Hello,
On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:
```
$ sudo dnf upgrade --refresh
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream                      0.0 B/s |   0  B     00:16
Errors during downloading metadata for repository 'appstream':
  - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
```
Trying to retrieve the mirror list with wget gives similar errors (see log below).
This is a development VM and I was playing with firewalld zones on this interface (drop, block, etc.) in order to see the most restrictive that I could use in order to update a system. But the error also appears if I switch back the zone to public.
Could it be that my address has been blacklisted because of all these tests?
From my laptop, also running CentOS 8 Streams, everything is working as expected.
Thanks in advance for hints on how to analyze further!
Mathieu
## wget log
```
$ wget http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS...
--2021-02-19 08:35:14--  http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS...
Resolving mirrorlist.centos.org (mirrorlist.centos.org)... 2001:4178:5:200::10, 2600:1f16:c1:5e01:4180:6610:5482:c1c0, 2604:1380:2001:d00::3, ...
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2001:4178:5:200::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2600:1f16:c1:5e01:4180:6610:5482:c1c0|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:2001:d00::3|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1580:fe02:2::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:1001:6c00::1|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2a05:d012:8b5:6503:9efb:5cad:348f:e826|:80... failed: Permission denied.
```
On Fri, 19 Feb 2021, Mathieu Baudier wrote:
> Hello,
> On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:
> $ sudo dnf upgrade --refresh
> Failed to set locale, defaulting to C.UTF-8
> CentOS Stream 8 - AppStream 0.0 B/s | 0 B 00:16
> Errors during downloading metadata for repository 'appstream':
> - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

Try using an https:// URL.
> On Fri, 19 Feb 2021, Mathieu Baudier wrote:
>> Hello,
>> On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:
>> $ sudo dnf upgrade --refresh
>> Failed to set locale, defaulting to C.UTF-8
>> CentOS Stream 8 - AppStream 0.0 B/s | 0 B 00:16
>> Errors during downloading metadata for repository 'appstream':
>> - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>> Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>
> Try using an https:// URL.

Are you sure? At least from here over IPv4, http works well but https doesn't work at all. Sounds strange if http would work only over IPv4 and https would work only over IPv6.
Simon
On Fri, 19 Feb 2021 at 09:47, Simon Matter simon.matter@invoca.ch wrote:
>> On Fri, 19 Feb 2021, Mathieu Baudier wrote:
>>> Hello,
>>> On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:
>>> $ sudo dnf upgrade --refresh
>>> Failed to set locale, defaulting to C.UTF-8
>>> CentOS Stream 8 - AppStream 0.0 B/s | 0 B 00:16
>>> Errors during downloading metadata for repository 'appstream':
>>> - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>>> Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>>
>> Try using an https:// URL.
>
> Are you sure? At least from here over IPv4, http works well but https doesn't work at all. Sounds strange if http would work only over IPv4 and https would work only over IPv6.

It wouldn't work anyway because CentOS mirrors do not have https. I tried this from my home system

```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -v6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&..."; done
* Trying 2001:4178:5:200::10:443...
* connect to 2001:4178:5:200::10 port 443 failed: Permission denied
* Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Trying 2600:1f16:c1:5e01:4180:6610:5482:c1c0:443...
* connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443 failed: Permission denied
* Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Trying 2604:1380:2001:d00::3:443...
* connect to 2604:1380:2001:d00::3 port 443 failed: Permission denied
* Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Trying 2604:1580:fe02:2::10:443...
* connect to 2604:1580:fe02:2::10 port 443 failed: Permission denied
* Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Trying 2604:1380:1001:6c00::1:443...
* connect to 2604:1380:1001:6c00::1 port 443 failed: Permission denied
* Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

removing the -v gives the following error:

```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&..."; done
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Notice that the permission denied is different from what was reported in the original email. I am not sure why that is.
If I change that from https: to http all of the IP addresses work. So my guess is that something is blocking the originator IP to those mirror servers but it isn't clear what.
On 2/19/21 12:37 AM, Mathieu Baudier wrote:
> - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

It's unusual to see EPERM on a call to connect()... The man page suggests that this can be caused by a local firewall rule or an SELinux policy.
https://man7.org/linux/man-pages/man2/connect.2.html
"yum" and "wget" should be running in an unconfined domain, so SELinux is *probably* not the cause. I'd take a look at the output of "iptables -L OUTPUT" first. I've tried creating local firewall rules that I'd expect to result in EPERM, but they do not, so I'm not sure what such a rule looks like.
In article 8dc3d2af-a7b0-d54f-85b4-fbdbc49b3106@gmail.com, Gordon Messmer gordon.messmer@gmail.com wrote:
> On 2/19/21 12:37 AM, Mathieu Baudier wrote:
>> - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
>
> It's unusual to see EPERM on a call to connect()... The man page suggests that this can be caused by a local firewall rule or an SELinux policy.
> https://man7.org/linux/man-pages/man2/connect.2.html
> "yum" and "wget" should be running in an unconfined domain, so SELinux is *probably* not the cause. I'd take a look at the output of "iptables -L OUTPUT" first. I've tried creating local firewall rules that I'd expect to result in EPERM, but they do not, so I'm not sure what such a rule looks like.

Of course, SELinux can be confirmed or ruled out by doing "setenforce 0" and then trying the operation again.
Then "setenforce 1" again afterwards, of course.
Cheers Tony
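
The errno reasoning in the replies above, as an added example that is not code from any poster in this thread: connect(2) documents EACCES and EPERM as a local firewall rule (EACCES also as an SELinux denial), so a "Permission denied" failure points at the originating host rather than at a remote blacklist. The names `classify`, `classify_log_line` and `probe` are hypothetical, and the sample lines are constructed in the format of the wget and curl logs quoted in the thread.

```python
import errno
import os
import re
import socket

# connect(2): EACCES/EPERM mean a local firewall rule (EACCES also an SELinux
# denial) rejected the call, so the SYN never left this host.
VERDICTS = {
    errno.EACCES: "local-policy", errno.EPERM: "local-policy",
    errno.ENETUNREACH: "no-route", errno.EHOSTUNREACH: "no-route",
    errno.ECONNREFUSED: "remote-refused",
    errno.ETIMEDOUT: "silent-drop",
}
# Reverse map from the libc strerror() text that wget and curl print.
BY_TEXT = {os.strerror(code): code for code in VERDICTS}

def classify(code):
    """Map a connect() errno to a coarse verdict."""
    return "connected" if code == 0 else VERDICTS.get(code, "other")

def classify_log_line(line):
    """Classify one wget/curl failure line by its trailing strerror() text."""
    m = re.search(r"(?:failed|port \d+): ([A-Za-z ]+?)\.?\s*$", line)
    if not m or m.group(1) not in BY_TEXT:
        return None
    return classify(BY_TEXT[m.group(1)])

def probe(addr, port=80, timeout=5.0):
    """Attempt a TCP connect to an IPv6 literal and classify the outcome."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "connected"
        except socket.timeout:
            return "silent-drop"
        except OSError as e:
            return classify(e.errno)

# Constructed sample lines (2001:db8::/32 is the documentation prefix).
SAMPLE = [
    "Connecting to mirror.example (mirror.example)|2001:db8::10|:80... failed: Permission denied.",
    "curl: (7) Failed to connect to 2001:db8::10 port 443: Permission denied",
    "curl: (7) Failed to connect to 2001:db8::10 port 443: Connection refused",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify_log_line(line), "<-", line)
```

A `local-policy` verdict is the cue to inspect the host's own output filtering (firewalld zone, nftables/ip6tables OUTPUT rules) and the SELinux audit log before suspecting the mirror side.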