Re: [CentOS] was, Backups solution from WinDoze to linux, is, looking at bareos [SOLVED]

2015-07-16 Thread Michael Mol
No ongoing lawsuit, AFAIK. I use their upstream repos just fine.

Oh, and I don't use tape. I use the File and GlusterFile storage types,
which work great. Gluster's a great fit, because of how easy it is to
expand your storage dedicated to backups. Just add another brick or two...

On Thu, Jul 16, 2015, 5:46 PM m.r...@5-cent.us wrote:

> m.r...@5-cent.us wrote:
>> I see that bareos is, actually, the descendant of bacula. I've been
>> looking at some of the documentation, and searching, but one thing I'd
>> like to find out, before I try to implement it, and that I haven't found
>> yet: am I going to have to play games, to get it to back up to online
>> storage, as opposed to tape? (I suppose I'm thinking tar, here, as no
>> games.) Is there some default setup for this scenario?
>
> Never mind. More googling found it.
>
> Anyone know if this will ever make it into one of the std. repos, or is
> there a lawsuit ongoing, or?
>
>       mark

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Backups solution from WinDoze to linux

2015-07-15 Thread Michael Mol
On Wed, Jul 15, 2015, 8:22 PM Valeri Galtsev galt...@kicp.uchicago.edu wrote:

> On Wed, July 15, 2015 7:05 pm, Michael Mol wrote:
>> On Tue, Jul 14, 2015, 10:37 AM m.r...@5-cent.us wrote:
>>
>>> My manager just tasked me at looking at this, for one team we're
>>> supporting. Now, he'd been thinking of bacula, but I see their Windows
>>> binaries are now not-free, so I'm looking around. IIRC, Les thinks highly
>>> of backuppc; comments on that, or other packaged solutions?
>>
>> We use Bareos extensively. By default, Bareos is Bacula-compatible. We use
>> Bareos extensively.
>
> What is the story between bareos and bacula? And why do you prefer bareos as
> opposed to bacula? Just curious: I use bacula (it is bacula 5, server is
> FreeBSD, clients are CentOS 5,6,7, FreeBSD 9,10, Windows 7). Thanks for
> your insights!


Story, as I understand it, is that the developer needed an incentive to get
people to pay for a license, so closed distribution of the Windows File
Daemon (the program that reads files and sends them off for storage, for
those unfamiliar) so that only those who pay for a subscription can use it.
(This is all perfectly legal.)

Naturally, this pissed off people who couldn't afford the license, but were
already committed to their implementation.

So...Bareos is a fork from the last open version of that code.

As for why I use Bareos, I'd spent copious time studying Bacula's manual
and figuring out how to apply it. I was 80% of the way through
implementation, complete with offsite backup of all my Linux hosts.

And then I went to back up the Windows hosts. I was not happy.

Took me only a day to rebuild it with Bareos.


Re: [CentOS] Backups solution from WinDoze to linux

2015-07-15 Thread Michael Mol
On Tue, Jul 14, 2015, 10:37 AM m.r...@5-cent.us wrote:

> My manager just tasked me at looking at this, for one team we're
> supporting. Now, he'd been thinking of bacula, but I see their Windows
> binaries are now not-free, so I'm looking around. IIRC, Les thinks highly
> of backuppc; comments on that, or other packaged solutions?


We use Bareos extensively. By default, Bareos is Bacula-compatible. We use
Bareos extensively.


[CentOS] Disable DHCPv6 on Cent7

2015-02-25 Thread Michael Mol
So, I'm seeing a bunch of DHCPv6 traffic coming from my CentOS7
machines. Basically, the machines are trying to send router
solicitations, the packets are blocked at their egress firewalls, and
I get to see the logs.

I don't wish to disable IPv6. I don't wish to statically configure
IPv6 at this time. I wish to have the machines no longer attempting to
send router solicitations as part of DHCPv6.

How do I do this? I tried

DHCPV6C=no

in ifcfg-ifacethatsnoteth0, but that seems to have had no effect. I
still see lines like these:

Feb 25 10:25:48 proxy-comcast-2 NetworkManager[541]: error
[1424877948.384918] [rdisc/nm-lndp-rdisc.c:241] send_rs(): ([snip]):
cannot send router solicitation: -1.
Feb 25 10:25:48 proxy-comcast-2 kernel: OUT-world:IN= OUT=[snip]
SRC=fe80:[snip] DST=ff02:::::::0002 LEN=48
TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

-- 
:wq


Re: [CentOS] Disable DHCPv6 on Cent7

2015-02-25 Thread Michael Mol
On Wed, Feb 25, 2015 at 10:27 AM, Michael Mol mike...@gmail.com wrote:
> So, I'm seeing a bunch of DHCPv6 traffic coming from my CentOS7
> machines. Basically, the machines are trying to send router
> solicitations, the packets are blocked at their egress firewalls, and
> I get to see the logs.
>
> I don't wish to disable IPv6. I don't wish to statically configure
> IPv6 at this time. I wish to have the machines no longer attempting to
> send router solicitations as part of DHCPv6.
>
> How do I do this? I tried
>
> DHCPV6C=no
>
> in ifcfg-ifacethatsnoteth0, but that seems to have had no effect. I
> still see lines like these:
>
> Feb 25 10:25:48 proxy-comcast-2 NetworkManager[541]: error
> [1424877948.384918] [rdisc/nm-lndp-rdisc.c:241] send_rs(): ([snip]):
> cannot send router solicitation: -1.
> Feb 25 10:25:48 proxy-comcast-2 kernel: OUT-world:IN= OUT=[snip]
> SRC=fe80:[snip] DST=ff02:::::::0002 LEN=48
> TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

So, DHCPV6C=no seems to be useless. What's needed is IPV6INIT=no.
That doesn't disable IPv6 (to do that, you have to use sysctl), but it
does tell NetworkManager to not try to configure it. Which is fine.

-- 
:wq
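The finding above is that IPV6INIT=no, not DHCPV6C=no, is what stops NetworkManager from autoconfiguring IPv6 on an interface. As an added example (not from the thread and not the CentOS initscripts' own code), here is a small POSIX shell audit that walks a network-scripts directory and lists every ifcfg file that does not explicitly set IPV6INIT=no, so the interfaces that will keep emitting router solicitations toward the egress firewall can be found from the host side rather than from the firewall's drop log. The function names, the output format and the sample ifcfg files are this example's own constructions; the keys DHCPV6C and IPV6INIT are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list interfaces whose ifcfg file does not
# set IPV6INIT=no, i.e. the ones NetworkManager will still try to autoconfigure
# for IPv6 (and which keep sending router solicitations). DHCPV6C=no alone does
# not stop that, per the finding above. Sample ifcfg files are constructed.

# Value of KEY in an ifcfg file: last assignment wins, surrounding quotes dropped.
ifcfg_get() {            # ifcfg_get KEY FILE
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d '"' | tr -d "'"
}

# One line per ifcfg file in DIR that is not explicitly IPV6INIT=no:
# "<device> <IPV6INIT or -> <DHCPV6C or ->".
audit_ipv6_init() {      # audit_ipv6_init DIR
    dir=$1
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        iface=$(ifcfg_get DEVICE "$f")
        [ -n "$iface" ] || iface=${f##*/ifcfg-}
        init=$(ifcfg_get IPV6INIT "$f")
        dhcp6=$(ifcfg_get DHCPV6C "$f")
        case "$init" in
            no|NO|No) continue ;;   # explicitly disabled: nothing to report
        esac
        printf '%s %s %s\n' "$iface" "${init:--}" "${dhcp6:--}"
    done
}

# Constructed sample network-scripts directory; prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nIPV6INIT=yes\n' > "$d/ifcfg-eth0"
    # The configuration from the question: DHCPV6C=no but IPV6INIT unset.
    printf 'DEVICE=eth1\nBOOTPROTO=static\nDHCPV6C=no\n' > "$d/ifcfg-eth1"
    # The fix from the answer.
    printf 'DEVICE="eth2"\nIPV6INIT="no"\n' > "$d/ifcfg-eth2"
    echo "$d"
}

# Demo on the sample tree. On a real host:
#   audit_ipv6_init /etc/sysconfig/network-scripts
sample=$(make_sample_dir)
audit_ipv6_init "$sample"
rm -rf "$sample"
```

The audit reports eth0 (IPV6INIT=yes) and eth1 (DHCPV6C=no but IPV6INIT unset, the exact combination that did not help above) and stays silent on eth2, where IPV6INIT=no is set.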


[CentOS] Upgrading Perl (modules) / RequestTracker

2014-02-04 Thread Michael Mol
I'm attempting to install RequestTracker on CentOS 6.5. Running make
testdeps as recommended by RT's installation guide, I'm presented with
lists of missing Perl modules.

One of these lines reads:

Encode >= 2.39 ...MISSING


Now, yum whatprovides '*/Encode.pm' informs me that that module is
part of the core Perl distribution, and is installed on my system.
Opening the file itself reveals:

# $Id: Encode.pm,v 2.35 2009/07/13 00:49:38 dankogai Exp $

so I know that I have version 2.35 of that module installed, and
obviously that's < 2.39. So I need to get 2.39 installed.

What is the correct way to do this on CentOS? The last time I had to do
anything like this, it was on a Debian box, I went through the process
recommended by the guys in #perl, and was left with a broken system
that was a real joy to piece back together...
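Before replacing anything, it helps to confirm the requirement against the value Perl itself compares: `use Encode 2.39;` checks `$Encode::VERSION`, not the RCS `$Id` revision in the file header (in Encode's case they happen to agree, but that is not guaranteed in general), and Perl compares single-dot versions such as 2.39 as decimal numbers. As an added example (not from the post), here is a shell helper that asks Perl for the installed version and for its own verdict on the minimum, plus an offline decimal comparison for the same rule. The module name and minimum version are taken from the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): check an installed Perl module against the
# minimum "make testdeps" asks for. Perl compares decimal versions such as
# "2.39" numerically, and "use Encode 2.39;" compares against $Encode::VERSION,
# not the RCS $Id revision in the .pm header. Module/version are from the post;
# function names are this example's own.

# Print the module's own $VERSION, or nothing if it cannot be loaded.
perl_mod_version() {     # perl_mod_version MODULE
    perl -M"$1" -e 'print $'"$1"'::VERSION, "\n"' 2>/dev/null
}

# Exit 0 if MODULE is installed at >= MINVER, using Perl's own comparison
# (exactly what "use MODULE MINVER;" does).
perl_mod_ok() {          # perl_mod_ok MODULE MINVER
    perl -M"$1 $2" -e 1 >/dev/null 2>&1
}

# Offline comparison of two decimal version strings, the way Perl treats
# single-dot versions: 2.4 is newer than 2.39, 2.35 is older than 2.39.
# (Dotted-decimal "v1.2.3" versions need a different comparison.)
decimal_ver_ge() {       # decimal_ver_ge HAVE WANT
    awk -v have="$1" -v want="$2" 'BEGIN { exit !(have + 0 >= want + 0) }'
}

# Report what the RT dependency check would say for one module.
report_mod() {           # report_mod MODULE MINVER
    have=$(perl_mod_version "$1")
    if [ -z "$have" ]; then
        echo "$1: not installed"
    elif perl_mod_ok "$1" "$2"; then
        echo "$1: $have satisfies >= $2"
    else
        echo "$1: $have is older than $2 (MISSING per testdeps)"
    fi
}

# Demo, skipped when perl is absent so the script still loads elsewhere.
if command -v perl >/dev/null 2>&1; then
    report_mod Encode 2.39
fi
```

Run `report_mod Encode 2.39` on the CentOS 6.5 box; if it reports the installed version as older, the module really does need upgrading, and `yum whatprovides` (as in the post) tells you which package owns the file you would be replacing.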




Re: [CentOS] Frustrated. Java on Centos 6 doesn't give an error message when downloading from a Samsung Galaxy S3

2013-05-24 Thread Michael Mol
On 05/24/2013 11:12 AM, Rock wrote:

[snip]
> <Rant> Why the Android dev team removed USB file transfer for Linux
> users is beyond me!  </Rant>

The reason is pretty straightforward...FAT sucks.

USB Mass Storage serves up a block device in a linear layout over USB.
This shows up under Linux as a raw block device. Unless you're using a
disk-level filesystem such as OCFS2, or all mounts are read-only,
there's no way to safely have multiple filesystem drivers independently
access that disk at the same time.

MTP is the workaround for that, at least on mobile devices.

FWIW, Calibre uses MTP to push books and such to Android devices
(including my S3 and my Xoom), and it manages it reliably. Whatever
library it's using could surely be placed under a FUSE filesystem.







Re: [CentOS] unprivileged users rebooting at console

2013-05-05 Thread Michael Mol
On May 5, 2013 6:39 AM, Joseph Spenner joseph85...@yahoo.com wrote:

> I'm curious why any user logged in at the console can issue the 'reboot'
> command and reboot the system.  I've tested/verified this to work, and read
> some older posts about this.  If it were a bug, I suspect it would be fixed
> by now.
> Also, if a user is logged into the console, and then logs in via ssh from
> another system, that user can also reboot the system from that ssh
> connection.  It would seem that once a user authenticates on the console,
> and remains on the console, they can reboot from any other/new tty.  Once
> they drop off the console, the ssh connections can no longer reboot.
>
> If this is by design, why?
>
> Thanks!

Consolekit

Users with physical access have higher capabilities in software because,
well, physical access is root access.

Also, that configuration works better for workstation installations;
imagine if a user couldn't shut down their laptop safely because they
didn't have admin privileges on the system.

(Sorry for brief response; sending from phone.)


Re: [CentOS] Configuring source-specific routing

2013-05-03 Thread Michael Mol
On 05/03/2013 03:24 PM, Michael H. Warfield wrote:
> On Wed, 2013-05-01 at 17:52 -0400, Michael Mol wrote:

[snip]

>>
>> Curiously, at least one guy has reported success:
>>
>> http://sysadminsjourney.com/content/2009/04/15/doing-simple-source-policy-routing-centos/
>>
>> Now, the only thing different between his setup and mine (apart from my
>> using ethN:1 instead of ethN, as all three routers hang off the same
>> ethernet segment) is that where his guide says:
>>
>> echo default table CorpNet via 10.0.0.1 >>
>> /etc/sysconfig/network-scripts/route-eth1
>
> Ok...  Wow...  If that's the only difference between his description and
> what you did, you certainly left A LOT out.  He's using both rules and
> tables neither of which you made any mention of in your original post.

I tried it both ways, honestly. I've been blasted (postfix) or ignored
(samba) more than a few times in other environments for providing too
much information, so I didn't think it wise doing a writeup of both
approaches. Can't win. Can't even break even...

 
> At this point, having read that article, I will eat my earlier words
> (not the first time and certainly won't be the last time).  I guess you
> can now do this using the standard files, it's just that I haven't done
> it in so long that you couldn't do it back then (my excuse and I'm
> sticking with it).  Following his description, I could easily reproduce
> my old setups using ifcfg-ethN, rule-ethN, and route-ethN.  I'm
> impressed.  I don't need it any more but - nice...  That makes it a lot
> easier than what I had to figure out.

I was going to ask you how you tied in your manual script...

 
> Ok...  So, I'm assuming you properly set up the rules-ethN file as well
> (and the proper entry in /etc/iproute2/rt_tables?  You made no mention
> of that in your OP.  That's a very crucial bit there.

So, this is interesting. I'd read that you could use a command like

ip route add 1.2.3.4/32 dev eth0 via 10.1.0.1 src 10.1.0.12 from 4.3.2.1/24

with the from 8.3.2.1/24 portion as part of the IP command, but that
using tables was usually done because it was easier.

What's bizarre is that I could have sworn I had this type of rule even
working. But when I run it on my laptop, and follow up with ip rule
show, the from X clause is gone.

This calls into question everything else I was convinced I had working,
too. But I do know my 'table CorpNet' approach worked when applied
manually, but not when I tried converting it to route-ethN. I won't be
able to try it again for a while, either, but I've got a hunch why it
didn't work.

 
> Also, in your OP you mentioned this:
>
> On Wed, 2013-05-01 at 16:05 -0400, Michael Mol wrote:
>> I've created a route-eth0:1 file that looks roughly like this:
>>
>> 10.0.0.1 dev eth0:1 \
>>   src 10.0.0.2 \
>>   from 10.0.0.0/29
>>
>> default via 10.0.0.1 dev eth0:1 \
>>   src 10.0.0.2 \
>>   from 10.0.0.0/29
>
> You're not showing table numbers or names there so it's not clear if you
> are using different route tables or not (which you MUST do and associate
> them with appropriate match rules).

Yup. See above where I discover from a.b.c.d isn't a valid clause to
attach to the ip command. As finicky as that command is, I'm
disappointed it didn't throw an error.

 
> According to man ip-route on my router the from stanza is not valid
> in a route add (route-ethN files) and in a route ls is only
> applicable to cloned routes.  What you wrote can not literally work,
> by my reading of the ip man pages.

Yup. I just re-read through to double check, when my manual invocation
on my laptop didn't work.

 
> You get the source matching from the rules not the routes.  You
> haven't mentioned (or acknowledged) anything about them but they are
> crucial (as are the use of multiple tables).  What did you set up for
> your match rules?  No match rules, then only the default and local
> tables are going to be used.  Your from specifier goes in your rules,
> not your routes.

I hear you. I just wish I'd documented my first approach (using tables)
better; I'm sure it was a silly error, and I'm getting more sure it was.
I'd rather have had someone thump me over the head and point out a
simple error than spend three days arguing over whether or not
source-specific routing makes sense.

 
> When I look at my route tables, I see src associated with an appropriate
> route.  I don't see any from matches because they are not in the route
> tables they're in the rules.  You also have to look at ip rules ls.
> That's where your from is going to show up and then tell you what
> table it's going to use as its routing table.
>
>> My first pass at making my code platform-idiomatic effectively was:
>>
>> echo default via 10.0.0.1 table CorpNet >>
>> /etc/sysconfig/network-scripts/route-eth1
>>
>> (the table $table clause in mine was at the end of the line, following
>> the pattern I'd read in LARTC, rather than near the beginning of the line.)
>
> Ok, so you are using the table named CorpNet which you must have added
> to /etc/iproute2/rt_tables in advance (his step 1

Re: [CentOS] Configuring source-specific routing

2013-05-03 Thread Michael Mol
On 05/03/2013 05:06 PM, Ljubomir Ljubojevic wrote:
> On 05/02/2013 08:48 PM, Michael Mol wrote:

[snip]

>
> Alternate source routing, firewall and netfilter marking of packets:
>
>
> iptables -t mangle -A PREROUTING -s 172.24.5.0/24 -j MARK --set-mark 100 #
> iptables -t mangle -A PREROUTING -s 192.168.150.107 -j MARK --set-mark
> 200 #
> iptables -t mangle -A PREROUTING -s 192.168.150.224 -j MARK --set-mark 100
>
>
> # Local network
> iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 20
> iptables -t mangle -A PREROUTING -d 172.16.0.0/12  -j MARK --set-mark 20
> iptables -t mangle -A PREROUTING -s PublicIP -d 192.168.0.0/16 -j MARK
> --set-mark 20
> iptables -t mangle -A PREROUTING -s PublicIP -d 172.16.0.0/12 -j MARK
> --set-mark 20
>
> And then something like:
>
> # echo 201 mail.out >> /etc/iproute2/rt_tables
> # ip rule add fwmark 1 table mail.out
> # /sbin/ip route add default via 195.96.98.253 dev eth0 table mail.out
>
> (http://lartc.org/howto/lartc.netfilter.html).
>
> Used firewall rules are from StarOS router OS that has simple script for
> policy routing so that second part with ip rule and ip route is just a
> pointer in right direction.

I don't figure I want to use the mangle table for this. Though thanks
for the example code; that will come in handy for tc. Just need to figure
out how to work that in with sanewall.

I think I know what I did wrong, but it's going to be a while before I
can test it. (Dang, I wish I had enough spare hardware at home to set up
a test lab.)






Re: [CentOS] Configuring source-specific routing

2013-05-03 Thread Michael Mol
On 05/03/2013 06:05 PM, Rob Townley wrote:
> Michael, very frustrating that so much noise for a very simple request.  I
> set up multi source routing in 5.3 or so and was astounded at all the
> negativity on this list and that it could not be done.  It will take
> forever to read the noise in this thread alone.  Some said you have to use
> DHCP i could go on.
>
> Do not trust that ping -I will work how you would think.  Must specify an
> IP address, not eth0, not eth1.
> ping -I 10.0.0.1 8.8.8.8

Yup. Sans the obfuscated IP address, that's exactly what I tested.

>
> This really is just a few lines per interface.
>
> Learn by changing the /etc/sysconfig/network-scripts/ifup-route shell
> scripts to add logging.
> echo out variables.

I tried adding set -x to them. :)

>
> There is no need to get iptables involved at all unless doing something
> very special.
>
> i did not want to setup quagga or some form of dynamic routing daemon
> because of security concerns.  i wanted static IP addresses communicating
> to the ISP on static routes.  It is pretty simple.  Maybe i can hook up my
> laptop to 3G and WiFi and Cat6 and make sure i get it working.  Please
> remember to use IP addresses, not names for ping testing.  Scrutinize ping
> results.
>
> ping -I 10.0.0.1 8.8.8.8

Yeah, I don't see a use for quagga at this time.

[snip]







Re: [CentOS] Configuring source-specific routing

2013-05-02 Thread Michael Mol
On 05/02/2013 08:57 AM, Les Mikesell wrote:
> On Wed, May 1, 2013 at 4:52 PM, Michael Mol mike...@gmail.com wrote:
>
>> Intent is to maintain the old, slow (but has an SLA) connection as a
>> fallback, and migrate services to the new connection piecemeal.
>> Meanwhile, the same DNS server on the new connection can be, e.g. ns3.
>> The same mailserver can have a new MX on the new connection...likely
>> prioritized to it.
>
> Note that there are more straightforward ways to do this.   One is to
> pretend you are big enough to have a distributed server farm and
> actually have independent servers at the other IPs, even if they are
> VMs.  This is fairly easy for mostly-static or database-driven web
> sites, fairly difficult for applications that are more stateful but
> perhaps possible with a common NFS backend.   Another is to have
> application-level proxies or load balancers like haproxy, nginx,
> apache configured as a reverse-proxy, or even port forwarding with an
> xinetd 'redirect' configuration.  This loses the source ip from the
> application logs, although the http proxies have an option to pass
> them.   Similarly you could use iptables to source-nat on the
> receiving side and forward to a backend server.  These all have some
> disadvantages, but with separate hosts each having one default gateway
> to the internet and static routes for your own local ranges you have a
> lot less black magic involved.

Actually, this is all stuff (well, except for haproxy) we have
implemented. 80-90% of my servers don't even need (and, ultimately,
won't have) public IP addresses. (And I still won't need NAT, thank god.)

Internally, I'm not far from having things set up as a fluid private
cloud with scaleable services.

Ultimately, for this to work cleanly, anything which requires a public
IP (be it a raw authoritative DNS server or a load balancer) will
require an IP on both public subnets.

The only blocker right now is getting CentOS to do source-policy routing
properly.





Re: [CentOS] Configuring source-specific routing

2013-05-02 Thread Michael Mol
On 05/02/2013 01:01 AM, anax wrote:
> On 2013-05-01 22:05, Michael Mol wrote:
>> I'm attempting to configure source-specific routing so that my servers
>> can exist on multiple subnets from multiple upstream providers.
>>
>> A rough diagram of the network layout:
>>
>>
>> ISP1 router (blackbox, routes subnet A, address on subnet A)
>>   \
>>    ---eth0(firewall)eth1---((servers))
>>   /
>> ISP2 router (blackbox, routes subnet B, address on subnet B)
>>
>> The aim is to allow the servers to use both subnet A and subnet B. To
>> allow this, any machine on both subnets must have source-specific
>> routing configured, else packets originating from one ISP's AS will be
>> directed at the other's router, and neither ISP cares for that.
>>
>> At the moment, I'm focusing on getting the second ISP properly added to
>> the firewall box. The firewall box is using CentOS 6.4, and normally
>> passes traffic back and forth via proxy_arp. None of my interfaces are
>> NM_CONTROLLED, and NetworkManager is not installed, much less started.
>>
>> I've created a route-eth0:1 file that looks roughly like this:
>>
>> 10.0.0.1 dev eth0:1 \
>>   src 10.0.0.2 \
>>   from 10.0.0.0/29
>>
>> default via 10.0.0.1 dev eth0:1 \
>>   src 10.0.0.2 \
>>   from 10.0.0.0/29
>>
>> (Treat indented lines as continuations of the previous line)
>> (No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)
>>
>> If I run ifup eth0:1, ip route show includes the lines:
>>
>> 10.0.0.1 dev eth0  scope link  src 10.0.0.2
>> 10.0.0.0/29 dev eth0  proto kernel  scope link  src 10.0.0.2
>> default via 10.0.0.1 dev eth0
>>
>>
>> Note that the from 10.0.0.0/29 clause is missing. With the addition of
>> a second default route on my firewall/gateway without any restriction on
>> which traffic should go that way, my whole network, of course, tanks.
>>
>> I'm surprised it's been such a pain; I would have expected it to be a
>> relatively common configuration. What's the proper way of doing
>> source-specific routing on CentOS?
>
> http://www.linuxjournal.com/article/7291
> http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
>
> might probably help you
>
> suomi


Read that whole document before writing a line of code.

Also of use, in case anyone else comes across this thread:
Network Warrior, by Gary A. Donahue
The TCP/IP Guide, by Charles M. Kozierok
NIST SP 800-119, Guidelines for the Secure Deployment of IPv6
IPv6 Network Administration, by Niall Richard Murphy & David Malone
Content Delivery Networks, edited by Rajkumar Buyya, Mukaddim Pathan,
Athena Vakali (In particular, see DNS-based network management)

That's most of the relevant network-related stuff I've got in my library.






Re: [CentOS] Configuring source-specific routing

2013-05-02 Thread Michael Mol
On 05/02/2013 05:13 AM, James Hogarth wrote:

>> Yeah, I've gone that deep. And a tad deeper. I had almost *everything*
>> working by hand, and went to figure out how to convert it to idiomatic
>> CentOS network configuration scripts. And took my network down *three
>> times* because of the script-processing stripping things out.
>
>
> The files to use for this in RHEL land are rule-ethX similar to how
> ifcfg-ethX and route-ethX get used ...

Yup. And if you put a line in route-ethN like:

default via 10.0.0.1 dev ethN from 10.0.0.0/24

you're in for a rude shock; running ip route show after bringing up
ethN will show something like:

default via 10.0.0.1 dev ethN

...having stripped the key from 10.0.0.0/24 portion. I ran into
similar problems with table SomeTable.






Re: [CentOS] Configuring source-specific routing

2013-05-02 Thread Michael Mol
On 05/02/2013 01:05 PM, Les Mikesell wrote:
> On Thu, May 2, 2013 at 8:14 AM, Michael Mol mike...@gmail.com
> wrote:
>
>> Ultimately, for this to work cleanly, anything which requires a
>> public IP (be it a raw authoritative DNS server or a load balancer)
>> will require an IP on both public subnets.
>
> No it doesn't, as long as you don't mind losing the source IP for
> logging or configure your http proxy to pass it.  You can use
> separate front end proxies or load balancers on each public range,

No, I really can't. And not for reasons I can change until this summer,
at the earliest, nor can I discuss them without breach of NDA.

> with its default gateway pointing toward the ISP handling it.   DNS
> service is simple enough to have standalone servers for each instance
> you need.

This would also require either resources or underlying authorizations I
don't have.

> Web browsers are actually very good at handling multiple IPs in DNS
> responses and doing their own failover if some of the IPs don't
> respond.

It varies greatly by client software. And given the explosion of
unreliable network connections (wifi, mobile), some of that failover
logic's margin is already lost in dropped packets between the client and
their local network gateway.

> SMTP will retry following your MX priorities.

Yup. MX is a no-brainer, as are NS and SIP/SRV.

> For other services you might need to actively change DNS to drop IPs
> if you know they have become unreachable, though.

Yup. That's what I was planning on doing, more or less. Start with
ordering IPs by route preference, drop IPs by link state. I just wish I
could drive it by snooping OSPF...

 
>> The only blocker right now is getting CentOS to do source-policy
>> routing properly.
>
> It's a black art

Once you've read the docs and tried a few commands, it's pretty easy to
wrap your head around it. My problem is that what I was able to get
working by hand gets mangled by the processing logic for
/etc/sysconfig/network-scripts/route-ethN.

> - I'd give up the source IP logging first and rely on the back end
> servers sending back to the proxy that received the request and only
> has the default route to that one ISP.

I'm not doing any special logging. That one firewall/routing device sits
between the ISP routers and _all_ my internal machines. Everything sits
behind it. There are reasons for this.





Re: [CentOS] Configuring source-specific routing

2013-05-02 Thread Michael Mol
On 05/02/2013 02:02 PM, Les Mikesell wrote:
> On Thu, May 2, 2013 at 12:31 PM, Michael Mol mike...@gmail.com wrote:
>>> with its default gateway pointing toward the ISP handling it.   DNS
>>> service is simple enough to have standalone servers for each instance
>>> you need.
>>
>> This would also require either resources or underlying authorizations I
>> don't have.
>
> CentOS VMs are really, really cheap

That's really, truly, seriously not the issue. I don't know if you saw
where I said I was setting up a private cloud.

And, as I said, I can't discuss the problem without breach of NDA.

 
>>> Web browsers are actually very good at handling multiple IPs in DNS
>>> responses and doing their own failover if some of the IPs don't
>>> respond.
>>
>> It varies greatly by client software. And given the explosion of
>> unreliable network connections (wifi, mobile), some of that failover
>> logic's margin is already lost in dropped packets between the client and
>> their local network gateway.
>
> Yes, but typically they can deal with receiving multiple IPs from the
> initial DNS lookup even if some are broken better/faster than getting
> one IP which subsequently breaks and then having to do another DNS
> lookup to get a working target.   At least the few browsers I tested a
> while back did...

You missed my point, my point was that your margin is already eaten into
by unreliable networks.

 
>>> For other services you might need to actively change DNS to drop IPs
>>> if you know they have become unreachable, though.
>>
>> Yup. That's what I was planning on doing, more or less. Start with
>> ordering IPs by route preference, drop IPs by link state. I just wish I
>> could drive it by snooping OSPF...
>
> I don't think you can count on your ordering reaching the clients or
> meaning anything to them if it does.  And some applications won't ever
> do a lookup again.

Yes, intermediate resolvers may reorder responses. That's fine and
pretty normal. If ordering responses doesn't work, I fall back to a
stochastic approach; that's actually rather a given, since an
oversaturated link qualifies as down for the purpose of new connections.

And, yes, there's a lot of client software out there (*especially web
browsers*) which cache responses and disregard TTLs. To those users, I
really can only say have you tried turning it off and back on again?

But here we are, arguing about *load balancing*, when the problem I face
is, frankly, one of taking either of a pair of *known-to-work* sequences
of invocations of ip commands and getting whatever process
/etc/sysconfig/network-scripts/{ifcfg-eth*,ifcfg-route*} to maneuver the
kernel into the same resulting state.

Source-based routing frankly isn't that hard! From the perspective of an
edge node (i.e. a server):

# First subnet
ip addr add 10.0.0.2/24 dev eth0 brd 10.0.0.255
ip route add default via 10.0.0.1 dev eth0 src 10.0.0.2

# Second subnet
ip addr add 10.1.0.2/24 dev eth0 brd 10.1.0.255
ip route add default via 10.1.0.1 dev eth0 src 10.1.0.2

and from a router's perspective, it's

# Assuming proxy_arp is set on eth0 and eth1
# Sets up source-specific routing for 10.0.0.0/24
# WAN hangs off eth0. LAN hangs off eth1.
ip addr add 10.0.0.2/24 dev eth1 brd 10.0.0.255 # To LAN
ip addr add 10.0.0.2 dev eth0 # For the benefit of 'src 10.0.0.2' below
ip route add 10.0.0.1 dev eth0 src 10.0.0.2 # For 'via 10.0.0.1' below
ip route add default via 10.0.0.1 dev eth0 src 10.0.0.2 from 10.0.0.0/24

# Assuming proxy_arp is set on eth0 and eth1
# Sets up source-specific routing for 10.1.0.0/24
# WAN hangs off eth0. LAN hangs off eth1.
ip addr add 10.1.0.2/24 dev eth1 brd 10.1.0.255 # To LAN
ip addr add 10.1.0.2 dev eth0 # For the benefit of 'src 10.1.0.2' below
ip route add 10.1.0.1 dev eth0 src 10.1.0.2 # For 'via 10.1.0.1' below
ip route add default via 10.1.0.1 dev eth0 src 10.1.0.2 from 10.1.0.0/24

That's it! (unless I typo'd or thinko'd something coming up with these
examples.) It took me all of three or four hours yesterday to learn this
much of it. Then the rest of the day discovering the stuff I was putting
in route-ethN wasn't being honored.

My problem has been that the from 10.x.0.0/24 parameter keeps getting
stripped by whatever processes /etc/sysconfig/network-scripts/route-ethN
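The replies from Warfield and Hogarth earlier in the thread put the `from` match in a rule-ethN file and the per-ISP routes in a separate table in route-ethN, instead of a `from` clause on the route itself (which `ip route add` silently drops, as seen above). As an added example, not part of the thread and not the CentOS initscripts' own code, here is a POSIX shell helper that generates the three pieces for one ISP link (an /etc/iproute2/rt_tables entry, a rule-ethN line, and table-confined routes in route-ethN), appends them idempotently under an optional root directory so the result can be generated into a scratch tree and inspected before touching the live files, and a check to run after `ifup`. The addresses are the thread's redacted RFC1918 ones; the table names and ids (IspA/100, IspB/101), the function names and the exact line layout are this example's assumptions. The point it addresses is the one stated in the thread: with two unrestricted default routes in the main table, replies sourced from one ISP's prefix can leave via the other ISP, which neither ISP accepts.

```shell
#!/bin/sh
# Added example: source-policy routing expressed as CentOS 6 network-scripts
# files (rt_tables entry + rule-DEV + route-DEV), not code from the thread.
# Table names/ids and function names are assumptions; addresses are the
# thread's redacted RFC1918 examples.

# rt_tables line "<id> <name>". Ids 1..252 are free (253-255 are reserved).
rt_table_entry() {       # rt_table_entry NAME ID
    printf '%s %s\n' "$2" "$1"
}

# rule-DEV line: traffic sourced from the ISP subnet consults TABLE.
# ifup-routes passes each line to "ip rule add".
rule_file() {            # rule_file SUBNET TABLE
    printf 'from %s table %s\n' "$1" "$2"
}

# route-DEV lines for TABLE: the connected subnet (so "via GATEWAY" resolves
# inside the table) and the ISP default. Each line goes to "ip route add".
# The default route is confined to TABLE, so the main table keeps one default.
route_file() {           # route_file SUBNET GATEWAY DEV SRC TABLE
    printf '%s dev %s src %s table %s\n' "$1" "$3" "$4" "$5"
    printf 'default via %s dev %s src %s table %s\n' "$2" "$3" "$4" "$5"
}

# Append each LINE to FILE unless an identical line is already present,
# so the helper can be rerun and two ISPs can share one route-DEV file.
append_unique() {        # append_unique FILE LINE...
    f=$1; shift
    for line in "$@"; do
        grep -qsxF -- "$line" "$f" || printf '%s\n' "$line" >> "$f"
    done
}

# Write all three pieces for one ISP link. ROOT (default: empty, i.e. the
# live system) lets you generate into a scratch tree first and diff it.
configure_isp_link() {   # configure_isp_link NAME ID SUBNET GATEWAY DEV SRC [ROOT]
    name=$1; id=$2; subnet=$3; gw=$4; dev=$5; src=$6; root=${7:-}
    scripts="$root/etc/sysconfig/network-scripts"
    mkdir -p "$scripts" "$root/etc/iproute2"
    append_unique "$root/etc/iproute2/rt_tables" "$(rt_table_entry "$name" "$id")"
    append_unique "$scripts/rule-$dev" "$(rule_file "$subnet" "$name")"
    route_file "$subnet" "$gw" "$dev" "$src" "$name" | while IFS= read -r line; do
        append_unique "$scripts/route-$dev" "$line"
    done
}

# After "ifup DEV": succeed only if the rule survived and TABLE has a default.
# "ip route show" alone never lists rules, which is why the "from" looked lost.
verify_policy_routing() {   # verify_policy_routing TABLE
    ip rule show | grep -q "lookup $1" \
        && ip route show table "$1" | grep -q '^default '
}

# Demo into a scratch tree: two ISP subnets on the same WAN interface.
demo=$(mktemp -d)
configure_isp_link IspA 100 10.0.0.0/29 10.0.0.1 eth0 10.0.0.2 "$demo"
configure_isp_link IspB 101 10.1.0.0/24 10.1.0.1 eth0 10.1.0.2 "$demo"
for f in "$demo/etc/iproute2/rt_tables" "$demo"/etc/sysconfig/network-scripts/*; do
    printf '== %s ==\n' "${f#$demo}"
    cat "$f"
done
rm -rf "$demo"
```

Generate into a scratch root first, compare with the live files, and only then run with an empty ROOT; after `ifup eth0`, `verify_policy_routing IspA` confirms the rule and the table's default are both in place, which `ip route show` on its own will not tell you.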






Re: [CentOS] repeat command

2013-05-02 Thread Michael Mol
On 05/02/2013 05:05 PM, Matt wrote:
> There is a unix command called repeat.
>
> repeat 10 some_command
>
> Basically repeats some command ten times.  Is it available on Centos 6
> and what package provides it?

# yum whatprovides *bin/repeat
[snip]
No Matches found


HTH





Re: [CentOS] I Know It's A Stupid Question......

2013-05-02 Thread Michael Mol
On 05/02/2013 07:26 PM, Eddie G. O'Connor Jr. wrote:
> But I'm trying to give my son a cool-yet-kind-of-geeky 13th
> Birthday Present..he hinted he liked the CentOS logo, but where
> would I find things that are branded with it? Searching the web
> doesn't really help me much, only because I'm not sure what I need to be
> looking for...any help would be greatly appreciated! Thanks in advance!!

Is there someone with a 3D printer or a laser cutter in your area? Check
out your local hackerspaces/makerspaces. You could make him a phone
hardcase or something.






[CentOS] Configuring source-specific routing

2013-05-01 Thread Michael Mol
I'm attempting to configure source-specific routing so that my servers
can exist on multiple subnets from multiple upstream providers.

A rough diagram of the network layout:


ISP1 router (blackbox, routes subnet A, address on subnet A)
  \
   ---eth0(firewall)eth1---((servers))
  /
ISP2 router (blackbox, routes subnet B, address on subnet B)

The aim is to allow the servers to use both subnet A and subnet B. To
allow this, any machine on both subnets must have source-specific
routing configured, else packets originating from one ISP's AS will be
directed at the other's router, and neither ISP cares for that.

At the moment, I'm focusing on getting the second ISP properly added to
the firewall box. The firewall box is using CentOS 6.4, and normally
passes traffic back and forth via proxy_arp. None of my interfaces are
NM_CONTROLLED, and NetworkManager is not installed, much less started.

I've created a route-eth0:1 file that looks roughly like this:

10.0.0.1 dev eth0:1 \
  src 10.0.0.2 \
  from 10.0.0.0/29

default via 10.0.0.1 dev eth0:1 \
  src 10.0.0.2 \
  from 10.0.0.0/29

(Treat indented lines as continuations of the previous line)
(No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)

If I run ifup eth0:1, ip route show includes the lines:

10.0.0.1 dev eth0  scope link  src 10.0.0.2
10.0.0.0/29 dev eth0  proto kernel  scope link  src 10.0.0.2
default via 10.0.0.1 dev eth0


Note that the from 10.0.0.0/29 clause is missing. With the addition of
a second default route on my firewall/gateway without any restriction on
which traffic should go that way, my whole network, of course, tanks.

I'm surprised it's been such a pain; I would have expected it to be a
relatively common configuration. What's the proper way of doing
source-specific routing on CentOS?



Re: [CentOS] Configuring source-specific routing

2013-05-01 Thread Michael Mol
On 05/01/2013 05:15 PM, Michael H. Warfield wrote:
 On Wed, 2013-05-01 at 16:05 -0400, Michael Mol wrote:
 I'm attempting to configure source-specific routing so that my servers
 can exist on multiple subnets from multiple upstream providers.
 
 Kinda curious why you are attempting this without getting involved in
 dynamic routing (BGP)...  It's usually someone trying to do multihoming
 or multi-link load balancing on the cheap without involving their ISPs
 (which tends to be expensive as soon as you're talking with them about
 redundant / backup loops, provider independent addresses, and BGP
 peering).  Generally equates to champagne taste on a beer budget but
 there are exceptions and reasons, as I know from personal experience.
 It often doesn't end well and is unreliable as network conditions
 change.  But that depends on your requirements and application.  I'm not
 one to judge - just pointing out the pitfalls.

Yup, I know.

Intent is to maintain the old, slow (but has an SLA) connection as a
fallback, and migrate services to the new connection piecemeal.
Meanwhile, the same DNS server on the new connection can be, e.g. ns3.
The same mailserver can have a new MX on the new connection...likely
prioritized to it.

Inbound services can be load-balanced fairly easily via DNS, if TTLs are
kept low, and records updated in response to link state. It's not
anycast DNS, but it also doesn't require to you get BGP peering and PI
space. (I don't even know if I could *get* IPv4 PI space at this point.
I certainly know I wouldn't be able to if I waited a year...)

 
 I have done this a number of times in the past (mostly for VPN's and
 redundant load-balancing links).  You're probably going to have to get real
 down and dirty into policy routing rules and tables with iproute2.  I
 don't honestly believe you will be able to pull it off with the basic
 stuff provided in the ifcfg-*, route-*, or static-route files (proviso
 below).
 
 I had to do it using completely custom files utilizing ip rule and ip
 route {add|delete} table [n] subcommands to ip to build custom
 matching rules and mapping them to different routing tables containing
 different routes and priorities.  In some cases, with OpenVPN VPNs, I
 also had to incorporate iptables filtering commands to mark and match
 packets and interact with the ip rule tables but I doubt you're going
 that deep.

Yeah, I've gone that deep. And a tad deeper. I had almost *everything*
working by hand, and went to figure out how to convert it to idiomatic
CentOS network configuration scripts. And took my network down *three
times* because of the script-processing stripping things out.

 
 man ip-rule
 
 --
In some circumstances we want to route packets differently depending
not only on destination addresses, but also on other packet fields:
source address, IP protocol, transport protocol ports or even packet
payload.  This task is called 'policy routing'.
 
To solve this task, the conventional destination based routing table,
ordered according to the longest match rule, is replaced with a 'routing
policy database' (or RPDB), which selects routes by executing some
set of rules.

Yup. I went through LARTC before writing a line of code, just to be sure.

Curiously, at least one guy has reported success:

http://sysadminsjourney.com/content/2009/04/15/doing-simple-source-policy-routing-centos/

Now, the only thing different between his setup and mine (apart from my
using ethN:1 instead of ethN, as all three routers hang off the same
ethernet segment) is that where his guide says:

echo default table CorpNet via 10.0.0.1 > /etc/sysconfig/network-scripts/route-eth1

My first pass at making my code platform-idiomatic effectively was:

echo default via 10.0.0.1 table CorpNet > /etc/sysconfig/network-scripts/route-eth1

(the table $table clause in mine was at the end of the line, following
the pattern I'd read in LARTC, rather than near the beginning of the line.)
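Added example, not from this thread or from the linked guide: the rule-plus-table layout the reply describes, rendered as the CentOS 6 network-scripts files (route-ethN lines go to "ip route add", rule-ethN lines to "ip rule add", table names live in rt_tables). Interface, table name and addresses are hypothetical, and the output directory stands in for /etc/sysconfig/network-scripts and /etc/iproute2. It also checks the failure mode from the original post: a second default route that is not tagged with a table.

```shell
#!/bin/sh
# Added example: generate the policy-routing pieces for a second ISP. The
# second default route lives in its own table, and only packets sourced from
# that ISP's subnet are sent to that table by the rule.
set -eu

# gen_policy_routing OUTDIR IFACE TABLE_ID TABLE_NAME SUBNET LOCAL_IP GATEWAY
gen_policy_routing() {
    local outdir=$1 iface=$2 tid=$3 tname=$4 subnet=$5 local_ip=$6 gw=$7

    # Name the table (normally in /etc/iproute2/rt_tables); re-running the
    # function must not duplicate the entry.
    grep -qs "^$tid[[:space:]][[:space:]]*$tname\$" "$outdir/rt_tables" ||
        printf '%s\t%s\n' "$tid" "$tname" >> "$outdir/rt_tables"

    # route-IFACE: the "table" clause keeps both routes out of the main table.
    cat > "$outdir/route-$iface" <<EOF
$gw dev $iface src $local_ip table $tname
default via $gw dev $iface src $local_ip table $tname
EOF

    # rule-IFACE: source-based selector for the new table.
    printf 'from %s table %s\n' "$subnet" "$tname" > "$outdir/rule-$iface"
}

# check_single_default DIR: succeed only if at most one "default" line across
# the route-* files is untagged (i.e. would land in the main table). Two
# untagged defaults is exactly what took the network down in the post above.
check_single_default() {
    local dir=$1 untagged
    untagged=$(cat "$dir"/route-* 2>/dev/null | grep '^default' |
               grep -vc ' table ' || true)
    [ "${untagged:-0}" -le 1 ]
}
```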



Re: [CentOS] IPv6

2013-04-24 Thread Michael Mol
On 04/24/2013 12:46 PM, Matt wrote:
 I have setup a CentOS 6.3 VPS with ONLY IPv6 access simply for testing
 at this point.  It browses the Internet with lynx fine on most major
 sites that are IPv6 enabled.  Yum does not seem to work though.
 Always tries to connect to an IPv4 mirror and gives an error.  Is
 there a way specify an IPv6 mirror to yum?

Run through your mirror list, find a mirror which has an AAAA record in
DNS, and specify that one explicitly?

For this kind of circumstance, my first approach would be to put a squid
proxy on a dual-stacked (IPv4 & IPv6) host, and set http_proxy on the
v6-only host such that outbound HTTP connections would pass through the
squid proxy; the squid proxy will then use either IPv4 or IPv6 as
appropriate for the requested destination host.

(Incidentally, this is a great way to give IPv6 access to IPv4 hosts as
well. I was once surprised to discover my PS3 pulling video from Netflix
over IPv6 in this way.)



Re: [CentOS] Problem getting mysqldump on Centos 5.x server

2013-04-23 Thread Michael Mol
On 04/23/2013 09:42 PM, Clint Dilks wrote:
 Hi Bruce
 
 From your message I am assuming that either you installed MySQL yourself or
 had someone do it for you?
 
 Is the mysql database currently running?  If not it should be.
 Are you able to access the database using the command line tools ?  From
 the machine its currently running on try
 
 mysql -p ( when prompted enter the password you believe should work)
 
 If it is running I suggest you schedule a time to shut it down and reset
 the root password
 See http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html or
 Google
 
 Moving the physical files associated with a MySQL Database can be made to
 work if you absolutely must.  But getting a mysql dump is a much cleaner
 approach.
 
 I hope this helps :)

If time is pressing, and he's not sure how to get mysqldump to function
properly, I'd suggest shutting down the mysql server, taking a tarball
backup of /var/lib/mysql (or wherever the database files are),
compressing that (xz is nice for these purposes), and then getting the
mysqldump backup.

As for getting the mysql dump itself, if he's not sure what privileges
are set up, I'd probably skip resetting permissions and instead take
the dump from a daemon running under --skip-grant-tables.

It all depends on how much time he has before the system becomes
unavailable to him.
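Added example, not from the thread: the order of operations suggested above, a cold tarball of the raw files first and a grant-less mysqldump second. Paths, file names and the use of the mysqld init script are assumptions; the grant-less daemon is started with --skip-networking as well, so that while it runs with no authentication it answers only on the local socket.

```shell
#!/bin/sh
# Added example: cold snapshot of the datadir, then a dump without grants.
set -eu

# snapshot_datadir DATADIR OUTDIR: archive the (stopped) server's files and
# print the archive path. xz as suggested above; gzip if xz is not installed.
snapshot_datadir() {
    local datadir=$1 outdir=$2 base stamp archive
    base=$(basename "$datadir")
    stamp=$(date +%Y%m%d-%H%M%S)
    if command -v xz >/dev/null 2>&1; then
        archive=$outdir/mysql-$base-$stamp.tar.xz
        tar -cJf "$archive" -C "$(dirname "$datadir")" "$base"
    else
        archive=$outdir/mysql-$base-$stamp.tar.gz
        tar -czf "$archive" -C "$(dirname "$datadir")" "$base"
    fi
    tar -tf "$archive" >/dev/null   # a full listing proves the archive is intact
    echo "$archive"
}

# dump_without_grants OUTFILE: --skip-grant-tables gets past an unknown root
# password; --skip-networking keeps that password-less daemon off the network
# for the duration, reachable only through the local socket. Not exercised by
# the test (it needs a MySQL install); it shows the sequence.
dump_without_grants() {
    local outfile=$1
    service mysqld stop
    mysqld_safe --skip-grant-tables --skip-networking &
    until mysqladmin ping >/dev/null 2>&1; do sleep 1; done
    mysqldump --all-databases --single-transaction > "$outfile"
    mysqladmin shutdown
    wait                      # let mysqld_safe exit before the normal restart
    service mysqld start
}
```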



Re: [CentOS] Writing to a symlink on a read-only file system that land on a read-write file system

2013-04-22 Thread Michael Mol
On 04/22/2013 08:42 AM, James Pearson wrote:
 We've come across a problem with 6.4 kernels that we didn't have with 
 6.2 kernels - which involves writing to a symlink that is on a read-only 
 file system - but the symlink lands on a read-write file system
 
 The following shows the issue:
 
   mkdir -p /mnt/tmp
   mount -t tmpfs -o size=1% none /mnt/tmp
   rm -f /tmp/file
   ln -s /tmp/file /mnt/tmp/file
   mount -o remount,ro /mnt/tmp
   echo some text > /mnt/tmp/file
 
 On a machine with a 6.2 kernel, the above works fine - the target of the 
 symlink (/tmp/file) is created etc. with no error
 
 But on a machine with a 6.4 kernel, the above fails with:
 
   /mnt/tmp/file: Read-only file system.
 
 Strace'ing a process that fails gives:
 
 open("/mnt/tmp/file", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EROFS
 (Read-only file system)
 
 I don't have a machine with a 6.3 kernel, so I'm not sure when the 
 change in behaviour happened, but does anyone know as to why this change 
 was made in the kernel?
 
 I've had a look through the kernel changelog - and the following entry 
 mentions EROFS and read-only file systems:
 
 - [fs] vfs: prefer EEXIST to EROFS when creating on an RO filesystem 
 (Eric Sandeen) [878091]
 
 I can't access that BZ (878091) entry - so don't know if the above is 
 anything to do with what I'm seeing ...

This sounds like it's going to be a glibc issue rather than a kernel
issue; IIRC, it's glibc that's responsible for handling symlink
processing, not the kernel.

I wonder what happens if you run, e.g., a statically-linked busybox from
6.2 on the 6.4 machine.

(As for whether or not it's a bug...that's an interesting question.
Having symlinks crossing r/w-r/o boundaries is an odd case. I don't
know what symlink semantics are technically supposed to be in those
circumstances.)



Re: [CentOS] 2nd NIC troubles

2013-04-16 Thread Michael Mol
On 04/16/2013 01:37 PM, Jason T. Slack-Moehrle wrote:
 Hi All,
 
 I have 2 NICs in this system. CentOS 6.4
 
 eth0 is the virtual IP from PFSense mapping connected to the router, works
 fine.
 
 eth1 is a second NIC that I have assigned a private IP to and connected it
 to a switch on the private network. I have many other private devices, so I
 know this setup works.
 
 When I connect the cable to the switch and bring up eth1 the system
 basically stops taking requests. I can no longer SSH in, Websites stop
 responding, etc. If I walk over to the server and take down eth1,
 everything works fine.
 
 Here is eth0:
 DEVICE=eth0
 HWADDR=00:1b:21:cd:80:bf
 TYPE=Ethernet
 UUID=68a95912-3915-4b1a-9080-eb2017330153
 ONBOOT=yes
 NM_CONTROLLED=yes
 BOOTPROTO=none
 IPADDR=192.168.1.27
 NETMASK=255.255.255.0
 DNS2=8.8.4.4
 GATEWAY=192.168.1.1
 DNS1=8.8.8.8
 IPV6INIT=no
 USERCTL=no
 
 Here is eth1:
 DEVICE=eth1
 HWADDR=00:0a:cd:17:07:7e
 TYPE=Ethernet
 UUID=b3851363-ae9e-4066-8993-caed07b9945b
 ONBOOT=no
 NM_CONTROLLED=yes
 BOOTPROTO=none
 IPADDR=10.0.254.11
 NETMASK=255.255.255.0
 GATEWAY=10.0.254.1
 DNS1=8.8.8.8
 DNS2=8.8.4.4
 IPV6INIT=no
 USERCTL=no
 
 I have never experienced this before.

Remove the GATEWAY line from eth1, unless you have another router (with
its own access to the Internet) at 10.0.254.1. If eth0 points at your
upstream, then this is unlikely.



[CentOS] How to patch a CentOS6 kernel

2013-04-10 Thread Michael Mol
So I have a couple patches supplied to me by upstream in relation to a
kernel bug[1], but I can't figure out how to patch the kernel. The
CentOS wiki page discusses retrieving the kernel source[2], but doesn't
describe how to apply patches. Instructions I've found apply to CentOS5,
and RH has changed their kernel packaging since then.

I've been banging my head on this off and on for quite a while, now.
I've mucked with Gentoo and Debian packaging, but kernel RPMs are a new
one for me...

[1] http://bugs.centos.org/view.php?id=6343
[2] http://wiki.centos.org/HowTos/I_need_the_Kernel_Source



Re: [CentOS] How to patch a CentOS6 kernel

2013-04-10 Thread Michael Mol
On 04/10/2013 09:45 AM, Akemi Yagi wrote:
 On Wed, Apr 10, 2013 at 6:38 AM, Michael Mol mike...@gmail.com wrote:
 So I have a couple patches supplied to me by upstream in relation to a
 kernel bug[1], but I can't figure out how to patch the kernel. The
 CentOS wiki page discusses retrieving the kernel source[2], but doesn't
 describe how to apply patches. Instructions I've found apply to CentOS5,
 and RH has changed their kernel packaging since then.

 I've been banging my head on this off and on for quite a while, now.
 I've mucked with Gentoo and Debian packaging, but kernel RPMs are a new
 one for me...

 [1] http://bugs.centos.org/view.php?id=6343
 [2] http://wiki.centos.org/HowTos/I_need_the_Kernel_Source
 
 This wiki article explains how to apply patches:
 
 http://wiki.centos.org/HowTos/Custom_Kernel

That looks like *exactly* what I needed.

 
 Or, you can download a source file for the centosplus kernel and see
 how the patches are added in there.

I think I've got what I needed, thanks.



Re: [CentOS] How to patch a CentOS6 kernel

2013-04-10 Thread Michael Mol
On 04/10/2013 10:00 AM, m.r...@5-cent.us wrote:
 Michael Mol wrote:
 So I have a couple patches supplied to me by upstream in relation to a
 kernel bug[1], but I can't figure out how to patch the kernel. The
 CentOS wiki page discusses retrieving the kernel source[2], but doesn't
 describe how to apply patches. Instructions I've found apply to CentOS5,
 and RH has changed their kernel packaging since then.

 I've been banging my head on this off and on for quite a while, now.
 I've mucked with Gentoo and Debian packaging, but kernel RPMs are a new
 one for me...
 snip
 Um, if you got it from upstream, meaning, I presume, that you have a
 license, why not call their support and ask them - that's what you're
 spending money for

Upstream meaning kernel developers, not RH themselves. Though the kernel
developer in question happens to be an RHEL employee.



Re: [CentOS] How to patch a CentOS6 kernel

2013-04-10 Thread Michael Mol
On 04/10/2013 10:15 AM, Michael Mol wrote:
 On 04/10/2013 10:00 AM, m.r...@5-cent.us wrote:
 Michael Mol wrote:
 So I have a couple patches supplied to me by upstream in relation to a
 kernel bug[1], but I can't figure out how to patch the kernel. The
 CentOS wiki page discusses retrieving the kernel source[2], but doesn't
 describe how to apply patches. Instructions I've found apply to CentOS5,
 and RH has changed their kernel packaging since then.

 I've been banging my head on this off and on for quite a while, now.
 I've mucked with Gentoo and Debian packaging, but kernel RPMs are a new
 one for me...
 snip
 Um, if you got it from upstream, meaning, I presume, that you have a
 license, why not call their support and ask them - that's what you're
 spending money for
 
 Upstream meaning kernel developers, not RH themselves. Though the kernel
 developer in question happens to be an RHEL employee.
 
 

RH employee. Doh. :)



Re: [CentOS] How to determine 64 vs 32 bit processor

2013-04-10 Thread Michael Mol
On 04/10/2013 09:58 AM, Robert Moskowitz wrote:
 I have been tied up with other work and Holidays.  Now back to some 
 server work that is long overdue.  I lost an old server yesterday so it 
 is crunch time.
 
 I believe my new platform is supposed to be an x86_64.  The order form
 says 64 bit.
 
 I booted Centos 6.3 i386 liveCD to check the system out before an install.
 
 uname -i
 
 reports i386
 
 dmidecode -t processor
 
 reports Characteristics of 64 bit capable.  The processor is an AMD
 dual-core Opteron.
 
 I thought that in a prior thread I found that booting with an i386 live 
 CD and using uname would confirm the processor type.  It seems not.
 
 I am going to go with the various evidence and start a x86_64 install, 
 but what is with uname?
 
 thanks

uname reports the architecture that the running operating system was
compiled for. Since you booted an i386-compiled OS, it will report as such.

To confirm the details of the hardware, examine /proc/cpuinfo.
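Added example, not from the thread: what to look for in /proc/cpuinfo. On x86 the "lm" (long mode) flag marks a 64-bit capable CPU regardless of which kernel is running, which is the distinction between uname's answer and the hardware's. The cpuinfo sample embedded below is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example: separate the kernel's architecture (uname) from the CPU's.
set -eu

# cpu_is_64bit_capable [CPUINFO_FILE]: exit 0 if the first CPU lists "lm".
# The file argument exists so a saved cpuinfo can be inspected offline.
cpu_is_64bit_capable() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw lm
}

# arch_report [CPUINFO_FILE]: one line giving both views of the machine, e.g.
# "kernel=i686 hardware=64-bit-capable" on a 32-bit live CD booted on an
# Opteron.
arch_report() {
    local hw
    if cpu_is_64bit_capable "${1:-/proc/cpuinfo}"; then
        hw=64-bit-capable
    else
        hw=32-bit-only
    fi
    printf 'kernel=%s hardware=%s\n' "$(uname -m)" "$hw"
}

# Constructed sample of the lines that matter, standing in for a real
# /proc/cpuinfo from a 64-bit capable AMD part.
sample_cpuinfo() {
    cat <<'EOF'
processor       : 0
vendor_id       : AuthenticAMD
model name      : Dual-Core AMD Opteron(tm) Processor (constructed sample)
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt lm 3dnowext 3dnow
EOF
}
```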
