Hello,
On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:
```
$ sudo dnf upgrade --refresh
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream                     0.0  B/s |   0  B     00:16
Errors during downloading metadata for repository 'appstream':
  - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS... [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
```
Trying to retrieve the mirror list with wget gives similar errors (see log below).
This is a development VM and I was playing with firewalld zones on this interface (drop, block, etc.) in order to see the most restrictive that I could use in order to update a system. But the error also appears if I switch back the zone to public.
Could it be that my address has been blacklisted because of all these tests?
From my laptop, also running CentOS 8 Streams, everything is working as expected.
Thanks in advance for hints on how to analyze further!
Mathieu
## wget log
```
$ wget http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS...
--2021-02-19 08:35:14--  http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppS...
Resolving mirrorlist.centos.org (mirrorlist.centos.org)... 2001:4178:5:200::10, 2600:1f16:c1:5e01:4180:6610:5482:c1c0, 2604:1380:2001:d00::3, ...
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2001:4178:5:200::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2600:1f16:c1:5e01:4180:6610:5482:c1c0|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:2001:d00::3|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1580:fe02:2::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:1001:6c00::1|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2a05:d012:8b5:6503:9efb:5cad:348f:e826|:80... failed: Permission denied.
```
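The key detail in the wget and dnf output above is the errno, not the exit code: `Permission denied` (EPERM) on `connect()` is generated by the local kernel before any packet leaves the host, whereas a remote blacklist would normally show up as a timeout (SYN dropped in the path) or a connection refused (RST from the peer). The following script is an added example, not code from Mathieu's post or from CentOS; it probes every address a host resolves to and maps each `connect()` errno to the layer that most likely caused it. The verdict labels and the grouping of errnos are this example's own assumptions, derived from the connect(2) man page.

```python
import errno
import socket

# Verdict labels (assumption: grouping based on the errno semantics in connect(2)).
LOCAL_POLICY = "local policy"       # netfilter OUTPUT rule, firewalld zone target, SELinux/LSM
REMOTE_OR_PATH = "remote or path"   # peer answered, or packets were dropped beyond this host
NO_ROUTE = "local routing"          # no IPv6 route / address family problem on this host


def classify_connect_errno(err):
    """Map a connect() errno to the layer that most likely produced it.

    Returns (verdict, explanation). EPERM/EACCES never come from the network:
    the kernel refused to emit the SYN, which is why a "Permission denied"
    points at the local host rather than at a remote blacklist.
    """
    if err in (errno.EPERM, errno.EACCES):
        return LOCAL_POLICY, "kernel refused to send the SYN (netfilter OUTPUT/firewalld or an LSM)"
    if err == errno.ECONNREFUSED:
        return REMOTE_OR_PATH, "RST came back: port closed or actively rejected by the peer or path"
    if err == errno.ETIMEDOUT:
        return REMOTE_OR_PATH, "SYN or SYN/ACK silently dropped in the path (upstream filter, blacklist)"
    if err in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
        return NO_ROUTE, "no usable route or source address for this address family"
    return "unknown", "errno %d (%s)" % (err, errno.errorcode.get(err, "?"))


def probe(host, port, family=socket.AF_INET6, timeout=5.0):
    """Attempt one TCP connect to every address `host` resolves to.

    Returns a list of (address, errno, (verdict, explanation)); errno 0 means connected.
    """
    results = []
    for fam, stype, proto, _, sockaddr in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
        sock = socket.socket(fam, stype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            results.append((sockaddr[0], 0, ("connected", "")))
        except socket.timeout:
            # socket.timeout carries no errno; treat it as ETIMEDOUT
            results.append((sockaddr[0], errno.ETIMEDOUT, classify_connect_errno(errno.ETIMEDOUT)))
        except OSError as exc:
            code = exc.errno if exc.errno is not None else errno.EIO
            results.append((sockaddr[0], code, classify_connect_errno(code)))
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Mirror host taken from the thread; port 80 because the mirror list is served over plain HTTP.
    for addr, code, (verdict, why) in probe("mirrorlist.centos.org", 80):
        print("%-45s errno=%-3d %-14s %s" % (addr, code, verdict, why))
```

Run it on the affected VM and on the laptop that works: if the VM reports `local policy` for every address while the laptop connects, the cause is on the VM (firewall backend, zone target or an LSM), and no amount of mirror-side investigation will help.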
On Fri, 19 Feb 2021 at 09:47, Simon Matter simon.matter@invoca.ch wrote:
It wouldn't work anyway because CentOS mirrors do not have https. I tried this from my home system:

```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -v6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&..."; done
* Trying 2001:4178:5:200::10:443...
* connect to 2001:4178:5:200::10 port 443 failed: Permission denied
* Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
* Trying 2600:1f16:c1:5e01:4180:6610:5482:c1c0:443...
* connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443 failed: Permission denied
* Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
* Trying 2604:1380:2001:d00::3:443...
* connect to 2604:1380:2001:d00::3 port 443 failed: Permission denied
* Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
* Trying 2604:1580:fe02:2::10:443...
* connect to 2604:1580:fe02:2::10 port 443 failed: Permission denied
* Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
* Trying 2604:1380:1001:6c00::1:443...
* connect to 2604:1380:1001:6c00::1 port 443 failed: Permission denied
* Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
* Closing connection 0
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```

Removing the -v gives the following error:

```
[ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&..."; done
curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
```
Notice that the permission denied is different from what was reported in the original email. I am not sure why that is.
If I change that from https: to http all of the IP addresses work. So my guess is that something is blocking the originator IP to those mirror servers but it isn't clear what.
On 2/19/21 12:37 AM, Mathieu Baudier wrote:
It's unusual to see EPERM on a call to connect()... The man page suggests that this can be caused by a local firewall rule or an SELinux policy.
https://man7.org/linux/man-pages/man2/connect.2.html
"yum" and "wget" should be running in an unconfined domain, so SELinux is *probably* not the cause. I'd take a look at the output of "iptables -L OUTPUT" first. I've tried creating local firewall rules that I'd expect to result in EPERM, but they do not, so I'm not sure what such a rule looks like.
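Gordon's suggestion to look at the OUTPUT chain first is the right starting point, since a DROP or REJECT verdict for a locally generated packet is what turns `connect()` into EPERM. The script below is an added example, not code from any post in this thread or from CentOS; it parses `ip6tables -S OUTPUT` (iptables-save syntax) and lists the rules, or a DROP/REJECT chain policy, that could stop outbound TCP to a given port. The embedded ruleset is constructed for the example, not taken from Mathieu's VM. One caveat: on CentOS 8 firewalld uses the nftables backend, so zone rules live in `nft list ruleset` under the `inet firewalld` table and do not appear in ip6tables output; the parser here covers only the iptables-compatible tables, which is still where hand-written test rules usually end up.

```python
import shlex
import subprocess

BLOCKING = {"DROP", "REJECT"}

# Constructed sample in `ip6tables -S OUTPUT` syntax; not taken from any host in the thread.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -p tcp -m tcp --dport 8000:8999 -j DROP
"""


def _ports(spec):
    """Expand '80', '80,443' or '8000:8999' into a set of port numbers."""
    out = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_rule(line):
    """Tokenise one iptables-save style line into the fields this audit cares about."""
    toks = shlex.split(line)
    rule = {"chain": None, "policy": None, "proto": None, "dports": set(), "target": None, "raw": line}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-P":                      # chain policy: -P OUTPUT DROP
            rule["chain"], rule["policy"] = toks[i + 1], toks[i + 2]
            i += 3
        elif tok == "-A":                    # rule appended to a chain
            rule["chain"] = toks[i + 1]
            i += 2
        elif tok == "-p":                    # protocol match
            rule["proto"] = toks[i + 1]
            i += 2
        elif tok in ("--dport", "--dports"):  # tcp/udp or multiport destination ports
            rule["dports"] |= _ports(toks[i + 1])
            i += 2
        elif tok == "-j":                    # verdict / jump target
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def find_blocking_rules(ruleset_text, port, proto="tcp"):
    """Return OUTPUT rules (and a DROP/REJECT chain policy) that can stop outbound `proto` to `port`."""
    hits = []
    for line in ruleset_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["chain"] != "OUTPUT":
            continue
        if rule["policy"] in BLOCKING:
            hits.append(rule["raw"])
        elif (rule["target"] in BLOCKING
              and rule["proto"] in (None, "all", proto)
              and (not rule["dports"] or port in rule["dports"])):
            hits.append(rule["raw"])
    return hits


def audit_live(port, proto="tcp"):
    """Run the audit against the live ip6tables OUTPUT chain; None if ip6tables cannot be run."""
    try:
        out = subprocess.run(["ip6tables", "-S", "OUTPUT"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return find_blocking_rules(out, port, proto)


if __name__ == "__main__":
    for p in (80, 443):
        print("sample rules that can block outbound tcp/%d:" % p)
        for hit in find_blocking_rules(SAMPLE_RULES, p):
            print("  ", hit)
    live = audit_live(80)
    print("live ip6tables OUTPUT audit for tcp/80:", "ip6tables unavailable" if live is None else live)
```

Rules that match by interface or owner (`-o`, `-m owner`) are reported as hits whenever their port and protocol match, which errs on the side of showing a rule rather than hiding it; with the sample ruleset, port 80 flags the multiport REJECT, port 22 flags nothing, and port 8080 falls inside the DROP range.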
In article 8dc3d2af-a7b0-d54f-85b4-fbdbc49b3106@gmail.com, Gordon Messmer gordon.messmer@gmail.com wrote:
Of course, SELinux can be confirmed or ruled out by doing "setenforce 0" and then trying the operation again.
Then "setenforce 1" again afterwards, of course.
Cheers,
Tony