Re: [CentOS] set default permission to deployuser:deployuser for nfs common mount point /mnt/test
On 11/9/22 2:08 AM, Kaushal Shriyan wrote:
On Wed, Nov 9, 2022 at 3:26 PM Simon Matter wrote:
On Mon, Nov 7, 2022 at 8:50 AM Kaushal Shriyan

Thanks Emmett for the suggestion. I will keep you posted once it is done. Thanks in advance.

Hi Emmett,

I have a follow up question regarding permissions. I am running a php application hosted on the nginx version: nginx/1.22.0 using php74-fpm-7.4.32-1.el7.ius.x86_64 running on CentOS Linux release 7.9.2009 (Core). I have this folder /var/www/html/gsmaidp/web/sites/default/files folder which is owned by deployuser.

    *drwrwsrwx 25 deployuser deployuser 4096 Nov 9 08:23 files*

    #id deployuser
    uid=1001(deployuser) gid=1002(deployuser) groups=1002(deployuser),995(nginx),994(php-fpm)

    ps aux | grep php
    root     27692  0.0  0.0 473296 14648 ?  Ss  09:23  0:00 php-fpm: master process (/etc/php-fpm.conf)
    nginx    27693  0.0  0.1 475476 17980 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27694  0.0  0.1 475476 16440 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27695  0.0  0.1 475476 16412 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27696  0.0  0.1 475476 16420 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27697  0.0  0.1 475492 16428 ?  S   09:23  0:00 php-fpm: pool www

    ps aux | grep nginx
    root      3392  0.0  0.0  51264  1368 ?  Ss  Oct21  0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
    nginx     3393  0.0  0.0  52356  4380 ?  S   Oct21  0:51 nginx: worker process
    nginx     3394  0.0  0.0  52396  4648 ?  S   Oct21  1:45 nginx: worker process
    nginx     3395  0.0  0.0  52488  4648 ?  S   Oct21  5:38 nginx: worker process
    nginx     3396  0.0  0.0  52500  4652 ?  S   Oct21  8:32 nginx: worker process
    nginx    27693  0.0  0.1 475476 17980 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27694  0.0  0.1 475476 16440 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27695  0.0  0.1 475476 16412 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27696  0.0  0.1 475476 16420 ?  S   09:23  0:00 php-fpm: pool www
    nginx    27697  0.0  0.1 475492 16428 ?  S   09:23  0:00 php-fpm: pool www

Whenever any new files like images or pdf files or new subfolders created inside /var/www/html/gsmaidp/web/sites/default/files folder by the php application the files or subfolders have user and group ownership of nginx user.

Is there a way to have ownership of all new files and subfolders to deployuser created under /var/www/html/gsmaidp/web/sites/default/files. I set SETGID (SET Group ID) flag of chmod as per below but the file is still owned by nginx user.

    #cd /var/www/html/gsmaidp/web/sites/default/
    #chmod g+s files

also do

    chmod 2775 files

then, create a file in files/ as user nginx, it should then be owned by nginx:deployuser

I think you can not set owner this way, only the group.

I also tried the ACL method but the new files and subfolders are still owned by nginx user.

    #setfacl -Rdm u:deployuser:rwx,g:deployuser:rwx,o::rwx files
    #setfacl -Rm u:deployuser:rwx,g:deployuser:rwx,o::rwx files

I guess fiddling with ACLs just makes it more complicated :)

Regards,
Simon

Thanks Simon for the email response. Is there a way to have consistent deployuser (user and group ownership) on new files and subfolders created inside files directory?

    cd /var/www/html/gsmaidp/web/sites/default/files/
    #ls -l image15.png
    -rw-rw-r--+ 1 nginx deployuser 387071 Nov 9 08:27 image15.png

to

    #ls -l image15.png
    -rw-rw-r--+ 1 deployuser deployuser 387071 Nov 9 08:27 image15.png

Apologies for bugging. Please suggest further. Thanks in advance

Best Regards,
Kaushal

It is not clear to me what you are asking, however I can tell you that when the GID bit is set on a directory, every new directory created in that directory will be set to the GID of that directory. So if nginx is the group assigned to a directory, then every new directory under that directory will be assigned to the nginx group.

Setting the umask to 002 will cause group write permissions for any file or directory created, instead of only user write as the default umask of 022 would cause.

Emmett
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] set default permission to deployuser:deployuser for nfs common mount point /mnt/test
On 11/5/22 9:18 AM, Kaushal Shriyan wrote:

Hi,

I am running two GCP GCE VM instances running CentOS Linux release 7.9.2009 (Core) behind https load balancer. I am using https://cloud.google.com/filestore#documentation to mount the nfs server common mount point to both client servers.

    #mount 10.0.0.2:/vol1 /mnt/test

I did chown -Rc deployuser:deployuser (user:group) /mnt/test. When the php code uploads any file to the /mnt/test folder, the file permission is owned by php-fpm:php-fpm (user:group)

Please guide and let me know how to set it to the default permissions of deployuser:deployuser (user:group) for all files and folders created in nfs server common point /mnt/test. Thanks in advance.

Best Regards,
Kaushal

Easiest (and possibly the only) way is to set GID bit on /mnt/test -

    chmod g+swx /mnt/test

Then configure systemd to set the umask for apache and php-fpm. Create a file named umask.conf and add this to it:

    [Service]
    UMask=002

Then copy that file to:

    /etc/systemd/system/httpd.service.d/umask.conf
    /etc/systemd/system/php-fpm.service.d/umask.conf

You may have to create the two .service.d directories. Then run "systemctl daemon-reload" and restart apache and php-fpm.

I use the Remi repo to allow using different PHP versions and so also added that file to:

    /etc/systemd/system/php74-php-fpm.service.d/umask.conf
    /etc/systemd/system/php80-php-fpm.service.d/umask.conf

Emmett
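
What the setgid bit and the umask each contribute can be checked in a scratch directory before /mnt/test is changed. The script below is an added example, not part of the original message; the function name probe_modes and the scratch paths are assumptions made for illustration, and it relies on GNU stat as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a scratch setgid directory,
# then creates a file and a subdirectory in it under the given umask and
# reports which modes and ownership they received.
# Assumes GNU coreutils (stat -c), as shipped on CentOS.

# probe_modes UMASK
#   prints "FILE_MODE DIR_MODE GROUP_INHERITED OWNER_IS_CREATOR"
probe_modes() {
    mask=$1
    scratch=$(mktemp -d) || return 1
    top="$scratch/shared"
    mkdir "$top" || return 1

    # If the current user has a secondary group, hand the directory to it so
    # group inheritance is visible (a stand-in for the deployuser group).
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            chgrp "$g" "$top" 2>/dev/null && break
        fi
    done

    chmod 2775 "$top"              # rwxrwsr-x: setgid plus group write

    (
        umask "$mask"
        : > "$top/upload.png"      # what the PHP worker does on an upload
        mkdir "$top/subdir"
    )

    file_mode=$(stat -c '%a' "$top/upload.png")
    dir_mode=$(stat -c '%a' "$top/subdir")

    # The group comes from the parent directory because of the setgid bit ...
    dir_gid=$(stat -c '%g' "$top")
    if [ "$(stat -c '%g' "$top/upload.png")" = "$dir_gid" ] &&
       [ "$(stat -c '%g' "$top/subdir")" = "$dir_gid" ]; then
        group_inherited=yes
    else
        group_inherited=no
    fi

    # ... but the owner is always the UID of the creating process.
    if [ "$(stat -c '%u' "$top/upload.png")" = "$(id -u)" ]; then
        owner_is_creator=yes
    else
        owner_is_creator=no
    fi

    rm -rf "$scratch"
    echo "$file_mode $dir_mode $group_inherited $owner_is_creator"
}

probe_modes 022    # default service umask: the group cannot write
probe_modes 002    # UMask=002 from the drop-in: the group can write
```

The subdirectory keeps the setgid bit in both runs, so the group carries down the tree; only the umask decides whether that group can write, and no setting on the directory changes the owner.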
[CentOS] session-*.scope: Succeeded. messages in log
I am seeing a "Mar 10 07:20:01 avm4 systemd[1]: session-66528.scope: Succeeded." message in the log that happens once each minute, of course with different session number values. What is causing this and how can I stop them?

    Linux avm4.mydomain.com 4.18.0-358.el8.x86_64 #1 SMP Mon Jan 10 13:11:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    CentOS Stream 8

I could cause logwatch to ignore them, but I would like to understand why three of my servers are producing these unnecessary log entries.

Emmett
Re: [CentOS] kmod removal [solved]
On 5/29/21 10:08 AM, Emmett Culley via CentOS wrote:
On 5/29/21 9:29 AM, Frank Cox wrote:
On Sat, 29 May 2021 09:19:03 -0700 Emmett Culley via CentOS wrote:

Seems there is no such package. I believe because it gets built newly each time a new kernel is installed.

What did you do (exactly) when you installed kmod-wl in the first place? Did the rpm have a name? What was that name?

If you're not sure, then what is the output from:

    rpm -qa | grep kmod

    [root@ws1 etc]# rpm -qa | grep kmod
    kmod-27-3.fc33.x86_64
    akmods-0.5.6-26.fc33.noarch
    kmod-libs-27-3.fc33.x86_64
    kmodtool-1-41.fc33.noarch
    akmod-wl-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.11.19-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.12.5-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.12.6-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64

I probably did this when installing. It has been a while.

    [root@ws1 etc]# dnf install kmod-wl
    Last metadata expiration check: 1:16:38 ago on Sat 29 May 2021 08:42:33 AM PDT.
    Dependencies resolved.
    ===
     Package   Architecture   Version                Repository                  Size
    ===
    Installing:
     kmod-wl   x86_64         6.30.223.271-36.fc33   rpmfusion-nonfree-updates   10 k

    Transaction Summary
    ===
    Install  1 Package

I see that it is installing kmod-wl for the last kernel that would be installed if I did an update.

    [root@ws1 etc]# dnf update --allowerasing --nobest
    Last metadata expiration check: 1:21:41 ago on Sat 29 May 2021 08:42:33 AM PDT.
    Dependencies resolved.
    ===
     Package                Architecture   Version            Repository   Size
    ===
    Installing:
     kernel                 x86_64         5.12.7-200.fc33    updates      51 k
     kernel-core            x86_64         5.12.7-200.fc33    updates      34 M
     kernel-devel           x86_64         5.12.7-200.fc33    updates      14 M
     kernel-modules         x86_64         5.12.7-200.fc33    updates      31 M
     kernel-modules-extra   x86_64         5.12.7-200.fc33    updates      2.0 M
    Removing:
     kernel                 x86_64         5.11.19-200.fc33   @updates     0
     kernel-core            x86_64         5.11.19-200.fc33   @updates     74 M
     kernel-devel           x86_64         5.11.19-200.fc33   @updates     56 M
     kernel-modules         x86_64         5.11.19-200.fc33   @updates     30 M
     kernel-modules-extra   x86_64         5.11.19-200.fc33   @updates     1.9 M
    Removing dependent packages:
     kmod-wl-5.11.19-200.fc33.x86_64 x86_64
Re: [CentOS] kmod removal
On 5/29/21 9:29 AM, Frank Cox wrote:
On Sat, 29 May 2021 09:19:03 -0700 Emmett Culley via CentOS wrote:

Seems there is no such package. I believe because it gets built newly each time a new kernel is installed.

What did you do (exactly) when you installed kmod-wl in the first place? Did the rpm have a name? What was that name?

If you're not sure, then what is the output from:

    rpm -qa | grep kmod

    [root@ws1 etc]# rpm -qa | grep kmod
    kmod-27-3.fc33.x86_64
    akmods-0.5.6-26.fc33.noarch
    kmod-libs-27-3.fc33.x86_64
    kmodtool-1-41.fc33.noarch
    akmod-wl-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.11.19-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.12.5-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64
    kmod-wl-5.12.6-200.fc33.x86_64-6.30.223.271-36.fc33.x86_64

I probably did this when installing. It has been a while.

    [root@ws1 etc]# dnf install kmod-wl
    Last metadata expiration check: 1:16:38 ago on Sat 29 May 2021 08:42:33 AM PDT.
    Dependencies resolved.
    ===
     Package   Architecture   Version                Repository                  Size
    ===
    Installing:
     kmod-wl   x86_64         6.30.223.271-36.fc33   rpmfusion-nonfree-updates   10 k

    Transaction Summary
    ===
    Install  1 Package

I see that it is installing kmod-wl for the last kernel that would be installed if I did an update.

    [root@ws1 etc]# dnf update --allowerasing --nobest
    Last metadata expiration check: 1:21:41 ago on Sat 29 May 2021 08:42:33 AM PDT.
    Dependencies resolved.
    ===
     Package                Architecture   Version            Repository   Size
    ===
    Installing:
     kernel                 x86_64         5.12.7-200.fc33    updates      51 k
     kernel-core            x86_64         5.12.7-200.fc33    updates      34 M
     kernel-devel           x86_64         5.12.7-200.fc33    updates      14 M
     kernel-modules         x86_64         5.12.7-200.fc33    updates      31 M
     kernel-modules-extra   x86_64         5.12.7-200.fc33    updates      2.0 M
    Removing:
     kernel                 x86_64         5.11.19-200.fc33   @updates     0
     kernel-core            x86_64         5.11.19-200.fc33   @updates     74 M
     kernel-devel           x86_64         5.11.19-200.fc33   @updates     56 M
     kernel-modules         x86_64         5.11.19-200.fc33   @updates     30 M
     kernel-modules-extra   x86_64         5.11.19-200.fc33   @updates     1.9 M
    Removing dependent packages:
     kmod-wl-5.11.19-200.fc33.x86_64 x86_64 6.30.223.271-36.fc33 @@commandline
Re: [CentOS] kmod removal
On 5/29/21 8:06 AM, Phil Perry wrote:
On 29/05/2021 15:52, Emmett Culley via CentOS wrote:

Sometime ago I thought I needed kmod-wl to support a new wireless card. Turns out I didn't need to do that. Now I'd like to remove kmod entirely. But when I try I get this:

    [root@ws1 etc]# dnf remove kmod
    Error:
     Problem: The operation would result in removing the following protected packages: systemd-udev
    (try to add '--skip-broken' to skip uninstallable packages)

I am sure I don't want to remove systemd-udev, so I am at a loss.

I did disable akmods:

    systemctl disable akmods

But I still see that kmod-wl is built each time the kernel is updated.

Any suggestions where I can find out how to remove kmod? Note that searching the internet only brings me info on removing kmod-nvidia, and mostly on ubuntu, and they are no help because mostly what they discuss is how to get back to nouveau.

Even docs I've found that discuss how to install kmod on CentOS say nothing about removal.

Emmett

Try:

    dnf remove kmod-wl

which should do it for you.

the 'kmod' package is the package that provides the underlying kmod architecture. The kmod package providing the individual driver is (probably) called kmod-wl.

Hope that helps.

I tried that before:

    [root@ws1 etc]# dnf remove kmod-wl
    No match for argument: kmod-wl
    No packages marked for removal.
    Dependencies resolved.
    Nothing to do.
    Complete!

Seems there is no such package. I believe because it gets built newly each time a new kernel is installed.

Emmett
[CentOS] kmod removal
Sometime ago I thought I needed kmod-wl to support a new wireless card. Turns out I didn't need to do that. Now I'd like to remove kmod entirely. But when I try I get this:

    [root@ws1 etc]# dnf remove kmod
    Error:
     Problem: The operation would result in removing the following protected packages: systemd-udev
    (try to add '--skip-broken' to skip uninstallable packages)

I am sure I don't want to remove systemd-udev, so I am at a loss.

I did disable akmods:

    systemctl disable akmods

But I still see that kmod-wl is built each time the kernel is updated.

Any suggestions where I can find out how to remove kmod? Note that searching the internet only brings me info on removing kmod-nvidia, and mostly on ubuntu, and they are no help because mostly what they discuss is how to get back to nouveau.

Even docs I've found that discuss how to install kmod on CentOS say nothing about removal.

Emmett
[CentOS] pam_mysql
I am attempting to create a multiple domain email server using postfix and cyrus-imap on CentOS Stream 8. It will include a web back end similar to cyradm.

Now I am stuck on mysql or mariadb support for pam. I am not able to find a pam_mysql rpm that will install on CentOS 8. I have a previous version working on CentOS 7.

On CentOS 7 I am using pam_mysql 1:0.7-0.20.rc1.fc23 and all is working and has been for a number of years.

I found pam_mysql-0.8.1-0.6.fc32.x86_64.rpm, but when I attempt to install it, it says it needs libcrypt.so.1 and it appears CentOS Stream has libcrypt.so.2

Any pointers either where to find pam_mysql, or some other solutions, for CentOS Stream 8?

Note that I have epel-release installed and enabled, though epel-playground is disabled, and I am using Remi's repos to install php 7.4.
Re: [CentOS] Apache umask
On 7/21/20 12:22 PM, Emmett Culley via CentOS wrote:
On 7/21/20 9:59 AM, Simon Matter wrote:
On 7/19/20 10:41 PM, Simon Matter via CentOS wrote:
On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:

I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference.

Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

I had a couple sideline emails with Emmett about suexec possibly being the culprit. TL;DR: that's not it.

The apache suexec utility can enforce a umask (typically 022) on CGI and SSI (server-side includes). Taking a look at the source in support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it will set the umask; else there is no umask change. AP_SUEXEC_UMASK is set via ./configure with --with-suexec-umask.

In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the httpd.spec for ./configure with suexec-related configuration flags are notably absent of --with-suexec-umask. I also did a prep of the sources and no patches modify the suexec sources in this way.

I may have missed something but it seems to work in my test:

    # grep -i umask /proc/<PID>/status
    Umask: 0022
    # cat /etc/systemd/system/httpd.service.d/override.conf
    [Service]
    UMask=0002
    # systemctl edit httpd.service
    < enter override config >
    # grep -i umask /proc/<PID>/status
    Umask: 0002

That's what you are looking for, isn't it? I didn't test to write files but at least the umask on the process is set as it seems.

Regards,
Simon

How can I find the value for <PID>?

Emmett

With <PID> I meant the processes running httpd. Try this:

    ps faxu | grep http[d]

This will give you the list of PIDs and the UID running it. First PID is usually run by root and the children are run by user apache.

Regards,
Simon

That's what I thought, but didn't see any results. I may have had apache stopped because of systemd errors. I did it just now and saw six threads and each show a umask of 0002. So it looks like the changes I made to systemd config made a difference after all.

Since I am still seeing that group write is not getting set it must be the application.

Thanks for helping me to see that.

Emmett

It turns out that apache's umask was getting set as requested via systemd. But still, files were created using 022 mask.

I found that by using the same umask.conf file, suggested by others, in the directory /etc/systemd/system/php-fpm.service.d, set the umask for php as well, and now files created by php apps have group write and setgid set if the directory it is writing is so configured.

umask.conf contains:

    [Service]
    UMask=002

Thanks to everyone that responded.

Emmett
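
A drop-in whose section or directive name is miscased is skipped by systemd, which from the outside looks exactly like a setting that "doesn't make any difference". The check below is an added example, not part of the original messages; the function names dropin_umask and proc_umask and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.

# dropin_umask FILE
#   Prints the UMask systemd would take from FILE as four octal digits, the
#   same format /proc/<PID>/status uses. Exit codes on failure:
#   1 = no UMask= in [Service], 2 = miscased section, 3 = miscased key,
#   4 = value is not a valid octal mode
dropin_umask() {
    awk '
        /^[ \t]*([#;].*)?$/ { next }              # blank lines and comments
        /^[ \t]*\[/ {                             # section header
            section = $0
            gsub(/^[ \t]+|[ \t]+$/, "", section)
            if (section != "[Service]" && tolower(section) == "[service]")
                bad_section = section
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) != "umask") next
            if (key != "UMask") { bad_key = key; next }
            if (section == "[Service]") { found = 1; value = val }  # last one wins
        }
        END {
            if (found) {
                if (value !~ /^[0-7]+$/ || length(value) > 4) {
                    print "invalid UMask value: " value > "/dev/stderr"
                    exit 4
                }
                while (length(value) < 4) value = "0" value
                print value
                exit 0
            }
            if (bad_section != "") {
                print "section " bad_section " should be [Service]" > "/dev/stderr"
                exit 2
            }
            if (bad_key != "") {
                print "key " bad_key " should be UMask" > "/dev/stderr"
                exit 3
            }
            print "no UMask= under [Service]" > "/dev/stderr"
            exit 1
        }
    ' "$1"
}

# proc_umask PID
#   Effective umask of a running process (needs the Umask: field in
#   /proc/<PID>/status, present on the CentOS 8 kernel used in the thread).
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample drop-ins (not files taken from the thread).
demo=$(mktemp -d)
printf '[Service]\nUMask=002\n' > "$demo/good.conf"
printf '[service]\nUMask=002\n' > "$demo/lower-section.conf"
printf '[Service]\numask=002\n' > "$demo/lower-key.conf"
for f in "$demo"/*.conf; do
    if v=$(dropin_umask "$f" 2>/dev/null); then
        echo "$(basename "$f"): UMask $v"
    else
        echo "$(basename "$f"): not applied (exit $?)"
    fi
done
rm -rf "$demo"
```

On a live host, compare the output of dropin_umask for the php-fpm drop-in with proc_umask for each worker PID after "systemctl daemon-reload" and a service restart.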
Re: [CentOS] Apache umask
On 7/21/20 9:59 AM, Simon Matter wrote:
On 7/19/20 10:41 PM, Simon Matter via CentOS wrote:
On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:

I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference.

Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

I had a couple sideline emails with Emmett about suexec possibly being the culprit. TL;DR: that's not it.

The apache suexec utility can enforce a umask (typically 022) on CGI and SSI (server-side includes). Taking a look at the source in support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it will set the umask; else there is no umask change. AP_SUEXEC_UMASK is set via ./configure with --with-suexec-umask.

In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the httpd.spec for ./configure with suexec-related configuration flags are notably absent of --with-suexec-umask. I also did a prep of the sources and no patches modify the suexec sources in this way.

I may have missed something but it seems to work in my test:

    # grep -i umask /proc/<PID>/status
    Umask: 0022
    # cat /etc/systemd/system/httpd.service.d/override.conf
    [Service]
    UMask=0002
    # systemctl edit httpd.service
    < enter override config >
    # grep -i umask /proc/<PID>/status
    Umask: 0002

That's what you are looking for, isn't it? I didn't test to write files but at least the umask on the process is set as it seems.

Regards,
Simon

How can I find the value for <PID>?

Emmett

With <PID> I meant the processes running httpd. Try this:

    ps faxu | grep http[d]

This will give you the list of PIDs and the UID running it. First PID is usually run by root and the children are run by user apache.

Regards,
Simon

That's what I thought, but didn't see any results. I may have had apache stopped because of systemd errors. I did it just now and saw six threads and each show a umask of 0002. So it looks like the changes I made to systemd config made a difference after all.

Since I am still seeing that group write is not getting set it must be the application.

Thanks for helping me to see that.

Emmett
Re: [CentOS] Apache umask
On 7/19/20 10:41 PM, Simon Matter via CentOS wrote:
On 7/13/20 6:40 PM, Emmett Culley via CentOS wrote:

I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference.

Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

I had a couple sideline emails with Emmett about suexec possibly being the culprit. TL;DR: that's not it.

The apache suexec utility can enforce a umask (typically 022) on CGI and SSI (server-side includes). Taking a look at the source in support/suexec.c, if compiled with AP_SUEXEC_UMASK set to some value, it will set the umask; else there is no umask change. AP_SUEXEC_UMASK is set via ./configure with --with-suexec-umask.

In CentOS 8 httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.src.rpm the httpd.spec for ./configure with suexec-related configuration flags are notably absent of --with-suexec-umask. I also did a prep of the sources and no patches modify the suexec sources in this way.

I may have missed something but it seems to work in my test:

    # grep -i umask /proc/<PID>/status
    Umask: 0022
    # cat /etc/systemd/system/httpd.service.d/override.conf
    [Service]
    UMask=0002
    # systemctl edit httpd.service
    < enter override config >
    # grep -i umask /proc/<PID>/status
    Umask: 0002

That's what you are looking for, isn't it? I didn't test to write files but at least the umask on the process is set as it seems.

Regards,
Simon

How can I find the value for <PID>?

Emmett
Re: [CentOS] Apache umask
On 7/15/20 12:21 PM, Leon Fauster via CentOS wrote:
On 15.07.20 at 20:02, Emmett Culley via CentOS wrote:
On 7/15/20 2:39 AM, Gianluca Cecchi wrote:
On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS <centos@centos.org> wrote:

Thanks for the info. I hadn't seen that before nor many of the links. I had seen the suggested systemd fix, but have never been able to get them to work. And I've tried many combinations. Still no luck.

There has to be a way to get this done.

Emmett

Hi, what is the original need? Could it be that you can accomplish the desired effect using ACL on particular directories/files?

Gianluca

Might could, but that seems like overkill for my purposes, as I don't use ACLs anywhere else.

I cannot be the only developer that needs apache created files to be managed by a group. The truth is some sites, like wordpress or joomla, can be better managed when a group member can read or write apache created files. Like via SFTP or local FTP.

Today, I have to make all files world writable to update joomla, and that could be better managed by allowing the owning group to access those files. In the case where the client manages the site, I have to log into the server and change the permissions every time they update the site. Or even to update most plugins.

This is best addressed in the application. For example in wordpress you can set

    define( 'FS_CHMOD_DIR', ( 0775 & ~ umask() ) );
    define( 'FS_CHMOD_FILE', ( 0664 & ~ umask() ) );

Wordpress sites are better, but even then, I still sometimes need to set and unset explicit file permissions depending on the plugins installed.

All this would not be an issue if apache created files with a umask of 002. One simple adjustment to the server to allow us to use normal Linux file permissions to manage files.

If I don't find a solution to this I guess I'll have to use your ACL suggestion. It is getting to be a pain to manage multiple sites in the current manner.

If the application is to dumpy then ACL is your solution. ACL has a default flag that allows setting permissions that get inherited. So that files in the future get the right permissions.

Surely someone knows how to force apache to use a umask of 002, other than building from source.

Not a best practice.

Can you suggest why allowing apache to create a file that is group writable in a directory that has the gid bit set, and owned by a group designated by the sysadmin, would be a "bad practice"?

Adding the FS_CHMOD* settings to an application is not always possible and should not be necessary given access to setting the UMASK for an application. The purpose of the UMASK is to allow server owners the ability to make that server perform best for their purposes.

Since no one seems to have an answer to setting the UMASK for apache then I'll have to use ACLs as others have suggested.

Emmett
Re: [CentOS] Apache umask
On 7/15/20 2:39 AM, Gianluca Cecchi wrote:
On Wed, Jul 15, 2020 at 2:39 AM Emmett Culley via CentOS <centos@centos.org> wrote:

Thanks for the info. I hadn't seen that before nor many of the links. I had seen the suggested systemd fix, but have never been able to get them to work. And I've tried many combinations. Still no luck.

There has to be a way to get this done.

Emmett

Hi, what is the original need? Could it be that you can accomplish the desired effect using ACL on particular directories/files?

Gianluca

Might could, but that seems like overkill for my purposes, as I don't use ACLs anywhere else.

I cannot be the only developer that needs apache created files to be managed by a group. The truth is some sites, like wordpress or joomla, can be better managed when a group member can read or write apache created files. Like via SFTP or local FTP.

Today, I have to make all files world writable to update joomla, and that could be better managed by allowing the owning group to access those files. In the case where the client manages the site, I have to log into the server and change the permissions every time they update the site. Or even to update most plugins.

Wordpress sites are better, but even then, I still sometimes need to set and unset explicit file permissions depending on the plugins installed.

All this would not be an issue if apache created files with a umask of 002. One simple adjustment to the server to allow us to use normal Linux file permissions to manage files.

If I don't find a solution to this I guess I'll have to use your ACL suggestion. It is getting to be a pain to manage multiple sites in the current manner.

Surely someone knows how to force apache to use a umask of 002, other than building from source.

Emmett
Re: [CentOS] Apache umask
On 7/13/20 4:21 PM, Phoenix, Merka wrote:

I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference.

Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

Any suggestion from this list would be appreciated.

Emmett

SystemD does have a directive for UMask in their "unit" scripts under the '[service]' section

See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=

and also: https://man7.org/linux/man-pages/man5/systemd.exec.5.html

Several posts on StackExchange indicate that the name of the directive 'UMask' is case-sensitive, so it must match the first two letters as UPPERcase, the remainder lowercase.

This posting at ServerFault provides the exact steps:
https://serverfault.com/questions/924960/how-to-set-umask-for-apache-on-amazon-linux-2-ami

Depending on how Apache httpd is called (for example, if there is a wrapper script called instead of an executable), there may be other players in the mix that would influence what the process ends up with for its umask.

Start first with how Apache httpd is called by SystemD, and trace it out to the binary (see if your script(s) call any other scripts).

Worst case, you could go the opposite route and have the unit script call a bash script instead of the executable directly, and the bash script can set umask right before it calls the httpd binary.

Cheers!
Simba Engineering

Thanks for the info. I hadn't seen that before nor many of the links. I had seen the suggested systemd fix, but have never been able to get them to work. And I've tried many combinations. Still no luck.

There has to be a way to get this done.

Emmett
[CentOS] Apache umask
I need to set the umask for apache to 002. I've tried every idea I've found on the internet, but nothing makes a difference.

Most suggest that I put "umask 002" in /etc/sysconfig/httpd, but that doesn't seem to make a difference.

Others suggest adding something to the httpd.service script for systemd. And that doesn't make any difference.

Any suggestion from this list would be appreciated.

Emmett
Re: [CentOS] update failure
On 4/22/19 10:45 AM, Ulf Volmer wrote:
On 22.04.19 18:12, Emmett Culley via CentOS wrote:
On 4/21/19 10:15 AM, Ulf Volmer wrote:

    package-cleanup --dupes

will list the duplicate packages

    package-cleanup --cleandupes

will remove the dupes. If I remember correctly, you have to add --removenewestdupes to the second command.

That didn't seem to work. It did remove duplicates, however, I get the same error when running dnf update. Should I try it without the --removenewestdupes?

Is 'package-cleanup --dupes' still listing dupes? Sometimes some of them must be removed manually.

Best regards
Ulf

Turns out I should not have used the --removenewestdupes. When I attempted to remove a dupe, anytime I tried to remove the newest dnf would want to remove lots of non dupe dependencies. But removing only the older packages allowed me to remove each without any dependency issues.

Too bad I didn't try running it without remove newest before removing each manually as you suggested. Then I'd know for sure :-)

The upgrade succeeded after manually removing the older dupes.

Thanks for your suggestions.

Emmett
Re: [CentOS] update failure
On 4/21/19 10:15 AM, Ulf Volmer wrote:
On 21.04.19 16:14, Emmett Culley via CentOS wrote:

When I attempted to update a remote server via SSH last night the UPS on my local workstations failed, causing the SSH session to get dropped in the middle of the upgrade process. This morning I am not able to complete the update.

When it failed when I tried to run it again this morning I did the suggested things like "dnf clean all" and "rpm -rebuilddb", and I still get this after it downloads the packages again:

    Running transaction test
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: Transaction check error:
      file /usr/lib64/libz.so.1.2.7 from install of zlib-1.2.7-18.el7.x86_64 conflicts with file from package zlib-1.2.7-17.el7.x86_64

You have to cleanup duplicate packages. package-cleanup from yum-utils will do this job. Basically:

    package-cleanup --dupes

will list the duplicate packages

    package-cleanup --cleandupes

will remove the dupes. If I remember correctly, you have to add --removenewestdupes to the second command.

Best regards
Ulf

That didn't seem to work. It did remove duplicates, however, I get the same error when running dnf update. Should I try it without the --removenewestdupes?

Emmett
[CentOS] update failure
When I attempted to update a remote server via SSH last night the UPS on my local workstations failed, causing the SSH session to get dropped in the middle of the upgrade process. This morning I am not able to complete the update.

When it failed when I tried to run it again this morning I did the suggested things like "dnf clean all" and "rpm -rebuilddb", and I still get this after it downloads the packages again:

    Running transaction test
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'dnf clean packages'.
    Error: Transaction check error:
      file /usr/lib64/libz.so.1.2.7 from install of zlib-1.2.7-18.el7.x86_64 conflicts with file from package zlib-1.2.7-17.el7.x86_64
      file /usr/lib64/libpcre.so.1.2.0 from install of pcre-8.32-17.el7.x86_64 conflicts with file from package pcre-8.32-15.el7_2.1.x86_64
      file /usr/lib64/libpcre16.so.0.2.0 from install of pcre-8.32-17.el7.x86_64 conflicts with file from package pcre-8.32-15.el7_2.1.x86_64
      file /usr/lib64/libpcre32.so.0.0.0 from install of pcre-8.32-17.el7.x86_64 conflicts with file from package pcre-8.32-15.el7_2.1.x86_64
      file /usr/lib64/libpcrecpp.so.0.0.0 from install of pcre-8.32-17.el7.x86_64 conflicts with file from package pcre-8.32-15.el7_2.1.x86_64
      file /usr/lib64/libpcreposix.so.0.0.1 from install of pcre-8.32-17.el7.x86_64 conflicts with file from package pcre-8.32-15.el7_2.1.x86_64
      file /usr/lib64/libform.so.5.9 from install of ncurses-libs-5.9-14.20130511.el7_4.x86_64 conflicts with file from package ncurses-libs-5.9-13.20130511.el7.x86_64
      file /usr/lib64/libformw.so.5.9 from install of ncurses-libs-5.9-14.20130511.el7_4.x86_64 conflicts with file from package ncurses-libs-5.9-13.20130511.el7.x86_64

Plus many more lines of the same ilk. Then finally:

    Error Summary
    -

and nothing else.

How can I clean this up? Note that it had been a couple of months since I'd last done the update process. This server is running three VM's and so I am a bit hesitant to make another move without some advice.

Emmett
Re: [CentOS] firewalld
On 12/19/2017 03:37 PM, Louis Lagendijk wrote:
> On Tue, 2017-12-19 at 15:05 -0800, Emmett Culley wrote:
>> I have two VMs, both with firewalld installed. On one machine I see this in the IN_public chain:
>>
>> Chain IN_public (2 references)
>> pkts bytes target prot opt in out source destination
>> 81 3423 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
>> 81 3423 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
>> 81 3423 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
>> 79 3335 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>>
>> On the other I see:
>>
>> Chain IN_public (2 references)
>> pkts bytes target prot opt in out source destination
>> 101 4232 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
>> 101 4232 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
>> 101 4232 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
>> 184 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> As might be expected, pinging the first VM fails. That is the ping is rejected with:
>>
>> [emmett@ws1 ~]$ ping 96.92.106.4
>> PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
>> From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
>> From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
>>
>> And pinging the second works as expected.
>>
>> I've searched the firewalld configuration files in /usr/lib/firewalld and /etc/firewalld and can find no reference to any icmp rule. The two machines were cloned originally from the same VM. Why are they different?
>>
>> How can I remove the reject-with icmp rule using firewalld. I can remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ] 4" and I can then ping that machine. But of course the rule is returned whenever firewalld is restarted.
>>
>> Emmett
>
> What is the output of:
> firewall-cmd --list-all
> on the VMs?

That was the clue I needed. On the first machine:

  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ftp_passiv http ssh https ftps
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And the second:

  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ftp_passiv http ssh https ftps
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Changing the target to "default" instead of "%%REJECT%%" by setting the zone policy to default in firewalld-config fixed it. Not sure why that would be, but I am happy with the result.

Thanks!
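The comparison that settled this thread, as an added example that is not part of the original posts: it parses `firewall-cmd --list-all` output from two hosts and returns the settings that differ, so drift between cloned machines (here the zone target) stands out. The sample listings are constructed from the values quoted above; the `public (active)` header line, the tab-indented rich-rule continuation handling and all function names are assumptions.

```python
"""Diff two `firewall-cmd --list-all` listings to spot zone drift between hosts."""

# Constructed sample input, built from the values quoted in the thread.
# The "public (active)" header line is an assumption about the zone name.
VM1 = """\
public (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ftp_passiv http ssh https ftps
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
VM2 = VM1.replace("target: %%REJECT%%", "target: default")

# Settings whose value is an unordered list of tokens.
SET_VALUED = {"interfaces", "sources", "services", "ports", "protocols",
              "forward-ports", "source-ports", "icmp-blocks"}


def parse_zone(text):
    """Return (zone_name, {setting: raw_value}) for one zone listing."""
    zone, settings, last = None, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        body = raw.strip()
        if indent == 0:
            # Unindented line is the zone header, e.g. "public (active)".
            zone = body.split()[0]
        elif indent == 2 and raw.startswith("  ") and ":" in body:
            key, _, value = body.partition(":")
            last = key.strip()
            settings[last] = value.strip()
        elif last is not None:
            # Assumed: any other indentation continues the previous setting
            # (rich rules are listed one per line under "rich rules:").
            settings[last] = (settings[last] + "\n" + body).strip()
    return zone, settings


def normalise(key, value):
    """Make values comparable regardless of token or rule order."""
    if value is None:
        return None
    if key in SET_VALUED:
        return frozenset(value.split())
    if key == "rich rules":
        return frozenset(v for v in value.splitlines() if v)
    return value


def zone_drift(a_text, b_text):
    """Return {setting: (value_on_a, value_on_b)} for every differing setting."""
    _, a = parse_zone(a_text)
    _, b = parse_zone(b_text)
    drift = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)  # None when a host lacks the setting
        if normalise(key, va) != normalise(key, vb):
            drift[key] = (va, vb)
    return drift


def rejects_unmatched(settings):
    """True when the zone target is %%REJECT%%, the setting that went with the
    'Destination Host Prohibited' ping replies in this thread."""
    return settings.get("target") == "%%REJECT%%"


if __name__ == "__main__":
    for key, (first, second) in zone_drift(VM1, VM2).items():
        print(f"{key}: first host={first!r} second host={second!r}")
```
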
[CentOS] firewalld
I have two VMs, both with firewalld installed. On one machine I see this in the IN_public chain:

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
81 3423 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
79 3335 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

On the other I see:

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
101 4232 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
184 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

As might be expected, pinging the first VM fails. That is the ping is rejected with:

[emmett@ws1 ~]$ ping 96.92.106.4
PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
From 96.92.106.4 icmp_seq=2 Destination Host Prohibited

And pinging the second works as expected.

I've searched the firewalld configuration files in /usr/lib/firewalld and /etc/firewalld and can find no reference to any icmp rule. The two machines were cloned originally from the same VM. Why are they different?

How can I remove the reject-with icmp rule using firewalld. I can remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ] 4" and I can then ping that machine. But of course the rule is returned whenever firewalld is restarted.

Emmett
Re: [CentOS] firewall-config not functional
On 06/07/2016 01:46 PM, Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley <lst_man...@webengineer.com> wrote:
>>
>> I can see no use case for NetworkManager on our systems. All network connections are static.
>
> There are a couple reasons I still use NetworkManager on servers, but one big one is that the 'network' service runs once, on boot. If there is no network connection, your server's network connection will never come up until you log in at a console to fix it or reboot. With the speed of computers these days, our servers often boot up faster than the networking equipment after a power cut.
>
> --
> Jonathan Billings

As far as I know the network service, in most cases started by systemd, will not fail simply because the network an interface is connected to is not up. Unless, of course, the interface is set up to use DHCP.

Emmett
Re: [CentOS] firewall-config not functional
On 06/07/2016 05:05 AM, James Hogarth wrote:
> On 7 Jun 2016 12:44, "Emmett Culley" <lst_man...@webengineer.com> wrote:
>>
>> I have a number of machines (hardware and VMs) running CentOS 7. In all cases firewall-config is not functional.
>>
>> First, the service check boxes are not functional. When you click on one, it doesn't change to "checked", and nothing changes on the firewall. However you do see a "Changes applied"
>>
>> Sometimes, if you go to permanent mode and attempt to edit a zone, the whole desktop locks up as soon as you click on the default target dropdown.
>>
>> When I run firewall-config from the command line I see the following:
>>
>> --
>>
>> org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager was not provided by any .service files
>>
>> (firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos: assertion 'tree_view != NULL' failed
>>
>> --
>> with the second line repeating many times and often while attempting to interact with the GUI.
>>
>> We don't use NetworkManager except on laptops, and so do not install it. Though we do install NetworkManager-glib, if only because some packages require it.
>>
>> After seeing a similar bug on the RHEL I also installed NetworkManager-libnm, but that did not make a difference. That RHEL bug also mentioned this problem only occurs on KDE, and not Gnome. And we only install KDE when a GUI is required, or desired.
>>
>
> I'd suggest you install and test with NetworkManager
>
> Do note that the EL7 NM is a far cry from the one that shipped with EL6 and unless you specifically need a facility not exposed by NM it is strongly recommended you use it.
>
> Take a look at my article on nmcli - it's rather lovely to use now:
>
> https://www.hogarthuk.com/?q=node/8
>
> As for the firewall tool... don't use it ... it's horrible
>
> Either use firewall-cmd to configure at the CLI or switch to iptables and configure that as you did EL6

I actually like the firewall config tool as it provides easy, out of the box, management of servers that don't require complicated iptables rules. At least it was easy when it worked. For more complicated servers, like gateways, we use shorewall.

I can see no use case for NetworkManager on our systems. All network connections are static. The exception to that is a couple of laptops, and I agree that NetworkManager has gotten very handy in that single use case.

Making any application dependent on NetworkManager is just plain silly. Even requiring installation of the NetworkManager libs should not be required.

I suspect that this should probably be brought up with the KDE group as it seems to be a problem with how some GTK apps are working within the KDE environment.

Emmett
[CentOS] firewall-config not functional
I have a number of machines (hardware and VMs) running CentOS 7. In all cases firewall-config is not functional.

First, the service check boxes are not functional. When you click on one, it doesn't change to "checked", and nothing changes on the firewall. However you do see a "Changes applied"

Sometimes, if you go to permanent mode and attempt to edit a zone, the whole desktop locks up as soon as you click on the default target dropdown.

When I run firewall-config from the command line I see the following:

--
org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.NetworkManager was not provided by any .service files

(firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos: assertion 'tree_view != NULL' failed
--

with the second line repeating many times and often while attempting to interact with the GUI.

We don't use NetworkManager except on laptops, and so do not install it. Though we do install NetworkManager-glib, if only because some packages require it.

After seeing a similar bug on the RHEL I also installed NetworkManager-libnm, but that did not make a difference. That RHEL bug also mentioned this problem only occurs on KDE, and not Gnome. And we only install KDE when a GUI is required, or desired.

Emmett
[CentOS] Firewalld
Yesterday I noticed that I was not able to ping one of our development servers so I logged in via VNC and ran the Firewalld GUI.

To my surprise, except for the interface definition for public and trusted zones, nothing seemed to be configured. That is, none of the services were checked off that we want open at the firewall. Also, this server is a gateway and masquerading and forwarding appears to be off as well.

So it looks like the GUI is not correctly reading the firewalld configuration. I can find nothing in Google about this.

Emmett
Re: [CentOS] Firewalld
These machines have only had firewalld configured. Currently firewalld version 0.3.9-14.el7 is installed, and in this particular case, the server is fully up to date.

If I run iptables -nvL I see this for the first chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
766K 72M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
75 5514 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
79630 5463K INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
79630 5463K INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
79630 5463K INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
956 78983 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2792 142K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

So firewalld was definitely used to generate the rules in iptables. And indeed systemd starts it upon reboot. It looks like only the GUI has a problem reading the configuration. Note that the GUI does show that firewalld is connected.

There are other machines that have this same issue. Were there changes to config file locations, or permissions, as I know the GUI worked just fine until just recently.

Emmett

On 01/28/2016 11:58 AM, Gordon Messmer wrote:
> On 01/28/2016 11:26 AM, Emmett Culley wrote:
>> To my surprise, except for the interface definition for public and trusted zones, nothing seemed to be configured. That is, none of the services were checked off that we want open at the firewall. Also, this server is a gateway and masquerading and forwarding appears to be off as well.
>
> Firewalld doesn't read the iptables state of the system, it relies on its own representation of the desired configuration. You or another admin may have configured the iptables rules on that host using a service other than firewalld. For instance, you may have added rules to /etc/sysconfig/{iptables,ip6tables} and run the "iptables" service. In that case, firewalld would have no information about the rules that are present.
> Check there first, then decide if you want to continue supporting that configuration or migrate to firewalld.
Re: [CentOS] Bind fails to start after update from 7.1 to 7.2
On 01/06/2016 01:09 PM, Alexander Dalloz wrote:
> On 06.01.2016 at 00:21, Emmett Culley wrote:
>> On 01/05/2016 02:00 PM, Alexander Dalloz wrote:
>>> On 05.01.2016 at 22:03, Emmett Culley wrote:
>>>> I am seeing these lines for each domain in the systemd journal:
>>>>
>>>> zone relationship123.com/IN: loading from master file relationship123.com.db failed: file not found
>>>> zone relationship123.com/IN: not loaded due to errors.
>>>> _default/relationship123.com./IN: file not found
>>>
>>> here: relationship123.com
>> ??
>>
>>>> If I change the zone defs to include the full path:
>>>>
>>>> From
>>>>
>>>> zone "relationships123.com." IN {
>>>>     type master;
>>>>     file "relationships123.com.db";
>>>> };
>>>
>>> there: relationships123.com.db
>> ??
>
> Showing faked names?
>
> relationship123.com != relationships123.com
>
> Alexander

Ah, I was just being lazy.

Emmett
[CentOS] Bind fails to start after update from 7.1 to 7.2
I am seeing these lines for each domain in the systemd journal:

zone relationship123.com/IN: loading from master file relationship123.com.db failed: file not found
zone relationship123.com/IN: not loaded due to errors.
_default/relationship123.com./IN: file not found

If I change the zone defs to include the full path:

From

zone "relationships123.com." IN {
    type master;
    file "relationships123.com.db";
};

To

zone "relationships123.com." IN {
    type master;
    file "/var/named/chroot/var/named/relationships123.com.db";
};

in the config file, named starts, but then fails to provide DNS replies with the following error for each request:

general: error: zone relationships123.com/IN: loading from master file /var/named/chroot/var/named/relationships123.com.db failed: file not found
general: error: zone relationships123.com/IN: not loaded due to errors.

Nothing was changed in the named configuration prior to updating to 7.2

As usual I am using systemctl start named-chroot to start the server.

Any ideas?

Emmett
Re: [CentOS] Bind fails to start after update from 7.1 to 7.2 [SOLVED, sort of]
On 01/05/2016 01:03 PM, Emmett Culley wrote:
> I am seeing these lines for each domain in the systemd journal:
>
> zone relationship123.com/IN: loading from master file relationship123.com.db failed: file not found
> zone relationship123.com/IN: not loaded due to errors.
> _default/relationship123.com./IN: file not found
>
> If I change the zone defs to include the full path:
>
> From
>
> zone "relationships123.com." IN {
>     type master;
>     file "relationships123.com.db";
> };
>
> To
>
> zone "relationships123.com." IN {
>     type master;
>     file "/var/named/chroot/var/named/relationships123.com.db";
> };
>
> in the config file, named starts, but then fails to provide DNS replies with the following error for each request:
>
> general: error: zone relationships123.com/IN: loading from master file /var/named/chroot/var/named/relationships123.com.db failed: file not found
> general: error: zone relationships123.com/IN: not loaded due to errors.
>
> Nothing was changed in the named configuration prior to updating to 7.2
>
> As usual I am using systemctl start named-chroot to start the server.
>
> Any ideas?
>
> Emmett

I was able to get named to start and resolve DNS requests by creating two named.conf files. One in /etc/named.conf, that contains zone file definitions that included the absolute path to the zone file, like this:

zone "relationships123.com." IN {
    type master;
    file "/var/named/chroot/var/named/relationships123.com.db";
};

And another in /var/named/chroot/etc/named.conf that contains zone file definitions with only the zone file name (no path). Like this:

zone "relationships123.com." IN {
    type master;
    file "relationships123.com.db";
};

None of this makes sense to me as the previous configuration (that worked before upgrade to 7.2) used symbolic links in /etc to the files in /var/named/chroot/etc.

While trying to figure this out I found, from the documentation, that if the named.conf file does not exist in the chroot structure, a copy of the file in /etc is "copied" to be used by the running chrooted server.

Now, after updating to bind 9.9.4-29.el7_2.1 (CentOS 7.2) from bind 9.9.4-29.el7 (CentOS 7.1, latest) I have to use two separate files to get bind to initialize and run.

Any ideas why I seem to be the only one seeing this?

Emmett
Re: [CentOS] Bind fails to start after update from 7.1 to 7.2
On 01/05/2016 02:00 PM, Alexander Dalloz wrote:
> On 05.01.2016 at 22:03, Emmett Culley wrote:
>> I am seeing these lines for each domain in the systemd journal:
>>
>> zone relationship123.com/IN: loading from master file relationship123.com.db failed: file not found
>> zone relationship123.com/IN: not loaded due to errors.
>> _default/relationship123.com./IN: file not found
>
> here: relationship123.com

??

>
>> If I change the zone defs to include the full path:
>>
>> From
>>
>> zone "relationships123.com." IN {
>>     type master;
>>     file "relationships123.com.db";
>> };
>
> there: relationships123.com.db

??

>
> Looks to me like a typo in your configuration.
>
>> To
>>
>> zone "relationships123.com." IN {
>>     type master;
>>     file "/var/named/chroot/var/named/relationships123.com.db";
>> };
>
> That's not valid for the chrooted named as the path is relative to the chroot dir.

Yes, I was aware of that, and I only used an absolute path to see if that would get me past initialization. Which it did. However your comment made me think of possibly using /var/named/ to prepend the file name in the zone defs. But then got the following for each domain at startup:

zone relationships123.info/IN: loading from master file /var/named/relationships123.info.db failed: file not found
zone relationships123.info/IN: not loaded due to errors.
_default/relationships123.info./IN: file not found

>
>> in the config file, named starts, but then fails to provide DNS replies with the following error for each request:
>>
>> general: error: zone relationships123.com/IN: loading from master file /var/named/chroot/var/named/relationships123.com.db failed: file not found
>> general: error: zone relationships123.com/IN: not loaded due to errors.

Should have said this was sort of expected. I meant only to point out that during initialization the absolute path found the files to load, yet the server couldn't find them at runtime. I now see that even prepending the path from the /var/named/chroot directory won't allow initialization.

I had a similar problem with the slave server after updating to 7.2. It would not start unless I added the absolute path to the broadcast rDNS file. Then just now saw that it also initialized as you see below. I'll leave it this way as that is less likely to cause a problem, though I am not sure.

zone "255.in-addr.arpa." IN {
    type master;
    file "/var/named/named.broadcast";
    allow-update { none; };
};

What changed in bind?

>>
>> Nothing was changed in the named configuration prior to updating to 7.2
>>
>> As usual I am using systemctl start named-chroot to start the server.
>>
>> Any ideas?
>>
>> Emmett
>
> Alexander

Thanks for the reply

Emmett
Re: [CentOS] Bind fails to start after update from 7.1 to 7.2
On 01/05/2016 03:34 PM, David Nelson wrote:
> On Jan 5, 2016, at 1:03 PM, Emmett Culley <lst_man...@webengineer.com> wrote:
>>
>> I am seeing these lines for each domain in the systemd journal:
>>
>> zone relationship123.com/IN: loading from master file relationship123.com.db failed: file not found
>> zone relationship123.com/IN: not loaded due to errors.
>> _default/relationship123.com./IN: file not found
>
> [snip]
>
> Just a thought -- Could it have something to do with bad SELinux context for the file(s) in question? I know those kind of problems can cause errors that make it look like there are missing files or misconfigurations. I haven’t seen how that manifests when it comes to BIND, but it might be worth a look.

SELinux is disabled.
Re: [CentOS] Firewalld
On 10/12/2015 10:17 AM, Gordon Messmer wrote:
> On 10/11/2015 03:00 PM, Emmett Culley wrote:
>> I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files.
>
> Rather than paraphrasing, could you show the specific rules, chains, or policies you're talking about? A standard firewalld rule set has the INPUT policy set to ACCEPT, with a terminal REJECT rule. An INPUT_ZONES table will direct to an IN_public table, with log, deny, and accept rules.
>
> Typically, the only rule that references an interface is the one in INPUT_ZONES that "goto"s IN_public_allow. It is neither REJECT nor ACCEPT, so it's really hard to guess what you're seeing that you don't expect to see.

Contents of iptables INPUT_ZONE upon reboot

---
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target prot opt in out source destination
IN_public all -- eth0 * 0.0.0.0/0 0.0.0.0/0
IN_public all -- eth1 * 0.0.0.0/0 0.0.0.0/0
IN_public all -- + * 0.0.0.0/0 0.0.0.0/0
---

Contents of iptables INPUT_ZONE after running 'systemctl restart firewalld'

---
[root@dev2 ~]# iptables -nL INPUT_ZONES
Chain INPUT_ZONES (1 references)
target prot opt in out source destination
IN_trusted all -- eth1 * 0.0.0.0/0 0.0.0.0/0
IN_public all -- eth0 * 0.0.0.0/0 0.0.0.0/0
IN_public all -- + * 0.0.0.0/0 0.0.0.0/0
---

I expect to see the second output upon reboot.

Emmett
[CentOS] Firewalld
I just noticed that when rebooting a CentOS 7 server the firewall comes back up with both interfaces set to REJECT, instead of the eth1 interface set to ACCEPT as defined in 'permanent' firewalld configuration files. All servers are up to date.

By "just noticed" I mean that I finally investigated why a newly rebooted VM failed to allow NFS connections. Prior to doing that, I'd been stopping the firewall to get access, then restarting the firewall after setting the eth1 interface to ACCEPT. This time I took a look at iptables and found that eth1 was set to REJECT, before I stopped the firewall.

Because it was obvious that firewalld had been started by systemd by noticing the output of iptables -nvL had the same set of rules you can see when firewalld is restarted, except that after restart interface eth1 is set to ACCEPT. I assume there must be a different set of configuration files that are accessed upon reboot than those accessed upon firewalld restart.

Note that all CentOS 7 machines (VM and hardware) in our data center have this same issue.

Anyone know where and what those files are?

Emmett
Re: [CentOS] virt-install message regarding Spice and TLS
On 09/03/2015 06:53 AM, Mike - st257 wrote:
> On Wed, Sep 2, 2015 at 1:59 PM, Leonard den Ottolander <leon...@den.ottolander.nl> wrote:
>
>> Hello Mike,
>>
>> On Wed, 2015-09-02 at 13:05 -0400, Mike - st257 wrote:
>>> I've been through the virt-install manpage a few times now to no avail.
>>> What is wrong with my syntax here (seen below)?
>>
>>> ~]# virt-install --connect qemu:///system -n blahhost -r2048 --vcpus=4 --arch=x86_64 --video qxl --graphics spice,port=5931 --noautoconsole --os-type linux --accelerate --network=bridge:kickstart_br0 --hvm --disk path=/dev/vmdisks/fedora-test2,bus=virtio --cdrom /tmp/fedora.iso
>>
>
> To also reply to nevis2us:
> I have the Spice TLS config commented presently so it is not active (afaik). At one point I did try switching the value from 1 to 0 when I did have it uncommented.
>
>> See if adding tlsport=0 to the --graphics option fixes your problem?
>>
>> --graphics spice,port=5931,tlsport=0
>>
>
> I did try that before (though didn't note it in my first message).
>
> ERROR    Error in graphics device parameters: TLS port must be a number between 5900 and 65535, or -1 for auto allocation
>
> ~]# cat /etc/redhat-release
> CentOS release 6.7 (Final)
> ~]# yum info libvirt | egrep 'Name|Version|Release'
> Name: libvirt
> Version : 0.10.2
> Release : 54.el6
>
>> Compare
>> http://www.spice-space.org/page/Features/Xspice#--tls-port_0_required
>
> Any other thoughts? :-/
> I can't be the only person that wants to use Spice without TLS for some testing/labbing. ;-)
>
> Thanks!

I am also seeing this issue. I've managed it by checking auto for spice. This has the unfortunate issue that it is possible for a port to a particular VM to change from reboot to reboot. But it does allow the VM to start without problems.

We don't use, or need, TLS because these VMs are accessed only from the local network.

We are using CentOS seven for all VM hosts, and 90% of the guests are now on CentOS 7 as well.

Emmett
Re: [CentOS] vncserver on centos 7
On 04/06/2015 04:56 AM, Jerry Geis wrote:
> Is there a way to make vncserver on centos 7 to be read only?
> I want to allow someone to connect and see the screen- but not change it of course.
>
> Thanks,
>
> jerry

Add -AcceptPointerEvents=0 and -AcceptKeyEvents=0 to the vncserver commandline in vncserver@:#.service file, or on the Xvnc command line.

Emmett
Re: [CentOS] vncserver on CentOS 7
On 04/03/2015 12:11 PM, Jerry Geis wrote:
>> Is the port opened in the firewall?
>
> I stopped firewalld with systemctl stop firewalld
>
> Jerry
>
> On Fri, Apr 3, 2015 at 2:46 PM, Jerry Geis ge...@pagestation.com wrote:
>> I am trying to setup a centos 7.1 vncserver
>>
>> I cannot believe they went from a relatively easy process in 6 to the craziness that is 7.
>>
>> I did the following:
>>
>> yum install tigervnc-server
>> cp /lib/systemd/system/vncserver@.service /etc/systemd/system
>> systemctl daemon-reload
>> edit /etc/systemd.system/vncserver@.service and replace USER with myuser
>> su - myuser
>> run vncpassword to set password
>> systemctl enable vncserver@.
>>
>> Says it's enabled:
>>
>> systemctl list-unit-files | grep vnc
>> vncserver@.service enabled
>>
>> using another machine to connect gives error about nothing there.
>> netstat -tuln | grep 5900 gives nothing.
>>
>> What did I miss?
>>
>> Thanks,
>>
>> Jerry

You should:

cp /lib/systemd/system/vncserver@.service /lib/systemd/system/vncserver@:#.service

Where # is the vnc port 590# to open. Like /lib/systemd/system/vncserver@:4.service to start a vncserver on port 5904.

Then use `systemctl start vncserver@:4' to start that VNC server.

Remember to edit the /lib/systemd/system/vncserver@:4.service file's USER as you did before.

Emmett
Re: [CentOS] vncserver on CentOS 7
On 04/03/2015 01:39 PM, Jerry Geis wrote:
>> You should:
>>
>> cp /lib/systemd/system/vncserver@.service /lib/systemd/system/vncserver@:#.service
>>
>> Where # is the vnc port 590# to open. Like /lib/systemd/system/vncserver@:4.service to start a vncserver on port 5904.
>>
>> Then use `systemctl start vncserver@:4' to start that VNC server.
>>
>> Remember to edit the /lib/systemd/system/vncserver@:4.service file's USER as you did before.
>>
>> Emmett
>
> OK - I redid and used the name vncserver@:0.service
>
> Still not work - I then used 4 as in your example and it worked.
>
> How do I get port 5900 ?
>
> Thanks,
>
> jerry

Not sure why that didn't work. I've never used 0. You could add -rfbport 5900 to the vncserver parameters, or explicitly set the display value by replacing any %1 in the .service file with the display number preceded by a colon. e.g., ':0'.

Note that if you are hosting any kvm VMs, a running vm might be grabbing the 5900 port. Which could explain why the :0 file name didn't work.

Emmett
Re: [CentOS] Zone file not written to slave DNS server [SOLVED]
On 01/14/2015 04:46 AM, Tris Hoar wrote:
> On 14/01/2015 03:56, Emmett Culley wrote:
>> On 01/13/2015 12:10 PM, Mateusz Guz wrote:
>>> Have you found a solution? Did you allow master dns server to update the slave in /etc/named.conf ?
>>>
>>> -Original Message-
>>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
>>> Sent: Monday, January 12, 2015 7:02 AM
>>> To: centos@centos.org
>>> Subject: Re: [CentOS] Zone file not written to slave DNS server
>>>
>>> On 1/11/2015 9:28 PM, Emmett Culley wrote:
>>>> I have mostly succeeded in getting master and slave DNS servers operational. Mostly, because the zone file is not written when a zone is updated on the master server when the notify and transfer process happens.
>>>>
>>>> The slave DNS server gets the changes to the modified zone, but the slave zone file remains as before.
>>>>
>>>> I've found a few tutorials and lots of discussions, many of which talk about the slave's zone file getting written upon transfer, but none mention what configuration option would cause the slave's files to get updated.
>>>>
>>>> The master is on a CentOS 6 server and the slave is on a CentOS 7 machine.
>>>
>>> does the named service have write access to the slave directory ?
>>>
>>> chown named.named /path-to-named/slave
>>>
>>> oh, is your slave chrooted? are you looking in the right directory, eg, /var/named/chroot/var/named/slave ?
>>
>> I am seeing the following in the log:
>>
>> Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.792 general: info: zone mydomain.com/IN: Transfer started.
>> Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.885 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: connected using 66.208.208.151#40226
>> Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 general: info: zone mydomain.com/IN: transferred serial 112
>> Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: Transfer completed: 1 messages, 38 records, 898 bytes, 0.063 secs (14253 bytes/sec)
>> Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.949 notify: info: zone mydomain.com/IN: sending notifies (serial 112)
>>
>> Yet the slaves/mydomain.com.db file does not get updated. There must be an option I am not setting correctly.
>>
>> Slave config:
>>
>> Global:
>> options {
>>     allow-notify { mas.ter.IPa.ddr; };
>>     allow-transfer { mas.ter.IPa.ddr; };
>
> Neither of these are needed on slave servers.
>
>>     . . .
>> };
>>
>> Per zone:
>> zone mydomain.com. IN {
>>     type slave;
>>     file slaves/mydomain.com.db;
>>     masters { mas.ter.IPa.ddr; };
>> };
>>
>> Master config:
>>
>> Global:
>> options {
>>     allow-transfer { sla.ve.IP.net/28; 127.0.0.1; };
>>     also-notify { sla.ve.IPa.ddr; };
>
> This is not needed on the master server, unless the slave is not listed in the zone, or if the slave is on a different IP to the one defined in the zone (e.g. if the slave is behind a NAT and DNS lists its NAT IP)
>
>>     allow-update { none; };
>>     notify explicit;
>>     . . .
>> };
>>
>> I also tried it with allow-update set to slaves IP address, even though I was sure that option was about dynamic DNS, not zone transfer to a slave. Of course that didn't work either.
>>
>> Emmett
>
> You should check the permissions on the slaves folder to make sure named can write to it, also you should check if you have SElinux enabled, and if so check that the slaves folder is labelled as named_cache_t
>
> For example:
> [root@ns5 ~]# ll -Zd /var/named/slaves
> drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/slaves
> [root@ns5 ~]# ll -d /var/named/slaves
> drwxrwx---. 2 named named 4096 Jan 14 10:47 /var/named/slaves
>
> Tris

Turns out I was working in, and expecting updates to, directories under /var/named/chroot, but was starting named.service instead of named-chroot.service. After starting named-chroot.service I see that the slave files are getting updated as expected.

I also removed the allow-notify and allow-transfer options from the slave configuration (thanks Tris).

Now to work on DNSSEC.

Emmett
Re: [CentOS] Zone file not written to slave DNS server
On 01/13/2015 12:10 PM, Mateusz Guz wrote:

Have you found a solution? Did u allow master dns server to update the slave in /etc/named.conf ?

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
Sent: Monday, January 12, 2015 7:02 AM
To: centos@centos.org
Subject: Re: [CentOS] Zone file not written to slave DNS server

On 1/11/2015 9:28 PM, Emmett Culley wrote:

I have mostly succeeded in getting master and slave DNS servers operational. Mostly, because the zone file is not written when a zone is updated on the master server when the notify and transfer process happens. The slave DNS server gets the changes to the modified zone, but the slave zone file remains as before. I've found a few tutorials and lots of discussions, many of which talk about the slave's zone file getting written upon transfer, but none mention what configuration option would cause the slave's files to get updated. The master is on a CentOS 6 server and the slave is on a CentOS 7 machine.

does the named service have write access to the slave directory ? chown named.named /path-to-named/slave

oh, is your slave chrooted? are you looking in the right directory, eg, /var/named/chroot/var/named/slave ?

I am seeing the following in the log:

Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.792 general: info: zone mydomain.com/IN: Transfer started.
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.885 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: connected using 66.208.208.151#40226
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 general: info: zone mydomain.com/IN: transferred serial 112
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: Transfer completed: 1 messages, 38 records, 898 bytes, 0.063 secs (14253 bytes/sec)
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.949 notify: info: zone mydomain.com/IN: sending notifies (serial 112)

Yet the slaves/mydomain.com.db file does not get updated. There must be an option I am not setting correctly.

Slave config:

Global:
options {
    allow-notify { mas.ter.IPa.ddr; };
    allow-transfer { mas.ter.IPa.ddr; };
    . . .
};

Per zone:
zone "mydomain.com." IN {
    type slave;
    file "slaves/mydomain.com.db";
    masters { mas.ter.IPa.ddr; };
};

Master config:

Global:
options {
    allow-transfer { sla.ve.IP.net/28; 127.0.0.1; };
    also-notify { sla.ve.IPa.ddr; };
    allow-update { none; };
    notify explicit;
    . . .
};

I also tried it with allow-update set to slaves IP address, even though I was sure that option was about dynamic DNS, not zone transfer to a slave. Of course that didn't work either.

Emmett
[CentOS] Zone file not written to slave DNS server
I have mostly succeeded in getting master and slave DNS servers operational. Mostly, because the zone file is not written when a zone is updated on the master server when the notify and transfer process happens. The slave DNS server gets the changes to the modified zone, but the slave zone file remains as before. I've found a few tutorials and lots of discussions, many of which talk about the slave's zone file getting written upon transfer, but none mention what configuration option would cause the slave's files to get updated. The master is on a CentOS 6 server and the slave is on a CentOS 7 machine.

Any ideas?

Emmett
Re: [CentOS] VNCServer Startup Config
On 10/01/2014 02:17 PM, Igal @ getRailo.org wrote:

hi all, I've inherited a server with CentOS 6.4 the VNC Server starts up with the OS and its screen resolution is set to 800x600. I found that I can set the resolution by specifying the -geometry switch, but I can't find where the call to start the vncserver is set in order to change it. I know that it's not in /etc/xinetd.d (the only file there is rsync)

here are the contents of ~/.vnc/xstartup

#!/bin/sh
[ -r /etc/sysconfig/i18n ] && . /etc/sysconfig/i18n
export LANG
export SYSFONT
vncconfig -iconic &
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
OS=`uname -s`
if [ $OS = 'Linux' ]; then
  case $WINDOWMANAGER in
    *gnome*)
      if [ -e /etc/SuSE-release ]; then
        PATH=$PATH:/opt/gnome/bin
        export PATH
      fi
      ;;
  esac
fi
if [ -x /etc/X11/xinit/xinitrc ]; then
  exec /etc/X11/xinit/xinitrc
fi
if [ -f /etc/X11/xinit/xinitrc ]; then
  exec sh /etc/X11/xinit/xinitrc
fi
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

any thoughts? TIA

Look in /etc/sysconfig for vncservers. That file contains vnc server startup definitions. Once you have modified /etc/sysconfig/vncservers you can start and stop your vnc server(s) using ]# service vncserver start. To make it start automatically upon reboot, run ]# chkconfig vncserver on.

Emmett
Re: [CentOS] clamav
On 05/30/2014 02:59 PM, Les Mikesell wrote:
On Fri, May 30, 2014 at 4:14 PM, Emmett Culley lst_man...@webengineer.com wrote:

So I removed it all again and reinstalled from RPMforge. Now it all works as expected. I never should have switched from RPMforge to EPEL for these programs.

actually, IMHO, you should have switched. EPEL is much better maintained than RPMforge these days. the catch is, to do that switch cleanly, you would have had to completely uninstall the rpmforge version, disable rpmforge, THEN install the epel version

I did that, and still clam failed to filter mail. I do admit that I didn't delete all related files before installing from EPEL, And I do also feel that EPEL is the better choice, so I guess I'll do it all over again.

I don't think just installing the package makes it filter mail. If you want to really start from scratch you might try mimedefang to drive all your scanning/filtering, especially if you are running sendmail and can write some perl snippets to control it.

Sorry, I quit trying to get sendmail to do what I needed many years ago. I've found postfix to be much easier to configure and extend. I've put my system back to using rpmforge repo for clamd and amavisd-new and my email system is back to running flawlessly, We'll see what happens next time there is an update.

Emmett
Re: [CentOS] clamav
On 05/30/2014 04:41 PM, S.Tindall wrote:
On Fri, 2014-05-30 at 14:14 -0700, Emmett Culley wrote:
On 05/30/2014 10:46 AM, John R Pierce wrote:
On 5/30/2014 8:27 AM, Emmett Culley wrote:

So I removed it all again and reinstalled from RPMforge. Now it all works as expected. I never should have switched from RPMforge to EPEL for these programs.

actually, IMHO, you should have switched. EPEL is much better maintained than RPMforge these days. the catch is, to do that switch cleanly, you would have had to completely uninstall the rpmforge version, disable rpmforge, THEN install the epel version

I did that, and still clam failed to filter mail. I do admit that I didn't delete all related files before installing from EPEL, And I do also feel that EPEL is the better choice, so I guess I'll do it all over again.

Emmett

Way up in this thread, you mentioned updating amavisd-new from epel plus clam\* from epel. In addition to the user clamav vs clam issue, epel amavisd uses service clamd.amavisd, whereas the rpmforge amavisd uses service clamd.

# rpm -q amavisd-new clamd postgrey
amavisd-new-2.8.0-8.el6.noarch
clamd-0.98.3-1.el6.i686
postgrey-1.34-1.el6.noarch
# service clamd status
clamd is stopped
# service clamd.amavisd status
clamd.amavisd (pid 2860) is running...

The use of clamd.amavisd actually simplifies the setup since you don't need to add group amavis to clam.

# id clam
uid=493(clam) gid=493(clam) groups=493(clam)

Looking through my rpmforge epel conversion notes, the other significant issue was to find folders/files with owner:group clamav:clamav and chown to clam:clam. I think you already corrected that problem. There are also several differences in the default rpmforge vs epel amavisd.conf, but I don't think any would stop it from working. I converted 3 mail servers to epel amavisd/clam\* about a year ago and I think all conversion issues have been resolved, but you never know. :-)

Steve

Hmm. Since EPEL provided and installed clamd and amavisd-new packages without error, I assumed they were the correct packages. I'll leave my system to use RPMforge, at least until the next time I update those packages. Thanks for all the input.

Emmett
Re: [CentOS] clamav
On 05/30/2014 01:56 AM, Ljubomir Ljubojevic wrote:
On 05/30/2014 10:04 AM, Filip Bartmann wrote:
On Thu, 29 May 2014 21:53:53 -0700 Emmett Culley lst_man...@webengineer.com wrote:

Every time I update my system with clamav, it doesn't restart and freshclam no longer works, because of a permission issue on the log directory. Each time I update clamav I have to search the Internet to figure out what there is to do. That NEVER helps so I try different combinations on user and group in amavis-new and clamav configuration files, until I eventually get them both to work. I am getting clamav and amavisd update from the epel repo. What can I do to prevent this from happening?

I have same issue, and i have after each update change permissions of /var/log/clamav and /var/lib/clamav to amavis.amavis.

Filip Bartmann

It turns out that the EPEL version uses user 'clam' while the RPMforge version uses user clamav.

and

Now - i've removed all instances of Clam and any trace from /etc /var including users and groups and added the EPEL version afresh.

from: https://bugzilla.redhat.com/show_bug.cgi?id=794945

Internet search engines ARE your friend!

I first tried removing all of clamav and amavisd and reinstalling again from EPEL. That turned out to be worse as I could never get the permissions right for the /var/share/amavis/tmp directory. So I removed it all again and reinstalled from RPMforge. Now it all works as expected. I never should have switched from RPMforge to EPEL for these programs. Thanks for the bug report.

Emmett
Re: [CentOS] clamav
On 05/30/2014 01:56 AM, Ljubomir Ljubojevic wrote:
On 05/30/2014 10:04 AM, Filip Bartmann wrote:
On Thu, 29 May 2014 21:53:53 -0700 Emmett Culley lst_man...@webengineer.com wrote:

Every time I update my system with clamav, it doesn't restart and freshclam no longer works, because of a permission issue on the log directory. Each time I update clamav I have to search the Internet to figure out what there is to do. That NEVER helps so I try different combinations on user and group in amavis-new and clamav configuration files, until I eventually get them both to work. I am getting clamav and amavisd update from the epel repo. What can I do to prevent this from happening?

I have same issue, and i have after each update change permissions of /var/log/clamav and /var/lib/clamav to amavis.amavis.

Filip Bartmann

It turns out that the EPEL version uses user 'clam' while the RPMforge version uses user clamav.

and

Now - i've removed all instances of Clam and any trace from /etc /var including users and groups and added the EPEL version afresh.

from: https://bugzilla.redhat.com/show_bug.cgi?id=794945

Internet search engines ARE your friend!

I've been looking for that bug report for at least a couple of years. Thanks! I removed clamd, clamd and amavisd-new and all their parts, then re-installed from EPEL, then added some special rules from the old amavisd.conf file to the new. Now it all works as expected. And yes, clamd, clamav and amavisd-new were all originally installed from RPMforge.

Emmett
Re: [CentOS] clamav
On 05/30/2014 10:46 AM, John R Pierce wrote:
On 5/30/2014 8:27 AM, Emmett Culley wrote:

So I removed it all again and reinstalled from RPMforge. Now it all works as expected. I never should have switched from RPMforge to EPEL for these programs.

actually, IMHO, you should have switched. EPEL is much better maintained than RPMforge these days. the catch is, to do that switch cleanly, you would have had to completely uninstall the rpmforge version, disable rpmforge, THEN install the epel version

I did that, and still clam failed to filter mail. I do admit that I didn't delete all related files before installing from EPEL, And I do also feel that EPEL is the better choice, so I guess I'll do it all over again.

Emmett
[CentOS] clamav
Every time I update my system with clamav, it doesn't restart and freshclam no longer works, because of a permission issue on the log directory. Each time I update clamav I have to search the Internet to figure out what there is to do. That NEVER helps so I try different combinations on user and group in amavis-new and clamav configuration files, until I eventually get them both to work. I am getting clamav and amavisd update from the epel repo. What can I do to prevent this from happening?

Emmett
[CentOS] Policy kit issue on new install of 6.4
Twice I've done a fresh install of a Development machine. In both cases pkexec as a normal user always returns

Error executing command as another user: No authentication agent was found.

This keeps me from getting a root command line and prevents yumex from starting from the launcher. I've googled and found nothing except some references to installing virtual box. Checking the man pages for polkit was no help either. Since this only happens when I install the Development group I must assume that some package is missing, and I am at a loss as to where to look. Any clues?

Emmett
Re: [CentOS] Policy kit issue on new install of 6.4
On 03/19/2013 07:25 AM, m.r...@5-cent.us wrote:
Emmett Culley wrote:

Twice I've done a fresh install of a Development machine. In both cases pkexec as a normal user always returns

Error executing command as another user: No authentication agent was found.

This keeps me from getting a root command line and prevents yumex from starting from the launcher. I've googled and found nothing except some references to installing virtual box. Checking the man pages for polkit was no help either. Since this only happens when I install the Development group I must assume that some package is missing, and I am at a loss as to where to look. Any clues?

Completely unfamiliar with pkexec, but it sounds as though no authentication agent is running. Is something like ssh-agent running, and have you added credentials (e.g. ssh-add)?

mark

Kwallet is running and working as I get prompted, as expected, for my private key passwords when appropriate. I didn't know anything about pkexec either, until now. I only found out about it by googling for the error quoted above. I have, in the past, run into issues starting a root terminal from the launcher (KDE), but it has always returned to normal after a restart or re-login. This is the first time it has been persistent and consistent. All the searches seem to indicate that the polkit daemon is not configured correctly, but in no case are there any suggestions on how to configure it. I'll keep looking for documentation.

Emmett
Re: [CentOS] Policy kit issue on new install of 6.4
On 03/19/2013 07:48 AM, m.r...@5-cent.us wrote:
Emmett Culley wrote:
On 03/19/2013 07:25 AM, m.r...@5-cent.us wrote:
Emmett Culley wrote:

Twice I've done a fresh install of a Development machine. In both cases pkexec as a normal user always returns

Error executing command as another user: No authentication agent was found.

This keeps me from getting a root command line and prevents yumex from starting from the launcher. I've googled and found nothing except some references to installing virtual box. Checking the man pages for polkit was no help either. Since this only happens when I install the Development group I must assume that some package is missing, and I am at a loss as to where to look. Any clues?

Completely unfamiliar with pkexec, but it sounds as though no authentication agent is running. Is something like ssh-agent running, and have you added credentials (e.g. ssh-add)?

Kwallet is running and working as I get prompted, as expected, for my private key passwords when appropriate. I didn't know anything about pkexec either, until now. I only found out about it by googling for the error quoted above. I have, in the past, run into issues starting a root terminal from the launcher (KDE), but it has always returned to normal after a restart or re-login. This is the first time it has been persistent and consistent. All the searches seem to indicate that the polkit daemon is not configured correctly, but in no case are there any suggestions on how to configure it. I'll keep looking for documentation.

Have you read the man page? I just did, and I've got a really good guess as to why it says that: it appears to want to work like sudo - someotheruser

mark

It turns out that every machine I've updated to 6.4 works like this. Most of the others I only log into occasionally, and as root. I suppose it is possible that they were like this before I upgraded to 6.4. I'll have to build a 6.3 machine and find out.

Emmett
Re: [CentOS] Kernel panic after update to 6.4
On 03/14/2013 08:03 AM, Emmett Culley wrote:
On 03/12/2013 05:08 PM, Emmett Culley wrote:
On 03/12/2013 04:23 PM, lists-centos wrote:

Original Message
Date: Tuesday, March 12, 2013 04:05:28 PM -0700
From: Emmett Culley emm...@webengineer.com
To: centos@centos.org
Cc:
Subject: Re: [CentOS] Kernel panic after update to 6.4

On 03/12/2013 01:48 PM, Akemi Yagi wrote:
On Tue, Mar 12, 2013 at 1:41 PM, Emmett Culley emm...@webengineer.com wrote:

After successfully updating three CentOS 6.3 VM guests to 6.4 I decided to update the host as well. And it failed to boot.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

At the time of this writing, CentOS kernel 2.6.32-358.2.1.el6 is not out yet. Where did you get this one from ??? Did you build it yourself?

I figured out that in both failure cases the yum update was never completed as I had to run yum-complete-transaction on both. And doing that and re-installing the 358.0.1 had the same boot failures. Yesterday I did another update which installed the 358.2.1 kernel, which booted. So I guess I'll attempt to update the host machine. I don't know what happened, but it seems to be resolved.

Emmett

Yesterday I upgraded all of the guests (4) and the host to the 358.2.1 kernel. All of the VMs restarted fine, but the host has the same boot failure. But I have some new information that might make a difference.

First: When I first saw this issue on two machines, I had updated the machines to 6.4 while logged via VNC. Since both of the failures also had incomplete updates and required me to run yum-complete-transaction, I assumed that those yum update session failures were the reason for the boot failure. Because I assume the update caused the vncserver to reset, interrupting the yum update session. So this time I ran the updates via ssh. All went well, all updates completed, but the host fails to boot on the 358.2.1 kernel.

Here is the new information. When the host boots on the previous good kernel I see the simplified plymouth trail (the tri-color tape that runs along the bottom of the screen during boot). But when it boots from the bad kernels I see the fancy centos splash, with the spinning circle under the CentOS logo. In all cases, the VM guests all boot with the simplified splash. So I suppose that means that the new kernel installation is incorrectly detecting my video hardware. Can anybody suggest some changes I can make to the kernel parameters that could mitigate that mis-detection?

Emmett
Re: [CentOS] Kernel panic after update to 6.4
On 03/12/2013 05:08 PM, Emmett Culley wrote:
On 03/12/2013 04:23 PM, lists-centos wrote:

Original Message
Date: Tuesday, March 12, 2013 04:05:28 PM -0700
From: Emmett Culley emm...@webengineer.com
To: centos@centos.org
Cc:
Subject: Re: [CentOS] Kernel panic after update to 6.4

On 03/12/2013 01:48 PM, Akemi Yagi wrote:
On Tue, Mar 12, 2013 at 1:41 PM, Emmett Culley emm...@webengineer.com wrote:

After successfully updating three CentOS 6.3 VM guests to 6.4 I decided to update the host as well. And it failed to boot.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

At the time of this writing, CentOS kernel 2.6.32-358.2.1.el6 is not out yet. Where did you get this one from ??? Did you build it yourself?

I figured out that in both failure cases the yum update was never completed as I had to run yum-complete-transaction on both. And doing that and re-installing the 358.0.1 had the same boot failures. Yesterday I did another update which installed the 358.2.1 kernel, which booted. So I guess I'll attempt to update the host machine. I don't know what happened, but it seems to be resolved.

Emmett
[CentOS] Kernel panic after update to 6.4
After successfully updating three CentOS 6.3 VM guests to 6.4 I decided to update the host as well. And it failed to boot.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

Plus a call trace I couldn't see.

Luckily I was able to boot from the previous kernel and get my system back up. After booting to the previous kernel I removed the 358 kernel and all of its related module and devel packages using yum remove, then did yum update again, as I could only guess that the install somehow didn't complete. But it still fails to boot. Now the kernel panic has happened to a 6.3 VM guest I upgraded, now it isn't just the host hardware that is a problem. Has anyone else seen this? Any ideas where to start troubleshooting?

Emmett
Re: [CentOS] Kernel panic after update to 6.4
On 03/12/2013 01:48 PM, Akemi Yagi wrote:
On Tue, Mar 12, 2013 at 1:41 PM, Emmett Culley emm...@webengineer.com wrote:

After successfully updating three CentOS 6.3 VM guests to 6.4 I decided to update the host as well. And it failed to boot.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

At the time of this writing, CentOS kernel 2.6.32-358.2.1.el6 is not out yet. Where did you get this one from ??? Did you build it yourself?

Akemi

I did yum update --enablerepo=epel. I just checked and it appears that kernel was from the updates repo:

[~]# yum list kernel
Installed Packages
kernel.x86_64 2.6.32-279.9.1.el6 @updates
kernel.x86_64 2.6.32-279.14.1.el6 @updates
kernel.x86_64 2.6.32-279.19.1.el6 @updates
kernel.x86_64 2.6.32-279.22.1.el6 @updates
kernel.x86_64 2.6.32-358.0.1.el6 @updates

[~]# rpm -qa |grep kernel
abrt-addon-kerneloops-2.0.8-15.el6.centos.x86_64
kernel-2.6.32-279.19.1.el6.x86_64
dracut-kernel-004-303.el6.noarch
kernel-devel-2.6.32-279.14.1.el6.x86_64
kernel-2.6.32-279.14.1.el6.x86_64
kernel-devel-2.6.32-279.22.1.el6.x86_64
kernel-headers-2.6.32-358.0.1.el6.x86_64
kernel-firmware-2.6.32-358.0.1.el6.noarch
kernel-2.6.32-358.0.1.el6.x86_64
kernel-devel-2.6.32-279.19.1.el6.x86_64
kernel-devel-2.6.32-358.0.1.el6.x86_64
kernel-2.6.32-279.9.1.el6.x86_64
libreport-plugin-kerneloops-2.0.9-15.el6.centos.x86_64
kernel-2.6.32-279.22.1.el6.x86_64
kernel-devel-2.6.32-279.9.1.el6.x86_64

This is from a VM that succeeded with the update to the 359 kernel. There are three more like that.

Emmett
Re: [CentOS] Kernel panic after update to 6.4
On 03/12/2013 04:23 PM, lists-centos wrote:

Original Message
Date: Tuesday, March 12, 2013 04:05:28 PM -0700
From: Emmett Culley emm...@webengineer.com
To: centos@centos.org
Cc:
Subject: Re: [CentOS] Kernel panic after update to 6.4

On 03/12/2013 01:48 PM, Akemi Yagi wrote:
On Tue, Mar 12, 2013 at 1:41 PM, Emmett Culley emm...@webengineer.com wrote:

After successfully updating three CentOS 6.3 VM guests to 6.4 I decided to update the host as well. And it failed to boot.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

At the time of this writing, CentOS kernel 2.6.32-358.2.1.el6 is not out yet. Where did you get this one from ??? Did you build it yourself?

Akemi

I did yum update --enablerepo=epel. I just checked and it appears that kernel was from the updates repo:

[~]# yum list kernel
Installed Packages
kernel.x86_64 2.6.32-279.9.1.el6 @updates
kernel.x86_64 2.6.32-279.14.1.el6 @updates
kernel.x86_64 2.6.32-279.19.1.el6 @updates
kernel.x86_64 2.6.32-279.22.1.el6 @updates
kernel.x86_64 2.6.32-358.0.1.el6 @updates

[~]# rpm -qa |grep kernel
abrt-addon-kerneloops-2.0.8-15.el6.centos.x86_64
kernel-2.6.32-279.19.1.el6.x86_64
dracut-kernel-004-303.el6.noarch
kernel-devel-2.6.32-279.14.1.el6.x86_64
kernel-2.6.32-279.14.1.el6.x86_64
kernel-devel-2.6.32-279.22.1.el6.x86_64
kernel-headers-2.6.32-358.0.1.el6.x86_64
kernel-firmware-2.6.32-358.0.1.el6.noarch
kernel-2.6.32-358.0.1.el6.x86_64
kernel-devel-2.6.32-279.19.1.el6.x86_64
kernel-devel-2.6.32-358.0.1.el6.x86_64
kernel-2.6.32-279.9.1.el6.x86_64
libreport-plugin-kerneloops-2.0.9-15.el6.centos.x86_64
kernel-2.6.32-279.22.1.el6.x86_64
kernel-devel-2.6.32-279.9.1.el6.x86_64

This is from a VM that succeeded with the update to the 359 kernel. There are three more like that.

Emmett

You are giving conflicting information. You indicated that the kernel that you are getting the panic on is:

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.2.1.el6.x86_64 #1

i.e., ...358.2.1

What you are showing as available from @updates and installed in the VM that is working is:

kernel.x86_64 2.6.32-358.0.1.el6 @updates
kernel-2.6.32-358.0.1.el6.x86_64

i.e., ...358.0.1

RedHat released ...358.2.1 earlier today, but I haven't seen centos announce its release yet, and it's not available from the centos repositories as of a few moments ago. So, the VM that is ok is using ...358.0.1, the centos released kernel. The one that is panic would appear to have come from elsewhere.

Also note, it's the 358, not 359 kernel:

This is from a VM that succeeded with the update to the 359 kernel. There are three more like that.

Yes, kernel 358. the 359 was a typo. And... the kernel panic lines were transcribed from a photo I took of the screen after the failed boot. On second look I see that the version is 2.6.32-358.0.1.el6.x86_64. So let's start again.

Kernel panic - Not syncing: Attempted to kill init!
Pid: 1, comm: init not tainted: 2.6.32-358.0.1.el6.x86_64 #1

After yum upgrade --enablerepo=epel on two of five machines, one of which is the host for the three VM's that succeeded and the one that failed, just as the host. I have a screen shot of that VM's boot failure, but I don't know the proper way to include it in a post. I've uninstalled that kernel and ran yum upgrade again, it still fails on that kernel, on both the host and the VM. I suppose the good thing is that it happened on a VM guest that is not critical, so I don't have to experiment with the host that has four important guests running on it. Any ideas?

Emmett
Re: [CentOS] Eclipse (again)...
On 02/18/2013 06:58 AM, Toralf Lund wrote:

Hi

Just thought I might ask my recent question about Eclipse again, only in a slightly different way: Is anyone here using the Eclipse version supplied with the CentOS 6 distro (as opposed to a build downloaded from www.eclipse.org)? Does it work for you? Are you able to install additional components via the built-in software setup mechanism?

Thanks,
- Toralf

This e-mail, including any attachments and response string, may contain proprietary information which is confidential and may be legally privileged. It is for the intended recipient only. If you are not the intended recipient or transmission error has misdirected this e-mail, please notify the author by return e-mail and delete this message and any attachment immediately. If you are not the intended recipient you must not use, disclose, distribute, forward, copy, print or rely on this e-mail in any way except as permitted by the author.

I am using Eclipse for a C project on CentOS 6. Eclipse was installed using YUM and only from the CentOS repositories. Except that I cannot seem to enable global variables in debug mode all is working well. I haven't added any plugins or components except via YUM.

Emmett
Re: [CentOS] sysctl -p at startup?
On 01/08/2013 12:39 PM, Leon Fauster wrote:
On 08.01.2013 at 20:25, Emmett Culley wrote:
On 01/08/2013 02:58 AM, Michael Simpson wrote:
On 2 January 2013 17:54, Emmett Culley emm...@webengineer.com wrote:

I understand that the contents of /etc/sysctl.conf should be read and executed at system startup. However that never happens and I have to run sysctl -p after every reboot to get the settings I want. This is happening on every CentOS machine and VM I have. I can see in the startup scripts that sysctl -e -p /etc/sysctl.conf >/dev/null 2>&1 is run at start up by the apply_sysctl function, yet the settings are never correct unless I run sysctl -p on the command line. Anybody know why that would be?

It depends on whether the changes you are making using sysctl are being affected by other processes later on in the startup sequence

I have to run sysctl -p manually in order to stop kernel messages being printed to the console as even though i have them configured off in my sysctl this is overridden at some other point and i get to find out all about SoftMAC and its scanning ways

https://bugzilla.redhat.com/show_bug.cgi?id=760497

mike

I ended up putting sysctl -p in to /etc/rc.local, which fixed the problem. I thought I'd read the rc.local is deprecated, so I resisted using it. Oh well...

for sysctl configs i suggest the /etc/sysctl.d directory (create it if ...) for example:

$ cat /etc/sysctl.d/vpn.conf
net.ipv4.ip_forward = 1

-- LF

There was no /etc/sysctl.d directory, so I created one and added a file with sysctl -p on the first line, still no change to my requested settings after a reboot. So I changed the file to look like:

#!/bin/bash
sysctl -p

and made it executable (just in case :-) and of course that didn't work either. I've noted that there was a bug reported for RHEL5 that stated this would be fixed in 6. I guess that didn't happen. And I am not even certain that it isn't working as expected. In the mean time I will stick to using /etc/rc.local.

Emmett
Re: [CentOS] sysctl -p at startup?
On 01/09/2013 08:34 AM, Leon Fauster wrote:
> On 09.01.2013 at 17:13, Emmett Culley wrote:
>> On 01/08/2013 12:39 PM, Leon Fauster wrote:
>>> for sysctl configs I suggest the /etc/sysctl.d directory (create it if ...)
>>>
>>> for example:
>>>
>>> $ cat /etc/sysctl.d/vpn.conf
>>> net.ipv4.ip_forward = 1
>>
>> There was no /etc/sysctl.d directory, so I created one and added a file with sysctl -p on the first line, still no change to my requested settings after a reboot. So I changed the file to look like:
>>
>> #!/bin/bash
>> sysctl -p
>>
>> and made it executable (just in case :-) and of course that didn't work either.
>>
>> I've noted that there was a bug reported for RHEL5 that stated this would be fixed in 6. I guess that didn't happen. And I am not even certain that it isn't working as expected.
>>
>> In the mean time I will stick to using /etc/rc.local.
>
> The files (/etc/sysctl.d/*.conf) must have the format of e.g.
>
> net.ipv4.ip_forward = 1
>
> like /etc/sysctl.conf
>
> Those files (/etc/sysctl.d/*.conf) are read by the start script rc.sysinit (function apply_sysctl) after /etc/sysctl.conf was read.
>
> --
> LF

Yes, that is what I tried first. I just made it executable after that failed as it was quicker to do that than to google or ask the list.

As for apply_sysctl... That calls sysctl -e -p /etc/sysctl.conf. At least that is what I would expect. However if it is getting called, the changes aren't sticking.

Emmett
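The fragment format described in the message above, checked in code. This is an added example, not part of any message in the thread: a Python parser for sysctl.conf-style files that reports lines that are not `key = value` settings, merges files in the order given in the thread (/etc/sysctl.conf first, then /etc/sysctl.d/*.conf), and compares the result with live values. The file name local.conf, the kernel.printk values and the sample runtime values are constructed.

```python
"""Check sysctl fragments for non-setting lines and for drift against live values."""
import re
from pathlib import Path

# sysctl.conf(5): one "token = value" per line; blank lines and lines
# starting with '#' or ';' are ignored.
SETTING = re.compile(r"^([\w.\-/]+)\s*=\s*(.*)$")


def parse_fragment(text):
    """Return (settings, rejected); rejected holds (line_number, line) pairs."""
    settings, rejected = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SETTING.match(line)
        if match:
            settings[match.group(1)] = " ".join(match.group(2).split())
        else:
            rejected.append((number, line))
    return settings, rejected


def merge(fragments):
    """fragments: (name, text) pairs in boot order; a later file overrides an earlier one."""
    effective, origin, problems = {}, {}, []
    for name, text in fragments:
        settings, rejected = parse_fragment(text)
        for key, value in settings.items():
            effective[key], origin[key] = value, name
        problems.extend((name, number, line) for number, line in rejected)
    return effective, origin, problems


def read_proc(key, root="/proc/sys"):
    """Read the live value of a key; dots in the key map to path separators."""
    try:
        return Path(root, *key.split(".")).read_text()
    except OSError:
        return None


def drift(effective, reader=read_proc):
    """Return {key: (configured, live)} for every key whose live value differs."""
    result = {}
    for key, want in effective.items():
        have = reader(key)
        if have is not None:
            have = " ".join(have.split())  # /proc/sys separates fields with tabs
        if have != want:
            result[key] = (want, have)
    return result


# Constructed sample input. vpn.conf is the fragment quoted in the thread;
# local.conf (hypothetical name) holds the shell-script attempt described there.
BOOT_ORDER = [
    ("/etc/sysctl.conf", "# constructed\nnet.ipv4.ip_forward = 0\nkernel.printk = 3 4 1 3\n"),
    ("/etc/sysctl.d/local.conf", "#!/bin/bash\nsysctl -p\n"),
    ("/etc/sysctl.d/vpn.conf", "net.ipv4.ip_forward = 1\n"),
]
# Constructed live values: kernel.printk was changed after the boot-time sysctl run.
SAMPLE_RUNTIME = {"net.ipv4.ip_forward": "1\n", "kernel.printk": "7\t4\t1\t7\n"}

if __name__ == "__main__":
    effective, origin, problems = merge(BOOT_ORDER)
    for name, number, line in problems:
        print(f"{name}:{number}: not a setting, ignored: {line!r}")
    for key, (want, have) in drift(effective, SAMPLE_RUNTIME.get).items():
        print(f"{key}: configured {want!r} by {origin[key]}, live {have!r}")
```

On a real host, call `drift(effective)` with the default reader some time after boot; a key that differs there was either never applied or was changed by something that ran later.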
Re: [CentOS] sysctl -p at startup?
On 01/08/2013 02:58 AM, Michael Simpson wrote:
> On 2 January 2013 17:54, Emmett Culley emm...@webengineer.com wrote:
>> I understand that the contents of /etc/sysctl.conf should be read and executed at system startup. However that never happens and I have to run sysctl -p after every reboot to get the settings I want. This is happening on every CentOS machine and VM I have.
>>
>> I can see in the startup scripts that sysctl -e -p /etc/sysctl.conf >/dev/null 2>&1 is run at start up by the apply_sysctl function, yet the settings are never correct unless I run sysctl -p on the command line.
>>
>> Anybody know why that would be?
>
> It depends on whether the changes you are making using sysctl are being affected by other processes later on in the startup sequence.
>
> I have to run sysctl -p manually in order to stop kernel messages being printed to the console, as even though I have them configured off in my sysctl this is overridden at some other point and I get to find out all about SoftMAC and its scanning ways.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=760497
>
> mike

I ended up putting sysctl -p in to /etc/rc.local, which fixed the problem. I thought I'd read the rc.local is deprecated, so I resisted using it. Oh well...

Emmett
[CentOS] Disk error
For some time I have been seeing disk errors in the syslog every seven days. Until today it always happens Sunday morning at 8:13 AM, plus or minus a minute or two. Yesterday it happened at 1:13 AM.

Here are the pertinent log entries for the latest occurrence:

Jan 6 01:12:29 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:12:29 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:12:29 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:12:29 g2 kernel: ata9.00: cmd 25/00:00:00:fe:d5/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:12:29 g2 kernel: res 51/40:00:19:ff:d5/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:12:29 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:12:29 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:12:29 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:12:29 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:12:29 g2 kernel: ata9: EH complete
Jan 6 01:12:33 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:12:33 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:12:33 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:12:33 g2 kernel: ata9.00: cmd 25/00:00:00:fe:d5/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:12:33 g2 kernel: res 51/40:00:7c:ff:d5/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:12:33 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:12:33 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:12:33 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:12:33 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:12:33 g2 kernel: ata9: EH complete
Jan 6 01:13:06 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:13:06 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:13:06 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:06 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:06 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:06 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:13:06 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:13:07 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:13:07 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:13:07 g2 kernel: ata9: EH complete
Jan 6 01:13:10 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:13:10 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:13:10 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:10 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:10 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:10 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:13:10 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:13:10 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:13:10 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:13:10 g2 kernel: ata9: EH complete
Jan 6 01:13:14 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:13:14 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:13:14 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:14 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:14 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:14 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:13:14 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:13:14 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:13:14 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:13:14 g2 kernel: ata9: EH complete
Jan 6 01:13:17 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:13:17 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:13:17 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:17 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:17 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:17 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:13:17 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:13:18 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:13:18 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:13:18 g2 kernel: ata9: EH complete
Jan 6 01:13:21 g2 kernel: ata9.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Jan 6 01:13:21 g2 kernel: ata9.00: BMDMA stat 0x64
Jan 6 01:13:21 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:21 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:21 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:21 g2 kernel: ata9.00: status: { DRDY ERR }
Jan 6 01:13:21 g2 kernel: ata9.00: error: { UNC }
Jan 6 01:13:21 g2 kernel: ata9.00: configured for UDMA/33
Jan 6 01:13:21 g2 kernel: ata9.01: configured for UDMA/33
Jan 6 01:13:21 g2 kernel: ata9: EH complete
Jan 6 01:13:25 g2 kernel:
Re: [CentOS] Disk error
On 01/07/2013 03:43 PM, Mark LaPierre wrote:
> On 01/07/2013 06:24 PM, Brian Mathis wrote:
>> On Mon, Jan 7, 2013 at 5:58 PM, Emmett Culley emm...@webengineer.com wrote:
>>> For some time I have been seeing disk errors in the syslog every seven days. Until today it always happens Sunday morning at 8:13 AM, plus or minus a minute or two. Yesterday it happened at 1:13 AM.
>>>
>>> Here are the pertinent log entries for the latest occurrence:
>>> [...]
>>> Jan 6 01:13:25 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
>>> [...]
>>> Jan 6 01:13:25 g2 kernel: sd 8:0:0:0: [sdg] Add. Sense: Unrecovered read error - auto reallocate failed
>>> [...]
>>> There is nothing in /etc/cron.weekly, nor are there any root crontab entries.
>>>
>>> Any suggestions for investigating this issue would be much appreciated.
>>>
>>> Emmett
>>
>> Based on this I'd say your disk is going bad, and has run out of spare sectors:
>>
>> Jan 6 01:13:25 g2 kernel: sd 8:0:0:0: [sdg] Add. Sense: Unrecovered read error - auto reallocate failed
>>
>> You can use smartctl to get some information from the SMART tables, but I've never been able to get a conclusive test out of the testing options. It would be a good idea to run 'badblocks' against the drive as well, as it will definitely tell you if there are bad sectors.
>>
>> Disks are so cheap it's usually not worth too much effort or delay once you've found out that it's bad.
>>
>> ❧ Brian Mathis
>
> How do you explain the regular timing of the errors? Is there a process, maybe a backup or something, that runs at this time every Sunday morning Mr. Mathis?

I just looked at the backup process and noticed that an incremental backup started at 1:00 AM. However none of the other backups listed for this machine correlate in any way to the times that the disk errors are reported.

As this is a host for multiple VMs it might be a good idea to look on each VM for cron jobs running at the time of the disk errors. I'll look there next.

The drive the error reports concern is mounted via mdadm as /boot, so I was able to unmount it, stop the raid and run bad blocks via e2fsck. That reports:

Checking for bad blocks (read-only test): done
/dev/sdg1: Updating bad block inode.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/sdg1: * FILE SYSTEM WAS MODIFIED *
/dev/sdg1: 67/128016 files (7.5% non-contiguous), 165468/511988 blocks

So I'll wait to see if it happens next Sunday.

Emmett
Re: [CentOS] Disk error
On 01/07/2013 04:19 PM, John R Pierce wrote:
> On 1/7/2013 3:43 PM, Mark LaPierre wrote:
>> How do you explain the regular timing of the errors? Is there a process, maybe a backup or something, that runs at this time every Sunday morning Mr. Mathis?
>
> is this disk part of an mdraid mirror by any chance? /etc/cron.weekly/99raid-check does a synccheck of each md metadevice.

It is a raid drive and there is a read-check file in /etc/cron.d. It is set to run raid-check at 1:00 AM on Sunday. So I ran raid-check on the command line, and sure enough the disk errors show up in syslog.

I'll replace the drive, then run some long tests on it out of the system.

Thanks for the suggestions!

Emmett
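The `cmd` and `res` lines in the log posted in this thread carry the ATA taskfile registers, so the failing sector can be read straight from them. The following is an added example, not part of any message: a Python decoder that assumes the register order libata uses in these reports (command or status, feature or error, sector count, three LBA bytes, then the high-order bytes and the device register) and runs over four of the posted incidents.

```python
"""Decode libata 'cmd'/'res' taskfile lines from syslog into LBAs and error flags."""
import re
from collections import Counter

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (.*)$")
FAILED = re.compile(r"^(ata\d+\.\d+): failed command: (.+)$")
TASKFILE = re.compile(r"(cmd|res) ((?:[0-9a-f]{2}[/:]){11}[0-9a-f]{2})")
FIELDS = ("command", "feature", "nsect", "lbal", "lbam", "lbah",
          "hob_feature", "hob_nsect", "hob_lbal", "hob_lbam", "hob_lbah", "device")
# Bits of the ATA error register (the second byte of a 'res' line).
ERROR_BITS = {0x80: "ICRC", 0x40: "UNC", 0x10: "IDNF", 0x04: "ABRT"}


def decode_taskfile(text):
    """Split the twelve hex bytes into named registers and assemble the 48-bit LBA."""
    tf = dict(zip(FIELDS, (int(b, 16) for b in re.split(r"[/:]", text))))
    tf["lba"] = (tf["hob_lbah"] << 40 | tf["hob_lbam"] << 32 | tf["hob_lbal"] << 24
                 | tf["lbah"] << 16 | tf["lbam"] << 8 | tf["lbal"])
    tf["sectors"] = (tf["hob_nsect"] << 8 | tf["nsect"]) or 65536  # 0 means 65536 in LBA48
    return tf


def parse_incidents(log_text):
    """Return one dict per 'failed command' report, with request range and failing LBA."""
    incidents, current = [], None
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        when, message = line.groups()
        failed = FAILED.match(message)
        if failed:
            current = {"time": when, "port": failed.group(1), "op": failed.group(2)}
            incidents.append(current)
            continue
        found = TASKFILE.search(message)
        if current is None or not found:
            continue
        tf = decode_taskfile(found.group(2))
        if found.group(1) == "cmd":
            current["start_lba"], current["sectors"] = tf["lba"], tf["sectors"]
        else:
            start = current.get("start_lba", -1)
            current["fail_lba"] = tf["lba"]
            current["errors"] = [n for bit, n in ERROR_BITS.items() if tf["feature"] & bit]
            current["in_range"] = start <= tf["lba"] < start + current.get("sectors", 0)
    return incidents


def repeated_sectors(incidents):
    """Return {lba: count} for sectors that failed in more than one report."""
    counts = Counter(i["fail_lba"] for i in incidents if "fail_lba" in i)
    return {lba: n for lba, n in counts.items() if n > 1}


# Four incidents from the log posted in this thread, trimmed to the lines the parser uses.
SAMPLE_LOG = """\
Jan 6 01:12:29 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:12:29 g2 kernel: ata9.00: cmd 25/00:00:00:fe:d5/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:12:29 g2 kernel: res 51/40:00:19:ff:d5/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:12:33 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:12:33 g2 kernel: ata9.00: cmd 25/00:00:00:fe:d5/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:12:33 g2 kernel: res 51/40:00:7c:ff:d5/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:06 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:06 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:06 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
Jan 6 01:13:10 g2 kernel: ata9.00: failed command: READ DMA EXT
Jan 6 01:13:10 g2 kernel: ata9.00: cmd 25/00:00:00:bf:d6/00:02:04:00:00/e0 tag 0 dma 262144 in
Jan 6 01:13:10 g2 kernel: res 51/40:00:db:bf:d6/40:00:04:00:00/00 Emask 0x9 (media error)
"""

if __name__ == "__main__":
    for i in parse_incidents(SAMPLE_LOG):
        print(f'{i["time"]} {i["port"]} {i["op"]}: read {i["sectors"]} sectors from LBA '
              f'{i["start_lba"]}, failed at LBA {i["fail_lba"]} {i["errors"]}')
    print("failed more than once:", repeated_sectors(parse_incidents(SAMPLE_LOG)))
```

Each request decodes to 512 sectors, which matches the `dma 262144 in` byte count on the `cmd` line, and every failing LBA falls inside the range that was being read.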
[CentOS] sysctl -p at startup?
I understand that the contents of /etc/sysctl.conf should be read and executed at system startup. However that never happens and I have to run sysctl -p after every reboot to get the settings I want. This is happening on every CentOS machine and VM I have.

I can see in the startup scripts that sysctl -e -p /etc/sysctl.conf >/dev/null 2>&1 is run at start up by the apply_sysctl function, yet the settings are never correct unless I run sysctl -p on the command line.

Anybody know why that would be?

I am running the latest updates on CentOS 6.3

Emmett
Re: [CentOS] BackupPC and rsync
On 09/26/2012 11:05 AM, Les Mikesell wrote:
> On Tue, Sep 25, 2012 at 10:33 PM, Emmett Culley emm...@webengineer.com wrote:
>> I have been using BackupPC via rsync daemons on the target machines and all has been working well. At least until about the time rsync went to version 3.0.6. Since then backups have been failing for some targets.
>>
>> The failure is a TCP ZeroWindow issue. It looks like the server rsync process cannot empty its buffer soon enough and eventually the process fails. I really do not know if it is rsync version related, because I never looked at the packet stream until I started having failures.
>>
>> BackupPC was running on a VM host and the failing machine was one of the guest VMs. I tried upgrading rsync to 3.0.9 and that didn't help. So I moved the BackupPC set up to a different server (no VM). Not all backups are working, though I still see some ZeroWindow packets along with a few retransmission packets. But the backup completes on all machines, including the VM that was failing before.
>>
>> I've googled rsync zerowindow and found some references, but none seemed to apply to my situation.
>>
>> Anybody else having a similar experience?
>
> I found an old mention of turning off TCP window scaling solving a problem with rsync (not involving backuppc). Seems unlikely but might be worth a try: sysctl -w net.ipv4.tcp_window_scaling=0.

I tried that on the target VM and it didn't make any difference. Then I tried it on the BackupPC server and that didn't make any difference either.

Thanks for the suggestion anyway.

Emmett
[CentOS] BackupPC and rsync
I have been using BackupPC via rsync daemons on the target machines and all has been working well. At least until about the time rsync went to version 3.0.6. Since then backups have been failing for some targets.

The failure is a TCP ZeroWindow issue. It looks like the server rsync process cannot empty its buffer soon enough and eventually the process fails. I really do not know if it is rsync version related, because I never looked at the packet stream until I started having failures.

BackupPC was running on a VM host and the failing machine was one of the guest VMs. I tried upgrading rsync to 3.0.9 and that didn't help. So I moved the BackupPC set up to a different server (no VM). Not all backups are working, though I still see some ZeroWindow packets along with a few retransmission packets. But the backup completes on all machines, including the VM that was failing before.

I've googled rsync zerowindow and found some references, but none seemed to apply to my situation.

Anybody else having a similar experience?

Emmett
Re: [CentOS] How to handel smtp to public servers - done
For the last five years I have been running a captive portal gateway I developed at a number of airports to manage free wireless. There are more than 25K connections each day, and port 25 is blocked for every one of them. Yes we get complaints, but not often, one every two or three months or so.

Before we blocked port 25 we had to go to spamhaus.org once a month, or so, to request removal of one or more of the gateway's IP addresses from their black lists.

Emmett

On 06/27/2012 09:04 PM, Emmanuel Noobadmin wrote:
> On 6/27/12, Götz Reinicke goetz.reini...@filmakademie.de wrote:
>> Long story short: I advised the use of port 587 two hours ago.
>>
>> FYI since then I had 169 outgoing connections to port 20 and 1 to 587. :)
>
> Seriously, just force them. I got so tired of one particular app/mail server that kept getting blacklisted because of lazy client admin and users, I sent them a notice that for emergency security reasons, emails will only be accepted on port 587. Gave them one hour, then closed 25.
>
> Understandably people screamed for about another hour or so but all of them ended up on 587 by the end of the day ;)
Re: [CentOS] Software RAID1 with CentOS-6.2
On 02/28/2012 04:27 PM, Kahlil Hodgson wrote:
> Hello,
>
> Having a problem with software RAID that is driving me crazy.
>
> Here's the details:
>
> 1. CentOS 6.2 x86_64 install from the minimal iso (via pxeboot).
> 2. Reasonably good PC hardware (i.e. not budget, but not server grade either) with a pair of 1TB Western Digital SATA3 Drives.
> 3. Drives are plugged into the SATA3 ports on the mainboard (both drives and cables say they can do 6Gb/s).
> 4. During the install I set up software RAID1 for the two drives with two raid partitions:
>    md0 - 500M for /boot
>    md1 - the rest for a physical volume
> 5. Setup LVM on md1 in the standard slash, swap, home layout
>
> Install goes fine (actually really fast) and I reboot into CentOS 6.2. Next I ran yum update, added a few minor packages and performed some basic configuration.
>
> Now I start to get I/O errors printed on the console. Run 'mdadm -D /dev/md1' and see the array is degraded and /dev/sdb2 has been marked as faulty.
>
> Okay, fair enough, I've got at least one bad drive. I boot the system from a live usb and run the short and long SMART tests on both drives. No problems reported but I know that can be misleading, so I'm going to have to gather some evidence before I try to return these drives. I run badblocks in destructive mode on both drives as follows
>
> badblocks -w -b 4096 -c 98304 -s /dev/sda
> badblocks -w -b 4096 -c 98304 -s /dev/sdb
>
> Come back the next day and see that no errors are reported. Er, that's odd. I check the SMART data in case badblocks activity has triggered something. Nope. Maybe I screwed up the install somehow?
>
> So I start again and repeat the install process very carefully. This time I check the raid array straight after boot.
>
> mdadm -D /dev/md0 - all is fine.
> mdadm -D /dev/md1 - the two drives are resyncing.
>
> Okay, that is odd. The RAID1 array was created at the start of the install process, before any software was installed. Surely it should be in sync already? Googled a bit and found a post where someone else had seen the same thing happen. The advice was to just wait until the drives sync so the 'blocks match exactly' but I'm not really happy with the explanation. At this rate it's going to take a whole day to do a single minimal install and I'm sure I would have heard others complaining about the process.
>
> Anyway, I leave the system to sync for the rest of the day. When I get back to it I see the same (similar) I/O errors on the console and mdadm shows the RAID array is degraded, /dev/sdb2 has been marked as faulty. This time I notice that the I/O errors all refer to /dev/sda. Have to reboot because the fs is now readonly. When the system comes back up, it's trying to resync the drive again. Eh?
>
> Any ideas what is going on here? If it's bad drives, I really need some confirmation independent of the software raid failing. I thought SMART or badblocks give me that. Perhaps it has nothing to do with the drives. Could a problem with the mainboard or the memory cause this issue? Is it a SATA3 issue? Should I try it on the 3Gb/s channels since there's probably little speed difference with non-SSDs?
>
> Cheers,
>
> Kal

I just had a very similar problem with a raid 10 array with four new 1TB drives. It turned out to be the SATA cable.

I first tried a new drive and even replaced the five disk hot plug carrier. It was always the same logical drive (/dev/sdb). I then tried using an additional SATA adapter card. That cinched it, as the only thing common to all the above was the SATA cable.

All has been well for a week now.

I should have tried replacing the cable first :-)

Emmett
[CentOS] QEMU configuration not persistent
Since switching from CentOS 5.7 to CentOS 6.x I find that one of the VMs will not restart upon system reboot. I finally figured out that the video is always set to vmvga after rebooting. In addition the VM's storage always reverts back to IDE from virtio and is set to use the wrong image.

It may be related to the fact that I moved the XML files that defined the VMs from the old (CentOS 5.7) /etc/libvirt/qemu directory to the new (CentOS 6.2) /etc/libvirt/qemu directory. The images are stored in the same LVM partitions as they were on the CentOS 5.7

Any ideas why a VM would revert back? I've checked the XML file before rebooting and it always has the correct info in it, until after the reboot.

Emmett
Re: [CentOS] QEMU configuration not persistent
On 02/13/2012 03:49 PM, Paul Heinlein wrote:
> On Mon, 13 Feb 2012, Emmett Culley wrote:
>> Since switching from CentOS 5.7 to CentOS 6.x I find that one of the VMs will not restart upon system reboot. I finally figured out that the video is always set to vmvga after rebooting. In addition the VM's storage always reverts back to IDE from virtio and is set to use the wrong image.
>>
>> It may be related to the fact that I moved the XML files that defined the VMs from the old (CentOS 5.7) /etc/libvirt/qemu directory to the new (CentOS 6.2) /etc/libvirt/qemu directory. The images are stored in the same LVM partitions as they were on the CentOS 5.7
>>
>> Any ideas why a VM would revert back? I've checked the XML file before rebooting and it always has the correct info in it, until after the reboot.
>
> Did you copy the XML file from the 5.7 host to 6.3 host as-is or did you edit it at all during the migration?
>
> I've found that I need either to run virsh define $DOM.xml and then start the new domain or run virsh create $DOM.xml and then, once it's running, make a trivial change (usually adding an XML comment) to the configuration via virsh edit $DOM to get things to stick.

I did copy the XML files to the 6.2 machine. Then when I found that the VMs would not start because they were set to vmvga video, which doesn't seem to be supported anymore, I changed the XML files to cirrus. Then I tried editing the VM using virsh, but still it doesn't persist.

Hmm. There is only one of the VMs that doesn't persist so I'll try using virsh edit again on that one and make a change as you suggest, just in case I never really changed anything for that VM using virsh edit.

Thanks,
Emmett
Re: [CentOS] QEMU configuration not persistent
On 02/13/2012 04:24 PM, Emmett Culley wrote:
> On 02/13/2012 03:49 PM, Paul Heinlein wrote:
>> On Mon, 13 Feb 2012, Emmett Culley wrote:
>>> Since switching from CentOS 5.7 to CentOS 6.x I find that one of the VMs will not restart upon system reboot. I finally figured out that the video is always set to vmvga after rebooting. In addition the VM's storage always reverts back to IDE from virtio and is set to use the wrong image.
>>>
>>> It may be related to the fact that I moved the XML files that defined the VMs from the old (CentOS 5.7) /etc/libvirt/qemu directory to the new (CentOS 6.2) /etc/libvirt/qemu directory. The images are stored in the same LVM partitions as they were on the CentOS 5.7
>>>
>>> Any ideas why a VM would revert back? I've checked the XML file before rebooting and it always has the correct info in it, until after the reboot.
>>
>> Did you copy the XML file from the 5.7 host to 6.3 host as-is or did you edit it at all during the migration?
>>
>> I've found that I need either to run virsh define $DOM.xml and then start the new domain or run virsh create $DOM.xml and then, once it's running, make a trivial change (usually adding an XML comment) to the configuration via virsh edit $DOM to get things to stick.
>
> I did copy the XML files to the 6.2 machine. Then when I found that the VMs would not start because they were set to vmvga video, which doesn't seem to be supported anymore, I changed the XML files to cirrus. Then I tried editing the VM using virsh, but still it doesn't persist.
>
> Hmm. There is only one of the VMs that doesn't persist so I'll try using virsh edit again on that one and make a change as you suggest, just in case I never really changed anything for that VM using virsh edit.
>
> Thanks,
> Emmett

Still doesn't persist. Each time I reboot I have to use virt-manager to change video to cirrus from vmvga, then remove the IDE driver that points to the wrong storage location and add a new virtio storage device pointing to the correct image (an LVM partition).

After I make the changes I close virt-manager and restart it, then look at the configuration for the non-persistent VM, and my changes are still there and I can run the VM.

I did a grep vmvga on the entire /etc/libvirt directory tree and found no references to vmvga. Where can libvirt be getting info to change the xml to vmvga, or the IDE to the wrong location?

Emmett
[CentOS] KVM guests failed to start after 6.2 upgrade
I tore my hair out for a while after rebooting into 6.2 because none of the VM guests would start.

After trying lots of things, like downgrading qemu-kvm (which fixed it when I upgraded via the CR repository and didn't this time), cloning a VM, and even beginning to create a new VM to restore from backup.

Luckily I discovered that there is a log for each VM and found in each case it failed because vmvga is not compiled into KVM. So I changed them all to cirrus via virt-manager and they all work again.

The host machine is all up to date and all of the guests start and operate as usual.

Emmett
Re: [CentOS] qemu-kvm failed after update from CR repo
On 11/29/2011 01:47 AM, Lars Hecking wrote:
>> kernel-2.6.32-131.17.1.el6.x86_64 (after update and currently)
>
> Maybe you're running into this issue?
>
> http://lists.centos.org/pipermail/centos-virt/2011-November/002713.html

I doubt that. All VMs are booting now with the latest CR kernel (2.6.32-131.17.1). And it appears that bug is about xen not qemu.

I will clone the host and experiment some to narrow down the problem to a specific package. Right now none of the CR repo libvirt or qemu packages are installed on the host. So I really do not know for sure which is the bad guy.

Emmett
[CentOS] qemu-kvm failed after update from CR repo
I finally decided to install the CR repo on one of my CentOS 6 machines that I use as a host for some VMs (also running CentOS 6).

Before updating the host I updated a VM that was not critical to test the process and was able to boot that VM, so I went ahead with updating the host and the two VMs that were in use. When I rebooted the host none of the VMs would start.

Once I figured out that it had to be the host I started downgrading the virtual packages. I was finally able to get the VMs to boot after downgrading qemu-kvm.

Has anyone else seen this?

Emmett
Re: [CentOS] qemu-kvm failed after update from CR repo
On 11/28/2011 02:48 PM, Akemi Yagi wrote:
> On Mon, Nov 28, 2011 at 10:38 AM, Emmett Culley emm...@webengineer.com wrote:
>> I finally decided to install the CR repo on one of my CentOS 6 machines that I use as a host for some VMs (also running CentOS 6).
>>
>> Before updating the host I updated a VM that was not critical to test the process and was able to boot that VM, so I went ahead with updating the host and the two VMs that were in use. When I rebooted the host none of the VMs would start.
>>
>> Once I figured out that it had to be the host I started downgrading the virtual packages. I was finally able to get the VMs to boot after downgrading qemu-kvm.
>>
>> Has anyone else seen this?
>
> You might want to provide more detailed info. What is the version of qemu-kvm that worked/failed? What is the kernel version? When the VM guests failed to start, did you see any error message?
>
> Also, VM-related questions may be better discussed on the cent-virt mailing list.
>
> Akemi

kernel-2.6.32-131.17.1.el6.x86_64 (after update and currently)

After update: qemu-kvm-0.12.1.2-2.160.el6_1.8.x86_64
After downgrade: qemu-kvm-0.12.1.2-2.113.el6_0.8.x86_64

Prior to installing the CR repo the host was up to date with the CentOS base and updates repos (not many packages different from the release ISO). After, it was up to date with the CR repo and the VM would not start.

The host is now up to date with the CR repo except that libvirt*, python-libvirt and qemu-kvm have all been downgraded to what was up to date for the CentOS base and updates repos.

By won't boot I mean that running a VM via virt-manager showed only a black screen with the CPU usage graphic in virt-manager at a steady state. No error messages, only a black screen.

If no one else has seen this I will look to the cent-virt mailing list as suggested. I am assuming however, that this is a CR repo issue.

Emmett
Re: [CentOS] KVM on CentOS 6
On 09/08/2011 10:34 AM, m.r...@5-cent.us wrote:
> Emmett Culley wrote:
>> On 09/08/2011 09:07 AM, m.r...@5-cent.us wrote:
>>> Emmett Culley wrote:
>>>> On 09/08/2011 02:25 AM, Nick wrote:
>>>>> On 08/09/11 07:23, Emmett Culley wrote:
>>>>>> Today I suddenly have two VMs that have read only file systems. The host is CentOS 6, as are the two VMs with this problem.
> <snip>
>>>> the one that is still available. The last lines of syslog (/var/log/messages) are:
> <snip>
>>>> Sep 7 21:59:23 dev kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
>>>> Sep 7 21:59:23 dev kernel: ata1.00: failed command: WRITE DMA
>>>> Sep 7 21:59:23 dev kernel: ata1.00: cmd ca/00:08:a0:02:31/00:00:00:00:00/e3 tag 0 dma 4096 out
>>>> Sep 7 21:59:23 dev kernel: res 40/00:01:00:00:00/00:00:00:00:00/a0 Emask 0x4 (timeout)
>>>> Sep 7 21:59:23 dev kernel: ata1.00: status: { DRDY }
>>>> Sep 7 21:59:23 dev kernel: ata1: soft resetting link
>>>> Sep 7 21:59:23 dev kernel: ata1.00: configured for MWDMA2
>>>> Sep 7 21:59:23 dev kernel: ata1.00: device reported invalid CHS sector 0
>>>> Sep 7 21:59:23 dev kernel: ata1: EH complete
> <snip>
>>> Bad news, IMO: I think you have a hardware problem - looks like sector 0 of your h/d has gone bad. Got backups? Got spare drive?
>>
>> Except that this hardware is on the guest and so is virtual. The image is actually a LVM logical volume. So, it must be either a kvm/qemu or a kernel bug. I am working on getting a bug reported, as soon as I figure out where to report it.
>
> Are you sure that the host o/s isn't passing a real error up? Are there errors in the host's logfile?
>
> mark

Turns out you were correct. I did see the same error on the host, though with an hour earlier time stamp. I replaced that drive and all seems well now.

Thanks for your insight.

Emmett
Re: [CentOS] KVM on CentOS 6
On 09/08/2011 02:25 AM, Nick wrote:
> On 08/09/11 07:23, Emmett Culley wrote:
>> Today I suddenly have two VMs that have read only file systems. The host is CentOS 6, as are the two VMs with this problem.
>
> Disclaimer: I can't claim this matches your circumstance exactly, but it is something you might check.
>
> I have seen problems with LVM partitions in KVM guests being unwritable, despite being mounted read-write, on CentOS5.6 (host and guest).
>
> Specifically, I was booting a guest from the CentOS live CD in order to fix /etc/fstab on the root partition, which was LVM, but I could not save my changes.
>
> Executing 'vgscan' resolved my problem; I'm not clear exactly why, but I could then remount and write successfully. You might also try 'vgchange -ay' if that doesn't work.
>
> Perhaps:
>
> - boot with liveCD .iso in a virtual CD drive
> - check whether VolGroup-lv_root is mounted and writeable (use mount, lvdisplay, touch etc.)
> - if not, unmount it, run vgscan
> - remount it, and check for writability again
>
> N

I will give that a try. However I remembered something about both failed VMs from my investigations yesterday and checked it out this morning on the one that is still available. The last lines of syslog (/var/log/messages) are:

Sep 6 19:42:49 dev squid[2885]: Ready to serve requests.
Sep 6 19:42:50 dev squid[2885]: storeLateRelease: released 0 objects
Sep 7 00:16:55 dev fail2ban.actions: WARNING [apache-pma] Ban 82.165.150.194
Sep 7 15:47:06 dev mountd[1658]: authenticated unmount request from 192.168.6.12:603 for /web (/web)
Sep 7 15:49:33 dev mountd[1658]: authenticated mount request from 192.168.6.12:699 for /web (/web)
Sep 7 15:49:34 dev mountd[1658]: authenticated mount request from 192.168.6.12:863 for /web (/web)
Sep 7 21:19:59 dev init: tty (/dev/tty1) main process ended, respawning
Sep 7 21:59:23 dev kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
Sep 7 21:59:23 dev kernel: ata1.00: failed command: WRITE DMA
Sep 7 21:59:23 dev kernel: ata1.00: cmd ca/00:08:a0:02:31/00:00:00:00:00/e3 tag 0 dma 4096 out
Sep 7 21:59:23 dev kernel: res 40/00:01:00:00:00/00:00:00:00:00/a0 Emask 0x4 (timeout)
Sep 7 21:59:23 dev kernel: ata1.00: status: { DRDY }
Sep 7 21:59:23 dev kernel: ata1: soft resetting link
Sep 7 21:59:23 dev kernel: ata1.00: configured for MWDMA2
Sep 7 21:59:23 dev kernel: ata1.00: device reported invalid CHS sector 0
Sep 7 21:59:23 dev kernel: ata1: EH complete

So it looks like there is a bug I can report. But where to report it? I don't see how it can be a CentOS 6 bug.

Emmett
Re: [CentOS] KVM on CentOS 6
On 09/08/2011 09:07 AM, m.r...@5-cent.us wrote: Emmett Culley wrote: On 09/08/2011 02:25 AM, Nick wrote: On 08/09/11 07:23, Emmett Culley wrote: Today I suddenly have two VMs that have read only file systems. The host is CentOS 6, as are the two VMs with this problem. Disclaimer: I can't claim this matches your circumstance exactly, but it is something you might check. snip I will give that a try. However I remembered something about both failed VMs from my investigations yesterday and checked it out this morning on the one that is still available. The last lines of syslog (/var/log/messages) are: snip Sep 7 21:59:23 dev kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen Sep 7 21:59:23 dev kernel: ata1.00: failed command: WRITE DMA Sep 7 21:59:23 dev kernel: ata1.00: cmd ca/00:08:a0:02:31/00:00:00:00:00/e3 tag 0 dma 4096 out Sep 7 21:59:23 dev kernel: res 40/00:01:00:00:00/00:00:00:00:00/a0 Emask 0x4 (timeout) Sep 7 21:59:23 dev kernel: ata1.00: status: { DRDY } Sep 7 21:59:23 dev kernel: ata1: soft resetting link Sep 7 21:59:23 dev kernel: ata1.00: configured for MWDMA2 Sep 7 21:59:23 dev kernel: ata1.00: device reported invalid CHS sector 0 Sep 7 21:59:23 dev kernel: ata1: EH complete snip Bad news, IMO: I think you have a hardware problem - looks like sector 0 of your h/d has gone bad. Got backups? Got spare drive? mark Except that this hardware is on the guest and so is virtual. The image is actually a LVM logical volume. So, it must be either a kvm/qemu or a kernel bug. I am working on getting a bug reported, as soon as I figure out where to report it. Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] KVM on CentOS 6
Today I suddenly have two VMs that have read only file systems. The host is CentOS 6, as are the two VMs with this problem. The first symptom was on a new VM I installed ISPConfig onto. I got through the entire process with only a dependency issue between php-pecl_apc and php-accelerator. After completing the installation I noticed some funny things, but I assumed it might be the addition of quotas and remounting with quotas on. so I didn't think much of it and rebooted the VM. It failed to reboot because the file system should not be switched to read-write. Since it was a new VM and installing ISPConfig was an experiment, I just wiped it with the intention of starting over. While I was creating another clone of a CentOS 6 image on the host, I looked into one of the other VMs running on that host, which has been up and running for 47 days. Same problem, without rebooting. For example running yum give this: [root@dev log]# yum update Loaded plugins: fastestmirror, presto Cannot open logfile /var/log/yum.log Could not create lock at /var/run/yum.pid: [Errno 30] Read-only file system: '/var/run/yum.pid' Another app is currently holding the yum lock; waiting for it to exit... 
Traceback (most recent call last): File /usr/bin/yum, line 29, in module yummain.user_main(sys.argv[1:], exit_code=True) File /usr/share/yum-cli/yummain.py, line 254, in user_main errcode = main(args) File /usr/share/yum-cli/yummain.py, line 103, in main show_lock_owner(e.pid, logger) File /usr/share/yum-cli/utils.py, line 106, in show_lock_owner ps = get_process_info(pid) File /usr/share/yum-cli/utils.py, line 61, in get_process_info if (not os.path.exists(/proc/%d/status % pid) or TypeError: %d format: a number is required, not str And running mount gives this: [root@dev log]# mount /dev/mapper/VolGroup-lv_root on / type ext4 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) tmpfs on /dev/shm type tmpfs (rw) /dev/sda1 on /boot type ext4 (rw) /web on /NFS/web type none (rw,bind) none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw) nfsd on /proc/fs/nfsd type nfsd (rw) /etc/named on /var/named/chroot/etc/named type none (rw,bind) /etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind) /usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind) /etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind) /etc/named on /var/named/chroot/etc/named type none (rw,bind) /usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind) mount: warning: /etc/mtab is not writable (e.g. read-only filesystem). It's possible that information reported by mount(8) is not up to date. For actual information about system mount points check the /proc/mounts file. --- The VM is running, serving web pages and responding to DNS queries, but it is clear, given my earlier experience with the ISPConfig machine, that I won't be able to reboot it until I figure out the problem. Now that I am looking at the output from the mount command I wonder where all those named related mounts came from. 
Could it be webmin? Both VMs have webmin installed. Mostly to allow me to configure bind, since system-config-bind is no more.

Anybody have any idea what happened, or better yet, any ideas on how to fix this?

Emmett
Re: [CentOS] New wireless controller
On 09/01/2011 10:10 PM, Barry Brimer wrote: I just installed an Asus PCE-n13 wireless card into one of my CentOS 5.6 systems. It uses the RaLink 2680 chip set and I was able to get the driver loaded using modprobe rt2x00pci.ko. I saw no error and now see that the module is loaded along with mac80211 and other dependencies. Now I need to know how to create the wlan0 device. I can find nothing via Google searches on how to create that device. I assumed the driver would do that upon loading, but now I expect some ioctl to the driver command may be required. I created an ifcfg-wlan0 file, but of course ifup wlan0 always returns device not found. Can somebody tell me where to start on getting the wlan0 device created? What is the output of iwconfig? What is the output of ifconfig -a ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos [root@sbbusx ~]# iwconfig lono wireless extensions. eth0 no wireless extensions. eth1 no wireless extensions. ppp0 no wireless extensions. 
[root@sbbusx ~]# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:25:90:33:11:80 inet addr:192.168.6.99 Bcast:192.168.6.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:544 errors:0 dropped:0 overruns:0 frame:0 TX packets:618 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:61246 (59.8 KiB) TX bytes:149248 (145.7 KiB) Interrupt:177 Memory:feae-feb0 eth1 Link encap:Ethernet HWaddr 00:25:90:33:11:81 inet addr:172.19.255.254 Bcast:172.19.255.255 Mask:255.255.0.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:169 Memory:febe-fec0 loLink encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1532 errors:0 dropped:0 overruns:0 frame:0 TX packets:1532 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:297812 (290.8 KiB) TX bytes:297812 (290.8 KiB) ppp0 Link encap:Point-to-Point Protocol inet addr:xxx.yyy.z.qq P-t-P:xx.y.z.qqq Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:231 errors:0 dropped:0 overruns:0 frame:0 TX packets:232 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:28657 (27.9 KiB) TX bytes:21865 (21.3 KiB) Also, in the syslog I see this when I run modprobe rt2x00pci.ko: Sep 2 09:25:08 bus kernel: cfg80211: Calling CRDA to update world regulatory domain Sep 2 09:25:08 bus kernel: cfg80211: World regulatory domain updated: Sep 2 09:25:08 bus kernel: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) Sep 2 09:25:08 bus kernel: (2402000 KHz - 2472000 KHz @ 4 KHz), (300 mBi, 2000 mBm) Sep 2 09:25:08 bus kernel: (2457000 KHz - 2482000 KHz @ 2 KHz), (300 mBi, 2000 mBm) Sep 2 09:25:08 bus kernel: (2474000 KHz - 2494000 KHz @ 2 KHz), (300 mBi, 2000 mBm) Sep 2 09:25:08 bus kernel: 
(517 KHz - 525 KHz @ 4 KHz), (300 mBi, 2000 mBm) Sep 2 09:25:08 bus kernel: (5735000 KHz - 5835000 KHz @ 4 KHz), (300 mBi, 2000 mBm) Now I am thinking that perhaps the driver doesn't see the new hardware. I'll try it with the adapter removed. Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] New wireless controller
On 09/02/2011 09:46 AM, Ned Slider wrote: On 02/09/11 04:54, Emmett Culley wrote: I just installed an Asus PCE-n13 wireless card into one of my CentOS 5.6 systems. It uses the RaLink 2680 chip set and I was able to get the driver loaded using modprobe rt2x00pci.ko. I saw no error and now see that the module is loaded along with mac80211 and other dependencies. Now I need to know how to create the wlan0 device. I can find nothing via Google searches on how to create that device. I assumed the driver would do that upon loading, but now I expect some ioctl to the driver command may be required. I created an ifcfg-wlan0 file, but of course ifup wlan0 always returns device not found. Can somebody tell me where to start on getting the wlan0 device created? Emmett Hi Emmett, Are you sure that's the right driver? My guess is you might want the Ralink rt2860sta driver if it's a 2680 chipset. See here: http://elrepo.org/tiki/kmod-rt2860sta Anyway, to know for sure, please post the output from the following command (all one line): for BUSID in $(/sbin/lspci | awk '{ IGNORECASE=1 } /net/ { print $1 }'); do /sbin/lspci -s $BUSID -m; /sbin/lspci -s $BUSID -n; done Also, those Ralink wireless network drivers tend to be built with support for NetworkManager so you should generally enable the NetworkManager service (and disable network and wpa_supplicant services) and let NetworkManager control the device. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos Yup, looks like I am trying to load the wrong driver. I assumed that if the driver loaded it found the hardware. [root@bus ~]# for BUSID in $(/sbin/lspci | awk '{ IGNORECASE=1 } /net/ { print $1 }'); do /sbin/lspci -s $BUSID -m; /sbin/lspci -s $BUSID -n; done 01:00.0 Network controller RaLink RT2860 ASUSTeK Computer Inc. 
Device 130f
01:00.0 0280: 1814:0781
02:00.0 Ethernet controller Intel Corporation 82574L Gigabit Network Connection Super Micro Computer Inc Device 10d3
02:00.0 0200: 8086:10d3
03:00.0 Ethernet controller Intel Corporation 82574L Gigabit Network Connection Super Micro Computer Inc Device 10d3
03:00.0 0200: 8086:10d3

I'll get the correct driver. Also, this is a specialized server, so network manager is not an option. Plus, the wireless card will be configured as an access point and I don't believe NM will allow me to configure it that way.

Emmett
[CentOS] New wireless controller
I just installed an Asus PCE-n13 wireless card into one of my CentOS 5.6 systems. It uses the RaLink 2680 chip set and I was able to get the driver loaded using modprobe rt2x00pci.ko. I saw no error and now see that the module is loaded along with mac80211 and other dependencies. Now I need to know how to create the wlan0 device. I can find nothing via Google searches on how to create that device. I assumed the driver would do that upon loading, but now I expect some ioctl to the driver command may be required. I created an ifcfg-wlan0 file, but of course ifup wlan0 always returns device not found. Can somebody tell me where to start on getting the wlan0 device created? Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] If you are using CentOS 6 and KDE....
I am sure Anne is referring to the fact that CentOS 6 has KDE 4, which has a distinctly different desktop paradigm from KDE 3 in CentOS 5. If you are used to only CentOS 5, and haven't been running any other distributions with KDE 4, it might come as a shock. Emmett On 08/28/2011 05:35 AM, Karanbir Singh wrote: On 08/28/2011 10:28 AM, Anne Wilson wrote: The desktop will look strange and behave differently. If you need any help in getting used to it, either join the kde user list, https://mail.kde.org/mailman/listinfo/kde , the kde forum, http://forum.kde.org/ , or mail me personally. you forgot to mention what the issues really are ? Once again I will turn off receipt from this list. The attitude of several posters is unacceptable to me. is it not easier to just turn off emails from them getting to you via mail filters ? - KB ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: headless fanless silent 2 HDs micro server/pc...
On 08/11/2011 03:38 AM, John Doe wrote:

From: Digimerli...@alteeve.com

http://h10010.www1.hp.com/wwpc/us/en/sm/WF06a/15351-15351-4237916-4237918-4237917-4248009.html

It looks quite nice, although a tiny bit too big for me (no real need the room for 4 HDs + 1 HD or DVD). Saw that one guy was able to install a Smart Array P410 with 512MB BBC too (too bad the drives are not hot-plug). And there is a remote management optional card (if it fits along the P410) which is great since I have no monitor at home. Just wondering how noisy 23dbs are... I tend to be very sensitive to noise, especially at night.

From: Emmett Culley emm...@webengineer.com

Check out the Supermicro X7SPA and X7SPE motherboards. http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPA-H-D525.cfm I am running CentOS 5.6 and CentOS 6 x86_64 on them.

The fake raid says RAID 0, 1, 5, 10 support (Windows Only)... did you install a RAID card? Did you find a nice low profile/noise case for it?

Thx, JD

I use Linux software raid, and never hardware raid :-)

I use this case for most of our deployments: http://www.casetronic.com/product_d.php?id=78

Though I am testing with this one now, as it supports two hard drives and has room inside for an add-in card. http://www.casetronic.com/product_d.php?id=71

Emmett
Re: [CentOS] OT: headless fanless silent 2 HDs micro server/pc...
On 08/09/2011 07:57 AM, John Doe wrote:

Hey, A bit out of topic but I am looking for a micro server/pc if anyone knows a decent one... I found many nice NAS but I would like to have full access to the OS (install CentOS, etc).

Dream one would be
- Very quiet (fanless) since it will sit in my bedroom.
- Headless
- Small.
- 2/3 HDs (2.5 are ok) for RAID1 (hardware RAID would be nice, and with BBC even more).
- 1 or 2 GB NICs
- USB3 or ESATA would be nice...
- Price would not be much of a problem (maybe no more than $1000 though).

Random thoughts:
- a shuttle PC with 2 HDs and a real RAID card (if it fits inside), but maybe too noisy, no headless.
- a mac mini server looks very nice (but max budget, need another Mac to install, not sure if easy/possible to install CentOS).
- some NAS where I could easily replace the OS (not on a flash chip).

So if you know a nice one...

Thx, JD

Check out the Supermicro X7SPA and X7SPE motherboards. http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPA-H-D525.cfm I am running CentOS 5.6 and CentOS 6 x86_64 on them.

Emmett
Re: [CentOS] OT: headless fanless silent 2 HDs micro server/pc...
On 08/09/2011 09:01 AM, Always Learning wrote: On Tue, 2011-08-09 at 08:58 -0700, Emmett Culley wrote: Check out the Supermicro X7SPA and X7SPE motherboards. http://www.supermicro.com/products/motherboard/ATOM/ICH9/X7SPA-H-D525.cfm I am running CentOS 5.6 and CentOS 6 x86_64 on them. Is there sufficient 'guts' on the Intel Atom to do useful work ? What type of tasks are you running ? We use it as a captive portal, caching proxy, content filer, content server, and for remote system monitoring/management. So far it seems to have guts similar to the dual core AMD gateways we use in stationary locations managing up to 200 simultaneous connections. I haven't tested it in a 200 connection situation, but I expect it could handle the traffic. For now it will be used to manage less than 50 simultaneous connections, in a limited bandwidth (cellular 3G and 4G) connection to the Internet application. Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6 - VM network bridge issue (SOLVED)
On 07/20/2011 01:24 AM, James Hogarth wrote:

Initial thought is a routing issue particularly with multiple NICs. What does 'ip r s' reveal?

That was it! ip r s showed that I had the local facing NIC (eth1) as the gateway, which caused all outgoing packets to be routed to the local network DUH!.

Yup been there before. So long as the local NIC doesn't need to hit any other internal subnets you'll be fine... otherwise don't forget to add the appropriate RFC1918 static routes to go out that interface with the default being the external one

Also another thing to watch out for is asymmetric routing. If it is possible to get to a destination via either interface and due to routing issues elsewhere the packet does not return to the same interface through the same gateway you can get odd behaviour

In which case you would need to set up policy routing rules to ensure stuff enters/leaves the right way... but don't worry about that for now - just remember it for later if you get odd network behaviour

Thanks James, I keep it in mind, but by the time it happens I'll need Google again to find this thread :-)
Re: [CentOS] CentOS 6 - VM network bridge issue (SOLVED)
On 07/19/2011 12:14 AM, James Hogarth wrote:

I built a CentOS 6 machine to host several CentOS 6 guest servers. As all guests will be Internet facing I set up the host with two bridged NICs and assigned an Internet facing IP address to br0 and a local IP address to br1. Each guest was installed using br0 and br1 with virtio drivers. On each I assigned an Internet facing IP address to eth0 and a local IP address on eth1.

So far so good. I can access the guest servers from either IP address as expected. That is HTTP, SSH and SMTP servers on them are accessible and do what they are supposed to do. Except...

Except from any location outside of my Comcast Cable Modem. To be clear, from any machine inside the modem to any address on the guests, all works perfectly. But outside the modem the guest apps either don't receive packets or for some reason don't respond, and I've tried it from four different locations.

Using Wireshark on the guests I can see the packets arrive from the outside sources, but no response is seen. On accesses from inside I can see both incoming and outgoing packets, as expected. I can ping the outside sources from the guests, yet pings from the outside sources get no response from the guests. All the outside sources get responses when pinging the host. I can ping the guests from any inside machine.

Initial thought is a routing issue particularly with multiple NICs. What does 'ip r s' reveal?

That was it! ip r s showed that I had the local facing NIC (eth1) as the gateway, which caused all outgoing packets to be routed to the local network DUH!.

Emmett
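The diagnosis reached above (`ip r s` showing the default route on the local-facing eth1) written as a repeatable check. This is an added example, not part of the original thread; the function names, interface roles and sample routing tables are constructed, with 203.0.113.0/24 standing in for the Internet-facing subnet.

```shell
#!/bin/sh
# Added example: decide which interface carries the effective default route,
# given `ip route show` output on stdin. All sample data below is constructed.

# Print the device of the default route the kernel will prefer
# (lowest metric; a route without "metric" counts as 0). Exit 2 if none.
effective_default_dev() {
    awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (!seen || metric < best) { best = metric; best_dev = dev; seen = 1 }
        }
        END {
            if (!seen) exit 2
            print best_dev
        }
    '
}

# check_default_route EXPECTED_IF  (routing table on stdin)
#   0 = default route leaves via EXPECTED_IF
#   1 = default route leaves via another interface
#   2 = no default route at all
check_default_route() {
    routes=$(cat)
    dev=$(printf '%s\n' "$routes" | effective_default_dev) || {
        echo "no default route"
        return 2
    }
    [ "$dev" = "$1" ] && return 0
    echo "default route leaves via $dev, expected $1: replies to outside clients go out the wrong NIC"
    return 1
}

# Constructed sample: the state described in the thread (default via the local NIC).
BROKEN_ROUTES='192.168.6.0/24 dev eth1  proto kernel  scope link  src 192.168.6.40
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.40
default via 192.168.6.1 dev eth1'

# Constructed sample: default via the Internet-facing NIC.
FIXED_ROUTES='192.168.6.0/24 dev eth1  proto kernel  scope link  src 192.168.6.40
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.40
default via 203.0.113.1 dev eth0'

for sample in "$BROKEN_ROUTES" "$FIXED_ROUTES"; do
    if printf '%s\n' "$sample" | check_default_route eth0; then
        echo "ok: default route leaves via eth0"
    fi
done
```

On a live guest the same check is `ip route show | check_default_route eth0`.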
[CentOS] CentOS 6 - VM network bridge issue
I built a CentOS 6 machine to host several CentOS 6 guest servers. As all guests will be Internet facing I set up the host with two bridged NICs and assigned an Internet facing IP address to br0 and a local IP address to br1. Each guest was installed using br0 and br1 with virtio drivers. On each I assigned an Internet facing IP address to eth0 and a local IP address on eth1.

So far so good. I can access the guest servers from either IP address as expected. That is HTTP, SSH and SMTP servers on them are accessible and do what they are supposed to do. Except...

Except from any location outside of my Comcast Cable Modem. To be clear, from any machine inside the modem to any address on the guests, all works perfectly. But outside the modem the guest apps either don't receive packets or for some reason don't respond, and I've tried it from four different locations.

Using Wireshark on the guests I can see the packets arrive from the outside sources, but no response is seen. On accesses from inside I can see both incoming and outgoing packets, as expected. I can ping the outside sources from the guests, yet pings from the outside sources get no response from the guests. All the outside sources get responses when pinging the host. I can ping the guests from any inside machine.

I've tried it with and without firewalls, both on the guests and the host. Including with the following iptables rule:

    iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

and the following sysctl adjustments:

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

Both of the guest servers I've built have the same issue.

Any ideas? I am at a loss as to how to proceed and am about to reconsider the idea of multiple guests as servers. All packages are from the CentOS repo and I am using kvm-qemu via libvirtd and virt-manager.

Emmett
Re: [CentOS] CentOS 6 system-config-bind missing?
On 07/12/2011 08:46 PM, John R Pierce wrote: On 07/12/11 8:19 PM, Emmett Culley wrote: It is NOT trivial to create and manage DNS records with a text editor. yes it is. No, it isn't. At least it isn't trivial for those of us that only occasionally need to modify their DNS server(s). I had a few gripes about system-config-bind, but on the whole it did make it easy for me to manage our DNS servers without having to study the docs each time I needed to make a change. Now I suppose my only choice is to install webmin, or compile system-config-bind from source. I cannot understand the reasoning behind dropping system-config-bind from CentOS/RHEL 6. Then leaving it in Fedora. Since when is less tools better? Especially since there doesn't seem to be a reasonable replacement for this useful tool. Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6 system-config-bind missing?
On 07/13/2011 12:15 PM, Les Mikesell wrote: On 7/13/2011 1:50 PM, John Hinton wrote:

But my use cases are related to a production environment, maintaining several hundred zone files, with lots of adds, changes, and deletes. The s-c-bind GUI tool was useless, compared to TUI edits (certain legacy systems) and scripts to do the backups, accuracy audit, and creation of all files including the PTR record files

So, aren't computer programs supposed to be able to deal with complicated cases, or just not free computer programs? Or is the input syntax just too weird? While s-c-bind may not have been the right answer, it just seems odd as a missing piece in the distribution and epel-provided packages. Almost as odd as not having a network-aware authentication mechanism working as a server out of the box on your initial install - as though it would be unusual to have more than one computer and want those initial users to be able to log into the others you'd add later.

I would have to guess that UpStream decided it was not to be. They most likely had very good reasons for this. I 'barely' looked at it as it could not do what I need to do and that was some years back. Is/Was it capable of doing IPV6? That would be a good reason to put it to bed... given IPV6 will likely become widespread during the lifespan of CentOS 6. Various SPF/SenderID/DomainKeys things also ride on bind these days. It could be that UpStream decided that was a good reason to put it to bed? Either way, CentOS is a nearly exact clone of UpStream, so really you need to go complain at UpStream, not on this list. CentOS has exactly matched their goal of providing the same packages available under UpStream. There is no point to complaining here.

It's not so much a complaint and certainly not directed at CentOS, as pointing out a curious situation that pretty much everyone has to work around. Russ may be of the opinion that everyone should memorize bazillion-page books of details about each quirky service or hire someone who did, but I think the point of using computers should be to make things easier. And I'm surprised that there isn't a common tool to make it easy at least in the usual 3rd party repos.

Yes, certainly NOT a complaint with CentOS. system-config-bind was a very useful tool for us. It wasn't perfect and there were a few features it could have benefited from, but it did a good enough job for what we needed it to do. I had been thinking recently that we needed to start looking for a different way to manage the DNS servers on our gateways, and had even begun to build initial bind configuration for production systems into the configuration scripts. I guess I am unhappy because someone else made the decision about when to stop using system-config-bind for me :-) And for no good reason that I can figure.
[CentOS] CentOS 6 system-config-bind missing?
First system-config-network is not part of CentOS/RHEL 6, now I don't see system-config-bind either. Is there an alternative (GUI) way to manage the bind DNS server? Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6 system-config-bind missing?
On 07/12/2011 06:44 PM, William Hooper wrote: On Tue, Jul 12, 2011 at 8:28 PM, Emmett Culley emm...@webengineer.com wrote:

First system-config-network is not part of CentOS/RHEL 6, now I don't see system-config-bind either. Is there an alternative (GUI) way to manage the bind DNS server?

It looks like there is no GUI way.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Migration_Planning_Guide/chap-Migration_Guide-Package_Changes.html#sect-Migration_Guide-Package_Changes-System_Configuration_Tools (watch for line wrapping)

The system-config-bind tool has been deprecated and removed without replacement. Editing the name server configuration manually via the named.conf file is recommended in Red Hat Enterprise Linux 6.

I don't get this. Both system-config-network and system-config-bind are in Fedora 15. I can sort of get why they would deprecate system-config-network in favor of NetworkManager (barely), but how are we to manage the DNS server? It is NOT trivial to create and manage DNS records with a text editor. For me Webmin is a little too bloated to install, just to manage bind.

Is it time for me (or the community) to create these useful tools?

Emmett
[CentOS] CentOS 6 system-config-network missing
The network configuration GUI is not to be found on any of the CentOS repos or on EPEL. I am not interested in having NetworkManager installed on a server. Is there an application that takes the place of system-config-network? Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6 system-config-network missing
On 07/11/2011 03:26 PM, b.j. mcclure wrote: On Mon, 2011-07-11 at 14:35 -0700, Emmett Culley wrote: The network configuration GUI is not to be found on any of the CentOS repos or on EPEL. I am not interested in having NetworkManager installed on a server. Is there an application that takes the place of system-config-network? Emmett There was much discussion about this on the RHEL 6 beta list several months ago. Many complaints but nothing came of it as far as I know. I just edit the config files in /etc/sysconfig/network-scripts/. B.J. RHEL 6.0, Linux 2.6.32-131.2.1.el6.x86_64 I guess I'll have to do that as well. I couldn't manage bridge network via the GUI anyway. I might try installing NetworkManager and disabling NM control for the bridged devices, but for now it seems easier to just edit the files in /etc/sysconfig/network-scripts. After all, they shouldn't be changing all that often on servers anyway... Emmett ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] script question
On 03/31/2011 05:25 AM, Jerry Geis wrote:

I can do simple search and replace with sed. However, I want to setup httpd.conf from a script that changes the default / which is presently:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

and change it to the following:

    <Directory />
        Order Deny,Allow
        Deny from all
        AllowOverride None
    </Directory>

How do you do that with scripts? Basically substitute everything between the two Directory tags.

Thanks, Jerry

Try:

    sed -i "/<Directory \/>/,/<\/Directory>/ s|Options FollowSymLinks|Order Deny,Allow\n Deny from all|" /etc/httpd/conf/httpd.conf
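The range-scoped substitution suggested above, expanded into a script that confines the edit to the `<Directory />` block, keeps a `.bak` copy and refuses to write a result whose root block is not deny-all. This is an added example, not part of the original thread; the function names and the sample configuration are constructed, and `Order`/`Deny` is the Apache 2.2 syntax the thread uses.

```shell
#!/bin/sh
# Added example: scoped, checked rewrite of the <Directory /> block in an
# Apache 2.2-style httpd.conf. Names and sample data are constructed.

# Addresses bounding the root block only; <Directory "/var/www/html"> does not match.
ROOT_OPEN='^[[:space:]]*<Directory[[:space:]]\{1,\}/>'
ROOT_CLOSE='^[[:space:]]*</Directory>'

# Print just the <Directory /> ... </Directory> block of FILE.
root_block() {
    sed -n "\\#${ROOT_OPEN}#,\\#${ROOT_CLOSE}#p" "$1"
}

# Print FILE with "Options FollowSymLinks" inside the root block replaced by a
# deny-all pair, keeping the indentation. Backslash-newline in the replacement
# is the portable way to emit two lines (\n there is a GNU sed extension).
rewrite_root_block() {
    sed "\\#${ROOT_OPEN}#,\\#${ROOT_CLOSE}#"' s|^\([[:space:]]*\)Options[[:space:]]\{1,\}FollowSymLinks[[:space:]]*$|\1Order Deny,Allow\
\1Deny from all|' "$1"
}

# harden_root_directory FILE
#   0 = root block is deny-all (rewritten now, or already was)
#   1 = I/O problem, 2 = root block missing or not in the expected form
harden_root_directory() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    rewrite_root_block "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Refuse to install a result whose root block is not deny-all.
    if ! root_block "$tmp" | grep -q 'Deny from all' ||
         root_block "$tmp" | grep -q 'Options.*FollowSymLinks'; then
        echo "root <Directory /> block not in the expected form: $conf" >&2
        rm -f "$tmp"
        return 2
    fi

    # Already hardened: leave the file and any earlier backup untouched.
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi

    # Keep the original beside the file, then overwrite in place so the
    # owner, mode and SELinux label of httpd.conf are preserved.
    rc=0
    cp -p "$conf" "$conf.bak" || rc=1
    if [ "$rc" -eq 0 ]; then
        cat "$tmp" > "$conf" || rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: the second block must survive the rewrite unchanged.
make_sample_conf() {
    cat <<'EOF'
ServerRoot "/etc/httpd"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

demo_conf=$(mktemp)
make_sample_conf > "$demo_conf"
harden_root_directory "$demo_conf" && root_block "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

On Apache 2.4 the equivalent directive is `Require all denied`; run `apachectl configtest` before reloading either way.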
Re: [CentOS] ifcfg-rh: error: Unknown connection type 'Bridge'
On 01/13/2011 08:26 AM, James B. Byrne wrote:

CentOS-5.5

# uname -a
Linux inet05.hamilton.harte-lyne.ca 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

Can anyone tell me why I am seeing these error message? Specifically, why is TYPE=Bridge giving Unknown connection type 'Bridge'?

Jan 13 08:25:31 inet05 nm-system-settings: Loaded plugin ifcfg-rh: (c) 2007 - 2008 Red Hat, Inc. To report bugs please use the NetworkManager mailing list.
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-lo ...
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-bridge0 ...
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: error: Unknown connection type 'Bridge'
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-eth0 ...
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: read connection 'System eth0'
Jan 13 08:25:32 inet05 nm-system-settings:ifcfg-rh: Ignoring connection 'System eth0' and its device because NM_CONTROLLED was false.
Jan 13 08:25:32 inet05 gconfd (byrnejb-5832): Resolved address xml:readwrite:/home/byrnejb/.gconf to a writable configuration source at position 0
Jan 13 08:25:34 inet05 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Jan 13 08:25:35 inet05 nm-system-settings: Adding default connection 'Auto eth0' for /org/freedesktop/Hal/devices/net_00_1c_c0_d2_ef_82

My script files look like this:

#bridge0
DEVICE=bridge0
TYPE=Bridge
BOOTPROTO=static
IPADDR=216.185.71.25
NETMASK=255.255.255.0
GATEWAY=216.185.71.1
ONBOOT=yes

#eth0
DEVICE=eth0
ONBOOT=yes
BRIDGE=bridge0
NM_CONTROLLED=no

I saw something similar and it turned out the bridge-utils package was not installed.
Re: [CentOS] heartbeat configuration for lb
On 12/11/2010 07:26 PM, bluethundr wrote:
> Sorry I forgot to finish the story!!! :)
>
> And the interface doesn't appear to be sharing the address:
>
>     [r...@virtcent01:~]#ip addr sh eth0
>     2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>         link/ether 00:16:36:22:92:70 brd ff:ff:ff:ff:ff:ff
>         inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
>         inet6 fe80::216:36ff:fe22:9270/64 scope link
>            valid_lft forever preferred_lft forever
>
> And I can't ping the virtual address I had tried to setup using heartbeat:
>
>     [r...@virtcent01:~]#ping 192.168.1.200
>     PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
>     From 192.168.1.23 icmp_seq=1 Destination Host Unreachable
>     From 192.168.1.23 icmp_seq=2 Destination Host Unreachable
>     From 192.168.1.23 icmp_seq=3 Destination Host Unreachable
>
> thanks again!!!
>
> On Sat, Dec 11, 2010 at 10:13 PM, bluethundr bluethu...@gmail.com wrote:
> > hello list!
> >
> > I am attempting to setup haproxy using a shared IP I am trying to setup using the heartbeat package that I currently have installed:
> >
> >     [r...@virtcent01:~]#rpm -qa | grep heartbeat | grep -v -e stonith -e pils
> >     heartbeat-2.1.4-11.el5
> >     heartbeat-2.1.4-11.el5
> >
> > I have /etc/ha/.d authkeys setup this way:
> >
> >     #
> >     auth 2
> >     #1 crc
> >     2 sha1 {SHA}secret
> >
> > I have /etc/ha.d/resources setup like this:
> >
> >     VIRTCENT01.summitnjhome.com 192.168.1.23
> >
> > And I have /etc/ha.cf setup like this:
> >
> >     # What UDP port to use for udp or ppp-udp communication?
> >     #
> >     udpport 694
> >     bcast eth0
> >     mcast eth0 225.0.0.1 694 1 0
> >     ucast eth0 192.168.1.200
> >     # What interfaces to heartbeat over?
> >     udp eth0
> >     #
> >     # Facility to use for syslog()/logger (alternative to log/debugfile)
> >     #
> >     logfacility local0
> >     #
> >     # Tell what machines are in the cluster
> >     # node nodename ... -- must match uname -n
> >     node lb1.summitnjhome.com
> >     node lb2.summitnjhome.com
> >
> > The service seems to start ok:
> >
> >     [r...@virtcent01:~]#service heartbeat restart
> >     Stopping High-Availability services: [ OK ]
> >     Waiting to allow resource takeover to complete: [ OK ]
> >     Starting High-Availability services:
> >     2010/12/11_22:03:55 INFO: Resource is stopped
> >     [ OK ]
> >
> > (tho I am unsure of that the INFO notice is of the resource being stopped).
> >
> > And I have verified that it is running with ps:
> >
> >     [r...@virtcent01:~]#ps auxwww | grep heartbeat
> >     root 3646 0.1 4.6 12260 12256 ? SLs 22:03 0:00 heartbeat: master control process
> >     nobody 3648 0.0 2.1 5664 5660 ? SL 22:03 0:00 heartbeat: FIFO reader
> >     nobody 3649 0.0 2.1 5660 5656 ? SL 22:03 0:00 heartbeat: write: bcast eth0
> >     nobody 3650 0.0 2.1 5660 5656 ? SL 22:03 0:00 heartbeat: read: bcast eth0
> >     root 3653 0.0 0.2 61180 736 pts/1 S+ 22:04 0:00 grep heartbeat
> >
> > And verified that the box is listening on port 694 (the port that I have set for heartbeat):
> >
> >     [r...@virtcent01:~]#netstat -tulpn | grep heartbeat
> >     udp 0 0 0.0.0.0:694 0.0.0.0:* 3649/heartbeat: wri
> >     udp 0 0 0.0.0.0:50550 0.0.0.0:* 3649/heartbeat: wri
> >
> > However although I have the port enabled in iptables:
> >
> >     -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 694 -j ACCEPT
> >     -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >     COMMIT
> >
> > An nmap scan does not see anything active on 694:
> >
> >     bluethu...@bluethundr-laptop:~$ sudo nmap -sT -A virt1
> >     Starting Nmap 5.00 ( http://nmap.org ) at 2010-12-11 22:07 EST
> >     Warning: Traceroute does not support idle or connect scan, disabling...
> >     Interesting ports on 192.168.1.23:
> >     Not shown: 997 filtered ports
> >     PORT STATE SERVICE VERSION
> >     22/tcp open ssh OpenSSH 5.6 (protocol 2.0)
> >     | ssh-hostkey: 1024 b0:gu:s (DSA)
> >     |_ 2048 b0:gu:s (RSA)
> >     80/tcp closed http
> >     631/tcp closed ipp
> >     MAC Address: 00:16:36:22:92:70 (Quanta Computer)
> >     Device type: general purpose
> >     Running: Linux 2.6.X
> >     OS details: Linux 2.6.15 - 2.6.26
> >     Network Distance: 1 hop
> >     OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> >     Nmap done: 1 IP address (1 host up) scanned in 11.27 seconds
> >
> > I am enclosing an archive of my /etc/ha.d directory in case this is of use to anyone. I would certainly appreciate any help anyone could provide!
> >
> > Thanks!!
> >
> > --
> > GPG me!! gpg --keyserver pgp.mit.edu --recv-keys F186197B

The message you are seeing when you start heartbeat doesn't make any sense to me either, but it does indicate that it started correctly.

The line:

    VIRTCENT01.summitnjhome.com 192.168.1.23

should be:

    VIRTCENT01.summitnjhome.com 192.168.1.200

To cause that IP address to be available upon taking control.
Re: [CentOS] IP forwarding and OpenVPN
On 11/04/2010 07:50 AM, Bart Schaefer wrote:
> On Thu, Nov 4, 2010 at 5:49 AM, Les Mikesell lesmikes...@gmail.com wrote:
> > Quick check is a traceroute from the remote server to a 192.168.144.x address. If it doesn't go into the tunnel interface you need to add a route for the range via the remote tunnel ip.
>
> Hrm. When I try to add such a route on one of the machines I want to reach, I get SIOCADDRT: Network is unreachable.
>
> Maybe the simplest thing is to change the question: How can I cause packets forwarded from my LAN to avoid the VPN and go out via the regular default route?

You can add a line like:

    push "route 192.168.144.0 255.255.255.0"

to the server's configuration file. This will cause a route to be entered into the client's routing table upon connection.
Re: [CentOS] should vsftpd be disabled in favour of sftp for security reasons?
On 09/17/2010 02:51 AM, Robert P. J. Day wrote:
> (another in an ongoing list of things i just want to clarify for the sake of future courses taught on centos.)
>
> from this RHEL doc page:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-openssh-server-config.html
>
> the reader is advised to, for the sake of security, remove/disable vsftpd, ostensibly in favour of sftp/sftp-server. really?
>
> i can obviously see disallowing stuff like telnet and rsh and rlogin, that's a no-brainer. but advising against vsftpd for the sake of security? i'm not sure i see the logic in that. thoughts?
>
> rday

We use vsftpd as an FTPS only server in CHROOT mode. The only reason we don't use sftp instead is because it cannot (easily?) CHROOT users.

Emmett
Re: [CentOS] question on modprobe.conf
On 07/06/2010 11:54 AM, Jerry Geis wrote:
> I downloaded the RHEL 6b2 and noticed the modprobe.conf was no longer present. I used modprobe.conf to place options for ethernet drivers like which order to install the drivers. e1000e before forcedeth - things like that.
>
> Anyway - seems like that file is no longer present. what is the future way to handle driver options?
>
> Thanks
> Jerry

Create a new file in /etc/modprobe.d, with the options you normally put in /etc/modprobe.conf. Any file in that directory is loaded just as /etc/modprobe.conf was.

Emmett