Re: [CentOS] CentOS 7 getssl script

2021-05-31 Thread Tony Mountifield
In article ,
Jerry Geis  wrote:
> I am using the getssl script to add a certificate to my server.
> The script is automatically adding a SANS www.myserver.com when I do not
> have a www.myserver.com - just simply the myserver.com
> 
> How can I tell getssl to "not add that SANS" entry ?

getssl creates a default getssl.cfg for the domain the first time you run it
for that domain. But on subsequent runs, it just uses what is in that file.

So look in the file .getssl/myserver.com/getssl.cfg at the line SANS=

You can remove the unwanted entries from there, or comment out the line
if you don't want any additional domains at all in the certificate.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Permission denied when updating CentOS 8 Streams

2021-02-22 Thread Tony Mountifield
In article <8dc3d2af-a7b0-d54f-85b4-fbdbc49b3...@gmail.com>,
Gordon Messmer  wrote:
> On 2/19/21 12:37 AM, Mathieu Baudier wrote:
> >- Curl error (7): Couldn't connect to server for
> > http://mirrorlist.centos.org/?release=8-stream=x86_64=AppStream=stock
> > [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> 
> 
> It's unusual to see EPERM on a call to connect()... The man page 
> suggests that this can be caused by a local firewall rule or an SELinux 
> policy.
> 
> https://man7.org/linux/man-pages/man2/connect.2.html
> 
> "yum" and "wget" should be running in an unconfined domain, so SELinux 
> is *probably* not the cause.  I'd take a look at the output of "iptables 
> -L OUTPUT" first.  I've tried creating local firewall rules that I'd 
> expect to result in EPERM, but they do not, so I'm not sure what such a 
> rule looks like.

Of course, SELinux can be confirmed or ruled out by doing "setenforce 0"
and then trying the operation again.

Then "setenforce 1" again afterwards, of course.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] letsencrypt error

2021-02-06 Thread Tony Mountifield
In article ,
Jerry Geis  wrote:
> Hi Tony,
> 
> Thanks for the suggestion https://github.com/srvrco/getssl was not aware of
> that.
> I got so close... It says it loaded the certificate the files are there - I
> edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right file.
> restarted httpd - all seemed good - but when I go to my site it did not work.
> So I re-ran with -f option and I get:
> 
> Registering account
> Verify each domain
> Verifying rsd.layeredsolutionsinc.com
> rsd.layeredsolutionsinc.com is already validated
> Verification completed, obtaining certificate.
> Requesting Finalize Link
> Requesting Order Link
> Requesting certificate
> Full certificate saved in /root/.getssl/XX/fullchain.crt
> Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
> /root/.getssl/XX/XX.crt didn't match server
> getssl: XX - rsa certificate obtained but certificate on server is
> different from the new certificate
> 
> So close...
> Any thoughts on that are appreciated.   I did searching and those issues
> don't seem to relate to my case.

Hi Jerry, you need to explore the configuration files. They are in .getssl/getssl.cfg
and .getssl//getssl.cfg

First, in .getssl//getssl.cfg you need to tell it where to copy the certificate
and key for the web server. They should match what you have in /etc/httpd/conf.d/ssl.conf
Here are my entries as an example:


# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert


Then secondly, in the global config .getssl/getssl.cfg you need to tell it how to
restart the web server to pick up the new certs, which it will do before testing
whether the new certificate is served correctly:


# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="/usr/sbin/apachectl graceful"


I think these are the only changes I made from the defaults.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] letsencrypt error

2021-02-05 Thread Tony Mountifield
In article ,
Jerry Geis  wrote:
> *>>certbot-auto is no longer available.
> *>It still getting updates
> >https://github.com/certbot/certbot/blob/master/certbot-auto
> >>*   Forbidden\n\nForbidden\n *>Try opening up your page in the browser to see what's going on. You
> might not setup your nginx/apache properly
> >http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPjXdK61Fwa-w
> 
> I went there, downloaded it, and tried to run - and I get this.
> 
> Skipping bootstrap because certbot-auto is deprecated on this system.
> Your system is not supported by certbot-auto anymore.
> Certbot cannot be installed.
> Please visit https://certbot.eff.org/ to check for other alternatives.
> 
> My Centos 7 is basically out of the box.  Previously with certbot-auto - it
> worked every time.  Any one else run into this and know what the issue is ?

Try using getssl instead: https://github.com/srvrco/getssl

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS 8.2: error running non-shared postrotate script for /var/log/mysql/mysqld.log

2020-12-07 Thread Tony Mountifield
In article ,
Alexander Farber  wrote:
> Hello fellow CentOS users!
> 
> I have installed CentOS 8.2.2004 with the following packages:
> 
> mysql-common-8.0.21-1.module_el8.2.0+493+63b41e36.x86_64
> mysql-8.0.21-1.module_el8.2.0+493+63b41e36.x86_64
> mysql-errmsg-8.0.21-1.module_el8.2.0+493+63b41e36.x86_64
> mysql-server-8.0.21-1.module_el8.2.0+493+63b41e36.x86_64
> 
> Then I have run mysql_secure_installation and among other things set the
> root password for MySQL
> 
> As a result I am greeted with the following anacron mail every morning:
> 
> /etc/cron.daily/logrotate:
> 
>  mysqladmin: connect to server at 'localhost' failed
> error: 'Access denied for user 'root'@'localhost' (using password: NO)'
> error: error running non-shared postrotate script for
> /var/log/mysql/mysqld.log of '/var/log/mysql/mysqld.log '
> 
> I understand that the reason is me having set the root password for MySQL.
> 
> But my question is how to provide the password to postrotate without
> disclosing it too much?

Create a file .my.cnf owned by root with permission 600, containing these lines:

[mysqladmin]
user = root
password = YourMySqlRootPassword

You need to put it in / or in /root - I usually do both, as I think logrotate
has / as its home dir instead of /root.

Then logrotate can call mysqladmin without having to give a password.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
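
Added example (not part of the original post): one way to create the credentials file described above so that it is never readable by other users, plus a check that flags loose permissions or the wrong owner. The function names are hypothetical, the password shown is constructed, and it is assumed to contain no characters that are special in an option file.

```sh
#!/bin/sh
# Added example: write_mysqladmin_cnf and check_cnf_perms are hypothetical names.

# write_mysqladmin_cnf PATH   (password is read from standard input, so it
# never appears on a command line)
write_mysqladmin_cnf() (
    path=$1
    IFS= read -r password || [ -n "$password" ] || exit 1
    umask 077                               # nothing we create is group/world readable
    tmp=$(mktemp "$path.XXXXXX") || exit 1  # same directory, so mv is a rename
    printf '[mysqladmin]\nuser = root\npassword = %s\n' "$password" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$path"                    # replaces any older, looser file
)

# check_cnf_perms PATH [OWNER_UID]
# Succeeds only for a regular file (not a symlink) owned by OWNER_UID
# (default 0, root) with mode 600 or 400.
check_cnf_perms() (
    path=$1 want_uid=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path"; exit 1
    fi
    set -- $(stat -c '%u %a' "$path")
    if [ "$1" != "$want_uid" ]; then
        echo "wrong owner uid $1 (expected $want_uid): $path"; exit 1
    fi
    case $2 in
        600|400) echo "ok: $path (uid $1, mode $2)" ;;
        *) echo "too permissive, mode $2: $path"; exit 1 ;;
    esac
)

# Demo on a scratch directory with a constructed password. On a real host
# the targets would be /.my.cnf and /root/.my.cnf, written as root.
demo_dir=$(mktemp -d)
printf '%s\n' 'Constructed-Pass1' | write_mysqladmin_cnf "$demo_dir/.my.cnf"
check_cnf_perms "$demo_dir/.my.cnf" "$(id -u)"
rm -rf "$demo_dir"
```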


Re: [CentOS] (C8) root on mdraid

2020-11-16 Thread Tony Mountifield
In article <20201115123245.db62b8248e1f248afe028...@lukaszposadowski.pl>,
Lukasz Posadowski  wrote:
> 
> Hello everyone. 
> 
> I'm trying to install CentOS 8 with root and swap partitions on
> software raid. The plan is:
> - create md0 raid level 1 with 2 hard drives: /dev/sda and /dev/sdb,
> using Linux Rescue CD,
> - install CentOS 8 with Virtual Box on my laptop,
> - rsync CentOS 8 root partition on /dev/md0p1,
> - chroot in CentOS 8 root partition,
> - configure /etc/mdadm.conf, grub.cfg, initramfs, install bootloader on
> both sda and sdb drives.
> 
> I think I can do first four of the above, but my CentOS installation
> acts strange after rebooting the server. It recognizes the raid, but
> boots randomly with root on /dev/sda1 (and recognizes raid
> with /dev/sdb disk), or with root on /dev/sdb1 (and recognizes raid
> with /dev/sda disk). When booting from Linux Rescue CD, the raid with
> two disk is recognized.

I thought it was much more usual to partition both disks to give sda1,2,3
and sdb1,2,3, and then create /dev/md0 from sda1/sdb1, /dev/md1 from sda2/sdb3,
and so on.

That's the way I have always done it, and have never had any problems.
Never seen an attempt to partition an md device before. In that case,
how would the kernel and initrd be found in order to assemble the RAID?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] certbot stopped working on CentOS 7: pyOpenSSL module missing required functionality

2020-10-05 Thread Tony Mountifield
In article <0f27fc07-4b04-4b3b-bf3a-7a0d419d8...@mcon-group.com>,
Soeren Malchow  wrote:
> Not directly an answer to your question, but we had so many problems with the 
> certbot in different constellations, that
> we moved to
> 
> https://github.com/acmesh-official/acme.sh
> 
> which works just fine basically everywhere
> 
> cheers
> Soeren 
> 
> On 05.10.20, 15:18, "CentOS on behalf of Alexander Farber" 
>  alexander.far...@gmail.com> wrote:
> 
> Yes, I had a typo in the mail, but not in the cronjob
> 
> Still wondering how to get certbot-1.7.0-1.el7.noarch working on CentOS 7
> again.

https://github.com/srvrco/getssl also works pretty well, and just needs bash and openssl.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Using CentOS 7 to attempt recovery of failed disk

2020-09-28 Thread Tony Mountifield
In article ,
Erick Perez - Quadrian Enterprises  wrote:
> @tonymountifield
> Does this still hold true?
> https://superuser.com/a/1075837

It wouldn't surprise me. What I take away from those tests is that it is indeed
important to use a bs= setting that corresponds to the disk physical block size,
which is why I said to use bs=4096.

When I used "conv=noerror,sync bs=4096" I got an image of the correct size.
That seems to correspond with what is said in the comment you linked to.

Cheers
Tony

> On Sun, Sep 27, 2020 at 7:21 AM Tony Mountifield  wrote:
> 
> > In article ,
> > Valeri Galtsev  wrote:
> > >
> > >
> > > > On Sep 26, 2020, at 8:05 AM, Jerry Geis  wrote:
> > > >
> > > > I have a disk that is flagging errors, attempting to rescue the data.
> > > >
> > > > I tried dd first - it gets about 117G of 320G disk and stops incrementing
> > > > the save image any more.
> > >
> > > did you try
> > >
> > > dd conv=noerror …
> > >
> > > this flag makes dd not stop on input error. Whatever is irrecoverable is
> > irrecoverable, but this way you will get stuff
> > > beyond failure point.
> >
> > You need conv=noerror,sync so that unreadable sectors get replaced by
> > zeros instead of not being written out at all.
> > Without sync, the filesystem geometry on the destination image will be
> > wrong after the first error.
> >
> > You also need bs=4096 so that ONLY the bad sector(s) get zeroed, and not
> > the surrounding ones. If you have, say,
> > bs=1M, then you will get a megabyte of zeros if any block within that
> > megabyte is bad.
> >
> > I'm speaking from recent experience!
> >
> > Cheers
> > Tony
> >
> > --
> > Tony Mountifield
> > Work: t...@softins.co.uk - http://www.softins.co.uk
> > Play: t...@mountifield.org - http://tony.mountifield.org
> >
> 
> 
> -- 
> 
> -
> Erick Perez
> Quadrian Enterprises S.A. - Panama, Republica de Panama
> Skype chat: eaperezh
> WhatsApp IM: +507-6675-5083
> -
> 


-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Using CentOS 7 to attempt recovery of failed disk

2020-09-27 Thread Tony Mountifield
In article ,
Valeri Galtsev  wrote:
> 
> 
> > On Sep 26, 2020, at 8:05 AM, Jerry Geis  wrote:
> > 
> > I have a disk that is flagging errors, attempting to rescue the data.
> > 
> > I tried dd first - it gets about 117G of 320G disk and stops incrementing
> > the save image any more.
> 
> did you try
> 
> dd conv=noerror …
> 
> this flag makes dd not stop on input error. Whatever is irrecoverable is 
> irrecoverable, but this way you will get stuff
> beyond failure point.

You need conv=noerror,sync so that unreadable sectors get replaced by zeros
instead of not being written out at all. Without sync, the filesystem geometry
on the destination image will be wrong after the first error.

You also need bs=4096 so that ONLY the bad sector(s) get zeroed, and not the
surrounding ones. If you have, say, bs=1M, then you will get a megabyte of
zeros if any block within that megabyte is bad.

I'm speaking from recent experience!

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
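
Added example (not part of the original posts): the dd invocation discussed in this thread, followed by a scan that lists the all-zero 4096-byte blocks in the resulting image, which are the candidates for sectors dd could not read. The function names and paths are hypothetical, and the source here is a small constructed file rather than a failing disk, so it shows the padding done by sync and the scan, not a real read error.

```sh
#!/bin/sh
# Added example: function names and file paths are hypothetical.
BS=4096   # block size recommended in the thread

# Build a constructed "disk": blocks 0 and 2 are filled with 'A', block 1 is
# all zeros, and a 100-byte tail makes the size not a multiple of BS.
make_sample() (
    {
        head -c "$BS" /dev/zero | tr '\0' 'A'
        head -c "$BS" /dev/zero
        head -c "$BS" /dev/zero | tr '\0' 'A'
        head -c 100 /dev/zero | tr '\0' 'A'
    } > "$1"
)

# Image SRC into IMG as recommended in the thread. noerror keeps dd going
# after a read error; sync pads every failed or short input block with NULs
# up to BS, so later data keeps its offset in the image. dd's own messages
# (including any read errors) are kept in IMG.log.
image_with_padding() (
    dd if="$1" of="$2" bs="$BS" conv=noerror,sync 2> "$2.log"
)

# Print the index of every BS-sized block of IMG that contains only NUL
# bytes. A zero block may also be genuine data, so compare the list with
# the read errors recorded in the dd log. One dd per block is slow on a
# large image; it is written this way for clarity.
zero_blocks() (
    img=$1
    size=$(wc -c < "$img")
    nblocks=$(( size / BS ))
    i=0
    while [ "$i" -lt "$nblocks" ]; do
        nonzero=$(dd if="$img" bs="$BS" skip="$i" count=1 2>/dev/null |
                  tr -d '\0' | wc -c)
        if [ "$nonzero" -eq 0 ]; then
            echo "$i"
        fi
        i=$(( i + 1 ))
    done
)

demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    make_sample "$dir/source.bin"
    image_with_padding "$dir/source.bin" "$dir/disk.img"
    echo "source bytes: $(wc -c < "$dir/source.bin")"
    echo "image bytes:  $(wc -c < "$dir/disk.img")"
    echo "all-zero blocks: $(zero_blocks "$dir/disk.img" | tr '\n' ' ')"
)

demo
```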


Re: [CentOS] Systemd service unit file needs to wait until a specific interface is up

2020-09-23 Thread Tony Mountifield
In article <004e8170-e842-4e8b-9623-db3ea236d...@outlook.com>,
Carlos Lopez  wrote:
> Hi all,
> 
> 
> With SystemD, how can I make certain service dependent on certain network 
> interfaces being up?
> 
> For example, I have an 802.1ad bond interface I need to wait on for being up 
> (this interface has no ip address assigned,
> it is used to capture networks packets with a tcpdump’s script). Every time 
> this service fails because bond interface
> is not up.
> 
> 
> 
> I have configured the service as:
> 
> 
> 
> [Unit]
> 
> Description=tcpdump capture script
> 
> After=network.target
> 
> Wants=network-online.target
> 
> 
> 
> But it doesn’t work …. Any tip or trick?

Just add a line to the tcpdump script to wait for the interface.

Something like this:

until ifconfig -s | grep -q '^bond0' ; do sleep 1 ; done

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
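
Added example (not part of the original post): a bounded version of the wait loop above, so the capture script fails with a message instead of waiting forever if the bond never comes up. It goes beyond the one-liner by reading the kernel's operstate file under /sys/class/net; the function name and the SYSFS_NET override (used only so the function can be exercised without a real bond0) are hypothetical.

```sh
#!/bin/sh
# Added example: wait_for_iface and SYSFS_NET are hypothetical names.
SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# wait_for_iface IFACE [TIMEOUT_SECONDS]
# Returns 0 as soon as IFACE reports operstate "up", 1 if that has not
# happened after TIMEOUT_SECONDS (default 30). An interface that does not
# exist yet is treated the same as one that is down.
wait_for_iface() (
    iface=$1 timeout=${2:-30} waited=0
    while :; do
        state=$(cat "$SYSFS_NET/$iface/operstate" 2>/dev/null || true)
        if [ "$state" = "up" ]; then
            exit 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $iface" \
                 "(state: ${state:-absent})" >&2
            exit 1
        fi
        sleep 1
        waited=$(( waited + 1 ))
    done
)

# At the top of the tcpdump script:
#   wait_for_iface bond0 60 || exit 1
```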


Re: [CentOS] Jamulus for Centos

2020-08-20 Thread Tony Mountifield
In article ,
Robert Moskowitz  wrote:
> Is anyone running their own Jamulus server?
> 
> I have an x86_64 system running Centos7 that I can try bringing it up 
> for my wife.  So I better get it right!
> 
> I have found rpms for 3.4.7.1 at:
> 
> https://pkgs.org/download/Jamulus
> 
> But on SourceForge I am seeing source for ver 3.5.10.  In blogs I am 
> seeing that the better client is for at least ver 3.5.1.
> 
> Are there rpms available for some 3.5 version?

I am a regular Jamulus user and have packaged the latest versions of the
headless server for CentOS 7 and 8, and Amazon Linux 2.

See http://jamulus.softins.co.uk/repo/ for details.

I haven't used the Jamulus client under Linux.

If you haven't already, you would find the two Facebook groups worthwhile:

- Jamulus (official group)
- Jamulus World Jam

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] firewall help request

2020-06-17 Thread Tony Mountifield
In article ,
Paul Heinlein  wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
> 
> > I have a gateway machine (currently Centos 7 with IPV4 only) with two
> > NICs.  One is connected to the internet, the other to an internal
> > network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> > android phones, linux boxes) using NAT.  I wish to block all outgoing
> > connects to any external IP address on port 22 (ssh) originating from
> > any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so
> > far have failed.  If anyone has a suggestion, I'd really appreciate
> > it.  In addition, a suitable version for 'firewalld' could be useful,
> > as an upgrade to Centos 8 is in plan.
> >
> > Examples of what I've tried, and then tested.  None of them stopped
> > an outgoing SSH from an internal system.
> >
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> 
> I'm not sure it's your INPUT table that needs that rule. I don't have 
> any NAT machines for experimentation, but my initial hunch is that 
> you'd want OUTPUT rules, e.g.,
> 
> iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

No, the OUTPUT chains apply to traffic originating within the machine
itself (the gateway machine).

But for traffic being forwarded by the gateway, it will use the FORWARD
chains rather than the INPUT chains. So probably something like this:

iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
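
Added example (not part of the original posts): a small model of the point made above, showing which filter chain a packet traverses on the gateway and how first-match evaluation of the two FORWARD rules decides it. It is a simplified simulation, not netfilter; the gateway addresses, the external address 203.0.113.10 and the value 10.0.0.5 standing in for ${GOODIP} are constructed, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: a simplified model of chain selection and rule order.
GATEWAY_ADDRS="10.0.0.1 198.51.100.2"   # constructed: the gateway's own addresses
FORWARD_POLICY=ACCEPT                   # assumed default policy of the chain
# The two rules from the post, in order: source CIDR, destination port, target.
# -s matches the internal address because source NAT is applied in
# POSTROUTING, after the filter FORWARD chain has been traversed.
FORWARD_RULES="10.0.0.5/32 22 ACCEPT
10.0.0.0/24 22 REJECT"

# Dotted quad to integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# in_cidr IP NET/PREFIX: status 0 if IP lies inside the network.
in_cidr() (
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# chain_for SRC DST: which filter chain sees the packet on the gateway.
chain_for() (
    for a in $GATEWAY_ADDRS; do
        if [ "$2" = "$a" ]; then echo INPUT; exit 0; fi    # addressed to the gateway
    done
    for a in $GATEWAY_ADDRS; do
        if [ "$1" = "$a" ]; then echo OUTPUT; exit 0; fi   # created by the gateway
    done
    echo FORWARD                                           # routed through it
)

# forward_verdict SRC DPORT: the first matching rule wins, else the policy.
forward_verdict() (
    src=$1 dport=$2
    while read -r cidr port target; do
        [ -n "$cidr" ] || continue
        if [ "$port" = "$dport" ] && in_cidr "$src" "$cidr"; then
            echo "$target"
            exit 0
        fi
    done <<EOF
$FORWARD_RULES
EOF
    echo "$FORWARD_POLICY"
)

# An internal client's SSH to an external host never reaches INPUT or OUTPUT.
for src in 10.0.0.5 10.0.0.9; do
    echo "$src -> 203.0.113.10:22 chain=$(chain_for "$src" 203.0.113.10)" \
         "verdict=$(forward_verdict "$src" 22)"
done
```

Because the first match wins, these two rules only take effect if no earlier rule in FORWARD already accepts the traffic, so check the existing chain order with "iptables -S FORWARD" before appending them.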


Re: [CentOS] xinetd custom service - perl - remote address

2020-05-28 Thread Tony Mountifield
In article <202005281646.34790.gary.stainb...@ringways.co.uk>,
Gary Stainburn  wrote:
> Hi all,
> 
> I can't believe that I can't find the answer to this one.  I have a perl 
> script which is called by xinetd.
> 
> I want that perl script to be able to detect the remote IP address of the 
> caller.
> 
> I presumed that it would be an environment variable but I could be wrong.  
> I've found reference to the ENV and PASSENV
> arguments for xinetd.conf but no examples, and no indication of what 
> arguments to use.
> 
> In my script I have the following code:
> 
> foreach (keys %ENV) { print "$_=$ENV{$_}\n";}
> 
> 
> but the only line I get back is:
> 
> XINETD_LANG=en_US

Works for me. Here are my details:

1. /usr/local/bin/args:

#!/usr/bin/perl

$i=1;
while(defined($_ = shift)) {
    printf "ARGV[%d]=\"%s\"\n",$i++,$_;
}
foreach $env (keys %ENV) {
    printf "ENV{%s}=\"%s\"\n",$env,$ENV{$env};
}

2. /etc/xinetd.d/args:

service args
{
    disable         = no
    port            = 54321
    type            = UNLISTED
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/local/bin/args
    server_args     = --test
    log_on_failure  += USERID
}

3. Results of telnet 127.0.0.1 54321:

# telnet 127.0.0.1 54321
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
ARGV[1]="--test"
ENV{CONSOLE}="/dev/console"
ENV{PREVLEVEL}="N"
ENV{SELINUX_INIT}="YES"
ENV{LC_COLLATE}="en_US"
ENV{RUNLEVEL}="3"
ENV{LC_ALL}="en_US"
ENV{previous}="N"
ENV{LC_NUMERIC}="en_US"
ENV{PWD}="/"
ENV{LC_TIME}="en_US"
ENV{LANG}="en_US"
ENV{LC_MESSAGES}="en_US"
ENV{runlevel}="3"
ENV{INIT_VERSION}="sysvinit-2.86"
ENV{SHLVL}="3"
ENV{LC_MONETARY}="en_US"
ENV{_}="/usr/sbin/xinetd"
ENV{PATH}="/sbin:/usr/sbin:/bin:/usr/bin"
ENV{vga}="773"
ENV{REMOTE_HOST}="127.0.0.1"
ENV{TERM}="linux"
Connection closed by foreign host.

Notice the value of ENV{REMOTE_HOST}

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] systemctl behaves like it is being piped to less in centos 8?

2019-12-13 Thread Tony Mountifield
In article <5c2439dc6351659900b0c7ef421ae3f1e7b84fe4.ca...@biggs.org.uk>,
Pete Biggs  wrote:
> 
> > 
> > is what is annoying me. That seems to be what I would expect if I
> > piped it to less. I checked a fedora 31 and another centos 8 box and
> > am seeing the same behaviour. Am I missing something?
> > 
> 
> The environment variable $PAGER determines what pager to use.  The
> default is 'less'. Use 
> 
>   export PAGER=more 
> 
> to use 'more' instead. Or
> 
>  export PAGER=
> 
> to not pipe to a pager.

This would also affect "man". Better to use SYSTEMD_PAGER.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] systemctl behaves like it is being piped to less in centos 8?

2019-12-13 Thread Tony Mountifield
In article ,
Mauricio Tavares  wrote:
> Comparing the output of systemctl between centos 7 and 8:
> 
> [...]
> 
> So far so good. Don't know why it is complaining about log being
> rotated but output looks readable. Now, let's grab a centos8 box:
> 
> [raub@vmhost2 ~]$ cat /etc/redhat-release
> CentOS Linux release 8.0.1905 (Core)
> [raub@vmhost2 ~]$ systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor p>
>    Active: active (running) since Tue 2019-12-10 20:10:20 EST; 2 days ago
>      Docs: man:firewalld(1)
>  Main PID: 1031 (firewalld)
>     Tasks: 2 (limit: 26213)
>    Memory: 33.5M
>    CGroup: /system.slice/firewalld.service
>            └─1031 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork >
> lines 1-9/9 (END)
> 
> As you can see, it is trimming the output at the end of my terminal
> window, which I do not care; there are options (-i I think) to make it
> wrap around, but the line
> 
> lines 1-9/9 (END)
> 
> is what is annoying me. That seems to be what I would expect if I
> piped it to less. I checked a fedora 31 and another centos 8 box and
> am seeing the same behaviour. Am I missing something?

See https://bugzilla.redhat.com/show_bug.cgi?id=713567 for info. It's
more of the systemd-mindset disease, and Schmidt looked to be pretty
intransigent in the face of concerted objection some years ago.

You either have to use: systemctl --no-pager status firewalld
Or you have to first do: export SYSTEMD_PAGER=

Maybe you could put the latter into a file in /etc/profile.d to make
it system-wide:

# echo 'export SYSTEMD_PAGER=' >>/etc/profile.d/systemd.sh
# echo 'setenv SYSTEMD_PAGER ""' >>/etc/profile.d/systemd.csh

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] systemd: Failed unmounting /var on reboot, should I worry about fs corruption?

2019-11-27 Thread Tony Mountifield
In article ,
Ján Lalinský  wrote:
> Hi all,
> 
> I have Centos 8 installed on a physical machine (www6) with separate LVM
> volumes for /, /var, /var/lib/mysql etc.
> 
> System boot proceeds without a hiccup, in terminal systemctl status says
> everything is OK and running, journalctl says so as well - systemd
> mounts everything stated in fstab.
> 
> However, on reboot systemd echoes problems with filesystem on /var :
> 
> ...// unmounting all volumes
> 
> Nov 26 23:51:30 www6 systemd[1]: Unmounting /var...
> Nov 26 23:51:30 www6 umount[2118]: umount: /var: target is busy.
> Nov 26 23:51:30 www6 systemd[1]: Stopped target Swap.
> Nov 26 23:51:30 www6 systemd[1]: Deactivating swap
> /dev/disk/by-label/lv_swap...
> Nov 26 23:51:30 www6 systemd[1]: var.mount: Mount process exited,
> code=exited status=32
> Nov 26 23:51:30 www6 systemd[1]: Failed unmounting /var.
> 
> Then proceeds and reboots the machine. This occurs on every reboot.
> 
> Did anybody here encounter similar problems on reboot?
> 
> I found this bug
> 
> https://github.com/systemd/systemd/issues/867
> 
> which was closed without a definitive solution, the developer says the
> issue is hard to solve and just cosmetic since /var gets unmounted in
> the end anyway, which is strange because there is a log line about
> unmounting just about every other mountpoint and in the end of the
> journal, there are about 7 log lines about unmounting swap volume, but
> zilch about /var. If the system is getting down without proper unmount,
> data corruption can happen. I would feel much better if there were no
> such errors...

You need to un-hide and read the hidden comments on that bug. They give
a few different workarounds, but also indicate that the issue has indeed
been solved in a later version of systemd. But that was only in April of
this year; I don't know which version of upstream systemd was used in
RHEL/CentOS 8. Maybe the fixed version won't appear until 8.2? Some of
the workarounds such as lazy unmount for /var ought to work in the
meantime.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] yum install fails - itertoolsmodule.so

2019-11-08 Thread Tony Mountifield
> -- 
> Gary Stainburn
> Group I.T. Manager
> Ringways Garages
> http://www.ringways.co.uk 
> https://fundraise.cancerresearchuk.org/page/gary-walks-all-over-cancer-31
> 


-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] udev on CentOS7 - can't get a match, looking for tips...

2019-10-29 Thread Tony Mountifield
In article <7025a0a8-1471-530d-dad0-3770e902c...@uw.edu>,
John H Nyhuis  wrote:
> The mtx binary requires my tape library to be assigned a sg# driver, but 
> the kernel periodically renumbers the sg devices.  Normally, we would 
> write a udev rule to manually assign a persistent name, but it looks 
> like things have changed as I can't seem to get a match on CentOS7.  I'd 
> appreciate any feedback or pointers to help me get my rule working.  My 
> two attempts are below.
> 
> cat /etc/udev/rules.d/90-local.rules
> 
> KERNEL=="sg[0-9]*", SUBSYSTEM=="scsi_generic", \
> ENV{ID_SERIAL}=="1QUANTUM_D0H0112430_LLA", SYMLINK+="sg8"
> 
> SUBSYSTEM=="scsi", SUBSYSTEMS=="scsi_genric", \
> ATTRS{model}=="Scalar i40-i80  ", SYMLINK:="sg8"

You have a typo: scsi_genric instead of scsi_generic.

Don't know if that is the reason.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Gstreamer1

2019-10-15 Thread Tony Mountifield
In article 
,
Jerry Geis  wrote:
> How do  I tell from source rpm's:
> 1) the build order of gstreamer packages
> 2) the command line args for the ./configure
> 
> For centos 7.

Look in the .spec file, specifically at the %prep, %build, and %install sections.

For more than you ever wanted to know, see http://ftp.rpm.org/max-rpm/
particularly chapter 13.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] SquidGuard update in EPEL

2019-10-01 Thread Tony Mountifield
In article ,
Nicolas Kovacs  wrote:
> Le 01/10/2019 à 09:05, Liam O'Toole a écrit :
> > [...]
> > 
> > FWIW, the current release has squidguard 1.6
> > https://packages.debian.org/source/stable/squidguard
> 
> And this all begs the question: who's flying this plane?

According to that page, the maintainer is Joachim Wiedorn, joodeb...@joonet.de
I guess he could tell you!

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] audit freeing multiple contexts (when running certbot)

2019-09-17 Thread Tony Mountifield
Apologies if it's considered off-topic, but I'm not sure in what part
of the system the issue lies. So I am giving as much info as possible,
not knowing which is most relevant.

I have two VMs hosted on ESX, running CentOS 6.10
One has kernel 2.6.32-754.11.1.el6.i686 and the other has 2.6.32-754.18.2.el6.i686
Both have selinux, currently in permissive mode.

On both machines we have noticed messages like the following appear in /var/log/messages
from time to time:

Sep 17 10:32:28 merlin kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1)
Sep 17 10:32:28 merlin kernel: audit(:0): major=355 name_count=0: freeing multiple contexts (2)
Sep 17 10:32:29 merlin kernel: audit(:0): major=252 name_count=0: freeing multiple contexts (1)
Sep 17 10:32:29 merlin kernel: audit(:0): major=355 name_count=0: freeing multiple contexts (2)

On further investigation, this only happens when certbot-auto runs (under python 3.4),
whether or not it renews the certificate.

The above instance was created by running the following command:

[root@merlin ~]# date ; cd /opt/letsencrypt && ./certbot-auto renew ; date
Tue Sep 17 10:32:24 BST 2019
/opt/eff.org/certbot/venv/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live//fullchain.pem expires on 2019-11-15 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Tue Sep 17 10:32:30 BST 2019
[root@merlin letsencrypt]#

Has anyone else seen anything similar? Is it something that can be fixed,
or should be ignored?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] I broke "yum update" - C7

2019-08-30 Thread Tony Mountifield
In article <201908300952.37126.gary.stainb...@ringways.co.uk>,
Gary Stainburn  wrote:
> On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:
> > > 2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
> > > 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
> > 
> > [ ... ]
> > 
> > > Cannot retrieve metalink for repository: epel/x86_64. Please verify
> > > its path and try again
> > 
> > So can we check what version of the ca-certificates packages is being 
> > installed on your system?
> > 
> > And a check into a different direction: what's the date and time of that 
> > system? Does it fit or is it wrong? Time being not accurate can make SSL 
> > connections fail.
> 
> Firstly, thank you for your help with this Alexander.
> 
> I had already checked the system time. It was about 3 minutes out, but I fixed it anyway.  I have checked the RPM for
> the certificates, and it matches the one on another box that works.
> 
> 
> [root@stan2 ~]# date
> Fri 30 Aug 09:45:27 BST 2019
> [root@stan2 ~]# rpm -qa|grep cert
> ca-certificates-2018.2.22-70.0.el7_5.noarch
> [root@stan2 ~]# 

Can you verify the ca-certificates package on both your systems and compare?
Here is what my C7 box shows (same version package as yours):

[root@hp3 ~]# rpm -Vv ca-certificates
./etc/pki/ca-trust
./etc/pki/ca-trust/README
.  c /etc/pki/ca-trust/ca-legacy.conf
./etc/pki/ca-trust/extracted
./etc/pki/ca-trust/extracted/README
./etc/pki/ca-trust/extracted/java
./etc/pki/ca-trust/extracted/java/README
.M...  g /etc/pki/ca-trust/extracted/java/cacerts
./etc/pki/ca-trust/extracted/openssl
./etc/pki/ca-trust/extracted/openssl/README
.M...  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
./etc/pki/ca-trust/extracted/pem
./etc/pki/ca-trust/extracted/pem/README
.M...  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M...  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M...  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
./etc/pki/ca-trust/source
./etc/pki/ca-trust/source/README
./etc/pki/ca-trust/source/anchors
./etc/pki/ca-trust/source/blacklist
.  g /etc/pki/ca-trust/source/ca-bundle.legacy.crt
./etc/pki/java
./etc/pki/java/cacerts
./etc/pki/tls
./etc/pki/tls/cert.pem
./etc/pki/tls/certs
./etc/pki/tls/certs/ca-bundle.crt
./etc/pki/tls/certs/ca-bundle.trust.crt
./etc/ssl
./etc/ssl/certs
./usr/bin/ca-legacy
./usr/bin/update-ca-trust
.  d /usr/share/doc/ca-certificates-2018.2.22/README
.  d /usr/share/man/man8/ca-legacy.8.gz
.  d /usr/share/man/man8/update-ca-trust.8.gz
./usr/share/pki
./usr/share/pki/ca-trust-legacy
./usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
./usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
./usr/share/pki/ca-trust-source
./usr/share/pki/ca-trust-source/README
./usr/share/pki/ca-trust-source/anchors
./usr/share/pki/ca-trust-source/blacklist
./usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
[root@hp3 ~]#

And you could try re-installing ca-certificates on the offending box.

# yum --disablerepo=\* --enablerepo=base --enablerepo=updates reinstall ca-certificates

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] browsers slowing Centos 7 installation to a crawl

2019-08-06 Thread Tony Mountifield
In article ,
Michael Hennebry  wrote:
> 
> I'll need to do some digging to discover whether my box needs DDR2 or DDR3.
> I doubt it's DDR4.

Do:

# dmidecode | less

and look for the entries for the existing RAM you have. It will also tell
you if you have any unpopulated RAM slots ("No module installed").

It won't tell you the maximum size RAM each slot will take. For that, you
would need to look up the specs for the motherboard or system (you can find
the model number in the dmidecode output too).

Or you can go to the website for a memory vendor such as Crucial or
Kingston and enter your model number, and it will tell you what RAM is
compatible and what it costs.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] mariadb: How to delete foreign key constraint from non-existing table?

2019-04-24 Thread Tony Mountifield
In article ,
hwilmer  wrote:
> 
> Hi,
> 
> somehow phpmyadmin messed things up when I was trying to modify a table. 
>   The table disappeared, and now it's impossible to re-create it:
> 
> 
> MariaDB [time]> create table etikettend_metainfo (userID integer(6) unsigned, stationsnummer integer(4) unsigned, primary key (userID));
> ERROR 1005 (HY000): Can't create table `time`.`etikettend_metainfo` (errno: 150 "Foreign key constraint is incorrectly formed")
> MariaDB [time]> show tables like 'etikettend%';
> +------------------------------+
> | Tables_in_time (etikettend%) |
> +------------------------------+
> | etikettend_etikettentypen    |
> | etikettend_stationen         |
> +------------------------------+
> 2 rows in set (0.001 sec)
> 
> 
> Since the table has vanished, I'm finding myself unable to remove the 
> key constraints, and trying to disable them was also unsuccessful.
> 
> It is not necessary to recover the vanished table because it had just 
> been created and was still empty anyway.
> 
> But how do I fix this?

Have a look at the troubleshooting information at:
https://mariadb.com/kb/en/library/innodb-troubleshooting-overview/

You might also find useful information in the MySQL documentation at:
https://dev.mysql.com/doc/refman/5.5/en/innodb-troubleshooting-datadict.html

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] When should I reboot?

2019-04-13 Thread Tony Mountifield
In article ,
Kenneth Porter  wrote:
> I reboot when I yum update to a new kernel or systemd, which seems to come 
> out about once a month. Should I do it for this week's glibc? Is that 
> "core" enough to justify a reboot or should I wait for the next kernel 
> update? I know the glibc update was mainly to handle the new Japanese 
> calendar, so that shouldn't affect my usage. So my question is more about 
> how shared libraries work and whether anything bad would happen with 
> different forks of running services (mainly the mail suite with dovecot and 
> the various content scanners launched by sendmail) running different 
> versions of the library based on when they were started. 

That shouldn't matter. The running programs will have mapped the original
glibc into memory, which will create a reference to the original inode, even
though the directory entries pointing to it are gone. See the output of "lsof"
for one of those processes, and you will see the libraries tagged as (deleted).

Any program started after the glibc update will open and map the new libraries,
independently of any open instances of the old ones.

Both old and new libraries will occupy their own separate disk space until the
last reference to the old library is closed, by terminating all programs using
it, at which time the disk space occupied by the old libraries will be released.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
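
The point made in the reply above can be checked per process: a library whose file was replaced on disk stays mapped, and /proc/PID/maps marks it "(deleted)" until the process is restarted. The script below is an added example, not part of the original message; its function names and the sample /proc tree are constructed for illustration.

```shell
#!/bin/sh
# List processes that still map shared libraries whose files were replaced on
# disk (for example by a glibc update) and so keep running the old code.

# stale_maps FILE: print each deleted shared object mapped in a maps-format file.
stale_maps() {
    awk '$NF == "(deleted)" && NF >= 7 {
        path = $6                                   # field 6 onward is the pathname
        for (i = 7; i < NF; i++) path = path " " $i
        if (path ~ /\.so([.;]|$)/) print path       # libraries only, not /dev/zero etc.
    }' "$1" 2>/dev/null | LC_ALL=C sort -u          # one line per library, not per segment
}

# scan_stale_libs [PROCROOT]: print "pid<TAB>command<TAB>library" for every hit.
scan_stale_libs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        stale_maps "$maps" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$name" "$lib"
        done
    done
}

# make_sample_proc DIR: build a constructed /proc-like tree for trying the scan.
# PID 101 started before a library update, PID 202 after it.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo dovecot  > "$1/101/comm"
    echo sendmail > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
00400000-004b2000 r-xp 00000000 fd:00 131090 /usr/sbin/dovecot
7f10a0000000-7f10a01c3000 r-xp 00000000 fd:00 393234 /usr/lib64/libc-2.17.so (deleted)
7f10a03c3000-7f10a03c7000 r--p 001c3000 fd:00 393234 /usr/lib64/libc-2.17.so (deleted)
7f10a0600000-7f10a0667000 r-xp 00000000 fd:00 393301 /usr/lib64/libssl.so.1.0.2k (deleted)
7f10a0900000-7f10a0901000 rw-s 00000000 00:04 1021 /dev/zero (deleted)
7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0 [stack]
EOF
    cat > "$1/202/maps" <<'EOF'
00400000-004f1000 r-xp 00000000 fd:00 131455 /usr/sbin/sendmail.sendmail
7f55c0000000-7f55c01c4000 r-xp 00000000 fd:00 401122 /usr/lib64/libc-2.17.so
EOF
}

# Scan the live system only when asked: sh stale-libs.sh --scan (run as root
# to see every process; unreadable maps files are skipped silently).
if [ "${1:-}" = "--scan" ]; then
    scan_stale_libs /proc
fi
```

Services listed by the scan keep the pre-update code until they are restarted, which is the case a reboot would otherwise cover.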


Re: [CentOS] Kernel panic after removing SW RAID1 partitions, setting up ZFS.

2019-04-09 Thread Tony Mountifield
In article <6566355.ijnrhnp...@tesla.schoolpathways.com>,
Benjamin Smith  wrote:
> System is CentOS 6 all up to date, previously had two drives in MD RAID 
> configuration. 
> 
> md0: sda1/sdb1, 20 GB, OS / Partition
> md1: sda2/sdb2, 1 TB, data mounted as /home 
> 
> Installed kmod ZFS via yum, reboot, zpool works fine. Backed up the /home data
> 2x, then stopped the sd[ab]2 partition with: 
> 
> mdadm --stop /dev/md1; 
> mdadm --zero-superblock /dev/sd[ab]1; 

Did you mean /dev/sd[ab]2 instead?

> Removed /home in /etc/fstab. Used fdisk to set the partition type to gpt for 
> sda2 and sdb2, then built *then destroyed* a ZFS mirror pool using the two 
> partitions. 
> 
> Now the system won't boot, has a kernel panic. I'm remote, so I'll be going in
> tomorrow to see what's up. My assumption is that it has something to do with
> mdadm/RAID not being "fully removed". 
> 
> Any idea what I might have missed? 

I think it's because you clobbered md0 when you did --zero-superblock on sd[ab]1
instead of 2.

Don't you love it when some things count from 0 and others from 1?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Problem with mdadm, raid1 and automatically adds any disk to raid

2019-02-25 Thread Tony Mountifield
In article <20190225050144.ga5...@button.barrett.com.au>,
Jobst Schmalenbach  wrote:
> Hi.
> 
> CENTOS 7.6.1810, fresh install - use this as a base to create/upgrade new/old machines.
> 
> I was trying to setup two disks as a RAID1 array, using these lines
> 
>   mdadm --create --verbose /dev/md0 --level=0 --raid-devices=2 /dev/sdb1 /dev/sdc1
>   mdadm --create --verbose /dev/md1 --level=0 --raid-devices=2 /dev/sdb2 /dev/sdc2
>   mdadm --create --verbose /dev/md2 --level=0 --raid-devices=2 /dev/sdb3 /dev/sdc3
> 
> then I did a lsblk and realized that I used --level=0 instead of --level=1 (spelling mistake)
> The SIZE was reported double as I created a striped set by mistake, yet I wanted the mirrored.
> 
> Here starts my problem, I cannot get rid of the /dev/mdX no matter what I do (try to do).
> 
> I tried to delete the MDX, I removed the disks by failing them, then removing each array md0, md1 and md2.
> I also did
> 
>   dd if=/dev/zero of=/dev/sdX bs=512 seek=$(($(blockdev --getsz /dev/sdX)-1024)) count=1024
>   dd if=/dev/zero of=/dev/sdX bs=512 count=1024
>   mdadm --zero-superblock /dev/sdX
> 
> Then I wiped each partition of the drives using fdisk.

The superblock is a property of each partition, not just of the whole disk.

So I believe you need to do:

mdadm --zero-superblock /dev/sdb1
mdadm --zero-superblock /dev/sdb2
mdadm --zero-superblock /dev/sdb3
mdadm --zero-superblock /dev/sdc1
mdadm --zero-superblock /dev/sdc2
mdadm --zero-superblock /dev/sdc3

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Changing UID numbers

2019-02-21 Thread Tony Mountifield
In article <2f86eabc-697f-4f57-3a0a-f2e5da13d...@nist.gov>,
Chris Schanzle via CentOS  wrote:
> My guess is you used something like
> 
>    find -uid 500 -exec chown 1000 {} \;
> 
> This will start a chown process for each file, changing only one file at a time.  That's a lot of work the system has
> to do for each file!  But you probably know chown (and similar utilities) can take multiple file arguments, and 'find'
> can help you take advantage grouping many arguments with the '+' operator to -exec:
> 
>    find -uid 500 -exec chown 1000 {} +

Well I never knew that! Thanks. For many years I have been doing: find ... -print0 | xargs -0 ...

Ah, I see the newer syntax was introduced in CentOS 5. :-)

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] /boot partition running out of space randomly. Please help!

2019-02-13 Thread Tony Mountifield
In article ,
Sean Son  wrote:
> Hello all
> 
> First off, I am running Oracle Linux 7.6 on a Hyper-V 2016 VM for a
> customer. I know this is not an Oracle Linux mailing list, but because
> Oracle Linux and CentOS are so similar, to an extent, I figured why not ask
> on here because someone MIGHT know the answer.. Here is the issue.  I have
> a 600MB /boot partition allocated on a UEFI system. The /boot/efi partition
> is on a separate EFI partition.  Recently, I noticed that this system has
> been crashing every few minutes and when I checked the disk space, I
> noticed that the /boot partition has zero free space available.  I removed
> all of the old kernels and left the running kernel in place, in hopes that
> will free up some space. It freed up about 50MB or so, but  then the system
> would crash again. After I would reboot the VM to bring the system back up,
> I ran a df -h /boot, and the results were reporting ZERO disk space again
> for the /boot partition.. It makes absolutely no sense how a partition
> which is generally static UNLESS you move something into it, is running out
> of space after space has been manually freed up in the partition! What
> boggles me even more is that when I do an ls -lh /boot, the file systems do
> not add up to 600M (well 594M) at all.  See below:
> 
> df -h
> Filesystem Size  Used Avail Use% Mounted on
> devtmpfs   2.8G 0  2.8G   0% /dev
> tmpfs  2.8G 0  2.8G   0% /dev/shm
> tmpfs  2.8G  8.5M  2.8G   1% /run
> tmpfs  2.8G 0  2.8G   0% /sys/fs/cgroup
> /dev/mapper/VolGroup00-LogVolRoot   30G   19G   12G  63% /
> /dev/sda2  594M  594M 0 100% /boot
> /dev/sda1  238M  9.7M  229M   5% /boot/efi
> /dev/mapper/VolGroup00-LogVolHome  3.3G  415M  2.9G  13% /home
> tmpfs  565M 0  565M   0% /run/user/54321
> tmpfs  565M 0  565M   0% /run/user/1000
> 
> ]$ ls -lh /boot
> total 92M
> -rw-r--r--  1 root root 179K Dec 12 22:52 config-4.14.35-1844.0.7.el7uek.x86_64
> drwx------  3 root root  16K Dec 31  1969 efi
> drwx------. 2 root root   21 Feb  8 15:55 grub2
> -rw-------. 1 root root  54M Aug 28 12:31 initramfs-0-rescue-0287c4db206d4a9abe14f750b9091a01.img
> -rw-------  1 root root  22M Dec 21 17:24 initramfs-4.14.35-1844.0.7.el7uek.x86_64.img
> -rw-r--r--  1 root root 329K Dec 12 22:52 symvers-4.14.35-1844.0.7.el7uek.x86_64.gz
> -rw-r--r--  1 root root 3.6M Dec 12 22:52 System.map-4.14.35-1844.0.7.el7uek.x86_64
> -rwxr-xr-x. 1 root root 6.1M Aug 28 12:31 vmlinuz-0-rescue-0287c4db206d4a9abe14f750b9091a01
> -rwxr-xr-x  1 root root 7.2M Dec 12 22:52 vmlinuz-4.14.35-1844.0.7.el7uek.x86_64
> 
> I have no idea what is going on here and why the space keeps filling up and
> the VM crashing!  ANY and all help will be greatly appreciated! Thanks!

Firstly, to see the space taken by everything on /boot without including the
sub-mount /boot/efi, do this:

# du -axk /boot

Then if that doesn't account for all/most of the space, see if there are any
processes holding a deleted file open:

# fuser -m /boot

Like you, I don't know what might be trying to fill up /boot when you are not
installing a new kernel.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Upgrade CentOS 7.4 to 7.5 and don't want to upgrade it to 7.6

2019-01-07 Thread Tony Mountifield
In article <68ce2ebfe8545ef4eda869657c72b9be.squir...@webmail.bi.invoca.ch>,
Simon Matter via CentOS  wrote:
> > On Mon, Jan 7, 2019 at 5:49 PM Kenneth Porter wrote:
> >
> >> On 1/6/2019 10:51 PM, Kaushal Shriyan wrote:
> >> > the product does not support the latest CentOS Linux
> >> > release 7.6.1810 (Core) version as of now.
> >>
> >> What product and what, specifically, about 7.6 does it not support?
> >> Could you not just exclude the incompatible packages? You could then
> >> provide your own repo for the incompatible packages drawn from 7.5 and
> >> backport any security fixes for those packages yourself.
> >>
> >
> > Hi Kenneth,
> >
> > I am referring to https://docs.apigee.com/release/supported-software
> 
> Interesting, looking around apigee (part of Google) website I see a lot of
> words like "Security" or "TLS" and I'm wondering how this fits with only
> supporting outdated operating systems?

Well, it's only a month since CentOS "7.6" was released, and some of that
month has been taken up with Christmas holidays.

So I would think it is probably not a case of "we won't support 7.6" but rather
that "we haven't yet finished testing it on 7.6".

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] 'date' format differences between CentOS 6 and 7 using the en_GB locale ?

2018-11-15 Thread Tony Mountifield
In article <429fd6a2-d125-c231-b066-14a398da4...@moving-picture.com>,
James Pearson  wrote:
> Just noticed that the output of 'date' is different between CentOS 6 and 
> 7 when using the 'en_GB' locale - e.g.:
> 
> CentOS 6:
> 
>   % LANG=en_GB date
>   Thu Nov 15 11:42:46 GMT 2018
>   % LANG=en_US date
>   Thu Nov 15 11:42:56 GMT 2018
> 
> CentOS 7:
> 
>   % LANG=en_GB date
>   Thu 15 Nov 11:43:07 GMT 2018
>   % LANG=en_US date
>   Thu Nov 15 11:43:11 GMT 2018
> 
> i.e. with LANG=en_GB on CentOS 7, the day and month are swapped when 
> compared with CentOS 6
> 
> Any one know why the en_GB locale has changed between CentOS 6 and 7 ?
> 
> Thanks
> 
> James Pearson

Looks like a simple oversight or bug in RHEL 6 that was fixed for 7.
The latter is correct for UK standard usage. CentOS just follows RHEL.

It is defined in the file /usr/share/i18n/locales/en_GB

CentOS 6 has:

date_fmt"/

which translates to "%a %b %e", e.g. "Thu Nov 15"

CentOS 7 has:

date_fmt"/

which translates to "%a %e %b", e.g. "Thu 15 Nov"

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Postfix, system notifications and local servers

2018-06-25 Thread Tony Mountifield
In article <7919547a-2a23-901f-607e-5aef7300f...@microlinux.fr>,
Nicolas Kovacs  wrote:
> Hi,
> 
> I have CentOS 7 running on half a dozen public servers. For some stuff
> like automatic updates using yum-cron, I have Postfix installed with a
> relatively basic configuration. This allows me to send important
> notifications to my mail address i...@microlinux.fr. When there's a
> batch of updates, I get one mail per machine, so I can check quickly if
> everything went OK without having to connect to the server.
> 
> Now I'd also like to use this setup on machines that aren't in a
> datacenter and facing the Internet. For example, servers that have
> "dummy" hostnames like nestor.microlinux.lan or sauvegarde.scholae.lan.
> Is there a way I can setup Postfix so this machine can send an e-mail to
> i...@microlinux.fr, even if 'hostname --fqdn' returns a "dummy" hostname?

When you say "[not] facing the Internet", do those machines actually have
access to any other machines that ARE facing the internet? If not, then
you have to think "what possible route could an email take from the machine
to the email server for microlinux.fr?"

If they do have access to an internet-connected machine, then you could
set up postfix on the source machines to relay all emails via a suitable
SMTP mail relay. You do this by setting the "relayhost" option in the
config file /etc/postfix/main.cf. There are plenty of examples available
via Google.

You also need to think "What happens if an email from nestor.microlinux.lan
bounces for some reason? Where would the bounce go?" If the sender address
is indeed in the .lan domain, the bounce would be undeliverable, so you
might want to investigate sender address masquerading.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Use EPEL without redirection ?

2018-05-22 Thread Tony Mountifield
In article <3be1bec7-3d50-f8df-7012-982573d9a...@microlinux.fr>,
Nicolas Kovacs <i...@microlinux.fr> wrote:
> Hi,
> 
> Is there any way to deactivate the redirection to a mirror when using
> the third-party EPEL repository ?
> 
> Our network uses a transparent HTTP/HTTPS proxy with a local AC. We can
> create exceptions for sites like centos.org or
> download.fedoraproject.org, but whenever we want to install a package
> from EPEL, the mirror redirection causes an error due to redirection.
> 
> Any suggestions ?

Firstly in /etc/yum.repos.d/epel.repo you need to use baseurl instead
of mirrorlist. I assume you are already doing this.

So then you need to do a curl -i to the baseurl (change $basearch to either
i386 or x86_64) to see where it is redirecting you. For example:

$ curl -i http://download.fedoraproject.org/pub/epel/6/i386
HTTP/1.1 302 Found
Date: Tue, 22 May 2018 09:04:35 GMT
Server: Apache/2.4.29 (Fedora) mod_wsgi/4.5.15 Python/2.7
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Length: 0
Location: https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/
Content-Type: text/html; charset=UTF-8
AppTime: D=4793
AppServer: proxy14.fedoraproject.org

Then edit baseurl in epel.repo to use the URL listed in Location: instead,
changing the i386 or x86_64 back to $basearch

Then you can create an exception for the specific host you configured.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
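
The steps in the reply above (read the Location header from `curl -i`, put $basearch back, then create the proxy exception for that one host) can be scripted. This is an added example, not part of the original message; the function names are hypothetical and the sample response is constructed from the headers quoted in the message.

```shell
#!/bin/sh
# Derive a pinned EPEL baseurl and the host to whitelist from a `curl -i` response.

# Constructed sample: the 302 response quoted above, with the CRLF line endings
# that HTTP headers carry on the wire.
sample_response() {
    printf 'HTTP/1.1 302 Found\r\n'
    printf 'Server: Apache/2.4.29 (Fedora) mod_wsgi/4.5.15 Python/2.7\r\n'
    printf 'Content-Length: 0\r\n'
    printf 'Location: https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n'
    printf '\r\n'
}

# redirect_target: read response headers on stdin, print the Location value.
# Fails if the status is not a redirect or no Location header is present.
redirect_target() {
    tr -d '\r' | awk '
        NR == 1 && $2 !~ /^30[12378]$/ { exit }      # status line is not a redirect
        /^$/                            { exit }      # end of headers
        tolower($1) == "location:"      { loc = $2; exit }
        END { if (loc == "") exit 1; print loc }
    '
}

# pinned_baseurl URL ARCH: swap the trailing concrete arch for the literal
# string $basearch, as yum expects in a .repo file. Fails if URL does not end in ARCH.
pinned_baseurl() {
    url=${1%/}
    case $url in
        *://*/"$2") printf '%s/$basearch/\n' "${url%/*}" ;;
        *)          return 1 ;;
    esac
}

# mirror_host URL: the single hostname that needs the proxy exception.
mirror_host() {
    h=${1#*://}
    printf '%s\n' "${h%%/*}"
}

# Demo on the constructed sample: sh pin-epel.sh --demo
if [ "${1:-}" = "--demo" ]; then
    loc=$(sample_response | redirect_target) || exit 1
    printf 'baseurl=%s\n' "$(pinned_baseurl "$loc" i386)"
    printf 'proxy exception for: %s\n' "$(mirror_host "$loc")"
fi
```

Against a live server the input would be `curl -si http://download.fedoraproject.org/pub/epel/6/i386 | redirect_target`; the redirect target can differ between requests, so the pinned value is whichever mirror that one response named.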


Re: [CentOS] Vmware - Slightly off topic

2018-04-24 Thread Tony Mountifield
In article <cabr8-b6fcngogynq66nnmkslchatqa4orl09xy6abprv4h+...@mail.gmail.com>,
Jerry Geis <jerry.g...@gmail.com> wrote:
> Hi All,
> 
> What is the correct way to provide a CentOS 7 - VMware image for ESX ?
> 
> As an amateur to VMware - I thought - great I can get VMplayer and ESX
> should be able to import my image... Wrong... I even went through the
> trouble of "converting" to VMWare workstation and thinking ESX could import
> that - Apparently still Wrong...  I cannot for the life of me understand
> how one product family is so incompatible with itself. But that is another
> story.
> 
> I just want to be able to provide a pre-built image with CentOS 7 and my
> other programs on a bootable VMware image that is easily imported into any
> VMware platform - Workstation, ESX or other.
> 
> How is that accomplished ?
> Thanks for your thoughts and experience.

Looking at the results for 
https://www.google.co.uk/search?q=how+to+export+a+vmware+image
it looks like you need to export a built, working VM as an OVF.

Not sure which VMware products can do that. Possibly Workstation? The old, free
VMware server 1.0.10 that I use doesn't appear to have that feature.

You should then be able to copy the OVF file to another VMware host and import it.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Mirroring centos.org

2018-01-29 Thread Tony Mountifield
In article <canzsmmm6c_f+nupdjd+mgdexajvcfc1bdhpwdessbc2cr7d...@mail.gmail.com>,
Felipe Westfields <felipe.westfie...@gmail.com> wrote:
> Hello,
> 
> I would like to mirror the centos.org repository for an offline network. I
> don't need the ISO images, don't need any i386 stuff, and I think I
> probably don't need any of the source code rpms either. Most of the clients
> are CentOS 6.x, so I don't want to download the CentOS 7.x tree yet either
> (that will come soon, but separately from this one).
> 
> I tried using this command, but it still downloaded all of the i386
> sub-folders anyway, and I got about 15 gigs or so of stuff I didn't want.
> 
> wget -m -np --exclude-directories=i386 http://mirror.centos.org/centos-6/6/
> 
> I'm guessing there's a formatting mistake of some kind in this command. Do
> you need to specify the excluded sub-folders relative to the top directory
> you're downloading from? i.e. rather than "i386", you'd need to specify
> "/centos-6/6/updates/i386/"?

Don't use wget at all. Use rsync instead, from a mirror that supports it.
Here is what I use (in a nightly cron):

# cd /myrepo
# rsync -rltHvz --delete rsync://rsync.mirrorservice.org/mirror.centos.org/6/os/i386/ centos6/os/i386/
# rsync -rltHvz --delete rsync://rsync.mirrorservice.org/mirror.centos.org/6/updates/i386/ centos6/updates/i386/
# rsync -rltHvz --delete rsync://rsync.mirrorservice.org/mirror.centos.org/6/os/x86_64/ centos6/os/x86_64/
# rsync -rltHvz --delete rsync://rsync.mirrorservice.org/mirror.centos.org/6/updates/x86_64/ centos6/updates/x86_64/

Omit the ones you don't want.

There are other ideas listed at https://wiki.centos.org/HowTos/CreateLocalMirror

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Comparing directories recursively

2017-10-30 Thread Tony Mountifield
In article <20171027175431.e265479c4f9b4658fe217...@sasktel.net>,
Frank Cox <thea...@sasktel.net> wrote:
> On Sat, 28 Oct 2017 00:47:32 +0200
> Leon Fauster wrote:
> 
> > source:
> > 
> > find . -type f -exec md5sum \{\} \; > checksum.list
> > 
> > destination:
> > 
> > md5sum -c checksum.list
> 
> Wouldn't diff be faster because it doesn't have to read to the end of every file and it isn't really calculating
> anything?  Or am I looking at this in the wrong way.

If the files are the same (which is what the OP is hoping), then diff does
indeed have to read to the end of both files to be certain of this. Only
if they differ can it stop reading the files as soon as a difference
between them is found.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] [OT] Bash help

2017-10-25 Thread Tony Mountifield
In article ,
  wrote:
> Warren Young wrote:
> > On Oct 25, 2017, at 10:02 AM, Mark Haney  wrote:
> >>
> >> I have a file with two columns 'email' and 'total' like this:
> >>
> >> m...@example.com 20
> >> m...@example.com 40
> >> y...@domain.com 100
> >> y...@domain.com 30
> >>
> >> I need to get the total number of messages for each email address.
> >
> > This screams out for associative arrays.  (Also called hashes,
> > dictionaries, maps, etc.)
> >
> > That does limit you to CentOS 7+, or maybe 6+, as I recall.  CentOS 5 is
> > definitely out, as that ships Bash 3, which lacks this feature.
> 
> Associative arrays?
> 
> Awk! Awk! (No, I am not a seagull...)
> 
> sort file | awk '{ array[$1] += $2;} END { for (i in array) { print i "\t" array[i];}}'

Why the sort? It doesn't matter in what order the lines are read.
Wouldn't this give you the same?

awk '{ array[$1] += $2;} END { for (i in array) { print i "\t" array[i];}}' 
http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] System Start-Up Issue Progress

2017-07-04 Thread Tony Mountifield
In article <374968789.4117139.1499169677...@mail.yahoo.com>,
Chris Olson <chris_e_ol...@yahoo.com> wrote:
> My thanks to all that responded to my posting about our virtual
> machine CentOS 6 system start-up issue.  I found the alternative
> boot options to be the most helpful.  Interrupting the boot-up
> process with Alt-d or Escape allowed me to see what appears to
> be a quite normal string of start, install and mount activity.
> However, this process ends with the system hanging at the point
> below: 
> 
> Starting ipmidetectd: ipmidetectd: No nodes configured  [FAILED]
> Starting sendmail:
> 
> It is not clear to me whether the boot-up process is hanging due
> to the failed starting of ipmidetectd or sendmail, but I suspect
> that the ipmidetectd start up failure is the actual cause. It is
> not clear whether any IPMI related features were ever installed.

As another respondent said, the problem won't be ipmidetectd, as
that has successfully reported [FAILED].

So the problem is sendmail hanging during start-up.

I have in the past seen sendmail take an inordinately long time
to start up if it is unable to resolve or discover its hostname
in DNS.

You would probably find that if you waited a couple of minutes,
sendmail would eventually either start or fail, and the boot
continue.

But in the meantime, check your network configuration and the 
contents of /etc/resolv.conf. Make sure all nameservers listed
in that file do actually respond, and are able to resolve queries
for the machine's full hostname and IP address.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Low random entropy

2017-05-28 Thread Tony Mountifield
In article <792718e8-f403-1dea-367d-977b157af...@htt-consult.com>,
Robert Moskowitz <r...@htt-consult.com> wrote:
> 
> 
> On 05/26/2017 08:35 PM, Leon Fauster wrote:
> >> On 27.05.2017 at 01:09, Robert Moskowitz <r...@htt-consult.com> wrote:
> >>
> >> I am used to low random entropy on my arm boards, not an intel.
> >>
> >> On my Lenovo x120e,
> >>
> >> cat /proc/sys/kernel/random/entropy_avail
> >>
> >> reports 3190 bits of entropy.
> >>
> >> On my armv7 with Centos7 I would get 130 unless I installed rng-tools and 
> >> then I get ~1300.  SSH into one and it drops back to 30! for a few minutes.  Sigh.
> >>
> >> Anyway on my new Zotac nano ad12 with an AMD E-1800 duo core, I am seeing 
> >> 180.
> >>
> >> I installed rng-tools and no change.  Does anyone here know how to improve 
> >> the random entropy?
> >
> > http://issihosts.com/haveged/
> >
> > EPEL: yum install haveged
> 
> WOW!!!
> 
> installed, enabled, and started.
> 
> Entropy jumped from ~130 bits to ~2000 bits
> 
> thanks
> 
> Note to anyone running a web server, or creating certs.  You need 
> entropy.  Without it your keys are weak and attackable.  Probably even 
> known already.

Interesting. I just did a quick check of the various servers I support,
and have noticed that all the CentOS 5 and 6 systems report entropy in
the low hundreds of bits, but all the CentOS 4 systems and the one old
FC3 system all report over 3000 bits.

Since they were all pretty much stock installs, what difference between
the versions might explain what I observed?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Ignoring /run/user/X

2017-04-12 Thread Tony Mountifield
In article <cablobcmg4irxk7cw6xyhz9g6_0jug9_lq33zvyhdqe-jaxo...@mail.gmail.com>,
Cameron Smith <came...@networkredux.com> wrote:
> We are running into an issue relating to snmpd and the temporary partitions
> created in /run/user/ so any insight by someone with magical
> net-snmp skills would be much appreciated.
> 
> Our monitoring app walks all our servers.
> We modify /etc/snmp/snmpd.conf on all our servers to just have one line:
> rocommunity ourcommnuityname monitor.ing.app.ip
> 
> This has worked just fine for almost 10 years.
> 
> Since the release of CentOS 7 we are getting alerts for partitions not
> being found during walks and these are the temporary partitions that are
> ephemeral while a user is logged in:
> /run/user/0
> /run/user/65000
> 
> Seems if the partition is there when the monitor is set or is added while
> the monitor is active the monitor will keep looking for it and these are
> meant to go away.
> 
> We thought "OK we can just ignore those" so we added a line to
> /etc/snmpd.conf :
> ignoredisk /run/user/*
> 
> but that has not helped :(
> 
> Does anybody have a recommendation on how we can stop those partitions from
> being seen on walks so we can stop being alerted about partitions for which
> we are not interested in monitoring their available space?

I had a quick play with it on a C7 VM, and found the same as you have.

It would appear that ignoredisk only allows you to specify device names
(such as /dev/sda1 or /dev/cciss/*), and not mount points. For /run and
/run/user/*, they are not mounted on devices but on tmpfs.

I tried "ignoredisk tmpfs" to see if that would work, but it didn't appear to.

It also doesn't help that the SNMP output for the mount table doesn't seem
to include a column for the device that was mounted, only for the mount point.
And all the mount points are listed as type "hrFSOther", so you can't tell
the difference between real disks, tmpfs, and so on.

You probably need to get the SRPM for net-snmp and have a look at the area
of code that processes "ignoredisk".

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS-5 End of Life

2017-03-03 Thread Tony Mountifield
In article <cagkb5vfxkjcbpqwupuzg0xp8_gtgv+55+yrzf8vdf0maio9...@mail.gmail.com>,
James Hogarth <james.hoga...@gmail.com> wrote:
> On 3 March 2017 at 11:47, James Hogarth <james.hoga...@gmail.com> wrote:
> > On 3 March 2017 at 11:34, John Hodrien <j.h.hodr...@leeds.ac.uk> wrote:
> >> On Fri, 3 Mar 2017, Tony Mountifield wrote:
> >>
> >>> You mean just thrown away, or archived somewhere? Just thrown away would
> >>> seem rather irresponsible...
> >>
> >> Mirroring EPEL makes sense well before this point, as they don't keep old
> >> versions of packages online either AFAIK.
> >>
> >> jh
> >
> > Indeed they aren't kept ... and since there hasn't been an EOL of EPEL
> > before I honestly have no idea ... I've asked on the epel-devel
> > mailing list as to whether it'll move to archive like old fedora
> > releases do.
> 
> My mistake - I forgot there was an EPEL4 in the mists of time .. so
> the last version of the repo is likely to end up here:
> 
> http://archive.fedoraproject.org/pub/epel/

Cool, thanks!

Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS-5 End of Life

2017-03-03 Thread Tony Mountifield
In article 

Re: [CentOS] IPv6 broken on Linode

2017-02-16 Thread Tony Mountifield
In article <4cbb9dc4-f063-3434-b7a1-d4d0e6581...@domblogger.net>,
Alice Wonder <al...@domblogger.net> wrote:
> https://forum.linode.com/viewtopic.php?f=19=14570=72785
> 
> I can not figure out what I need to do.
> 
> Apparently according to linode support, the VM is trying to grab an IPv6 
> address with some privacy stuff enabled by default causing it to not 
> grab the IPv6 address that is assigned to me.

Does the accepted answer at the following link give you any useful hints?

http://superuser.com/questions/243669/how-to-avoid-exposing-my-mac-address-when-using-ipv6

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Script not running correctly as cronjob

2017-02-02 Thread Tony Mountifield
In article <9f43c460b0374ac3951c18dd2d477...@2sic.com>,
Daniel Reich <daniel.re...@2sic.com> wrote:
> Thank you for the hints
> 
> I modified like you described.
> I also moved the permission part out of the loop (once at the end of the 
> script is enough).
> 
> Now with the "set -x" the script is working also in cron.

The "set -x" would not be what made it work - it is a debugging aid only.

If it now works, then that is due to one of your other changes and you can
remove the "set -x" again if you wish.

Cheers
Tony

> Best regards
> Daniel
> 
> 
> 
> -Original Message-
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Tony Mountifield
> Sent: Wednesday, February 1, 2017 11:04 AM
> To: centos@centos.org
> Subject: Re: [CentOS] Script not running correctly as cronjob
> 
> In article <86827d81f1944333ae213f2d3f198...@2sic.com>,
> Daniel Reich <daniel.re...@2sic.com> wrote:
> > Hi
> > 
> > I have a script to resign all DNS zones every two weeks. When I run 
> > the script from bash, it works like it should. But when it is executed in 
> > cron, it does not. It's starting normally as a cronjob:
> > Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)
> > 
> > But afterwards I get a mail that everything is finished, but it isn't.
> > 03:04:28 DNSSEC-Signierung abgeschlossen
> > 
> > The script deletes the old signed zones, but doesn't resign them. The mail is 
> > also sent.
> > Below the script.
> > 
> > Anybody have an idea why it doesn't work in cron? I cannot find any error 
> > in any log.
> 
> After the first line, add a line saying: set -x
> 
> Then set cron to run it and examine the output that gets mailed to you.
> 
> The -x tells it to echo each command it is about to execute. That will help 
> you to see how far it is getting.
> 
> Further comments below.
> 
> Cheers
> Tony
> 
> > Best regards
> > Daniel
> > 
> > 
> > #!/bin/bash
> > KSKDIR="/etc/named/KSK"
> > ZSKDIR="/etc/named/ZSK"
> > ZONEDIR="/var/named/chroot/var/named"
> > LOG="/var/named/chroot/var/log/dnssec_resign.log"
> > MAILREC="monitor@xx"
> > 
> > #delete old signed files
> > rm -rf $ZONEDIR/*.signed
> > 
> > #delete the old log
> > rm -rf $LOG
> > 
> > #read the zonefiles
> > ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')
> > 
> > for FILES in $ZONEFILES; do
> > #remove the .zone at the end
> > ZONE=$(echo "${FILES%.*}")
> 
> Why not just: ZONE=${FILES%.*}
> 
> > #remove the old signed zone
> > rm -rf $ZONEDIR/$ZONE.signed
> 
> You deleted them all further up.
> 
> > #Sign the zone
> > cd $ZONEDIR
> 
> Why not do this before the loop? Then you also don't need $ZONEDIR/ 
> everywhere.
> 
> > dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
> > 
> > #Set the correct permissions
> > chown named.named $ZONEDIR/*.signed
> > chmod 755 $ZONEDIR/*.signed
> > sleep 5
> > done
> > rm -rf $ZONEDIR/named.zone
> > 
> > echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
> > echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
> > 
> > 
> > 
> 
> 
> --
> Tony Mountifield
> Work: t...@softins.co.uk - http://www.softins.co.uk
> Play: t...@mountifield.org - http://tony.mountifield.org 
> 


-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Script not running correctly as cronjob

2017-02-01 Thread Tony Mountifield
In article <86827d81f1944333ae213f2d3f198...@2sic.com>,
Daniel Reich <daniel.re...@2sic.com> wrote:
> Hi
> 
> I have a script to resign all DNS zones every two weeks. When I run the 
> script from bash, it works like it should. But when it is executed in 
> cron, it does not. It's starting normally as a cronjob:
> Feb  1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)
> 
> But afterwards I get a mail that everything is finished, but it isn't.
> 03:04:28 DNSSEC-Signierung abgeschlossen
> 
> The script deletes the old signed zones, but doesn't resign them. The mail is 
> also sent.
> Below the script.
> 
> Anybody have an idea why it doesn't work in cron?
> I cannot find any error in any log.

After the first line, add a line saying: set -x

Then set cron to run it and examine the output that gets mailed to you.

The -x tells it to echo each command it is about to execute. That will help
you to see how far it is getting.

Further comments below.

Cheers
Tony

> Best regards
> Daniel
> 
> 
> #!/bin/bash
> KSKDIR="/etc/named/KSK"
> ZSKDIR="/etc/named/ZSK"
> ZONEDIR="/var/named/chroot/var/named"
> LOG="/var/named/chroot/var/log/dnssec_resign.log"
> MAILREC="monitor@xx"
> 
> #delete old signed files
> rm -rf $ZONEDIR/*.signed
> 
> #delete the old log
> rm -rf $LOG
> 
> #read the zonefiles
> ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')
> 
> for FILES in $ZONEFILES; do
> #remove the .zone at the end
> ZONE=$(echo "${FILES%.*}")

Why not just: ZONE=${FILES%.*}

> #remove the old signed zone
> rm -rf $ZONEDIR/$ZONE.signed

You deleted them all further up.

> #Sign the zone
> cd $ZONEDIR

Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere.

> dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
> 
> #Set the correct permissions
> chown named.named $ZONEDIR/*.signed
> chmod 755 $ZONEDIR/*.signed
> sleep 5
> done
> rm -rf $ZONEDIR/named.zone
> 
> echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
> echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
> 
> 
> 


-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
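
An added example, not the poster's script and not code from the thread: the re-sign job restructured along the review comments above (one `cd`, `${file%.zone}`, no per-zone delete), plus one change the thread does not make: each zone is signed to a temporary name and renamed over the old `.signed` file only on success, so a run that fails under cron cannot leave zones unsigned. `SIGNER`, `OWNER`, the `--run` switch, the explicit `PATH`, the `*.zone` glob and mode 644 are assumptions of this example.

```shell
#!/bin/bash
# Added example. Paths default to the ones quoted in the thread; everything
# else (SIGNER, OWNER, --run, PATH, mode 644) is an assumption of this example.
KSKDIR=${KSKDIR:-/etc/named/KSK}
ZSKDIR=${ZSKDIR:-/etc/named/ZSK}
ZONEDIR=${ZONEDIR:-/var/named/chroot/var/named}
LOG=${LOG:-/var/named/chroot/var/log/dnssec_resign.log}
MAILREC=${MAILREC:-root}            # placeholder recipient
SIGNER=${SIGNER:-dnssec-signzone}   # overridable so the logic can be run with a stub
OWNER=${OWNER-named:named}          # set OWNER= (empty) to skip chown

# Sign one zone; the current directory must be $ZONEDIR.
# Output goes to a temporary name and replaces the live file only if signing
# succeeded, so a failure keeps the previous .signed file in place.
resign_zone() {
    zone=$1
    tmp="$zone.signed.new"
    if "$SIGNER" -o "$zone" -k "$KSKDIR"/K"$zone".*.key -e +3024000 \
            -f "$tmp" "$zone.zone" "$ZSKDIR"/K"$zone".*.key \
        && chmod 644 "$tmp" \
        && { [ -z "$OWNER" ] || chown "$OWNER" "$tmp"; }
    then
        mv -f "$tmp" "$zone.signed"   # rename inside one directory
    else
        rm -f "$tmp"
        return 1
    fi
}

# Re-sign every *.zone file; exit status is the number of zones that failed
# (255 if $ZONEDIR cannot be entered). Runs in a subshell so the caller's
# working directory is untouched.
resign_all() (
    cd "$ZONEDIR" || exit 255
    failed=0
    for file in *.zone; do
        [ -f "$file" ] || continue
        zone=${file%.zone}
        if resign_zone "$zone" >>"$LOG" 2>&1; then
            echo "$(date +%T) signed $zone" >>"$LOG"
        else
            echo "$(date +%T) FAILED $zone, previous signed file kept" >>"$LOG"
            failed=$((failed + 1))
        fi
    done
    exit "$failed"
)

run_job() {
    # cron starts jobs with a minimal environment, so name the directories
    # that hold the tools instead of relying on the login shell's PATH.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    : >"$LOG"
    rc=0
    resign_all || rc=$?
    if [ "$rc" -eq 0 ]; then
        subject="DNSSEC re-sign OK"
    else
        subject="DNSSEC re-sign FAILED ($rc)"   # the mail no longer claims success
    fi
    mail -s "$subject on $(hostname -s)" "$MAILREC" <"$LOG"
    return "$rc"
}

# Crontab would call the script with --run; without it only the functions load.
if [ "${1:-}" = "--run" ]; then run_job; fi
```

Reloading named after a successful run is left out here, as it is in the script quoted in the thread.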


Re: [CentOS] [Fwd: The CentOS list]

2017-01-31 Thread Tony Mountifield
In article <37213.128.135.52.6.1485815997.squir...@cosmo.uchicago.edu>,
Valeri Galtsev <galt...@kicp.uchicago.edu> wrote:
> Dear All,
> 
> Mark has problem sending mail to centos@centos.org list... He has trouble
> with flash plugin on CentOS 6, please, take a look at his e-mail below.
> I'll try to see what I can do to help, but what I can do definitely is no
> match to Experts on this list.
> 
> Thanks in advance!
> 
> Valeri

Mark's original message asking about flash-plugin did eventually show up,
as I'm sure people have seen by now.

Looking at its Received headers, it appears it got stuck for 5 hours at
Mark's email provider. It was submitted to host290.hostmonster.com using
squirrelmail at 18:56 GMT, but didn't leave that machine for the next hop
(cmgw2) until 23:55 GMT.

Hope this helps!
Cheers
Tony

>  Original Message 
> Subject: The CentOS list
> From:m.r...@5-cent.us
> Date:Mon, January 30, 2017 3:11 pm
> To:  "Valeri Galtsev" <galt...@kicp.uchicago.edu>
> --
> 
> Hi, Valeri,
> 
>I've tried, twice, to post to the list today, and they neither show up,
> *nor* do I get a blocked message - they just go to /dev/null.
> 
>The second was just a test, the first was asking if anyone else was
> seeing, with CentOS 6 (updated) flash-plugin crashing every 10-15 min.
> And there's no downgrade for it.
> 
>mark

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS 7 install on one RAID 1 [not-so-SOLVED]

2017-01-26 Thread Tony Mountifield
In article <5ef97952-14c0-6ad2-0803-c24691a68...@gmail.com>,
Gordon Messmer <gordon.mess...@gmail.com> wrote:
> On 01/26/2017 01:40 AM, Tony Mountifield wrote:
> > Anaconda doesn't set up the boot sector on the second drive by default,
> > so I put some grub commands in the post-install section of kickstart
> > to do so.
> 
> 
> I can't attest that it *works* (mostly since I use UEFI everywhere 
> possible) but anaconda definitely attempts to install grub on each drive 
> with a copy of /boot:
> 
> https://github.com/rhinstaller/anaconda/blob/master/pyanaconda/bootloader.py

Thanks, that's interesting to know. When I first started doing this it was on
CentOS 4, and I'm pretty sure the second drive didn't get grubbed back then,
which would be what prompted me to add the post-install grub for the second
drive at that time.

I never went back to check whether the need had been obviated in CentOS 5 or 6.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS 7 install on one RAID 1 [not-so-SOLVED]

2017-01-26 Thread Tony Mountifield
In article <1485416344.2047.1.ca...@biggs.org.uk>,
Pete Biggs <p...@biggs.org.uk> wrote:
> 
> > 
> > If you are using RAID 1 kernel mirroring, you can do that with /boot too,
> > and Grub finds the kernel just fine. I've done it many times:
> > 
> > 
> Hmm, OK. I wonder why anaconda doesn't do it then.
> 
> Reading various websites, it looks like grub2 can do it, but you have
> to make sure that various grub modules are installed first - i.e. do
> something like 
> 
>   grub-install --modules='biosdisk ext2 msdos raid mdraid' /dev/xxx
> 
> I don't know if they are added by default these days.

I don't know, but I've never had to do it, when using plain mirroring,
on either C4, C5 or C6.  I can imagine you would need to if /boot was
RAID 0 striped, if indeed that is even possible.

> The other gotcha is, of course, that the boot sectors aren't RAID'd -
> so if /dev/sda goes, replacing it will make the system unbootable since
> it doesn't contain the boot sectors. Hot swap will keep the system
> running but you have to remember to re-install the correct boot sector
> before reboot. If you have to bring the machine down to change the
> disk, then things could get interesting!

Yup, been there, done that. So long as you use grub to install the boot
sector on both drives, then you can always tell the BIOS to boot from
the other drive to bring the system up after replacing the first disk.

Anaconda doesn't set up the boot sector on the second drive by default,
so I put some grub commands in the post-install section of kickstart
to do so.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS 7 install on one RAID 1 [not-so-SOLVED]

2017-01-25 Thread Tony Mountifield
In article <1485342377.3072.6.ca...@biggs.org.uk>,
Pete Biggs <p...@biggs.org.uk> wrote:
> On Tue, 2017-01-24 at 17:14 -0500, m.r...@5-cent.us wrote:
> > So, it installed happily.
> > 
> > Then wouldn't boot. No problem, I'll bring it up with pxe, then chroot and
> > grub2-install.
> > 
> > Um, nope. I edited the device map from hd0 and hd1 being the RAID to
> > /dev/sda and /dev/sdb, then ran grub2-install. It now tells me it can't
> > identify the filesystem on hd0, and can't perform a safety check, and
> > gives up.
> > 
> > What am I missing? Google is not giving me any answers
> > 
> 
> Surely, if you are using software RAID, then you should configure that
> RAID in anaconda, that will then cope with setting up the partitions to
> allow booting.  Basically it needs a small non-RAID partition to hold
> /boot on the boot disk.
> 
> Remember that the boot sequence is generally: BIOS reads MBR and
> executes it; MBR code reads kernel from /boot and executes it (yes,
> it's more complicated than that). If the MBR code doesn't know how to
> read a RAID partition, then it's going to fail, that's why you have a
> small non-RAID partition to hold /boot.
> 
> Hardware RAID is different because it interfaces at the BIOS level so
> the MBR code doesn't need to know how to specifically read it.

If you are using RAID 1 kernel mirroring, you can do that with /boot too,
and Grub finds the kernel just fine. I've done it many times:

1. Primary partition 1 type FD, size 200M. /dev/sda1 and /dev/sdb1.
2. Create /dev/md0 as RAID 1 from /dev/sda1 and /dev/sdb1.
3. Assign /dev/md0 to /boot, ext3 format (presumably ext4 would work too?)
4. Make sure to setup both drives separately in grub.

Typically I then go on to have /dev/sda2+/dev/sdb2 => /dev/md1 => swap,
and /dev/sda3+/dev/sdb3 => /dev/md2 => /

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C6: latest util-linux-ng dependency on kernel?

2016-11-21 Thread Tony Mountifield
In article 

[CentOS] C6: latest util-linux-ng dependency on kernel?

2016-11-21 Thread Tony Mountifield
I am just applying the latest C6 updates to a couple of KVM Linodes.
It appears that the latest update of util-linux-ng has added a new
dependency on the kernel package.

On these VMs, the kernel package is not normally installed, and the VM
runs a host-supplied kernel. But now, a "yum update" wants to install for
dependencies kernel, kernel-firmware and grubby, none of which should be
necessary in this environment.

I have allowed it on one Linode and rebooted it. All seems ok and it is
still running the host-supplied kernel, but it still grates that an
unused kernel should have been required to be installed.

Is this an error in util-linux-ng, or a real new requirement?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

2016-11-01 Thread Tony Mountifield
In article <5818cd31.4050...@moving-picture.com>,
James Pearson <jame...@moving-picture.com> wrote:
> Leonardo Oliveira Ortiz wrote:
> > RedHat and Centos 4.x can be explored by this flaw?
> 
> See:
> 
>   https://access.redhat.com/security/cve/cve-2016-5195

In other words, no: RHEL 4 and CentOS4 are not affected by this flaw.

Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Networking/routing issue

2016-09-03 Thread Tony Mountifield
In article <003101d205da$b35b9a20$1a12ce60$@palmettoshopper.com>,
TE Dukes <tdu...@palmettoshopper.com> wrote:
> > Hello,
> > 
> > I've been working on this for over a week. I don't think its working the
> > way it should.
> > 
> > Here's what I'm trying to do:
> > 
> > I have a Windstream dsl router with wireless > 192.168.1.100
> > |
> > |
> > Centos 6.8 server eth0  > 192.168.1.110 > gateway 192.168.1.111
> >  eth1 > 192.168.1.111 > gateway
> > 192.168.1.100
> > |
> > |
> > Switch > other computers and devices > gateway 192.168.1.110
> > 
> > I want to send all internal traffic through 192.168.1.110, all external
> > traffic through 192.168.1.111, then back through 192.168.1.110.
> > 
> [Thomas E Dukes] 
> The above needs a little clarification: all external traffic through
> 192.168.1.111 > 192.168.1.110> all other computers and devices.

Assuming your subnet mask is 255.255.255.0, you have both interfaces on the
same subnet, which won't work. You have two options:

1. Change the third number on the DSL router and on eth1, e.g. 192.168.2.100
   and 192.168.2.111

2. Change the third number on eth0 and all the other computers and devices.

Either of the above options will work. Choose whichever gives you least hassle.

You need to make sure that all of the other devices have the address of your
server's eth0 set as their default gateway. The server needs to have the
address of the router as its default gateway.

If the other devices want to get their addresses via DHCP (a good idea), you
will need to run a DHCP server on your server machine, as they will be isolated
from the router.

You will also need to make sure IP forwarding is enabled on the server.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Can't connect trough SSH to a new fresh CentOS 7 minimal server

2016-08-05 Thread Tony Mountifield
In article <f1ccc75a-62b5-b7a5-67da-371a28127...@gmail.com>,
Monty Shinn <monty.shinn...@gmail.com> wrote:
> A few things you might try:
> 
> 1. Verify ssh is listening:
> 
> netstat -antp | grep :22 | grep -i listen

netstat -lntp | grep :22

If you give -l instead of -a, it only shows listening sockets.

Just a useful hint - it was ages before I discovered that!

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] ipmitool and CentOS 7

2016-05-19 Thread Tony Mountifield
In article <9cf631373071c5bea4449327175be454.squir...@host290.hostmonster.com>,
 <m.r...@5-cent.us> wrote:
> 
> A side note, for the person who suggested uname -s - that produces Linux.
> -n produces the FQDN.

That was I, but I wasn't suggesting $(uname -s), rather $(hostname -s)

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] google cloud compute with PEM file

2016-05-17 Thread Tony Mountifield
In article <573b48c8.1070...@consistentstate.com>,
Dustin Kempter <dust...@consistentstate.com> wrote:
> Hi all,
>  I am using the google cloud compute engine and we have a client 
> that does not want to share their ssh keys. So I have been attempting to 
> set up a PEM file for ssh access. Both the local server I used for 
> testing and the cloud vm are centos 6.
> 
> I created a user on the cloud box, ran "ssh-keygen -t rsa" and took the 
> defaults. I then copied the id_rsa.pub file to the local centos box, 
> renamed it then made my test user the owner of the file. I then 
> attempted to connect to the user I created on the google cloud box with 
> the PEM file as shown below, but got the following error.
> 
> [test1@pgpool1 ~]$ ssh -i /home/test1/my-key.txt upload@815.677.151.45
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> 
> Have any of you done this successfully before? Or know what the issue 
> may be?

Try adding -v to the ssh command, to get more information.

But also, on the server you are trying to log in to, the public key
needs to be copied into ~/.ssh/authorized_keys - not left in its own file.

Also make sure that the ~/.ssh/ directory is owned by the user and has
permissions of 700.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Systemd and VirtualBox

2016-05-17 Thread Tony Mountifield
In article <20160517130235.ga6...@fcshome.stoneham.ma.us>,
Fred Smith <fre...@fcshome.stoneham.ma.us> wrote:
> On Tue, May 17, 2016 at 08:58:16AM +0100, John Hodrien wrote:
> > On Tue, 17 May 2016, Rob Kampen wrote:
> > 
> > >No idea where to from here, so if there is anyone that has a
> > >working systemd autostart VirtualBox setup on a headless CentOS 7
> > >server - please advise what you have done to get it working.
> > 
> > I deliberately bailed on VirtualBox when we moved to C7, as KVM offered
> > everything I needed with less hassle.
> > 
> > I take it you've considered switching?
> > 
> > jh
> 
> I don't understand the issue... I've installed Centos-7 on Virtualbox
> without hassle. it just runs.

That sounds like you mean C7 as a guest. I've done that easily too.

> what problem are you trying to solve?

It sounds like he is talking about C7 as a host. I haven't tried that.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] ipmitool and CentOS 7

2016-05-17 Thread Tony Mountifield
In article <6e52db905de447530ff164eb9130a9fc.squir...@host290.hostmonster.com>,
 <m.r...@5-cent.us> wrote:
> On Dells running CentOS 6, we could use this command
> ipmitool delloem lcd set mode userdefined "$(uname -n | sed -e 's/\..*//' )"
> to set the little LCD screen to display the system name, In the latest
> sevens, it fails, and gives me usage for the command... which displays
> exactly that syntax.
> 
> Anyone have a clue?

What do you get if you put "echo" before "ipmitool" to see the whole command
instead of executing it?

Have you tried running it with a literal name for testing?

And instead of munging the output of uname, you can just do $(hostname -s)

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Suddenly increased my hard disk

2016-04-07 Thread Tony Mountifield
In article <cajqdrfixwbwj5o+gpxtib4t41qn9yrhe2ujta0uvntoqqcw...@mail.gmail.com>,
Chandran Manikandan <tech2m...@gmail.com> wrote:
> Hi All,
> 
> I have a CentOS 6.5 32-bit machine running.
> This machine is running qmailtoaster packages and the mailbox size is 385 GB.
> 
> If I run the df -h command, it shows 385 GB out of 1 TB.
> 
> I ran the same command today and it suddenly shows 576 GB out of 1 TB.
> 
> I didn't update any bulk file and the mail transaction volume is not very high.
> 
> How do I check this issue and fix it?
> 
> How do I find out why it is suddenly showing this much of an increase in the size
> of the hard disk?

You can look to see what files have been created or altered in the last
day by using "find" (as root):

# find / -xdev -type f -ctime -1 -ls

For the last 2 days, change the -1 to -2

You can read "man find" to understand the options.

This will only show you files that still exist in the filesystem. If a large
file has been created and is still held open although deleted (unlinked),
it will not show up. But in that case, you can either search for it with
"lsof", or just reboot the system to reclaim the space.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
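
An added example (not from the thread) for the case the reply describes, where a large file is deleted but still held open and so is counted by df while being invisible to find: it reads /proc directly, so it works where lsof is not installed, and needs root to see other users' processes. The function names and output columns are this example's own.

```shell
#!/bin/sh
# Added example. Lists files that are unlinked but still held open by a process.
# "lsof +L1" reports the same set where lsof is installed.
#
# Usage: list_deleted_open [path-prefix]
# Output, tab separated: size-in-bytes  dev:inode  pid  fd  original-path
list_deleted_open() {
    prefix=${1:-/}
    for fd in /proc/[0-9]*/fd/*; do
        # The kernel appends " (deleted)" to the link target of an unlinked file
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            "$prefix"*" (deleted)")
                # stat -L follows the /proc link to the still-existing inode
                info=$(stat -L -c '%s %d:%i' "$fd" 2>/dev/null) || continue
                pid=${fd#/proc/}
                pid=${pid%%/*}
                printf '%s\t%s\t%s\t%s\t%s\n' \
                    "${info% *}" "${info#* }" "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Total bytes held under a prefix. The same inode can be open in several
# processes (or on several descriptors), so count each dev:inode once.
deleted_open_bytes() {
    list_deleted_open "${1:-/}" |
        awk -F'\t' '!seen[$2]++ { sum += $1 } END { print sum + 0 }'
}
```

`list_deleted_open /var | sort -rn | head` shows the largest holders first; restarting the process named in the pid column releases the space without a reboot.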


Re: [CentOS] In A UEFI World, "rm -rf /" Can Brick Your System

2016-02-02 Thread Tony Mountifield
In article <75d47fdc6a99f24f87a6465baf326d5018c50...@columba02.user.uu.se>,
Sorin Srbu <sorin.s...@orgfarm.uu.se> wrote:
> > -Original Message-
> > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> > Behalf Of m.r...@5-cent.us
> > Sent: 1 February 2016 20:34
> > To: CentOS
> > Subject: [CentOS] In A UEFI World, "rm -rf /" Can Brick Your System
> > 
> > As a public service announcement, recursively removing all of your files
> > from / is no longer recommended. 
> 
> I'm not following, has it ever been recommended (on a working system)??
> 
> Or is this one of those ironic posts? 8-)

I think the point is that hitherto, if you kill a system with "rm -rf /",
you can still do a re-installation from scratch. If I understand correctly
what people are saying, killing the UEFI stuff stops you ever being able
to do a re-install on that box. Is that correct? Is there no way to do a
factory reset of the BIOS?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] NTP Service Running on Local Host does not Sync System Time

2016-01-27 Thread Tony Mountifield
In article <56a88188.6070...@hogranch.com>,
John R Pierce <pie...@hogranch.com> wrote:
> On 1/27/2016 12:25 AM, Traiano Welcome wrote:
> > I'm tempted to stick an "ntpdate -u ..." in the crontab to force
> > time-synch, but I don't see why that's needed if ntpd service should
> > already be fulfilling that purpose.
> 
> 
> ntpd won't make drastic changes in the time, if it's too far off. It's
> designed to stabilize the clock by making small changes in speeding it 
> up or slowing it down, and not 'staircase' setting it absolutely.
> 
> IMHO, ntpdate -u should be run before starting ntpd so the clock is 
> close to spot on up front, I have sometimes added this to the 
> /etc/init.d/ntp scripts.

You don't need to do that. If you have one or more ntp servers listed
in /etc/ntp/step-tickers, the startup scripts will do it for you
automatically. In C5 the ntpd script does it. In C6 you have to
do "chkconfig ntpdate on" too, as it is separate from the ntpd script.
In C7 I have no idea :-)

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Fwd: Heads up: OpenSSH users (CentOS 7+)

2016-01-14 Thread Tony Mountifield
In article <5697cab8.6090...@wemoto.com>, Michael H <mich...@wemoto.com> wrote:
> Probably worth a read...
> 
> http://www.openssh.com/txt/release-7.1p2
> 
> > Important SSH patch coming soon.  For now, everyone on all operating
> > systems, please do the following:
> >
> > Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no"
> > to prevent upcoming #openssh client bug CVE-2016-0777. More later.
> 
> echo "UseRoaming no" >> /etc/ssh/ssh_config

It says this applies to OpenSSH 5.4 to 7.1.

So it would only affect CentOS7 and up, as C6 uses openssh-5.3.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
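
One way to check a client for the mitigation discussed in this thread, as an added example that is not part of the original posts. The function names, the sample config and the version strings are constructed; the affected range (5.4 to 7.1) and the `UseRoaming no` line come from the messages above, and the first-value-wins rule is from ssh_config(5).

```shell
#!/bin/sh
# Added example (not from the thread): does this OpenSSH client still need
# the "UseRoaming no" line?

# in_affected_range VERSION_STRING
# Returns 0 when the major.minor version in a string such as
# "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips" lies in 5.4 .. 7.1 (the range
# quoted in the thread), 1 when it lies outside, 2 when it cannot be parsed.
# Patch level and distribution backports are not examined.
in_affected_range() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; then return 0; fi
    if [ "$major" -eq 6 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -le 1 ]; then return 0; fi
    return 1
}

# useroaming_state CONFIG_FILE
# Prints one of: disabled | enabled | partial | unset
# ssh_config(5) uses the first value obtained for each keyword, so only the
# first UseRoaming line that applies to every host counts: one before any
# Host/Match line, or one inside a "Host *" block. "partial" means a
# host-specific block switched roaming on before the global "no" was read.
useroaming_state() {
    awk '
        BEGIN { scope = "all"; state = "unset"; hostyes = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ", line)      # "Keyword=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "host")  { scope = (n == 2 && f[2] == "*") ? "all" : "some"; next }
            if (key == "match") { scope = "some"; next }
            if (key == "useroaming" && state == "unset") {
                val = tolower(f[2])
                if (scope == "some") { if (val != "no") hostyes = 1 }
                else state = (val == "no") ? "disabled" : "enabled"
            }
        }
        END {
            if (state == "disabled" && hostyes) state = "partial"
            print state
        }
    ' "$1"
}

# audit_client VERSION_STRING CONFIG_FILE
# Prints: not-in-range | unknown-version | mitigated | needs-mitigation
audit_client() {
    in_affected_range "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "not-in-range"; return 0 ;;
        2) echo "unknown-version"; return 0 ;;
    esac
    if [ "$(useroaming_state "$2")" = disabled ]; then
        echo "mitigated"
    else
        echo "needs-mitigation"
    fi
}

# Constructed sample: a config ending in a "Host *" block after
#   echo "UseRoaming no" >> /etc/ssh/ssh_config
# has been run, so the appended line lands inside that block.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat >"$sample_cfg" <<'EOF'
Host *
    GSSAPIAuthentication yes
UseRoaming no
EOF

# Constructed version strings in the format printed by "ssh -V".
audit_client "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013" "$sample_cfg"
audit_client "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" "$sample_cfg"
```

On a real host, pass the output of `ssh -V 2>&1` and the path of the client config instead of the constructed values.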


Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes

2016-01-08 Thread Tony Mountifield
In article <55ae6ce7fe2cbdba1514f1072281c006.squir...@webmail.harte-lyne.ca>,
James B. Byrne <byrn...@harte-lyne.ca> wrote:
> I have been looking at this problem on and off for a considerable
> period.  Given my lack of knowledge I have been unable to resolve this
> quickly and in consequence it has been constantly shoved to the
> background as other issues arise.
> 
> Here is the situation:
> 
> An ASCII art diagram might help, or might not.
> 
> 
> 
> kvmh1g1   eth0/192.168.51.1
>   eth1/aaa.bbb.ccc.151 <-> |
>|
> kvmh1 br1/aaa.bbb.ccc.51   |
> |---> br0/192.168.51.1 |
> X  |
> kvmh2   |---> br0/192.168.52.1 |
>   br1/aaa.bbb.ccc.52   |
>|
> kvmh2g1   eth0/192.168.52.1|
>   eth1/aaa.bbb.ccc.251 <-> |
>|
> gateway   eth1/aaa.bbb.ccc.1 <---> |
> 
> 
> 

Why are you using two separate subnets, 192.168.51.0/24 and 192.168.52.0/24?
That is the core of your problem. You can't use a crossover cable between
different subnets; you would need a router. There may be an esoteric way,
but it's not a normal configuration.

But they don't need to be different subnets at all. Logically speaking, they
are the same subnet.

So give kvmh1:br0 192.168.51.1 and kvmh2:br0 192.168.51.2. Then they can
talk to each other easily, without doing anything special.

On the guests, give them 192.168.51.11 and 192.168.12 (for example).
I don't think they should use the same IP addresses as their hosts.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] fail2ban problem new installation

2015-12-19 Thread Tony Mountifield
In article <1612557.81lQ3GSSy2@techz>,
Günther J. Niederwimmer <g...@gjn.priv.at> wrote:
> Hello,
> 
> I have a big problem with fail2ban and firewalld on my new system.
> 
> I have a server running (CentOS 7.1) and run a Update to 7.2 on this system 
> all is working ?
> 
> BUT I install a new system with CentOS 7 1511 on this systems fail2ban don't 
> work anymore. I have this error  or more, in the firewalld
> 
> 2015-12-19 08:39:55 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -I 
> INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-
> sshd src -j REJECT --reject-with icmp-port-unreachable' failed: iptables 
> v1.4.21: Set fail2ban-sshd doesn't exist.
>   
> Try `iptables -h' or 'iptables --help' for more information.
> 
> Is on 7.2 some missing or not installed
> 
> I installed fail2ban from the epel repo.
> Thanks for a answer,

Do you have the ipset RPM installed? rpm -q ipset

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] centos 7 and keychain

2015-11-18 Thread Tony Mountifield
In article <564c97ec.2090...@gmail.com>,
Pete Stieber <pstie...@gmail.com> wrote:
> On 11/17/2015 11:27 AM, PS = Pete Stieber wrote:
> PS>> Is there a centos recommended repository for
> PS>> centos 7 where I can obtain the keychain
> PS>> package?
> 
> 
> I guess building from source may be my only option if I don't hear from 
> anyone.

The first thing I would try is to get the SRPM for CentOS6, install it
in CentOS7 and see if it will rebuild: rpmbuild -bb keychain.spec
(or something like that).

If not, then I would work on updating the SRPM so that it does build.

That would be much more preferable than building directly from source
outside of the package manager.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Centos 6: language mess with ssh

2015-10-30 Thread Tony Mountifield
In article <56337b09.7080...@aime-toulouse.fr>,
Philippe BOURDEU d'AGUERRE <b...@aime-toulouse.fr> wrote:
> Thank you for you help.
> 
> I tried your tips but the problem remains. Example:
> 
> $ echo "SendEnv LANG LC_ALL" > ~/.ssh/config
> $ LANG=C; export LANG; LC_ALL=C; export LC_ALL
> $ ssh aa@quercy
> You are required to change your password immediately (root enforced)
> Last login: Fri Oct 30 15:02:34 2015 from quercy
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changement de mot de passe pour l'utilisateur aa.
> Nouveau mot de passe :
> MOT DE PASSE INCORRECT : BEAUCOUP trop court

Maybe you also need to put "AcceptEnv LANG" in /etc/ssh/sshd_config on
the remote system, to tell it to honour the LANG being sent?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Semi-OT: fail2ban issue

2015-10-29 Thread Tony Mountifield
In article <1446132814771.22...@slac.stanford.edu>,
Eriksson, Thomas <thomas.eriks...@slac.stanford.edu> wrote:
> This should probably be a bug report for the fail2ban EPEL maintainer, the 
> problem was introduced in version 0.9.3
> 
> >From the file /etc/fail2ban/action.d/iptables-common.conf
> ...
> # Option:  lockingopt
> # Notes.:  Option was introduced to iptables to prevent multiple instances 
> from
> #  running concurrently and causing irratic behavior.  -w was 
> introduced
> #  in iptables 1.4.20, so might be absent on older systems
> #  See https://github.com/fail2ban/fail2ban/issues/1122
> # Values:  STRING
> lockingopt = -w
> ...
> 
> Now, CentOS 6.7 has iptables 1.4.7 and the "wait" option does not seem to 
> have been backported by RedHat, so the EPEL package for EL6 should probably 
> not have this as the default.
> 
> My workaround was to create a file 
> /etc/fail2ban/action.d/iptables-common.local that contains
> ...
> [Init]
> lockingopt =
> ...

Looks like it has been fixed in the update fail2ban-0.9.3-1.el6.1

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] [OT] fail2ban update (epel) breaks logrotate

2015-10-18 Thread Tony Mountifield
In article <n009u2$85v$1...@softins.softins.co.uk>,
Tony Mountifield <t...@softins.co.uk> wrote:
> Apologies, this is slightly off-topic being to do with an EPEL package,
> although it's running on CentOS6, so I thought others here might have come
> across this issue.
> 
> I have five CentOS 6 systems running fail2ban from EPEL, and this
> package was updated in the last week from 0.9.2-1.el6 to 0.9.3-1.el6.
> 
> On all these systems, I received an error from logrotate this morning.
> 

> [root@system ~]# /usr/bin/fail2ban-client flushlogs
> logs: rolled over
> Traceback (most recent call last):
>   File "/usr/bin/fail2ban-client", line 470, in <module>
> if client.start(sys.argv):
>   File "/usr/bin/fail2ban-client", line 440, in start
> return self.__processCommand(args)
>   File "/usr/bin/fail2ban-client", line 281, in __processCommand
> return self.__processCmd([cmd])
>   File "/usr/bin/fail2ban-client", line 185, in __processCmd
> client.close()
>   File "/usr/lib/python2.6/site-packages/fail2ban/client/csocket.py", line 
> 55, in close
> self.__csock.sendall(CSPROTO.CLOSE + CSPROTO.END)
>   File "<string>", line 1, in sendall
> socket.error: [Errno 32] Broken pipe
> [root@system ~]#

OK, on further investigation, I found that the fail2ban service had not
been restarted by the update script.

So I restarted it, and got the same error as it was stopping, but it
started up ok. After restarting, the error no longer occurs:

[root@system ~]# ps -fC fail2ban-server
root  7528 1  0 Sep23 ?00:10:06 /usr/bin/python -Es 
/usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p 
/var/run/fail2ban/fail2ban.pid -x -b
[root@system ~]# service fail2ban restart
Stopping fail2ban: Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 470, in <module>
if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 440, in start
return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 281, in __processCommand
return self.__processCmd([cmd])
  File "/usr/bin/fail2ban-client", line 185, in __processCmd
client.close()
  File "/usr/lib/python2.6/site-packages/fail2ban/client/csocket.py", line 55, 
in close
self.__csock.sendall(CSPROTO.CLOSE + CSPROTO.END)
  File "<string>", line 1, in sendall
socket.error: [Errno 32] Broken pipe
   [FAILED]
Starting fail2ban: [  OK  ]
[root@system ~]# ps -fC fail2ban-server
root 11647 1  1 15:30 ?00:00:00 /usr/bin/python -Es 
/usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p 
/var/run/fail2ban/fail2ban.pid -x -b
[root@system ~]# /usr/bin/fail2ban-client flushlogs
logs: rolled over
[root@system ~]#

Hope this info is useful to others...

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] [OT] fail2ban update (epel) breaks logrotate

2015-10-18 Thread Tony Mountifield
Apologies, this is slightly off-topic being to do with an EPEL package,
although it's running on CentOS6, so I thought others here might have come
across this issue.

I have five CentOS 6 systems running fail2ban from EPEL, and this
package was updated in the last week from 0.9.2-1.el6 to 0.9.3-1.el6.

On all these systems, I received an error from logrotate this morning.

It appears that something has broken the flushlogs option in fail2ban-client:

[root@system ~]# cat /etc/logrotate.d/fail2ban
#
# Gentoo:
# 
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
#
# Debian:
# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
#
# Fedora view:
#  http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate

/var/log/fail2ban.log {
rotate 7
missingok
compress
postrotate
  /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
endscript
}
[root@system ~]# /usr/bin/fail2ban-client flushlogs
logs: rolled over
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 470, in <module>
if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 440, in start
return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 281, in __processCommand
return self.__processCmd([cmd])
  File "/usr/bin/fail2ban-client", line 185, in __processCmd
client.close()
  File "/usr/lib/python2.6/site-packages/fail2ban/client/csocket.py", line 55, 
in close
self.__csock.sendall(CSPROTO.CLOSE + CSPROTO.END)
  File "<string>", line 1, in sendall
socket.error: [Errno 32] Broken pipe
[root@system ~]#

Has anyone else found this today? And even better know how to fix it?

There doesn't seem to be any current activity in epel-users, and I found
the update announcement in epel-package-announce, but didn't see anything
about this in the "IMPORTANT incompatible changes" section.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CentOS-6.7 Passing delayed shutdown via ssh command line argument?

2015-09-30 Thread Tony Mountifield
In article <f90407e5ac62949cab27d3bda74faa74.squir...@webmail.harte-lyne.ca>,
James B. Byrne <byrn...@harte-lyne.ca> wrote:
> If I log into a host via ssh from my workstation then I can enter this:
> 
> shutdown -r +90&
> 
> and log out.  The shutdown command will continue in effect and will
> activate 90 minutes later.
> 
> However, if I do this instead:
> 
> ssh -t host.domain.tld 'shutdown -r +90&'
> 
> then the shutdown command does not remain in effect.  Why is this so
> and is there some way to achieve this?

I think shutdown receives a HUP signal when the connection is terminated,
because it still has the ssh tty as its controlling terminal.

I've just done some experimenting using sleep instead of shutdown, and
found this:
- you need to omit the -t
- you need to redirect stdin/stdout/stderr

So try:

ssh host.domain.tld 'shutdown -r +90 </dev/null >/dev/null 2>&1 &'

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] httpd userdir problem

2015-09-28 Thread Tony Mountifield
In article <mu3t01$c2l$1...@ger.gmane.org>,
Timothy Murphy <gayle...@eircom.net> wrote:
> I'm running httpd-2.4.6-31.el7.centos.1.x86_64
> under CentOS-7 (kernel 3.10.0-229.14.1.el7.x86_64).
> 
> I cannot get the httpd userdir facility working;
> when I try to access localhost/Menloe I get the message
> "You don't have permission to access /Menloe on this server."
> 
> I see in /var/log/httpd/error_log
> "Symbolic link not allowed or link target not accessible:
> /var/www/html/Menloe"
> while in /var/log/httpd/access_log I see
> "GET /Menloe HTTP/1.1" 403 208
> 
> In /etc/httpd/conf.d/userdir.conf I have
> UserDir public_html
> and
> 
> AllowOverride All
> Require all granted
> Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> Require method GET POST OPTIONS
> 
> 
> The directory ~/public_html/Menloe/ is owned by me,
> and has permissions drwxr-xr-x.

You need to include your username in the URL, otherwise it doesn't know
whose public_html directory to look for. The username must be preceded
by a tilde, for example:

http://localhost/~timothy/Menloe

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] decode http hack attempt?

2015-09-24 Thread Tony Mountifield
In article <e4bd3a73fc95477064436043eb8a37ed.squir...@webmail.harte-lyne.ca>,
James B. Byrne <byrn...@harte-lyne.ca> wrote:
> Can anyone de-cypher the second entry for me?
> 
> - httpd Begin 
> 
> 
>  Requests with error response codes
> 403 Forbidden
>/: 9 Time(s)
>/?c=4e5e5d7364f443e28fbf0d3ae744a59a: 3 Time(s)
> 
> I have found the string via Google but have not located any explanation.

It appears to be something to do with a PHP framework called ThinkPHP.
One of the hits when searching for it is for ThinkPHP on Google Code.

Perhaps there is a vulnerability in ThinkPHP, and this access is from
a machine scanning for vulnerable sites? Just a guess.

I don't think it has a meaning - it's just a 128-bit number expressed in hex.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] Bug in init scripts for ipset?

2015-09-24 Thread Tony Mountifield
I've just started experimenting with ipset under CentOS 6, and have
found what appears to be a bug (or poor design) in the init scripts
for ipset, /etc/rc.d/init.d/ipset

In stop(), save() and status(), it does lsmod to check for the
existence of the ip_set module. If the module is not found, it
exits without performing any action.

This doesn't take account of a kernel where the ip_set code is compiled
in instead of being a loadable module. An example would be my CentOS 6
virtual machine at Linode. It has a Linode-compiled kernel 4.1.0 with
no separately-loaded modules. It certainly supports ipset, as I have
successfully tried some test rules. However, I wondered why giving the
command "service ipset save" didn't result in /etc/sysconfig/ipset being
written, and discovered the cause I described above.

Surely there should be a better way of determining whether the kernel
includes ipset support than just looking for a module?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] ISC DHCP failover

2015-09-23 Thread Tony Mountifield
In article <20150923194959.ge2...@cmadams.net>,
Chris Adams <li...@cmadams.net> wrote:
> Anybody have any experience with setting up dhcpd in failover mode
> between two servers?  I set this up on a couple of servers, and it seems
> to be working, but I don't think it is working "right".  It appears both
> servers are replying to all requests (which for renewals works okay
> because they both give the same address, but new requests get two
> different responses).  I thought that only one server would reply to a
> particular request.
> 
> Also, every DHCPACK is followed by a message like this in the log:
> 
> Sep 23 15:45:50 rad2 dhcpd: bind update on x.x.x.x from mypeer rejected: 
> incoming update is less critical than outgoing update
> 
> Any ideas?  I subscribed and asked over on the ISC-operated dhcp-users
> list but haven't had any responses.  Google finds others asking about
> the same log message, and the only responses seem to be "well, if you
> get it for every update, there's probably some configuration issue" (but
> nobody ever says what issue might lead to it).

Well it would probably help if you showed us your dhcpd.conf file from
each server.

But anyway, if it helps, here is what I have working:

SYSTEM 1 (192.168.100.3)


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#

authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
primary; # declare this to be the primary server
mclt 1800;  # only on primary
split 128;  # only on primary

#secondary; # declare this to be the secondary server

address 192.168.100.3;  # my address
port 647;
peer address 192.168.100.4; # peer's address
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}

subnet 192.168.100.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option routers 192.168.100.1;
option domain-name-servers 192.168.100.1;
option domain-name "example.co.uk";
pool {
failover peer "dhcp-failover";
deny dynamic bootp clients;
range 192.168.100.100 192.168.100.149;
default-lease-time 86400;
max-lease-time 172800;
}
}

SYSTEM 2 (192.168.100.4)


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#

authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
#primary; # declare this to be the primary server
#mclt 1800; # only on primary
#split 128; # only on primary

secondary; # declare this to be the secondary server

address 192.168.100.4;  # my address
port 647;
peer address 192.168.100.3; # peer's address
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}

subnet 192.168.100.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.100.255;
option routers 192.168.100.1;
option domain-name-servers 192.168.100.1;
option domain-name "example.co.uk";
pool {
failover peer "dhcp-failover";
deny dynamic bootp clients;
range 192.168.100.100 192.168.100.149;
default-lease-time 86400;
max-lease-time 172800;
}
}

Note the differences between the "failover peer" sections. One must say
primary, and the other secondary. You must omit mclt and split on the
secondary, and must swap the address and peer address over.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
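
The three rules in the reply above (one primary and one secondary, mclt and split only on the primary, address and peer address swapped), written as an added check over two dhcpd.conf files; this is example code, not part of the original post or of ISC DHCP. The function names are hypothetical, the sample files repeat only the failover peer sections posted above, and the port comparison is an extra assumption drawn from the posted values.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the "failover peer"
# sections of two ISC dhcpd.conf files against the rules stated above.

# failover_facts FILE
# Prints: role address peer_address port peer_port has_mclt has_split
# for the first 'failover peer "NAME" {' block; "-" marks a missing value.
failover_facts() {
    awk '
        BEGIN { role = addr = paddr = port = pport = "-"; hmclt = hsplit = 0 }
        {
            sub(/#.*/, "")          # drop comments such as "#secondary;"
            gsub(/;/, " ")
            if (!inblk) {
                if (!seen && $0 ~ /failover[ \t]+peer[ \t]+"[^"]*"[ \t]*[{]/) { inblk = 1; seen = 1 }
                next
            }
            if ($0 ~ /[}]/) { inblk = 0; next }
            if ($1 == "primary" || $1 == "secondary") role = $1
            else if ($1 == "mclt")    hmclt = 1
            else if ($1 == "split")   hsplit = 1
            else if ($1 == "address") addr = $2
            else if ($1 == "port")    port = $2
            else if ($1 == "peer" && $2 == "address") paddr = $3
            else if ($1 == "peer" && $2 == "port")    pport = $3
        }
        END { print role, addr, paddr, port, pport, hmclt, hsplit }
    ' "$1"
}

_problem() { echo "$1"; pair_bad=1; }

_role_rules() {    # FILE ROLE HAS_MCLT HAS_SPLIT
    case $2 in
        primary)   [ "$3$4" = 11 ] || _problem "$1: primary should set mclt and split" ;;
        secondary) [ "$3$4" = 00 ] || _problem "$1: secondary must omit mclt and split" ;;
    esac
}

# check_failover_pair FILE_A FILE_B
# Prints one line per problem; returns 0 when none were found, 1 otherwise.
check_failover_pair() {
    pair_bad=0
    read -r a_role a_addr a_peer a_port a_pport a_mclt a_split <<EOF
$(failover_facts "$1")
EOF
    read -r b_role b_addr b_peer b_port b_pport b_mclt b_split <<EOF
$(failover_facts "$2")
EOF
    case $a_role/$b_role in
        primary/secondary|secondary/primary) ;;
        *) _problem "roles: need one primary and one secondary, got $a_role and $b_role" ;;
    esac
    _role_rules "$1" "$a_role" "$a_mclt" "$a_split"
    _role_rules "$2" "$b_role" "$b_mclt" "$b_split"
    { [ "$a_addr" != - ] && [ "$a_addr" = "$b_peer" ] && [ "$b_addr" = "$a_peer" ]; } ||
        _problem "address and peer address are not swapped between the files"
    { [ "$a_port" = "$b_pport" ] && [ "$b_port" = "$a_pport" ]; } ||
        _problem "port on one side does not match peer port on the other"
    return $pair_bad
}

# Sample input: the failover peer sections from the two configs posted above.
write_samples() {
    cat >"$1/primary.conf" <<'EOF'
failover peer "dhcp-failover" {
    primary;   # declare this to be the primary server
    mclt 1800; # only on primary
    split 128; # only on primary
    #secondary;
    address 192.168.100.3;
    port 647;
    peer address 192.168.100.4;
    peer port 647;
}
EOF
    cat >"$1/secondary.conf" <<'EOF'
failover peer "dhcp-failover" {
    #primary;
    #mclt 1800; # only on primary
    #split 128; # only on primary
    secondary;
    address 192.168.100.4;
    port 647;
    peer address 192.168.100.3;
    peer port 647;
}
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
write_samples "$demo_dir"
check_failover_pair "$demo_dir/primary.conf" "$demo_dir/secondary.conf" && echo "pair looks consistent"
```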


Re: [CentOS] CentOS-6 Logwatch 7.3.6 behaviour

2015-09-19 Thread Tony Mountifield
In article <d782c236fbee71045dad24a43def.squir...@webmail.harte-lyne.ca>,
James B. Byrne <byrn...@harte-lyne.ca> wrote:
> After some experimenting I have observed that overriding settings from
> /usr/share/logwatch/default.conf/logwatch.conf in
> /etc/logwatch/conf/logwatch.conf does not produce consistent results.
> 
> 
> For example, if I replace the default detail configuration in
> etc/logwatch/conf/logwatch.conf with:
> 
> Detail = High
> 
> It does indeed change the level of detail from the default Low set in
> /usr/share/logwatch/default.conf/logwatch.conf.
> 
> However, if I comment out the line:
> 
> #Service = "-zz-sys" # Prevents execution of zz-sys service
> 
> in the overridden file then the fact that this line remains in the
> default.conf version means that the service cannot be enabled to run
> by default without editing
> /usr/share/logwatch/default.conf/logwatch.conf.  Of course doing that
> means that any update clobbers the local changes.

Can you just add it back in /etc/logwatch/conf/logwatch.conf with:

Service = "zz-sys"

I haven't tried it, but it looks like Service lines are cumulative.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tony Mountifield
> timothy.dun...@mycomany.com
> DocumentRoot /var/www/mycomanystore
> ServerName stage.theshopatmycomanystudios.com
> ServerAlias 173.213.219.48
> ErrorLog logs/store_error_log
> LogFormat %h %l %u %t \%r\ %s %b common
> CustomLog logs/store_access_log common
> <Directory /var/www/mycomanystore>
>   DirectoryIndex index.html
>   AddHandler cgi-script .cgi
>   Options -Indexes +FollowSymLinks +ExecCGI +Includes
>   AllowOverride All
>   Require all granted
> </Directory>
> ExpiresActive On
> ExpiresDefault access plus 30 minute
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]
> </VirtualHost>
>
> Thanks
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tony Mountifield
In article <CAOZy0enqddiPvpd+M-Ltwih9dPmA7b_ro4-_5bQ=u1gaald...@mail.gmail.com>,
Tim Dunphy <bluethu...@gmail.com> wrote:
> Hey guys,
>
> Sorry for the failed attempts at obscuring the company I work for. My boss
> wouldn't take too kindly to it if I revealed that information on a mailing
> list. :)

It's easily deducible from the IP addresses anyway...

> So anyway, I realized that capitalization might be the problem. So I
> renamed the directory to match what was in the URL. That didn't solve the
> problem.
>
> However I noticed this message turning up in the logs:
>
> [Fri Aug 28 01:27:30.057020 2015] [proxy:warn] [pid 23782:tid
> 139661984888576] [client 173.213.212.234:14579] AH01144: No protocol
> handler was valid for the URL /mycompanyStore/images/Jimmy_792x802_R2.jpg.
> If you are using a DSO version of mod_proxy, make sure the proxy submodules
> are included in the configuration using LoadModule., referer:
> http://stage.theshopatmycompanystudios.com/
>
> [...etc...]
>
> So taking the advice of that error I tried enabling all the proxy modules in
> the apache config:
>
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
>
> But those files are still 404ing. Not sure where to take it from here. I'd
> appreciate any help you can give!

Well if it's a single web server that you want to serve its own files, it
shouldn't be doing any proxy operations anyway. So rather than enabling
proxy modules, it would be better to understand why it is trying to do a
proxy operation.

It's hard to help further without seeing your http config files in
/etc/http/conf and /etc/http/conf.d. To save space, you can filter out all
comments and blank lines like this:

# grep '^ *[^# ]' /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf >/tmp/http-config.txt

That will output all lines that start with zero or more spaces followed by
at least one character that is not a space or a hash. It will also precede
each line with the name of the file it is in.

You can then edit /tmp/http-config.txt with some global replaces if you
want to obscure the domain name and document root names, and post the
result.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] apache mysterious 404 error

2015-08-28 Thread Tony Mountifield
In article <0f55e883640c125375c75...@ritz.innovate.net>,
Richard <lists-cen...@listmail.innovate.net> wrote:
>
> Also need to see the error_log entries from the back-end httpd
> server that's serving from the documentroot. The proxy server's logs
> (whether it should be there or not) only show the proxy issues, not
> the issues that are causing the 404s, so aren't really relevant to
> the 404 issue. The back-end server's logs will indicate why the file
> can't be found, or generally at least pretty good hints.

The first question is: are there even a separate back-end and front-end,
or is it just a single server that is misconfigured and is trying to do
proxy operations when it shouldn't? It sounds to me like the latter.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-18 Thread Tony Mountifield
In article <013173c7-6aec-4c2d-9eb7-84c873c89...@googlemail.com>,
Leon Fauster <leonfaus...@googlemail.com> wrote:
> Am 18.08.2015 um 11:27 schrieb lheck...@users.sourceforge.net:
> >
> > Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
> > Some change in this update has broken something. I would like to understand
> > what, and so ought the package maintainers. C5 isn't EOL until March 2017.
> >
> > rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
> > upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
> > (from March 2014, nevertheless), which works.
> >
> > I would hazard a guess that this is the change causing your problem.
> >
> > * Fri Jun 26 2015 Tomas Mraz <tm...@redhat.com> 0.9.8e-36
> > - also change the default DH parameters in s_server to 1024 bits
> >
> > Here's some more info,
> >
> > https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
> >
> > RH must have backported this fix to 0.9.8e.
> >
> > There seem to be many reports out there that the openssl update broke mysql,
> > but unfortunately, at a quick glance, they are all about RHEL6/openssl
> > 1.0.1,
> > so you're most likely on your own. I'm quite ignorant of mysql, but it looks
> > like you may be able to get this to work again by changing the cipher in
> > mysql
> > and regenerating your cert.
> >
> > https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4
> >
>
>
> http://lists.centos.org/pipermail/centos/2015-July/153753.html

Cool - that looks like the answer. Just tried it successfully.

Many thanks!

Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-18 Thread Tony Mountifield
In article 55d2174f.70...@centos.org,
Johnny Hughes joh...@centos.org wrote:
 On 08/17/2015 11:19 AM, Johnny Hughes wrote:
  On 08/17/2015 10:57 AM, Tony Mountifield wrote:
  I recently applied updates to a CentOS 5 box running MySQL. I've discovered
  that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
  connections.
 
  If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
  that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
  oldest, but it was handy), then SSL connection to MySQL works again.
 
  I then performed cross-checks using the server with new libssl and the
  client with old, and then vice versa. What I found was that it didn't
  matter whether the server was started with the old libssl or the new 
  libssl.
  In both cases, the mysql client would only connect using the old libssl,
  and not when using the new libssl.
 
  When it works with the old libssl, I can confirm that SSL is in use:
 
  mysql> \s
  --
  mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1
 
  Connection id:  2
  Current database:
  Current user:   root@localhost
  SSL:Cipher in use is DHE-RSA-AES256-SHA
 
  The error with the new libssl looks like this:
 
  [root@hostname ~]# mysql
  ERROR 2026 (HY000): SSL connection error
 
  Has anyone else come across this? Is it a bug in SSL? Or a new restriction?
  Do I need to regenerate my certificates using the new openssl?
 
  Cheers
  Tony
 
  
  You should now be using mysql55 on CentOS-5, not mysql-5.0
 
 In case you did not understand my post, here is how one is supposed to
 move from mysql-5.0 to mysql55 and why:
 
 https://rhn.redhat.com/errata/RHEA-2013-1329.html
 
 https://rhn.redhat.com/errata/RHEA-2013-1330.html

Thanks. I eventually found the more specific link at 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-Migrating_from_MySQL_5.0_to_MySQL_5.5.html

However, the only "why" I could find was "Red Hat will not issue any more
security advisories for the MySQL 5.0 packages (mysql-5.0.* and related
packages). Security advisories will be provided only for MySQL 5.5."
Nothing to indicate that anything in 5.0 is inherently broken. Are there
any more specific reasons? It appears to be working fine.

And is the same true for C6, which comes with mysql 5.1, that one should
use mysql55 from SCL instead? Why, or why not?

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-18 Thread Tony Mountifield
In article 55d20981.7030...@centos.org,
Johnny Hughes joh...@centos.org wrote:
 On 08/17/2015 10:57 AM, Tony Mountifield wrote:
  I recently applied updates to a CentOS 5 box running MySQL. I've discovered
  that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
  connections.
  
  If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
  that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
  oldest, but it was handy), then SSL connection to MySQL works again.
  
  I then performed cross-checks using the server with new libssl and the
  client with old, and then vice versa. What I found was that it didn't
  matter whether the server was started with the old libssl or the new libssl.
  In both cases, the mysql client would only connect using the old libssl,
  and not when using the new libssl.
  
  When it works with the old libssl, I can confirm that SSL is in use:
  
  mysql> \s
  --
  mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1
  
  Connection id:  2
  Current database:
  Current user:   root@localhost
  SSL:Cipher in use is DHE-RSA-AES256-SHA
  
  The error with the new libssl looks like this:
  
  [root@hostname ~]# mysql
  ERROR 2026 (HY000): SSL connection error
  
  Has anyone else come across this? Is it a bug in SSL? Or a new restriction?
  Do I need to regenerate my certificates using the new openssl?
  
  Cheers
  Tony
  
 
 You should now be using mysql55 on CentOS-5, not mysql-5.0

That may well be the case, but isn't relevant to the point I'm making,
which is that something changed in openssl-0.9.8e-36 that has broken something.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-18 Thread Tony Mountifield
In article 55d2ed32.6040...@hogranch.com,
John R Pierce pie...@hogranch.com wrote:
 On 8/18/2015 1:27 AM, Tony Mountifield wrote:
  You should now be using mysql55 on CentOS-5, not mysql-5.0
  That may well be the case, but isn't relevant to the point I'm making,
  which is that something changed in openssl-0.9.8e-36 that has broken something.
 
 mysql 5.0 and openssl 0.9.8 are both ancient and way past their 
 expiration date.

Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
Some change in this update has broken something. I would like to understand
what, and so ought the package maintainers. C5 isn't EOL until March 2017.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-18 Thread Tony Mountifield
In article 20150818092704.ga13...@users.sourceforge.net,
 lheck...@users.sourceforge.net wrote:
 
  Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
  Some change in this update has broken something. I would like to understand
  what, and so ought the package maintainers. C5 isn't EOL until March 2017.
 
  rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
  upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
  (from March 2014, nevertheless), which works.
 
  I would hazard a guess that this is the change causing your problem.
 
 * Fri Jun 26 2015 Tomas Mraz tm...@redhat.com 0.9.8e-36
 - also change the default DH parameters in s_server to 1024 bits
 
  Here's some more info,
 
  https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
 
  RH must have backported this fix to 0.9.8e.
 
  There seem to be many reports out there that the openssl update broke mysql,
  but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
  so you're most likely on your own. I'm quite ignorant of mysql, but it looks
  like you may be able to get this to work again by changing the cipher in mysql
  and regenerating your cert.
 
  
 https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4

Interesting... many thanks for the pointers! Something for me to experiment with...

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] wordpress can't connect to DB but mediawiki can

2015-08-17 Thread Tony Mountifield
In article caozy0ekthwpfh29gf65ryux584nhp0km66xivn9drnig--r...@mail.gmail.com,
Tim Dunphy bluethu...@gmail.com wrote:
 Hi Richard,
 
 I actually made some progress on this. The problem was SSL. Once I took
 the SSL requirement out of the picture for the user everything worked. The
 test php script and the wordpress site both. Originally when I setup my
 wiki it NEEDED SSL. Because there was some sensitive data in it. My
 website, however, is just a goofball toy project of mine. And doesn't
 really need that. But since I have this done for my wiki I was like why
 not? I stumbled getting the mediawiki to connect via SSL. Once I found the
 setting $wgDBssl = true; for media wiki it just worked.
 
 For my wordpress site, I found the setting define('DB_SSL', true);. I set
 that up in wp-config.php. However for some reason that wasn't the silver
 bullet that the mediawiki SSL database setting was ( $wgDBssl = true; ). I
 can understand why my little test script couldn't work with an SSL user.
 But do you have any idea why that wordpress setting won't allow the site to
 connect to the DB? While it may not be of super high importance to have my
 site contact the DB via SSL, it would still be a nice thing to have.

Did it use to work a few days ago? I have a box on which yum update installed
a new version of openssl on 14 Aug, and that broke SSL connections for mysql.
I haven't diagnosed it yet, neither by downgrading openssl again to see if it
works, nor by recreating my CA and certs using the newer openssl.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] C5 recent openssl update breaks mysql SSL connection

2015-08-17 Thread Tony Mountifield
I recently applied updates to a CentOS 5 box running MySQL. I've discovered
that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
connections.

If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
oldest, but it was handy), then SSL connection to MySQL works again.

I then performed cross-checks using the server with new libssl and the
client with old, and then vice versa. What I found was that it didn't
matter whether the server was started with the old libssl or the new libssl.
In both cases, the mysql client would only connect using the old libssl,
and not when using the new libssl.

When it works with the old libssl, I can confirm that SSL is in use:

mysql> \s
--
mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1

Connection id:  2
Current database:
Current user:   root@localhost
SSL:Cipher in use is DHE-RSA-AES256-SHA

The error with the new libssl looks like this:

[root@hostname ~]# mysql
ERROR 2026 (HY000): SSL connection error

Has anyone else come across this? Is it a bug in SSL? Or a new restriction?
Do I need to regenerate my certificates using the new openssl?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] less for CentOS6 with POSIX regex?

2015-06-09 Thread Tony Mountifield
In article 55761c28@imag.fr,
Nicolas Thierry-Mieg nicolas.thierry-m...@imag.fr wrote:
 
 
 On 06/09/2015 12:48 AM, Nicolas Thierry-Mieg wrote:
  On 06/09/2015 12:33 AM, t...@softins.co.uk (Tony Mountifield) wrote:
  In article ml1jnh$afr$1...@softins.softins.co.uk,
  Tony Mountifield t...@softins.co.uk wrote:
  When I started using CentOS 6 instead of CentOS 5, I discovered that
  less no longer understood \< and \>, which I had been used to using
  since almost forever.
 
  Eventually research revealed that in the Fedora version on which
  RHEL 6 was based, less had been built with the PCRE regex library
  instead of a POSIX one. So instead of \< and \>, I had to use \b.
 
 
  I'm sure there must be other people who would find the corrected RPMs
  useful,
  so my questions now are:
 
  a) Is there a contributors repo to which it would be appropriate to
  submit them?
 
  b) Is there a better way to number the release for this version?
 
  it may be better to change the package name to less-posix rather than
  change the release number, and have the new package conflict with less.
  That way once you've installed it, it won't get squashed by a yum update.
 
 you might need to have it provide less though, to avoid unmet deps eg 
 for man or gzip.

Excellent points - thanks! I'll have a play and see what I can do.

Would still like to know how/where best to contribute them.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] less for CentOS6 with POSIX regex?

2015-06-08 Thread Tony Mountifield
In article ml1jnh$afr$1...@softins.softins.co.uk,
Tony Mountifield t...@softins.co.uk wrote:
 When I started using CentOS 6 instead of CentOS 5, I discovered that
 less no longer understood \< and \>, which I had been used to using
 since almost forever.
 
 Eventually research revealed that in the Fedora version on which
 RHEL 6 was based, less had been built with the PCRE regex library
 instead of a POSIX one. So instead of \< and \>, I had to use \b.
 
 I found a bugzilla entry about this, which showed that the change had
 been reverted in a later Fedora release. So I tested CentOS 7, and found
 less has been reverted to using POSIX regex, which I'm glad about.
 
 What I want to know is: do any repos have a replacement version of
 less for CentOS 6 that has been built with POSIX regex, so that
 I don't have to keep switching between the two styles when working
 on different CentOS versions?

Well, after the deafening silence in response, I assumed the answer was no,
so I downloaded the SRPMs of less for both C6 and C7, and did a comparison.
I found that it was easy to fix the C6 less to use the correct POSIX regex
engine as follows:

1. Copy less-394-search.patch from the C7 SRPM, and add it back into
   less.spec as Patch2.

2. Remove the line BuildRequires: pcre-devel.

3. Remove --with-regex=pcre from the %configure line in less.spec.

4. Change the release number. I changed 13 to 13posix, so that the resultant
   RPMS have names like less-436-13posix.el6 instead of less-436-13.el6

5. Rebuild RPMs and SRPM using rpmbuild -ba less.spec.

6. Install using yum localinstall.

The resulting build of less works wonderfully on my C6 boxes, consistently
with the versions on C4, C5 and C7.

I'm sure there must be other people who would find the corrected RPMs useful,
so my questions now are:

a) Is there a contributors repo to which it would be appropriate to submit them?

b) Is there a better way to number the release for this version?

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] less for CentOS6 with POSIX regex?

2015-06-07 Thread Tony Mountifield
When I started using CentOS 6 instead of CentOS 5, I discovered that
less no longer understood \< and \>, which I had been used to using
since almost forever.

Eventually research revealed that in the Fedora version on which
RHEL 6 was based, less had been built with the PCRE regex library
instead of a POSIX one. So instead of \< and \>, I had to use \b.

I found a bugzilla entry about this, which showed that the change had
been reverted in a later Fedora release. So I tested CentOS 7, and found
less has been reverted to using POSIX regex, which I'm glad about.

What I want to know is: do any repos have a replacement version of
less for CentOS 6 that has been built with POSIX regex, so that
I don't have to keep switching between the two styles when working
on different CentOS versions?

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] ntpdate odd behavior

2015-05-07 Thread Tony Mountifield
In article cabr8-b7vsi_hgtz66k_xp5kpzskda-vajjjdyeyc9lgvkdn...@mail.gmail.com,
Jerry Geis ge...@pagestation.com wrote:
 I noticed this morning that my ntp time was not correct on machines.
 
 So I manually ran ntpdate time.apple.com on my clients, I got
 7 May 08:46:43 ntpdate[10550]: no server suitable for synchronization found
 
 then I ran ntpdate -d time.apple.com and it worked .
 filter offset: -163.446 -163.446 -163.446 -163.447
  0.00 0.00 0.00 0.00
 delay 0.20570, dispersion 0.00049
 offset -163.447341
  7 May 08:46:25 ntpdate[10519]: step time server 17.253.2.243 offset
 -163.447144 sec
 
 then I ran ntpdate time.apple.com again and got the above error again.
 
 Any idea what that is about? Why is ntpdate giving the error?
 
 This is on centos 6.6 x86_64 and same result on 3 machines.

Jerry, try ntpdate -u time.apple.com and have a look at the -u option
in the ntpdate man page. When you use -d, it implicitly sets -u, which
your non--d invocation didn't. That's probably the reason for the
difference.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] One-time reboot into alternate kernel?

2014-12-16 Thread Tony Mountifield
In article 20141215113303.e0ae4a00...@mail.centos.org,
Rushton Martin jmrush...@qinetiq.com wrote:
 If you are using GRUB 0.97 (legacy GRUB), then this capability is
 provided by the default saved and fallback commands.  See sections
 4.3.1 and 4.3.2 in the manual:
 
 http://www.gnu.org/software/grub/manual/legacy/grub.html

Excellent - just what I was looking for. Thanks!

Tony

 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Tony Mountifield
 Sent: 15 December 2014 11:01
 To: centos@centos.org
 Subject: [CentOS] One-time reboot into alternate kernel?
 
 Apologies if this should be well-known, but I couldn't find anything!
 
 Situation: a system in a remote location, with no KVM, IPMI or iLO, and
 therefore no console access, only ssh. Multiple kernels listed in
 grub.conf.
 
 Is there a way to reboot temporarily into one of the other kernels
 listed in grub.conf, without changing the default= line, so that a
 subsequent reboot will default back to the original kernel?
 
 The problem I have is that having changed the default= line to select a
 kernel that doesn't boot properly, I need to have someone visit the
 console in order manually to select the working kernel again. I would
 like to avoid that situation if possible.
 
 Thanks,
 Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] One-time reboot into alternate kernel?

2014-12-15 Thread Tony Mountifield
Apologies if this should be well-known, but I couldn't find anything!

Situation: a system in a remote location, with no KVM, IPMI or iLO, and
therefore no console access, only ssh. Multiple kernels listed in grub.conf.

Is there a way to reboot temporarily into one of the other kernels listed
in grub.conf, without changing the default= line, so that a subsequent
reboot will default back to the original kernel?

The problem I have is that having changed the default= line to select a
kernel that doesn't boot properly, I need to have someone visit the
console in order manually to select the working kernel again. I would
like to avoid that situation if possible.

Thanks,
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] Centos 7 as gateway - UDP performance is busted/awful?

2014-08-15 Thread Tony Mountifield
In article 20140814141900.777d6f0c@tomh,
Tom Horsley horsley1...@gmail.com wrote:
  If you look inside the ICMP packet in wireshark, it will tell you
  who sent it and what MTU they said was acceptable.
 
 Well, I'm definitely drowning in network confusion here :-).
 
 Everyone's MTU is the default 1500, I checked all systems in
 the path.
 
 The wireshark display says 1516 in the Length column for the
 NFS packet that always shows up before the ICMP errors. If I
 expand the IP V4 line in the packet, it says Total Length: 1500
 for that READDIRPLUS Reply which says 1516 for the capture
 length. It also has the Don't fragment flag set.
 
 It looks like the 16 byte extra is confusing it, but I have no
 idea why that is different than the IPv4 length info.

The 1516 is the total length of the ethernet frame, and is normal
for a 1500 MTU. The 16 bytes is the link-layer header.

When looking at the ICMP Frag-needed packet in Wireshark, look
particularly at (a) its source and destination addresses, (b) the
MTU of next hop field (in expansion of ICMP), and (c) the source
and destination addresses of the packet it was complaining about.

Here's an example from one of my recent traces:

Frame 235: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 10.30.0.245 (10.30.0.245), Dst: 172.22.21.48 (172.22.21.48)
(a)                               ^^^^^^^^^^^                     ^^^^^^^^^^^^
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 4 (Fragmentation needed)
    Checksum: 0x81df [correct]
    MTU of next hop: 1476
(b)                  ^^^^
Internet Protocol Version 4, Src: 172.22.21.48 (172.22.21.48), Dst: 172.27.60.31 (172.27.60.31)
(c)                               ^^^^^^^^^^^^                      ^^^^^^^^^^^^
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 56199 (56199)

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
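
Added example (not part of the original post or thread): a Python parser for the ICMP "Fragmentation needed" message discussed above, pulling out the items marked (a), (b) and (c). The sample packet is constructed from the addresses shown in the trace; all function names are this example's own.

```python
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, total_len, flags_frag=0):
    """Build a 20-byte IPv4 header (used only to construct the sample)."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag,
                       64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:]


def parse_ipv4(buf):
    """Return (fields, payload) for an IPv4 packet, validating lengths."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    fields = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment bit
    }
    # The quoted inner packet is truncated, so the slice may be shorter
    # than total_len; that is expected.
    return fields, buf[ihl:total_len]


def parse_frag_needed(packet):
    """Decode an ICMP type 3 / code 4 packet; return None for anything else."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != 1 or len(icmp) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner, transport = parse_ipv4(icmp[8:])
    sport = dport = None
    if inner["proto"] in (6, 17) and len(transport) >= 4:   # TCP or UDP
        sport, dport = struct.unpack("!HH", transport[:4])
    return {
        "reporter": outer["src"],         # (a) router that sent the ICMP
        "notified": outer["dst"],         # (a) host being told to shrink
        "next_hop_mtu": mtu,              # (b) 0 means a pre-RFC 1191 router
        "orig_src": inner["src"],         # (c) packet that was too big
        "orig_dst": inner["dst"],
        "orig_len": inner["total_len"],
        "orig_df": inner["df"],
        "sport": sport,
        "dport": dport,
    }


def build_sample():
    """Constructed packet mirroring the addresses and MTU in the trace."""
    inner = ipv4_header("172.22.21.48", "172.27.60.31", 6, 1500, 0x4000)
    inner += struct.pack("!HHI", 22, 56199, 0)       # first 8 bytes of TCP
    body = struct.pack("!BBHHH", 3, 4, 0, 0, 1476) + inner
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header("10.30.0.245", "172.22.21.48", 1, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    info = parse_frag_needed(build_sample())
    print("%(reporter)s told %(notified)s: next-hop MTU %(next_hop_mtu)d" % info)
    print("offending packet %(orig_src)s -> %(orig_dst)s, "
          "%(orig_len)d bytes, DF=%(orig_df)s" % info)
```

A reported next-hop MTU smaller than `orig_len` with `orig_df` set is the condition the reply describes: the sender must shrink its packets, which TCP does by itself and a UDP-based NFS mount does not.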


Re: [CentOS] Centos 7 as gateway - UDP performance is busted/awful?

2014-08-14 Thread Tony Mountifield
In article 20140814120002.16440e86@tomh,
Tom Horsley horsley1...@gmail.com wrote:
 I just replaced a dead system disk on my KVM host that was
 running an ancient fedora 13. Since centos 7 was available,
 I decided to go with it to get some long term stability.
 
 The problem is that NFS mounts inside the virtual machines
 don't work for spit when talking to older NFS servers that
 must speak UDP.
 
 Is there something about UDP traffic that requires tweaks
 I don't know about for centos 7 to serve as a gateway machine?
 I've got the ip forwarding settings and other sysctl stuff
 that was set in the old fedora 13 system.
 
 I've got the bridges defined that same way as the old f13
 system.
 
 I've got TCP stream connections working flawlessly, it is
 just the UDP traffic that seems to barf.
 
 Does this strike a familiar note with anyone?
 
 When I run wireshark on the KVM host machine, I see
 NFS packets retransmitting a lot and I also see ICMP
 messages about Destination Unreachable, Fragmentation
 Needed. (I don't know what any of it means though :-).

This means that either the host or one of the guests is trying to
send packets with a larger MTU than part of the path to the destination
will allow.

If you look inside the ICMP packet in wireshark, it will tell you
who sent it and what MTU they said was acceptable.

For TCP, the protocol stack is able to adapt by reducing its MSS
dynamically in response to those ICMPs and retry. I don't think
UDP is able to do that.

Also examine the MTU settings for your network interfaces on both
the host and the guests, using ifconfig -a.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] rsyslog does not log on a separate partition/FS mounted on /var/log/

2014-08-06 Thread Tony Mountifield
In article cahhm8gd+hfduyy7uah3kx2h37ca5fdbbwtjwyckv9tp3_4n...@mail.gmail.com,
Arun Khan knu...@gmail.com wrote:
 The system is an AWS Instance based on a community CentOS 6.4 AMI snapshot.
 
 The vdisk is as follows as shown below [1]
 The root LVM contains /var/log/
 
 I have attached another block device with ext4 FS.
 
 I copied the files from /var/log to this device (mounted on /mnt) and
 then changed
 /etc/fstab to mount this device on /var/log on boot.
 
 However, I do not see anything being logged in /var/log/messages.
 To test the logging, I used the 'logger' command to log some string; nothing
 appears in /var/log/messages.
 
 'service rsyslog status' reports the daemon is running.
 
 When I stop rsyslog, umount the /var/log device and then restart rsyslog, I can
 see that logs are being recorded in /var/log/messages.  Using the 'logger'
 command I can see messages written in /var/log/messages.
 
 man pages of rsyslog.conf and rsyslogd show nothing related to logs
 being on a separate device
 
 Any pointers to fix the problem would be much appreciated.

Probably rsyslog is being started before /var/log is mounted, and so it
is opening files within /var/log on the root device.

When the second device gets mounted on /var/log, the files within the
original /var/log are no longer visible, but rsyslog still has open handles
to them.

You need to arrange for rsyslog to get restarted or HUPed after the mounting
of /var/log.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] rsyslog does not log on a separate partition/FS mounted on /var/log/

2014-08-06 Thread Tony Mountifield
In article 20140806165735.gd10...@frodo.gerdesas.com,
John R. Dennison j...@gerdesas.com wrote:
 
 On Wed, Aug 06, 2014 at 04:50:41PM +, Tony Mountifield wrote:
  
  Probably rsyslog is being started before /var/log is mounted, and so it
  is opening files within /var/log on the root device.
 
 rsyslog should start after local mounts are finished.

Ah, ok, thanks. I hadn't actually gone and looked...

 I suspect it's selinux; /var/log should have a var_log_t context and I
 suspect it doesn't.

Be interesting to know if that fixes it for the OP.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


[CentOS] C6.5 - combine two DVD isos into one tree?

2014-07-15 Thread Tony Mountifield
I have the two DVD isos for CentOS 6.5 mounted as loopback, on the mount
points /centos6 and /centos6a, and am trying to use them for PXE/KS
installation.

The problem I have is that the packages in /centos6a/Packages are not
found by the installer.

The host is a CentOS 5 system. Is there a way for me to overlay the second
DVD on the first without having to copy all the packages from both isos
into a new directory?

Or is there a standard path I can use to mount the second DVD that the
installer will use for packages that are not found on the first?

Or any other ideas? I'm sure I can't be the first to stumble over this!

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] C6.5 - combine two DVD isos into one tree?

2014-07-15 Thread Tony Mountifield
In article 53c55690.90...@pari.edu, Lamar Owen lo...@pari.edu wrote:
 On 07/15/2014 12:15 PM, Tony Mountifield wrote:
  Or is there a standard path I can use to mount the second DVD that the
  installer will use for packages that are not found on the first?
 
  Or any other ideas? I'm sure I can't be the first to stumble over this!
 
 Use the 'mkdvdiso.sh' script found at 
 http://wiki.centos.org/TipsAndTricks/CDtoDVDMedia to join the two ISO's 
 into a single ISO, and then use that.  I've used this script for a 
 while, with CentOS 6.2, 6.3, 6.4, and 6.5 to make the 'DL' ISO for use 
 on an 8GB USB key (made with livecd-iso-to-disk).

Excellent, thank you! Just the job.

Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

2014-04-11 Thread Tony Mountifield
In article 1483a20e-66b7-4ecc-8c14-34de4b24b...@gmail.com,
Markus Falb wne...@gmail.com wrote:
 
  No vulnerability on the
  server can expose a private client certificate, only a vulnerability on
  the client can.
 
 With malicious server I did not meant one that was affected
 by heartbleed but a server which is run by bad people that want to exploit
 vulnerable clients.
 
 If it's easy to write a malicious client to read the server's ram, it's maybe
 easy to write a malicious server that can read the client's ram? Does heartbleed
 work in both directions?
 
 Assume that the client uses a vulnerable openssl, and it connects to a malicious
 server, can the server read the ram of the client?

https://reverseheartbleed.com/

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org


Re: [CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

2014-04-08 Thread Tony Mountifield
In article a46cca43-0ba5-43bb-9659-176311bf8...@googlemail.com,
Leon Fauster leonfaus...@googlemail.com wrote:
 Am 08.04.2014 um 15:02 schrieb James Hogarth james.hoga...@gmail.com:
  On 8 April 2014 12:08, Steven Tardy sjt5a...@gmail.com wrote:
  
  On Tue, Apr 8, 2014 at 2:56 AM, Keith Keller 
  kkel...@wombat.san-francisco.ca.us wrote:
  
  On 2014-04-08, Karanbir Singh kbsi...@centos.org wrote:
  
  is there an easy way to know which services need to be kicked?
  
  
  
  rpm -q --whatrequires openssl
  
  
  A slightly cleaner way:
  
  lsof -n | grep ssl | grep DEL
 
 lsof -n | grep -E 'libcry|libssl' | grep DEL

Actually, on CentOS it appears that DEL doesn't show you. The actual
string to grep on is 'deleted':

[root@vps1 ~]# lsof -n | grep -E 'libcry|libssl' | grep deleted
vsftpd  804root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
vsftpd  804root  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
mysqld  996   mysql  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
mysqld  996   mysql  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
saslauthd  1042root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
saslauthd  1043root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
sendmail   1058root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
sendmail   1058root  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
sendmail   1066   smmsp  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
sendmail   1066   smmsp  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
fail2ban-  1090root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
fail2ban-  1090root  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
assp.pl1198assp  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
assp.pl1198assp  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
miniserv.  1223root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
miniserv.  1223root  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
miniserv.  1229root  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
miniserv.  1229root  mem   REG   0,70  73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
named 12887   named  mem   REG   0,70  73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)

And I notice that the new libraries after applying the update are
STILL called 1.0.1e - is that correct? Could be confusing.

[root@vps1 ~]# lsof -n | grep -E 'libcry|libssl' | grep -v deleted

httpd  7495 root  mem  REG  0,70 1950976  73794323 /usr/lib64/libcrypto.so.1.0.1e
httpd  7495 root  mem  REG  0,70  441112  73794344 /usr/lib64/libssl.so.1.0.1e
httpd  7495 root  mem  REG  0,70  250168 151994454 /usr/lib64/libssl3.so
httpd  7495 root  mem  REG  0,70   40400  73728467 /lib64/libcrypt-2.12.so

... now to go and reboot the server.

Cheers
Tony

-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
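
The lsof check in the message above can be condensed into a list of processes that still need a restart. This is an added example, not part of the original post: the function names are hypothetical, the sample lines are constructed from the output quoted above, and the sshd line (FD "DEL", which some lsof builds report for an unlinked mapping) is constructed and assumes the standard COMMAND PID USER FD column order.

```shell
#!/bin/sh
# Added example: list processes that still map a deleted libssl/libcrypto.
# Reads `lsof -n` output on stdin; prints "PID COMMAND", one line per process.
stale_ssl_procs() {
    awk '
        # A stale mapping is either tagged "(deleted)" in the name or has
        # FD "DEL" (assumed to be column 4). The library pattern does not
        # match libssl3.so (NSS) or libcrypt-*.so (glibc).
        (/\(deleted\)/ || $4 == "DEL") && /\/lib(ssl|crypto)\.so/ {
            pid = $2
            if (pid !~ /^[0-9]+$/) next     # skip header or malformed lines
            if (!seen[pid]++) print pid, $1 # one line per PID
        }
    ' | sort -n
}

# Constructed sample input modelled on the lsof output quoted in the message.
sample_lsof() {
    cat <<'EOF'
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
sendmail   1058  root  mem    REG   0,70          73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
sendmail   1058  root  mem    REG   0,70          73794353 (deleted)/usr/lib64/libssl.so.1.0.1e (stat: No such file or directory)
named     12887 named  mem    REG   0,70          73794333 (deleted)/usr/lib64/libcrypto.so.1.0.1e (stat: No such file or directory)
sshd       2210  root  DEL    REG    8,1            131222 /usr/lib64/libcrypto.so.1.0.1e
httpd      7495  root  mem    REG   0,70  1950976 73794323 /usr/lib64/libcrypto.so.1.0.1e
httpd      7495  root  mem    REG   0,70   250168 151994454 /usr/lib64/libssl3.so
EOF
}

# Run against the sample; httpd is absent because it maps the new files.
sample_lsof | stale_ssl_procs
```

On a live system, run `lsof -n | stale_ssl_procs` as root; an empty result means no process is still holding the old libraries.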


Re: [CentOS] weird apache issue

2014-03-07 Thread Tony Mountifield
In article <caozy0en0x_wrbzkvjzupatymod7z_vtbomormukedknrwnf...@mail.gmail.com>,
Tim Dunphy <bluethu...@gmail.com> wrote:
> Hey guys,
> 
>  Well it took a little while for me to be able to reproduce this. It seems
> that this problem is intermittent and sporadic.
> 
> But I tried running a sh -x /etc/init.d/httpd restart command once I
> realized I had another incident of this and this is what I saw as the
> output:
> 
> 
> + /bin/bash -c 'ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/httpd'
> (98)Address already in use: make_sock: could not bind to address [::]:80
> (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
> no listening sockets available, shutting down
> 
> 
> Not really sure how to interpret that, unfortunately.
> 
> 
> However looked for the pid file for apache and noticed that it DOESN'T
> EXIST!
> 
> [root@beta:~] #ls -l /var/run/httpd/
> total 0
> 
> 
> Well, that would explain why the init script isn't able to kill the
> process. Maybe puppet is doing something weird with that pid file? I don't
> really know offhand, but I guess I will have to investigate that.
> 
> Thanks for all your input.

Have a look to see what process is actually doing the listening on port 80:

# netstat -natp

Look for a local address with a port of 80 and a state of LISTEN.

The final column shows you the PID and program name.

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org

