Re: [CentOS] Disabling Firewall/iptables on CentOS 7??
On Wed, 22 Mar 2017 19:56:03 -0400 James Pifer wrote:

> I apologize if this has been asked and answered, but I googled and
> attempted things for several hours today without success.

Iptables isn't used by default, at least not directly. The easiest way to disable the firewall is:

# systemctl mask firewalld

and restart the machine.

The 192.168.122. subnet is something for libvirt and KVM. I have it completely disabled on my locals and VPSes without any problem. If you write specific rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, with -F -X -P INPUT DROP at the beginning, any trace of 192.168.122 will be gone.

Here are my IPv4 rules for my local machines:

*filter
-F
-X
-P INPUT DROP
-A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# localhost
-A INPUT -i lo -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
# ssh
-A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT

--
Łukasz Posadowski
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
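With firewalld masked, the static rule file is the only packet filter left, so it is worth confirming what it actually admits. The following is an added example, not part of the original message: a small audit of the ruleset quoted above that reports the INPUT policy and which ACCEPT rules are reachable from any address. The function names are hypothetical, and the parser assumes the simple one-argument-per-option rule style used in the message.

```python
import shlex

# IPv4 ruleset from the message above, embedded as sample input.
RULESET = """\
*filter
-F
-X
-P INPUT DROP
-A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# localhost
-A INPUT -i lo -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
# ssh
-A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

ANY_SOURCE = {None, "0/0", "0.0.0.0/0", "::/0"}

def audit_input(ruleset):
    """Return (INPUT policy, [(proto, dport, scope)]) for every ACCEPT rule."""
    # Assumption: every option takes exactly one argument and "!" is not used.
    policy, accepts = "ACCEPT", []        # a chain with no policy line stays ACCEPT
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)      # drops "# ..." comment lines
        if len(tok) >= 2 and tok[0] == ":INPUT":    # iptables-save form ":INPUT DROP [0:0]"
            policy = tok[1]
        elif len(tok) >= 3 and tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            if opts.get("-j") != "ACCEPT":
                continue
            if opts.get("-i") == "lo":
                scope = "loopback"
            elif "--state" in opts or "--ctstate" in opts:
                scope = "return-traffic"
            elif opts.get("-s") in ANY_SOURCE:
                scope = "any-source"
            else:
                scope = opts["-s"]
            accepts.append((opts.get("-p"), opts.get("--dport"), scope))
    return policy, accepts

def world_reachable(ruleset):
    """(proto, dport) pairs that accept new traffic from any source address."""
    return [(p, d) for p, d, scope in audit_input(ruleset)[1] if scope == "any-source"]
```

Run it against both /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, since the message keeps a separate rule file for each; a returned policy of ACCEPT means the file does not default-deny at all.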
Re: [CentOS] Python 3.x on Centos 7
> # yum install python34

I already have epel installed. If it breaks something is it as simple as yum erase python34 to restore everything back to normal?

On Thu, Mar 23, 2017 at 6:27 PM, Christian, Mark wrote:
> On Thu, 2017-03-23 at 18:16 -0500, Matt wrote:
>> Is there a way to install Python 3.x on Centos 7.x without breaking
>> anything that depends on an older version of Python? This server is a
>> minimal Centos 7 install that primarily runs a simple LAMP setup.
> Yes.
> # yum install python34
Re: [CentOS] polkit helper timeout and defunct pkla-check-authorization processes on CentOS 7.3
Hi everyone,

I'm replying to myself to help anyone else who happens to get the polkit timeouts.

Our CentOS7 machines are joined to our Active Directory domain and use AD for authentication and account lookups (Using the SSSD AD provider). We're NOT using FreeIPA.

The polkit timeouts were caused by sssd taking too long to respond to user information lookups for users that were in Active Directory. The solution was to set "enumerate = False" in /etc/sssd/sssd.conf and restart the sssd service or reboot the machine. If "enumerate" is not present in sssd.conf, then it defaults to False.

In addition to the polkit hangs, we were also experiencing the following problems, which went away or improved after the sssd.conf change was made:

- Running "id $USERNAME" was taking many seconds when looking up users in Active Directory
- Logins were taking a while (5+ seconds) or would just hang
- Unlocking a machine from the screensaver would sometimes fail.
- General system sluggishness.
- High system CPU/load with no obvious culprits according to "top"
- The sssd_be process was often taking 5% or more of a CPU.

The problems were more prevalent on our big time-sharing systems (64 cores/512GB RAM), that have multiple (15+) simultaneous users running large memory or CPU interactive jobs. The problems also hit some of our single-user workstations, but the most-affected users were still our compute-heavy research users.

For others' reference, I'm also running the sssd cache on a tmpfs filesystem and here is my sanitized sssd.conf file:

> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = subdomain.example.com
>
> [domain/subdomain.example.com]
> ad_domain = subdomain.example.com
> krb5_realm = subdomain.example.com
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
>
> enumerate = False
> access_provider = ad
> krb5_store_password_if_offline = True
> ldap_id_mapping = False
> use_fully_qualified_names = False
> krb5_renewable_lifetime = 60d
> krb5_lifetime = 60d
> krb5_renew_interval = 600s
>

Sincerely,
Jason

---
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedg...@uncc.edu | http://engr.uncc.edu
---

On Fri, Mar 10, 2017 at 1:01 PM, Edgecombe, Jason wrote:
> Hi everyone,
>
> We seem to be having issues on multiple CentOS 7.3 machines. The problem
> seems to revolve around polkitd. At some random time, polkitd seems to stop
> responding on my systems. Along with this, there might be hundreds of
> defunct pkla-check-authorization processes. If I reboot, then things are
> fine for a while.
>
> I don't see any activity in the unabridged journal to suggest anything
> that might be triggering polkitd. The puppet run finished 5 minutes before
> polkitd lost its head.
>
> polkit version is polkit-0.112-11.el7_3.x86_64
>
> Any help is appreciated.
>
> Thanks,
> Jason
>
> Here is some condensed output from the "journalctl -u polkit" command:
> Mar 09 04:02:14 myhost systemd[1]: Starting Authorization Manager...
> Mar 09 04:02:14 myhost polkitd[1018]: Started polkitd version 0.112
> Mar 09 04:02:14 myhost polkitd[1018]: Loading rules from directory /etc/polkit-1/rules.d
> Mar 09 04:02:14 myhost polkitd[1018]: Loading rules from directory /usr/share/polkit-1/rules.d
> Mar 09 04:02:14 myhost polkitd[1018]: Finished loading, compiling and executing 7 rules
> Mar 09 04:02:14 myhost systemd[1]: Started Authorization Manager.
> Mar 09 04:02:14 myhost polkitd[1018]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
> Mar 09 04:02:53 myhost polkitd[1018]: Registered Authentication Agent for unix-session:c1 (system bus name :1.41 [gnome-shell --mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Mar 09 04:08:25 myhost polkitd[1018]: Reloading rules
> Mar 09 04:08:25 myhost polkitd[1018]: Collecting garbage unconditionally...
> Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory /etc/polkit-1/rules.d
> Mar 09 04:08:25 myhost polkitd[1018]: Loading rules from directory /usr/share/polkit-1/rules.d
> Mar 09 04:08:25 myhost polkitd[1018]: Finished loading, compiling and executing 8 rules
> Mar 09 04:08:25 myhost polkitd[1018]: Reloading rules
> Mar 09 04:08:25 myho
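
The follow-up above traces the polkit timeouts to the "enumerate" setting in sssd.conf and to slow user lookups. As an added example (not part of the original thread), this script reports the effective enumerate value for each active domain and times a single account lookup, the same symptom the message describes with "id $USERNAME". The function names are hypothetical, and the sample config is a trimmed copy of the sanitized file in the message.

```python
import configparser
import pwd
import time

# Trimmed copy of the sanitized sssd.conf quoted in the message (sample input).
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = subdomain.example.com

[domain/subdomain.example.com]
id_provider = ad
access_provider = ad
enumerate = False
"""

def enumerate_by_domain(conf_text):
    """Map each domain listed under [sssd] to its effective enumerate value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    listed = cp.get("sssd", "domains", fallback="")
    result = {}
    for dom in (d.strip() for d in listed.split(",")):
        if not dom:
            continue
        # Per the message, a missing "enumerate" key means False.
        value = cp.get("domain/" + dom, "enumerate", fallback="false")
        result[dom] = value.strip().lower() == "true"
    return result

def enumerating_domains(conf_text):
    """Domains that would trigger full user/group enumeration."""
    return [d for d, on in enumerate_by_domain(conf_text).items() if on]

def lookup_seconds(username):
    """Wall-clock time of one NSS account lookup (what "id" does first)."""
    start = time.perf_counter()
    try:
        pwd.getpwnam(username)
    except KeyError:
        pass                      # unknown user still exercises the lookup path
    return time.perf_counter() - start

if __name__ == "__main__":
    print(enumerating_domains(SSSD_CONF))
    print("lookup took %.3fs" % lookup_seconds("root"))
```

On a real host, pass the contents of /etc/sssd/sssd.conf and an Active Directory account name; a lookup that takes seconds rather than milliseconds matches the behaviour reported in the message.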
Re: [CentOS] Python 3.x on Centos 7
On Fri, 2017-03-24 at 08:52 -0500, Matt wrote:
> > # yum install python34
>
> I already have epel installed. If it breaks something is it as simple
> as yum erase python34 to restore everything back to normal?
>

If it's in epel it will have been tested with RHEL/CentOS so shouldn't break anything. But yes, a yum erase should remove it.

P.
Re: [CentOS] Python 3.x on Centos 7
On 03/24/2017 06:52 AM, Matt wrote:
> I already have epel installed. If it breaks something is it as simple
> as yum erase python34 to restore everything back to normal?

Consider using "yum history undo" or "yum history revert" to remove dependencies as well.
Re: [CentOS] Python 3.x on Centos 7
On 3/24/2017 6:52 AM, Matt wrote:
>> # yum install python34
> I already have epel installed. If it breaks something is it as simple
> as yum erase python34 to restore everything back to normal?

be pretty hard to break anything, it installs...

/usr/bin/python3
/usr/bin/python3.4

and puts all the runtime libs in /usr/lib64/python3.4

the default C7 python is...

/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7

with libraries in /usr/lib64/python2.7

so no overlap at all. if you want python 3.4, you have to invoke it explicitly.

--
john r pierce, recycling bits in santa cruz
Re: [CentOS] Python 3.x on Centos 7
I much prefer the Anaconda distribution of Python3. It installs for a single user and is completely self contained. Also much more recent versions are available:

https://www.continuum.io/downloads

On 24 March 2017 at 00:16, Matt wrote:
> Is there a way to install Python 3.x on Centos 7.x without breaking
> anything that depends on an older version of Python? This server is a
> minimal Centos 7 install that primarily runs a simple LAMP setup.
Re: [CentOS] RHEL 6.9 is out
On 03/23/2017 06:57 PM, Johnny Hughes wrote:
> On 03/22/2017 05:11 PM, Digimer wrote:
>> On 22/03/17 05:31 PM, Johnny Hughes wrote:
>>> On 03/22/2017 08:27 AM, Phelps, Matthew wrote:
>>>> On Wed, Mar 22, 2017 at 9:16 AM, Valeri Galtsev wrote:
>>>>>
>>>>> On Wed, March 22, 2017 7:46 am, Phelps, Matthew wrote:
>>>>>> Red Hat released RHEL 6.9 yesterday.
>>>>>>
>>>>>> Why isn't CentOS 6.9 out yet? :)
>>>>>>
>>>>> Somebody has to do a hard work, I'm sure. Thanks, guys for the great work
>>>>> you are doing!
>>>>>
>>>>> Or you as sysadmin know that and just being ironic?
>>>>>
>>>>> Valeri
>>>>>
>>>> To be clear, I was being ironic. Hence the smiley face. I just wanted to
>>>> start a thread for future updates to appear in.
>>>
>>> There are 270 SRPMs that need to be built .. of those 18 require
>>> modification for branding. All the mods have been applied and a build
>>> consisting of those 270 SRPMs has been queued.
>>>
>>> As of right now (time of writing this mail), we are still building in
>>> pass 1 .. so far 236 of the 270 SRPMs have tried to build, 15 have had
>>> some sort of failure and the rest have built fine.
>>>
>>> Working right now to figure out the failures and will resubmit those
>>> once the first pass of all 270 completes.
>>>
>>
>> Sending a digital $drink... :)
>>
>
>
> OK .. current status on CentOS-6.9 testing:
>
> We have a CR tree (see this link if you don't know what CR is
> http://bit.ly/2mWkdq7 )
>
> We have been testing this tree for several hours in QA and have made
> some corrections.
>
> If we don't find any deal breaking errors, the plan is to push the CR
> repo to 6.8 tree tomorrow at 1600 UTC .. it will take a couple hours to
> get to all of mirror.centos.org.
>
> So expect some announcements on the CR-Announce list tomorrow:
>
> https://lists.centos.org/mailman/listinfo/centos-cr-announce
>

OK guys, the CR release has happened.
Re: [CentOS] Disabling Firewall/iptables on CentOS 7??
On 3/24/2017 3:16 AM, Łukasz Posadowski wrote:
> On Wed, 22 Mar 2017 19:56:03 -0400 James Pifer wrote:
>> I apologize if this has been asked and answered, but I googled and
>> attempted things for several hours today without success.
>
> Iptables isn't used by default, at least not directly. The easiest way to
> disable the firewall is:
>
> # systemctl mask firewalld
>
> and restart the machine.
>
> The 192.168.122. subnet is something for libvirt and KVM. I have it
> completely disabled on my locals and VPSes without any problem. If you
> write specific rules in /etc/sysconfig/iptables and
> /etc/sysconfig/ip6tables, with -F -X -P INPUT DROP at the beginning, any
> trace of 192.168.122 will be gone.
>
> Here are my IPv4 rules for my local machines:
>
> *filter
> -F
> -X
> -P INPUT DROP
> -A INPUT -s 0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # localhost
> -A INPUT -i lo -j ACCEPT
> # ping
> -A INPUT -p icmp -j ACCEPT
> # ssh
> -A INPUT -s 192.168.234.0/24 -p tcp --dport 22 -j ACCEPT
> COMMIT

Thanks for the help. Basically I was making it more complex than it needed to be. Disabling firewalld and removing the libvirt NIC did the job.

Thanks
James