Discuss April 2021

discuss@lists.centos.org

76 participants
49 discussions

rsync over ssh stalls after completing the job
by Frank Cox 15 Apr '21

15 Apr '21

Here's a weird one. I have two Centos 8 machines that use rsync-over-ssh to back up files between each other. (Each machine acts as a backup machine for the other one.) There's are nightly cronjobs that do the backing up, the commands look like this: rsync -av --delete /home/mydirectory jeff:/home/mydirectorybackup That command works fine when it's run through the cronjob. When I try to run a rsync command between mutt and jeff from the commandline, that's where the problem starts. It worked a few days ago but now when I log into jeff and do a rsync to or from mutt it works fine. When I log into mutt and do a rsync to or from jeff it works and does the job, but then it seems to stall afterward and I have to hit ctrl-c to get my cursor back. Here's a test run so you can see what happens. [me@mutt temp]$ rsync -avv ../temp/ jeff:temp opening connection using: ssh jeff rsync --server -vvlogDtpre.iLsfxC . temp (7 args) sending incremental file list delta-transmission enabled bookmarks.html is uptodate ./ abc total: matches=0 hash_hits=0 false_alarms=0 data=26321 ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(644) [sender=3.1.3] A file named bookmarks.html existed in both directories so it wasn't changed, and a new file abc was copied to the backup directory. Then my ctrl-c stopped the job and brought the cursor back after it stalled. scp works fine to copy files either way when logged into either machine and, again, my backup-this-to-that cronjobs that run rsync seem to be working fine as well. I just discovered this last night when I went to rsync some files manually between these machines. The last time I did that was at least a few days ago and it worked fine then. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com

6 18

NAME:WRECK
by mark 14 Apr '21

14 Apr '21

I'm reading a story linked to from slashdot, and I see FreeBSD is vulnerable. Has anyone looked at CentOS? mark

2 1

Missing /etc/ld.so.conf.d/kernel-3.10.0-1127.19.1.el7.x86_64.conf
by Kenneth Porter 14 Apr '21

14 Apr '21

I'm yum updating some CentOS 7 systems today and got this error. Two systems (so far) seem to have rebooted fine. Should I worry? error: file /etc/ld.so.conf.d/kernel-3.10.0-1127.19.1.el7.x86_64.conf: No such file or directory

4 7

Re: [CentOS] Proxmox Backup Server equivalent for the RHEL/CentOS world ?
by Blaž Bogataj 14 Apr '21

14 Apr '21

Hello As I said a couple of weeks ago in response to Niki I have been using ProxMox almost from the beginning ;). No "enterprise" version. And backup is one of the reasons for that. NFS on NAS as a backup target is really nice, even one time quicker than backup to local storage (NAS with 10gb FC). Also fiddling with RHV. But there is no "free" backup solution. I am trying with Bacchus but no way to schedule backup. Single backup OK, schedule backup no go. So now use vProtect, for 5 years not a lot of $. But I hope to find some instructions on how to build Prox and use it as software defined storage. I must learn how to build this, especially about a separated management network, without I think I can't build this to get HA. And them migrate from RHV. All the best Blaz

1 0

What to do when a selinux policy doesn't work?
by hw 14 Apr '21

14 Apr '21

Hi, I'm getting log file entries about ejabberd not being able to remove files that were uploaded by client through the file upload facility of XMPP. With the help of audit2allow, I have already created and installed some selinux modules to solve such issues, and still files can't be expired. So I used grep '/srv/data/ejabberd' /var/log/audit/audit.log | audit2allow -w to find out what might cause this, and the answer is: type=AVC msg=audit(1606302910.314:2905): avc: denied { open } for pid=18687 comm="8_dirty_io_sche" path="/srv/data/ejabberd/[...]" dev="md100" ino=166 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1 Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. I have reloaded the policies with 'semodule -R', and that didn't change anything. The files in question seem to have the correct attributes like: ls -laZ /srv/data/ejabberd/[...] -rw-r--r--. 1 ejabberd ejabberd system_u:object_r:var_t:s0 1384362 Nov 25 12:15 /srv/data/ejabberd/[...] Ejabberd is supposed to expire files when they are older than desired, and selinux prevents it. How can I solve this problem other than by disabling selinux or by deleting the files manually?

