Re: [CentOS] Need help with Linux networking interfaces and NIC bonding
On 04/10/2018 07:44, Sean Son wrote:

Hi Sean,

[snip]

> 1) Whenever I ping any of the devices on our network, from this server, the
> traffic goes out from the management port. I do not want the traffic to go
> out of the management port. I want it to go out through the active port of
> the NIC bond. How do I configure the networking so that all primary
> network traffic flows to and from the NIC bonded interfaces? I only want
> the management port to be used for SSH purposes and well, management of the
> server.

When the server *originates* traffic, it will use the main routing table, and that's why traffic goes out of em1. There's no rule telling the server that when the traffic is initiated by the server, it must consult a different routing table, t1.

One way to ensure that all the monitoring traffic goes through bond0, is to configure every service with an explicit source address. However, some services allow this, and some don't, so this quickly becomes cumbersome.

What you probably want to do is to invert your rules and routes, so that the bond0 interface is in the main table, and you put your management interface, em1, into another table (t1). Then, when you ssh into the server, it will use em1, but all other traffic will use bond0 by default.

Regards,
Anand

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
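One way to stage the inversion described in the reply above, as an added example that is not part of the thread: the script copies the two ifcfg files, moves the default route to bond0, and writes route-em1 and rule-em1 so that table t1 serves only the management address. The addresses are the ones posted in the original question; the function name and the staging directory are hypothetical, and table t1 is assumed to be defined already in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the thread. Values are the ones Sean posted;
# table "t1" is assumed to be defined already in /etc/iproute2/rt_tables.
MGMT_DEV=em1
MGMT_IP=192.168.56.50
BOND_DEV=bond0
NET=192.168.56.0/24
GW=192.168.56.1
TABLE=t1

# stage_inverted SRC_DIR OUT_DIR
# Reads ifcfg-em1 and ifcfg-bond0 from SRC_DIR and writes edited copies plus
# route-em1 and rule-em1 into OUT_DIR. Nothing in SRC_DIR is changed.
stage_inverted() {
    src=$1
    out=$2
    [ -r "$src/ifcfg-$MGMT_DEV" ] && [ -r "$src/ifcfg-$BOND_DEV" ] || return 1
    mkdir -p "$out" || return 1

    # Management port: drop its gateway so it no longer supplies the
    # default route of the main table.
    awk '!/^(GATEWAY|DEFROUTE)=/' "$src/ifcfg-$MGMT_DEV" > "$out/ifcfg-$MGMT_DEV"
    echo 'DEFROUTE="no"' >> "$out/ifcfg-$MGMT_DEV"

    # Bond: owns the default route in the main table, so traffic the server
    # originates leaves through it.
    awk '!/^(GATEWAY|DEFROUTE)=/' "$src/ifcfg-$BOND_DEV" > "$out/ifcfg-$BOND_DEV"
    printf 'GATEWAY=%s\nDEFROUTE=yes\n' "$GW" >> "$out/ifcfg-$BOND_DEV"

    # Table t1 now describes the management port ...
    printf '%s dev %s src %s table %s\n' "$NET" "$MGMT_DEV" "$MGMT_IP" "$TABLE" \
        > "$out/route-$MGMT_DEV"
    printf 'default via %s dev %s table %s\n' "$GW" "$MGMT_DEV" "$TABLE" \
        >> "$out/route-$MGMT_DEV"
    # ... and is consulted only for packets sourced from its address, which
    # is what the replies on an inbound SSH session carry.
    printf 'from %s table %s\n' "$MGMT_IP" "$TABLE" > "$out/rule-$MGMT_DEV"
}

# Usage: sh stage.sh /etc/sysconfig/network-scripts ./staged
# Then diff the two directories, install the staged files, and delete the old
# route-bond0 and rule-bond0. Both ports sit in 192.168.56.0/24, so the main
# table still holds one connected route per interface; after restarting the
# network, "ip route get <target>" shows which device a given ping will use.
if [ $# -eq 2 ]; then
    stage_inverted "$1" "$2"
fi
```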
Re: [CentOS] Frefox update from firefox-60.2.0-1.el7.centos.x86_64 to 60.2.1-1.el7.centos.x86_64 lost master password
On 04/10/18 05:45, Akemi Yagi wrote:
> On Wed, Oct 3, 2018 at 9:19 AM Stephen John Smoogen wrote:
>
> > It would seem that the problem is with upstream-upstream's (aka
> > Firefox) cleaning up of items that are not supposed to be there after
> > Firefox 58
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1475775
> >
> > It looks like it is deleting files it thinks should have been
> > converted to a newer more secure version.. but don't seem to be for
> > some reason. I am not sure if those files will just be removed again
> > every time you restore them.
>
> That link added to the related RHBZ:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1633932

Yes, that seems to describe what I am experiencing. As I usually keep FF open for days at a time, it has taken a while to show up. Will now try the

> $ export NSS_DEFAULT_DB_TYPE="sql"
>
> Akemi
Re: [CentOS] 2038 year Problem
On 03/10/2018 14:31, Larry Martell wrote:
>
> It only went smoothly because there were people like me fixing the issues ;-)

In that case perhaps I should take some of the credit for writing code that never had a Y2K problem in the first place. ;-)

> I worked on Wall St at the time, and I got a reputation for being able
> to find and fix Y2K issues. Really all that I did was grep the code
> bases for 2 digit years, and code that blindly added 1900 to them.
> There were a ton of those cases. It was not atypical for me to find
> 500-1000 or more such cases at each site. The fixes were easy but the
> testing took a while. I did this for banks, hedge funds, brokerages,
> bond traders, etc.
>
> At one place where I had fixed probably 700 cases, after Y2K came and
> went without an incident the CEO said "You made such a big deal about
> this, and then nothing happened."

I think this shows that it was partly an industry-related issue. At the ISP I mentioned, the vast majority of the systems were Y2K-compliant and had ended up that way through the normal process of upgrades and patches over many years. (Well, apart from the single, major semi-proprietary system we knew about anyway).

However, your employer (and your employer's industry) was very different: It clearly ran numerous disparate code bases, many developed in house, many of which were non-compliant and whose compliance was unknown until you found and fixed them.

I was definitely in the wrong industry!

--
Mark Rousell
Re: [CentOS] Frefox update from firefox-60.2.0-1.el7.centos.x86_64 to 60.2.1-1.el7.centos.x86_64 lost master password
On Thu, 2018-10-04 at 21:27 +1300, Rob Kampen wrote:
> On 04/10/18 05:45, Akemi Yagi wrote:
> > On Wed, Oct 3, 2018 at 9:19 AM Stephen John Smoogen wrote:
> >
> > > It would seem that the problem is with upstream-upstream's (aka
> > > Firefox) cleaning up of items that are not supposed to be there
> > > after
> > > Firefox 58
> > >
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1475775
> > >
> > > It looks like it is deleting files it thinks should have been
> > > converted to a newer more secure version.. but don't seem to be
> > > for
> > > some reason. I am not sure if those files will just be removed again
> > > every time you restore them.
> >
> > That link added to the related RHBZ:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1633932
>
> Yes, that seems to describe what I am experiencing. As I usually keep
> FF
> open for days at a time, it has taken a while to show up. Will now
> try the
>
> > $ export NSS_DEFAULT_DB_TYPE="sql"
> >
> > Akemi

Hi Akemi,

That sorted the problem for me, thanks. Now to start re-entering all my previously stored passwords. Lucky I have a list of sites if not the usernames/passwords ;-(

Regards
Tony

--
Tony Molloy
Home
[CentOS] Need help with Linux networking interfaces and NIC bonding
I don't know if this is your situation or not but I have found in my bonding testing that failover can take what I consider to be an inordinate amount of time (as in up to 50 seconds). Were you "patient" (possibly using an altered definition of the term) to see if ping would eventually reply?

Leroy Tennison
Network Information/Cyber Security Specialist

From: CentOS on behalf of Sean Son
Sent: Thursday, October 4, 2018 12:44 AM
To: CentOS mailing list
Subject: [EXTERNAL] [CentOS] Need help with Linux networking interfaces and NIC bonding

Hello everyone

I am running into some strange issues when configuring networking interfaces on my physical server running Centos 7.5. Let me give you an overview of what's going on:

We have a physical server, running CentOS 7.5. This server has one 4 port NIC and one 2 port NIC and a Dell IDRAC port. The first port of the 4 port NIC, em1, is used for Management traffic. The first port of the 2 port NIC is used for the second port in the NIC bond, device p6p2. The second port on the 4 port NIC, device em2, is the first port on the NIC bond.

These interfaces are using Static IPs. Here is my /etc/sysconfig/network-scripts/ifcfg-em1 file. Please keep in mind that I have changed the IPs and MAC addresses in the files for security reasons:

ifcfg-em1:

    TYPE="Ethernet"
    PROXY_METHOD="none"
    BROWSER_ONLY="no"
    BOOTPROTO="none"
    DEFROUTE="yes"
    IPV4_FAILURE_FATAL="no"
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    IPV6_DEFROUTE="yes"
    IPV6_FAILURE_FATAL="no"
    IPV6_ADDR_GEN_MODE="stable-privacy"
    NAME="em1"
    UUID="bbb2f9c2-141b-4a99-ab1e-328551aae612"
    DEVICE="em1"
    ONBOOT="yes"
    IPADDR="192.168.56.50"
    PREFIX="24"
    GATEWAY="192.168.56.1"
    DNS1="192.168.126.10"
    DNS2="192.168.220.10"
    IPV6_PRIVACY="no"
    NM_CONTROLLED=no

as for the ifcfg-bond0 (the configuration file for the NIC bond, which is bond0):

    DEVICE=bond0
    NAME=bond0
    TYPE=Bond
    ONBOOT=yes
    BOOTPROTO=none
    IPADDR=192.168.56.70
    PREFIX=24
    BONDING_MASTER=yes
    BONDING_OPT="mode=1 miimon=100"
    TYPE=Ethernet

and the ifcfg-slave1 configuration file, which is the first slave port for the NIC bond, this corresponds to em2:

    DEVICE=em2
    HWADDR="c8:2f:87:fg:2a:31"
    ONBOOT=yes
    TYPE=Ethernet
    BOOTPROTO=none
    MASTER=bond0
    SLAVE=yes

and the ifcfg-slave2 configuration file, which corresponds to the second slave port for the NIC bond, which is interface p6p2:

    DEVICE=p6p2
    HWADDR="00:6a:d7:7c:e8:09"
    BOOTPROTO=none
    ONBOOT=yes
    TYPE=Ethernet
    MASTER=bond0
    SLAVE=yes

I created a custom routing policy for the NIC bond, bond0. Here is the configuration for the routing policy:

route-bond0:

    192.168.56.0/24 dev bond0 src 192.168.56.70 table t1
    default via 192.168.56.1 dev bond0 table t1

and the rule-bond0 file:

    table t1 from 192.168.56.70

as for the routing table:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.56.1    0.0.0.0         UG    0      0        0 bond0
    192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 bond0
    192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 em1
    169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 em1
    169.254.0.0     0.0.0.0         255.255.0.0     U     1008   0        0 bond0

now here is the scenario I am dealing with:

This linux server is used for monitoring purposes. We have Nagios, Cacti and other tools installed on it. There are a few things I have noticed and I want help on:

1) Whenever I ping any of the devices on our network, from this server, the traffic goes out from the management port. I do not want the traffic to go out of the management port. I want it to go out through the active port of the NIC bond. How do I configure the networking so that all primary network traffic flows to and from the NIC bonded interfaces? I only want the management port to be used for SSH purposes and well, management of the server.

2) I have configured the NIC bond in active-backup mode. I notice that when I used another computer to do a continuous ping to the NIC bond, and then I disable one of the sl
[CentOS] Copy to smb share fails with "invalid argument" on CentOS 7
Hi,

I've had problems copying files to Windows shares from my CentOS 7 machine lately. I originally got this in the desktop file manager, but find that I can also reproduce using gvfs-copy. "cp" to the directory mounted by gvfs works just fine, on the other hand. Also, the problem does not occur with small files - I think anything below 64k is OK.

The following command sequence should illustrate the problem (note that some of the names have been changed):

    [toralf@osl-97214 ~]$ dd if=/dev/zero of=tst.zero bs=65537 count=1
    1+0 records in
    1+0 records out
    65537 bytes (66 kB) copied, 0.000919358 s, 71.3 MB/s
    [toralf@osl-97214 ~]$ gvfs-copy tst.zero "smb://pgs.com;toralf.lund@ourserver/theshare/"
    Error copying file tst.zero: Invalid argument
    [toralf@osl-97214 ~]$ cp tst.zero /run/user/1234/gvfs/smb-share:domain=pgs.com,server=ourserver,share=theshare,user=toralf.lund/

I actually get numerous references to similar issues when I search the web, including https://bugzilla.redhat.com/buglist.cgi?quicksearch=%22invalid%20argument%22&list_id=9500568 - but they seem to indicate that the cause was a samba issue that was resolved some time during the version 3 release cycle, and I have samba-4.7.1-9. Also, I never actually had problems like this with samba 3.

Has anyone else seen this? Is there a way around it?

Thanks.

- Toralf
[CentOS] CentOS 7.5, Apache 2.4, Kerberos
Hi List,

My goal in sending this email is to get some direction on where to start looking to solve my problem. Thank you all in advance for reading through this and providing any guidance!

I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS 7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/2.4.33. Our servers are all sitting behind a load balancer end point.

System specifics

    CentOS Linux release 7.5.1804 (Core)
    Server version: Apache/2.4.33 (Unix)
    Server built: Jul 3 2018 11:33:42

On all of our CentOS 6.7 machines, kerberos works. On all of our 7.5 machines, it fails. I am looking, at this point, for direction on where to start looking. Here is some relevant information:

Output from apache error log

    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : denied (no authenticated user yet)
    [auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : denied (no authenticated user yet)
    [auth_kerb:debug] src/mod_auth_kerb.c(1643): kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [auth_kerb:debug] src/mod_auth_kerb.c(1400): Verifying client data using KRB5 GSS-API
    [auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us their credential
    [auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [auth_kerb:debug] src/mod_auth_kerb.c(1116): GSS-API major_status:0001, minor_status:
    [auth_kerb:error] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
    [headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted, referer: https://six.***.com/sso
    [headers:debug] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all granted: granted, referer: https://six.***.com/sso
    [authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of : granted, referer: https://six.***.com/sso

apache vhost files

    ==site specific==
    Define vhost_name siteName
    Define vhost_home /path/to/site/home
    Include conf/vhosts.d/template.inc

    ==conf/vhosts.d/template.inc contains==
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthoritative off
    KrbAuthRealms [list of realms removed for security]
    Krb5Keytab "/etc/krb5.keytab"
    KrbServiceName Any
    require valid-user
    ErrorDocument 401 ""

And some output from kinit and klist

    $ sudo kinit -V -t /etc/krb5.keytab HTTP/six.***.com@EXT.**.COM
    keytab specified, forcing -k
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/six.***.com@EXT.**.COM
    Using keytab: /etc/krb5.keytab
    kinit: Client 'HTTP/six.***.com@EXT.**.COM Kerberos database while getting initial credentials

    $ sudo klist -etk
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal
    --- --
    3 09/27/2018 10:22:17 HTTP/one.***.com@aaa.**.COM (arcfour-hmac)
    3 09/27/2018 10:22:17 HTTP/two.***.com@aaa.**.COM (arcfour-hmac)
    3
Re: [CentOS] CentOS 7.5, Apache 2.4, Kerberos
Hi, rebecca,

rebecca coleman wrote:
>
> My goal in sending this email is to get some direction on where to start
> looking to solve my problem. Thank you all in advance for reading through
> this and providing any guidance!
>
> I'm working on moving to new servers, upgrading from CentOS 6.7 to CentOS
> 7.5. In this move, we are also upgrading from Apache/2.2.15 to Apache/
> 2.4.33. Our servers are all sitting behind a load balancer end point.
>
> [auth_kerb:debug] src/mod_auth_kerb.c(1416): Client didn't delegate us
> their credential [auth_kerb:debug] src/mod_auth_kerb.c(1444): Warning:
> received token seems to be NTLM, which isn't supported by the Kerberos
> module. Check your IE configuration. [auth_kerb:debug]
> src/mod_auth_kerb.c(1116): GSS-API major_status:0001,
> minor_status:
> [auth_kerb:error] gss_accept_sec_context() failed: An unsupported
> mechanism was requested (, Unknown error) [headers:debug]
> mod_headers.c(900): AH01503: headers:

This is where I'd start. If you're using IE (why?!), what's it looking for for authentication? Also, the new version of CentOS and /etc/httpd/conf.d/ssl.conf may have the encryption that you're currently using disabled, as it's too weak.

mark
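The NTLM warning in the quoted log can be cross-checked from the client side by decoding the value the browser sends in its "Authorization: Negotiate" header. The script below is an added example, not part of the thread and not mod_auth_kerb code; the function name is hypothetical, and it assumes the header value has been copied from the browser's developer tools or a proxy trace.

```shell
#!/bin/sh
# Added example, not from the thread or from mod_auth_kerb.
# classify_negotiate TOKEN
#   TOKEN is the base64 value of an "Authorization: Negotiate" header (the
#   header name and scheme may be left on the front). Prints one of:
#     ntlm          raw NTLMSSP message, no Kerberos involved
#     spnego-krb5   SPNEGO token that offers Kerberos 5
#     spnego-ntlm   SPNEGO token that only carries or offers NTLM
#     spnego-other  SPNEGO token with neither mechanism recognised
#     krb5          bare Kerberos 5 GSS-API token
#     unknown / invalid
classify_negotiate() {
    tok=${1##*Negotiate }
    hex=$(printf '%s' "$tok" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    if [ ${#hex} -lt 16 ]; then echo invalid; return 0; fi

    case $hex in
        4e544c4d53535000*) echo ntlm; return 0 ;;   # "NTLMSSP\0" signature
        60*) ;;                                      # GSS-API initial token
        *) echo unknown; return 0 ;;
    esac

    # Skip the 0x60 tag and its DER length (short form, or 0x8N + N bytes)
    # so that the mechanism OID is at the front of $rest.
    lb=$(printf '%s' "$hex" | cut -c3-4)
    skip=2
    if [ $((0x$lb)) -ge 128 ]; then skip=$((2 + (0x$lb & 127))); fi
    rest=$(printf '%s' "$hex" | cut -c$((skip * 2 + 1))-)

    krb5_oid=2a864886f712010202          # 1.2.840.113554.1.2.2
    ntlm_oid=2b06010401823702020a        # 1.3.6.1.4.1.311.2.2.10
    case $rest in
        06092a864886f712010202*) echo krb5 ;;
        06062b0601050502*)                           # SPNEGO, 1.3.6.1.5.5.2
            case $rest in
                *"$krb5_oid"*) echo spnego-krb5 ;;
                *"$ntlm_oid"*|*4e544c4d53535000*) echo spnego-ntlm ;;
                *) echo spnego-other ;;
            esac ;;
        *) echo unknown ;;
    esac
}
```

A result of ntlm or spnego-ntlm means the client never obtained a service ticket for the site, which moves the investigation to the client, the SPN and the name the load balancer presents rather than the Apache module.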
[CentOS] NetworkManager, multiple IPs, and selinux...
Hello,

I was wondering if anyone has seen issues with selinux name_bind denials that result from having IP:PORT bindings for services to specific IP addresses managed on an interface under NetworkManager's control?

I do realize that people will probably say stop using NetworkManager, and I may, but the behavior is strange, and I'd like to have a better understanding of what's going on.

The config is like so:

    # nmcli c mod eth0 ipv4.addresses 192.168.1.10/24,192.168.1.11/24
    # nmcli c down eth0
    # nmcli c up eth0
    # getenforce
    Enforcing
    # systemctl start httpd
    permission denied binding to 192.168.1.10:443

Apache has two simple IP based VHosts, site1 and site2, with different (and correct) dns records and ssl certs. I'm snipping the config because I know the Apache config works.

    Listen 443

    ...

    ...

I find the denial strange. I've done some testing such as removing one VHost's config and adding a NIC to the VM (eth1) and reconfigure to have 1 IP on each NIC and use both Vhosts. Either way, the selinux denial disappears and everything works. All the packaged selinux policy relating to httpd_t and access to port 443 is correct.

I don't doubt that if I ditched NetworkManager and went for eth0:0 and eth0:1 for the IP interfaces, all would be well. I'd just like to see if anyone has some input on the issue.

--Sean
Re: [CentOS] NetworkManager, multiple IPs, and selinux...
On 10/4/18 4:10 PM, Sean wrote:
> Hello,
>
> I was wondering if any one has seen issues with selinux name_bind denials
> that result from having IP:PORT bindings for services to specific IP
> addresses managed on an interface under NetworkManager's control?

Is selinux denying the request or the socket? Does it work with setenforce permissive?

> I do realize that people will probably say stop using NetworkManager, and I
> may, but the behavior is strange, and I'd like to have a better
> understanding of what's going on.
>
> The config is like so:
>
> # nmcli c mod eth0 ipv4.addresses 192.168.1.10/24,192.168.1.11/24
> # nmcli c down eth0
> # nmcli c up eth0
> # getenforce
> Enforcing
> # systemctl start httpd
> permission denied binding to 192.168.1.10:443
>
> Apache has two simple IP based VHosts, site1 and site2, with different (and
> correct dns records and ssl certs). I'm snipping the config because I know
> the Apache config works.
>
> Listen 443
>
> ...
>
> ...
>
> I find the denial strange. I've done some testing such as removing one
> VHost's config and adding a NIC to the VM (eth1) and reconfigure to have 1
> IP on each NIC and use both Vhosts. Either way, the selinux denial
> disappears and everything works. All the packaged selinux policy relating
> to httpd_t and access to port 443 is correct.
>
> I don't doubt that if I ditched NetworkManager and went for eth0:0 and
> eth0:1 for the IP interfaces, all would be well. I'd just like to see if
> anyone has some input on the issue.

I don't believe apache selectively binds the socket to the address, but the interface. My suspicion is that you can only bind one listener for a port to an interface and not to individual IP addresses on the same interface. If you use "virtual" interfaces to separate the IP addresses (eth0:0, eth0:1) then I would expect it to work.

- Mike
Re: [CentOS] How to install Banshee on CentOS 7?
On 2018-10-02, MRob wrote:
> on centos 7 I tried to install banshee from EPEL
>
> yum install banshee
>
> getting this error:
>
> Error: Package: banshee-2.6.2-11.el7.x86_64 (epel)
> Requires: libgpod-sharp >= 0.8.2
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
>
> seems known problem but ignored to fix it in a year or more:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1406012
>
> I tried "yum install --skip-broken banshee" however this will skip
> banshee itself! lol
>
> what else can I do to install banshee?

Your best bet is to talk to the maintainer of banshee in epel.
Re: [CentOS] Frefox update from firefox-60.2.0-1.el7.centos.x86_64 to 60.2.1-1.el7.centos.x86_64 lost master password
On 05/10/18 01:27, Tony Molloy wrote:
> On Thu, 2018-10-04 at 21:27 +1300, Rob Kampen wrote:
> > On 04/10/18 05:45, Akemi Yagi wrote:
> > > On Wed, Oct 3, 2018 at 9:19 AM Stephen John Smoogen wrote:
> > >
> > > > It would seem that the problem is with upstream-upstream's (aka
> > > > Firefox) cleaning up of items that are not supposed to be there
> > > > after Firefox 58
> > > >
> > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1475775
> > > >
> > > > It looks like it is deleting files it thinks should have been
> > > > converted to a newer more secure version.. but don't seem to be
> > > > for some reason. I am not sure if those files will just be removed
> > > > again every time you restore them.
> > >
> > > That link added to the related RHBZ:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1633932
> >
> > Yes, that seems to describe what I am experiencing. As I usually keep
> > FF open for days at a time, it has taken a while to show up. Will now
> > try the
> >
> > > $ export NSS_DEFAULT_DB_TYPE="sql"
> > >
> > > Akemi
>
> Hi Akemi,
>
> That sorted the problem for me, thanks. Now to start re-entering all my
> previously stored passwords. Lucky I have a list of sites if not the
> usernames/passwords ;-(
>
> Regards
> Tony

works for me too - will just need to make sure this goes somewhere safe to ensure survival after a reboot.