Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-22 Thread Tony Mountifield
In article <8dc3d2af-a7b0-d54f-85b4-fbdbc49b3...@gmail.com>,
Gordon Messmer  wrote:
> On 2/19/21 12:37 AM, Mathieu Baudier wrote:
> >- Curl error (7): Couldn't connect to server for
> > http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> > [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> 
> 
> It's unusual to see EPERM on a call to connect()... The man page 
> suggests that this can be caused by a local firewall rule or an SELinux 
> policy.
> 
> https://man7.org/linux/man-pages/man2/connect.2.html
> 
> "yum" and "wget" should be running in an unconfined domain, so SELinux 
> is *probably* not the cause.  I'd take a look at the output of "iptables 
> -L OUTPUT" first.  I've tried creating local firewall rules that I'd 
> expect to result in EPERM, but they do not, so I'm not sure what such a 
> rule looks like.

Of course, SELinux can be confirmed or ruled out by doing "setenforce 0"
and then trying the operation again.

Then "setenforce 1" again afterwards, of course.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
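
An added example, not part of any poster's message: the replies above hinge on whether connect() fails with a permission error (which connect(2) attributes to a local firewall rule or an SELinux policy) or with an ordinary network error. The sketch below probes every resolved address and sorts the errno into those two cases; the function names `classify`, `probe` and `next_step` are hypothetical, and the hostname is the one from the thread.

```python
import errno
import socket
# connect(2) documents EACCES/EPERM as denials by a local firewall rule or
# an SELinux policy; the other errno values are ordinary network failures.
VERDICTS = {
    0: "connected",
    errno.EACCES: "policy-denied",
    errno.EPERM: "policy-denied",
    errno.ECONNREFUSED: "refused",
    errno.ENETUNREACH: "unreachable",
    errno.EHOSTUNREACH: "unreachable",
    errno.ETIMEDOUT: "timeout",
}

def classify(err):
    """Map an errno from connect() to a coarse troubleshooting verdict."""
    return VERDICTS.get(err, "other")

def probe(host, port, family=socket.AF_UNSPEC, timeout=5.0):
    """TCP-connect to every resolved address; return (addr, errno, verdict)."""
    results = []
    for fam, kind, proto, _, sockaddr in socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM):
        with socket.socket(fam, kind, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                err = 0
            except socket.timeout:
                err = errno.ETIMEDOUT
            except OSError as e:
                err = e.errno or -1
        results.append((sockaddr[0], err, classify(err)))
    return results

def next_step(results):
    """Suggest where to look, based on the verdicts for all addresses."""
    verdicts = {v for _, _, v in results}
    if "connected" in verdicts:
        return "at least one address works: compare per-address results"
    if verdicts == {"policy-denied"}:
        return "every address denied: check firewall rules and SELinux"
    return "network-level failure: check routing, DNS and remote service"

if __name__ == "__main__":
    res = probe("mirrorlist.centos.org", 80, socket.AF_INET6)
    for addr, err, verdict in res:
        print(f"{addr}: errno={err} ({errno.errorcode.get(err, '?')}) {verdict}")
    print(next_step(res))
```

Run it once as-is and once after the "setenforce 0" / "setenforce 1" toggle described above; if the verdict stays "policy-denied" with SELinux permissive, the firewall rules are the remaining suspect.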


Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-20 Thread Gordon Messmer

On 2/19/21 12:37 AM, Mathieu Baudier wrote:
>    - Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

It's unusual to see EPERM on a call to connect()... The man page 
suggests that this can be caused by a local firewall rule or an SELinux 
policy.

https://man7.org/linux/man-pages/man2/connect.2.html

"yum" and "wget" should be running in an unconfined domain, so SELinux 
is *probably* not the cause.  I'd take a look at the output of "iptables 
-L OUTPUT" first.  I've tried creating local firewall rules that I'd 
expect to result in EPERM, but they do not, so I'm not sure what such a 
rule looks like.




Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-19 Thread Stephen John Smoogen
On Fri, 19 Feb 2021 at 09:47, Simon Matter  wrote:

> > On Fri, 19 Feb 2021, Mathieu Baudier wrote:
> >
> >> Hello,
> >>
> >> On a remote server (in an IPv6-only infrastructure) I am getting the
> >> following error when trying to update CentOS 8 Streams x86_64:
> >>
> >> $ sudo dnf upgrade --refresh
> >> Failed to set locale, defaulting to C.UTF-8
> >> CentOS Stream 8 - AppStream
> >>
> >>   0.0  B/s |   0  B 00:16
> >> Errors during downloading metadata for repository 'appstream':
> >>  - Curl error (7): Couldn't connect to server for
> >> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> >> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> >> Error: Failed to download metadata for repo 'appstream': Cannot prepare
> >> internal mirrorlist: Curl error (7): Couldn't connect to server for
> >> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> >> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> >
> > Try using an https:// URL.
>
> Are you sure? At least from here over IPv4, http works well but https
> doesn't work at all. Sounds strange if http would work only over IPv4 and
> https would work only over IPv6.
>
>
It wouldn't work anyway because CentOS mirrors do not have https. I tried
this from my home system
```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -v6 "https://[${i}]/?release=8-stream=x86_64=AppStream=stock"; done
*   Trying 2001:4178:5:200::10:443...
* connect to 2001:4178:5:200::10 port 443 failed: Permission denied
* Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
*   Trying 2600:1f16:c1:5e01:4180:6610:5482:c1c0:443...
* connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443 failed: Permission denied
* Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
*   Trying 2604:1380:2001:d00::3:443...
* connect to 2604:1380:2001:d00::3 port 443 failed: Permission denied
* Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
*   Trying 2604:1580:fe02:2::10:443...
* connect to 2604:1580:fe02:2::10 port 443 failed: Permission denied
* Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
*   Trying 2604:1380:1001:6c00::1:443...
* connect to 2604:1380:1001:6c00::1 port 443 failed: Permission denied
* Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Removing the -v gives the following error:
```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -6 "https://[${i}]/?release=8-stream=x86_64=AppStream=stock"; done
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Notice that the permission denied is different from what was reported in
the original email. I am not sure why that is.

If I change that from https: to http all of the IP addresses work. So my
guess is that something is blocking the originator IP to those mirror
servers but it isn't clear what.


-- 
Stephen J Smoogen.


Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-19 Thread Simon Matter
> On Fri, 19 Feb 2021, Mathieu Baudier wrote:
>
>> Hello,
>>
>> On a remote server (in an IPv6-only infrastructure) I am getting the
>> following error when trying to update CentOS 8 Streams x86_64:
>>
>> $ sudo dnf upgrade --refresh
>> Failed to set locale, defaulting to C.UTF-8
>> CentOS Stream 8 - AppStream
>>
>>   0.0  B/s |   0  B 00:16
>> Errors during downloading metadata for repository 'appstream':
>>  - Curl error (7): Couldn't connect to server for
>> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
>> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>> Error: Failed to download metadata for repo 'appstream': Cannot prepare
>> internal mirrorlist: Curl error (7): Couldn't connect to server for
>> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
>> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>
> Try using an https:// URL.

Are you sure? At least from here over IPv4, http works well but https
doesn't work at all. Sounds strange if http would work only over IPv4 and
https would work only over IPv6.

Simon



Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-19 Thread Paul Heinlein

On Fri, 19 Feb 2021, Mathieu Baudier wrote:

> Hello,
>
> On a remote server (in an IPv6-only infrastructure) I am getting the
> following error when trying to update CentOS 8 Streams x86_64:
>
> $ sudo dnf upgrade --refresh
> Failed to set locale, defaulting to C.UTF-8
> CentOS Stream 8 - AppStream
>
>   0.0  B/s |   0  B 00:16
> Errors during downloading metadata for repository 'appstream':
>  - Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> Error: Failed to download metadata for repo 'appstream': Cannot prepare
> internal mirrorlist: Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

Try using an https:// URL.

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


[CentOS] Permission denied when updating CentOS 8 Streams

2021-02-19 Thread Mathieu Baudier
Hello,

On a remote server (in an IPv6-only infrastructure) I am getting the
following error when trying to update CentOS 8 Streams x86_64:

$ sudo dnf upgrade --refresh
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream

   0.0  B/s |   0  B 00:16
Errors during downloading metadata for repository 'appstream':
  - Curl error (7): Couldn't connect to server for
http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
[Failed to connect to mirrorlist.centos.org port 80: Permission denied]
Error: Failed to download metadata for repo 'appstream': Cannot prepare
internal mirrorlist: Curl error (7): Couldn't connect to server for
http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
[Failed to connect to mirrorlist.centos.org port 80: Permission denied]

Trying to retrieve the mirror list with wget gives similar errors (see log
below).

This is a development VM and I was playing with firewalld zones on this
interface (drop, block, etc.) in order to see the most restrictive that I
could use in order to update a system. But the error also appears if I
switch back the zone to public.

Could it be that my address has been blacklisted because of all these tests?

From my laptop, also running CentOS 8 Streams, everything is working as
expected.

Thanks in advance for hints on how to analyze further!

Mathieu


## wget log

$ wget http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock

--2021-02-19 08:35:14--  http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
Resolving mirrorlist.centos.org (mirrorlist.centos.org)... 2001:4178:5:200::10, 2600:1f16:c1:5e01:4180:6610:5482:c1c0, 2604:1380:2001:d00::3, ...
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2001:4178:5:200::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2600:1f16:c1:5e01:4180:6610:5482:c1c0|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:2001:d00::3|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1580:fe02:2::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:1001:6c00::1|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2a05:d012:8b5:6503:9efb:5cad:348f:e826|:80... failed: Permission denied.