2 3

How to find out what's eating the bandwidth
by Frank Cox 14 Apr '21

14 Apr '21

Is there a program that will tell me what's eating the bandwidth on a lan? I'm thinking of something that would tell me that a.b.c.d is using so many mbps and a.b.c.e is using this many and so on. Or can just-another-computer-on-the-network actually see that sort of information? I don't know enough about the low level nuts and bolts of networking to know if it has that kind of access. I'm really just interested in volume of traffic per attached device rather than specific origin/destination information if that's easier to obtain. This way if something is eating the network I can find out what it is without having to start unplugging cables and so on to find out when it stops. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com

5 6

How to organize your VMs
by Nicolas Kovacs 13 Apr '21

13 Apr '21

Hi, Up until now my main production server has been a "bare metal" installation of CentOS 7.9 hosting a variety of stuff. * DNS server with BIND for eight domains * IMAP mail server with Postfix and Dovecot for these domains, with about two dozen mail accounts * Webmail with Roundcube for all the mail accounts * Various WordPress-based websites and blogs * Several instances of the management software Dolibarr * The learning platform GEPI for our local school * One instance of OwnCloud for half a dozen users The hardware has no problems to deal with all that performance-wise. But managing all this in one big bulk has become a bit of a problem, since the LAMP-based PHP applications (WordPress, Dolibarr, GEPI, OwnCloud) increasingly cultivate their idiosyncrasies, so this feels more and more like herding cats. My main goal in migrating all this stuff preogressively to a series of neat VMs hosted on a KVM hypervisor is clarity and ease of maintenance. Now I wonder what could be a smart subdivision of all these VMs. After a bit of brainstorming, here's what I can come up with. 1. It would make sense to regroup all the applications, e. g. one VM for all the Dolibarr hostings, and then a different VM for WordPress, and a third VM for OwnCloud. 2. It's tempting to have a lot of small VMs for clarity's sake. On the other hand, it's maybe better to have one single VM for all the mail stuff. 3. Should I put all the Roundcube instances in a separate VM? Or does that go with the Postfix/Dovecot mail VM? 4. DNS is a bit of a special case, a bit of a catch 22. I would be tempted to setup an extra (bare-metal) machine for just handling this. Since BIND provides the DNS information about the hypervisor and the backup server themselves this becomes a bit of a chicken-and-egg situation. 5. Even if it's tempting to multiply VMs, let's not forget that I have to keep an eye on hardware resources, not to forget I have to pay for every extra IPv4 address. I'd be curious to have your input, since I'm fairly new to this sort of approach. Cheers, Niki -- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info(a)microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12

7 7

Resize a VM: any risk involved ?
by Nicolas Kovacs 11 Apr '21

11 Apr '21

Hi, I'm currently fiddling with KVM, Proxmox and various VMs. I setup a very basic VM with a manual (fdisk) partitioning scheme: one /boot partition, one swap partition, and one root partition, the latter being the last partition and thus expandable). I'm starting with a reduced disk size (6 GB in total) and a minimal installation. The idea behind this approach is that I can clone this minimal VM and then eventually expand it to fit my needs. Here's how I expand the available disk size. First I increase the virtual disk in the hypervisor. Then I fire up the VM and do the following: # yum install cloud-utils-growpart # lsblk # growpart -v /dev/sda 3 # resize2fs /dev/sda3 Now here's my question (finally): is there any risk involved in this sort of operation? Or can it be performed on a production system without having to worry about data loss? Cheers from the sunny South of France, Niki -- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info(a)microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12

8 10

"System error" when trying to logon via SSH to CentOS 8 joined to AD
by Konstantin Boyandin 11 Apr '21

