Re: [CentOS] EL8 / certwatch missing

2020-06-17 Thread John Horne
On Sun, 2020-06-07 at 23:36 +0200, Leon Fauster via CentOS wrote:
> I have some scripts using certwatch from the crypto-utils package. This
> rpm seems to be unshipped with EL8. Any ideas what's the "new" tool to
> check pem cert files?
>
Hi,

I have used the 'x509watch' package for several years now to see when
certificates are about to expire.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK

[http://www.plymouth.ac.uk/images/email_footer.gif]<http://www.plymouth.ac.uk/worldclass>

This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, University of Plymouth accepts no responsibility for viruses and it is 
your responsibility to scan emails and their attachments. University of 
Plymouth does not accept responsibility for any changes made after it was sent. 
Nothing in this email or its attachments constitutes an order for goods or 
services unless accompanied by an official order form.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] mlocate-updatedb.timer not working?

2020-03-31 Thread John Horne
On Wed, 2020-03-04 at 09:51 -0600, Frank Cox wrote:
> On Mon, 2 Mar 2020 09:16:16 -0600
> Frank Cox wrote:
>
> > I set this computer up with Centos 8 a few days ago.
> >
> > "systemctl status mlocate-updatedb.timer" says "Active (waiting)".
> >
> > But the mlocate database hasn't been updated since the last time I ran
> > updatedb manually.
>
> Just to follow this up, the mlocate database update started working
> automatically again by magic.  I didn't change anything but it's now updating
> itself daily as expected.
>
Just going through my mail messages, and as a quick reply, if you run
'systemctl list-timers' it will show you when the timer last ran and when it is
next due to run.

No idea as to why yours seemed to stop then start.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] Cron - log when job ends?

2019-11-18 Thread John Horne
On Fri, 2019-11-15 at 16:32 -0500, Karl Vogel wrote:
> > > On Fri, Nov 15, 2019 at 05:54:07PM +0000, John Horne wrote:
>
> J> In trying to resolve a problem with a cron job, we can see when the job
> J> starts by looking in the /var/log/cron log file.  However, I was asked if
> J> when the job ends could also be logged.  (It seems to be something that
> J> crops up every so often over the years.)
>
> You could use something like this with your scripts.
> It works with ksh or bash.
>
Sorry, I should have been more clear. I'm not looking for a 'per-script'
solution. Logging when a job starts is performed by crond, so logging when it
ends should also be done by crond.

Despite the article I mentioned being from 2011, it seems that Debian 10 still
supports the logging of when cron jobs end. Looking into this further it seems
that Debian uses anacron, and then applies a patch which provides the '-L'
option.

I have raised this with the cronie project on github to try and see why this
feature has not been implemented. (It may well be that there are good reasons
for it having not happened.) A very quick look at the cronie code seems to
indicate it may be possible to implement.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



[CentOS] Cron - log when job ends?

2019-11-15 Thread John Horne
Hello,

In trying to resolve a problem with a cron job, we can see when the job starts
by looking in the /var/log/cron log file. However, I was asked if when the job
ends could also be logged. (It seems to be something that crops up every so
often over the years.)

I found on the 'net this article
https://serverfault.com/questions/248915/crontab-is-there-any-log-with-begin-and-end-time

which mentions a loglevel (-L) option, and by setting this to 2 it will log
when a cron job ends. It sounds great, and just what we could use. The downside
is that there seems to be no such option anymore. The article is several years
old but the user says they are using anacron. Checking on both a CentOS 7 and
Fedora 31 system, which both use cronie-anacron, I could find no mention of any
loglevel.

Does anyone know what happened to this option (why it was removed)? It would
seem to be useful, but removed at some time.



Thanks,

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] Peculiar process name in /proc

2019-08-05 Thread John Horne
On Mon, 2019-08-05 at 13:06 +0100, Giles Coochey wrote:
> On 05/08/2019 12:56, John Horne wrote:
> > Hello,
> >
> > I was looking at a process through the '/proc' file system, and came across
> > a process name which seemed to contain a hex value:
> >
> > lrwxrwxrwx. 1 xymon xymon 0 Aug  2 14:07 /proc/58032/exe ->
> > /usr/sbin/xymond;5d44410e (deleted)
> >
> > I am aware of what the 'deleted' part means, but have no idea what the
> > ';5d44410e' part means. Is this some sort of thread reference?
> > The file '/usr/sbin/xymond' does exist and is running as a daemon.
> >
> > Anyone know what the ';5d44410e' is referring to? I have tried Googling
> > about this, but found no mention of it.
> >
> >
> I am not absolutely sure, but is it saying that /usr/sbin/xymond was
> deleted, but was located at that inode reference on the disk?
>
The hex number is quite large, and too big I suspect for the number of inodes
allowed on the partition.

> I know you say it exists, but perhaps it was deleted since running and
> then re-created? or perhaps it is a self-modifying executable?
>
I was going to say no to both of these, however the RPM package ('xymon') was
itself updated at around the time mentioned on Aug 02.
The hex number is equivalent to 1564754190 in decimal which, as an epoch time,
is '2019-08-02 14:56:30'. So it might be possible that '/usr/sbin/xymond' was
replaced and the hex number just indicates the time that occurred.

The downside is that the package update was a bit earlier than 14:56 though, so
the numbers don't seem to quite match up. Secondly, the whole xymon process was
restarted, but the server itself not rebooted, so I would expect all the
processes to be using the new executables rather than an older/deleted one. (I
am a little loath to restart the service at the moment as I may well lose the
info currently in '/proc/.../exe'.)



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
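
The reading discussed in this message (treating the ';5d44410e' suffix as a hexadecimal epoch time) can be checked mechanically. The following is an added example, not code from the thread: it parses a '/proc/<pid>/exe' link target into path, suffix and deleted flag, and lists processes whose executable has been deleted. The function names are illustrative, and interpreting the suffix as a timestamp is the post's hypothesis, not a confirmed meaning.

```python
import os
import re
from datetime import datetime, timezone

# The kernel appends this marker when the executable's directory entry is gone.
# A file whose real name ends in " (deleted)" would look the same.
DELETED_MARK = " (deleted)"

# ';' followed by exactly eight hex digits at the end of the path, as in the post.
SUFFIX_RE = re.compile(r"^(?P<path>.+);(?P<hex>[0-9a-fA-F]{8})$")


def parse_exe_target(target):
    """Split a /proc/<pid>/exe link target into path, hex suffix and deleted flag."""
    deleted = target.endswith(DELETED_MARK)
    if deleted:
        target = target[: -len(DELETED_MARK)]
    info = {"path": target, "deleted": deleted, "suffix": None,
            "epoch": None, "utc": None}
    m = SUFFIX_RE.match(target)
    if m:
        # Hypothesis from the post: the suffix is seconds since the epoch.
        epoch = int(m.group("hex"), 16)
        info.update(path=m.group("path"), suffix=m.group("hex"), epoch=epoch,
                    utc=datetime.fromtimestamp(epoch, tz=timezone.utc))
    return info


def scan_proc(proc_root="/proc"):
    """Yield (pid, parsed target) for processes whose executable is deleted."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        info = parse_exe_target(target)
        if info["deleted"]:
            yield int(entry), info


if __name__ == "__main__":
    # Link target quoted in the post.
    sample = "/usr/sbin/xymond;5d44410e (deleted)"
    parsed = parse_exe_target(sample)
    # 13:56:30 UTC is 14:56:30 UK local time (BST), the value given in the post.
    print(parsed["path"], parsed["epoch"], parsed["utc"].isoformat())
    if os.path.isdir("/proc"):
        for pid, info in scan_proc():
            print(pid, info["path"], info["suffix"], info["utc"])
```

Reading another user's '/proc/<pid>/exe' link normally requires root, so an unprivileged run only reports the caller's own processes.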



[CentOS] Peculiar process name in /proc

2019-08-05 Thread John Horne
Hello,

I was looking at a process through the '/proc' file system, and came across a
process name which seemed to contain a hex value:

lrwxrwxrwx. 1 xymon xymon 0 Aug  2 14:07 /proc/58032/exe ->
/usr/sbin/xymond;5d44410e (deleted)

I am aware of what the 'deleted' part means, but have no idea what the
';5d44410e' part means. Is this some sort of thread reference?
The file '/usr/sbin/xymond' does exist and is running as a daemon.

Anyone know what the ';5d44410e' is referring to? I have tried Googling about
this, but found no mention of it.


Thanks,

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] DNS bind - use of /etc/named directory

2018-12-07 Thread John Horne
On Tue, 2018-12-04 at 00:51 +, John Horne wrote:
>
> For many years we have modified the '/etc/named.conf' file to include local
> settings. The disadvantage with this is of course that when bind is updated,
> it creates an '/etc/named.conf.rpmnew' file. We then have to determine what
> is new, and apply the relevant changes to our modified named.conf file.
>
> There is, however, an '/etc/named' directory which I assumed was for local
> configuration settings. The main '/etc/named.conf' file makes no mention of
> this directory, so (I suspect) any config files in '/etc/named' would, by
> default, just be ignored.
>
> As far as I can tell we could put our local configuration settings into a
> file in '/etc/named', but we would then, once again, have to modify
> '/etc/named.conf' to tell it to include config files in '/etc/named'. We
> would then be back at square one in that any bind update would create an
> 'rpmnew' file.
>
> I admit I haven't actually tested this, but has anyone used the '/etc/named'
> directory and not had to modify the main '/etc/named.conf' file?
>
I finally got round to giving this a test. Unfortunately unless you are adding
new configuration sections, or zones, then it does not work. I wanted to add
some extra 'options' settings and placed them into an
'/etc/named/local_named.conf' file. (The '/etc/named.conf' was modified to
include this file.)

Upon starting bind/named though it complained with
"/etc/named/local_named.conf:2: 'options' redefined near 'options'"
because I had defined the 'options' section in my new config file, as well as
it being present in the supplied default '/etc/named.conf'.

So, in order to add extra options settings, I see no way other than modifying
the supplied '/etc/named.conf' file.

Note: it may well be possible to 'include' a file within the '/etc/named.conf'
options section, provided that file only contained 'options' settings. In our
case we also want to modify the logging section slightly, so we would need
another include in the 'logging' section. Overall, we would end up modifying
the '/etc/named.conf' file with include files just as much as if we just added
the new options directly to it. Trying to use '/etc/named' in our case is just
not worth it.




John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] DNS bind - use of /etc/named directory

2018-12-04 Thread John Horne
On Tue, 2018-12-04 at 08:19 +, J Martin Rushton via CentOS wrote:
> The '/etc/named.conf.rpmnew' file supplied is a bare minimum to
> "configure the ... server as a caching only nameserver (as a localhost
> DNS resolver only)".  As soon as you start adding any structure to it
> things change, not just are added to.  See
> '/usr/share/doc/bind-*/sample/etc/named.conf' for example.  Probably the
> biggest "gotcha" is that as soon as you use _any_ views you MUST use
> views for _all_ zones.
>
> If you were to move the default '/etc/named.conf.rpmnew' to
> '/etc/named.conf' and add an 'include "/etc/named/*";', line as you
> suggest, you would be building problems for the future.  Let's say you
> dropped in 'internal.conf' which had a simple 'view "internal" stanza -
> then your root hints, localhost, localhost IPV6 and reverse localhosts
> would disappear.  Just what you wouldn't want at 00:51 !
>
> What you can do safely is to include the zone definitions in a separate
> file (see '/etc/named.rfc1912.zones' for example) and include that file.
>  Doing things this way means that your main configuration file can be
> written to either use views or not, and to just include your zone
> definitions in the appropriate place.  See the sample file for an example.
>
Thanks for the reply.

However, we don't use views and the local settings are not for zones. We do
currently have a separate zone file, but again that requires an 'include' in
the main '/etc/named.conf'. If a local settings file (in '/etc/named') could be
used, then we would simply 'include' the zone file in that. Ultimately, the
main named.conf file would remain untouched.



John.

>
> On 04/12/18 00:51, John Horne wrote:
> > Hello,
> >
> > For many years we have modified the '/etc/named.conf' file to include local
> > settings. The disadvantage with this is of course that when bind is
> > updated, it
> > creates an '/etc/named.conf.rpmnew' file. We then have to determine what is
> > new, and apply the relevant changes to our modified named.conf file.
> >
> > There is, however, an '/etc/named' directory which I assumed was for local
> > configuration settings. The main '/etc/named.conf' file makes no mention of
> > this directory, so (I suspect) any config files in '/etc/named' would, by
> > default, just be ignored.
> >
> > As far as I can tell we could put our local configuration settings into a
> > file
> > in '/etc/named', but we would then, once again, have to modify
> > '/etc/named.conf' to tell it to include config files in '/etc/named'. We
> > would
> > then be back at square one in that any bind update would create an 'rpmnew'
> > file.
> >
> > I admit I haven't actually tested this, but has anyone used the
> > '/etc/named'
> > directory and not had to modify the main '/etc/named.conf' file?
> >
> > I suspect, if not, then this should be raised as a possible bug since it
> > would
> > make sense not to have to modify the main configuration file at all.
> >
> >
> >
> >
> > Thanks,
> >
> > John.
> >

[CentOS] DNS bind - use of /etc/named directory

2018-12-03 Thread John Horne
Hello,

For many years we have modified the '/etc/named.conf' file to include local
settings. The disadvantage with this is of course that when bind is updated, it
creates an '/etc/named.conf.rpmnew' file. We then have to determine what is
new, and apply the relevant changes to our modified named.conf file.

There is, however, an '/etc/named' directory which I assumed was for local
configuration settings. The main '/etc/named.conf' file makes no mention of
this directory, so (I suspect) any config files in '/etc/named' would, by
default, just be ignored.

As far as I can tell we could put our local configuration settings into a file
in '/etc/named', but we would then, once again, have to modify
'/etc/named.conf' to tell it to include config files in '/etc/named'. We would
then be back at square one in that any bind update would create an 'rpmnew'
file.

I admit I haven't actually tested this, but has anyone used the '/etc/named'
directory and not had to modify the main '/etc/named.conf' file?

I suspect, if not, then this should be raised as a possible bug since it would
make sense not to have to modify the main configuration file at all.




Thanks,

John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] rkhunter and prelink

2017-09-02 Thread John Horne
On Wed, 2017-08-30 at 11:15 -0400, m.r...@5-cent.us wrote:
> Can't remember if I posted this before... We're getting warnings from
> rkhunter
> Warning: Checking for prerequisites   [ Warning ]
>    All file hash checks will be skipped because:
>    This system uses prelinking, but the hash function command does not
> look like SHA1 or MD5.
>
Check in the rkhunter log file (probably /var/log/rkhunter.log). It will tell
you what hash command it is using as it runs. For prelinking it must be SHA1 or
MD5 (set via the HASH_CMD config option). If you set it to literally 'SHA1' or
'MD5', then RKH will look for the relevant command.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK



Re: [CentOS] semi-OT: rkhunter, fix broken links

2015-08-07 Thread John Horne
On Fri, 2015-08-07 at 09:45 -0400, m.r...@5-cent.us wrote:
> Hi, folks,
>
> rkhunter is reporting a broken link on one of our servers. This is
> quite reasonable, since it's on a drive whose controller card I have
> declared dead the other day. I've been googling, searching in the
> manpage, and I've done an rkhunter --propupd, but it still finds the
> broken link. Anyone know how to remove the link from the rkhunter
> d/b?
>
Take a look at the EXCLUDE_USER_FILEPROP_FILES_DIRS option in the
config file. Set it to the link pathname, then run propupd again.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [CentOS] Fail2Ban Centos 7 is there a trick to making it work?

2015-03-30 Thread John Horne
On Tue, 2015-03-10 at 14:43 +0100, Andrea Dell'Amico wrote:

> #= logrotate_t ==
> allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute
> execute_no_trans open };

Looks like this was already fixed in 'selinux-policy'. See
https://bugzilla.redhat.com/show_bug.cgi?id=1114821



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



[CentOS] CentOS 7 - not using latest installed kernel

2014-12-03 Thread John Horne
Hello,

I have just installed CentOS 7 onto two servers and applied all the
current patches. There are currently two kernels installed:

# rpm -q kernel
kernel-3.10.0-123.el7.x86_64
kernel-3.10.0-123.9.3.el7.x86_64


However, if I reboot the servers they both start up on the older kernel:

# uname -r
3.10.0-123.el7.x86_64

I would have expected them to restart using kernel 3.10.0-123.9.3.
I know I can manually select the kernel to use at boot time (from the
grub2 menu), but, as with CentOS 6, I would have expected the servers to
reboot using the latest kernel automatically.

Has anyone else noticed this? Any ideas as to why it might be happening?




Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [CentOS] CentOS 7 - not using latest installed kernel

2014-12-03 Thread John Horne
On Wed, 2014-12-03 at 17:15 +, Lars Hecking wrote:
> > Has anyone else noticed this? Any ideas as to why it might be happening?
>
>  /etc/sysconfig/kernel
>
Yes and no.  The above file has not been changed and states that a new
kernel should be the default.

It seems this problem has already been reported as a bug to CentOS and
up to RedHat: https://bugs.centos.org/view.php?id=7651



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



[CentOS] Keepalived - spurious failovers

2014-11-12 Thread John Horne
Hello,

We are using CentOS 6.6 and keepalived 1.2.13 on two servers for
failover, no load-balancing. Failover is governed by the NIC being
present, and the Apache and Tomcat processes being present. Both servers
are configured as 'EQUAL' (not master/backup). An initial priority of
100 is set, and if a process or NIC fails, then this is reduced by 60 -
causing a lower priority to be seen and failover to take place.
Generally this works well. If we stop the network or one of the
processes, this is logged (to /var/log/messages) and failover happens
within a few seconds.

However, we have had failovers occur during the night several times. It
happened last night, and the night before. Nothing was logged in the
messages file about the NIC being down, or the Apache/Tomcat processes
being unavailable. Nothing was logged by the Apache or Tomcat processes
in their own log files. The failovers have happened at 03:56 on both
nights.

The most obvious suspect causing this would be some nighttime process
such as log rotation or automatic updates. However, I can see nothing
obvious occurring during the night that would cause the keepalived
virtual interface to failover.

The messages log file typically shows:

On the previous master, now slave server...
===
Nov 12 03:56:40 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Transition to MASTER STATE
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Entering MASTER STATE
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
setting protocol VIPs.
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Sending gratuitous ARPs on eth0 for xxx.xxx.xxx.xxx
Nov 12 03:56:48 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Sending gratuitous ARPs on eth0 for xxx.xxx.xxx.xxx
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Received higher prio advert
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
Entering BACKUP STATE
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs)
removing protocol VIPs.
==

On the previous slave, now master server, there is nothing logged at (or
around) this time at all.

As the previous master log shows it 'Received higher prio advert'. But
that implies that the priority on the server is lower, and no indication
why.

Has anyone seen this themselves? Or have any idea why it may be
occurring? As said, some nighttime process seems to be the cause, but I
cannot think of or find anything that would cause it.



Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK
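
The short-lived MASTER period visible in the log excerpt above can be picked out of '/var/log/messages' automatically. The following is an added example, not part of the original post: it parses Keepalived_vrrp lines and reports each MASTER period that fell back to BACKUP within a threshold. The sample lines are the post's log lines with the mail line-wrapping undone; the function names and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime

# Log lines from the post, re-joined where the mailer wrapped them.
SAMPLE_LOG = """\
Nov 12 03:56:40 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Transition to MASTER STATE
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Entering MASTER STATE
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) setting protocol VIPs.
Nov 12 03:56:43 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Sending gratuitous ARPs on eth0 for xxx.xxx.xxx.xxx
Nov 12 03:56:48 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Sending gratuitous ARPs on eth0 for xxx.xxx.xxx.xxx
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Received higher prio advert
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) Entering BACKUP STATE
Nov 12 03:56:51 bill Keepalived_vrrp[27279]: VRRP_Instance(Shib_srvrs) removing protocol VIPs.
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"Keepalived_vrrp\[\d+\]:\sVRRP_Instance\((?P<inst>[^)]+)\)\s(?P<msg>.+)$"
)


def parse_vrrp_lines(lines, year):
    """Return (timestamp, host, instance, message) for each Keepalived_vrrp line.

    Traditional syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a VRRP instance message
        ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["inst"], m["msg"]))
    return events


def find_flaps(events, max_hold_seconds=60):
    """Report MASTER periods that ended in BACKUP within max_hold_seconds."""
    flaps = []
    entered = {}   # (host, instance) -> time MASTER state was entered
    last_msg = {}  # (host, instance) -> most recent message while MASTER
    for ts, host, inst, msg in events:
        key = (host, inst)
        if msg == "Entering MASTER STATE":
            entered[key] = ts
            last_msg[key] = msg
        elif msg == "Entering BACKUP STATE" and key in entered:
            held = (ts - entered.pop(key)).total_seconds()
            if held <= max_hold_seconds:
                flaps.append({"host": host, "instance": inst,
                              "became_master": ts.replace(microsecond=0) - (ts - ts)
                              if False else None,
                              "became_backup": ts,
                              "held_seconds": int(held),
                              "trigger": last_msg.pop(key, None)})
        elif key in entered:
            last_msg[key] = msg
    return flaps


if __name__ == "__main__":
    # 2014 is the year of the post.
    for flap in find_flaps(parse_vrrp_lines(SAMPLE_LOG.splitlines(), 2014)):
        print(flap["host"], flap["instance"], "held MASTER for",
              flap["held_seconds"], "s; last message before BACKUP:",
              flap["trigger"])
```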



Re: [CentOS] Keepalived - spurious failovers

2014-11-12 Thread John Horne
On Wed, 2014-11-12 at 10:27 -0500, m.r...@5-cent.us wrote:
> John Horne wrote:
>
> > We are using CentOS 6.6 and keepalived 1.2.13 on two servers for
> > failover, no load-balancing. Failover is governed by the NIC being
> > present, and the Apache and Tomcat processes being present. Both servers
> > are configured as 'EQUAL' (not master/backup). An initial priority of
> > 100 is set, and if a process or NIC fails, then this is reduced by 60 -
> > causing a lower priority to be seen and failover to take place.
> > Generally this works well. If we stop the network or one of the
> > processes, this is logged (to /var/log/messages) and failover happens
> > within a few seconds.
> >
> > However, we have had failovers occur during the night several times. It
> > happened last night, and the night before. Nothing was logged in the
> > messages file about the NIC being down, or the Apache/Tomcat processes
> > being unavailable. Nothing was logged by the Apache or Tomcat processes
> > in their own log files. The failovers have happened at 03:56 on both
> > nights.
> >
> > The most obvious suspect causing this would be some nighttime process
> > such as log rotation or automatic updates. However, I can see nothing
> > obvious occurring during the night that would cause the keepalived
> > virtual interface to failover.
> snip
> I trust you've looked at the crontab, and /etc/cron.daily, etc.

Yes. Nothing obvious that would cause a problem to apache/tomcat or the
network.

> The other option: have you looked *outside* the systems? Do you have a
> cable between the two, or is it over the network? Is there a network
> thing going on? For example, are the servers on a UPS, and the switch
> they're on not on one?
>
They are both virtual servers - so no UPS. Failover communication is
over the network.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [CentOS] Keepalived - spurious failovers

2014-11-12 Thread John Horne
On Wed, 2014-11-12 at 11:12 -0500, m.r...@5-cent.us wrote:
> John Horne wrote:
>
> > They are both virtual servers - so no UPS. Failover communication is
> > over the network.
>
> Um, bingo: are the host systems on UPS's? What happens on the *host*
> systems at 03:56? They don't, perhaps, take snapshots of the guests then?
>
No, no snapshots are taken. As said this is a spurious event which has
happened at 03:56 for the past two nights. However, we ran for a few
days before then with no problems. Before that it happened at something
like 5AM. It does not happen every night, nor at the same time
(usually).

I have set up a couple of cronjobs to check ifconfig and ping the
interface every few seconds. I also have a job that will monitor the
main interface for VRRP traffic since that should show what the priority
value is when a server claims to have received a higher priority from
another server.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK
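
An added example (not part of the original message, and not keepalived's own code) of what the VRRP capture mentioned above can be checked against: it decodes VRRPv2 advertisements and applies the RFC 3768 Master-state rule, under which a master also steps down for an advert of equal priority sent from a higher address. The addresses, VRID 51, timestamps and adverts are constructed sample input, and that the capture contains VRRPv2 packets is an assumption.

```python
import ipaddress
import struct

VRRP2_ADVERT = 0x21  # version 2 (high nibble), type 1 = ADVERTISEMENT (low nibble)


def internet_checksum(data):
    """16-bit one's-complement checksum over a whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, adver_int=1):
    """Build a VRRPv2 advert; used here only to construct the sample input."""
    header = struct.pack("!BBBBBBH", VRRP2_ADVERT, vrid, priority,
                         len(vips), 0, adver_int, 0)
    tail = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + b"\x00" * 8
    checksum = internet_checksum(header + tail)
    return header[:6] + struct.pack("!H", checksum) + tail


def parse_advert(payload):
    """Decode the VRRP payload of an IP protocol 112 packet."""
    if len(payload) < 8:
        raise ValueError("short VRRP header")
    vt, vrid, prio, count, _auth, adver_int, _csum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if vt != VRRP2_ADVERT:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count          # end of the virtual IP address list
    if len(payload) < end + 8:   # 8 bytes of authentication data follow
        raise ValueError("truncated VRRP advertisement")
    vips = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)]
    # A valid message sums to 0xFFFF including its checksum field, so this is 0.
    return {"vrid": vrid, "priority": prio, "vips": vips, "adver_int": adver_int,
            "checksum_ok": internet_checksum(payload[:end + 8]) == 0}


def master_reaction(local_prio, local_ip, advert, sender_ip):
    """What an RFC 3768 master does with a received advertisement."""
    if not advert["checksum_ok"]:
        return "discard-bad-checksum"
    if advert["priority"] == 0:
        return "peer-resigning"      # the sender is giving up mastership
    local = ipaddress.IPv4Address(local_ip)
    sender = ipaddress.IPv4Address(sender_ip)
    if advert["priority"] > local_prio or (
            advert["priority"] == local_prio and sender > local):
        return "yield-to-backup"     # higher priority, or a tie won on address
    return "ignore"


def review(observations, local_prio, local_ip):
    """Classify captured adverts given as (time, sender address, payload)."""
    results = []
    for when, sender_ip, payload in observations:
        try:
            advert = parse_advert(payload)
        except ValueError as exc:
            results.append((when, sender_ip, None, "unparsable: %s" % exc))
            continue
        results.append((when, sender_ip, advert["priority"],
                        master_reaction(local_prio, local_ip, advert, sender_ip)))
    return results


# Constructed sample: local node 192.0.2.10 at priority 100, peer 192.0.2.20.
LOCAL_IP, PEER_IP, VIP = "192.0.2.10", "192.0.2.20", "192.0.2.100"
SAMPLE_OBSERVATIONS = [
    ("03:56:49", PEER_IP, build_advert(51, 40, [VIP])),    # peer check failed: 100 - 60
    ("03:56:50", PEER_IP, build_advert(51, 0, [VIP])),     # peer resigning
    ("03:56:51", PEER_IP, build_advert(51, 100, [VIP])),   # equal priority, higher address
    ("03:56:52", PEER_IP, b"\x21\x33"),                    # truncated capture
]

if __name__ == "__main__":
    for row in review(SAMPLE_OBSERVATIONS, 100, LOCAL_IP):
        print(row)
```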



Re: [CentOS] Keepalived - spurious failovers

2014-11-12 Thread John Horne
On Wed, 2014-11-12 at 15:44 +, Richard Mann wrote:
 
> +1 to your logrotate thought; I'd dig deeper there.
>
> check /var/lib/logrotate.status; see if it doesn't match up with days
> the failover happens, that different httpd logs are rotating.

Given that failover only occurs if Apache, Tomcat or the NIC fail, I
can't find anything in log rotation that could cause this effect. For
failover to occur the Apache/Tomcat process must be non-existent (in our
case keepalived checks for them using pgrep). We have secondary
monitoring of these processes (Xymon using checks of 'ps'), and that
shows no such failure. Simply logging into the servers and running ps
shows that they are running. I would hope that something would be logged
by either process in the appropriate log file, but nothing is seen. Of
course it could be something dire that simply kills the process dead,
but again we do not see that at all (ps shows they are present). So that
leaves the NIC. Again, I cannot think of any process (day or night) that
would cause the NIC to fail (or restart) - that would be a serious
problem. Secondly, keepalived should log the fact and put itself into a
FAULT state. I tested this on a test server, and it worked as described.
We, however, see no such fault state or log messages on our live
servers.

So, I am very much stumped as to the problem. I'm hoping that if
keepalived fails over tonight, then the cron jobs I have set up may give
a clue.




John.

-- 

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [CentOS] Keepalived - spurious failovers

2014-11-12 Thread John Horne
On Wed, 2014-11-12 at 16:45 -0500, m.r...@5-cent.us wrote:
> John Horne wrote:
> <snip>
> > Given that failover only occurs if Apache, Tomcat or the NIC fail, I
> > can't find anything in log rotation that could cause this effect. For
> > failover to occur the Apache/Tomcat process must be non-existent (in our
> > case keepalived checks for them using pgrep). We have secondary
> > monitoring of these processes (Xymon using checks of 'ps'), and that
> > shows no such failure. Simply logging into the servers and running ps
> > shows that they are running. I would hope that something would be logged
> <snip>
> I don't suppose there was anything in dmesg, either on the guests or the
> host?
>
Nope.



John.

-- 

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



[CentOS] MySQL - replication - how to restore master?

2014-08-13 Thread John Horne
Hello,

We have MySQL running as a master which is replicating to a single slave
server. We are, however, considering what is required when a 'disaster'
of some sort happens to either server. By disaster, this could be some
event which requires the entire server to be rebuilt, and which would
usually include restoring from nightly backups directories such as
'/var/lib/mysql' and '/var/log/mysql' (as set in our my.cnf file). It
could also refer to an event which only affects the mysql service, but
requires us to stop the mysql master service. This may involve
reinstalling the mysql package, and, again, restoring the
'/var/lib/mysql' and '/var/log/mysql' directories.

In the case of losing the slave server, we have found instructions for
rebuilding the slave database and restarting replication using a
mysqldump backup taken from the master server. We have tested this and
it works fine.

However, I am having trouble finding out what to do should we lose the
master server. Typically mysqldump backups of the master are done
overnight, so a failure during the day would mean that the slave is
ahead of the master backup. So this poses two questions:

1) If the master fails, and we perform (at that time) a mysqldump of the
slave, we could import the data into the master, but what commands do we
need to tell the master (and slave?) to start replication based on the
imported data? As far as I can gather the master replication data is
held in the '/var/log/mysql' directory (in our case) in the bin log
files, and these would typically be restored after a disaster.

2) If the master fails and we import the overnight backup data, what
commands do we then need to issue on the master and slave to restart
replication from the imported data? In particular, on the master do we
just delete the bin log files and let replication start afresh? And on
the slave, which at that time would be ahead of the master, how do we
sort out the replication? Do we drop the existing database and import
the backup data into the slave as well, so that both the master and
slave start with the same data?




Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK



Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

2014-04-20 Thread John Horne
On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

A very late reply - yes we use it in conjunction with iptables (on
CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name,
which (as far as I am aware) iptables does not. It is very easy to
configure, and takes immediate effect (no restarting of processes
required).

> And, would you care strongly if it went away (or would you just
> migrate to something else)?
 
Since we use it I would obviously rather it did not go away :-) If we
had to we would probably build our own from source, but initially may
well just look to see if iptables could do all of what we wanted.

 
> What do you think? Do you rely on hosts.allow/hosts.deny a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
 
No policies as such, but we include its installation as part of our
standard server build process. It is part of the security used on our
servers, and, as others have mentioned, multiple layers is the way to go
rather than relying on just one tool.




John.

-- 

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001



Re: [CentOS] Monitor Wireless Networks

2014-02-21 Thread John Horne
On Thu, 2014-02-20 at 09:39 -0600, Joseph Hesse wrote:
> Hi,
> I am having interference with my neighbouring wireless networks.
> Is there a linux tool that enables me to monitor the ESSID, channel,
> power output and other information for neighbouring wireless networks?
> I am especially interested in the channel so I can choose a different one.

Not sure about for CentOS (other than iwlist), but I recently found
'wavemon' for my Fedora 20 system:
http://eden-feed.erg.abdn.ac.uk/wavemon/




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] rkhunter

2014-01-17 Thread John Horne

On 17/01/14 21:37, m.r...@5-cent.us wrote:
> I updated java-1.7.0-openjdk a few hours ago - it *was* listed as a
> critical security update, and I don't want yelling from rkhunter. The man
> page tells me I can tell it rkhunter --propupd package name... but it
> doesn't know the name above as a package. Been googling a bit, and cannot
> find a good example of a package (other than the manpage's coreutil).
>
> Anyone got an example, and/or why it doesn't know this package?

rkhunter will only know about the package if it is monitoring any of the 
package files in its (rkhunter) file properties database. By default I 
don't think it monitors anything that the java package provides. As 
such, rkhunter shouldn't issue any warnings about it.



John.


Re: [CentOS] - monitoring software

2013-10-19 Thread John Horne
On Fri, 2013-10-18 at 14:49 +0200, Paolo De Michele wrote:
> hi,
>
> I have a dedicated server with several services running: ssh, ftp, httpd
> (with several sites and active domains), the mail server (dovecot,
> postfix), dns.
>
> I'd like to monitor all of these services in a graphical, easy, setting
> of thresholds and alerts via email.
> I would also like that if a customer wanted to see the graphs I could
> create codes read-only.
 
Hello,

We use 'Xymon' (http://sourceforge.net/projects/xymon/)
http://www.xymon.com/ will show you what it looks like.
It will monitor what you want, and produce graphs (see the 'trends'
column). I gather it does alerts, but we do not use them ourselves. As
you can see it has a graphical frontend.
We use it to monitor our Centos and RHEL servers, and some Debian and
Fedora devices.



John.

-- 

John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001



Re: [CentOS] KDE login screen configuration problems

2012-12-10 Thread John Horne
On Fri, 2012-12-07 at 14:33 -0600, Mike Watson wrote:
> I take it back. It worked once. It's now reverted to GDM although
> /etc/sysconfig/desktop still reads DISPLAYMANAGER=KDM.

Hello,

On our CentOS 6.3 PC we have:

  DESKTOP=KDE
  DISPLAYMANAGER=KDE

in the '/etc/sysconfig/desktop' file. It works with no problems.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] CentOS 6.3 - KDE login screen configuration problems

2012-11-21 Thread John Horne
On Tue, 2012-11-20 at 18:45 +0100, Nicolas Thierry-Mieg wrote:
> John Horne wrote:
>
> > I basically set the same settings, using the same method, as I did for
> > my Fedora PC. As said, that works. So configuring KDE using the 'system
> > settings' works in Fedora, but not in CentOS.
>
> well, *are* you using kdm?? what's the output of
> ps aux | egrep 'kdm|gdm'

Fedora is using KDM, CentOS GDM. I came across this
http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-sysconfig-desktop.html

and set '/etc/sysconfig/desktop' accordingly, so now we have KDM running
and most of the settings have taken effect.

Still get the 30 second logout confirmation timer, but not so worried
about that.

I find it very odd, to say the least, that if I tell CentOS/RHEL 6 to
install KDE and not Gnome, it goes ahead and uses GDM rather than KDM.
With no indication either that the settings for the login screen will
have no effect.

Anyway, thanks for the help.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] CentOS 6.3 - KDE login screen configuration problems

2012-11-20 Thread John Horne
On Mon, 2012-11-19 at 21:04 -0500, Ted Miller wrote:
> On 11/19/2012 07:25 AM, John Horne wrote:
>
> > The problem is that we would like to configure the login screen, so that
> > it does not show the user list, that it does not allow the shutdown or
> > reboot commands (from the login screen), and if possible to remove the
> > 30 second confirmation timer that occurs when logout (via 'leave') is
> > selected.
> >
> > I have gone into the 'System settings->Advanced->Login screen', and
> > disabled both local and remote shutdowns and reboots. I have also
> > disabled the showing of the user list, and disabled logout
> > confirmations.
>
> Are you actually using KDE login?  I believe that by default Centos uses
> the GDM Gnome login, even when you install KDE.  I am running Centos6 with
> KDE, but I am quite certain that my login is still the default.  Before
> upgrading this machine I was running Centos5, and I jumped through a bunch
> of hoops to enable the KDE login screen, KDM.  I just checked, KDM is
> installed, but I am quite certain it is not enabled.
 
Hello,

I basically set the same settings, using the same method, as I did for
my Fedora PC. As said, that works. So configuring KDE using the 'system
settings' works in Fedora, but not in CentOS.

Thanks for the links, I'll take a look at those tomorrow.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


[CentOS] CentOS 6.3 - KDE login screen configuration problems

2012-11-19 Thread John Horne
Hello,

We generally use CentOS for some servers, and so do not use a GUI
interface. However, I have recently installed CentOS 6.3 onto a PC with
KDE. I am familiar with KDE as I use it with Fedora for my work PC.

The problem is that we would like to configure the login screen, so that
it does not show the user list, that it does not allow the shutdown or
reboot commands (from the login screen), and if possible to remove the
30 second confirmation timer that occurs when logout (via 'leave') is
selected.

I have gone into the 'System settings->Advanced->Login screen', and
disabled both local and remote shutdowns and reboots. I have also
disabled the showing of the user list, and disabled logout
confirmations.

However, none of this has had any effect. The login screen remains the
same - showing the userlist and shutdown/reboot commands, and logging
out still shows the 30 second confirmation timer.

I have compared the /etc/kde/kdm/kdmrc file from the CentOS PC to my
Fedora PC and they are similar. (I make the same changes to my work PC,
and these take effect.)


Anyone any ideas about this?




Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] iptables: recent nolonger supported in Centos 5.8?!

2012-11-09 Thread John Horne
On Fri, 2012-11-09 at 18:10 +0100, Dennis Jacobfeuerborn wrote:
> On 11/09/2012 02:07 PM, Helmut Drodofsky wrote:
> > Hello,
> >
> > we use recent to control ip traffic.
> > kernel 2.6.18-308.13.1.el5 : all is OK
> > kernel 2.6.18-308.16.1.el5 : the first recent statement causes an error.
> > E.g.:
> > iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> > iptables: Unknown error 18446744073709551615
  
Hello,

We're using 'recent' on CentOS 5.8 with no problems. The only difference
I can see with your rule above is that you specify '-p tcp', whereas we
have '-m tcp -p tcp'.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: [CentOS] Perl - strict.pm not found

2012-10-11 Thread John Horne
On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:

> the /etc/cron.daily/freshclam script runs in the early morning, I get
> sent an email error message:
>
> =
> /etc/cron.daily/freshclam:
>
> Can't locate strict.pm in @INC (@INC
> contains: /usr/local/lib64/perl5 /usr/local/share/perl5
> /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5
> /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
> BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
> =
 
Hello,

Turns out this is an SELinux issue - the audit.log file shows access to
strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8
systems, I have submitted it as a bug to RedHat (#865390) to see what
they say. (We have both CentOS and RedHat 5.8/6.3 servers.)




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] Perl - strict.pm not found

2012-10-11 Thread John Horne
On Thu, 2012-10-11 at 11:42 -0400, Daniel J Walsh wrote:
> On 10/11/2012 06:34 AM, John Horne wrote:
> > On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:
> >
> > > the /etc/cron.daily/freshclam script runs in the early morning, I get
> > > sent an email error message:
> > >
> > > = /etc/cron.daily/freshclam:
> > >
> > > Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5
> > > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
> > > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
> > > /usr/local/bin/xymon_event line 15. BEGIN failed--compilation aborted at
> > > /usr/local/bin/xymon_event line 15.
> > > =
> >
> > Hello,
> >
> > Turns out this is an SELinux issue - the audit.log file shows access to
> > strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8
> > systems, I have submitted it as a bug to RedHat (#865390) to see what they
> > say. (We have both CentOS and RedHat 5.8/6.3 servers.)
> >
> > John.
>
> What is the path to strict.pm?  Do you see any AVC messages?

Hello,

The path is '/usr/share/perl5/strict.pm'.

The audit.log shows:

=
type=AVC msg=audit(1349922579.929:111741): avc:  denied  { getattr } for
pid=29296 comm=xymon_event path=/usr/share/perl5/strict.pm dev=sda1
ino=922261 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
=




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


[CentOS] Perl - strict.pm not found

2012-10-10 Thread John Horne
Hello,

I installed the ClamAV package onto a CentOS 6.3 server using yum. I
then modified the /etc/freshclam.conf file to run a perl script whenever
the ClamAV databases were updated:

OnUpdateExecute /usr/local/bin/xymon_event ...

The 'xymon_event' command is used on several servers, and generally
works with no problems. However, on this server when
the /etc/cron.daily/freshclam script runs in the early morning, I get
sent an email error message:

=
/etc/cron.daily/freshclam:

Can't locate strict.pm in @INC (@INC
contains: /usr/local/lib64/perl5 /usr/local/share/perl5 
/usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 
/usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
=

The problem is that 'strict.pm' is located in /usr/share/perl5 (as it is
on our other servers), and /usr/share/perl5 is specified in @INC.

So I am a bit lost as to why perl seems to think that strict.pm cannot
be found. Anyone any ideas?

We run ClamAV, with the freshclam cron job and xymon_event, on other
servers (albeit CentOS 5.8) with no problems.



Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] Perl - strict.pm not found

2012-10-10 Thread John Horne
On Wed, 2012-10-10 at 05:44 -0600, Warren Young wrote:
> On 10/10/2012 4:38 AM, John Horne wrote:
>
> > The problem is that 'strict.pm' is located in /usr/share/perl5 (as it is
> > on our other servers), and /usr/share/perl5 is specified in @INC.
>
> Perl can do this when you've run it out of file handles,

Hello,

Thanks for this, but no. The program is relatively short, runs okay at
other times throughout the day on this and several other servers (both
CentOS 5 and 6 servers). We have other servers that are much more likely
to run out of file descriptors, and they use 'xymon_event' too
throughout the day with no problem.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] snmpd not working well with selinux?

2012-05-31 Thread John Horne
On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:

> restorecon -R -v /var/run
>
> I think the directory is mislabeled.

Hello,

It looks like it is mislabelled by default. If I set the context of
'/var/run/net-snmp' to 'snmpd_var_run_t' then the use of pass_persist
works fine.

I'll submit this as a bug for your consideration.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] snmpd not working well with selinux?

2012-05-31 Thread John Horne
On Thu, 2012-05-31 at 08:43 -0400, Daniel J Walsh wrote:
  
> Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard
> directory for this?
 
Hello,

What I have is:

Fedora 15:
=
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   /var/run/net-snmp

rpm -qf /var/run/net-snmp
net-snmp-5.6.1-7.fc15.x86_64
=

RHEL 6.2/CentOS 6.2:
=
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   /var/run/net-snmp

rpm -qf /var/run/net-snmp
net-snmp-5.5-37.el6_2.1.x86_64
=


So '/var/run/net-snmpd' must have come in at a later date than F15.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] snmpd not working well with selinux?

2012-05-31 Thread John Horne
On Thu, 2012-05-31 at 09:29 -0400, Daniel J Walsh wrote:
  
> It looks like /var/run/net-snmp is correct,  I will fix our policy and get it
> into RHEL6.4
 
Hello,

I received a reply via Miroslav Grepl that this is already fixed. The
bug report is https://bugzilla.redhat.com/show_bug.cgi?id=822480

It seems that '/var/lib/net-snmp' should be used.
I have tested my use of pass_persist and it does work when using
'/var/lib/net-snmp'.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


[CentOS] snmpd not working well with selinux?

2012-05-30 Thread John Horne
Hello,

I am trying to use SNMP on a CentOS 6.2 server, and am using the
'pass_persist' configuration command:

 pass_persist  .1.3.6.1.4.1.141.1   /usr/local/sbin/snmp-iostat

I have set the file context of 'snmpd_exec_t' on the snmp-iostat
program.

If I disable SELinux, then it all works fine (that is, I can then
snmpget/snmpwalk for OIDs in the configured pass_persist OID, and values
are returned). If I enable SELinux and start the snmpd daemon, as root,
from the command line, then again it all works fine. However, if I
enable SELinux, and startup the SNMP daemon using the 'service' command,
as occurs at system boot, then I get no values returned. I get, for
example:

   snmpwalk -v 2c -c public localhost enterprises.141.1.1.10
   SNMPv2-SMI::enterprises.141.1.1.10 = No Such Instance currently
   exists at this OID

(Yes I am using the enterprise number 141 which doesn't belong to us. I
have applied for a site enterprise number, but heard nothing yet.)

I really don't want to disable SELinux completely, but 'getsebool' shows
no variables relating to SNMP so I am a bit stuck as to how I can get
this to work. I also don't understand why it works with SELinux enabled
when started from the command line, but not when started by the
'service' command. That seems very odd.

Anyone any ideas about this?




Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] snmpd not working well with selinux?

2012-05-30 Thread John Horne
On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:

> I am trying to use SNMP on a CentOS 6.2 server, and am using the
> 'pass_persist' configuration command:
 
Sorry, I should have added that nothing appears to be logged
in /var/log/audit/audit.log when snmpd fails to return any values. Nor
is anything about this logged in /var/log/messages by the snmpd daemon.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] snmpd not working well with selinux?

2012-05-30 Thread John Horne
On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
> On 05/30/2012 11:58 AM, John Horne wrote:
> > On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
> >
> > > I am trying to use SNMP on a CentOS 6.2 server, and am using the
> > > 'pass_persist' configuration command:
> >
> > Sorry, I should have added that nothing appears to be logged in
> > /var/log/audit/audit.log when snmpd fails to return any values. Nor is
> > anything about this logged in /var/log/messages by the snmpd daemon.
>
> Turn off dontaudit rules
>
> #semodule -DB
>
> Then run the command
>
> #semodule -B
>
> Will turn them back on.

Hello,

Many thanks for this. I understood that snmpd was under the control of
SELinux, but didn't know about the 'dontaudit' rules.

The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data
from a temporary file. The relevant data is then output back to snmpd.
The temporary file is created via a root cronjob. (I'm not happy with
this, but at the moment haven't thought of another way to do it.) The
file is written into '/var/run/net-snmp'.

When running snmpd again (via 'service') I got the following logged in
audit.log:

=
type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for
pid=3854 comm=snmp-iostat name=snmp-iostat dev=dm-0 ino=524175
scontext=unconfined_u:system_r:snmpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c03e syscall=2
success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0
ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3870 comm=snmp-iostat
exe=/usr/bin/perl subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
=

So it seems that the problem is that 'snmp-iostat' (with the snmpd_t
context) does not have read access to the temporary file in
'/var/run/net-snmp'.
If I change everything to use /tmp instead of '/var/run/net-snmp', I get
the same error logged.
If I change it again to use '/etc/snmp' as the location for the
temporary file, then it works. Since this holds the SNMP config files,
snmpd would, of course, require read access to the directory.

So, using '/etc/snmp' to hold a temporary data file works, but again I'm
not happy with that as a solution! :-)

Is there any (reasonably) secure location where snmpd will have read
access, and that I could use for holding a temporary file?





John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001
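
An added example, not part of the original thread: the AVC denials quoted in the two SELinux threads on this page (freshclam_t on strict.pm, snmpd_t on the file under /var/run/net-snmp) are unwrapped, parsed and grouped by source domain, target type and object class, which is the information needed to judge whether a file is mislabelled. The function names are hypothetical; the sample records are copied as they appear in the messages above, mail line-wrapping included.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Audit records as quoted (and wrapped by the mail client) in the messages above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1349922579.929:111741): avc:  denied  { getattr } for
pid=29296 comm=xymon_event path=/usr/share/perl5/strict.pm dev=sda1
ino=922261 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for
pid=3854 comm=snmp-iostat name=snmp-iostat dev=dm-0 ino=524175
scontext=unconfined_u:system_r:snmpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c03e syscall=2
success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0
ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3870 comm=snmp-iostat
exe=/usr/bin/perl subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Rejoin records that a mail client wrapped; each record starts with type=."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_avc(record):
    """Parse one unwrapped AVC record; return None for any other record type."""
    match = AVC_RE.search(record)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "time": datetime.fromtimestamp(float(match.group("ts")), tz=timezone.utc),
        "serial": int(match.group("serial")),
        "result": match.group("result"),
        "perms": match.group("perms").split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarise_denials(text):
    """Group denials by (source domain, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "objects": set(), "comms": set()})
    for record in unwrap(text):
        avc = parse_avc(record)
        if avc is None or avc["result"] != "denied":
            continue
        entry = summary[(avc["source_type"], avc["target_type"], avc["tclass"])]
        entry["perms"].update(avc["perms"])
        entry["objects"].add(avc["object"])
        entry["comms"].add(avc["comm"])
    return dict(summary)


if __name__ == "__main__":
    for (source, target, tclass), info in sorted(summarise_denials(SAMPLE_AUDIT_LOG).items()):
        print("%s denied {%s} on %s:%s (%s)" % (
            source, " ".join(sorted(info["perms"])), target, tclass,
            ", ".join(sorted(info["objects"]))))
```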


Re: [CentOS] snmpd not working well with selinux?

2012-05-30 Thread John Horne
On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:

> restorecon -R -v /var/run
>
> I think the directory is mislabeled.

Hello,

Made no difference I'm afraid. Both /var/run and /var/run/net-snmp were
labelled as 'system_u:object_r:var_run_t:s0' before and after the
restorecon.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: [CentOS] Request for CentOS stats

2012-05-30 Thread John Horne
On Wed, 2012-05-30 at 17:00 -0400, Max Pyziur wrote:

> Yes, lol ...
>
> I know enough about mailman that it's a cinch for the list administrator
> to get the headline number of subscribers.
 
Why would you want to know such numbers?



John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: [CentOS] anyone doing automatic yum updates via yum-updatesd on production servers?

2012-01-18 Thread John Horne
On Tue, 2012-01-17 at 14:42 -0200, Aslan Carlos wrote:

> Good practice is not to update any package on a server directly without
> testing it first.
>
> That is because some updates may not be fully compatible with your
> configuration.
>
> I do the update first on a test server to ensure that the update will not
> break my system.
>
> I have never updated directly without testing the new package first, so I
> have never had trouble with updates to my servers.
 
I would say that to some extent it depends on what is being updated. If
there is an update to the 'date' command then that could be applied
automatically. But updates, for example, to postfix/sendmail/exim etc on
a mail server, would not be applied by using 'exclude' in the yum.conf
file. These can then be checked and applied manually.




John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: [CentOS] nic bonding

2011-01-17 Thread John Horne
On Mon, 2011-01-17 at 14:05 +1300, Smithies, Russell wrote:
> I've just setup nic bonding on our server (DL585-G7 running Centos 5.5
> x86_64) as detailed on the wiki:
> http://wiki.centos.org/TipsAndTricks/BondingInterfaces and all seems
> fine but from other howto's I've seen on the web, there should be
> a /proc/net/bond0/info
> As far as I can see, I don't have one and I'm not sure if it should be
> there or its absence is a sign I've done something wrong.
> I found /proc/net/dev_snmp6/bond0 but is it the same?
 
Hello,

On one of our CentOS 5.5 systems we have bonded interfaces. There is no
'/proc/net/bond0' directory, but there is '/proc/net/bonding'. The
dev_snmp6 file relates to IPv6 SNMP variables for the bond0 interface -
not the same thing.

You will find that some of the info out on the 'net relating to bonded
interfaces is out of date. I suspect some of the 'howtos' you have
looked at are examples of that.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001


Re: [CentOS] Apparent BIND problem doing RBL lookups for Postfix

2010-04-15 Thread John Horne
On Wed, 2010-04-14 at 17:36 -0700, listserv.traf...@sloop.net wrote:
> --
> Problem:
> Postfix is doing RBL lookups on zen.spamhaus.org.
> Everything goes along groovy - but then lookups start failing.
>
Does your network interface show any abnormalities - dropped packets
etc? I assume you have no local ratelimiting (via iptables etc)?



John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: [CentOS] Exim installation on CentOS

2010-02-08 Thread John Horne
On Mon, 2010-02-08 at 11:31 +0100, Kai Schaetzl wrote:
> James Tanit wrote on Sun, 7 Feb 2010 13:09:11 -0800 (PST):
>
> > Could someone please share some thoughts on how to set up the /etc/hosts
> > and /etc/aliases? This is tough to set up due to the poorly written
> > manual.
>
> If you do not know Exim and it is poorly documented (just repeating your
> words, I don't know if that is true) - why do you want to use it then?
> It's not the default MTA on CentOS.
>
I think quite a few people would disagree about the 'poorly written
manual'. Exim is cited as being one of the better MTA projects because
of its extensive documentation - over 400 pages in the specification, of
varying formats, as well as two (as far as I remember) printed books.



John.

-- 
John Horne   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001


Re: [CentOS] AIDE or OSSEC on CentOS 5.4 x86_64?

2009-11-29 Thread John Horne
On Sat, 2009-11-28 at 18:57 -0500, David McGuffey wrote:
> Starting with a fresh load and after I finish hardening the load
> following the Center for Internet Security (CIS) guidance, I'm wondering
> whether AIDE or OSSEC would be a better intrusion detection system.
>
> I installed AIDE and did a quick test of AIDE and after initializing the
> db and applying the recent cups update, I found that 1700+ files had
> changed.  Those are a lot of changes to wade through to determine if
> they are legit or not. If that is all that AIDE can do, then it is not
> manageable.
>
> Seems to me that any IDS must be tied to the yum update process so that
> one is not dealing with hundreds/thousands of changes that were brought
> in by a yum update that I choose to apply.
>
> Is OSSEC any less noisy?
>
More so as far as I can tell.

Don't forget that prelinking will cause files to regularly change their
hash value whether they have been updated or not. Aide does have a patch
to cater for prelinking (as far as I know it is not in the current
release so you'll have to search their archives for it). OSSEC does not
know about prelinking, so will frequently report files having changed.

Shameless plug: You could take a look at rootkit hunter
(http://sourceforge.net/projects/rkhunter/), its file properties test
knows about prelinking and can use the local RPM database to verify
files, so an updated file won't be flagged as having changed unless
someone has deliberately changed it.

Another alternative is Samhain. As far as I remember it can handle
prelinking, but will report updated files as having been changed.




John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001
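
An added example, not part of the original post and not rkhunter's code: a shell sketch of the RPM-database check mentioned above. It triages output in the format printed by `rpm -Va` so that only packaged, non-config files whose digest no longer matches the database (or which are missing) are reported. The sample lines and the function name `suspicious_files` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format printed by `rpm -Va`:
# an attribute string (3rd character "5" = digest mismatch), an optional
# file-type marker ("c" = config file), then the path.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/cups-1.3.7/README
S.5....T.    /usr/bin/passwd
..5....T.    /sbin/ifconfig
.M.......    /var/spool/cron
missing      /usr/bin/lsattr'

# suspicious_files TEXT
# Prints "changed <path>" for non-config files whose digest differs from the
# RPM database and "missing <path>" for packaged files that are absent.
# Timestamp-only or mode-only differences and config files are skipped.
suspicious_files() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            */*) ;;              # has a path, carry on
            *) continue ;;       # blank or unrecognised line
        esac
        path="/${line#*/}"       # everything from the first "/"
        head=${line%%/*}         # attribute string plus optional marker
        flags=${head%% *}        # attribute string only
        case "$head" in
            missing*) echo "missing $path"; continue ;;
        esac
        case "$head" in
            *" c "*) continue ;; # config file: local edits are expected
        esac
        case "$flags" in
            ??5*) echo "changed $path" ;;
        esac
    done
}

# Stand-alone run on the constructed sample.
suspicious_files "$SAMPLE_RPM_VA"
```

On a live system the input would be `"$(rpm -Va)"`; a file replaced by a yum update matches the database again and so does not appear in the report.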



Re: [CentOS] resolving names it is really slow slow with CentOS5.x using named

2009-05-25 Thread John Horne
On Mon, 2009-05-25 at 13:21 +0200, carlopmart wrote:

>   - Disabling query-source port and forwarders directives:
>
[r...@thranduil data]# nslookup
> www.google.com
;; connection timed out; no servers could be reached
>
Given that your resolv.conf only has 127.0.0.1 listed as a nameserver,
this tends to indicate that named is either not running locally or it is
responding very slowly. You might want to try running named with
query-logging enabled (set the channel and log 'queries' to a separate
file). This should then show you what queries it is receiving and how it
is handling them.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001


Re: [CentOS] Problem detecting HP Tape Drive

2009-01-03 Thread John Horne
On Sat, 2009-01-03 at 23:24 +0330, Mehdi Sarmadi wrote:

>  I do have a problem using Linux with an external HP tape drive. The
> server platform is also an HP Server; the server is an HP ML350 G4,
> and the Tape drive is a HP Storage Works Ultrium 448 - 1U
> Rack-mountable.
>
Hi,

We used to run tape decks on all our HP servers via the cciss scsi
controller, but now only have one. For them we had to 'engage' the tape
deck before it became visible to the system. We modified
the /etc/rc.local file so that this would occur at each system boot.
Below is the script we used for this, you may well need to do something
similar:

   test -f /proc/driver/cciss/cciss2 && \
     echo 'engage scsi' > /proc/driver/cciss/cciss2 2>/dev/null




John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001


Re: [CentOS] Squid Number of hits

2008-10-14 Thread John Horne
On Tue, 2008-10-14 at 16:54 +0530, lingu wrote:
> Dear all,
>
>  I am running squid on centos 5. Is there any tool to calculate the
> number of IPs that hit the server, month-wise?
> Even any command to find out the number of hits is also ok.
>
Calamaris can give you a summary:

   http://cord.de/tools/squid/calamaris/




John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] Nightly yum update did an upgrade

2008-10-02 Thread John Horne
On Thu, 2008-10-02 at 13:11 +0200, Griesbach, Lutz wrote:
> Hi there,
>
> I have a centos (4.?) box with nightly yum update enabled. Last
> night, it did an upgrade to 4.7 leading to several problems, i.e. not
> respawning the dhcrelay, which is needed on this box.
>
> Can I control the update policy not to upgrade to new releases in the
> nightly updates? I would like to do nightly updates, but make release
> upgrades manual (I get a new kernel, so I have to reboot anyway).
>
>
Hi,

Personally I enable nightly updates but disable the updating of certain
packages (services) that the server provides. For this I use the
'exclude' statement in the /etc/yum.conf file. On all servers I include
excluding the kernel and glibc. If these are to be upgraded, and require
a reboot, then I'll do them when it is convenient to me. Other services,
such as exim (MTA), freeradius (RADIUS), squid (web cache), etc are
likewise disabled on the relevant servers. Again, if they are to be
upgraded, then I will do them when it is convenient and without
disrupting the current service.




John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001
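
An added example, not from the original posts, of the policy described above and in the 2012 reply on yum-updatesd: `exclude=` in the `[main]` section of /etc/yum.conf takes a space-separated list of shell globs, and this script shows which pending updates a nightly run would apply and which stay held for a manual upgrade. The yum.conf contents, the package list and the function names are constructed; matching is on the package name only, which is a simplification of yum's own matching.

```shell
#!/bin/sh
# Constructed yum.conf for a mail server that holds back kernel, glibc and
# the MTA, as the posts describe.
SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
exclude=kernel* glibc* exim*
gpgcheck=1'

# Constructed list of package names with updates pending.
SAMPLE_PENDING='coreutils
kernel
kernel-devel
glibc-common
exim
tzdata'

# exclude_patterns CONF_TEXT: print the [main] exclude globs, one per line.
exclude_patterns() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_main = ($0 == "[main]"); next }
        in_main && /^exclude[ \t]*=/ {
            sub(/^exclude[ \t]*=[ \t]*/, "")
            n = split($0, p)
            for (i = 1; i <= n; i++) print p[i]
        }'
}

# is_excluded NAME PATTERNS: succeed if NAME matches any glob in PATTERNS.
is_excluded() {
    set -f                        # keep the globs from expanding to filenames
    for pat in $2; do
        case "$1" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# classify_updates CONF_TEXT PENDING: print "held NAME" or "auto NAME".
classify_updates() {
    pats=$(exclude_patterns "$1")
    for pkg in $2; do
        if is_excluded "$pkg" "$pats"; then
            echo "held $pkg"      # left for a manual, scheduled upgrade
        else
            echo "auto $pkg"      # applied by the nightly update
        fi
    done
}

# Stand-alone run on the constructed data.
classify_updates "$SAMPLE_YUM_CONF" "$SAMPLE_PENDING"
```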


Re: [CentOS] Security Guide for CentOS/RHEL

2008-09-18 Thread John Horne
On Thu, 2008-09-18 at 14:31 +, Josh Donovan wrote:
> Is there a step by step approach to securing CentOS 4X (or even RHEL
> 4X)? I don't mean the stuff in the docs/security guide but a working
> step by step guide? There used to be packages like rkhunter and
> tripwire but I don't know if the ones in rpmforge/kbs repo are up to
> date.
>
For rkhunter, as far as I can remember, the Fedora 8/9 packages are up to
date, so you could download one of those from a mirror and install it.
Personally, I install rkhunter from source, but you can build an RPM
from the source tarball if you want (the source includes an RPM spec
file). Latest version is 1.3.2.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] Security Guide for CentOS/RHEL

2008-09-18 Thread John Horne
On Thu, 2008-09-18 at 15:31 +, Josh Donovan wrote:
> John Horne wrote:
>
> > For rkhunter, as far as I can remember, the Fedora 8/9 packages are up to
> > date, so you could download one of those from a mirror and install it.
> > Personally, I install rkhunter from source, but you can build an RPM
> > from the source tarball if you want (the source includes an RPM spec
> > file). Latest version is 1.3.2.
>
> I haven't looked at Fedora for a long time but what is in the EPEL?

EPEL=Extra Packages for Enterprise Linux
http://fedoraproject.org/wiki/EPEL

  
> i.e. http://fedora.tu-chemnitz.de/pub/linux/fedora-epel/4AS/i386/
> There seems to be an rkhunter updated in Sep 2008 is that for RHEL4 AS?
>
Well it seems to be the 1.3.2 version, so I would say it is good.
RKH (rkhunter) is very generic, so it should work under any (at least
most!) versions of Unix and Linux (regardless of whether they are RHEL
WS, ES or AS).

> Will the Fedora SRPMS (tripwire, rkhunter) for Fedora 8/9 rebuild
> without wanting a ton of stuff updated?
>
RKH only requires a couple of basic packages - typically just a
downloader like 'wget' and 'perl'.

As someone has already suggested, I would use something like aide or
samhain instead of tripwire.


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


[CentOS] How to create a virtual bonded interface?

2008-09-18 Thread John Horne
Hello,

I have a server with 4 NICS running CentOS 5.2. I have bonded the
interfaces together such that 'bond0' consists of eth0-3. This is not a
problem, and works fine.

However, I now need to create a virtual interface. In a non-bonded
server I would just create something like eth0:1, but with a bonded
interface I am a bit confused. I have created bond0:1 simply by copying
the /etc/sysconfig/network-scripts/ifcfg-bond0 file, calling it
'bond0:1' and setting the DEVICE appropriately. Then I ran 'ifup
bond0:1'. The interface came up, and seems to be working okay. I have
not tested yet if the bonding failover works with bond0:1 because I am
doing this remotely at the moment. Tomorrow I should be able to test
that.

My question is, is creating a virtual bonded interface that simple or
have I missed something? Have I done this the right way, or should I
instead have created a second bonded interface ('bond1') and made it
consist of eth0:1, eth1:1, eth2:1 and eth3:1? Admittedly this would have
involved about 8 or so interfaces in total for the server! Secondly, I
added nothing to the /etc/modprobe.conf file. Should I have added
anything like 'alias bond0:1 bonding'? I also did not add any static
routes, yet if I use 'ping' to send packets out through the virtual IP
address ping says it is doing so (so again it all seems to be working).

My concern is that while it seems to be fine at the moment, and even
after rebooting, I may have missed something that will cause it to fail
at some point.

For info, 'ifconfig' output shows:

=
bond0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:141.163.yy.a  Bcast:141.163.yy.yy  Mask:255.255.255.224
          inet6 addr: abcd::abcd:abcd:abcd:abcd/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:88468 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59486 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:80654540 (76.9 MiB)  TX bytes:5847688 (5.5 MiB)

bond0:1   Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:141.163.yy.b  Bcast:141.163.yy.yy  Mask:255.255.255.224
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
=


The 'netstat -rn' output shows:

=
Kernel IP routing table
Destination     Gateway         Genmask          Flags  MSS Window  irtt Iface
141.163.yy.0    0.0.0.0         255.255.255.224  U        0 0          0 bond0
169.254.0.0     0.0.0.0         255.255.0.0      U        0 0          0 bond0
0.0.0.0         141.163.yy.30   0.0.0.0          UG       0 0          0 bond0
=

Shouldn't 'bond0:1' appear there somewhere?


Anyone notice if I missed anything?


Thanks,

John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] How to create a virtual bonded interface?

2008-09-18 Thread John Horne
On Thu, 2008-09-18 at 10:36 -0700, nate wrote:
> John Horne wrote:
> > Hello,
> >
> > I have a server with 4 NICS running CentOS 5.2. I have bonded the
> > interfaces together such that 'bond0' consists of eth0-3. This is not a
> > problem, and works fine.
>
> That is fine, just be sure not to have the bonding specific
> things in the sub interface, just have the IP/subnet/device name
> (bond0:1 etc).
>
Yup. Thanks.

> > For info, 'ifconfig' output shows:
> >
> > =
> > bond0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
>
> Somehow I doubt ifconfig reports your MAC address as xx:xx:xx..
>
> You do realize that your MAC address is useless outside of your
> local layer 2 subnet right.
>
Yeah, old habit I guess :-)



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001
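
An added example, not from the thread: a small lint for an alias file such as ifcfg-bond0:1 that was made by copying ifcfg-bond0, following the advice quoted above that the alias should carry only the device name and IP/subnet and none of the bonding settings. The file contents (with documentation-range addresses), the function name `lint_bond_alias` and the choice of keys treated as bonding-specific (BONDING_OPTS, MASTER, SLAVE) are assumptions for illustration.

```shell
#!/bin/sh
# Constructed alias file: a straight copy of the parent bond's file with only
# DEVICE and IPADDR changed, so a bonding option came along with it.
SAMPLE_ALIAS_COPIED='DEVICE=bond0:1
IPADDR=192.0.2.11
NETMASK=255.255.255.224
ONBOOT=yes
BOOTPROTO=none
BONDING_OPTS="mode=active-backup miimon=100"'

# Constructed alias file trimmed to device name and addressing.
SAMPLE_ALIAS_CLEAN='DEVICE=bond0:1
IPADDR=192.0.2.11
NETMASK=255.255.255.224
ONBOOT=yes'

# lint_bond_alias ALIAS_NAME FILE_TEXT
# Prints one finding per line; prints nothing when the file looks right.
lint_bond_alias() {
    printf '%s\n' "$2" | awk -F= -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "DEVICE" { dev = $2; gsub(/[" \t]/, "", dev) }
        key == "IPADDR" { have_ip = 1 }
        key ~ /^(BONDING_OPTS|MASTER|SLAVE)$/ {
            print key ": bonding setting, remove from alias file"
        }
        END {
            if (dev != want) print "DEVICE: got " dev ", want " want
            if (!have_ip)    print "IPADDR: missing"
        }'
}

# Stand-alone run on the copied file.
lint_bond_alias bond0:1 "$SAMPLE_ALIAS_COPIED"
```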


Re: [CentOS] crontab for nobody

2008-07-20 Thread John Horne
On Sun, 2008-07-20 at 22:04 +0100, Anne Wilson wrote:
> On Sunday 20 July 2008 21:23:52 Stephen Harris wrote:
>
> > What does
> >   find /var/spool/cron -type f ! -size 0
> > show?
>
> Does that mean 'not = size 0'?
>
Yes.

 
> I can't think of anything that explains this.  I have a 6-month-old CentOS 5.2
> install, with nothing out of the ordinary, as far as I can recall.
>
Your previous message showed:

   -rw------- 1 root root 0 Jul  7 16:07 /var/spool/cron/nobody

This will be the last modification date/time, and possibly the creation
date/time if the file was not modified at all. So something around July
7 presumably caused it. If you have the old /var/log/messages files from
around that date, then looking through those might show something. As
might a /var/log/yum.log file which could indicate if something was
automatically installed.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] crontab for nobody

2008-07-20 Thread John Horne
On Sun, 2008-07-20 at 17:28 -0400, Stephen Harris wrote:
> On Sun, Jul 20, 2008 at 10:04:00PM +0100, Anne Wilson wrote:
> > I can't think of anything that explains this.  I have a 6-month-old CentOS 5.2
> > install, with nothing out of the ordinary, as far as I can recall.
>
> I doubt it; 5.2 hasn't been around for 6 months; the release announcement
> for 5.2 is dated Jun 24;
>   http://lists.centos.org/pipermail/centos-announce/2008-June/014999.html
>
> Could have been a 5.1 install
>
Type in 'cat /etc/issue' to  see what it says.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] yum-updatesd not working on CentOS 5.2

2008-07-14 Thread John Horne
On Fri, 2008-07-11 at 17:42 +0100, John Horne wrote:
> On Tue, 2008-07-08 at 12:12 +0200, Santi Saez wrote:
> >
> > So, appears that yum-updatesd can download, notify and install
> > updates.. but none of this works on a fresh CentOS 5.2 :-(
> >
Well I tested this on Centos 5.1 and 5.2, as well as Fedora 9. It does
seem to work. For CentOS 5.2 I simply installed the scim-docs RPM, which
we do not usually have installed but it does have an update waiting.
Having configured yum-updatesd to do an automatic update in 15 mins, I
then just left it. After 15 mins it had applied the update. So it
worked.

In my case the problem is that I have configured yum-updatesd for
notifications by syslog. It seems that the syslog option only works when
updates are 'available'. If you ask for them to be automatically
updated, or if an error occurs, then nothing is logged. (If you use the
email option then you get the errors or update count as a mail message.)
On my 5.1 systems, we have modified yum.conf to exclude the kernel and
glibc packages from updating - we prefer to do those manually. However,
this then means that when yum-updatesd runs, to update the system to
centos 5.2, it gets a dependency error because of our excluded packages.
As mentioned above, using syslog this is not logged at all. (Taking out
the exclusions, and configuring yum-updatesd not to do updates, and I
then correctly get a syslog message that 239 updates are available.)

I have created a patch to the /usr/libexec/yum-updatesd-helper file
which I will log in to the RedHat bugzilla tonight. (I want to check
things on my F9 PC at home before submitting the bugzilla log.) The
patch logs errors and the number of applied updates when using syslog.
Tested, and it works fine (it was how I found out about the missing
dependencies on our 5.1 server).

So, perhaps not much help to the OP I'm afraid, but it sorted out what I
think is a bug (with the syslog option).



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] yum-updatesd not working on CentOS 5.2

2008-07-11 Thread John Horne
On Tue, 2008-07-08 at 12:12 +0200, Santi Saez wrote:
 
> So, appears that yum-updatesd can download, notify and install
> updates.. but none of this works on a fresh CentOS 5.2 :-(
>
> I will try yum-cron.. but I'm also interested in testing
> yum-updatesd, none is using it? there's no patch to solve this? Thanks..
>
Hi,

We use yum-updatesd on CentOS 5.1, 5.2 and Fedora systems. I have to
admit that I have a 5.1 server sitting here telling me that it has a
whole load of patches to install (the 5.2 updates), and I just didn't
associate it with yum-updatesd not installing them. Like you we have
configured yum-updatesd to do automatic installs, although we exclude
things like the kernel for manual updating.

Anyway. I've currently set yum-updatesd to do a check every 15mins (900
seconds) on one server. I'll look and see if there is anything obvious
as to why it doesn't do the updates.

I could see nothing about this on the RedHat bugzilla (no bugs reported
for yum-updatesd at all under Fedora 9). I may test that tonight at
home.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: [CentOS] How can I set NIC duplex before installation?

2007-06-25 Thread John Horne
On Mon, 2007-06-25 at 16:51 -0700, John R Pierce wrote:
> John Horne wrote:
> > Okay, that seems easy enough :-) Thanks.
> > However, is the anaconda NIC ordering the same as those listed by the
> > bios? For a mixed NIC server it could be important.
>
> not always.    I've got some Intel SE7501WV2 based dual xeon servers
> which have dual intel pro1000 NICs onboard...    the BIOS, MS Windows,
> etc think the one labeled '0' on the outside is in fact the first port,
> but RHEL2.1 and RHEL3 at least thought that they were swapped, and that
> eth0 was the port labeled '1', while eth1 is the port labeled '0'.
>
Hmm, well I guess I could use the bios ordering to set the first NIC
options, and if anaconda thinks anything different then just restart the
installation using whatever it (anaconda) thinks is the first NIC. A
pain, but basically it's either going to be 100Mb or 1000Mb! :-)

> I know I could probably force the issue, instead, I just live with it.
> those servers have been SO reliable I've never had to dink with them.

Once the installation has done, we tend to bond the interfaces together
(using active-backup mode). I have found that by creating simple udev
rules, the NIC ordering no longer changes over reboots. I can then
correctly set the NIC options in the ifcfg-ethx files.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839