> on browser :
>
> (index):1 GET http://stage.theshopatmycomany.com/mycomanyStore/images/altImg.png
>
> try :
>
> (index):1 GET http://stage.theshopatmycomany.com/mycomanystore/images/altImg.png
> http://stage.theshopatmycomany.com/mycomanyStore/images/altImg.png
>
> 2015-08-27 19:18 GMT-03:00 Tim Dunphy bluethu...@gmail.com:
>
>> Hey guys,
>>
>> Just have a question about apache.
>> [...]
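What the thread converged on is a path problem, not a permissions one: Linux filesystems are case-sensitive (Rodrigo's point), and the page's JavaScript asked for /mycompanyStore/images/... under a DocumentRoot that already ended in that directory, so httpd looked for /var/www/mycompanyStore/mycompanyStore/images/... The following is an added example, not code from the thread: a POSIX sh helper that takes a DocumentRoot and a request path (as it appears in a 404 line of the access log) and reports which of those situations applies. The directory it builds under mktemp for the demo is constructed. One caveat on the workaround that was used: `ln -s . mycompanyStore` inside the docroot makes the tree self-referential, so any tool that dereferences symlinks while walking it can loop; the durable fix is the one the developer made, correcting the reference in the JS.

```shell
#!/bin/sh
# Added example (not from the thread): classify an httpd 404 against the
# DocumentRoot. check_path DOCROOT REQUEST_PATH prints one of
#   ok:<path>                exact, case-correct hit
#   case-mismatch:<path>     the file exists, but with different letter case
#   docroot-repeated:<path>  the request repeats the DocumentRoot's own last
#                            component (what the JS in the thread produced)
#   missing                  nothing resembling it exists

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# find_ci DIR REL: case-insensitive lookup of REL below DIR, one path
# component at a time; prints the real path on success, returns 1 otherwise.
find_ci() {
    cur=$1
    set -f                          # no globbing while we split on '/'
    oldifs=$IFS; IFS=/
    set -- $2
    IFS=$oldifs; set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue              # skip empty pieces from '//'
        match=
        for entry in "$cur"/*; do
            [ -e "$entry" ] || continue         # empty dir leaves a literal '*'
            if [ "$(lower "${entry##*/}")" = "$(lower "$comp")" ]; then
                match=$entry
                break
            fi
        done
        [ -n "$match" ] || return 1
        cur=$match
    done
    printf '%s\n' "$cur"
}

check_path() {
    docroot=${1%/}
    rel=${2%%\?*}                   # drop any query string
    rel=${rel#/}
    # On a case-sensitive filesystem this is the exact test httpd performs.
    if [ -e "$docroot/$rel" ]; then
        echo "ok:$docroot/$rel"
        return 0
    fi
    if real=$(find_ci "$docroot" "$rel"); then
        echo "case-mismatch:$real"
        return 1
    fi
    first=${rel%%/*}
    rest=${rel#*/}
    if [ "$first" != "$rel" ] && [ "$(lower "$first")" = "$(lower "${docroot##*/}")" ] \
        && [ -e "$docroot/$rest" ]; then
        echo "docroot-repeated:$docroot/$rest"
        return 2
    fi
    echo missing
    return 3
}

# Demo on a constructed DocumentRoot laid out like the one in the thread.
demo_docroot=$(mktemp -d)/mycompanystore
mkdir -p "$demo_docroot/images"
: > "$demo_docroot/images/altImg.png"
for req in /images/altImg.png /Images/altimg.png /mycompanyStore/images/altImg.png /images/missing.png; do
    printf '%-40s %s\n' "$req" "$(check_path "$demo_docroot" "$req")"
done
rm -rf "${demo_docroot%/*}"
```

Feed it the DocumentRoot from the vhost and the request paths from the 404 lines in store_access_log; a run of docroot-repeated answers points at the page's HTML or JS, not at file permissions.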
[CentOS] echo password into bash script
Hey guys,

I'm trying to echo my password into some commands inside of a bash script. But I think I'm going about it incorrectly.

Here's the top part of my script:

#!/bin/bash
pub=~/.ssh/id_rsa.pub
dps_pass=my_pass
ssh=/usr/bin/ssh
scp=/usr/bin/scp

for i in 10.10.10.2{5,6}
do
    echo "xfring key up"
    echo "$dps_pass" | $scp "$pub" digitalplatform@$i:

And here's how it executes:

#bash -x deploy_key.sh
+ pub='~/.ssh/id_rsa.pub'
+ dps_pass='nbcuV01P!'
+ ssh=/usr/bin/ssh
+ scp=/usr/bin/scp
+ for i in 10.10.10.2{5.6}
+ echo 'xfring key up'
xfring key up
+ echo 'my_pass'
+ /usr/bin/scp /Users/my_user/.ssh/id_rsa.pub digitalplatform@10.10.10.25:
Password:

Can someone please let me know where I'm going wrong?

Thanks
Tim
Re: [CentOS] echo password into bash script
> Don't try to automate your password like this for scp or other ssh-related apps. Generate and use a public/private keypair instead and your script will then be able to connect without prompting for a password.

Well, look at the lines in my script that I'm showing here. That's exactly what I'm doing. Copying up my public key so that later in the script (which I didn't show, no need to I think) is to cat the public key into place and make sure there are proper permissions etc on the .ssh directory on the remote machine.

But Eero and others are right.. I'll be much better off using expect to get this type of work done. It's just that I'm more familiar with bash so I thought that there might be a good way to do it with that also.

On Tue, Aug 25, 2015 at 4:04 PM, Peter pe...@pajamian.dhs.org wrote:

> On 08/26/2015 04:51 AM, Tim Dunphy wrote:
>> Hey guys,
>>
>> I'm trying to echo my password into some commands inside of a bash script. But I think I'm going about it incorrectly.
>>
>> Here's the top part of my script:
>> [...]
>
> Don't try to automate your password like this for scp or other ssh-related apps. Generate and use a public/private keypair instead and your script will then be able to connect without prompting for a password.
>
> Peter
Re: [CentOS] echo password into bash script
> Use expect?

yep! Expect should work.

Thanks

On Tue, Aug 25, 2015 at 12:56 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

> Use expect?
>
> Eero
>
> On 25.8.2015 7.52 pm, Tim Dunphy bluethu...@gmail.com wrote:
>
>> Hey guys,
>>
>> I'm trying to echo my password into some commands inside of a bash script. But I think I'm going about it incorrectly.
>>
>> Here's the top part of my script:
>> [...]
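The pipe in the script above cannot work because ssh and scp read the password from the controlling terminal, not from standard input, which is why the trace ends at a live Password: prompt regardless of what was echoed. Two other things the trace shows are worth noting from the defender's side: `bash -x` prints every expansion, so the real password ended up in the terminal and in this mail, and an expect script would have to carry the same password in clear text. The key-based route Peter describes needs no stored secret at all. The block below is an added example, not code from the thread: it implements the remote-side step Tim mentions (putting the key in place with the right permissions) as an idempotent POSIX sh function, so it can be run repeatedly from a loop like the one in the post without duplicating keys; the key blob and home directory in the demo are constructed. On CentOS 7 the whole exchange, local and remote, is what `ssh-copy-id -i ~/.ssh/id_rsa.pub user@host` does, with one interactive prompt per host.

```shell
#!/bin/sh
# Added example (not from the thread): the remote-side half of key
# deployment, done idempotently and with the modes that sshd's StrictModes
# check requires (700 on ~/.ssh, 600 on authorized_keys).
# install_pubkey PUBKEY_FILE HOME_DIR prints "added" or "present".
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    sshdir=$home_dir/.ssh
    auth=$sshdir/authorized_keys

    key=$(head -n 1 "$pubkey_file") || return 1
    # Accept only a single public-key line: a private key or stray shell
    # output must never be appended to authorized_keys.
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Compare key type + base64 blob only; the trailing comment may differ.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if grep -qF -- "$blob" "$auth"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth"
        echo added
    fi
}

# key_count HOME_DIR: number of keys currently authorised for the account.
key_count() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return; }
    grep -cE '^(ssh-|ecdsa-)' "$f" || true
}

# Demo with a constructed key blob (not a real key) and a temporary home.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlobNotARealKey0000000 tim@laptop\n' > "$demo_home/id.pub"
install_pubkey "$demo_home/id.pub" "$demo_home"     # prints: added
install_pubkey "$demo_home/id.pub" "$demo_home"     # prints: present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The permissions are not cosmetic: with StrictModes (the default), sshd silently ignores an authorized_keys file whose directory or file is group- or world-writable, and the client side only sees the server falling back to password authentication.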
Re: [CentOS] wordpess can't connect to DB but mediawiki can
> Use that db and then issue:
>
> select * from db where Db='jfwiki' or Db='jokefire' order by Host;

Well yeah. I used the mysql database before I issued that command.

MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

Then if I run that command for some reason there's no jfwiki or jokefire entry in the db table:

MariaDB [mysql]> select * from db where Db='jfwiki' or Db='jokefire' order by Host;
Empty set (0.00 sec)

For some reason another database I imported to do bacula backups has an entry in the db table:

MariaDB [mysql]> select Host,Db from db;
+-----------+--------+
| Host      | Db     |
+-----------+--------+
| %         | bacula |
| localhost | bacula |
+-----------+--------+
2 rows in set (0.00 sec)

However I'm thinking more along the lines of my php mysql client having an issue. Although I'm still a little stuck on why the wiki works without any problem and why neither my php script nor wordpress are able to connect to the db. It's really strange how that's happening!

On Sat, Aug 15, 2015 at 6:12 PM, Richard lists-cen...@listmail.innovate.net wrote:

> Date: Saturday, August 15, 2015 17:57:03 -0400
> From: Tim Dunphy bluethu...@gmail.com
>
>> [...]
>
> The mysql access control bits are in tables in the mysql db that's in your list above.
>
> +---------------------------+
> | Tables_in_mysql           |
> +---------------------------+
> | columns_priv              |
> | db                        |
> | event                     |
> | func                      |
> ...
>
> Use that db and then issue:
>
> select * from db where Db='jfwiki' or Db='jokefire' order by Host;
Re: [CentOS] wordpess can't connect to DB but mediawiki can
> You were doing this (looking at the mysql.db table) on your db.example.com machine, correct?

db.example.com is a load balanced VIP. The VIP is being handled by keepalived and HA/Proxy. There are two DB's setup in master/master replication. The two databases and two load balancers are on AWS. The web server and varnish servers are on digital ocean.

I setup a grant on db1 to allow access to the database from the load balancers. And those permissions were automatically replicated over to the second database. Once I set that up I was able to mysql into the load balanced database and the media wiki started working. But the wordpress site and the test php script still couldn't access the load balanced database.

Thanks

On Sat, Aug 15, 2015 at 10:26 PM, Richard lists-cen...@listmail.innovate.net wrote:

> You were doing this (looking at the mysql.db table) on your db.example.com machine, correct?
>
> Original Message
> Date: Saturday, August 15, 2015 19:32:25 -0400
> From: Tim Dunphy bluethu...@gmail.com
> To: CentOS mailing list centos@centos.org
> Subject: Re: [CentOS] wordpess can't connect to DB but mediawiki can
>
>> [...]
Re: [CentOS] wordpess can't connect to DB but mediawiki can
Hi Richard,

I actually made some progress on this. The problem was SSL. Once I took the SSL requirement out of the picture for the user everything worked. The test php script and the wordpress site both.

Originally when I setup my wiki it NEEDED SSL. Because there was some sensitive data in it. My website, however, is just a goofball toy project of mine. And doesn't really need that. But since I have this done for my wiki I was like why not?

I stumbled getting the mediawiki to connect via SSL. Once I found the setting $wgDBssl = true; for media wiki it just worked. For my wordpress site, I found the setting define('DB_SSL', true);. I set that up in wp-config.php. However for some reason that wasn't the silver bullet that the mediawiki SSL database setting was ( $wgDBssl = true; ).

I can understand why my little test script couldn't work with an SSL user. But do you have any idea why that wordpress setting won't allow the site to connect to the DB? While it may not be of super high importance to have my site contact the DB via SSL, it would still be a nice thing to have.

Thanks,
Tim

On Sat, Aug 15, 2015 at 10:45 PM, Tim Dunphy bluethu...@gmail.com wrote:

>> You were doing this (looking at the mysql.db table) on your db.example.com machine, correct?
>
> db.example.com is a load balanced VIP. The VIP is being handled by keepalived and HA/Proxy.
> [...]
Re: [CentOS] wordpess can't connect to DB but mediawiki can
> [this isn't really a centos issue, even if you're using centos, which isn't obvious. that said ...]

Yeah that's true. But this list tends to be rather helpful for general problems that are less specific to centos. Sometimes. :) Really seems to depend... Incidentally I am using centos on all hosts:

#cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)

OK now that that's out of the way, for some reason I don't seem to have an entry in my db database for either jokefire or jfwiki:

MariaDB [mysql]> select * from db where Db like 'jfwiki' or Db like 'jokefire';
Empty set (0.00 sec)

Not sure why that would be the case. They're definitely there on this database server:

MariaDB [mysql]> show databases;
+--------------------+
| Database           |
+--------------------+
| bacula             |
| information_schema |
| jfwiki             |
| jokefire           |
| mysql              |
| performance_schema |
+--------------------+
6 rows in set (0.00 sec)

Any other ideas?

Thanks,
Tim

On Sat, Aug 15, 2015 at 3:07 PM, Richard lists-cen...@listmail.innovate.net wrote:

> Date: Saturday, August 15, 2015 13:53:28 -0400
> From: Tim Dunphy bluethu...@gmail.com
>
>> Hey guys,
>>
>> I'm running both a wordpress site as well as a mediawiki off of the same web servers. The mediawiki site works great! The wordpress site, meh. Not so much. I keep getting the common database connection error:
>>
>> Error establishing a database connection
>>
>> And as far as I can tell the settings between the mediawiki site and the wordpress site are nearly identical.
>> ... snip ...
>
> [this isn't really a centos issue, even if you're using centos, which isn't obvious. that said ...]
>
> I would start by looking at the access control entries for the wp and mw dbs, (in the mysql.db table). Based on what you are trying here, there should be matching entries in that table for the Dbs jokefire and jfwiki (e.g., for the Host as well as the various _priv fields).
>
> select * from db where Db='jokefire' or Db='jfwiki' order by Host\g
>
> There may be something else going on, but without knowing that the access control is as it should be there's not much value in speculating.
[CentOS] wordpess can't connect to DB but mediawiki can
Hey guys,

I'm running both a wordpress site as well as a mediawiki off of the same web servers. The mediawiki site works great! The wordpress site, meh. Not so much. I keep getting the common database connection error:

Error establishing a database connection

And as far as I can tell the settings between the mediawiki site and the wordpress site are nearly identical. Here's the media wiki config first since that one's working:

## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBtype = "mysql";
$wgDBservers = '';
$wgDBserver = "db.example.com";
$wgDBssl = true;
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
$wgDBpassword = "secret";

And here's what the wordpress database connection settings look like since they are not:

/** MySQL database username */
define('DB_NAME', 'jokefire');
define('DB_USER', 'admin_ssl');

/** MySQL database password */
define('DB_PASSWORD', 'secret');

/** MySQL hostname */
define('DB_HOST', 'db.example.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Contact the database over a secure connection */
define('DB_SSL', true);

I realize that they're not exactly the same. But I think you can make an easy correlation between the mediawiki settings and the settings for wordpress. And they look similar enough to think that wordpress should be working. Right? The only real other difference is the name of the database each site is using, which I guess makes sense. But the fact that mediawiki works fine tells me that the user and password set for both sites has access to the database.

Just for laughs I use the account settings from the wordpress config to demonstrate that I can connect to the DB on the command line. Again, it's the same account info that I have in the wiki site:

#mysql -uadmin_ssl -p -h db.example.com -D jokefire -e "show tables" | head -5
Enter password:
Tables_in_jokefire
wp_bp_activity
wp_bp_activity_meta
wp_bp_chat_channel_users
wp_bp_chat_channels

Also, I created a basic php script to see if it could connect to the database

<?php
$link = mysql_connect('db.example.com', 'admin_ssl', 'secret');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
?>

And to my surprise it can't connect!

php testconnect.php
Could not connect: Access denied for user 'admin_ssl'@'ec2-54-86-143-49.compute-1.amazonaws.com' (using password: YES)

Why am I surprised that it can't? Because again 1) the wiki can connect to the database no problem. And 2) I can connect to the db on the command line using the same credentials.

My API Client version is:

Client API version mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $

There are two MySQL databases configured in a master/master setup. The database address is a VIP that is load balanced on the same two HA/Proxy nodes. The two database servers are using MariaDB version 10.0.20-1. There's 3 web servers sitting behind a VIP as well. But to troubleshoot this I just put the IP address of the 1st web server into my hosts file and I'm using that as the site name.

I'm not really sure how important it is to know all of that about the load balanced aspects of the site. But I wanted to get those details out into the open just in case they were important.

Thanks in advance!
Tim
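The resolution Tim posts later in the thread (the account was created with an SSL requirement) turns this into a repeatable check. Two things make the symptom confusing: an account with REQUIRE SSL that is contacted without TLS is refused with the very same "Access denied ... (using password: YES)" a wrong password produces, and a successful login from the mysql CLI only proves that that client negotiated TLS, nothing about a library call that never asked for it. The script below is an added example, not code from the thread or from MediaWiki or WordPress: it classifies SHOW GRANTS output for the account, parses the Ssl_cipher status variable to see whether a session is actually encrypted, and (live, from the web host) connects with and without `--ssl`. The grant and status lines it runs on are constructed; `probe_mysql_tls` needs a reachable server and the MariaDB or pre-8.0 MySQL client, which take `--ssl` (MySQL 8 uses `--ssl-mode=REQUIRED` instead). On the WordPress side, core's wpdb reads the `MYSQL_CLIENT_FLAGS` constant (for example `define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);`), not a `DB_SSL` define.

```shell
#!/bin/sh
# Added example (not from the thread): tell "wrong credentials" apart from
# "account requires TLS and this client did not negotiate it".

# grants_require_tls: read SHOW GRANTS lines on stdin; print "tls-required"
# if any grant carries a REQUIRE clause that forces TLS, else "tls-optional".
grants_require_tls() {
    if grep -qiE "REQUIRE[[:space:]]+(SSL|X509|CIPHER|ISSUER|SUBJECT)"; then
        echo tls-required
    else
        echo tls-optional
    fi
}

# ssl_cipher_from_status: read the tab-separated output of
#   mysql -e "SHOW STATUS LIKE 'Ssl_cipher'"
# on stdin and print the negotiated cipher, or "none" for a plaintext session.
ssl_cipher_from_status() {
    awk -F"$(printf '\t')" '$1 == "Ssl_cipher" { c = $2 } END { print (c == "" ? "none" : c) }'
}

# probe_mysql_tls CRED_FILE HOST DB: live check, meant to be run from the web
# host. CRED_FILE is a my.cnf-style file with a [client] section holding
# user= and password=, so the password never appears on the command line.
probe_mysql_tls() {
    cred=$1; host=$2; db=$3
    for mode in plain tls; do
        flag=
        if [ "$mode" = tls ]; then flag=--ssl; fi
        if out=$(mysql --defaults-extra-file="$cred" $flag -h "$host" -D "$db" \
                       -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1); then
            echo "$mode: connected, cipher=$(printf '%s\n' "$out" | ssl_cipher_from_status)"
        else
            echo "$mode: $out"
        fi
    done
}

# Constructed SHOW GRANTS output for the demo (not copied from a real server).
sample_grants() {
    printf '%s\n' \
        "GRANT USAGE ON *.* TO 'admin_ssl'@'%' IDENTIFIED BY PASSWORD '<secret>' REQUIRE SSL" \
        "GRANT ALL PRIVILEGES ON \`jokefire\`.* TO 'admin_ssl'@'%'"
}

echo "grants:        $(sample_grants | grants_require_tls)"
echo "tls session:   $(printf 'Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\n' | ssl_cipher_from_status)"
echo "plain session: $(printf 'Variable_name\tValue\nSsl_cipher\t\n' | ssl_cipher_from_status)"
# Live run, e.g. from the web server (credentials file is an assumption):
#   probe_mysql_tls ~/.my-probe.cnf db.example.com jokefire
```

If the plain probe is refused and the tls probe connects with a cipher, the account is fine and the application client is the thing to fix; if both are refused, look at the grant's Host column and the password first.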
Re: [CentOS] can't ssh into C7 host
Cool thanks! I'll check it out.

On Sat, Jul 18, 2015 at 9:56 PM, Alexander Dalloz ad+li...@uni-x.org wrote:

> On 19.07.2015 at 01:58, Tim Dunphy wrote:
>> hey guys,
>>
>> Yesterday I had no trouble logging into this database host. But today for some reason I can't log in using my RSA key and password authentication doesn't work either. I am able to log onto the host via console. And I was able to grab the ssh config file. Here it is:
>>
>> [root@db1 ~]# grep -v '#' /etc/ssh/sshd_config |sed '/^\s*$/d'
>
> egrep -v '^#|^$' /etc/ssh/sshd_config
>
> would be straighter.
>
>> HostKey /etc/ssh/ssh_host_rsa_key
>> HostKey /etc/ssh/ssh_host_ecdsa_key
>> SyslogFacility AUTHPRIV
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication no
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> So I performed a verbose ssh login, and this is what I saw:
>>
>> #ssh -vvv bluethu...@db1.example.com
>> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>> debug1: Reading configuration data /Users/MyUser/.ssh/config
>
> Odd path.
>
>> debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of negated match for *.example.com
>> debug1: Reading configuration data /etc/ssh_config
>> debug1: /etc/ssh_config line 20: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to db1.example.com [104.131.222.29] port 22.
>> debug1: Connection established.
>> debug3: Incorrect RSA1 identifier
>> debug3: Could not load /Users/MyUser/.ssh/id_rsa as a RSA1 public key
>
> What's wrong there?
>
>> [ ... ]
>> debug1: Local version string SSH-2.0-OpenSSH_6.2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
>> debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*
>
> I don't see CentOS 7 involved here, neither local nor remote.
>
>> [ ... ]
>> debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey,password
>> debug1: Trying private key: /Users/MyUser/.ssh/id_dsa
>> debug3: no such identity: /Users/MyUser/.ssh/id_dsa: No such file or directory
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred: ,password
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> bluethu...@db1.example.com's password:
>>
>> Can anyone give me a heads up as to why this is failing?
>
> Read the syslog() logfile of the SSH daemon logging. That should give you a hint.
>
>> Thanks,
>> Tim
>
> Alexander
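Alexander's advice is the right one because the client-side trace above stops at "Authentications that can continue: publickey,password": sshd deliberately tells the client only that the key was not accepted, never why. The reason is on the server. With the posted `SyslogFacility AUTHPRIV`, CentOS 7 writes it to /var/log/secure (or `journalctl -u sshd`). The block below is an added example, not code from the thread: POSIX sh functions that summarise sshd's outcomes, list the files sshd rejected under StrictModes (the classic "my key worked yesterday" cause after a chmod or chown on the home directory), and count password failures per source address. The log lines it runs on are constructed in /var/log/secure format; the usernames, host and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd's own log to see why
# logins fail. All functions read log lines on stdin, e.g.
#   grep sshd /var/log/secure | summarize_sshd_log

# summarize_sshd_log: count the outcomes sshd reports, one "name=count" per
# line, sorted so the output is stable.
summarize_sshd_log() {
    awk '
        /Authentication refused: bad ownership or modes/ { n["bad-modes"]++;     next }
        /Failed password for invalid user/              { n["invalid-user"]++;  next }
        /Failed password for/                           { n["bad-password"]++;  next }
        /Accepted publickey for/                        { n["key-ok"]++;        next }
        /Accepted password for/                         { n["password-ok"]++;   next }
        /not allowed because/                           { n["policy-denied"]++; next }
        /Did not receive identification string/         { n["no-banner"]++;     next }
        END { for (k in n) printf "%s=%d\n", k, n[k] }
    ' | LC_ALL=C sort
}

# bad_mode_paths: files or directories sshd refused under StrictModes. A key
# that is ignored for this reason makes sshd fall back to password auth, which
# is exactly what the client-side -vvv output in the thread shows.
bad_mode_paths() {
    sed -nE 's/.*bad ownership or modes for (directory|file) ([^ ]+).*/\2/p' | LC_ALL=C sort -u
}

# failed_by_source: password failures per source address, most frequent first.
failed_by_source() {
    sed -nE 's/.*Failed password for (invalid user )?[^ ]+ from ([^ ]+) port.*/\2/p' \
        | LC_ALL=C sort | uniq -c | LC_ALL=C sort -rn | awk '{ print $2 "=" $1 }'
}

# Constructed sample lines in /var/log/secure format (not from a real host).
sample_log() {
    cat <<'EOF'
Jul 18 21:30:01 db1 sshd[2211]: Authentication refused: bad ownership or modes for directory /home/bluethunder
Jul 18 21:30:01 db1 sshd[2211]: Failed password for bluethunder from 203.0.113.10 port 51234 ssh2
Jul 18 21:30:05 db1 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jul 18 21:30:06 db1 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Jul 18 21:31:00 db1 sshd[2220]: Accepted publickey for ops from 203.0.113.10 port 51300 ssh2: RSA SHA256:constructed
EOF
}

echo "== outcomes";        sample_log | summarize_sshd_log
echo "== strictmodes";     sample_log | bad_mode_paths
echo "== failures/source"; sample_log | failed_by_source
```

A bad-modes line naming the user's home directory is the whole diagnosis for a key that "stopped working": fix the ownership and the 700/600 modes on the directory, ~/.ssh and authorized_keys and the key is accepted again.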
[CentOS] can't ssh into C7 host
hey guys, Yesterday I had no trouble loggging into this database host. But today for some reason I can't log in using my RSA key and password authentication doesn't work either. I am able to log onto the host via console. And I was able to grab the ssh config file. Here it is: [root@db1 ~]# grep -v '#' /etc/ssh/sshd_config |sed '/^\s*$/d' HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key SyslogFacility AUTHPRIV AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication yes ChallengeResponseAuthentication no GSSAPIAuthentication yes GSSAPICleanupCredentials yes So I performed a verbose ssh login, and this is what I saw: #ssh -vvv bluethu...@db1.example.com OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 debug1: Reading configuration data /Users/MyUser/.ssh/config debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of negated match for *.example.com debug1: Reading configuration data /etc/ssh_config debug1: /etc/ssh_config line 20: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to db1.example.com [104.131.222.29] port 22. debug1: Connection established. 
debug3: Incorrect RSA1 identifier
debug3: Could not load /Users/MyUser/.ssh/id_rsa as a RSA1 public key
debug1: identity file /Users/MyUser/.ssh/id_rsa type 1
debug1: identity file /Users/MyUser/.ssh/id_rsa-cert type -1
debug1: identity file /Users/MyUser/.ssh/id_dsa type -1
debug1: identity file /Users/MyUser/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host db1.example.com from file /Users/MyUser/.ssh/known_hosts
debug3: load_hostkeys: found key type RSA in file /Users/MyUser/.ssh/known_hosts:172
debug3: load_hostkeys: loaded 1 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
[CentOS] ssh failed only with nfs home directory
Hey all,

Having a weird ssh issue I'd like some opinions on. If I have my home directory mounted on the NFS server itself, I get permission denied when I try to ssh into it. The correct permissions and ownership are on the home directory, ssh directory and the authorized_users file. Here's what a verbose ssh session looks like:

#ssh -v bluethu...@nfs1.example.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to nfs1.example.com [162.243.109.94] port 22.
debug1: Connection established.
debug1: identity file /Users/TimothyDunphy/.ssh/id_rsa type 1
debug1: identity file /Users/TimothyDunphy/.ssh/id_rsa-cert type -1
debug1: identity file /Users/TimothyDunphy/.ssh/id_dsa type -1
debug1: identity file /Users/TimothyDunphy/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA f7:06:1a:56:2f:0e:1b:bd:7b:e6:de:8c:9a:88:ea:09
debug1: Host 'nfs1.example.com' is known and matches the RSA host key.
debug1: Found key in /Users/TimothyDunphy/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/TimothyDunphy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/TimothyDunphy/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

And I see this message in the secure log:

Jul 13 23:09:28 nfsdb1 sshd[15305]: Connection closed by xx.xx.xx.xx [preauth]

The IP that I xxx'd out is my client IP.

Here's the permissions and ownership on the directories and files:

#ls -ld /home/bluethundr/ /home/bluethundr/.ssh /home/bluethundr/.ssh/authorized_keys
drwxr-x---. 37 bluethundr bluethundr 4096 Jul 13 20:57 /home/bluethundr/
drw---. 3 bluethundr bluethundr 4096 Jun 15 17:22 /home/bluethundr/.ssh
-rw---. 1 bluethundr bluethundr 2614 Jun 15 17:22 /home/bluethundr/.ssh/authorized_keys

SELinux is set to permissive:

#getenforce
Permissive

If I unmount the nfs home directory I am able to log in:

[root@nfs1:~] #umount -l /home
[root@nfs1:~] #
#ssh bluethu...@nfs1.example.com
Last login: Mon Jul 13 23:08:35 2015 from ool-2f126f64.dyn.optonline.net
-bash-4.2$

The permissions on the non-nfs home directory are the same as the NFS mounted home directory:

#ls -ld /home/bluethundr/ /home/bluethundr/.ssh /home/bluethundr/.ssh/authorized_keys
drwxr-x---. 37 bluethundr bluethundr 4096 Jul 13 20:57 /home/bluethundr/
drw---. 3 bluethundr bluethundr 4096 Jun 15 17:22 /home/bluethundr/.ssh
-rw---. 1 bluethundr bluethundr 2614 Jun 15 17:22 /home/bluethundr/.ssh/authorized_keys

As soon as I mount it back, the issue returns and I am unable to ssh in:

#ssh bluethu...@nfs1.example.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I'd really appreciate any ideas you guys may have as to why this is happening!!

Thanks,
Tim
Re: [CentOS] puppet files denied by SELinux
> You might want to setup an alias mv mv -Z
> This changes the way mv works to set the context after mv rather than maintaining the source context.

Thanks! That's probably a good suggestion. However I did try doing a restorecon -R -v on the entire puppet directory. No luck in resolving that error. And it's really bugging me that SELinux has to stay off in order for puppet to do its thing. However I was at least smart enough to keep my entire puppet directory, as well as my puppetdb directory in SVN. So in case of a need to rebuild, I can ease the process a bit. I'm heavily leaning to a rebuild at this point to resolve this. Sucks, but what can ya do! And if I do actually take that step I hope that the rebuild resolves it. And that I haven't checked anything into SVN that would muff up SELinux on the rebuilt host.

On Mon, Jun 29, 2015 at 6:15 AM, Daniel J Walsh dwa...@redhat.com wrote:
> I have no idea of the current dependency problem. I think your original problem was caused by mv'ing files from an nfs share to /etc which maintained the context. And SELinux prevented puppet from accessing nfs_t type. If you had just run restorecon on the object it would have set it back to the correct/default context.
>
> You might want to setup an alias mv mv -Z
> This changes the way mv works to set the context after mv rather than maintaining the source context.
>
> On 06/21/2015 02:05 PM, Tim Dunphy wrote:
>> Hey guys,
>>
>> Quick update. I grepped through the output of getsebool -a to see what related to puppet. And I found this setting: puppetagent_manage_all_files. So I tried running this command:
>>
>> setsebool -P puppetagent_manage_all_files 0
>>
>> And did a restorecon on my modules directory:
>>
>> restorecon -R -v environments/production/moudles
>>
>> So there's good news and bad news to report! It seems that now puppet on the client isn't complaining about not having access to the cert and key files anymore! That's the good news.
>> The bad news is, when I do puppet runs on all the hosts now, I get the following errors:
>>
>> Notice: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Dependency File[/var/lib/puppet/lib] has failures: true
>> Warning: /File[/var/lib/puppet/lib/facter/concat_basedir.rb]: Skipping because of failed dependencies
>> Notice: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Dependency File[/var/lib/puppet/lib] has failures: true
>> Warning: /File[/var/lib/puppet/lib/facter/ssldir.rb]: Skipping because of failed dependencies
>> Notice: /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]: Dependency File[/var/lib/puppet/lib] has failures: true
>> Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/ensure_resource.rb]: Skipping because of failed dependencies
Re: [CentOS] rsyncing directories - sanity check
> Have you considered just resizing the volumes?

That'd probably be my preference. But in my role at this company I don't have the direct access to do that. I'd probably have to open up a ticket to another department and have it done when 'they get around to it'. In say 3 or 4 weeks. On my own servers no sweat. But at work, nah, not really practical. Thanks for the suggestion anyway!

On Wed, Jun 24, 2015 at 2:33 PM, Gordon Messmer gordon.mess...@gmail.com wrote:
> On 06/24/2015 09:42 AM, Tim Dunphy wrote:
>> And for some reason when the servers were ordered the large local volume ended up being /usr when the ES rpm likes to store its indexes on /var. So I'm syncing the contents of both directories to a different place, and I'm going to swap the large local volume from /usr to /var.
>
> Have you considered just resizing the volumes? If you're trying to swap them with rsync, you're going to have to reboot anyway, and relabel your system. If any daemons are running, you might also corrupt their data this way.
>
>> The entire /var partition is only using 549MB:
>> rsync: write failed on /opt/var/log/lastlog: No space left on device (28)
>
> Depending on what UIDs are allocated to your users, lastlog can be an enormous sparse file. You would need to use rsync's -S flag to copy it.
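Gordon's point about lastlog is easy to see in code. The following is an added example, not from the thread: it builds a constructed sparse lastlog-like file in a temporary directory, copies it once byte-for-byte and once skipping all-zero blocks (the behaviour `rsync -S` asks for), and reports apparent versus allocated size. The record size, UID range and function names are this example's own assumptions.

```python
"""
Added example (not from the mailing-list thread): why a 549 MB /var can
overflow a 1.6 GB target when copied naively, and how a sparse-aware copy
avoids it.

/var/log/lastlog is indexed by UID, so with high UIDs it has a large
*apparent* size while occupying few disk blocks.  A copier that writes every
byte materialises the holes; one that seeks over all-zero blocks (what
`rsync -S` does) preserves them.
"""
import os
import tempfile

BLOCK = 4096  # granularity at which zero runs are turned into holes


def make_sparse_lastlog(path, max_uid, record=292):
    """Constructed stand-in for lastlog: one fixed-size record per UID, with
    only the highest UID's record ever written, so everything before it is a
    hole.  Returns the apparent size in bytes."""
    with open(path, "wb") as f:
        f.seek(max_uid * record)      # leave a hole for all lower UIDs
        f.write(b"\x01" * record)     # the single populated record
    return os.path.getsize(path)


def allocated_bytes(path):
    """Bytes actually backed by disk blocks (st_blocks is in 512-byte units)."""
    return os.stat(path).st_blocks * 512


def naive_copy(src, dst):
    """Byte-for-byte copy: holes are read back as zeros and written out, so the
    destination needs the full apparent size on disk.  Returns bytes written."""
    written = 0
    with open(src, "rb") as s, open(dst, "wb") as d:
        while chunk := s.read(BLOCK):
            d.write(chunk)
            written += len(chunk)
    return written


def sparse_copy(src, dst):
    """Copy that seeks over all-zero blocks so they stay holes in dst.
    Returns (bytes_written, bytes_skipped)."""
    zero = bytes(BLOCK)
    written = skipped = 0
    with open(src, "rb") as s, open(dst, "wb") as d:
        while chunk := s.read(BLOCK):
            if chunk == zero[:len(chunk)]:
                d.seek(len(chunk), os.SEEK_CUR)   # extend without allocating
                skipped += len(chunk)
            else:
                d.write(chunk)
                written += len(chunk)
        d.truncate(s.tell())   # keep apparent size even if file ends in a hole
    return written, skipped


def demo(max_uid=70000):
    """Build a sparse file and copy it both ways; returns the sizes observed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, d1, d2 = (os.path.join(tmp, n) for n in ("lastlog", "naive", "sparse"))
        apparent = make_sparse_lastlog(src, max_uid)
        naive_written = naive_copy(src, d1)
        sparse_written, sparse_skipped = sparse_copy(src, d2)
        with open(d1, "rb") as a, open(d2, "rb") as b:
            identical = a.read() == b.read()
        return {
            "apparent": apparent,
            "src_allocated": allocated_bytes(src),
            "naive_allocated": allocated_bytes(d1),
            "sparse_allocated": allocated_bytes(d2),
            "naive_written": naive_written,
            "sparse_written": sparse_written,
            "sparse_skipped": sparse_skipped,
            "identical": identical,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>17}: {value}")
```

On a filesystem that supports holes, `naive_allocated` is roughly the full 20 MB apparent size while `sparse_allocated` is a single block, which is the difference between `rsync` and `rsync -S` on the poster's lastlog.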
[CentOS] rsyncing directories - sanity check
hey guys,

I need to mount a different volume onto /var so we have more room to breathe. I'll be turning 3 servers into an elasticsearch cluster. And for some reason when the servers were ordered the large local volume ended up being /usr when the ES rpm likes to store its indexes on /var. So I'm syncing the contents of both directories to a different place, and I'm going to swap the large local volume from /usr to /var.

It looked like /opt had more than enough space to hold both directories. /opt was 6GB and I successfully synced /usr to it. /usr was 2.5GB. Then I went to sync /var to a temp folder in /opt. Checking I see that it still has 1.6GB available after the first sync.

# df -h /opt
Filesystem                Size  Used *Avail* Use% Mounted on
/dev/mapper/SysVG-OptVol  6.0G  4.1G *1.6G*   72% /opt

The entire /var partition is only using 549MB:

# df -h /var
Filesystem                Size  *Used* Avail Use% Mounted on
/dev/mapper/SysVG-VarVol  6.0G  *549M* 5.1G  10% /var

So that being the case, if I make a temp directory in /opt called /opt/var, how come I am running out of space in doing my rsync? It fails at the end and the /opt volume is filled up to 100%. Even tho I only have 549MB to sync.

rsync: writefd_unbuffered failed to write 4 bytes to socket [sender]: Broken pipe (32)
rsync: write failed on /opt/var/log/lastlog: No space left on device (28)
rsync error: error in file IO (code 11) at receiver.c(301) [receiver=3.0.6]
rsync: recv_generator: mkdir /opt/var/www/manual/developer failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/faq failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/howto failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/images failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/misc failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: recv_generator: mkdir /opt/var/www/manual/mod failed: No space left on device (28)
*** Skipping any contents from this failed directory ***
rsync: connection unexpectedly closed (148727 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.6]

And if I do a df of the entire system, it looks like everything is still ok:

# df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/SysVG-RootVol  2.0G  872M  1.1G  46% /
tmpfs                      4.0G     0  4.0G   0% /dev/shm
/dev/sda1                  486M   87M  375M  19% /boot
/dev/mapper/SysVG-HomeVol  4.0G  137M  3.7G   4% /home
/dev/mapper/SysVG-OptVol   6.0G  4.3G  1.4G  76% /opt
/dev/mapper/SysVG-TmpVol   2.0G  130M  1.8G   7% /tmp
/dev/mapper/SysVG-UsrVol   197G  2.8G  185G   2% /usr
/dev/mapper/SysVG-VarVol   6.0G  549M  5.1G  10% /var

Does anyone have a good guess as to why these 'out of space' failures are occurring?

Thanks,
Tim
Re: [CentOS] rsyncing directories - sanity check
Hey Carl,

> Hi Tim,
>
> At first glance, I don't see anything obvious, but if it were me, I'd do the following:
>
> a) add the 'n' flag to do a dry run (no actual copying)
> b) increase rsync's verbosity (A single -v will give you information about what files are being transferred and a brief summary at the end. Two -v options (-vv) will give you information on what files are being skipped and slightly more information at the end. A third 'v' is insanely verbose.)
> c) redirect standard out to a text file that you can examine for more clues.
>
> hth
> regards,

Good suggestions! Thanks!

Tim

On Wed, Jun 24, 2015 at 1:05 PM, Carl E. Hartung carlh04...@gmail.com wrote:
> On Wed, 24 Jun 2015 12:42:19 -0400 Tim Dunphy wrote:
>> Does anyone have a good guess as to why these 'out of space' failures are occurring?
Re: [CentOS] puppet files denied by SELinux
Hi all,

Thanks for all your suggestions. Here's where I'm at with this.

> Can you give details about your puppetmasterd setup ? it seems that you're using Foreman as puppet ENC.

Yes, I'm on foreman 1.7.4 and puppet 3.75. You are correct that I'm using foreman, sorry I hadn't thought to mention it!

> Foreman works fine with selinux enabled : that's what we use for the centos.org infra :-) Which version of puppet/foreman are you using ? Note that foreman has the foreman-selinux package that is used to automatically tune contexts and booleans needed for this. You can still reapply those settings with /usr/sbin/foreman-selinux-{disable,enable,relabel} There is no need to recompile a custom selinux policy for foreman/puppet those days

I didn't recompile any custom selinux policies. All I did to try to resolve the issue is to consult audit2allow and install the module it suggested. I did try running /usr/sbin/foreman-selinux-enable but that didn't seem to have an effect.

> Knowing nothing of your scenario, look at the source and target context. Looks like you copied a crt from an nfs location and you don't have a file context defined to transition labels, maybe something like:
>
> semanage fcontext -a -t passenger_t /etc/puppet/environments(/.*)?
>
> However, I know nothing of puppets selinux infrastructure, you may need a more applicable type. In these cases, audit2allow can't possibly guess the right thing and will certainly produce a rule that is either unsafe or simply wrong.

You are correct that I copied the key and cert from an NFS share! Both the puppet server and the monitor1 client share the same /home directory via NFS. Pretty cool that you picked up on that! I do suspect you're probably right that this may be causing the problem. Just on a hunch, I tried copying the certs and keys from the monitor1 host over to the puppet host to the /tmp directory on the puppet server. That leaves out NFS altogether. And when I do that, my bacula puppet module WORKS!! Puppet doesn't complain at all! But if I check out another host where I copied the cert and key from the NFS home directory I still get the error:

Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor2.mydomain.com.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor2/monitor2.mydomain.com.key
Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor2.mydomain.com.crt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor2/monitor2.mydomain.com.crt

Also when I try to set context using the line you suggested I get an error:

#semanage fcontext -a -t passenger_t /etc/puppet/environments(/.*)?
ValueError: Type passenger_t is invalid, must be a file or device type

So I googled around and found what seems to be the correct syntax:

semanage fcontext -a -t passenger_exec_t /etc/puppet/environments(/.*)?

Because when I applied that line, I didn't get any errors or complaints. However the problem still existed on the monitor2 host which had the key pair copied from the NFS share. So in summary it appears that there is some interaction between SELinux and NFS that is causing the issue. Any thoughts?

Thanks,
Tim

On Sun, Jun 21, 2015 at 11:09 AM, Tim Dunphy bluethu...@gmail.com wrote:
>> Yes, you did when you used the audit2allow with the -M option argument of puppet, which is confirmed by the command you issued to try to load it semodule -i puppet.pp (which you stated in your original message). I'm okay with you asserting otherwise and not following my first suggestion -- my second is to use a totally different name, e.g., barf and thus semodule -i barf.pp.
>
> Haha!! Ok man. I get you now. Thanks. Also I meant to send this to the list.. Whoops! I'll try doing it again with something like 'my' in the front. I remember having a similar problem with Zabbix last week that I solved this way.
>
> On Sun, Jun 21, 2015 at 12:19 AM, Mark Milhollan m...@pixelgate.net wrote:
>> On Sat, 20 Jun 2015, Tim Dunphy wrote:
>>> I wrote:
>>>> That suggests there's already a module named puppet, and thus you are replacing it with the one you made which does not supply the puppet_var_lib_t type. Always prefix your own modules with something that makes them almost certain to be unique, e.g., yourdom_puppet.
>>>
>>> No, actually I didn't compile my own selinux module. :) Not sure how you got that idea, but that is not the case.
>>
>> Yes, you did when you used the audit2allow with the -M option argument of puppet, which is confirmed by the command you issued to try to load it semodule -i puppet.pp (which you stated in your original message). I'm okay with you asserting otherwise and not following my first suggestion -- my second is to use a totally different name, e.g., barf and thus semodule -i barf.pp.
>>
>> /mark
Re: [CentOS] puppet files denied by SELinux
/puppet/lib] has failures: true
Warning: /File[/var/lib/puppet/lib/puppet/parser/functions/validate_cmd.rb]: Skipping because of failed dependencies

It's actually a long list of errors that's too long to reproduce here. It'd go on for a couple pages at least. However if I turn off SELinux on the puppet master, everything returns to normal. Goes from utter chaos to complete order in an instant! So I guess I've muffed up my SELinux config on this puppet host. I just hope it's repairable at this point! I'd hate to leave it off just so that puppet will be able to do its job. And of all the hosts that would need SELinux protection I would think that a puppet host would be one of the most important if not 'the' most important to protect! I'm definitely open to suggestions at this point!

Thanks,
Tim
[CentOS] puppet files denied by SELinux
Hey folks,

Ok so I'm having another issue with SELinux. However I think I'm pretty close to a solution and just need a nudge in the right direction. I wrote a puppet module that gets systems into bacula backups. Part of the formula is to distribute key/cert pairs with permissions that allow bacula to read them so that bacula can talk to the host over TLS. It's pretty slick, I must say! However on adding some new hosts to bacula backups via puppet, I noticed that I was getting permission denied errors on the keypairs on the client hosts. In my audit logs I found this entry:

type=AVC msg=audit(1434769414.956:562): avc: denied { open } for pid=3558 comm=ruby path=/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt dev=vda1 ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

And audit2allow told me this:

#grep puppet /var/log/audit/audit.log | audit2allow -M puppet
IMPORTANT ***
To make this policy package active, execute:

semodule -i puppet.pp

But in installing the module I get an error I've never seen before:

#semodule -i puppet.pp
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute puppet_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

I will say that I'm getting much better at working through SELinux issues. I've come a long way from when I was taught by a senior admin I was working with to 'always disable selinux' to now making an effort to work through the issues. So I was hoping to get some advice on how to get over this hurdle!

Thanks,
Tim
Re: [CentOS] selinux allow apache log access
> Sorry, I didn't put that very clearly. Could you show us the contents of myzabbix.te.

No prob! Thanks for all the help! But in searching my system I don't find anything of the sort.

[root@monitor2:~] #updatedb
[root@monitor2:~] #locate myzabbix.te
[root@monitor2:~] #find / -name myzabbix.*

I also did search using 'yum provides' to find something similar. But wasn't able to find anything.

yum provides */myzabbix.*
...
No matches found

Maybe I'll need to install a package?

Thanks,
Tim

On Wed, Jun 17, 2015 at 2:10 PM, Harold Toms h.t...@qmul.ac.uk wrote:
> On 17/06/15 17:43, Tim Dunphy wrote:
>>> What turns up in myzabbix.te?
>>
>> Same deal. :(
>>
>> #semodule -i myzabbix.te
>> semodule: Failed on myzabbix.te!
>>
>> sigh... but thanks any other clues?
>
> Sorry, I didn't put that very clearly. Could you show us the contents of myzabbix.te.
>
> --
> regards
> Harold Toms
> URL: http://iodine.chem.qmul.ac.uk
Re: [CentOS] selinux allow apache log access
Hey guys,

Thanks! That worked.

[root@monitor2:~] #grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
IMPORTANT *** To make this policy package active, execute:
semodule -i myzabbix.pp
[root@monitor2:~] #semodule -i myzabbix.pp
[root@monitor2:~] #lsof -i :80
[root@monitor2:~] #systemctl start httpd
[root@monitor2:~] #lsof -i :80
COMMAND PID   USER   FD   TYPE   DEVICE   SIZE/OFF NODE NAME
httpd   18664 root   4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
httpd   18665 apache 4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
httpd   18666 apache 4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
httpd   18667 apache 4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
httpd   18668 apache 4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
httpd   18669 apache 4u   IPv6   12477027 0t0      TCP  *:http (LISTEN)
[root@monitor2:~] #getenforce
Enforcing

Definitely appreciate the help and sorry if there was any confusion on my part. All set at this point!

Best,
Tim

On Wed, Jun 17, 2015 at 4:11 PM, Daniel J Walsh dwa...@redhat.com wrote:

On 06/17/2015 04:03 PM, Jonathan Billings wrote:
On Wed, Jun 17, 2015 at 03:30:51PM -0400, Tim Dunphy wrote:
No prob! Thanks for all the help! But in searching my system I don't find anything of the sort.
[root@monitor2:~] #updatedb
[root@monitor2:~] #locate myzabbix.te
[root@monitor2:~] #find / -name myzabbix.*
I also did search using 'yum provides' to find something similar. But wasn't able to find anything.

What we're asking for is the contents of the .te file that is created when you run audit2allow.

Go back to the original email and do what you were told:

# grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
# semodule -i myzabbix.pp

You did audit2allow -M zabbix, which created zabbix.te and zabbix.pp, which is bad. It will attempt to replace the system module. If you use myzabbix, it will add the allow rules.
Re: [CentOS] selinux allow apache log access
Try something like:
grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
semodule -i zabbix.pp

Thanks for your response! However this is what happens when I try to install the module:

[root@monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

Any other thoughts?

Thanks,
Tim

On Wed, Jun 17, 2015 at 5:32 AM, Harold Toms h.t...@qmul.ac.uk wrote:

Try something like:
grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
semodule -i zabbix.pp

On 16/06/15 15:58, Tim Dunphy wrote:
Hey guys,
I have a centos 7 machine I'm using as a zabbix server. And I noticed that apache won't start, with this complaint in the error log:
(13)Permission denied: AH00091: httpd: could not open error log file /var/log/zabbix_error_log.
AH00015: Unable to open logs
I tried having a look at audit2allow and this is the response I get back:
[root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t zabbix_log_t:file open;
How can I turn that bit of information into a rule that allows apache access to this zabbix log file? I notice that if I disable selinux using setenforce 0, apache starts up without complaint. But I would rather not leave it disabled.
Thanks,
Tim

--
regards
Harold Toms
http://iodine.chem.qmul.ac.uk
Priestley's works... tended to unsettle every thing, and yet settled nothing. - Samuel Johnson.
Re: [CentOS] selinux allow apache log access
That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
semodule -i myzabbix.pp

Hmm no luck there either:

[root@monitor2:~] #semodule -i myzabbix.pp
semodule: Failed on myzabbix.pp!

I also tried:

[root@monitor2:~] #semodule -i my_zabbix
semodule: Failed on my_zabbix!

And

[root@monitor2:~] #semodule -i my-zabbix
semodule: Failed on my-zabbix!

Just in case.. none of that worked. Got any other ideas? :)

Tim

On Wed, Jun 17, 2015 at 11:24 AM, Harold Toms h.t...@qmul.ac.uk wrote:

On 17/06/15 15:27, Tim Dunphy wrote:
Try something like:
grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
semodule -i zabbix.pp
Thanks for your response! However this is what happens when I try to install the module:
[root@monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
Any other thoughts?
Thanks,
Tim

That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
semodule -i myzabbix.pp

--
regards
Harold Toms
Re: [CentOS] selinux allow apache log access
What turns up in myzabbix.te?

Same deal. :(

#semodule -i myzabbix.te
semodule: Failed on myzabbix.te!

sigh... but thanks, any other clues?

On Wed, Jun 17, 2015 at 11:42 AM, Harold Toms h.t...@qmul.ac.uk wrote:

On 17/06/15 16:29, Tim Dunphy wrote:
That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my" in front of one's own modules, i.e.:
grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
semodule -i myzabbix.pp
Hmm no luck there either:
[root@monitor2:~] #semodule -i myzabbix.pp
semodule: Failed on myzabbix.pp!
I also tried:
[root@monitor2:~] #semodule -i my_zabbix
semodule: Failed on my_zabbix!
And
[root@monitor2:~] #semodule -i my-zabbix
semodule: Failed on my-zabbix!
Just in case.. none of that worked. Got any other ideas? :)
Tim

What turns up in myzabbix.te?

--
regards
Harold Toms
[CentOS] selinux allow apache log access
Hey guys,

I have a centos 7 machine I'm using as a zabbix server. And I noticed that apache won't start, with this complaint in the error log:

(13)Permission denied: AH00091: httpd: could not open error log file /var/log/zabbix_error_log.
AH00015: Unable to open logs

I tried having a look at audit2allow and this is the response I get back:

[root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
allow httpd_t zabbix_log_t:file open;

How can I turn that bit of information into a rule that allows apache access to this zabbix log file? I notice that if I disable selinux using setenforce 0, apache starts up without complaint. But I would rather not leave it disabled.

Thanks,
Tim
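What audit2allow does with the denial quoted in this thread (and with the passenger_t/nfs_t denial in the puppet/bacula thread above) is mechanical: pull the source type, target type, object class and permission set out of each AVC record, merge them, and emit allow rules plus a require block. The script below is an added example that reproduces that step; it is not audit2allow's code and not from the mailing list. The audit records it parses are constructed to match the denials quoted in both threads; the module name, file paths and inode numbers are illustrative.

```python
"""Turn SELinux AVC denial records into the allow rules that audit2allow
generates, and render them as a .te module body.

Added example, not audit2allow's own code. SAMPLE_AUDIT_LOG is constructed
to match the denials quoted in this thread (httpd_t on zabbix_log_t) and in
the puppet/bacula thread (passenger_t on nfs_t); real records come from
/var/log/audit/audit.log.
"""
import re
from collections import defaultdict

# Constructed records in the shape of /var/log/audit/audit.log (the SYSCALL
# line is there to show that non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1434563000.123:401): avc:  denied  { open } for  pid=18664 comm="httpd" path="/var/log/zabbix_error_log" dev="vda1" ino=262345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file
type=SYSCALL msg=audit(1434563000.123:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1434563000.987:402): avc:  denied  { read append } for  pid=18664 comm="httpd" path="/var/log/zabbix_error_log" dev="vda1" ino=262345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file
type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for  pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Yield (source_type, target_type, object_class, permissions) per denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        source_type = m.group("scontext").split(":")[2]   # user:role:TYPE:level
        target_type = m.group("tcontext").split(":")[2]
        yield source_type, target_type, m.group("tclass"), set(m.group("perms").split())


def merge_denials(log_text):
    """Collapse repeated denials into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(log_text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def allow_rules(log_text):
    """One allow rule per (source, target, class), sorted for stable output."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merge_denials(log_text).items())
    ]


def type_enforcement(module_name, log_text):
    """Build a .te file. Pick a name such as 'myzabbix': a module named
    'zabbix' would try to replace the distribution's zabbix module, which is
    the 'global requirements were not met' failure seen in this thread."""
    merged = merge_denials(log_text)
    types = sorted({t for key in merged for t in key[:2]})
    perms_by_class = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        perms_by_class[cls] |= perms
    lines = ["module %s 1.0;" % module_name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (cls, " ".join(sorted(p)))
              for cls, p in sorted(perms_by_class.items())]
    lines += ["}", ""] + allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(type_enforcement("myzabbix", SAMPLE_AUDIT_LOG))
```

Write the output to myzabbix.te, then compile and load it with checkmodule -M -m -o myzabbix.mod myzabbix.te, semodule_package -o myzabbix.pp -m myzabbix.mod and semodule -i myzabbix.pp. Read the rules before loading them: each one grants the source domain that access to every file of the target type, not just the file in the denial. Where the denial is really a labeling problem (a file carrying nfs_t or usr_t when it should carry a type the domain may already use), fixing the label with semanage fcontext and restorecon is the narrower fix.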
Re: [CentOS] exclude directory from rsync
Hey guys,

Thanks for your input! Both examples you gave worked, and I'll do some reading on the suggested subjects!! Just a heads up that it worked. I appreciate the clarification!

Thanks,
Tim

On Tue, Jun 9, 2015 at 1:45 AM, Gordon Messmer gordon.mess...@gmail.com wrote:

On 06/08/2015 10:12 PM, Tim Dunphy wrote:
I'm trying to do an rsync of the entire /var directory, but exclude just the /var/www directory.
...
rsync -avzp --exclude-from=/var/www /var/ /mnt/var/

--exclude-from takes a filename as an argument. That filename is expected to contain a list of patterns to exclude.

rsync -avzp --exclude=/var/www /var/ /mnt/var/

If your exclude pattern begins with '/', then it matches a filename immediately within the transfer root. So in this case, /var/var/www. Read the FILTER RULES and INCLUDE/EXCLUDE PATTERN RULES sections of the manual.

Try:

rsync -avzp --exclude=/www /var/ /mnt/var/
[CentOS] exclude directory from rsync
hey guys,

I'm trying to do an rsync of the entire /var directory, but exclude just the /var/www directory. So far I've tried these approaches:

rsync -avzp --exclude-from=/var/www /var/ /mnt/var/
rsync -avzp --exclude=/var/www /var/ /mnt/var/

But neither has worked. Can I get a suggestion on how to get this to happen?

Thanks,
Tim
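The anchoring rule Gordon points to (a pattern starting with '/' is matched at the transfer root, an unanchored one is matched at the end of any path) is what makes --exclude=/var/www a no-op when the transfer root is /var/. The following is an added example, written for this thread and not rsync's own code, that implements that rule for literal patterns and single-component wildcards so the three candidate patterns can be compared against one constructed file list. It simplifies rsync in two ways: a trailing '/' (directory-only match) is ignored, and --exclude-from, which reads one pattern per line from a file, is not modelled.

```python
"""Why --exclude=/var/www does nothing when the transfer root is /var/, while
--exclude=/www and --exclude=www both skip it.

Added example illustrating the leading-slash anchoring rule from the
FILTER RULES section of rsync(1); this is not rsync's own matching code.
A match on a directory excludes everything beneath it, because rsync does
not descend into an excluded directory. The file list is constructed.
"""
import fnmatch

# Constructed sample: paths relative to the transfer root, i.e. for
# 'rsync -avzp --exclude=... /var/ /mnt/var/' these are paths under /var.
SAMPLE_FILES = [
    "log/messages",
    "www/html/index.html",
    "www/cgi-bin/app.cgi",
    "lib/www/cache.db",       # a 'www' directory that is NOT /var/www
    "var/www/oops.txt",       # the only thing '/var/www' can match: /var/var/www
]


def _components_match(pattern, path):
    """Compare pattern and path component by component, with shell wildcards."""
    pparts, fparts = pattern.split("/"), path.split("/")
    if len(pparts) != len(fparts):
        return False
    return all(fnmatch.fnmatchcase(f, p) for p, f in zip(pparts, fparts))


def excluded(pattern, rel_path):
    """True if rel_path (relative to the transfer root) is excluded by pattern.

    A leading '/' anchors the pattern at the transfer root, so it must match
    the first components of rel_path. Without it, the pattern may match the
    trailing components of rel_path or of any ancestor directory of it.
    """
    anchored = pattern.startswith("/")
    pattern = pattern.strip("/")           # trailing '/' (dir-only) simplified away
    parts = rel_path.split("/")
    width = pattern.count("/") + 1         # components in the pattern
    if anchored:
        return _components_match(pattern, "/".join(parts[:width]))
    return any(
        _components_match(pattern, "/".join(parts[i:i + width]))
        for i in range(len(parts) - width + 1)
    )


def plan(files, pattern):
    """Split a file list into (transferred, skipped) for one --exclude pattern."""
    kept = [f for f in files if not excluded(pattern, f)]
    skipped = [f for f in files if excluded(pattern, f)]
    return kept, skipped


if __name__ == "__main__":
    for pat in ("/var/www", "/www", "www"):
        print("--exclude=%-9s skips %s" % (pat, plan(SAMPLE_FILES, pat)[1]))
```

Running it shows that --exclude=/var/www skips only var/www/oops.txt (the path /var/var/www), --exclude=/www skips exactly the /var/www tree, and the unanchored www also drops /var/lib/www and /var/var/www. When the goal is one specific directory, the anchored form is the precise one; the unanchored form silently widens the exclusion to any directory of that name anywhere in the transfer.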
Re: [CentOS] could not insert 'fuse' error on CentOS 7.1
Cool! Thanks Eero. I'll check this out.

Best regards,
Tim

Sent from my iPhone

On Jun 8, 2015, at 12:06 AM, Eero Volotinen eero.voloti...@iki.fi wrote:

This looks good: https://github.com/juliogonzalez/s3fs-fuse-rpm

Eero

On 7.6.2015 at 4:23 PM, Tim Dunphy bluethu...@gmail.com wrote:

Centos 7 base repo contains fuse, use it. it works. handcompiling packages to centos is *really* stupid, without proper knowledge..

Thanks, you're right. The Centos 7 package works.

[root@ops ~]# lsmod | grep fuse
fuse 87661 1

My final goal is to install s3fs. Funny how all the tutorials I've found out there tell you to compile both fuse and s3fs under centos or ubuntu. That may be necessary for s3fs, because so far I haven't found it in any of the repositories I use. Generally I like epel, rpmforge, remi and a few others. Anyone know of a repo that includes s3fs?

Thanks,
Tim

On Sun, Jun 7, 2015 at 4:39 AM, Eero Volotinen eero.voloti...@iki.fi wrote:

Centos 7 base repo contains fuse, use it. it works. handcompiling packages to centos is *really* stupid, without proper knowledge..

eero

2015-06-07 10:06 GMT+03:00 Александр Кириллов nevis...@infoline.su:

I've tried googling this to no avail!!

Have you tried The young mechanics mailing list yet? And have a look at Gentoo Linux (http://www.gentoo.org). It might suit your needs better.
Re: [CentOS] could not insert 'fuse' error on CentOS 7.1
Centos 7 base repo contains fuse, use it. it works. handcompiling packages to centos is *really* stupid, without proper knowledge..

Thanks, you're right. The Centos 7 package works.

[root@ops ~]# lsmod | grep fuse
fuse 87661 1

My final goal is to install s3fs. Funny how all the tutorials I've found out there tell you to compile both fuse and s3fs under centos or ubuntu. That may be necessary for s3fs, because so far I haven't found it in any of the repositories I use. Generally I like epel, rpmforge, remi and a few others. Anyone know of a repo that includes s3fs?

Thanks,
Tim

On Sun, Jun 7, 2015 at 4:39 AM, Eero Volotinen eero.voloti...@iki.fi wrote:

Centos 7 base repo contains fuse, use it. it works. handcompiling packages to centos is *really* stupid, without proper knowledge..

eero

2015-06-07 10:06 GMT+03:00 Александр Кириллов nevis...@infoline.su:

I've tried googling this to no avail!!

Have you tried The young mechanics mailing list yet? And have a look at Gentoo Linux (http://www.gentoo.org). It might suit your needs better.
[CentOS] could not insert 'fuse' error on CentOS 7.1
Hey guys,

I tried installing the latest fuse on CentOS 7.1. I downloaded the latest version (2.9.4) from sourceforge and did a source install. After rebooting the host, now when I go modprobe fuse, this is what I get!

modprobe: ERROR: could not insert 'fuse': Unknown symbol in module, or unknown parameter (see dmesg)

If I tail dmesg this is all I see, but it doesn't seem relevant:

[root@ops:~] #dmesg | tail
[    3.342679] input: PC Speaker as /devices/platform/pcspkr/input/input4
[    3.351981] piix4_smbus 0000:00:01.3: SMBus base address uninitialized - upgrade BIOS or use force_addr=0xaddr
[    3.502014] ppdev: user-space parallel port driver
[    3.539306] AES CTR mode by8 optimization enabled
[    3.590103] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
[    3.635925] alg: No test for crc32 (crc32-pclmul)
[    3.659506] type=1305 audit(1433643281.958:4): audit_pid=472 old=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
[    4.084861] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    9.575888] systemd-journald[393]: Received request to flush runtime journal from PID 1
[   10.702056] Adjusting xen more than 11% (9436999 vs 9311354)

Has anyone out there encountered this error with fuse and been able to overcome it? I've tried googling this to no avail!!

Thanks,
Tim
[CentOS] nginx conflicting server name ignored warning
Guys,

I'm getting a strange warning whenever I do a config test or a restart of nginx 1.0.15:

[root@aoadbld00032lb nginx]# nginx -t
nginx: [warn] conflicting server name "aoadbld00032lb.company.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "logs.pcf.company.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And as far as I can tell I only have one server_name directive in the whole config:

[root@aoadbld00032lb nginx]# grep -r server_name *
conf.d/kibana.conf:    server_name aoadbld00032lb.company.com logs.pcf.company.com;
fastcgi_params:fastcgi_param  SERVER_NAME        $server_name;
scgi_params:scgi_param  SERVER_NAME        $server_name;
uwsgi_params:uwsgi_param  SERVER_NAME        $server_name;

It's more of an annoyance than any kind of real problem, as far as I can tell. Because the site I'm trying to put up with it appears to be working. I'm using this host as a logstash server. But does anybody have any ideas as to why this may be happening? Or of any potential problems that this may cause?

Thanks,
Tim
[CentOS] specify port on check_memcached.pl
Hey guys,

I'm trying to use check_memcached.pl to monitor a couple of memcached services running on two ports. I have my command definition setup like this:

# 'check_memcached' command definition
define command {
    command_name    check_memcached
    command_line    $USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$
}

And I have my service definitions setup like this:

# Define a service to check memcached on web1 (just the basics for right now).
define service{
    use                     local-service    ; Name of service template to use
    host_name               web1
    service_description     Check Memcached 11211
    contact_groups          linux-admins
    check_command           check_memcached!web1.example.com!11211
    notifications_enabled   1
}

# Define a service to check memcached on web1 (just the basics for right now).
define service{
    use                     local-service    ; Name of service template to use
    host_name               web1
    service_description     Check Memcached 11212
    contact_groups          linux-admins
    check_command           check_memcached!web1.example.com!11212
    notifications_enabled   1
}

And if I run both checks manually they succeed:

[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl -H web1.example.com -p 11211
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11211, up 22 minutes 52 seconds
[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl -H web1.example.com -p 11212
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11212, up 12 minutes 2 seconds

Yet, in my nagios web interface, I'm getting this error:

Check Memcached 11211 https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11211
CRITICAL 05-24-2015 14:28:31 0d 0h 10m 19s 4/4 CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0
Check Memcached 11212 https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11212
CRITICAL 05-24-2015 14:29:12 0d 0h 11m 8s 4/4 CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0

I thought I could specify the command in the service definition like this:

check_memcached!web1.example.com!11211

To reproduce the command as it's executed on the command line. How can I specify the port correctly here?

Thanks,
Tim
Re: [CentOS] nagios check_local_disk failing
[root@nagios plugins]# ./check_disk -w 20 -c 10 -p / -x
./check_disk: option requires an argument -- 'x'
Unknown argument
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device} [-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type]
[root@nagios plugins]# ./check_disk -w 20 -c 10 -p /
DISK OK - free space: / 20848 MB (92% inode=97%);| /=1670MB;23711;23721;0;23731

Thanks for the tip! That worked. :-)

On Thu, May 14, 2015 at 7:33 AM, Tris Hoar trish...@bgfl.org wrote:

On 14/05/2015 02:42, Tim Dunphy wrote:
Hey all,
I have a local disk check defined which is giving me an error:
Current Status: UNKNOWN (for 0d 0h 1m 38s)
Status Information: Unknown argument Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path
Performance Data: -x device} [-C] [-E] [-e] [-f] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type] [-N type] [-n]
I have a local check setup like this in the server's config:
define service{
    use                     local-service    ; Name of service template to use
    host_name               monitor1
    service_description     Root Partition
    check_command           check_local_disk!20%!10%!/
}
It's attempting to do a local disk check on the nagios server itself. Not an NRPE check. This is the command definition:
# 'check_local_disk' command definition
define command{
    command_name    check_local_disk
    command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$
}
Can someone please tell me where I'm going wrong?
Thanks,
Tim

You need to remove the 4th argument if you are not using it:

[root@nagios plugins]# ./check_disk -w 20 -c 10 -p / -x
./check_disk: option requires an argument -- 'x'
Unknown argument
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device} [-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type]
[root@nagios plugins]# ./check_disk -w 20 -c 10 -p /
DISK OK - free space: / 20848 MB (92% inode=97%);| /=1670MB;23711;23721;0;23731

Tris
[CentOS] nagios check_local_disk failing
Hey all,

I have a local disk check defined which is giving me an error:

Current Status: UNKNOWN (for 0d 0h 1m 38s)
Status Information: Unknown argument Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path
Performance Data: -x device} [-C] [-E] [-e] [-f] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type] [-N type] [-n]

I have a local check setup like this in the server's config:

define service{
    use                     local-service    ; Name of service template to use
    host_name               monitor1
    service_description     Root Partition
    check_command           check_local_disk!20%!10%!/
}

It's attempting to do a local disk check on the nagios server itself. Not an NRPE check. This is the command definition:

# 'check_local_disk' command definition
define command{
    command_name    check_local_disk
    command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$
}

Can someone please tell me where I'm going wrong?

Thanks,
Tim
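Both Nagios threads above (check_memcached reporting "port 0", and check_disk rejecting a bare -x) come down to the same macro rule: everything after each '!' in a service's check_command becomes $ARG1$, $ARG2$ and so on, and a macro with no value expands to nothing. The script below is an added example, not Nagios code, that applies that rule to the command and service definitions quoted in the two threads and shows the argv each plugin actually receives. The $USER1$ path is the usual libexec directory and $HOSTADDRESS$ is taken from the web interface output in the memcached thread; both are assumptions for the sake of the example, as is the small heuristic used to spot an option left without a value.

```python
"""How Nagios turns a service's check_command into the command line it runs.

Added example, not Nagios source. It implements the documented rules that
'!' separates check_command arguments into $ARG1$, $ARG2$, ... and that an
unset $ARGn$ expands to an empty string. Command definitions are the ones
quoted in the two threads; the macro values in MACROS are assumed.
"""
import shlex

MACROS = {"USER1": "/usr/local/nagios/libexec", "HOSTADDRESS": "162.243.60.6"}

# command_line values as defined in the threads
MEMCACHED_CMD = "$USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$"
DISK_CMD = "$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$"
# the corrected command_line: the unused -x $ARG4$ removed, as Tris advised
DISK_CMD_FIXED = "$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"


def expand(command_line, check_command, macros=MACROS, max_args=32):
    """Expand $NAME$ macros; '!'-separated check_command parts fill $ARG1$.."""
    args = check_command.split("!")[1:]
    values = dict(macros)
    for n in range(1, max_args + 1):
        values["ARG%d" % n] = args[n - 1] if n - 1 < len(args) else ""
    out = command_line
    for name, value in values.items():
        out = out.replace("$%s$" % name, value)
    return out


def argv(command_line, check_command, macros=MACROS):
    """The argument vector the plugin is executed with."""
    return shlex.split(expand(command_line, check_command, macros))


def dangling_options(args):
    """Option tokens that end up with no value: last on the line, or directly
    followed by another option. A heuristic for catching an empty $ARGn$,
    not a real getopt parse (a negative number as a value would trip it)."""
    found = []
    for i, tok in enumerate(args):
        if tok.startswith("-") and len(tok) > 1:
            nxt = args[i + 1] if i + 1 < len(args) else None
            if nxt is None or nxt.startswith("-"):
                found.append(tok)
    return found


if __name__ == "__main__":
    for cmd, svc in [(MEMCACHED_CMD, "check_memcached!web1.example.com!11211"),
                     (MEMCACHED_CMD, "check_memcached!11211"),
                     (DISK_CMD, "check_local_disk!20%!10%!/"),
                     (DISK_CMD_FIXED, "check_local_disk!20%!10%!/")]:
        a = argv(cmd, svc)
        print("%-45s -> %s  dangling=%s" % (svc, a, dangling_options(a)))
```

With check_memcached!web1.example.com!11211, $ARG1$ is the hostname, so the plugin runs with -p web1.example.com and $ARG2$ (the port) is never used; that is consistent with the "port 0" message in the thread. Since $HOSTADDRESS$ already supplies the host, check_memcached!11211 puts the port where the command_line expects it. For check_disk, three '!' parts leave $ARG4$ empty, the expanded line ends in a bare -x, and dangling_options flags it; the command_line without -x $ARG4$ expands cleanly.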
Re: [CentOS] appdynamics php agent prevented by SELinux
Hi Jason,

This means SELinux is ON in a kind of testing mode. It is only reporting what would be blocked and not enforcing anything. So the messages are basically informing you that you WILL have problems IF you enable enforcing mode. Checking AppDynamic PHP agent it does not support SELinux (which is insanely poor for the license cost!) so best you can do is ignore the messages. It may be better to contact their support channels for help too rather than here if you need any more. Disabling SELinux completely should stop the messages appearing completely, though I advise against anything but enforcing mode

OK thanks. That makes complete sense. I do plan on enabling SELinux enforcing mode soon! And I find it more than a little surprising that the appdynamics php agent won't support SELinux. I'll have to bring this up to them, we have a pretty big account with them.

Thanks!
Tim

On Tue, May 12, 2015 at 1:47 AM, Jason Woods de...@jasonwoods.me.uk wrote:

On 12 May 2015, at 03:39, Tim Dunphy bluethu...@gmail.com wrote:
* Plugin catchall_labels (83.8 confidence) suggests ***...
May 11 22:31:38 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on the capability2 Unknown.
Why is that odd? Well mainly because I have SELinux off at the moment.
[root@web1:~] #getenforce 0
Permissive

This means SELinux is ON in a kind of testing mode. It is only reporting what would be blocked and not enforcing anything. So the messages are basically informing you that you WILL have problems IF you enable enforcing mode.

Checking AppDynamic PHP agent it does not support SELinux (which is insanely poor for the license cost!) so best you can do is ignore the messages. It may be better to contact their support channels for help too rather than here if you need any more.

Disabling SELinux completely should stop the messages appearing completely, though I advise against anything but enforcing mode.

Jason
Re: [CentOS] firewalld trouble opening a port
Just remember that the permanent command doesn't add the rule immediately, so it doesn't take effect *until* you reload.

you can also do this:
# firewall-cmd --zone=home --add-port=8181/tcp
# add other stuff
Test that everything works right
# firewall-cmd --runtime-to-permanent
That way, if you screw something up, you can simply reload (or reboot) to fix it.

That's a very excellent point! I'll have to remember that. I've read a few guides on how to use firewall-cmd on CentOS 7, but I haven't seen this tip mentioned anywhere! So thanks for pointing that out!

On Mon, May 11, 2015 at 9:18 AM, Bowie Bailey bowie_bai...@buc.com wrote:

On 5/9/2015 3:24 PM, Tim Dunphy wrote:
Hi Earl,
The problem is you added the rule in runtime and when you reloaded it removed the rule that you added; therefore you need to use --permanent or do not reload.
Thanks! That worked.
[root@appd:~] #firewall-cmd --zone=home --list-ports
[root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp --permanent
success
[root@appd:~] #firewall-cmd --reload
success
[root@appd:~] #firewall-cmd --zone=home --list-ports
8181/tcp

Just remember that the permanent command doesn't add the rule immediately, so it doesn't take effect *until* you reload.

you can also do this:
# firewall-cmd --zone=home --add-port=8181/tcp
# add other stuff
Test that everything works right
# firewall-cmd --runtime-to-permanent
That way, if you screw something up, you can simply reload (or reboot) to fix it.

--
Bowie
Re: [CentOS] appdynamics php agent prevented by SELinux
That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue.

Yeah I agree that it's an unusual place to store log files. However I'm not aware of any way to change that location since it's an RPM install. Maybe a source install is possible. I'll do some googling.

This isn't really a C7-specific issue/problem.

Yeah that's right. I said that poorly. I had just been dealing with an issue with systemctl prior to that which was due to it being a C7 machine. But really only because I had been using systemctl.

What I'm most curious about is how Apache is reporting SELinux problems whether or not SELinux is enabled. Like I said earlier, if I have SELinux set to off, you still see those kind of messages relating to SELinux when you do a status on httpd. Odd.

One thing I did try was to do a restorecon -R -v /usr/lib/appdynamics-php5/. Since it might not be easy to change paths I was hoping to find a way to solve this using SELinux.. Does anyone else have any suggestions on how to solve this?

Thanks,
Tim

On Sun, May 10, 2015 at 10:20 PM, Richard lists-cen...@listmail.innovate.net wrote:

-------- Original Message --------
Date: Sunday, May 10, 2015 09:02:11 PM -0400
From: Tim Dunphy bluethu...@gmail.com

Hey guys,
I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with its controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems.
[root@web1:~] #getenforce
Permissive
May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100.

That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue.

This isn't really a C7-specific issue/problem.
Re: [CentOS] appdynamics php agent prevented by SELinux
If rpm is configured for _that_ location of log files, I would remove the repository this rpm comes from from configuration and will remember to never-never ever use that repository for anything. Just my $0.02

Yeah I completely get where you're coming from there. However it's not an RPM from a repo. I downloaded the rpm from the appdynamics site itself. While it may be easy to say "well then just don't use appdynamics!", that's not a luxury I have. My company uses it and I need to get up to speed on how to work with it. So that's why I'm trying out this experiment.

Thanks,
Tim

On Mon, May 11, 2015 at 11:22 AM, Valeri Galtsev galt...@kicp.uchicago.edu wrote:

On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote:
That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue.
Yeah I agree that it's an unusual place to store log files. However I'm not aware of any way to change that location since it's an RPM install.

If rpm is configured for _that_ location of log files, I would remove the repository this rpm comes from from configuration and will remember to never-never ever use that repository for anything. Just my $0.02

Valeri

Maybe a source install is possible. I'll do some googling.
This isn't really a C7-specific issue/problem.
Yeah that's right. I said that poorly. I had just been dealing with an issue with systemctl prior to that which was due to it being a C7 machine. But really only because I had been using systemctl.
What I'm most curious about is how Apache is reporting SELinux problems whether or not SELinux is enabled. Like I said earlier, if I have SELinux set to off, you still see those kind of messages relating to SELinux when you do a status on httpd. Odd.
One thing I did try was to do a restorecon -R -v /usr/lib/appdynamics-php5/. Since it might not be easy to change paths I was hoping to find a way to solve this using SELinux.. Does anyone else have any suggestions on how to solve this?
Thanks,
Tim
On Sun, May 10, 2015 at 10:20 PM, Richard lists-cen...@listmail.innovate.net wrote:
-------- Original Message --------
Date: Sunday, May 10, 2015 09:02:11 PM -0400
From: Tim Dunphy bluethu...@gmail.com
Hey guys,
I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with its controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems.
[root@web1:~] #getenforce
Permissive
May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100.
That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue.
This isn't really a C7-specific issue/problem.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Re: [CentOS] appdynamics php agent prevented by SELinux
is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from setattr access on the file runProxy.template. * Plugin catchall_labels (83.8 confidence) suggests ***...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from setattr access on the directory logging. * Plugin catchall_labels (83.8 confidence) suggests ***...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from write access on the file agent.log.lck. * Plugin catchall_labels (83.8 confidence) suggests ***...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from append access on the file agent.log. * Plugin catchall_labels (83.8 confidence) suggests ***...

Why is that odd? Well mainly because I have SELinux off at the moment.

[root@web1:~] #getenforce 0 Permissive

I also tried a restorecon -R -v /opt/AppDynamics. But even after doing that the SELinux errors in the output of systemctl status httpd are still happening. And if I take a look at the SELinux permissions on that directory, this is what I have:

[root@web1:~] #ls -lZ /opt/ | grep -i appd
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 AppDynamics
[root@web1:~] #ls -lZ /opt/AppDynamics/
drwxrwxr-x. apache apache unconfined_u:object_r:usr_t:s0 appdynamics-php-agent
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0 var

Anyone have any ideas on how I can beat this problem?

Thanks!!
Tim

On Mon, May 11, 2015 at 3:08 PM, m.r...@5-cent.us wrote:

> Tim Dunphy wrote:
>
>>> If rpm is configured for _that_ location of log files, I would remove the repository this rpm comes from from configuration and will remember to never-never ever use that repository for anything. Just my $0.02
>>
>> Yeah I completely get where you're coming from there. However it's not an RPM from a repo. I downloaded the rpm from the appdynamics site itself. While it may be easy to say well then just don't use appdynamics! That's not a luxury I have. My company uses it and I need to get up to speed on how to work with it. So that's why I'm trying out this experiment.
>
> No, that's called bug report, or enhancement request.
>
> mark
>
> and is done by amateurs, or 'subject matter experts', who think they know how to do the computer side
Re: [CentOS] mariadb fails to start under C7
> Actually, the systemctl command is:
>
> systemctl start mysql.service
>
> from the systemctl show output it looks like this actually calls the /etc/rc.d/init.d/mysql file for start/stop/reload, which seems backwards. It appears that mariadb is trying to be a total drop-in replacement to mysql, so all the paths/files, etc., e.g., in the ps output, are mysql not mariadb -- so it's tricky to have them both installed.
>
> By the way, you can use things like:
>
> systemctl list-units
>
> (and likely more efficient approaches) to find the systemctl command naming.

By gum! That seems to have done it!! Thank you very much for those tips!

[root@nfsdb1 ~]# systemctl list-units | grep -i mysql
mysql.service loaded active running LSB: start and stop MySQL
[root@nfsdb1 ~]# systemctl start mysql.service
[root@nfsdb1 ~]# lsof -i :3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 839 mysql 16u IPv6 15270 0t0 TCP *:mysql (LISTEN)

And then I just ran mysql_secure_install and now I can log into the DB! Thanks so much for the help! The CentOS list rocks!!

Tim

On Sun, May 10, 2015 at 5:11 PM, Richard lists-cen...@listmail.innovate.net wrote:

> Original Message
> Date: Sunday, May 10, 2015 01:20:34 PM -0700
> From: John R Pierce pie...@hogranch.com
>
>> On 5/10/2015 1:04 PM, Earl A Ramirez wrote:
>>
>>> Did a little Googling [0] and I saw that they recommend starting it as follows:
>>>
>>> /etc/init.d/mysql start
>>
>> which is old school sysVinit style. my guess is, you'll need to fix up a systemd service description file, like /usr/lib/systemd/system/mariadb.service
>
> Actually, the systemctl command is:
>
> systemctl start mysql.service
>
> from the systemctl show output it looks like this actually calls the /etc/rc.d/init.d/mysql file for start/stop/reload, which seems backwards. It appears that mariadb is trying to be a total drop-in replacement to mysql, so all the paths/files, etc., e.g., in the ps output, are mysql not mariadb -- so it's tricky to have them both installed.
>
> By the way, you can use things like:
>
> systemctl list-units
>
> (and likely more efficient approaches) to find the systemctl command naming.
[CentOS] appdynamics php agent prevented by SELinux
Hey guys,

I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with its controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems.

[root@web1:~] #getenforce
Permissive

May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:47:57 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:47:58 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:48:00 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:48:01 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:49:16 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:49:17 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:53:14 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...
May 10 20:53:15 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **...

So I enabled SELinux and started troubleshooting with audit2why.

[root@web1:~] #setenforce 1
[root@web1:~] #getenforce
Enforcing

And I'm seeing messages like these:

[root@web1:~] #grep appd /var/log/audit/audit.log | audit2why -w
type=AVC msg=audit(1431305820.292:393420): avc: denied { write } for pid=27289 comm=java path=/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp dev=vda ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

The part I am stuck on is using audit2allow to generate a loadable module that can allow this. Can anyone spare any pointers on how to do that?

Thanks!
Tim
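The AVC records quoted in this post and in the later reply (java and httpd in httpd_t denied write, append and setattr on files still labelled lib_t or usr_t) are the raw input audit2allow works from. The following is an added example, not code from the thread or from AppDynamics: it parses such records, shows the allow rules audit2allow would generate, and, because granting httpd_t write access to a generic package label is far broader than needed, suggests relabelling the log directory first. The sample records are constructed from the thread's denial (pids and inodes made up), and the httpd_t to httpd_log_t mapping is an assumption to be confirmed by re-running audit2why after restorecon.

```python
"""Triage SELinux AVC denials like the ones quoted in this thread.

Added example, not code from the thread or from AppDynamics. It parses raw
audit.log AVC records, groups them the way audit2allow would, and prefers a
file-context fix over a blanket allow rule when the denied target still
carries a generic library label such as lib_t or usr_t.
"""
import re
from collections import defaultdict

# Constructed sample records modelled on the denial quoted in the thread;
# pids, inode numbers and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1431305820.292:393420): avc:  denied  { write } for  pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp" dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1431305820.292:393420): arch=c000003e syscall=2 success=no exit=-13 comm="java"
type=AVC msg=audit(1431305821.101:393421): avc:  denied  { append } for  pid=27290 comm="httpd" path="/usr/lib/appdynamics-php5/logs/agent.log" dev="vda" ino=965853 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1431305822.555:393422): avc:  denied  { setattr } for  pid=27290 comm="httpd" name="logging" dev="vda" ino=965854 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
"""

# Labels for code and data shipped by packages; a web-server domain being
# denied write access to them is a labelling problem, not a missing rule.
GENERIC_TYPES = {"lib_t", "usr_t", "bin_t", "etc_t"}
WRITE_LIKE = {"write", "append", "create", "setattr", "unlink", "rename",
              "add_name", "remove_name"}
# Assumed mapping from source domain to the log type its policy lets it write.
LOG_TYPE_FOR_DOMAIN = {"httpd_t": "httpd_log_t"}

_DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    denied = _DENIED_RE.search(line)
    if not denied:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return {
        "perms": set(denied.group(1).split()),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name", "?"),
        "sdomain": fields["scontext"].split(":")[2],  # e.g. httpd_t
        "ttype": fields["tcontext"].split(":")[2],    # e.g. lib_t
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Union the denied permissions per (source domain, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def te_rules(summary):
    """Render the allow rules audit2allow would put in a local module."""
    return [
        f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdomain, ttype, tclass), perms in sorted(summary.items())
    ]


def recommend(summary, log_dir):
    """Prefer relabelling log_dir over granting a domain write access to a generic type.

    Returns shell commands as strings; falls back to the TE rules when no
    denial fits the relabel pattern.
    """
    for (sdomain, ttype, _tclass), perms in sorted(summary.items()):
        log_type = LOG_TYPE_FOR_DOMAIN.get(sdomain)
        if log_type and ttype in GENERIC_TYPES and perms & WRITE_LIKE:
            return [
                f'semanage fcontext -a -t {log_type} "{log_dir}(/.*)?"',
                f"restorecon -Rv {log_dir}",
            ]
    return te_rules(summary)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    print("What audit2allow would grant:")
    for rule in te_rules(summary):
        print("  " + rule)
    print("Narrower fix to try first (re-check audit.log afterwards):")
    for cmd in recommend(summary, "/usr/lib/appdynamics-php5/logs"):
        print("  " + cmd)
```

If denials persist after the relabel, the remaining records are the ones a local module should cover, and they will be far fewer than the first pass produced.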
[CentOS] mariadb fails to start under C7
Hey all,

I just installed MariaDB version 10 from the mariadb repositories under a CentOS 7 host. The install went fine!

[root@nfsdb1 ~]# rpm -qa | grep -i mariadb
MariaDB-common-10.0.19-1.el7.centos.x86_64
MariaDB-server-10.0.19-1.el7.centos.x86_64
MariaDB-client-10.0.19-1.el7.centos.x86_64
MariaDB-shared-10.0.19-1.el7.centos.x86_64

However, when I go to start up the service, I'm getting this error:

[root@nfsdb1 ~]# systemctl start mariadb.service
Failed to issue method call: Unit mariadb.service failed to load: No such file or directory.

Can someone please let me know how to start this up?

Thanks,
Tim
Re: [CentOS] mariadb fails to start under C7
Hi Earl,

> I think I found your problem, you do not have the correct package installed
>
> [root@c7-db1 ~]# rpm -qa | grep maria
> mariadb-libs-5.5.41-2.el7_0.x86_64
> mariadb-server-5.5.41-2.el7_0.x86_64
> mariadb-5.5.41-2.el7_0.x86_64
> [root@c7-db1 ~]#
>
> Install the mariadb-x package and you should be able to start the service

Thanks. While I could go with mariadb 5, the goal I had in mind was mariadb 10. They're pretty different and 10 is more advanced. Push comes to shove, however I could go with 5.

And to Hal.. yeah you can use service mariadb start (assuming everything you need is there). But systemctl is the preferred method under CentOS 7.

[root@nfsdb1 ~]# service mariadb start
Redirecting to /bin/systemctl start mariadb.service
Failed to issue method call: Unit mariadb.service failed to load: No such file or directory.

I guess I'll wait to see if anyone has any ideas on getting MariaDB 10 working. I've already googled this to no avail. If nothing turns up on the list or if I can't find anything, I'll just go with MariaDB 5.

Thanks,
Tim

On Sun, May 10, 2015 at 3:11 PM, Earl A Ramirez earlarami...@gmail.com wrote:

> Hello Tim,
>
> On 10 May 2015 at 14:47, Tim Dunphy bluethu...@gmail.com wrote:
>
>> Hey all,
>>
>> I just installed MariaDB version 10 from the mariadb repositories under a CentOS 7 host. The install went fine!
>>
>> [root@nfsdb1 ~]# rpm -qa | grep -i mariadb
>> MariaDB-common-10.0.19-1.el7.centos.x86_64
>> MariaDB-server-10.0.19-1.el7.centos.x86_64
>> MariaDB-client-10.0.19-1.el7.centos.x86_64
>> MariaDB-shared-10.0.19-1.el7.centos.x86_64
>>
>> However, when I go to start up the service, I'm getting this error:
>>
>> [root@nfsdb1 ~]# systemctl start mariadb.service
>> Failed to issue method call: Unit mariadb.service failed to load: No such file or directory.
>>
>> Can someone please let me know how to start this up?
>>
>> Thanks,
>> Tim
>
> I think I found your problem, you do not have the correct package installed
>
> [root@c7-db1 ~]# rpm -qa | grep maria
> mariadb-libs-5.5.41-2.el7_0.x86_64
> mariadb-server-5.5.41-2.el7_0.x86_64
> mariadb-5.5.41-2.el7_0.x86_64
> [root@c7-db1 ~]#
>
> Install the mariadb-x package and you should be able to start the service
>
> --
> Kind Regards
> Earl Ramirez
[CentOS] firewalld trouble opening a port
Hey all,

I'm having a little trouble opening up a port on a C7 machine. Here's the default zone:

[root@appd:~] #firewall-cmd --get-default-zone
home

So I try to add the port:

[root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
success

Then I reload firewalld:

[root@appd:~] #firewall-cmd --reload
success

Simple! That should do it. Right? Well not quite. Cuz when I telnet to that host on that port, it's not connecting:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx... ---obscuring the real IP
telnet: connect to address xx.xx.xx.xx: Connection refused
telnet: Unable to connect to remote host

Yet, that port is definitely listening on the host:

[root@appd:~] #lsof -i :8181
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 13423 root 333u IPv6 3526508 0t0 TCP *:intermapper (LISTEN)

And if I stop the firewall momentarily, I can telnet to that port from a remote location:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

Of course I bring up the firewall right away once I'm done testing:

[root@appd:~] #systemctl start firewalld
[root@appd:~] #systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
 Main PID: 18826 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall daemon.

Any ideas on what I'm doing wrong?

Thanks,
Tim
Re: [CentOS] firewalld trouble opening a port
Hi Earl,

> The problem is you added the rule in runtime and when you reloaded it removed the rule that you added; therefore you need to use --permanent or do not reload.

Thanks! That worked.

[root@appd:~] #firewall-cmd --zone=home --list-ports
[root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp --permanent
success
[root@appd:~] #firewall-cmd --reload
success
[root@appd:~] #firewall-cmd --zone=home --list-ports
8181/tcp

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

On Sat, May 9, 2015 at 3:14 PM, Earl A Ramirez earlarami...@gmail.com wrote:

> On 9 May 2015 at 14:57, Tim Dunphy bluethu...@gmail.com wrote:
>
>> Hey all,
>>
>> I'm having a little trouble opening up a port on a C7 machine. Here's the default zone:
>>
>> [root@appd:~] #firewall-cmd --get-default-zone
>> home
>>
>> So I try to add the port:
>>
>> [root@appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
>> success
>>
>> Then I reload firewalld:
>>
>> [root@appd:~] #firewall-cmd --reload
>> success
>>
>> Simple! That should do it. Right? Well not quite. Cuz when I telnet to that host on that port, it's not connecting:
>>
>> #telnet appd.mydomain.com 8181
>> Trying xx.xx.xx.xx... ---obscuring the real IP
>> telnet: connect to address xx.xx.xx.xx: Connection refused
>> telnet: Unable to connect to remote host
>>
>> Yet, that port is definitely listening on the host:
>>
>> [root@appd:~] #lsof -i :8181
>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>> java 13423 root 333u IPv6 3526508 0t0 TCP *:intermapper (LISTEN)
>>
>> And if I stop the firewall momentarily, I can telnet to that port from a remote location:
>>
>> #telnet appd.mydomain.com 8181
>> Trying xx.xx.xx.xx...
>> Connected to appd.mydomain.com.
>> Escape character is '^]'.
>>
>> Of course I bring up the firewall right away once I'm done testing:
>>
>> [root@appd:~] #systemctl start firewalld
>> [root@appd:~] #systemctl status firewalld
>> firewalld.service - firewalld - dynamic firewall daemon
>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
>>    Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
>>  Main PID: 18826 (firewalld)
>>    CGroup: /system.slice/firewalld.service
>>            └─18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>>
>> May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall daemon.
>>
>> Any ideas on what I'm doing wrong?
>>
>> Thanks,
>> Tim
>
> I saw that you are doing firewall-cmd --reload; however you did not have the following:
>
> firewall-cmd --permanent --zone=home --add-port=8181/tcp
>
> The problem is you added the rule in runtime and when you reloaded it removed the rule that you added; therefore you need to use --permanent or do not reload.
>
> Let me know if this helps.
>
> --
> Kind Regards
> Earl Ramirez
Re: [CentOS] can't disable tcp6 on centos 7
> On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:
>
>> Rather than a yum install. If I install the nrpe package from yum I don't find a check_nrpe script on the system for some reason!
>
> That's because the 'check_nrpe' command isn't in the nrpe package. It's in the nagios-plugins-nrpe package. The executable is installed, alongside all other nagios check commands, as /usr/lib64/nagios/plugins/check_nrpe.

Got it!! Thanks Jonathan!! I'll make sure I take a note of that. I'd rather use packages on a regular basis rather than source code installs.

Thanks,
Tim

On Mon, May 4, 2015 at 9:33 AM, Jonathan Billings billi...@negate.org wrote:

> On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:
>
>> Rather than a yum install. If I install the nrpe package from yum I don't find a check_nrpe script on the system for some reason!
>
> That's because the 'check_nrpe' command isn't in the nrpe package. It's in the nagios-plugins-nrpe package. The executable is installed, alongside all other nagios check commands, as /usr/lib64/nagios/plugins/check_nrpe.
>
> --
> Jonathan Billings billi...@negate.org
[CentOS] can't disable tcp6 on centos 7
hey all,

I tried disabling tcp v6 on a C7 box this way:

[root@puppet:~] #cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/name.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then going:

[root@puppet:~] #sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then I restarted xinetd for good measure:

[root@puppet:~] #systemctl restart xinetd
[root@puppet:~] #

Because I'm trying to hit nrpe on this host. Yet, xinetd/nrpe still seems to be listening on TCP v6!!

[root@puppet:~] #netstat -tulpn | grep -i listen | grep xinetd
tcp6 0 0 :::5666 :::* LISTEN 2915/xinetd

This is a CentOS 7.1 box:

[root@puppet:~] #cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

What am I doing wrong? I need to be able to disable tcpv6 completely!

Thanks
Tim
Re: [CentOS] can't disable tcp6 on centos 7
> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?

The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
CHECK_NRPE: Socket timeout after 10 seconds.

It is listening on the puppet host on port 5666

[root@puppet:~] #lsof -i :5666
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 2915 root 5u IPv6 24493 0t0 TCP *:nrpe (LISTEN)

And the firewall is allowing that port:

[root@puppet:~] #firewall-cmd --list-ports
5666/udp

But if I check the port using nmap

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.012s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

That port is closed despite the port being allowed on the firewall. So I thought that the problem was that xinetd was listening to port 5666 only on tcp v6. And when the monitoring host hits the puppet host using tcp v4 it can't because only tcp v6 is active on that port. You mention that it's listening on both tcp v4 and v6. But I only see v6 in that output. How are you determining that?

It's a problem because the port does not appear to be open from the monitoring host:

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

> You could add ipv6.disable=1 to your kernel args.
>
>> What am I doing wrong? I need to be able to disable tcpv6 completely!

Worth a shot!

On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer gordon.mess...@gmail.com wrote:

> On 05/03/2015 02:18 PM, Tim Dunphy wrote:
>
>> Yet, xinetd/nrpe still seems to be listening on TCP v6!!
>
> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>
>> What am I doing wrong? I need to be able to disable tcpv6 completely!
>
> You could add ipv6.disable=1 to your kernel args.
Re: [CentOS] can't disable tcp6 on centos 7
> is it working on localhost or not???!!! it could be selinux problem also, if context is not correct.

It's working on localhost:

[root@puppet:~] #telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I notice if I stop the firewall on the puppet host (for no more than 2 seconds) and hit NRPE from the monitoring host it works:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
NRPE v2.15

But as soon as the firewall has been enabled on the puppet host (a microsecond later) I get this result:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
connect to address 216.120.xxx.xxx port 5666: No route to host
connect to host puppet.mydomain.com port 5666: No route to host

And nmap from the monitoring host tells me that the port is closed:

[root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 23:20 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

Back on the puppet host I verify that the port is open for UDP:

[root@puppet:~] #firewall-cmd --list-ports
5666/udp

That should be right AFAIK. Can anybody tell me what I'm doing wrong?

Thanks
Tim

On Sun, May 3, 2015 at 6:59 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

> is it working on localhost or not???!!! it could be selinux problem also, if context is not correct.
>
> --
> Eero
>
> 2015-05-04 1:55 GMT+03:00 Tim Dunphy bluethu...@gmail.com:
>
>>> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>>
>> The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.
>>
>> [root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
>> CHECK_NRPE: Socket timeout after 10 seconds.
>>
>> It is listening on the puppet host on port 5666
>>
>> [root@puppet:~] #lsof -i :5666
>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>> xinetd 2915 root 5u IPv6 24493 0t0 TCP *:nrpe (LISTEN)
>>
>> And the firewall is allowing that port:
>>
>> [root@puppet:~] #firewall-cmd --list-ports
>> 5666/udp
>>
>> But if I check the port using nmap
>>
>> [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
>> Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
>> Nmap scan report for puppet.jokefire.com (216.120.250.140)
>> Host is up (0.012s latency).
>> PORT     STATE    SERVICE
>> 5666/tcp filtered nrpe
>>
>> That port is closed despite the port being allowed on the firewall. So I thought that the problem was that xinetd was listening to port 5666 only on tcp v6. And when the monitoring host hits the puppet host using tcp v4 it can't because only tcp v6 is active on that port. You mention that it's listening on both tcp v4 and v6. But I only see v6 in that output. How are you determining that?
>>
>> It's a problem because the port does not appear to be open from the monitoring host:
>>
>> [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
>> Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
>> Nmap scan report for puppet.jokefire.com (216.120.250.140)
>> Host is up (0.011s latency).
>> PORT     STATE    SERVICE
>> 5666/tcp filtered nrpe
>>
>>> You could add ipv6.disable=1 to your kernel args.
>>>
>>>> What am I doing wrong? I need to be able to disable tcpv6 completely!
>>
>> Worth a shot!
>>
>> On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer gordon.mess...@gmail.com wrote:
>>
>>> On 05/03/2015 02:18 PM, Tim Dunphy wrote:
>>>
>>>> Yet, xinetd/nrpe still seems to be listening on TCP v6!!
>>>
>>> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>>>
>>>> What am I doing wrong? I need to be able to disable tcpv6 completely!
>>>
>>> You could add ipv6.disable=1 to your kernel args.
Re: [CentOS] can't disable tcp6 on centos 7
Eero,

> where did you install this nrpe package? is selinux running enforcing mode (getenforce command), try disabling with setenforce 0. why you are running it under xinetd as usual way is to run it as nrped daemon.

For NRPE I usually do a source install with these flags:

./configure
make all
make install-plugin
make install-daemon
make install-daemon-config
make install-xinetd

Rather than a yum install. If I install the nrpe package from yum I don't find a check_nrpe script on the system for some reason! I demonstrate this on another system than the ones I've been working with in this thread:

[root@monitor1:~] #rpm -qa | grep nrpe | grep -v mcollective
nrpe-2.15-2.el7.x86_64
[root@monitor1:~] #find / -name check_nrpe
[root@monitor1:~] #

So I'm more comfortable with a source install.

> test against with check_nrpe, not using telnet.

I actually solved the problem by adding the port to tcp instead of udp on the puppet host:

firewall-cmd --permanent --add-port=5666/tcp

Then from the monitoring host:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
NRPE v2.15

So it's all good at this point. I'm not sure why the instructions I followed said to open up the port under UDP.. Had I just done what I did I would have saved a lot of trouble.. Thanks for the input guys!! I'm glad the problem is solved now.

On Sun, May 3, 2015 at 7:31 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

> Tim,
>
> where did you install this nrpe package? is selinux running enforcing mode (getenforce command), try disabling with setenforce 0. why you are running it under xinetd as usual way is to run it as nrped daemon.
>
> test against with check_nrpe, not using telnet.
>
> --
> Eero
>
> 2015-05-04 2:27 GMT+03:00 Stephen Harris li...@spuddy.org:
>
>> On Sun, May 03, 2015 at 07:23:19PM -0400, Tim Dunphy wrote:
>>
>>> [root@puppet:~] #telnet localhost 5666
>>
>> This is using TCP
>>
>>> [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
>>> ...
>>> 5666/tcp filtered nrpe
>>
>> This is using TCP
>>
>>> Back on the puppet host I verify that the port is open for UDP:
>>
>> So why are you opening a UDP port?
>>
>> --
>> rgds
>> Stephen
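Two of the firewall problems in these threads are the same kind of mistake seen from different sides: a port added to the runtime configuration without --permanent (gone after firewall-cmd --reload), and a port opened as 5666/udp while xinetd listens on 5666/tcp. The script below is an added example, not code from the threads: it reads the text output of firewall-cmd --list-ports, firewall-cmd --permanent --list-ports and lsof -i, and reports both kinds of mismatch. The sample outputs and the service-name table are constructed from what the threads show; on a real host the name table comes from /etc/services, and ports opened through zone services (--list-services) rather than --add-port are not covered.

```python
"""Cross-check firewalld port openings against what is actually listening.

Added example, not code from the thread. The functions take the text output
of `firewall-cmd --list-ports`, `firewall-cmd --permanent --list-ports` and
`lsof -i`, so they can be fed real output; the samples are constructed.
"""
import re

RUNTIME_PORTS = "8181/tcp 5666/udp"   # firewall-cmd --list-ports (constructed)
PERMANENT_PORTS = "5666/udp"          # firewall-cmd --permanent --list-ports (constructed)
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
xinetd   2915 root    5u  IPv6   24493      0t0  TCP *:nrpe (LISTEN)
java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper (LISTEN)
java    13423 root  340u  IPv6 3526600      0t0  TCP appd:intermapper->client:51822 (ESTABLISHED)
"""
# lsof prints service names from /etc/services; map the ones used here back to numbers.
SERVICE_PORTS = {"nrpe": 5666, "intermapper": 8181}

_LSOF_RE = re.compile(r"\b(TCP|UDP)\s+\S+:(\S+)(?:\s+\((\w+)\))?\s*$")


def parse_ports(list_ports_output):
    """Turn firewall-cmd's '8181/tcp 5666/udp' into a set of (port, proto)."""
    ports = set()
    for token in list_ports_output.split():
        port, proto = token.split("/")
        ports.add((int(port), proto.lower()))
    return ports


def parse_listeners(lsof_output, service_ports):
    """Return (port, proto) for every listening socket in `lsof -i` output."""
    listeners = set()
    for line in lsof_output.splitlines():
        m = _LSOF_RE.search(line)
        if not m:
            continue
        proto, name, state = m.group(1).lower(), m.group(2), m.group(3)
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing TCP connections are not listeners
        port = int(name) if name.isdigit() else service_ports.get(name)
        if port is not None:
            listeners.add((port, proto))
    return listeners


def find_issues(runtime, permanent, listeners):
    """Report runtime-only openings and listeners whose port/protocol is not opened."""
    issues = []
    for port, proto in sorted(runtime - permanent):
        issues.append(f"{port}/{proto}: open only in the runtime config; "
                      f"firewall-cmd --reload will drop it (add it with --permanent)")
    opened = runtime | permanent
    for port, proto in sorted(listeners):
        if (port, proto) in opened:
            continue
        other = "udp" if proto == "tcp" else "tcp"
        hint = f" (only {port}/{other} is open)" if (port, other) in opened else ""
        issues.append(f"{port}/{proto}: a daemon is listening but firewalld does not open it{hint}")
    return issues


def check(runtime_text, permanent_text, lsof_text, service_ports=SERVICE_PORTS):
    """Convenience wrapper taking the raw command output as strings."""
    return find_issues(parse_ports(runtime_text), parse_ports(permanent_text),
                       parse_listeners(lsof_text, service_ports))


if __name__ == "__main__":
    for issue in check(RUNTIME_PORTS, PERMANENT_PORTS, LSOF_OUTPUT):
        print(issue)
```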
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
>> And I made sure the local firewall was stopped, because I am blocking ports with the security groups instead.
>
> As an aside, I wouldn't do this unless running in a VPC as there are other hosts in the general cloud and many are malicious.

Hmmm... you make an excellent point! I picked up this habit from an AWS shop I used to work at. But what you just said will make me reconsider!

>> It's only when checking from the monitoring host that nrpe fails:
>
> Check /var/log/messages to see if xinetd says anything.

I tailed /var/log/messages while hitting the client with check_nrpe from the monitoring host. However, that didn't cause an entry in the messages log.

> Also nrpe needs to be told from where connections are allowed whether running under an inetd or self-daemonized.

Yep! I've set the only_from to have only the loopback address and the IP for the monitoring host in /etc/xinetd.d/npre.

> Also check the NRPE reviews on exchange.nagios.org, where the issue is discussed.

Cool! Thanks. I'll check it out, and see if I can find anything useful.

I appreciate the input! Also I really appreciate the ongoing dialog with the community on this issue. I'm grasping at straws at this point. And all the attempts at help have been really great! I hope we can still get to the bottom of this!

Tim

On Sat, May 2, 2015 at 11:45 AM, Mark Milhollan m...@pixelgate.net wrote:

> On Fri, 1 May 2015, Tim Dunphy wrote:
>
>> And I made sure the local firewall was stopped, because I am blocking ports with the security groups instead.
>
> As an aside, I wouldn't do this unless running in a VPC as there are other hosts in the general cloud and many are malicious.
>
>> It's only when checking from the monitoring host that nrpe fails:
>
> Check /var/log/messages to see if xinetd says anything.
>
> Also nrpe needs to be told from where connections are allowed whether running under an inetd or self-daemonized.
>
> Also check the NRPE reviews on exchange.nagios.org, where the issue is discussed.
>
> /mark
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
> Not just /var/log/messages. Doesn't nrpe have a log file? Maybe even secure.

Hmmm I don't find any log specific to nrpe. In other words I don't see /var/log/nrpe.log or whatever. :) And when I tail -f /var/log/secure or /var/log/messages I don't see any entries turning up in them when I hit the client with check_nrpe. I was checking the logs on the client itself.

>>> Also nrpe needs to be told from where connections are allowed whether running under an inetd or self-daemonized.
>>
>> Yep! I've set the only_from to have only the loopback address and the IP for the monitoring host in /etc/xinetd.d/npre.
>
> Not the xinetd config, the nrpe config (too).

H. but the nrpe.cfg file is ignored in the case of allowed hosts. From the nrpe config:

# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=127.0.0.1

Thanks for the input tho, I genuinely appreciate it!

On Sat, May 2, 2015 at 4:05 PM, Mark Milhollan m...@pixelgate.net wrote:

> On Sat, 2 May 2015, Tim Dunphy wrote:
>
>>>> It's only when checking from the monitoring host that nrpe fails:
>>>
>>> Check /var/log/messages to see if xinetd says anything.
>>
>> I tailed /var/log/messages while hitting the client with check_nrpe from the monitoring host. However, that didn't cause an entry in the messages log.
>
> Not just /var/log/messages. Doesn't nrpe have a log file? Maybe even secure.
>
>>> Also nrpe needs to be told from where connections are allowed whether running under an inetd or self-daemonized.
>>
>> Yep! I've set the only_from to have only the loopback address and the IP for the monitoring host in /etc/xinetd.d/npre.
>
> Not the xinetd config, the nrpe config (too).
>
> /mark
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
Hi Eric,

NRPE: Error receiving data from daemon
Seems as this is not a SSL Problem. Do you have a nagios user account? Cat /etc/passwd

Yep! Both hosts have nagios user accounts. Demonstrating from the client:

[root@ops:~] #id nagios
uid=2002(nagios) gid=2002(nagios) groups=2002(nagios),2008(nagioscmd)

And this is from the monitoring server:

[root@monitor1:~] #id nagios
uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd)

I do notice a slight difference in the user id and group id numbers. But I don't think that could be causing any issue. Does anyone else disagree? I might want to standardize user accounts at some point however.

Thanks!
Tim

On Fri, May 1, 2015 at 1:03 PM, Eric Lehmann e.lehman...@gmail.com wrote:

Hi

NRPE: Error receiving data from daemon
Seems as this is not a SSL Problem. Do you have a nagios user account? Cat /etc/passwd

On 01.05.2015 18:45 Tim Dunphy bluethu...@gmail.com wrote:

Oh my mistake. I mean nrpe without parameters. It should say something about SSL/TLS active or so. You could test nrpe without SSL. Use nrpe -n - H host

This is what I see about ssl if I just run nrpe on the client without any flags:

[root@ops:~] #nrpe | head -8
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nag...@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

And if I go back to the monitoring host and try to run nrpe with the -n flag, this is what I get:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -n -H ops.jokefire.com
*CHECK_NRPE: Error receiving data from daemon.*

And still getting the SSL error without the -n flag:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
*CHECK_NRPE: Error - Could not complete SSL handshake.*

Running nmap from the monitor host I can see that the nrpe port is open:

[root@monitor1:~] #nmap -p 5666 ops.jokefire.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-01 12:38 EDT
Nmap scan report for ops.jokefire.com (54.225.218.125)
Host is up (0.011s latency).
rDNS record for 54.225.218.125: ec2-54-225-218-125.compute-1.amazonaws.com
PORT     STATE SERVICE
*5666/tcp open  nrpe*
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Yet if I try telnetting to it, it connects, then closes the connection immediately:

[root@monitor1:~] #telnet ops.jokefire.com 5666
Trying 54.225.218.125...
*Connected to ops.jokefire.com http://ops.jokefire.com.*
Escape character is '^]'.
*Connection closed by foreign host.*

Going back to the ops host that I want to monitor, I can verify that the port is listening:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root 5u   IPv4   4063      TCP *:nrpe (LISTEN)

And I can verify that the nrpe conf is owned by the nagios user and group:

[root@ops:~] #ls -l /usr/local/nagios/etc/nrpe.cfg
-rw-r--r-- 1 nagios nagios 7988 May 1 00:37 /usr/local/nagios/etc/nrpe.cfg

I think that covers all your suggestions. Except for Eero's suggestion to try running nrpe without xinetd. I can try to get to that later, but I may not have time for that suggestion today. But as I demonstrate above, the problem is not that nrpe isn't listening.

This remains a really odd situation. Does anyone else have any clues?

Thanks,
Tim

On Fri, May 1, 2015 at 7:43 AM, Eric Lehmann e.lehman...@gmail.com wrote:

Oh my mistake. I mean nrpe without parameters. It should say something about SSL/TLS active or so. You could test nrpe without SSL. Use nrpe -n - H host

On 01.05.2015 13:18 Eero Volotinen eero.voloti...@iki.fi wrote:

well. how about trying default setting and running nrped without xinetd.

-- Eero

2015-05-01 14:14 GMT+03:00 Tim Dunphy bluethu...@gmail.com:

This is strange... Do you have SSL active on both systems? Run nrpr locally without parameters (this should return some nrpe stats) and check ldd for libssl.

I don't seem to have that command.

[root@monitor1:~] #find / -name *nrpr 2> /dev/null
[root@monitor1:~] #

And that's on either system. And if I do an ldd on both, this is what I can tell:

Server:

[root@monitor1:~] #ldd /usr/local/nagios/libexec/check_nrpe
linux-vdso.so.1 => (0x7fffd895d000)
* libssl.so.10 => /lib64/libssl.so.10 (0x7fc61722a000)*
*libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7fc616e43000)*
libnsl.so.1 => /lib64/libnsl.so.1 (0x7fc616c29000)
libc.so.6 => /lib64/libc.so.6 (0x7fc616868000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
Oh my mistake. I mean nrpe without parameters. It should say something about SSL/TLS active or so. You could test nrpe without SSL. Use nrpe -n - H host

This is what I see about ssl if I just run nrpe on the client without any flags:

[root@ops:~] #nrpe | head -8
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nag...@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

And if I go back to the monitoring host and try to run nrpe with the -n flag, this is what I get:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -n -H ops.jokefire.com
*CHECK_NRPE: Error receiving data from daemon.*

And still getting the SSL error without the -n flag:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
*CHECK_NRPE: Error - Could not complete SSL handshake.*

Running nmap from the monitor host I can see that the nrpe port is open:

[root@monitor1:~] #nmap -p 5666 ops.jokefire.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-01 12:38 EDT
Nmap scan report for ops.jokefire.com (54.225.218.125)
Host is up (0.011s latency).
rDNS record for 54.225.218.125: ec2-54-225-218-125.compute-1.amazonaws.com
PORT     STATE SERVICE
*5666/tcp open  nrpe*
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Yet if I try telnetting to it, it connects, then closes the connection immediately:

[root@monitor1:~] #telnet ops.jokefire.com 5666
Trying 54.225.218.125...
*Connected to ops.jokefire.com http://ops.jokefire.com.*
Escape character is '^]'.
*Connection closed by foreign host.*

Going back to the ops host that I want to monitor, I can verify that the port is listening:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root 5u   IPv4   4063      TCP *:nrpe (LISTEN)

And I can verify that the nrpe conf is owned by the nagios user and group:

[root@ops:~] #ls -l /usr/local/nagios/etc/nrpe.cfg
-rw-r--r-- 1 nagios nagios 7988 May 1 00:37 /usr/local/nagios/etc/nrpe.cfg

I think that covers all your suggestions. Except for Eero's suggestion to try running nrpe without xinetd. I can try to get to that later, but I may not have time for that suggestion today. But as I demonstrate above, the problem is not that nrpe isn't listening.

This remains a really odd situation. Does anyone else have any clues?

Thanks,
Tim

On Fri, May 1, 2015 at 7:43 AM, Eric Lehmann e.lehman...@gmail.com wrote:

Oh my mistake. I mean nrpe without parameters. It should say something about SSL/TLS active or so. You could test nrpe without SSL. Use nrpe -n - H host

On 01.05.2015 13:18 Eero Volotinen eero.voloti...@iki.fi wrote:

well. how about trying default setting and running nrped without xinetd.

-- Eero

2015-05-01 14:14 GMT+03:00 Tim Dunphy bluethu...@gmail.com:

This is strange... Do you have SSL active on both systems? Run nrpr locally without parameters (this should return some nrpe stats) and check ldd for libssl.

I don't seem to have that command.

[root@monitor1:~] #find / -name *nrpr 2> /dev/null
[root@monitor1:~] #

And that's on either system. And if I do an ldd on both, this is what I can tell:

Server:

[root@monitor1:~] #ldd /usr/local/nagios/libexec/check_nrpe
linux-vdso.so.1 => (0x7fffd895d000)
* libssl.so.10 => /lib64/libssl.so.10 (0x7fc61722a000)*
*libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7fc616e43000)*
libnsl.so.1 => /lib64/libnsl.so.1 (0x7fc616c29000)
libc.so.6 => /lib64/libc.so.6 (0x7fc616868000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7fc61661c000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7fc616338000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7fc616134000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7fc615f02000)
libdl.so.2 => /lib64/libdl.so.2 (0x7fc615cfd000)
libz.so.1 => /lib64/libz.so.1 (0x7fc615ae7000)
/lib64/ld-linux-x86-64.so.2 (0x7fc6174a)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x7fc6158d8000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7fc6156d3000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7fc6154b9000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fc61529d000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7fc615077000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x7fc614e16000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x7fc614bf1000)

Client:

[root@ops:~] #ldd /usr/local/nagios/libexec/check_nrpe
* libssl.so.6 => /lib64/libssl.so.6 (0x2aaba000)*
*libcrypto.so.6 => /lib64/libcrypto.so.6 (0x2ad08000)*
libnsl.so.1 => /lib64/libnsl.so.1
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
Hi Brian,

Does iptables -L show anything of note?

I'm leaving iptables off in this host. Because it's an AWS EC2 host I'm managing the firewall ports using the AWS security groups.

[root@ops:~] #service iptables status
Firewall is stopped.

But still, there's this...

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Sadly :(

Thanks for your input tho!

On Fri, May 1, 2015 at 3:18 PM, Brian Miller cen...@fullnote.com wrote:

On Fri, 2015-05-01 at 01:32 -0400, Tim Dunphy wrote:

And I made sure the local firewall was stopped, because I am blocking ports with the security groups instead.

[root@ops:~] #service iptables status
Firewall is stopped.

Does iptables -L show anything of note?
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
Hi Brian,

Does 'ldd /usr/local/nagios/bin/nrpe' show any missing libs?

Well, the NRPE binary looks good both on the client and the server from what I can tell:

Client:

[root@ops:~] #ldd /usr/local/nagios/bin/nrpe
libssl.so.6 => /lib64/libssl.so.6 (0x2aaba000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x2ad08000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x2b05a000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x2b273000)
libc.so.6 => /lib64/libc.so.6 (0x2b47c000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x2b7d5000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x2ba04000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x2bc99000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x2be9b000)
libdl.so.2 => /lib64/libdl.so.2 (0x2c0c1000)
libz.so.1 => /lib64/libz.so.1 (0x2c2c5000)
/lib64/ld-linux-x86-64.so.2 (0x4000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x2c4d9000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x2c6e2000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x2c8e4000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x2cafa000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x2cd12000)

And server:

[root@monitor1:~] #ldd /usr/local/nagios/bin/nrpe
linux-vdso.so.1 => (0x7fffd000)
libssl.so.10 => /lib64/libssl.so.10 (0x7fdd5159)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7fdd511a9000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x7fdd50f8f000)
libc.so.6 => /lib64/libc.so.6 (0x7fdd50bce000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7fdd50982000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7fdd5069e000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7fdd5049a000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7fdd50268000)
libdl.so.2 => /lib64/libdl.so.2 (0x7fdd50063000)
libz.so.1 => /lib64/libz.so.1 (0x7fdd4fe4d000)
/lib64/ld-linux-x86-64.so.2 (0x7fdd51806000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x7fdd4fc3e000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7fdd4fa39000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7fdd4f81f000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fdd4f603000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7fdd4f3dd000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x7fdd4f17c000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x7fdd4ef57000)

Both look completely fine! No missing libs. But thanks for the suggestion tho! Definitely not a bad idea to rule that out!

Thanks,
Tim

On Fri, May 1, 2015 at 4:58 PM, Brian Miller cen...@fullnote.com wrote:

On Fri, 2015-05-01 at 15:28 -0400, Tim Dunphy wrote:

Hi Brian,

Does iptables -L show anything of note?

I'm leaving iptables off in this host. Because it's an AWS EC2 host I'm managing the firewall ports using the AWS security groups.

[root@ops:~] #service iptables status
Firewall is stopped.

But still, there's this...

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Sadly :(

Thanks for your input tho!

Does 'ldd /usr/local/nagios/bin/nrpe' show any missing libs?
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
This is strange... Do you have SSL active on both systems? Run nrpr locally without parameters (this should return some nrpe stats) and check ldd for libssl.

I don't seem to have that command.

[root@monitor1:~] #find / -name *nrpr 2> /dev/null
[root@monitor1:~] #

And that's on either system. And if I do an ldd on both, this is what I can tell:

Server:

[root@monitor1:~] #ldd /usr/local/nagios/libexec/check_nrpe
linux-vdso.so.1 => (0x7fffd895d000)
* libssl.so.10 => /lib64/libssl.so.10 (0x7fc61722a000)*
*libcrypto.so.10 => /lib64/libcrypto.so.10 (0x7fc616e43000)*
libnsl.so.1 => /lib64/libnsl.so.1 (0x7fc616c29000)
libc.so.6 => /lib64/libc.so.6 (0x7fc616868000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x7fc61661c000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7fc616338000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7fc616134000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7fc615f02000)
libdl.so.2 => /lib64/libdl.so.2 (0x7fc615cfd000)
libz.so.1 => /lib64/libz.so.1 (0x7fc615ae7000)
/lib64/ld-linux-x86-64.so.2 (0x7fc6174a)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x7fc6158d8000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7fc6156d3000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7fc6154b9000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fc61529d000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7fc615077000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x7fc614e16000)
liblzma.so.5 => /lib64/liblzma.so.5 (0x7fc614bf1000)

Client:

[root@ops:~] #ldd /usr/local/nagios/libexec/check_nrpe
* libssl.so.6 => /lib64/libssl.so.6 (0x2aaba000)*
*libcrypto.so.6 => /lib64/libcrypto.so.6 (0x2ad08000)*
libnsl.so.1 => /lib64/libnsl.so.1 (0x2b05a000)
libc.so.6 => /lib64/libc.so.6 (0x2b273000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x2b5cc000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x2b7fa000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x2ba9)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x2bc92000)
libdl.so.2 => /lib64/libdl.so.2 (0x2beb7000)
libz.so.1 => /lib64/libz.so.1 (0x2c0bc000)
/lib64/ld-linux-x86-64.so.2 (0x4000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x0 0002c2d)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x2c4d8000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x2c6db000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x2c8f)
libsepol.so.1 => /lib64/libsepol.so.1 (0x2cb09000)

So it looks like everything is OK from the SSL end of things.

Any other ideas or suggestions?

Thanks
Tim

On Fri, May 1, 2015 at 5:46 AM, Eric Lehmann e.lehman...@gmail.com wrote:

This is strange... Do you have SSL active on both systems? Run nrpr locally without parameters (this should return some nrpe stats) and check ldd for libssl.

On 01.05.2015 07:32 Tim Dunphy bluethu...@gmail.com wrote:

Hi Eric,

Thanks for your reply. I do have nrpe running under xinetd on the host I'm trying to monitor. And running the nrpe check locally:

[root@ops:~] #/usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.15

[root@ops:~] #grep only_from /etc/xinetd.d/nrpe
only_from = 127.0.0.1 216.120.248.126

And I do have port 5666 open on the security group for this host. And I made sure the local firewall was stopped, because I am blocking ports with the security groups instead.

[root@ops:~] #service iptables status
Firewall is stopped.

It's only when checking from the monitoring host that nrpe fails:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Really, really puzzling. This is driving me up a wall!! I hope I can solve this soon

Thanks for any and all help with this one!!

Tim

On Fri, May 1, 2015 at 1:02 AM, Eric Lehmann e.lehman...@gmail.com wrote:

Hi

Does the daemon run under xinetd? Then you have to configure the only_from in /etc/xinetd.d/nrpe to.

Regards
Eric

On 01.05.2015 06:46 Tim Dunphy bluethu...@gmail.com wrote:

Hello,

I am trying to monitor a host in the Amazon EC2 cloud. Yet when I try to check NRPE from the monitoring host I am getting an SSL handshake error:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

And if I telnet into the host on port 5666 to see if the FW port is open, the connection closes right away:

[root@monitor1:~] #telnet ops.somewhere.com 5666
Trying
[CentOS] Could not complete SSL handshake to Amazon EC2 host
Hello,

I am trying to monitor a host in the Amazon EC2 cloud. Yet when I try to check NRPE from the monitoring host I am getting an SSL handshake error:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

And if I telnet into the host on port 5666 to see if the FW port is open, the connection closes right away:

[root@monitor1:~] #telnet ops.somewhere.com 5666
Trying 54.225.218.125...
Connected to ops.somewhere.com.
Escape character is '^]'.
Connection closed by foreign host.

You can see there it connects, but then it closes immediately after the connection.

I have NRPE running on the host I want to monitor:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root 5u   IPv4   4063      TCP *:nrpe (LISTEN)

And I have the IP of my nagios server listed in the xinetd conf file:

[root@ops:~] #cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 xx.xx.xx.xx # <- representing my real nagios server IP
}

And I have my default security group for that host open on port 5666 to the world for this experiment. I plan on locking that down again to the single IP of my monitoring host once I get this resolved.

Does anyone have any suggestions on how I can get that problem solved?

Thanks,
Tim
Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host
Hi Eric,

Thanks for your reply. I do have nrpe running under xinetd on the host I'm trying to monitor. And running the nrpe check locally:

[root@ops:~] #/usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.15

[root@ops:~] #grep only_from /etc/xinetd.d/nrpe
only_from = 127.0.0.1 216.120.248.126

And I do have port 5666 open on the security group for this host. And I made sure the local firewall was stopped, because I am blocking ports with the security groups instead.

[root@ops:~] #service iptables status
Firewall is stopped.

It's only when checking from the monitoring host that nrpe fails:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

Really, really puzzling. This is driving me up a wall!! I hope I can solve this soon

Thanks for any and all help with this one!!

Tim

On Fri, May 1, 2015 at 1:02 AM, Eric Lehmann e.lehman...@gmail.com wrote:

Hi

Does the daemon run under xinetd? Then you have to configure the only_from in /etc/xinetd.d/nrpe to.

Regards
Eric

On 01.05.2015 06:46 Tim Dunphy bluethu...@gmail.com wrote:

Hello,

I am trying to monitor a host in the Amazon EC2 cloud. Yet when I try to check NRPE from the monitoring host I am getting an SSL handshake error:

[root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
CHECK_NRPE: Error - Could not complete SSL handshake.

And if I telnet into the host on port 5666 to see if the FW port is open, the connection closes right away:

[root@monitor1:~] #telnet ops.somewhere.com 5666
Trying 54.225.218.125...
Connected to ops.somewhere.com.
Escape character is '^]'.
Connection closed by foreign host.

You can see there it connects, but then it closes immediately after the connection.

I have NRPE running on the host I want to monitor:

[root@ops:~] #lsof -i :5666
COMMAND  PID USER FD   TYPE DEVICE SIZE NODE NAME
xinetd  1434 root 5u   IPv4   4063      TCP *:nrpe (LISTEN)

And I have the IP of my nagios server listed in the xinetd conf file:

[root@ops:~] #cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 xx.xx.xx.xx # <- representing my real nagios server IP
}

And I have my default security group for that host open on port 5666 to the world for this experiment. I plan on locking that down again to the single IP of my monitoring host once I get this resolved.

Does anyone have any suggestions on how I can get that problem solved?

Thanks,
Tim
[CentOS] can't install gd-devel on centos 7.1
Hey guys,

I'm trying to install gd-devel onto a CentOS 7 host.

--> Finished Dependency Resolution
Error: Package: gd-last-devel-2.1.1-2.el7.remi.x86_64 (remi)
           Requires: libvpx-devel(x86-64)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

But when I try to do that I get the error you see above. These are the repos I have installed and enabled:

repo id                                            repo name                      status
epel/x86_64                                        Extra Packages for Enterprise  7,718
puppetlabs-deps/x86_64                             Puppet Labs Dependencies El 7     17
puppetlabs-products/x86_64                         Puppet Labs Products El 7 - x    162
remi                                               Les RPM de remi pour Enterpri  1,928
rhui-REGION-client-config-server-7/x86_64          Red Hat Update Infrastructure      4
rhui-REGION-rhel-server-releases/7Server/x86_64    Red Hat Enterprise Linux Serv  6,851
rhui-REGION-rhel-server-rh-common/7Server/x86_64   Red Hat Enterprise Linux Serv    131
rpmforge                                           RHEL 7Server - RPMforge.net -    245
webtatic/x86_64                                    Webtatic Repository EL7 - x86    519

I originally had nothing more than the base CentOS repo enabled. Along with the puppetlabs repo and epel when I first encountered this error. But then I tried adding some repos to find out if I could find the needed package in any of them.

The package that it seems to be complaining about not having is called: libvpx-devel(x86-64)

But when I try to install that this is the result I get:

[root@monitor1:~] #yum install libvpx-devel
Loaded plugins: amazon-id, rhui-lb
No package libvpx-devel available.
Error: Nothing to do

Does anybody have any ideas on how I can get around this problem? I only want to install gd-devel. Seems like it should be so simple! But not in this case. :(

Thanks!!
Tim
Re: [CentOS] can't install gd-devel on centos 7.1
Commercial rhel split repos weird way. so, this user might need to enable some more redhat repos using subscription-manager or similar.

Hmm yeah guys. Sorry for the obvious screw up! Not much was done on this host yet. Actually it's a free tier t-2 on AWS. So I think I'll just trash it and start up an **actual** CentOS host and try again. Gotta learn to be in less of a hurry... ;)

Thanks anyways!
Tim

On Sun, Apr 26, 2015 at 6:52 PM, Eero Volotinen eero.voloti...@iki.fi wrote:

2015-04-27 1:30 GMT+03:00 John R Pierce pie...@hogranch.com:

On 4/26/2015 1:54 PM, Tim Dunphy wrote:

Hey guys,

I'm trying to install gd-devel onto a CentOS 7 host.

--> Finished Dependency Resolution
Error: Package: gd-last-devel-2.1.1-2.el7.remi.x86_64 (remi)
           Requires: libvpx-devel(x86-64)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

But when I try to do that I get the error you see above. These are the repos I have installed and enabled:

repo id                                            repo name                      status
epel/x86_64                                        Extra Packages for Enterprise  7,718
puppetlabs-deps/x86_64                             Puppet Labs Dependencies El 7     17
puppetlabs-products/x86_64                         Puppet Labs Products El 7 - x    162
remi                                               Les RPM de remi pour Enterpri  1,928
rhui-REGION-client-config-server-7/x86_64          Red Hat Update Infrastructure      4
rhui-REGION-rhel-server-releases/7Server/x86_64    Red Hat Enterprise Linux Serv  6,851
rhui-REGION-rhel-server-rh-common/7Server/x86_64   Red Hat Enterprise Linux Serv    131
rpmforge                                           RHEL 7Server - RPMforge.net -    245
webtatic/x86_64                                    Webtatic Repository EL7 - x86    519

I originally had nothing more than the base CentOS repo enabled. Along with the puppetlabs repo and epel when I first encountered this error. But then I tried adding some repos to find out if I could find the needed package in any of them.

As others said, that RHUI stuff suggests licensed redhat subscriptions, NOT centos. here's a stock centos 7.1, that only has EPEL enabled.

# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Commercial rhel split repos weird way. so, this user might need to enable some more redhat repos using subscription-manager or similar.

-- Eero
[CentOS] bash script fails conditional test
Hey all,

I wrote a very basic script to determine if cassandra db is running. I'm setting a variable called 'pid' to the output of a ps | grep like to grab the pid of the cassandra process.

#!/bin/bash
pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')
if [[ -e $pid ]]
then
echo Cassandra is running with pid: $pid
else
echo Cassandra is DOWN!!!
fi

But for some reason the script doesn't realize that the pid variable has been set, and fails the condition. It then reports that Cassandra is DOWN!!!.

[root@web1:~] #sh -x ./bin/check-cass.sh
++ ps -ef
++ grep -v grep
++ grep -i -v -e grep -e screen -e s3fs
++ awk '{print $2}'
++ grep cassandra
+ pid=26979
+ [[ -e 26979 ]]
+ echo 'Cassandra is DOWN!!!'
Cassandra is DOWN!!!

Can anybody tell me where I'm going wrong here? Because from what I can see, clearly the pid variable is being set so the script should be reporting that cassandra is up!

I'd appreciate any advice you may have.

Thanks,
Tim
Re: [CentOS] bash script fails conditional test
-e means if file exists. You should use -n

That did it!!

[root@web1:~] #./bin/check-cass.sh
Cassandra is running with pid: 26979

This is what the script looks like now:

#!/bin/bash
pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')
if [[ -n $pid ]]
then
echo Cassandra is running with pid: $pid
else
echo Cassandra is DOWN!!!
fi

Insert an extra line after #!/bin/bash
set -xv
which will show helpful debug messages.

Good tip! But I ran the script with sh +x . I guess that running it with sh +xv would do the same thing. But that is a useful tip to include the debug lines right in the script. I'll have to remember that for next time!

Thanks! :)
Tim

On Sun, Apr 19, 2015 at 1:55 PM, Always Learning cen...@u64.u22.net wrote:

On Sun, 2015-04-19 at 13:15 -0400, Tim Dunphy wrote:

Hey all,

I wrote a very basic script to determine if cassandra db is running. I'm setting a variable called 'pid' to the output of a ps | grep like to grab the pid of the cassandra process.

Insert an extra line after #!/bin/bash
set -xv
which will show helpful debug messages.

--
Regards,
Paul.
England, EU. Je suis Charlie.
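An added example, not from the thread or from Tim's script: it runs the thread's own ps | grep | awk pipeline over a constructed ps -ef listing (made-up users, pids and command lines) and shows why the -e test reported a running Cassandra as DOWN while the -n test gets it right. It is written in POSIX sh so the same result holds whether it is run with sh or bash.

```shell
#!/bin/sh
# Constructed sample of `ps -ef` output; nothing here was captured from a
# real host. It contains one real Cassandra JVM plus the two kinds of
# false positives the thread's pipeline filters out (a screen session and
# an s3fs backup job that both mention "cassandra"), and the grep itself.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr19 ?        00:00:03 /sbin/init
cassand+ 26979     1  2 Apr19 ?        01:12:55 java -Dcassandra.logdir=/var/log/cassandra org.apache.cassandra.service.CassandraDaemon
root     11418     1  0 Apr19 ?        00:00:10 java -jar cassandra-snapshot-to-s3fs.jar
root     31002 30990  0 12:01 pts/0    00:00:00 screen -S cassandra
root     31010 31001  0 12:01 pts/0    00:00:00 grep cassandra'

# A listing with no Cassandra process, to exercise the "down" branch.
SAMPLE_PS_DOWN='root         1     0  0 Apr19 ?        00:00:03 /sbin/init
root     31010 31001  0 12:01 pts/0    00:00:00 grep cassandra'

# The thread's pipeline, fed from a string instead of a live `ps -ef`.
# -i makes the exclusion patterns case-insensitive; the screen and s3fs
# exclusions drop the two other lines that mention cassandra.
extract_pid() {
  printf '%s\n' "$1" \
    | grep cassandra | grep -v grep \
    | grep -i -v -e grep -e screen -e s3fs \
    | awk '{print $2}'
}

# The original test. -e asks "does a file named $1 exist?", so a pid such
# as 26979 is reported "down" unless a file called 26979 happens to exist
# in the current directory. bash's [[ -e $pid ]] behaves the same way.
status_with_e() {
  if [ -e "$1" ]; then echo up; else echo down; fi
}

# The fix from the thread. -n asks "is the string non-empty?", which is
# what the script meant; an empty pid (no process matched) is "down".
status_with_n() {
  if [ -n "$1" ]; then echo up; else echo down; fi
}

# The corrected check, given a ps listing as its argument.
cassandra_status() {
  pid=$(extract_pid "$1")
  if [ -n "$pid" ]; then
    echo "Cassandra is running with pid: $pid"
  else
    echo "Cassandra is DOWN!!!"
  fi
}

cassandra_status "$SAMPLE_PS"        # Cassandra is running with pid: 26979
cassandra_status "$SAMPLE_PS_DOWN"   # Cassandra is DOWN!!!
```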
Re: [CentOS] bash script fails conditional test
It's a matter of consistency. The script began #!/bin/bash and so a direct shell invocation should _also_ use the same command.

Good point. I'll try to keep that in mind.

Thank you,
Tim

On Sun, Apr 19, 2015 at 10:04 PM, Stephen Harris li...@spuddy.org wrote:

On Sun, Apr 19, 2015 at 09:00:06PM -0500, Chris Adams wrote:

Once upon a time, Stephen Harris li...@spuddy.org said:

You should use bash -x (bash and not sh because sh may not be bash everywhere; eg Ubuntu; -x and not +x because -x means turn on debug but +x means turn _off_ debug)

Unless you have specific bashisms (which I don't think the original did, and you should mostly avoid in scripts), sh -x will be fine.

It's a matter of consistency. The script began #!/bin/bash and so a direct shell invocation should _also_ use the same command.

--
rgds
Stephen
Re: [CentOS] bash script fails conditional test
You can probably replace that with a much cleaner pid=$(pidof cassandra).

Good to know! I hadn't heard of pidof before. However this is what I get when I run it:

[root@web1:~] #pidof cassandra
[root@web1:~] #

Returns nothing. However:

[root@web1:~] #pidof java
27210 11418 10852

Gives me a few pids. Only one of which belongs to cassandra, as I have a few java processes running. I still find that my little script isolates exactly the pid of cassandra that I would need to shutdown.

[root@web1:~] #check-cass.sh
Cassandra is running with pid: 27210

I really need to turn this into an init script. Which I probably will. But this is just for a hobby project, and I'm a little too lazy to do it this weekend. Maybe next weekend.

Thanks,
Tim

On Sun, Apr 19, 2015 at 9:58 PM, Chris Adams li...@cmadams.net wrote:

Once upon a time, Tim Dunphy bluethu...@gmail.com said:

pid=$(ps -ef | grep cassandra | grep -v grep | grep -i -v -e grep -e screen -e s3fs|awk '{print $2}')

You can probably replace that with a much cleaner pid=$(pidof cassandra).

--
Chris Adams li...@cmadams.net
[CentOS] mounted NFS does not show in df -h
Hey guys,

This is kind of odd, so I wanted to do a sanity check. I mounted an NFS share like so:

[root@web1:~] #mount -t nfs nfs1.jokefire.com:/home /mnt/home

Seemed to go ok. Then I took a look at the output of df -h and didn't see it!

[root@web1:~] #df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/vda                     40G   24G   14G  64% /
devtmpfs                    996M     0  996M   0% /dev
tmpfs                      1001M     0 1001M   0% /dev/shm
tmpfs                      1001M  101M  901M  11% /run
tmpfs                      1001M     0 1001M   0% /sys/fs/cgroup
s3fs                        256T     0  256T   0% /backup/cassandradb
s3fs                        256T     0  256T   0% /backup/mysql
nfs1.jokefire.com:/var/www   20G  3.1G   16G  17% /var/www

Yet, when I do a df -h on the directory I mounted the NFS share on, I see that it's mounted via NFS as expected:

[root@web1:~] #df -h /mnt/home
Filesystem               Size  Used Avail Use% Mounted on
nfs1.jokefire.com:/home   20G  3.1G   16G  17% /mnt/home

So, what do you think could be happening? Why is it that I can't see the output I'm expecting just by going df -h???

Thanks!!
Tim