11 Apr '21

Hello, I joined a CentOS 8 box to an AD, using the below document as general guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… (section 14.1) A problem: after I tried to log on via SSH (as an AD user) to the box, the journalctl gets the below records: March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.0.55 user=username March 23 12:41:01 sandbox.lan sshd[2262]: pam_sss(sshd:account): Access denied for user username: 4 (System error) March 23 12:41:01 sandbox.lan sshd[2262]: Failed password for username from 10.10.0.55 port 57610 ssh2 March 23 12:41:01 sandbox.lan sshd[2262]: fatal: Access denied for user username by PAM account configuration [preauth] Quick and dirty fix: When I comment a line in /etc/pam.d/password-auth (the one commented below), error goes away: ======= /etc/pam.d/password-auth below auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem #account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so ======= /etc/pam.d/password-auth above If I understand correctly, the commented line means "account is invalid by default; if found in SSSD, it's good; if not found - ignore and proceed". Commenting it is not a good idea, but I can't figure out what's wrong (according to first line from jornalctl authentication *is* passed normally). Additional data (AD domain in this example is EXAMPLE.COM): $ realm list realm list example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U login-policy: allow-realm-logins $ cat /etc/sssd/sssd.conf [sssd] domains = example.com config_file_version = 2 services = nss, pam, ssh debug_level = 9 [domain/example.com] ad_domain = example.com krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_sasl_authid = SANDBOX$ ldap_id_mapping = True use_fully_qualified_names = False ad_gpo_ignore_unreadable = True fallback_homedir = /home/%u access_provider = ad debug_level = 9 === end of /etc/sssd/sssd.conf $ cat /etc/krb5.conf includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 default_ccache_name = KEYRING:persistent:%{uid} default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = true [realms] EXAMPLE.COM = { kdc = dc.example.com kdc = bdc.example.com admin_server = dc.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM === end of /etc/krb5.conf GPO cache exists and is properly owned: ls -al /var/lib/sss/gpo_cache/example.com/ total 0 drwx------. 3 sssd sssd 22 Mar 22 14:52 . drwxr-xr-x. 3 sssd sssd 24 Mar 22 14:52 .. drwx------. 3 sssd sssd 52 Mar 22 14:52 Policies I would appreciate pieces of advice on how to fix authentication issue without commenting out the pam.d configuration file line. Thank you. Sincerely, Konstantin

5 6

CentOS-announce Digest, Vol 193, Issue 1
by centos-announce-request＠centos.org 11 Apr '21

