Re: [CentOS] vfstp and renaiming of files with ftp client

2017-07-13 Thread Tris Hoar

On 13/07/2017 14:38, Götz Reinicke - IT Koordinator wrote:

Am 13.07.17 um 14:46 schrieb Pete Biggs:

I have a vsftp server and two users for up and download.

If user Alice uploads a file, the owner is set to Alice as expected
"-rw-r--r-- alice ftpuploadgroup"

Now Bob can login to the same folder and is able to rename the uploaded
file.

Bob can also rename an uploaded folder, but can't rename a file in that
folder 

I'm confused, as I don't get why this is possible at all.


What are the permissions and ownership on the directory the uploads go
in? If its group is 'ftpuploadgroup' and has group write permissions
then any member of that group can rename files in that directory. If a
user creates a directory, then that will have rwxr-xr-x permissions so
they won't be able to rename files within that directory.


The permissions for the upload folder are drwx-wx--- and the owner is
Bob group is ftpuploadgroup

Alice is member of that group, but should only drop files in.

The files are owned by Alice, and I'm a bit irritated that Bob can rename
them ... as Bob only has read permission (from the group)

The files in a subfolder have the same permissions and Bob can't change
them...


 Thanks for your feedback . /G




He does not have read only permission from the group. He is the folder 
owner and so can change things within that folder. You need to change 
the folder to something other than Bob.

The sub dir does not have the same permissions. Alice is the owner.

What is the end goal you want? E.g. Bob and Alice can upload, Bob 
can read files both he and Alice upload but Alice can only read her 
files. Perhaps we can suggest permissions that would do what you want?


Regards,

Tris


*
This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity 
to whom they are addressed. If you have received this email 
in error please notify postmas...@bgfl.org


The views expressed within this email are those of the 
individual, and not necessarily those of the organisation

*
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
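
The rule at work in this thread, as an added example that is not part of the original messages: renaming an entry needs write and search permission on the directory that contains it, and the file's own mode is not consulted. The model below covers a rename within the same parent by a non-root user; it assumes Bob is a member of ftpuploadgroup, and the `ftpadmin` owner with the sticky bit is a hypothetical alternative layout.

```python
import stat
from dataclasses import dataclass

W_AND_X = 0o3  # write + search bits inside one rwx triplet


@dataclass(frozen=True)
class Entry:
    """Owner, group and mode of a file or directory, as ls -l shows them."""
    owner: str
    group: str
    mode: int


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def class_bits(user, entry):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 0o7
    if entry.group in user.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def can_rename(user, directory, target):
    """Can a non-root `user` rename `target` inside `directory`?

    Only the directory's bits decide; target.mode is never read.
    If the directory has the sticky bit, the caller must also own
    the target or the directory itself.
    """
    if class_bits(user, directory) & W_AND_X != W_AND_X:
        return False
    if directory.mode & stat.S_ISVTX:
        return user.name in (target.owner, directory.owner)
    return True


def thread_scenario():
    """Evaluate the layout described in the thread plus one alternative."""
    grp = "ftpuploadgroup"
    bob = User("bob", frozenset({grp}))        # assumption: Bob is in the group
    alice = User("alice", frozenset({grp}))
    upload = Entry("bob", grp, 0o730)          # drwx-wx--- bob ftpuploadgroup
    alice_file = Entry("alice", grp, 0o644)    # -rw-r--r-- alice ftpuploadgroup
    alice_dir = Entry("alice", grp, 0o755)     # drwxr-xr-x, created by Alice
    bob_file = Entry("bob", grp, 0o644)        # constructed sample file
    # Hypothetical alternative: neutral owner (ftpadmin) and sticky bit set.
    sticky = Entry("ftpadmin", grp, 0o1730)
    return {
        "bob renames alice's file": can_rename(bob, upload, alice_file),
        "bob renames alice's folder": can_rename(bob, upload, alice_dir),
        "bob renames file inside alice's folder": can_rename(bob, alice_dir, alice_file),
        "alice renames bob's file": can_rename(alice, upload, bob_file),
        "sticky: bob renames alice's file": can_rename(bob, sticky, alice_file),
        "sticky: alice renames her own file": can_rename(alice, sticky, alice_file),
    }


if __name__ == "__main__":
    for case, allowed in thread_scenario().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```
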


Re: [CentOS] [OT]multi-master DNS

2017-06-28 Thread Tris Hoar

On 27/06/2017 00:49, James A. Peltier wrote:

Bind does not have a method to do multi-master replication.  All updates must 
be done via an intermediary service (database).

In our case, we've used containers and Consul for providing a highly available 
DNS service.  A container will fire up and race for the master lock.  It will 
dump the contents of the database into its named configurations and assuming it 
has the lock will assume the IP address of the master.  Others just come up as 
slaves.

If the master lock is not renewed after a given period of time another 
container can acquire the lock and become master by assuming the IP address of 
master (VRRP/VRID/KeepAliveD)



Hi James,

Do you have any more info on this setup? I'm in the middle of looking at 
changing our DNS service and was thinking of containerising them for the 
improved deployment flexibility it offers.


Tris




Re: [CentOS] bind update flubbed somehow? (resolved)

2017-06-07 Thread Tris Hoar

On 06/06/2017 15:07, Jason Welsh wrote:

ugh, the upgrade changed the owner from named to root on /var/named 
where my zone files are and therefore named could not read the zone 
files..  How embarrassing.. ;)


Jason




That will happen every time named is restarted (it is part of the 
start-up script). Move your zones to something like /var/named/master/ or 
/var/named/slave depending.


Tris




Re: [CentOS] anaconda/kickstart: bonding device not created as expected

2017-04-19 Thread Tris Hoar

On 18/04/2017 15:54, Frank Thommen wrote:

Hi,

I am currently struggling with the right way to configure a bonding
device via kickstart (via PXE).

I am installing servers which have "eno" network interfaces.  Instead of
the expected bonding device with two active slaves (bonding mode is
balance-alb), I get a bonding device with only one active slave and an
independent, non-bonded network device.  Also the bonding device gets
its MAC address from the second instead of from the first device.

I appreciate any hint (or rtfm with the name of the correct fm ;-) on
how to achieve the desired setup through kickstart.  Please find the
used PXE and kickstart settings and resulting network configuration below.

I did this with CentOS 7.2.1511.  We cannot go further due to Infiniband
and lustre drivers which are currently only supported for this CentOS
7.x version

Cheers
frank

--

The used PXE configuration is

LABEL CentOS-7
kernel centos-7/vmlinuz
append initrd=centos-7/initrd.img ip=dhcp nameserver=xx.xx.xx.xx
ksdevice=eno1 inst.repo=http://our.mirror.server/7/os/x86_64
inst.ks.sendmac inst.ks=http://our.kickstart.server/ks.cgi


and the network settings in the kickstart file are

network --device bond0 --bondslaves=eno1,eno2
--bondopts=mode=balance-alb --bootproto=dhcp --hostname=myhost --activate


I would have expected to get a bonding device with eno1 and eno2 as
slave devices, the bonding device inheriting the MAC address from eno1
(otherwise DHCP won't work).  Instead the result is a bonding device
with eno2 as - sole - slave device and eno1 as a single active device
with the main IP address of the host:


bond0: flags=5187  mtu 1500
inet6 fe80::42f2:e9ff:fec7:b5f1  prefixlen 64  scopeid 0x20
ether 40:f2:e9:c7:b5:f1  txqueuelen 0  (Ethernet)
RX packets 29  bytes 5274 (5.1 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 39  bytes 3486 (3.4 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163  mtu 1500
inet xx.xx.xx.xx  netmask 255.255.255.0  broadcast xx.xx.xx.xx
inet6 fe80::42f2:e9ff:fec7:b5f0  prefixlen 64  scopeid 0x20
ether 40:f2:e9:c7:b5:f0  txqueuelen 1000  (Ethernet)
RX packets 4303  bytes 798163 (779.4 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 1686  bytes 481585 (470.2 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
device interrupt 16

eno2: flags=6211  mtu 1500
ether 40:f2:e9:c7:b5:f1  txqueuelen 1000  (Ethernet)
RX packets 29  bytes 5274 (5.1 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 39  bytes 3486 (3.4 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
device interrupt 17


The ifcfg-files look basically ok, but there are two for the eno1 device.

ifcfg of the bonding device:

$ cat ifcfg-bond0
# Generated by parse-kickstart
IPV6INIT="yes"
DHCP_HOSTNAME="myhost"
NAME="Bond connection bond0"
BONDING_MASTER="yes"
BOOTPROTO="dhcp"
BONDING_OPTS="mode=balance-alb"
DEVICE="bond0"
TYPE="Bond"
ONBOOT="yes"
UUID="35910614-4a7c-43c9-8e44-dcf44b783358"
$


ifcfg of the two slave devices

$ cat ifcfg-bond0_slave_1
# Generated by parse-kickstart
NAME="bond0 slave 1"
MASTER="35910614-4a7c-43c9-8e44-dcf44b783358"
HWADDR="40:f2:e9:c7:b5:f0"
TYPE="Ethernet"
ONBOOT="yes"
UUID="f3a0a007-861c-42b6-8264-6efba62232ce"
$


$ cat ifcfg-bond0_slave_2
# Generated by parse-kickstart
NAME="bond0 slave 2"
MASTER="35910614-4a7c-43c9-8e44-dcf44b783358"
HWADDR="40:f2:e9:c7:b5:f1"
TYPE="Ethernet"
ONBOOT="yes"
UUID="ee3f7c84-d4cb-412e-887d-6b1c753eb913"
$


ifcfg of eno1 (which physically has the MAC address 40:f2:e9:c7:b5:f0,
which is the same as ifcfg-bond0_slave_1

$ cat ifcfg-eno1
# Generated by dracut initrd
NAME="eno1"
DEVICE="eno1"
ONBOOT=yes
NETBOOT=yes
UUID="d20645a0-8093-45f3-9630-d0249f76726b"
IPV6INIT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
DNS1="192.55.188.177"
$



Hi Frank,

This is from my satellite kickstart where I'm building the bond at the 
point of PXE booting, and using static (I'm working on doing this with 
DHCP and tagged VLANs but currently can't get to the hardware needed 
since messing up the BMC config :( )


LABEL linux
KERNEL boot/RedHat-7.3-x86_64-vmlinuz
APPEND initrd=boot/RedHat-7.3-x86_64-initrd.img 
ks=http://example.com/host.ks ks.device=bootif network ks.sendmac 
bond=bond0:eno1,eno2:mode=802.3ad vlan=bond0.10:bond0 
ip=10.10.0.2::10.10.0.1:255.255.255.0:host.example.com:bond0.10:none 
nameserver=10.10.0.1



Then in the KS we have
network  --bootproto=static --device=link --gateway=10.10.0.1 
--hostname=host.example.com --ip=10.10.0.2 
--nameserver=10.10.0.1,10.11.0.1 --netmask=255.255.255.0


It should be fairly simple to convert that to use DHCP as 

Re: [CentOS] How do I confirm importing repo key without user intervention?

2017-03-13 Thread Tris Hoar

On 13/03/2017 04:38, Yuri Kanivetsky wrote:

...Check out the full typescript of what happens when installing
passenger, please:
https://gist.github.com/x-yuri/1dc92db44f89253679ab44f6c3de125c

Regards,
Yuri


In my kickstart scripts I call yum with
yum -t -y -e 0

This just works for me. -t may be what you are looking for.

Tris





Re: [CentOS] CentOS 7/GNOME 3 customise top panel

2016-10-14 Thread Tris Hoar

On 14/10/2016 15:45, Toralf Lund wrote:

On 14/10/16 16:23, Tris Hoar wrote:

On 14/10/2016 13:39, Toralf Lund wrote:

Hi,

Is there any way to customise the top panel in CentOS 7 with GNOME 3
(which I recently tried for the first time)? Specifically, I want to add
"application launchers", as it will make start-up faster than the
standard alternatives. (Because you can move the mouse directly to the
right place - you don't have to carry out another action, wait for icons
or menu items to pop up, look for the right one etc first.)

People on the web talk about a "context" menu that opens if you use some
kind of weird combination of right mouse-click and Alt, Windows key,
Ctrl, left click, Alt Gr or whatever, but there seems to be no way to
make that happen on CentOS.

I found an answer of sorts in
https://www.centos.org/forums/viewtopic.php?t=47957
-

In straight Gnome Shell -- CentOS 7 defaults to a modified version
using extensions -- the panel *is* locked. Visit extensions.gnome.org
to see if something there is useful.

- but I don't think I quite understand it. I mean, the ability to add
extensions is nice, but if the panel is locked, isn't an "unlock"
function what I should be looking for? This doesn't quite sound like an
"extension". Or is the actual menu everyone talks about itself an
extension? If that's the case, surely isn't there some other way to make
the changes? If the standard panel allows stuff to be added, there must
be a standard way to do it, right?

Also, if I do need extensions, I'd prefer to install it via the package
manager system rather than through a special web interface...

Does anyone know more about this? Any help would be appreciated. -
Except, that is, I don't really need anyone to suggest switching to MAME
or some other alternative desktop. I might end up doing just that, but
it really bugs me that I can't get functionality that's supposed to be
there to work...

- Toralf


Hi Toralf,

Have a look at
https://extensions.gnome.org/
specifically
https://extensions.gnome.org/extension/6/applications-menu/




Maybe I should have been a bit more specific; I don't want launchers in
a menu accessed from the panel - I want the icons to appear directly in
the panel itself.



Ok, I think I understand now. Does this not work?
https://extensions.gnome.org/extension/4/panel-favorites/


also look at Gnome Tweak Tool which lets you make some other changes
to how Gnome 3 works.

I tried this earlier, but didn't find any setting related to what I want.


That application Menu I believe will work on C7 (I'm using F24 as my
desktop)

The menu is actually there already - the relevant extension seems to be
pre-installed.

In the Fedora version, what happens if you press Alt and right-click on
the panel? If the answer is "nothing", how about
"Windows"+Alt+right-click or Ctrl+Alt+right-click?


Those do nothing for me either.



- Toralf



Tris







Re: [CentOS] CentOS 7/GNOME 3 customise top panel

2016-10-14 Thread Tris Hoar

On 14/10/2016 13:39, Toralf Lund wrote:

Hi,

Is there any way to customise the top panel in CentOS 7 with GNOME 3
(which I recently tried for the first time)? Specifically, I want to add
"application launchers", as it will make start-up faster than the
standard alternatives. (Because you can move the mouse directly to the
right place - you don't have to carry out another action, wait for icons
or menu items to pop up, look for the right one etc first.)

People on the web talk about a "context" menu that opens if you use some
kind of weird combination of right mouse-click and Alt, Windows key,
Ctrl, left click, Alt Gr or whatever, but there seems to be no way to
make that happen on CentOS.

I found an answer of sorts in
https://www.centos.org/forums/viewtopic.php?t=47957 -

In straight Gnome Shell -- CentOS 7 defaults to a modified version
using extensions -- the panel *is* locked. Visit extensions.gnome.org
to see if something there is useful.

- but I don't think I quite understand it. I mean, the ability to add
extensions is nice, but if the panel is locked, isn't an "unlock"
function what I should be looking for? This doesn't quite sound like an
"extension". Or is the actual menu everyone talks about itself an
extension? If that's the case, surely isn't there some other way to make
the changes? If the standard panel allows stuff to be added, there must
be a standard way to do it, right?

Also, if I do need extensions, I'd prefer to install it via the package
manager system rather than through a special web interface...

Does anyone know more about this? Any help would be appreciated. -
Except, that is, I don't really need anyone to suggest switching to MAME
or some other alternative desktop. I might end up doing just that, but
it really bugs me that I can't get functionality that's supposed to be
there to work...

- Toralf


Hi Toralf,

Have a look at https://extensions.gnome.org/ specifically 
https://extensions.gnome.org/extension/6/applications-menu/
Also look at Gnome Tweak Tool which lets you make some other changes to 
how Gnome 3 works. That application Menu I believe will work on C7 (I'm 
using F24 as my desktop)


Tris




Re: [CentOS] gigE -> 100Mb problems

2016-10-11 Thread Tris Hoar

On 11/10/2016 09:14, John R Pierce wrote:

On 10/10/2016 11:21 PM, Gordon Messmer wrote:

On 10/10/2016 09:31 PM, John R Pierce wrote:


oh.


Yeah, the entire "net-tools" package is deprecated.  I tend to forget
which of the two (ethtool or mii-tool) is in that set.

# Avoid using any of these:
$ rpm -ql net-tools


/bin/dnsdomainname
/bin/domainname
/bin/hostname
/bin/netstat
/bin/nisdomainname
/bin/ypdomainname
/sbin/ether-wake
/sbin/ifconfig
/sbin/ipmaddr
/sbin/iptunnel
/sbin/mii-diag
/sbin/mii-tool
/sbin/nameif
/sbin/plipconfig
/sbin/route
/sbin/slattach


ok, so the mii-* stuff is deprecated (as is route, ifconfig, netstat,
and arp? sigh).

apparently the network administrator went ahead and forced the switch
port to use gigE, so its no longer in the 'broken' state of
autonegotiating 100baseT.



Just for comparison this is a server that is set to auto negotiate

[root@sch-mwg-01 access.log]# mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok
[root@sch-mwg-01 access.log]# ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: Symmetric
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: Symmetric
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x0007 (7)
                               drv probe link
        Link detected: yes

Note that mii-tool is reporting incorrectly. That server is currently 
processing ~500Mbit/s.
Of the tools listed above, the only one I still extensively use is 
netstat as ss, its replacement, is IMO not very nice.


Tris




[CentOS] RHEL 5 EOL

2016-04-01 Thread Tris Hoar

Hi List,

As an FYI Red Hat have announced the 1 year EOL notice for RHEL 5. 
Anyone still using CentOS 5 would do well to start planning on upgrading 
to 6 or 7.


Tris




Re: [CentOS] Is there a way to detect/validate DHCP static IP assignment?

2016-03-31 Thread Tris Hoar

On 30/03/2016 18:08, David Copperfield wrote:

Hi,
  We have tens of networks(VLANs) in data center with a central Linux DHCP 
server. each network has their router to do the DHCP relay. So, the DHCP 
server's configuration files has tens 'subnet' statements.
Because PXE booting is standard in whole data center, there are also thousands 
of static MAC-IP mapping 'host' statements in dhcp configuration.
The big challenge with a central dhcp server is how to detect typo in the 
thousands of MAC-IP 'host' statements? -- a single char/digit typo here will 
fail a PXE booting or download wrong post-installation snippets.

  Is there a tool to validate all 'host' statements from another Linux box?

I tried nagios check-dhcp plugin, with a series of real MAC addresses(for hosts 
in other different networks). Surprisingly, the IP address came back were not 
the static IP addresses in 'host' statement, but dynamic addresses in the pool 
defined for this particular network (where I ran check-dhcp from).
check_dhcp was run with the following arguments:

/usr/lib64/nagios/plugins/check_dhcp --verbose --server= 
--interface=eth0 --mac= --unicast
Removing --unicast doesn't help, I just see more DHCP replies.
Interestingly, with the same MAC address and the same command as above, from two 
CentOS boxes on different networks there will be different dynamic IPs instead of 
the static IP defined with the 'host' statement.

So, how can we validate static IP assignment? Thanks.
Best,
David



Hi David,

You need to use check_dhcp_relayed.pl 
(https://github.com/timb07/check_dhcp_relayed) if you wish to test for a 
reservation outside of the server's subnet, otherwise the DHCP server 
will assume you are on the local range and issue from that subnet.


Also as an FYI Foreman (http://theforeman.org) can do things like 
building VMs and physical servers and integrates with DHCP to create 
static DHCP reservations for PXE booting servers which should eliminate 
typos.


Tris
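
Why the test has to look relayed, as an added example that is not part of the original messages: a DHCP server picks the client's network segment from the BOOTP giaddr (relay address) field, and falls back to the segment the request arrived on when giaddr is zero. The code builds a DHCPDISCOVER per RFC 2131 and runs it through a simplified model of that choice; the subnets, pool addresses, MAC and reservation are constructed sample data, and `choose_address` is an assumption-level model, not the server's code.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951 / RFC 2131), 236 bytes:
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])
ZERO = ipaddress.IPv4Address("0.0.0.0")

# Constructed sample data (not from the thread).
POOLS = {"10.1.0.0/24": "10.1.0.100",   # segment of the monitoring host
         "10.2.0.0/24": "10.2.0.100"}   # remote VLAN behind a relay
RESERVATIONS = {"52:54:00:aa:bb:01": "10.2.0.50"}  # 'host' statement
MAC = "52:54:00:aa:bb:01"
RELAY = "10.2.0.1"


def build_discover(mac, giaddr="0.0.0.0", xid=0x1234ABCD):
    """Return a DHCPDISCOVER; a non-zero giaddr makes it look relayed."""
    hw = bytes.fromhex(mac.replace(":", ""))
    if len(hw) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    relay = ipaddress.IPv4Address(giaddr)
    hops = 0 if relay == ZERO else 1
    header = BOOTP.pack(1, 1, 6, hops, xid, 0, 0,
                        bytes(4), bytes(4), bytes(4), relay.packed,
                        hw, bytes(64), bytes(128))
    # Option 53 (message type) = 1 (DISCOVER), then option 255 (end).
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse_request(packet):
    """Extract (client MAC, giaddr) from a DHCP request."""
    fields = BOOTP.unpack(packet[:BOOTP.size])
    if packet[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    hlen, giaddr, chaddr = fields[2], fields[10], fields[11]
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    return mac, ipaddress.IPv4Address(giaddr)


def choose_address(packet, arrival_subnet, pools=POOLS, reservations=RESERVATIONS):
    """Simplified model: a reservation is used only if it fits the segment."""
    mac, giaddr = parse_request(packet)
    if giaddr == ZERO:
        segment = ipaddress.ip_network(arrival_subnet)
    else:
        segment = next((n for n in map(ipaddress.ip_network, pools)
                        if giaddr in n), None)
        if segment is None:
            raise ValueError(f"no subnet declared for relay {giaddr}")
    fixed = reservations.get(mac)
    if fixed is not None and ipaddress.IPv4Address(fixed) in segment:
        return fixed
    return pools[str(segment)]


def reservation_ok(mac, expected_ip, relay, reservations=RESERVATIONS):
    """Relayed probe: does the server hand out the expected static address?"""
    packet = build_discover(mac, giaddr=relay)
    return choose_address(packet, "10.1.0.0/24", reservations=reservations) == expected_ip


if __name__ == "__main__":
    direct = choose_address(build_discover(MAC), "10.1.0.0/24")
    relayed = choose_address(build_discover(MAC, giaddr=RELAY), "10.1.0.0/24")
    print("direct probe :", direct)    # dynamic address from the local pool
    print("relayed probe:", relayed)   # the reserved address
    typo = {"52:54:00:aa:bb:10": "10.2.0.50"}  # constructed typo in the MAC
    print("typo detected:", not reservation_ok(MAC, "10.2.0.50", RELAY, typo))
```

On a live network the server sends its reply to the giaddr address, so the probing host must be able to receive traffic for the relay address it claims.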







Re: [CentOS] Pi 2 Alternatives

2016-02-04 Thread Tris Hoar

On 04/02/2016 15:33, Chris Olson wrote:

We have a requirement for a new application that will be used
fixed, portable, and mobile.  The hardware requirements drive
the need for networking as well as some general purpose and
special purpose interfaces.  The software requirements are
quite simple in comparison to many of our much larger systems
with similar hardware requirements.  We are not significantly
restricted in choice of storage peripherals or other devices
that may be needed.

We believe that a small, single board computer will meet all
requirements as long as it can run Linux.  We have identified
the need for approximately six prototyping units to support
the initial production of about 200 to 300 operational systems.
Our development and deployment time frame does not drive the
need for an extremely rapid product decision, and there are
pre-planned upgrade cycles over the next five years.

An internal group has achieved a significant head of steam in
support of using the Pi 2 Model B.  The support enthusiasm may
be partly technical and partly the hype associated with jumping
into the Pi community.  The number of suppliers does appear to
support our supply chain and sustainment requirements, however
the Linux available for the Pi 2 does not appear to be optimal.
It would be better if there were choices that include a standard
Linux distribution such as CentOS.

This certainly seems like one of those situations where a trade
of single board computer products is appropriate and achievable.
There are products similar to the Pi 2 capable of running a more
standard Linux distribution that we might consider.  Does anyone
have an experience-based single board computer recommendation?

Thanks in advance for any product recommendations.


Not sure if you are aware of this

https://wiki.centos.org/SpecialInterestGroup/AltArch/Arm32

But that might help the Pi fit your needs.

Tris





Re: [CentOS] Squid as interception HTTPS proxy under CentOS 7

2016-02-04 Thread Tris Hoar

On 04/02/2016 13:24, C. L. Martinez wrote:

Hi all,

  I am trying to configure squid as an interception HTTPS proxy under CentOS 7. 
At every https request, I am receiving a certificate error.

  My current config for squid is:

# My localnet
acl localnet src 172.22.55.0/28
acl localnet src 172.22.58.0/29

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# My custom configuration
http_port 8079
http_port 8080 intercept
https_port 8081 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/custom.private cert=/etc/squid/custom.cert

# Anonymous proxy
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

  I have tried disabling "sslproxy_cert_error" and "sslproxy_flags" directives, 
without luck.

  Any ideas about what am I doing wrong?

  Thanks.



Do you have a copy of the Root CA you are using to re-encrypt the SSL 
stream installed in the browser?


Tris




Re: [CentOS] ICMP outoging traffic at centos 6.7

2016-01-06 Thread Tris Hoar

On 06/01/2016 15:56, Shital Sakhare wrote:

Yes, now I am dropping packets in the OUTPUT chain for type 3. Initially, I
implemented the chain to drop type 0 and 8. But it didn't work and the
packets were hitting the firewall for multiple ICMP requests. I didn't
understand the problem. After posting here I went through all the
ICMP types, where I understood to drop packets for "Host unreachability".
Thanks for your help Mr. Gordon.

On Wed, Jan 6, 2016 at 8:47 PM, Gordon Messmer 
wrote:


On 01/06/2016 05:47 AM, Shital Sakhare wrote:


Thanks, Dropped the ICMP type 3 port. Now question to find the cause.



Well, based on your tcpdump output, it looks like your rules were
rejecting unrelated packets, or tcp/443 packets.  It's hard to be sure
since the ICMP was the first packet, so you didn't show the packet it was
actually replying to.

The ICMP traffic is a result of rejecting rather than dropping that
traffic.  That is, I think you're looking at the problem wrong.  The ICMP
traffic is simply the result of a choice you made.  Are you dropping type 3
in the output chain?




I assume you also have rules in the INPUT chain, and one of them reads 
something like this:


-A INPUT -j REJECT --reject-with icmp-host-prohibited

When traffic matches this rule your server will respond with an ICMP 
request. It sounds like you have now added a rule blocking your server 
from sending these responses. You should investigate what is matching 
the INPUT rule, as it could be malicious activity that should be blocked 
further upstream from you (e.g. at the perimeter firewall),
and if you wish to stop your server sending these responses you should 
change the rule to DROP instead of REJECT.


Tris






Re: [CentOS] install rrdtools-devel / rrdtool-perl

2015-11-26 Thread Tris Hoar

On 26/11/2015 17:58, Leandro wrote:

I'm very sorry.
You were right, yum install works flawlessly for rrdtool, rrdtool-devel
and rrdtool-perl packages.
I tried on a fresh CentOS 7 install.
The problem is that my OS is not CentOS 7, it is Red Hat 7 instead.
Since I don't have any support for this, I asked for some help here. I
thought that repositories are the same for Fedora, Red Hat and CentOS.
My mistake ...
I don't know what to do now.

Thank you!!



On 26/11/15 14:20, John Hodrien wrote:

yum list rrdtool --show-duplicates







RHEL uses RHN for system updates etc. You will need the following repos 
enabled for those files:

Red Hat Enterprise Linux 7 Server (RPMs)
Red Hat Enterprise Linux 7 Server - Optional (RPMs)

To access RHN you will need a support agreement with Red Hat. You could 
use the packages from Centos, but it would be better to just rebuild the 
server if you are going down that route.


Tris




Re: [CentOS] install rrdtools-devel / rrdtool-perl

2015-11-26 Thread Tris Hoar

On 26/11/2015 18:22, John R Pierce wrote:

On 11/26/2015 10:18 AM, Tris Hoar wrote:

To access RHN you will need a support agreement with Red Hat. You
could use the packages from Centos, but it would be better to just
rebuild the server if you are going down that route.


long ago, far away, I successfully converted several RHEL boxes to
CentOS by making a list of all the RPMs and replacing them with the
centos equivalents, after removing the RHN related packages and manually
installing the CentOS equivalents.   But I think it was RHEL 3 or 4 when
I last did this.



I've done the same with RHEL5 and it worked fine, but it's not 
something I'd do to a production system.


Tris




Re: [CentOS] getting a CentOS6 VM on VMware ESXi platform to recognize a new disk device

2015-11-05 Thread Tris Hoar

On 04/11/2015 20:59, John R Pierce wrote:

On 11/4/2015 12:52 PM, Boris Epstein wrote:

I don't get this for some reason... not even sure why. ESXi's default
behaviour seems to be to allow hotplug, that does not seem to be
deactivated. I am just not sure. Wonder if this could be the Centos 7
vs 6 - perhaps that is what I ought to test for.


what virtual SCSI controller type are you using for these VM's? Mine are
'paravirtual'.



Also, what guest OS and VM hardware version is the guest running as?

Tris




Re: [CentOS] EFI netboot to kickstart install

2015-10-22 Thread Tris Hoar

On 22/10/2015 03:25, Grant Street wrote:

Hello All


Up until now we have been using standard PXE boot to do kick start installs of 
centos boxes. With recent machines however they come by default as EFI boot. We 
can set them to legacy but I would like to solve this before this option goes 
away.


Just wondering if anyone has any experience setting up a net boot server that 
can be used to kickstart EFI machines?


Thanks


Grant


Hi Grant,

As a guess it is due to the partition scheme you are using in your 
kickstart (this was the issue for me at least)

Try something like

part /boot --fstype="xfs" --fsoptions="nodev,noexec,nosuid" --size=500 --ondisk=sda

part /boot/efi --fstype="efi" --size=200 --ondisk=sda

Along with your other mount points etc.


Tris





Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home server

2015-06-29 Thread Tris Hoar

On 29/06/2015 16:59, Max Pyziur wrote:

On Sun, 28 Jun 2015, John R Pierce wrote:


On 6/28/2015 3:49 PM, Max Pyziur wrote:

 I also seem to need to load
 iptable_nat
 nf_nat_ftp

 via rc.local

 Is this correct?


only if you're running some Linux build from the 1990s.

nothing on RHEL/CentOS should need anything in rc.local



Then what is the appropriate way to ensure that these modules are loaded?

Should they be placed in the /etc/init.d/iptables script?
IPTABLES_MODULES="iptable_nat ip_nat_ftp ip_conntrack ip_conntrack_ftp"

or somewhere else?

Thanks

Max


It should do it automatically for you. Try it. Editing system init 
scripts is rarely recommended.


Tris







Re: [CentOS] specify port on check_memcached.pl

2015-05-27 Thread Tris Hoar

On 24/05/2015 15:36, Tim Dunphy wrote:

Hey guys,


I'm trying use check_memcached.pl to monitor a couple of memcached services
running on two ports.


I have my command definition setup like this:

# 'check_memcached' command definition
define command {
    command_name check_memcached
    command_line $USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$
}


And I have my service definitions setup like this:


# Define a service to check memcached on web1 (just the basics for right now).
define service{
    use                     local-service ; Name of service template to use
    host_name               web1
    service_description     Check Memcached 11211
    contact_groups          linux-admins
    check_command           check_memcached!web1.example.com!11211
    notifications_enabled   1
}

# Define a service to check memcached on web1 (just the basics for right now).
define service{
    use                     local-service ; Name of service template to use
    host_name               web1
    service_description     Check Memcached 11212
    contact_groups          linux-admins
    check_command           check_memcached!web1.example.com!11212
    notifications_enabled   1
}

And if I run both checks manually they succeed:

[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl  -H web1.example.com -p 11211
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11211, up 22 minutes 52 seconds

[root@monitor1:/usr/local/nagios/etc/objects/servers] #../../../libexec/check_memcached.pl  -H web1.example.com -p 11212
MEMCACHE OK: memcached 1.4.22 on web1.example.com:11212, up 12 minutes 2 seconds

Yet, in my nagios web interface, I'm getting this error:


Check Memcached 11211
https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11211
CRITICAL  05-24-2015 14:28:31  0d 0h 10m 19s  4/4  CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0

Check Memcached 11212
https://nagios.jokefire.com/nagios/cgi-bin/extinfo.cgi?type=2host=web1service=Check+Memcached+11212
CRITICAL  05-24-2015 14:29:12  0d 0h 11m 8s  4/4  CRITICAL ERROR - Can not connect to '162.243.60.6' on port 0


I thought I could specify the command in the service definition like this:

check_memcached!web1.example.com!11211

To reproduce the command as it's executed on the command line. How can I
specify the port correctly here?


Thanks,

Tim




Hi Tim,

Your command specification is wrong. It will get the -H attribute from 
the host_name; you should not specify it on the check_command. By 
doing so, what you have effectively done is write:

check_memcached.pl  -H web1.example.com -p web1.example.com 11211

If you enable debug_level=2048 you should be able to see the commands 
that Nagios is creating.


Tris




Re: [CentOS] I Have Multiple Ips But Can Only Telnet to One Interface. Not the subinterface. How to Fix?

2015-05-20 Thread Tris Hoar

On 20/05/2015 11:41, Mike McKoy wrote:

[root@mail1 log]# netstat -plnt |grep :25
tcp 0 0 172.30.1.113:25 0.0.0.0:* LISTEN 18800/master
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 18800/master


You are not listening on 172.30.1.65; you need to edit the postfix config 
to listen on either 0.0.0.0 or both IPs.


Tris




Re: [CentOS] nagios check_local_disk failing

2015-05-14 Thread Tris Hoar

On 14/05/2015 02:42, Tim Dunphy wrote:

Hey all,

I have a local disk check defined which is giving me an error:

Current Status: UNKNOWN (for 0d 0h 1m 38s)
Status Information: Unknown argument
Usage:
check_disk -w limit -c limit [-W limit] [-K limit] {-p path
Performance Data: -x device} [-C] [-E] [-e] [-f] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ] [-t timeout] [-u unit] [-v] [-X type] [-N type] [-n]

  I have a local check setup like this in the server's config:

define service{
        use                     local-service ; Name of service template to use
        host_name               monitor1
        service_description     Root Partition
        check_command           check_local_disk!20%!10%!/
        }

It's attempting to do a local disk check on the nagios server itself. Not
an NRPE check.

This is the command definition:

# 'check_local_disk' command definition
define command{
        command_name    check_local_disk
        command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$
        }

Can someone please tell me where I'm going wrong?

Thanks,
Tim



You need to remove the 4th argument if you are not using it

[root@nagios plugins]# ./check_disk -w 20 -c 10 -p / -x
./check_disk: option requires an argument -- 'x'
Unknown argument
Usage:
 check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]
[root@nagios plugins]# ./check_disk -w 20 -c 10 -p /
DISK OK - free space: / 20848 MB (92% inode=97%);| /=1670MB;23711;23721;0;23731


Tris


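Added example, not from any poster: a small model of how Nagios builds the command line, covering both this check_local_disk thread and the check_memcached.pl thread above. It assumes the documented Nagios behaviour that check_command is split on "!" into $ARG1$, $ARG2$, ... and that a macro with no value expands to an empty string; expand_check_command is a hypothetical helper, 127.0.0.1 is a constructed address, and the $USER1$ value is inferred from the paths shown in the thread.

```shell
#!/bin/sh
# expand_check_command CHECK_COMMAND COMMAND_LINE HOSTADDRESS USER1
# Splits CHECK_COMMAND on "!" (name!ARG1!ARG2...) and fills the macros in
# COMMAND_LINE; an $ARGn$ with no matching value expands to nothing.
expand_check_command() {
    awk -v cc="$1" -v line="$2" -v host="$3" -v user1="$4" '
    # Literal (non-regex) replacement of every occurrence of macro in s.
    function replace_all(s, macro, value,    i, out) {
        out = ""
        while ((i = index(s, macro)) > 0) {
            out = out substr(s, 1, i - 1) value
            s = substr(s, i + length(macro))
        }
        return out s
    }
    BEGIN {
        n = split(cc, part, "!")          # part[1] is the command name
        line = replace_all(line, "$USER1$", user1)
        line = replace_all(line, "$HOSTADDRESS$", host)
        # Nagios Core documents $ARG1$ through $ARG32$.
        for (i = 1; i <= 32; i++)
            line = replace_all(line, "$ARG" i "$", (i < n) ? part[i + 1] : "")
        print line
    }'
}

LIBEXEC=/usr/local/nagios/libexec
MEMCACHED_LINE='$USER1$/check_memcached.pl -H $HOSTADDRESS$ -p $ARG1$'
DISK_LINE='$USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$ -x $ARG4$'

# As posted: $ARG1$ is the host name, so -p never receives 11211.
expand_check_command 'check_memcached!web1.example.com!11211' \
    "$MEMCACHED_LINE" 162.243.60.6 "$LIBEXEC"

# Port passed as the only argument.
expand_check_command 'check_memcached!11211' \
    "$MEMCACHED_LINE" 162.243.60.6 "$LIBEXEC"

# As posted: three arguments for four macros leaves a bare -x at the end.
expand_check_command 'check_local_disk!20%!10%!/' \
    "$DISK_LINE" 127.0.0.1 "$LIBEXEC"
```

Under these assumptions the first call ends in "-p web1.example.com" and the third ends in "-x" with nothing after it, which is the form check_disk rejects in the session shown above.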


Re: [CentOS] C7 and fstab

2015-05-14 Thread Tris Hoar

On 14/05/2015 10:16, Alessandro Baggi wrote:

Hi List,
I've installed C7.1 and today configuring fstab for another disk I get
this:

UUID=d5ff30df-9e1d-4fc8-99b6-845ffa6509db /          xfs   defaults   0 0
UUID=052f75bc-0513-45e0-a01f-06c9a698469f /mnt/data  xfs   defaults   0 0
UUID=732dafbd-2f14-4dd6-8513-1504b13302f1 swap       swap  defaults   0 0


Fields fs_freq and fs_passno are all set to 0. This fstab was generated
by the installer and not yet modified.

To reproduce this, I've installed a minimal centos on a VM and the same
problem persists.

I don't know if this is a bug or if there is a new system that does not
require the last two fields on C7 REL 1503.

Someone has the same problem?

Thanks in advance.




This is the default when using the xfs filesystem

Tris




Re: [CentOS] Firefox 38 and Older TLS sites

2015-05-13 Thread Tris Hoar

On 13/05/2015 11:12, Johnny Hughes wrote:

All,

Red Hat released the source code for Firefox 38.  We have (or will be
today) releasing this for CentOS-5, CentOS-6, and CentOS-7.

It does not, by default, connect to https sites with TLS less than 1.2.
This means it will not connect to sites on CentOS-5, for example ..
there are many others.

In any event, here is a wiki article that explains potential issues and
workarounds:

http://wiki.centos.org/TipsAndTricks/Firefox38onCentOS

Thanks,
Johnny Hughes



Hi Johnny,

My reading of https://access.redhat.com/node/1422403 is Firefox 38 will 
connect to sites using TLS 1.0 and 1.1. But ONLY if the server correctly 
negotiates the connection. This should only affect sites that close the 
initial connection due to not understanding TLS 1.2.


A quick test connecting to a RHEL5 server over HTTPS with Firefox 38 
shows it has established a TLS 1.0 connection so this should not really 
affect CentOS 5.


Tris





Re: [CentOS] semi-OT: t-bird mime type on .pdf attachment is wrong

2015-04-23 Thread Tris Hoar

On 22/04/2015 19:25, m.r...@5-cent.us wrote:

I was sending my manager a copy of a form, and attached it (not inline),
using -t-bird, and he complains it didn't want to open. Looking at the
message source, t-bird had decided that the mime type was all/allfiles,
though the name ended in .pdf. I've searched via the config editor, and
I've been googling, and not finding anything. (I just *adore* the current
google: I have +all/allfiles in the search terms, and in the para it
displays on a hit I see all somethingorother, with the word all
bolded)

Anyone got ideas? I've looked in
.thunderbird/blah.default/mime_types.rdf, and everything looks good in
there.

mark






Did you check the mime type of the file? Just because it says PDF does 
not make that true.

You can use file to check it.

Tris




Re: [CentOS] leap second and Centos

2015-03-25 Thread Tris Hoar

On 24/03/2015 18:54, Les Mikesell wrote:

On Tue, Mar 24, 2015 at 1:26 PM, Frank Cox thea...@melvilletheatre.com wrote:

On Tue, 24 Mar 2015 12:56:27 -0500
Les Mikesell wrote:


Doesn't anyone have a list of the oldest
kernel version for each Centos version  you could be running and still
avoid known problems?


The best answer to your question is the latest version, since previous 
versions all have known issues of one kind or another.

It's not a great idea to run outdated Centos systems with known bugs of any 
kind.


I can't argue with that (then again, you were running that buggy code
before and happy with it), but having to reboot frequently is not
ideal either, particularly on machines where scheduling downtime is a
fairly involved process.   I'm looking for the compromise with the
least pain involved.


Hi Les,

https://access.redhat.com/labs/leapsecond/leap_vulnerability.sh
If you don't have a subscription then the key bits from the script are:
# RHEL 4 needs to be after -89
# RHEL 5 needs to be after -164
# RHEL 6 Affected Versions
# 6 GA: All Versions
# 6.1: Versions before -131.30.2
# 6.2: Versions before -220.25.1
# 6.3: Versions before -279.5.2

and that the tzdata should be from 2015

Tris




Re: [CentOS] Tasks in /etc/cron.daily on CentOS 7?

2015-03-12 Thread Tris Hoar

On 11/03/2015 15:17, Niki Kovacs wrote:

Hi,

I just configured SquidAnalyzer, a nifty little network statistics tool
that I'm using mainly in school networks to monitor network usage.

I want to run the '/usr/bin/squid-analyzer' script once a day. I took a
peek in /etc/cron.daily, and the package already installed an
/etc/cron.daily/0squidanalyzer script.

I wanted to know at what time CentOS ran the cron.daily scripts, so I
typed crontab -l, but there was only no cronjobs defined for root.

Here's how things look on a public Slackware64 14.0 server I administrate:

# crontab -l
...
# Run hourly cron jobs at 47 minutes after the hour:
47 * * * * /usr/bin/run-parts /etc/cron.hourly 1> /dev/null
#
# Run daily cron jobs at 4:40 every day:
40 4 * * * /usr/bin/run-parts /etc/cron.daily 1> /dev/null
#
# Run weekly cron jobs at 4:30 on the first day of the week:
30 4 * * 0 /usr/bin/run-parts /etc/cron.weekly 1> /dev/null
#
# Run monthly cron jobs at 4:20 on the first day of the month:
20 4 1 * * /usr/bin/run-parts /etc/cron.monthly 1> /dev/null

How is this handled on CentOS 7?

Cheers,

Niki

CentOS / RHEL 7 use anacron for this

[root@server~]# cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1                 5                  cron.daily       nice run-parts /etc/cron.daily
7                 25                 cron.weekly      nice run-parts /etc/cron.weekly
@monthly          45                 cron.monthly     nice run-parts /etc/cron.monthly

Tris




Re: [CentOS] Master - Slave Split DNS

2015-02-18 Thread Tris Hoar

On 18/02/2015 07:17, aditya hilman wrote:

Hi folks,

I've already configured split DNS for internal-view and external-view. I have
also already configured the master - slave DNS.
But I have a problem with the external-view zone transfer.
Based on the logs, the master notifies the slave using the public IP, which is
not accessible by the master for transferring the zone over the public IP.
Is it possible to transfer the zone over the local IP for the external-view?

Thanks.



Hi Adit,

If you are not already using TSIG's in your views I suggest you look at 
this guide

http://blog.hudecof.net/posts/2014/02/07/bind9-with-views-and-tsig-axfr.html
It shows how to use TSIG's to identify the views so you can slave both 
of them to the secondary.


Also, you want to add to the options section on the master
also-notify { slaves-IP; };
This makes it tell the slave to update its zone.

Tris




Re: [CentOS] Zone file not written to slave DNS server

2015-01-14 Thread Tris Hoar

On 14/01/2015 03:56, Emmett Culley wrote:

On 01/13/2015 12:10 PM, Mateusz Guz wrote:

Have you found a solution?

Did you allow master dns server to update the slave in /etc/named.conf ?



-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
John R Pierce
Sent: Monday, January 12, 2015 7:02 AM
To: centos@centos.org
Subject: Re: [CentOS] Zone file not written to slave DNS server

On 1/11/2015 9:28 PM, Emmett Culley wrote:

I have mostly succeeded in getting master and slave DNS servers operational.  
Mostly, because the zone file is not written when a zone is updated on the 
master server when the notify and transfer process happens.

The slave DNS server gets the changes to the modified zone, but the slave zone 
file remains as before. I've found a few tutorials and lots of discussions, 
many of which talk about the slave's zone file getting written upon transfer, 
but none mention what configuration option would cause the slave's files to get 
updated.

The master is on a CentOS 6 server and the slave is on a CentOS 7 machine.


does the named service have write access to the slave directory ? chown
named.named /path-to-named/slave

oh, is your slave chrooted?  are you looking in the right directory, eg,
/var/named/chroot/var/named/slave ?



I am seeing the following in the log:

Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.792 general: info: zone mydomain.com/IN: Transfer started.
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.885 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: connected using 66.208.208.151#40226
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 general: info: zone mydomain.com/IN: transferred serial 112
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.948 xfer-in: info: transfer of 'mydomain.com/IN' from xx.xx.xxx.xxx#53: Transfer completed: 1 messages, 38 records, 898 bytes, 0.063 secs (14253 bytes/sec)
Jan 13 12:08:44 g1 named[16370]: 13-Jan-2015 12:08:44.949 notify: info: zone mydomain.com/IN: sending notifies (serial 112)

Yet the slaves/mydomain.com.db file does not get updated.  There must be an 
option I am not setting correctly.

Slave config:

Global:
options {
allow-notify { mas.ter.IPa.ddr; };
allow-transfer { mas.ter.IPa.ddr; };


Neither of these are needed on slave servers.


.
.
.
};

Per zone:
zone "mydomain.com." IN {
type slave;
file "slaves/mydomain.com.db";
masters { mas.ter.IPa.ddr; };
};


Master config:

Global:
options {
allow-transfer { sla.ve.IP.net/28; 127.0.0.1; };
also-notify { sla.ve.IPa.ddr; };


This is not needed on the master server, unless the slave is not listed 
in the zone, or if the slave is on a different IP to the one defined in 
the zone (e.g. if the slave is behind a NAT and DNS lists its NAT IP)



allow-update { none; };
notify explicit;
.
.
.
};

I also tried it with allow-update set to the slave's IP address, even though I was 
sure that option was about dynamic DNS, not zone transfer to a slave.  Of 
course that didn't work either.

Emmett



You should check the permissions on the slaves folder to make sure named 
can write to it. Also, you should check if you have SELinux enabled, and 
if so check that the slaves folder is labelled as named_cache_t


For example:
[root@ns5 ~]# ll -Zd /var/named/slaves
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/slaves
[root@ns5 ~]# ll -d /var/named/slaves
drwxrwx---. 2 named named 4096 Jan 14 10:47 /var/named/slaves

Tris





Re: [CentOS] Centos7 ds-389

2014-11-25 Thread Tris Hoar

On 25/11/2014 16:52, Johan Vermeulen wrote:

Hello All,

I'm looking at setting up ds-389 on both Centos6.6 and Centos7, both
minimal installs with
epel repo enabled.

When running yum search ds-389 on Centos7 I get only 3 packages,

389-ds-base
389-ds-base-devel
389-ds-base-libs

On Centos6.6 I get the whole list:

389-ds.noarch : 389 Directory, Administration, and Console Suite
389-ds-base.x86_64 : 389 Directory Server (base)
389-ds-base-devel.i686 : Development libraries for 389 Directory Server
389-ds-base-devel.x86_64 : Development libraries for 389 Directory Server
389-ds-base-libs.i686 : Core libraries for 389 Directory Server
389-ds-base-libs.x86_64 : Core libraries for 389 Directory Server
389-ds-console.noarch : 389 Directory Server Management Console
389-ds-console-doc.noarch : Web docs for 389 Directory Server Management
Console
389-dsgw.x86_64 : 389 Directory Server Gateway (dsgw)

Is this a change in policy?

I apologise if this has been answered before.
A quick google did not provide an answer.

Greetings, Johan



Half of those packages are for i686, which is no longer a supported 
architecture in 7, and many of the others are from epel


389-ds-base.x86_64         1.2.11.15-48.el6_6   rhel-x86_64-server-6
389-ds-base-devel.x86_64   1.2.11.15-48.el6_6   rhel-x86_64-server-optional-6
389-ds-base-libs.x86_64    1.2.11.15-48.el6_6   rhel-x86_64-server-6

Is what I see on one of my RHEL6 servers.

Tris




Re: [CentOS] outside ssh connection from two different ISP's

2014-11-14 Thread Tris Hoar

On 11/11/2014 23:43, Les Mikesell wrote:

On Tue, Nov 11, 2014 at 5:08 PM, Chris Beattie cbeat...@geninfo.com wrote:

On 11/11/2014 2:27 PM, Steve Clark wrote:

Buy second NIC and then the original script Jack Baily provided would work.


I'm outside my area of expertise here, but is there a reason you couldn't fake 
a second network card by assigning two IP addresses to the one interface?

I recall that the OP had two routers on opposite ends of the same subnet.  If 
each router used its own subnet and everything was connected by a hub instead 
of a switch, then wouldn't the server know which way the packets needed to go 
out?  Or a switch that knows VLANs, but that might be needlessly complex.

I realize that means installing a hub instead of a second network card, so I'm 
just asking for my own edification.



There's no difference between a hub and switch with respect to
routing.  It might be possible to do something with a 2nd ip address
in the same subnet used as the target of the port-forwarding from the
other router along with policy based routing to make packets with that
source ip take the other route.  But that would introduce
complications for normal outbound traffic.   It may depend on the
point of having the 2nd connection.  Normally cable is so much faster
than dsl that you would always prefer it unless it was down.  If the
dsl is just for emergency inbound use you might run a VM configured
with the other gateway as the default - maybe even set up openvpn
there for fairly transparent access to the rest of the LAN.



Surely the easiest thing would be to set up a jump host. Essentially, 1 
or 2 servers, if you want resiliency, which you can SSH on to from the 
internet, and then from there access the rest of the network. This gives 
the benefit of reducing the number of servers that have SSH exposed.


Tris




Re: [CentOS] Problems when using tc.

2014-03-26 Thread Tris Hoar
On 26/03/2014 07:27, jason.z...@sumscope.com wrote:
 On 3/25/2014 11:47 PM, jason.z...@sumscope.com wrote:
 [jason@localhost network]$ sudo tc filter add dev eth0  parent 0: protocol 
 ip  u32 match ip dport 2323 0x flowid 1:0

 RTNETLINK answers: Operation not supported

 tc is extremely picky and hard to debug with such lovely specific
 errors. (= blatant sarcasm)






This is an example TC script I used to use. This has port matching included.

http://pastebin.com/4ytunLSu

It's been a few years since I looked at tc (this comes from a rhel3 server)

But IIRC it worked fine.

Tris




Re: [CentOS] Disk space warning (gdu-notification-daemon type) for remote systems

2014-03-12 Thread Tris Hoar
On 12/03/2014 09:07, Toralf Lund wrote:
 On 11/03/14 16:16, Les Mikesell wrote:
 On Tue, Mar 11, 2014 at 9:49 AM, Toralf Lund toralf.l...@pgs.com wrote:
I think you should build a
 monitoring system (nagios, xymon, opennms, several others or perhaps
 your own if you're feeling far too adventurous) instead.  right now
 all you care about is disk space, but eventually someone will want to
 also check for certain processes, open ports, logfile entries,
 something and you could spend the time now to put in the hooks for
 more advanced things and get people in the habit of checking a
 monitoring system on a regular basis.
 In general, that might make sense, but please consider the fact that I'm
 not talking about a general server system. It's a machine dedicated to
 running a server component on one specific software package, and will
 only ever be contacted by a handful of display machines running a GUI
 component of the same piece of software.
 Then you need to look at the features of the specific GUI and its
 transport to the server to see what options it provides for popup
 messages.
 I can easily add a check to software itself. But like I said, I want to
 avoid re-inventing the wheel. So if there is something built into the
 system that will do the job for me...

   Personally, I'd still recommend something more general
 that would generate email or text message alerts to the right set of
 people.  It is fairly rare for 'users' to be interested in fixing
 system problems and even if that happens to be the case now for this
 particular box it may not always be.
 Trust me, this is a highly customised setup with very special users, and
 this won't change just like that.

 A more general system is not an entirely bad idea, but I think it would
 only make sense if implemented at a larger scale based on a system-wide
 policy (there is much else going on in the same network.) Which I'm not
 sure will happen right now...

 - Toralf





You could use the Nagios check_disk plugin to monitor the disk usage.
This gives easy to use response codes and could be wrapped in a script
that sends an email if it runs low on space. Put it in cron to run every 10
minutes or something like that and it will do what you are looking for.
You can get the plugin from EPEL and it is trivial to install and use.

Tris
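
A wrapper of the kind suggested in the reply above, as an added example that is not part of the original thread. The plugin path (assumed to be where EPEL's package puts it on x86_64), the thresholds, the recipient and the script location are assumptions; a missing or failing plugin is mailed as UNKNOWN rather than passing silently.

```sh
#!/bin/sh
# Added example, not from the thread. Paths, thresholds and addresses are
# assumptions; adjust them for the host.

# Assumed default location of the EPEL check_disk plugin on x86_64.
CHECK_DISK=${CHECK_DISK:-/usr/lib64/nagios/plugins/check_disk}
MAILER=${MAILER:-mail}     # any mailx-compatible "mail -s SUBJECT RCPT"
WARN=${WARN:-20%}          # warn when free space drops below this
CRIT=${CRIT:-10%}          # critical when free space drops below this

# Map a Nagios plugin exit code to its state name.
state_name() {
    case $1 in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;   # 3, or 126/127 when the plugin cannot be run
    esac
}

# Run check_disk for one mount point. Prints "STATE: plugin output" and
# returns the plugin's own exit code.
check_mount() {
    cm_rc=0
    cm_out=$("$CHECK_DISK" -w "$WARN" -c "$CRIT" -p "$1" 2>&1) || cm_rc=$?
    printf '%s: %s\n' "$(state_name "$cm_rc")" "$cm_out"
    return "$cm_rc"
}

# Check a mount point and mail the report unless the state is OK.
alert_if_low() {
    ail_report=$(check_mount "$1") && return 0
    printf '%s\n' "$ail_report" |
        "$MAILER" -s "disk space on $(uname -n): $1" "$2"
}

# Cron entry for a 10-minute interval (script path is hypothetical):
#   */10 * * * * /usr/local/sbin/disk_alert.sh / admin@example.org
if [ "$#" -eq 2 ]; then
    alert_if_low "$1" "$2"
fi
```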




Re: [CentOS] CentOS 5 + Quagga + SELinux

2014-03-06 Thread Tris Hoar
On 05/03/2014 19:11, Les Mikesell wrote:
 On Wed, Mar 5, 2014 at 9:19 AM, Daniel J Walsh dwa...@redhat.com wrote:

 man zebra_selinux
 ...
 If  you want to allow zebra daemon to write it configuration files, 
 you
 must turn on the zebra_write_config boolean. Disabled by default.

 setsebool -P zebra_write_config 1

 Is there some global registration facility for selinux context names
 or are you the only one that knows them all?


You can see all the se booleans by running
getsebool -a

Tris




Re: [CentOS] OT: Howto to capture taskset output command

2014-02-26 Thread Tris Hoar
On 26/02/2014 13:45, C. L. Martinez wrote:
 On Wed, Feb 26, 2014 at 1:40 PM, sjt5atra sjt5a...@gmail.com wrote:




 On Feb 26, 2014, at 8:28 AM, C. L. Martinez carlopm...@gmail.com wrote:

 On Wed, Feb 26, 2014 at 12:40 PM, Steven Tardy sjt5a...@gmail.com wrote:
 On Wed, Feb 26, 2014 at 6:57 AM, C. L. Martinez carlopm...@gmail.com wrote:

 if [ $cpu_affinity == $cpu_affinity_ok ]; then

 are you comparing strings or integers?
 # man test
STRING1 = STRING2
   the strings are equal
INTEGER1 -eq INTEGER2
   INTEGER1 is equal to INTEGER2

 Thanks Steven, but it also doesn't work ..

 Using if [ $cpu_affinity -eq $cpu_affinity_ok ]; then
 ./cpu_affinitty: line 7: [: taskset -p -c 27756 | awk '{ print  }':
 integer expression expected

 Yes, since you are double quoting you are using strings. Try using a single 
 = sign instead of your original double equal sign.


 Ok, problem solved. With this compare function:

 if [[ $bro_cpu_affinity == *$cpu_affinity_ok* ]]; then

 works ok ...

 sjt5atra, using a single =, it doesn't work ...

The issues are to do with your variable expansion

[root@srvman ~]# cpu_affinity=taskset -p -c `cat /var/run/crond.pid` | 
awk '{print $6}'
[root@srvman ~]# echo $cpu_affinity
taskset -p -c 2532 | awk '{print }'

I think your script is still broken, as you are now just looking for any 
number matching $cpu_affinity_ok in $cpu_affinity. You should be able to 
do an integer comparison for your if statement.

Tris
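
The two points made in the reply above, as an added example that is not part of the original thread: the pipeline has to be run with command substitution rather than stored as text, and a `*value*` pattern match accepts any string that merely contains the expected value. The function names and the sample `taskset` output lines are constructed; the awk field is the one used in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Sample lines and names are constructed.

# Extract the affinity list from one line of `taskset -p -c PID` output, e.g.
#   pid 2532's current affinity list: 0-3
parse_affinity() {
    # Single quotes keep $6 for awk. Inside double quotes the shell expands
    # $6 itself (to nothing), which is why the echo in the thread shows
    # "awk '{print }'".
    printf '%s\n' "$1" | awk '{ print $6 }'
}

# Run the pipeline for a live PID. $( ... ) executes the command and captures
# its output; assigning the text only stores the command string.
current_affinity() {
    ca_line=$(taskset -p -c "$1" 2>/dev/null) || return 1
    parse_affinity "$ca_line"
}

# Loose test, same effect for plain values as the thread's
# [[ $a == *$b* ]]: true when the expected value appears anywhere.
affinity_matches_loose() {
    case $1 in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# True when the argument is a non-empty string of digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Strict test: integer comparison when both sides are single CPU numbers,
# exact string comparison otherwise (lists such as 0-3 or 0,2 are not
# integers, so -eq would fail with "integer expression expected").
affinity_matches_strict() {
    if is_uint "$1" && is_uint "$2"; then
        [ "$1" -eq "$2" ]
    else
        [ "$1" = "$2" ]
    fi
}
```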




Re: [CentOS] Selinux TFTP question [was: (no subject)]

2013-11-18 Thread Tris Hoar

On 16/11/2013 21:46, Andrew Holway wrote:
 [root@ipa tftpboot]# semanage fcontext -l | grep tftp
 /tftpboot  directory
 system_u:object_r:tftpdir_t:s0
 /tftpboot/.*   all files
 system_u:object_r:tftpdir_t:s0
 /usr/sbin/atftpd   regular file
 system_u:object_r:tftpd_exec_t:s0
 /usr/sbin/in\.tftpdregular file
 system_u:object_r:tftpd_exec_t:s0
 /var/lib/tftpboot(/.*)?all files
 system_u:object_r:tftpdir_rw_t:s0
 /var/lib/tftpboot/etc(/.*)?all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/grub(/.*)?   all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/images(/.*)? all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/memdisk  regular file
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/menu\.c32regular file
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/ppc(/.*)?all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/pxelinux\.0  regular file
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/pxelinux\.cfg(/.*)?  all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/s390x(/.*)?  all files
 system_u:object_r:cobbler_var_lib_t:s0
 /var/lib/tftpboot/yaboot   regular file
 system_u:object_r:cobbler_var_lib_t:s0

 Could someone tell me why:

 /var/lib/tftpboot(/.*)? - is using (/.*)?

This covers /var/lib/tftpboot and all files under it and gives them the 
label tftpdir_rw_t


 /tftpboot/.* - is using .*

This covers all files under /tftpboot/ giving them the label tftpdir_t. 
There is a separate entry for the directory:
/tftpboot  directory 
system_u:object_r:tftpdir_t:s0
As to why the difference I've no idea as looking at other root dirs with 
semanage fcontext -l I can see most of them use (/.*)? which makes sense.


 Thanks,

 Andrew


Regards,

Tris
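
To see which of the listed specifications cover a given path, here is an added example (not part of the original thread) that tests paths against a few of the regexes from the `semanage fcontext -l` output above. It relies on the fact that a file-context regex must match the whole path; the function names are illustrative, and the script only lists the matching entries without reproducing how SELinux chooses among several.

```sh
#!/bin/sh
# Added example, not from the thread. The specs are a subset copied from the
# semanage output above (regex, then type); the file-type column is dropped,
# so the directory-only /tftpboot entry is treated like any other.
FC_SPECS='/tftpboot tftpdir_t
/tftpboot/.* tftpdir_t
/var/lib/tftpboot(/.*)? tftpdir_rw_t
/var/lib/tftpboot/pxelinux\.0 cobbler_var_lib_t
/var/lib/tftpboot/images(/.*)? cobbler_var_lib_t'

# True when the regex ($1) matches the whole path ($2).
# grep -x anchors the match at both ends, as file-context matching does.
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print the type of every spec whose regex covers the path, one per line,
# in the order the specs are listed.
fc_types_for() {
    printf '%s\n' "$FC_SPECS" | while read -r fc_re fc_type; do
        if fc_matches "$fc_re" "$1"; then
            printf '%s\n' "$fc_type"
        fi
    done
}

# /var/lib/tftpboot(/.*)?  covers the directory itself and everything below:
#   the group (/.*) is optional, so the bare directory path also matches.
# /tftpboot/.*             needs the slash, so it covers only what is below;
#   the directory itself needs the separate /tftpboot entry.
```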



Re: [CentOS] IBM Storwize V3700 storage - device names

2013-11-08 Thread Tris Hoar

On 07/11/2013 21:14, Todor Petkov wrote:
 Hello,

 I have IBM Storwize V3700 storage, connected to 2 IBM x3550 M4 servers
 via fiber channel. The servers are with QLogic ISP2532-based 8Gb Fibre
 Channel to
 PCI Express HBA cards and run Centos 5.10

 When I export a volume to the servers, each of them sees the volume
 twice, i.e  /dev/sdb and /dev/sdc, with the same size.

 Previously I have installed many systems with IBM DS3500 series of
 storage and the servers see one disk per export. I am using the MPP
 drives from this package:
 http://support.netapp.com/NOW/public/apbu/oemcp/apbu_lic.cgi/public/apbu/oemcp/09.03.0C05.0652/rdac-LINUX-09.03.0C05.0652-source.tar.gz

 I came upon the IBM site, saying to configure multipath (I never did it
 for DS3500 series). When I did, a new device came, /dev/dm-7, but my
 goal is to have one /dev/sdX type of device and no device mapper. I read
 that Storwize support DMP RDAC, and DS support MPP RDAC, but does anyone
 else have experience with such setup and can give an advice/hint?

 Thanks in advance.


It's been a while since I set this up, and this is on XIV, not V3700
(which we also have but it only has VMware connected to it) but this is
a RHEL 5.10 box, so is reasonably compatible.

This is, IMO, normal behaviour for a multipath device. For example on 
one of our boxes if I run:
[root@server ~]# multipath -ll
mpath0 (20017380011ea0c74) dm-2 IBM,2810XIV
[size=224G][features=1 queue_if_no_path][hwhandler=0][rw]
\_ round-robin 0 [prio=1][active]
  \_ 3:0:0:1 sdb 8:16  [active][ready]
  \_ 3:0:1:1 sdc 8:32  [active][ready]
  \_ 3:0:2:1 sdd 8:48  [active][ready]
  \_ 3:0:3:1 sde 8:64  [active][ready]
  \_ 3:0:4:1 sdf 8:80  [active][ready]
  \_ 3:0:5:1 sdg 8:96  [active][ready]
  \_ 4:0:0:1 sdh 8:112 [active][ready]
  \_ 4:0:1:1 sdi 8:128 [active][ready]
  \_ 4:0:2:1 sdj 8:144 [active][ready]
  \_ 4:0:3:1 sdk 8:160 [active][ready]
  \_ 4:0:4:1 sdl 8:176 [active][ready]
  \_ 4:0:5:1 sdm 8:192 [active][ready]

You can see there are 12 sdx devices, but that all maps to just 1 LUN.
With multipathd installed and running this all maps to a single volume 
under /dev/mpath/mpath0 which I then use LVM to manage:

   --- Physical volume ---
   PV Name   /dev/mpath/mpath0
   VG Name   vg_data
   PV Size   224.00 GB / not usable 4.00 MB
   Allocatable   yes (but full)
   PE Size (KByte)   4096
   Total PE  57343
   Free PE   0
   Allocated PE  57343
   PV UUID   GY4ekC-KuXE-LyW6-kiHB-F9g6-ivB2-BD01Ih

This all works fine and allows us to lose paths to the SAN without
disruption to the servers. There is no reason to be using /dev/sdx
devices to control your underlying hardware, and it is in fact considered
bad practice as there is no assurance that when the server next boots it
will detect the hardware in the same order. You should really be using
UUIDs or device labels to address your storage as that is immutable
between boots.

Tris



Re: [CentOS] - problem gcc with yum

2013-10-10 Thread Tris Hoar

On 10/10/2013 12:26, Earl Ramirez wrote:
 On Thu, 2013-10-10 at 13:23 +0200, Paolo De Michele wrote:
 hi all,

 today, I have this problem:


 # yum install gcc
 Loaded plugins: fastestmirror, security
 Loading mirror speeds from cached hostfile
   * base: ftp.hosteurope.de
   * epel: mirror.de.leaseweb.net
   * extras: ftp.hosteurope.de
   * updates: ftp.hosteurope.de
 Setting up Install Process
 Resolving Dependencies
 -- Running transaction check
 --- Package gcc.x86_64 0:4.4.7-3.el6 will be installed
 -- Processing Dependency: libgomp = 4.4.7-3.el6 for package:
 gcc-4.4.7-3.el6.x86_64
 -- Processing Dependency: cpp = 4.4.7-3.el6 for package:
 gcc-4.4.7-3.el6.x86_64
 -- Processing Dependency: glibc-devel = 2.2.90-12 for package:
 gcc-4.4.7-3.el6.x86_64
 -- Processing Dependency: cloog-ppl = 0.15 for package:
 gcc-4.4.7-3.el6.x86_64
 -- Processing Dependency: libgomp.so.1()(64bit) for package:
 gcc-4.4.7-3.el6.x86_64
 -- Running transaction check
 --- Package cloog-ppl.x86_64 0:0.15.7-1.2.el6 will be installed
 -- Processing Dependency: libppl_c.so.2()(64bit) for package:
 cloog-ppl-0.15.7-1.2.el6.x86_64
 -- Processing Dependency: libppl.so.7()(64bit) for package:
 cloog-ppl-0.15.7-1.2.el6.x86_64
 --- Package cpp.x86_64 0:4.4.7-3.el6 will be installed
 -- Processing Dependency: libmpfr.so.1()(64bit) for package:
 cpp-4.4.7-3.el6.x86_64
 --- Package glibc-devel.x86_64 0:2.12-1.107.el6_4.4 will be installed
 -- Processing Dependency: glibc-headers = 2.12-1.107.el6_4.4 for package:
 glibc-devel-2.12-1.107.el6_4.4.x86_64
 -- Processing Dependency: glibc-headers for package:
 glibc-devel-2.12-1.107.el6_4.4.x86_64
 --- Package libgomp.x86_64 0:4.4.7-3.el6 will be installed
 -- Running transaction check
 --- Package glibc-headers.x86_64 0:2.12-1.107.el6_4.4 will be installed
 -- Processing Dependency: kernel-headers = 2.2.1 for package:
 glibc-headers-2.12-1.107.el6_4.4.x86_64
 -- Processing Dependency: kernel-headers for package:
 glibc-headers-2.12-1.107.el6_4.4.x86_64
 --- Package mpfr.x86_64 0:2.4.1-6.el6 will be installed
 --- Package ppl.x86_64 0:0.10.2-11.el6 will be installed
 -- Finished Dependency Resolution
 Error: Package: glibc-headers-2.12-1.107.el6_4.4.x86_64 (updates)
 Requires: kernel-headers = 2.2.1
 Error: Package: glibc-headers-2.12-1.107.el6_4.4.x86_64 (updates)
 Requires: kernel-headers
   You could try using --skip-broken to work around the problem
   You could try running: rpm -Va --nofiles --nodigest


 Do you have the kernel-headers installed? If not
 yum install kernel-headers

 This should resolve the issue because it's required but missing.


 how can I fix?
 thanks in advance

As yum does the depsolving it should install the kernel-headers for you.
It's more likely that there is something in your yum conf that is
excluding updates to kernel-headers. I'd check your config files.

Tris




Re: [CentOS] Wacom hotplug Xorg crash

2012-12-10 Thread Tris Hoar

On 07/12/2012 23:09, James Pearson wrote:
 We're seeing a number of Xorg crashes with CentOS 6.2 when using a Wacom 
 tablet shared between two machines (the other machine is running Windows) via 
 a KVM

 Xorg crashes after switching the KVM back to the CentOS box

 I've tried googling for this issue - and have found:

   https://access.redhat.com/knowledge/solutions/148183

 Which has a similar backtrace (although not identical) to ones we are seeing
 (see below) - but no further info is given on that webpage - but appears to
 indicate that more info might (?) be available if I have a Red Hat
 Subscription login - which I don't ...

 Would it be possible for someone that does have access to let me know if 
 there is any more Red Hat Knowledge Base information about this issue?

 A sample backtrace we have seen is:

 Backtrace:
 0: /usr/bin/Xorg (xorg_backtrace+0x28) [0x4546f8]
 1: /usr/bin/Xorg (0x40+0x58429) [0x458429]
 2: /lib64/libpthread.so.0 (0x3db6a0+0xf4a0) [0x3db6a0f4a0]
 3: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0x48e6) 
 [0x7fc69c2ca8e6]
 4: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0x4ac9) 
 [0x7fc69c2caac9]
 5: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0x4b2d) 
 [0x7fc69c2cab2d]
 6: /usr/bin/Xorg (0x40+0x5f077) [0x45f077]
 7: /usr/bin/Xorg (0x40+0x1158b3) [0x5158b3]
 8: /lib64/libpthread.so.0 (0x3db6a0+0xf4a0) [0x3db6a0f4a0]
 9: /lib64/libpthread.so.0 (open64+0x10) [0x3db6a0ed10]
 10: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0x84ec) 
 [0x7fc69c2ce4ec]
 11: /usr/bin/Xorg (0x40+0x61f41) [0x461f41]
 12: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0xd746) 
 [0x7fc69c2d3746]
 13: /usr/lib64/xorg/modules/input/wacom_drv.so (0x7fc69c2c6000+0x885b) 
 [0x7fc69c2ce85b]
 14: /usr/bin/Xorg (0x40+0x61f41) [0x461f41]
 15: /usr/bin/Xorg (0x40+0x142099) [0x542099]
 16: /usr/lib64/libhal.so.1 (0x3dc2c0+0xbc08) [0x3dc2c0bc08]
 17: /lib64/libdbus-1.so.3 (dbus_connection_dispatch+0x336) [0x3db82109d6]
 18: /lib64/libdbus-1.so.3 (0x3db820+0x10ca9) [0x3db8210ca9]
 19: /usr/bin/Xorg (0x40+0x13f84b) [0x53f84b]
 20: /usr/bin/Xorg (WakeupHandler+0x4b) [0x42421b]
 21: /usr/bin/Xorg (WaitForSomething+0x1ef) [0x452d5f]
 22: /usr/bin/Xorg (0x40+0x2ccf2) [0x42ccf2]
 23: /usr/bin/Xorg (0x40+0x21ebb) [0x421ebb]
 24: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x3db621ecdd]
 25: /usr/bin/Xorg (0x40+0x21a49) [0x421a49]
 Segmentation fault at address (nil)

 Thanks

 James Pearson




Hi James,

Red Hat suggest updating the wdaemon package to version 0.17-2.el6. They
also reference this errata http://rhn.redhat.com/errata/RHEA-2011-1625.html

Tris



Re: [CentOS] DNS lookup delay with centos postfix

2012-07-26 Thread Tris Hoar

On 26/07/2012 02:40, David McGuffey wrote:
 On Jul 25, 2012, at 21:27, Joseph L. Casale jcas...@activenetwerx.com 
 wrote:

 DNS lookups default to using 53/udp, and only use 53/tcp for zone
 transfers.  could it be 53/udp is being lost/blocked between this host
 and your ns1 ?

 Unfortunately that is a common misconception.

 Tcp is used far more often than only as stated such as for size of request
 exceeding udp response size etc...

 Bottom line is both ports are needed, not just for zone xfers.

 Except that the malware guys have figured out how to abuse port 53. Security 
 recommendation is to block TCP unless you're running a DNS server. And also 
 block oversize port 53 UDP packets.

Blocking oversize UDP packets is a very bad idea. EDNS is used for a lot
of lookups these days due to DNSSEC, and so blocking oversize UDP
packets will force you to use TCP to get many of your DNS requests.



 Dave M

Tris



Re: [CentOS] php4 under Centos6

2012-06-13 Thread Tris Hoar

On 12/06/2012 21:45, Michael Kress wrote:
 Am 12.06.2012 22:39, schrieb Reindl Harald:
 Am 12.06.2012 22:19, schrieb Michael Kress:
 Hello, is there any way of getting php4 installed on Centos6? I'd like
 to install it in an apache/fastcgi environment.
 Has anybody got a link to a description/howto describing a clean install?
 I failed compiling the original php4 tar ball and failed relocating the
 php binary.
 PHP4 IS DEAD SINCE A LONG TIME

 DO NOT USE PHP4 - THROW AWAY CRAP WHICH DOES NOT
 WORK WITH PHP5 BECAUSE IT IS UNMAINTAINED AND
 UNSECURE



 oh yes, forgot the disclaimer with the above text.
 Regards
 Michael


I'm assuming that this would only be for a very specific issue that you 
have, and not externally facing. If so and I had to use something this 
old, I'd just use CentOS 3
http://vault.centos.org/3.9/

That came with php-4.3.2. The dep list that you would need to resolve to
make the RPM work correctly on CentOS 6 is quite long.

Regards,

Tris



Re: [CentOS] Best way to duplicate a live Centos 5 server?

2012-06-13 Thread Tris Hoar

On 08/06/2012 17:33, Emmanuel Noobadmin wrote:
 I've got a CentOS 5 server that I want to migrate over into a
 virtualized instance.
 The problem is I need to minimize downtime so was trying to figure out
 a way to live clone the original.

 Initially, I thought I could do this via exporting an iSCSI target
 from the virtual host, create a MD raid 1 array on the C5 server, wait
 for it to sync, then shutdown the physical server and switch to the
 virtual one.

 But after getting iSCSI working... I realize I could not create a md
 device on a mounted disk. Unfortunately this old C5 wasn't setup with
 md raid 1 originally so I can't just add a the iSCSI target as an
 additional member for a triplicate.

 So I remembered DRBD was supposed to be used for replication.

 But after getting things set up, running the drbd-admin create-md
 command gave me this scary warning it will destroy data on the disk.
 Apparently because drbd writes meta data to the drive. So that appears
 to be a no go too.

 Am I missing something glaringly obvious here, or is the only way I'm
 going be able to migrate is to shutdown the C5 server for a few hours
 while duping the old drives? Would greatly appreciate any pointers how
 best to do this.


You don't say what virtualisation platform you are using, but if it's
VMware, then you can use VMware Converter to do the migration. This can,
if you want, clone the physical computer into VMware, shut down the
physical computer and bring up the new virtual instance. All whilst the
physical remained up. I've used it for a few Linux boxes, where I've
wanted a quick dev version of an existing server and it's been fine.

I guess, you could try pulling it into an ESXi host, and then exporting 
that in a format whatever virtualisation program it is you use supports...

Regards,

Tris



Re: [CentOS] Block outgoing connections for certaing uids (root, apache, nobody)

2012-04-04 Thread Tris Hoar

On 04/04/2012 10:21, Tony Mountifield wrote:
 In article caadeywhp3mjspc-mo7aewzsxsq9phibpho2iu3bo8i0ttji...@mail.gmail.com,
 Alexander Farber alexander.far...@gmail.com wrote:
 Good morning

 With iptables in CentOS 5 and 6 Linux - how can you please
 prevent processes running as root, apache or nobody
 from initiating outgoing connections?

 On CentOS 5 Linux I've tried putting these lines into 
 /etc/sysconfig/iptables:

 -A OUTPUT -m owner --uid-owner root -j DROP
 -A OUTPUT -m owner --uid-owner apache -j DROP
 -A OUTPUT -m owner --uid-owner nobody -j DROP

 but unfortunately get the error:

 # sudo service iptables restart
 iptables: Flushing firewall rules: [  OK  ]
 iptables: Setting chains to policy ACCEPT: filter  [  OK  ]
 iptables: Unloading modules:   [  OK  ]
 iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
 value for --uid-owner option: apache
 Error occurred at line: 27
 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
 [FAILED]

 Perhaps it doesn't do a username lookup and only understands numeric userids?
 Try:

 -A OUTPUT -m owner --uid-owner 0 -j DROP
 -A OUTPUT -m owner --uid-owner 48 -j DROP
 -A OUTPUT -m owner --uid-owner 99 -j DROP

 (I think those values are standard on CentOS)

 Bear in mind that preventing root connections would stop you doing any
 kind of updating using yum, unless you have a previous rule allowing http.

 Cheers
 Tony

This would also stop the server being able to use DNS, and would likely 
break other things. I'd be wary of stopping root talking out of the network.

Tris
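
One way to act on both remarks above, as an added example that is not part of the original thread: resolve each account name to a numeric uid before writing the rules, so a name that does not exist on the host is reported instead of reaching `iptables-restore`, and place DNS exceptions ahead of each DROP. The function names and the choice to exempt only port 53 are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. It prints rule lines in the
# /etc/sysconfig/iptables format used above; it does not load them.

# Print the numeric uid for an account name; fail if the account is unknown.
resolve_uid() {
    id -u "$1" 2>/dev/null
}

# Print the egress rules for one uid. Rules are evaluated in order, so the
# DNS exceptions (UDP and TCP port 53) must come before the DROP.
owner_rules_for_uid() {
    printf '%s\n' \
        "-A OUTPUT -m owner --uid-owner $1 -p udp --dport 53 -j ACCEPT" \
        "-A OUTPUT -m owner --uid-owner $1 -p tcp --dport 53 -j ACCEPT" \
        "-A OUTPUT -m owner --uid-owner $1 -j DROP"
}

# Print rules for every account named on the command line. Unknown accounts
# are reported on stderr, get no rule, and make the function return 1 after
# the remaining accounts have been processed.
emit_owner_rules() {
    eor_status=0
    for eor_name in "$@"; do
        if eor_uid=$(resolve_uid "$eor_name"); then
            printf '# %s (uid %s)\n' "$eor_name" "$eor_uid"
            owner_rules_for_uid "$eor_uid"
        else
            printf 'unknown account, no rule written: %s\n' "$eor_name" >&2
            eor_status=1
        fi
    done
    return "$eor_status"
}

# Typical use: review the output, then merge it into the OUTPUT section of
# the rules file by hand.
#   emit_owner_rules root apache nobody
```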



Re: [CentOS] firefox and IronPort

2012-02-22 Thread Tris Hoar


On 21/02/2012 15:58, m.r...@5-cent.us wrote:
 A couple of weeks ago, I got an autogenerated email from the mail folks
 here, telling me they'd quarantined what they thought was spam. The last
 time I got one of these was a month or month and a half ago, and I had no
 problem.

 This time, however, I get a 500 error. When I pulled up firefox's error
 console, and clicked on the link, I got
 servername elided: server does not support RFC 5746, see CVE-2009-3555

 I'm told they're running Cisco's IronPort. It appears the patch came out a
 year and a half or so ago. However, I also found a post where someone,
 apparently running on Windows, couldn't get to a site they needed to,
 either with IE 9 or FF10.somethingorother, until they downgraded.

 The support folks report they can get there, from Windows boxes.

 I've tried Mozilla's workarounds, in about:config, but no joy. My ff is up
 to date, including both patches from last week, and as those were
 critical, I'm very loathe to downgrade.

 a) Is anyone else seeing this?
 b) Any thoughts on whether it's an IronPort issue, or whether it might be
 a bug (new or reintroduced) browser problem?

 From my experiences with IronPort (admittedly from 3 years ago) I'd say 
blame that. The software is horribly buggy at best.

Tris


   mark


 *
 This message has been checked for viruses by the
 Birmingham Grid for Learning.  For guidance on good
 e-mail practice, e-mail viruses and hoaxes please visit:
 http://www.bgfl.org/emailaup
 *






Re: [CentOS] bind slave sync takes long

2011-11-22 Thread Tris Hoar

On 22/11/2011 12:58, Götz Reinicke wrote:
 Hi,

 I do have two DNS servers running bind 9.7.3. One master, one slave.

 If I add/update a record on the master, it takes up to more or less 20
 hours until that change is transferred to the slave.

 That is a long time for me :-) May be I got some settings wrong which
 would sync much faster ... ?

 What could be wrong? What might I check?

 Thanks for any suggestion and hint!

   Regards . Götz

It sounds like the slave is not getting notifies when the master is
updated. I'd check the NS records first to make sure both master and
slave are listed. Is this server providing external DNS behind a NAT?
It could be that you are trying to do zone transfers over the external
IP to 2 servers on the same external firewall. In this case, you can add
the also-notify { internal ip of slave}; stanza to the named.conf to
force it to notify the slave on updates.

Tris






Re: [CentOS] selinux policy remnant according to /bin/ls on CentOS 6.0 box

2011-09-21 Thread Tris Hoar
Jon,

It's worth noting in C6 that you really should avoid using RPM to
add/remove stuff and stick with yum. Yum now supports rolling back and
forward package changes, but this is broken if you do things with RPM.

Tris


On 20/09/2011 18:48, Jon Detert wrote:
 I installed CentOS 6.0 on 2 different x86_64 boxen.  Both originally had 
 selinux installed and enabled.  I never touched selinux other than to remove 
 as much of it as I could via rpm -e.  As far as I can tell, here are the 
 remaining packages that have something to do with it:

 # rpm -qa | grep -iE 'sel|pol'
 checkpolicy-2.0.22-1.el6.x86_64
 libselinux-2.0.94-2.el6.x86_64
 libsepol-2.0.41-3.el6.x86_64
 polkit-0.96-2.el6_0.1.x86_64
 #

 Both boxen have those packages.

 However:

 1) box1 still has files in /selinux whereas box2's /selinux is empty;
 2) ls -l on box1 shows a '.' at the end of file/directory, which means a 
 SELinux security context applies, according to 
 https://fedoraproject.org/wiki/Fedora_11_FAQ#Why_does_ls_show_a_dot_.28..29_or_a_plus_.28.2B.29_at_the_end_on_the_file_modes_for_some_files.3F

 Any idea why box1 still seems to have an selinux policy applied, and how to 
 un-apply it?

 Thanks,

 Jon






[CentOS] RHEL 5.6 is out

2011-01-13 Thread Tris Hoar
Hi List,

In case any of you are wondering when RHEL5.6 will be out, our satellite
server has just pulled down a copy (with bind97 and php53 :) so I'd
expect an official announcement fairly soon.

Tris



Re: [CentOS] centos 5.5 -software updater-break in download

2010-11-25 Thread Tris Hoar
On 25/11/2010 16:44, Johan Scheepers wrote:
 Good day,

 New to centos,
 New install .
 Using - Software updater
 While updating - downloading 73 updates there was a break in the download.
 The break happened close to the end.
 Now when using software updater again will it start all over again?
 Go on where the break happened?
 Could not find on google this issue
 Kindly some advice please.
 Thanks,   Regards
 Johan




Hi Johan,

Yum should just re-download the required packages.
As Yum downloads data it stores it in /var/cache/yum/**repo** (where 
repo is a subfolder for each repository)
If you wish to remove this cache you can run something like
yum clean all.

Regards,

Tris
