Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-04 Thread Eric Lehmann
Hi

Some more points:
Does the user nagios have rights to nrpe binary and config file?
Check nrpe.cfg for nrpe_user=nagios and nrpe_group=nagios.

To activate logging:
By default, nrpe logs to syslog, BUT you have to add daemon.debug to
/etc/rsyslog.conf:

    *.info;mail.none;authpriv.none;cron.none;daemon.debug    /var/log/messages

And set debug=1 in nrpe.cfg, then:

    service rsyslog restart
    service nrpe restart

Regards,
Eric



2015-05-03 6:37 GMT+02:00 Jonathan Billings :

> On Sat, May 02, 2015 at 06:26:47PM -0400, Tim Dunphy wrote:
> > >
> > > Not just /var/log/messages.  Doesn't nrpe have a log file?  Maybe even
> > > secure.
> >
> >
> > Hmmm I don't find any log specific to nrpe. In other words I don't see
> > /var/log/nrpe.log or whatever. :)
> >
> > And when I tail -f /var/log/secure or /var/log/messages I don't see any
> > entries turning up in them when I hit the client with check_nrpe. I was
> > checking the logs on the client itself.
>
> Are xinetd log entries written when you connect from localhost?
> --
> Jonathan Billings 
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


[CentOS] CentOS 7, NFS 4, and a non ext4 fs (like zfs)

2015-05-04 Thread tballin

Hello,

we want to migrate to CentOS 7(.1) , Server, Client etc ...

Right now we need to suspend that because we have some serious issues 
with NFS4 shared ZFS ( kernel module - zfs on linux project ) Volumes 
and CentOS 7 clients.


Our current servers are CentOS6.5, if we share a zfs volume and do the 
following on this share: client A reads/access file "z.txt". Now client 
B replaces (copy, move, unlink+link ) files "z.txt" with a new different 
version and now client A reads/access the file "z.txt" ( and only the 
file - do not do anything which does a "stat" on the file e.g. "cat 
z.txt") the old version/content is read. As long as you do something 
that issues a "stat" for the file/dir.


This is really a problem because as soon as you are not browsing through the 
dirs e.g. updating some scripts or anything automated the changes are 
not recognized by the client.


This does not happen with an ext4 share. This also happens with a 
centos7.0 NFS Server and ZFS/XFS. We permuted pretty much every nfs 
mount/share option - it always happens. Nothing helps. This does not 
happen with a Centos7.1 server and a centos7.1 client and xfs (NFS4.1). 
Of course it works with our current client server Version: Ubuntu 12.04 
/ CentOS 6.5.


It really does not seem to be a zfs issue - it does look more like an nfs 
problem with certain filesystems. I asked this already on the zfs 
mailing list.


So is there something I can do?
Is the problem known?
Is there a workaround , patch or fix?

I am still unsure if I missed something completely because the problem 
is just so serious...


With kind regards

Timo Ballin






Re: [CentOS] CentOS 7, NFS 4, and a non ext4 fs (like zfs)

2015-05-04 Thread John R Pierce

On 5/4/2015 1:09 AM, tballin wrote:

> Hello,
>
> we want to migrate to CentOS 7(.1) , Server, Client etc ...
>
> Right now we need to suspend that because we have some serious issues
> with NFS4 shared ZFS ( kernel module - zfs on linux project ) Volumes
> and CentOS 7 clients.
>
> Our current server are CentOS6.5, if we share a zfs volume and do the
> following on this share: client A reads/access file "z.txt". Now
> client B replaces (copy, move, unlink+link ) files "z.txt" with a new
> different version and now client A reads/access the file "z.txt" ( and
> only the file - do not do anything which does a "stat" on the file
> e.g. "cat z.txt") the old version/content is read. As long as you do
> something that issues a "stat" for the file/dir.

I've used ZFS file systems on a NFS Server extensively on Solaris, and a 
fair bit with FreeBSD 9.x, 10.1, and it's never had any such issues.   
AFAIK, ZFS on Linux is still considered experimental.



--
john r pierce, recycling bits in santa cruz

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 7, NFS 4, and a non ext4 fs (like zfs)

2015-05-04 Thread tballin

Hi

Perhaps. But they (ZoL) say it's production ready. It worked since 
CentOS 6.1 to 6.6 and still working. Problem occurs if we change the 
NFS version. Not the ZFS. And the problem also exists with XFS on CentOS 
7. Also it works with all old Ubuntu Clients here. The main problem 
seems to be the client which seems to use NFS features which are not 
(yet) working! Also with XFS you need to use NFS 4.1 or you will have 
the old links/nodes problem too.


As you say the Solaris/BSD NFS Server Version seems to work. That's what 
the ZFS mailing list said. If it works under FreeBSD it's the NFS Server...


I could try some other file systems... But I would also like to know 
what the issue is. I am still wondering what the problem is. because on 
the server everything looks fine.


Timo


On 05/04/2015 10:22 AM, John R Pierce wrote:

> On 5/4/2015 1:09 AM, tballin wrote:
>
> > Hello,
> >
> > we want to migrate to CentOS 7(.1) , Server, Client etc ...
> >
> > Right now we need to suspend that because we have some serious issues
> > with NFS4 shared ZFS ( kernel module - zfs on linux project ) Volumes
> > and CentOS 7 clients.
> >
> > Our current server are CentOS6.5, if we share a zfs volume and do the
> > following on this share: client A reads/access file "z.txt". Now
> > client B replaces (copy, move, unlink+link ) files "z.txt" with a new
> > different version and now client A reads/access the file "z.txt" (
> > and only the file - do not do anything which does a "stat" on the
> > file e.g. "cat z.txt") the old version/content is read. As long as
> > you do something that issues a "stat" for the file/dir.
>
> I've used ZFS file systems on a NFS Server extensively on Solaris, and
> a fair bit with FreeBSD 9.x, 10.1, and its never had any such
> issues.   AFAIK, ZFS on Linux is still considered experimental.










Re: [CentOS] VPN connection before login

2015-05-04 Thread Johnny Hughes
On 05/01/2015 02:25 PM, Gordon Messmer wrote:
> On 05/01/2015 08:58 AM, Tim wrote:
>> I have an openvpn server running.
> 
> Probably the easiest thing to do with OpenVPN would be to use RSA
> authentication and configure openvpn to run on boot at the client.

I do this on several machines via scripts and rc.local for openvpn ..
you can do it many different ways.






Re: [CentOS] Kvm + libvirt + virt-manager

2015-05-04 Thread Johnny Hughes
On 05/01/2015 12:30 PM, Alessandro Baggi wrote:
> Hi list,
> I have updated C7 to 7.1 and get some issue (I don't know if problems
> depend from upgrade).
> My first problem is on virt-manager that crash after some time. From system
> messages I get that virt-manager is crashed with signal sigsegv and this
> problem is related to python (python get sigsegv). Anyone get similar
> behaviour after upgrade?

This issue seems to be reported by ABRT in 2 bug reports (#8472 and
#8592 .. links from the below abrt report)

This ABRT bug is tracked here:

https://retrace.fedoraproject.org/faf/problems/796335/

Red Hat Engineers know that CentOS now dumps abrt information to this
location and they do now use that to help them prioritize bugs with high
bug counts that also apply to RHEL.  Obviously, CentOS does not have any
SLA or priority, but chances are much better now that there are
integrated ABRT reports that things like this might be fixed.








Re: [CentOS] can't disable tcp6 on centos 7

2015-05-04 Thread Mike Burger

On 2015-05-03 6:55 pm, Tim Dunphy wrote:

> > It's listening on both IPv6 and IPv4.  Specifically, why is that a
> > problem?
>
> The central problem seems to be that the monitoring host can't hit nrpe on
> port 5666 UDP.
>
> [root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
> CHECK_NRPE: Socket timeout after 10 seconds.
>
> It is listening on the puppet host on port 5666
>
> [root@puppet:~] #lsof -i :5666
> COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:nrpe (LISTEN)
>
> And the firewall is allowing that port:
>
> [root@puppet:~] #firewall-cmd --list-ports
> 5666/udp
>
> But if I check the port using nmap
>
> [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
> Nmap scan report for puppet.jokefire.com (216.120.250.140)
> Host is up (0.012s latency).
> PORT     STATE    SERVICE
> 5666/tcp filtered nrpe
>
> That port is closed despite the port being allowed on the firewall.
>
> So I thought that the problem was that xinetd was listening to port 5666
> only on tcp v6. And when the monitoring host hits the puppet host using tcp
> v4 it can't because only tcp v6 is active on that port.
>
> You mention that it's listening on both tcp v4 and v6. But I only see v6 in
> that output. How are you determining that
>
> It's a problem because the port does not appear to be open from the
> monitoring host:
>
> [root@monitor1:~] #nmap -p 5666 puppet.mydomain.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
> Nmap scan report for puppet.jokefire.com (216.120.250.140)
> Host is up (0.011s latency).
> PORT     STATE    SERVICE
> 5666/tcp filtered nrpe


I see that there's been quite a bit of discussion on this issue, 
already, but I don't believe I've seen anyone note/mention this:


The above does not indicate that the port is closed...the above 
indicates that the port is open but is being filtered by your firewall 
rules.


You might want to also check your firewall rules to ensure that port 
5666 is allowing connections from the client system(s) in question.


--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever 
just stops by to say 'hi' anymore." --Colonel Jack O'Neill, SG1
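The outputs quoted in this message show firewalld allowing 5666/udp while xinetd holds a TCP listener on the nrpe port. As an added example (not part of the original message), this cross-checks listening sockets against the firewalld port list; the sample text is constructed, lsof is assumed to be run with -nP for numeric ports, and ports admitted through firewalld services rather than `--list-ports` are not considered.

```python
import re

# Constructed samples in the format of the outputs quoted above. lsof is
# assumed to be run with -nP so the NAME column shows numeric ports.
LSOF_OUT = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1021 root    3u  IPv4  18211      0t0  TCP *:22 (LISTEN)
xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:5666 (LISTEN)
"""
FIREWALL_PORTS = "22/tcp 5666/udp"  # format of `firewall-cmd --list-ports`


def parse_listeners(lsof_text):
    """Return {(port, proto): command} for listening sockets in lsof output."""
    listeners = {}
    for line in lsof_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        proto, name = fields[7].lower(), fields[8]
        if proto == "tcp" and fields[-1] != "(LISTEN)":
            continue  # skip established TCP connections
        match = re.search(r":(\d+)$", name)
        if match and proto in ("tcp", "udp"):
            listeners[(int(match.group(1)), proto)] = fields[0]
    return listeners


def parse_allowed(ports_text):
    """Parse firewalld port specs such as '5666/udp' or '6000-6010/tcp'."""
    allowed = []
    for spec in ports_text.split():
        rng, _, proto = spec.partition("/")
        low, _, high = rng.partition("-")
        allowed.append((int(low), int(high or low), proto.lower()))
    return allowed


def audit(lsof_text, ports_text):
    """Report listeners with no matching rule, flagging wrong-protocol rules."""
    allowed = parse_allowed(ports_text)
    findings = []
    for (port, proto), cmd in sorted(parse_listeners(lsof_text).items()):
        if any(lo <= port <= hi and p == proto for lo, hi, p in allowed):
            continue
        other = [p for lo, hi, p in allowed if lo <= port <= hi]
        hint = f"port is opened as {other[0]} only" if other else "no rule"
        findings.append(f"{cmd} {port}/{proto}: {hint}")
    return findings


if __name__ == "__main__":
    for finding in audit(LSOF_OUT, FIREWALL_PORTS):
        print(finding)
```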




[CentOS] syncookies.c

2015-05-04 Thread Ibrahim Celikbilek
By default, syncookies are activated when the SYN list (backlog queue) is full. I
want a hybrid system.
I propose a system where syncookies are activated dynamically per connection.
Where will I write the code, and where does the syncookies system get called in
the code file?


Re: [CentOS] CentOS 7, NFS 4, and a non ext4 fs (like zfs)

2015-05-04 Thread Jonathan Billings
On Mon, May 04, 2015 at 10:09:04AM +0200, tballin wrote:
> It really does not seem to be a zfs issue - it does look more like a nfs
> problem with certain filessystems. I asked this already on the zfs mailing
> list.
> 
> So is there something I can do?
> Is the problem known?
> Is there a workaround , patch or fix?

There's probably a bug somewhere between the Linux Kernel NFS service
and the ZFS code.  I suspect that it'll be up to the ZFS on Linux
folks to debug it, since the Linux Kernel developers will probably be
more concerned with making supported filesystems work with NFS.

I know I used to have problems back in the RHEL4 days with exporting
XFS filesystems via NFS on Linux, and we had to migrate back to ext3.
XFS support is much better now, but it's also something that both
upstream (RHEL) and the kernel developers maintain.

-- 
Jonathan Billings 


Re: [CentOS] can't disable tcp6 on centos 7

2015-05-04 Thread Jonathan Billings
On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:
> Rather than a yum install. If I install the nrpe package from yum I don't
> find a check_nrpe script on the system for some reason!

That's because the 'check_nrpe' command isn't in the nrpe package.
It's in the nagios-plugins-nrpe package.  The executable is installed,
along side all other nagios check commands, as
/usr/lib64/nagios/plugins/check_nrpe. 

-- 
Jonathan Billings 


Re: [CentOS] can't disable tcp6 on centos 7

2015-05-04 Thread Tim Dunphy
>
> On Sun, May 03, 2015 at 08:25:45PM -0400, Tim Dunphy wrote:
>
> > Rather than a yum install. If I install the nrpe package from yum I don't
> > find a check_nrpe script on the system for some reason!
> That's because the 'check_nrpe' command isn't in the nrpe package.
> It's in the nagios-plugins-nrpe package.  The executable is installed,
> along side all other nagios check commands, as
> /usr/lib64/nagios/plugins/check_nrpe.
>
>

Got it!! Thanks Jonathan!! I'll make sure I take a note of that. I'd
rather use packages on a regular basis rather than source code installs.

Thanks,
Tim




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: [CentOS] VPN connection before login

2015-05-04 Thread Leon Fauster
On 01.05.2015 at 17:58, Tim wrote:
> I imagine something like Cisco AnyConnect on Windows, where you can connect 
> before
> login to the machine. So afterwards user specific network shares are 
> available and
> can be connect via scripts.
> 
> I have an openvpn server running.


First I would confirm the implementation in use ...
IPsec-VPN (e.g. OpenSWAN) vs. SSL-VPN (e.g. OpenVPN). 

Two totally different technologies.

--
LF




Re: [CentOS] can't disable tcp6 on centos 7

2015-05-04 Thread Gordon Messmer

On 05/03/2015 03:55 PM, Tim Dunphy wrote:

> You mention that it's listening on both tcp v4 and v6. But I only see v6 in
> that output. How are you determining that


On Linux, IPv4 is mapped inside the IPv6 space.  An application that 
listens on an address-less v6 port is listening on both IPv4 and IPv6.  
For example, look at TCP port 22 for SSH.



Re: [CentOS] Could not complete SSL handshake to Amazon EC2 host

2015-05-04 Thread Arun Khan
On Fri, May 1, 2015 at 10:16 AM, Tim Dunphy  wrote:

>  I am trying to monitor a host in the Amazon EC2 cloud.
>
> Yet when I try to check NRPE from the monitoring host I am getting an SSL
> handshake error:
>
> [root@monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H ops.jokefire.com
> CHECK_NRPE: Error - Could not complete SSL handshake.
>

Don't know if these links are of any help but worth checking (if you have
not done so)

and


-- Arun Khan


Re: [CentOS] nfs (or tcp or scheduler) changes between centos 5 and 6?

2015-05-04 Thread Matt Garman
On Thu, Apr 30, 2015 at 7:31 AM, Peter van Hooft
 wrote:
>> You may want to try reducing sunrpc.tcp_max_slot_table_entries .
>> In CentOS 5 the number of slots is fixed: sunrpc.tcp_slot_table_entries = 16
>> In CentOS 6, this number is dynamic with a maximum of
>> sunrpc.tcp_max_slot_table_entries which by default has a value of 65536.
>>
>> We put that in /etc/sysconfig/modprobe.d/sunrpc.conf: options sunrpc
>> tcp_max_slot_table_entries=128
>
> Make that /etc/modprobe.d/sunrpc.conf, of course.


This appears to be the "smoking gun" we were looking for, or at least
a significant piece of the puzzle.

We actually tried this early on in our investigation, but were
changing it via sysctl, which apparently has no effect.  Your email
convinced me to try again, but this time configuring the parameters
via modprobe.

In our case, 128 was still too high.  So we dropped it all the way
down to 16.  Our understanding is that 16 is the CentOS 5 value.  What
we're seeing is now our apps are starved for data, so looks like we
might have to nudge it up.  In other words, there's either something
else at play which we're not aware of, or the meaning of that
parameter is different between CentOS 5 and CentOS 6.

Anyway, thank you very much for the suggestion.  You turned on the
light at the end of the tunnel!