11 Apr '21

Send CentOS-announce mailing list submissions to centos-announce(a)centos.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-request(a)centos.org You can reach the person managing the list at centos-announce-owner(a)centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. CESA-2021:1071 Important CentOS 7 kernel Security Update (Johnny Hughes) 2. CESA-2021:1072 Important CentOS 7 libldb Security Update (Johnny Hughes) ---------------------------------------------------------------------- Message: 1 Date: Sat, 10 Apr 2021 17:09:38 +0000 From: Johnny Hughes <johnny(a)centos.org> To: centos-announce(a)centos.org Subject: [CentOS-announce] CESA-2021:1071 Important CentOS 7 kernel Security Update Message-ID: <20210410170938.GA12184(a)bstore1.rdu2.centos.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2021:1071 Important Upstream details at : https://access.redhat.com/errata/RHSA-2021:1071 The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) x86_64: bfe191b783a11c70daf05fb86e81e2e36d80b7dec5eb2243fa223700ce330824 bpftool-3.10.0-1160.24.1.el7.x86_64.rpm 996ee55268c9971d07d38c3217e0fb813a202d1b838963b6db16217069d193db kernel-3.10.0-1160.24.1.el7.x86_64.rpm 33b524d6eec3fc82a17df2220b596193025c1faf20c5939c4271809681f95803 kernel-abi-whitelists-3.10.0-1160.24.1.el7.noarch.rpm 8764032443efee4dc7bfb0ee1a11749205880cd86b230ad538346b697120c5e7 kernel-debug-3.10.0-1160.24.1.el7.x86_64.rpm e2b80fc90e80e10166a785ab1c718ed12380055d955ab295c5363ad6405fe815 kernel-debug-devel-3.10.0-1160.24.1.el7.x86_64.rpm 52fc84afa30b500c79c2116a67a199c3eba6bbed1b7b171fc4fec483dc2c9f4c kernel-devel-3.10.0-1160.24.1.el7.x86_64.rpm cda402fcb291052201381d37c733af954d30e2e6e3f24e5b636ae67715e8c0d0 kernel-doc-3.10.0-1160.24.1.el7.noarch.rpm 2a69b561a8c58b7ed126929ce0f305827b54da8604e8f662568fc8ec96090f26 kernel-headers-3.10.0-1160.24.1.el7.x86_64.rpm 150b5e83d6acc1e5a6e22bee18216d6c7e0c581dca489071a61aab70eb9b93fb kernel-tools-3.10.0-1160.24.1.el7.x86_64.rpm 540ad2675ab792c4e347811b9c59c9dfa46be5932ed582b6b0748c7a27660973 kernel-tools-libs-3.10.0-1160.24.1.el7.x86_64.rpm 44904175313b13552ac962d42d456dc5d52bface994ef485f56c33f7f6971440 kernel-tools-libs-devel-3.10.0-1160.24.1.el7.x86_64.rpm 9124221e268619f8424d72980a7b256e0e00ba0639fcf0be1387712d145c7416 perf-3.10.0-1160.24.1.el7.x86_64.rpm 2308127baa502197469a17cef0a36622ccd5c528247af648e424284943e73572 python-perf-3.10.0-1160.24.1.el7.x86_64.rpm Source: 6fc0eaf2486a736d0793f6165e07c183bb0c8db2c858bd0dbefc1a2b23a0528b kernel-3.10.0-1160.24.1.el7.src.rpm -- Johnny Hughes CentOS Project { http://www.centos.org/ } irc: hughesjr, #centos(a)irc.freenode.net Twitter: @JohnnyCentOS ------------------------------ Message: 2 Date: Sat, 10 Apr 2021 17:14:31 +0000 From: Johnny Hughes <johnny(a)centos.org> To: centos-announce(a)centos.org Subject: [CentOS-announce] CESA-2021:1072 Important CentOS 7 libldb Security Update Message-ID: <20210410171431.GA12486(a)bstore1.rdu2.centos.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2021:1072 Important Upstream details at : https://access.redhat.com/errata/RHSA-2021:1072 The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) x86_64: 67364ca692de365478eee5a94879717c1fae2b7a4ba46d128ec04f0477c8c2b5 ldb-tools-1.5.4-2.el7.x86_64.rpm 36ad5a43df60889dd9c1134cb0e042317befa64f7293f44bc91271fddbbfc7e6 libldb-1.5.4-2.el7.i686.rpm cec370a7441899c3ffcd47f783a0437d9d649fd4a1252c6c317561f431e537c4 libldb-1.5.4-2.el7.x86_64.rpm 359852ce38e0555b23e78c945070ef67c0599138eac0c52de77a819e8fdebce9 libldb-devel-1.5.4-2.el7.i686.rpm 4d0e360eff9294623b345353bcf2cb4623c50a3e2bf31ace6ba05141150d85fd libldb-devel-1.5.4-2.el7.x86_64.rpm 29124a79cce7024da4f024131a66f80d78a70d73c5fafe6456617633e5b83560 pyldb-1.5.4-2.el7.i686.rpm 8043266fac97f3c92dfeaa8fad590469ad37ab990d86e9ece87829bdd9e0c8ae pyldb-1.5.4-2.el7.x86_64.rpm b3dbb953a4dc9b8b5ee95024d51d922488db5a0f0ec2ece9bf47d8d5cbbf24fa pyldb-devel-1.5.4-2.el7.i686.rpm 8f596e23215f48c31a9bb115c327431b21431ac93d7279b39dc998ca0bdfc6b8 pyldb-devel-1.5.4-2.el7.x86_64.rpm Source: e678f1a0df3c67bd8f6319dbe32013a311d6d797b51284ff7d5e254c2f7a1ff5 libldb-1.5.4-2.el7.src.rpm -- Johnny Hughes CentOS Project { http://www.centos.org/ } irc: hughesjr, #centos(a)irc.freenode.net Twitter: @JohnnyCentOS ------------------------------ Subject: Digest Footer _______________________________________________ CentOS-announce mailing list CentOS-announce(a)centos.org https://lists.centos.org/mailman/listinfo/centos-announce ------------------------------ End of CentOS-announce Digest, Vol 193, Issue 1 ***********************************************

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss April 2021