Re: [CentOS] routing with 2 public ips

2015-12-28 Thread Gordon Messmer

On 12/28/2015 04:50 AM, Eliezer Croitoru wrote:
> Which means he has 1 server with two gateway devices which each has
> its own broadcast space\network.
> It's not clear to me if there are two gateways in the same
> broadcast\network or not.


I think it's safe to assume that the two addresses and, necessarily, the 
gateways, are in separate broadcast domains.  However, even if that 
weren't the case, it is still sufficient to create two routing tables 
and use "ip rule" to select the appropriate table (and the gateway it 
specifies) based on the source address of the packet being routed.


Just to walk you through it, assume his server has two addresses in 
separate broadcast domains.  The first interface has 1.2.3.4/24 with 
gateway 1.2.3.1.  The second interface has 2.3.4.5/24 with gateway 2.3.4.1.


Now, a host at 192.0.2.2 initiates a connection.  It sends a TCP SYN 
packet to 1.2.3.4.  The server receives that packet and sends a TCP 
SYN/ACK to 192.0.2.2.  The source address of that packet is 1.2.3.4.  A 
rule exists that matches packets from 1.2.3.4 and selects the first 
routing table, where the default gateway is 1.2.3.1.


Later, a host at 198.51.100.3 initiates a connection.  It sends a TCP 
SYN packet to 2.3.4.5.  The server receives that packet and sends a TCP 
SYN/ACK to 198.51.100.3.  The source address of that packet is 2.3.4.5, 
since that is the address that the SYN was sent to.  A rule exists on 
the server that matches packets from 2.3.4.5 and selects the second 
routing table, where the default gateway is 2.3.4.1.


> if it's on the same network then he must have some routing rules and
> the issue is not about a specific src address but about a connection..


You wouldn't normally have two addresses on two interfaces in the same 
broadcast domain.  You'd probably bond the interfaces instead. But if 
you did, it wouldn't change the process.  Reply packets will still have 
their source address set to the same address that received the request, 
and you'd still be able to specify the routing table based on that address.


So, again, you *can* mark connections and select a route that way, but 
it's slower and more complex than using information that's already 
available.  There's simply no reason to do that in a standard 
multi-homed setup.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
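The two-table setup Gordon describes, as an added example that is not part of the thread. It uses the post's own addresses and assumes the interface names eth0/eth1 and the routing table numbers 100/200 (any free number below 253 works; a name can be mapped in /etc/iproute2/rt_tables). The script prints the ip(8) commands by default; run it with RUN= (empty) as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): source-keyed policy routing for a
# dual-homed CentOS 7 host, using the addresses from the post above:
#   eth0  1.2.3.4/24  gateway 1.2.3.1   -> table 100
#   eth1  2.3.4.5/24  gateway 2.3.4.1   -> table 200
# Interface names and table numbers are assumptions for illustration.
# RUN defaults to "echo" (dry run, prints the commands); RUN= applies them.

RUN=${RUN:-echo}

# network_of ADDR/PREFIX -> the network in CIDR form (1.2.3.4/24 -> 1.2.3.0/24)
network_of() {
    bits=${1#*/}
    ip=${1%/*}
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 )) "$bits"
}

# policy_route IFACE ADDR/PREFIX GATEWAY TABLE
# Each link gets its own table holding (1) the connected route for the link
# and (2) that link's default gateway, plus (3) a rule that sends every packet
# *sourced* from the link's address to that table. A reply keeps the address
# the request was sent to as its source, so it leaves through the same gateway.
policy_route() {
    iface=$1 cidr=$2 gw=$3 table=$4
    addr=${cidr%/*}
    net=$(network_of "$cidr")
    $RUN ip route add "$net" dev "$iface" src "$addr" table "$table"
    $RUN ip route add default via "$gw" dev "$iface" table "$table"
    $RUN ip rule add from "$addr" table "$table" priority $((1000 + table))
}

# verify_reply_path LOCAL_ADDR PEER -> the route the kernel picks for a packet
# from LOCAL_ADDR to PEER; once applied, it names the gateway of that link.
verify_reply_path() {
    $RUN ip route get "$2" from "$1"
}

policy_route eth0 1.2.3.4/24 1.2.3.1 100
policy_route eth1 2.3.4.5/24 2.3.4.1 200
verify_reply_path 1.2.3.4 192.0.2.2
verify_reply_path 2.3.4.5 198.51.100.3
```

Each table carries the connected route for its link as well as that link's default gateway, so a lookup from either address resolves entirely within its own table. Because the rules are keyed on the source address only, the strict reverse-path filter CentOS 7 enables by default (net.ipv4.conf.*.rp_filter = 1) keeps working: the reverse lookup for a request arriving on eth1 for 2.3.4.5 lands in table 200 and finds eth1, and spoofed sources are still dropped. To persist this with the CentOS 7 network-scripts, put the `ip route` arguments (everything after `ip route add`) in /etc/sysconfig/network-scripts/route-eth0 and route-eth1, and the `ip rule` arguments in rule-eth0 and rule-eth1.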


Re: [CentOS] systemd-sysctl not running on boot

2015-12-28 Thread Ofer Hasson
I don't see any reason this will have anything to do with the issue.
In any case, I re-installed the package, had the symlink, moved my
definitions to sysctl.conf. Still the same.

On Mon, Dec 28, 2015 at 1:17 PM, Sylvain CANOINE <
sylvain.cano...@tv5monde.org> wrote:

>
> - Original message -
> > From: "Ofer Hasson"
> > To: "centos"
> > Sent: Thursday 24 December 2015 11:36:00
> > Subject: Re: [CentOS] systemd-sysctl not running on boot
>
> > [root@web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> > drwxr-xr-x. root   root   system_u:object_r:etc_t:s0   sysctl.d
> >
> > [root@web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> > -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf
> >
> Is there a relationship with the new symlink created by the upgrade in my
> servers ?
>
> # ls -l /etc/sysctl.d/
> total 0
> lrwxrwxrwx.  1 root root   14 23 Dec  18:11 99-sysctl.conf -> ../sysctl.conf
>
> # yum provides /etc/sysctl.d/99-sysctl.conf
> initscripts-9.49.30-1.el7.x86_64 : The inittab file and the /etc/init.d scripts
> Repo        : base
> Matched from:
> Filename    : /etc/sysctl.d/99-sysctl.conf
>
>
> Sylvain.
> Think ENVIRONMENT: print only if necessary
>


Re: [CentOS] firewalld services

2015-12-28 Thread Mike - st257
On Mon, Dec 28, 2015 at 4:22 PM, Robert Moskowitz 
wrote:

> I am familiar with using commands like:
>
> firewall-cmd --permanent --add-service=http
>
> To enable firewalld services.  I am also aware that this is through xml
> 'scripts' in:
>
> /usr/lib/firewalld/services/
>
> But what I find interesting is what services are there and which are not.
> I went a'lookin with:
>
> grep "port=" /usr/lib/firewalld/services/*|more
>

firewall-cmd --get-services

Only the "most common" services, which will undoubtedly be open to
interpretation, and opinions will differ.
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

James has some good information here regarding precedence of service vs
port-based firewalld rules and creating your own custom service definitions.
https://www.hogarthuk.com/?q=node/9


>
> And found some like:
>
> http, https, imaps, smtp, and pop3s
>
> What I do not find are others that I would think are 'standard' like:
>
> pop3 (110) and imap (143)
>

(Given your findings which I've not confirmed...)
With the inclusion of pop3s, I'd expect imap, pop3, and imaps too.


>
> I can understand 587 not being included, but imap?
>
> I can always just add them with:
>
> firewall-cmd --permanent --add-port=587/tcp
>

I noticed the same for SNMP. No pre-configured "service profile" so I had
to use 161/udp ... but it was a small thing. ;-)


>
> But I want to use the standard files.  Perhaps because they are there.
> Have I missed how some are handled?
>

I don't think you have.
I was curious some weeks ago at the time, but had my solution with
port-based and moved on to other tasks.

-- 
---~~.~~---
Mike
//  SilverTip257  //
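How to supply the definitions that are missing, as an added example that is not from the thread: firewalld reads /etc/firewalld/services/ before the packaged /usr/lib/firewalld/services/, so a file of the same shape there defines a new service without touching the package. The generator below takes the directory as a parameter so it can be exercised offline; the service names, short texts and descriptions are this example's own. Keep in mind that imap (143) and pop3 (110) are cleartext unless the server enforces STARTTLS; where the mail server offers imaps/pop3s, the packaged services already cover those.

```shell
#!/bin/sh
# Added example (not from the thread): define firewalld services that the
# package does not ship (imap, pop3) as XML in the same shape as the files
# in /usr/lib/firewalld/services/, and inspect a services directory.
# Service names, <short> texts and descriptions are this example's own.

# write_service DIR NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes DIR/NAME.xml and prints its path. DESCRIPTION must not contain
# the XML specials & < > (they are not escaped here).
write_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s</description>\n' "$desc"
        for p in "$@"; do
            # "143/tcp" -> protocol="tcp" port="143"
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$file"
    chmod 0644 "$file"
    echo "$file"
}

# service_ports FILE -> one "port/proto" per line, as firewalld will open them
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# list_services DIR -> "name: port/proto ..." for every service file in DIR,
# e.g. list_services /usr/lib/firewalld/services to see what is packaged.
list_services() {
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue
        service_ports "$f" | awk -v name="$(basename "$f" .xml)" \
            'BEGIN { printf "%s:", name } { printf " %s", $0 } END { print "" }'
    done
}

# Live use (as root), then reload so firewalld picks the new files up:
#   write_service /etc/firewalld/services imap "IMAP" "Internet Message Access Protocol" 143/tcp
#   write_service /etc/firewalld/services pop3 "POP3" "Post Office Protocol v3" 110/tcp
#   firewall-cmd --reload
#   firewall-cmd --permanent --add-service=imap && firewall-cmd --reload
```

`firewall-cmd --get-services` lists the new names once the reload has run, and `list_services /usr/lib/firewalld/services` gives the inventory Robert was after with his grep, one line per service.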


Re: [CentOS] Network services start before network is up since migrating to 7.2

2015-12-28 Thread Sylvain CANOINE

- Original message -
> From: "Gordon Messmer"
> To: "centos"
> Sent: Thursday 24 December 2015 07:25:00
> Subject: Re: [CentOS] Network services start before network is up since migrating to 7.2

> On 12/23/2015 08:38 AM, Sylvain CANOINE wrote:
>> Then I'm wondering :
>> 2/ why "After=foo" does not imply "Requires=foo" for systemd 219, while it
>> appeared to be in systemd 208. Either it's a regression, or the behaviour of
>> 208, although logical, is buggy.
> 
> I'm not entirely certain, but "After=" is independent of "Requires=", as
> documented on an up-to-date install of CentOS 7.
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ says :
"Services using the network should hence simply place an After=network.target 
dependency in their unit files, and avoid any Wants=network.target or even 
Requires=network.target."

But all the other related explanations I found on the web either say nothing 
about the relationship between "After=" and "Requires="/"Wants=", or confirm 
there isn't one. For example in 
http://www.freedesktop.org/software/systemd/man/systemd.unit.html :
"Note that this setting (editor's note: "After=" or "Before=") is independent of and 
orthogonal to the requirement dependencies as configured by Requires=."

I didn't find the related CentOS documentation, but I suppose it's correct. I 
suppose it mentions NetworkManager, anyway.

I'm able to understand systemd isn't designed to make the 
relationship between "After=" and "Requires="... But why design it like that? 
Giving the ability to start a service before or after another one that is 
disabled is nonsense.

But none of that gives any clue concerning the different behaviour of the 
two quoted versions of systemd. I think an additional "Requires=network.target" 
parameter in the network-online.target unit by default, or at least a note to 
the users, would be appreciated.

Sylvain.



Think ENVIRONMENT: print only if necessary

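An added example, not from the thread, that checks for exactly the trap Sylvain runs into: After=network-online.target only orders a unit behind the target when something else pulls the target into the boot transaction, so a unit that wants to wait for the network needs Wants=network-online.target (or Requires=) alongside the After=. The audit below scans a directory of unit files for the ordering-only pattern and writes the drop-in that fixes one; the directory is a parameter so it can be run against a copy of /etc/systemd/system. On CentOS 7 with NetworkManager, network-online.target only actually waits for addresses when NetworkManager-wait-online.service is enabled (`systemctl is-enabled NetworkManager-wait-online.service`).

```shell
#!/bin/sh
# Added example (not from the thread): find units that are ordered after
# the network target without pulling it in, and write the drop-in that
# fixes one. After= alone is ordering; Wants=/Requires= is what pulls the
# target into the transaction. Directory paths are parameters so this can
# be run against a copy of /etc/systemd/system.

# unit_network_deps FILE -> "ORDER=<target or ->" and "PULL=<target or ->"
# from the After= and Wants=/Requires= lines of the [Unit] section.
unit_network_deps() {
    awk '
        /^\[/ { in_unit = ($0 == "[Unit]") }
        in_unit && /^(After|Wants|Requires)=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            n = split(val, vals, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (vals[i] ~ /^network(-online)?\.target$/) {
                    if (key == "After") order = vals[i]
                    else pull = vals[i]
                }
        }
        END {
            print "ORDER=" (order ? order : "-")
            print "PULL=" (pull ? pull : "-")
        }
    ' "$1"
}

# audit_units DIR -> one line per *.service that waits for a network target
# it never pulls in, or pulls in a different one than it orders after.
audit_units() {
    for f in "$1"/*.service; do
        [ -e "$f" ] || continue
        order=$(unit_network_deps "$f" | sed -n 's/^ORDER=//p')
        pull=$(unit_network_deps "$f" | sed -n 's/^PULL=//p')
        [ "$order" = "-" ] && continue
        if [ "$pull" = "-" ]; then
            echo "$f: After=$order without Wants=/Requires= (ordering only)"
        elif [ "$pull" != "$order" ]; then
            echo "$f: After=$order but pulls in $pull (mismatched targets)"
        fi
    done
}

# write_fix DIR UNIT -> drop-in that both pulls in and orders after
# network-online.target, without editing the packaged unit file.
write_fix() {
    d="$1/$2.d"
    mkdir -p "$d"
    printf '[Unit]\nWants=network-online.target\nAfter=network-online.target\n' \
        > "$d/network-online.conf"
    echo "$d/network-online.conf"
}

# Live use (as root): audit_units /etc/systemd/system, then for each hit
#   write_fix /etc/systemd/system foo.service && systemctl daemon-reload
```

The drop-in goes under /etc/systemd/system/<unit>.d/ so it survives package updates, and `systemctl show -p After,Wants <unit>` after `daemon-reload` confirms that both dependencies are now in effect.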


Re: [CentOS] CentOS 7 pcp-pmda-nvidia-gpu SELinux problems

2015-12-28 Thread David O'Shea
I think I worked out one part: the SELinux issues probably didn't pop up 
initially because the nVidia PMDA was probably started within the context of me 
running 'sudo ./Install', whereas after a reboot it was started within the 
context of systemd starting up pmcd.  I just hit a similar issue with a PMDA 
that I wrote myself, where it worked fine after I ran the Install script but 
hit SELinux problems after 'sudo systemctl restart pmcd'.

Regards,
David

From: dcos...@hotmail.com
To: centos@centos.org
Subject: CentOS 7 pcp-pmda-nvidia-gpu SELinux problems
Date: Wed, 23 Dec 2015 22:47:01 +1000




Hi all,

I installed Performance Co-Pilot 3 days ago, and installed the nVidia PMDA 
according to the instructions at 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/ch03s03s02.html
 and was able to view metrics about my video card using pmchart.  I then played 
around a little with the lmsensors PMDA (but it doesn't look too useful to me - 
it doesn't support my sensors, and I think it's for a 2.x kernel).

After not looking at PCP at all for a few days, today I tried using pmchart to 
look at the nVidia metrics again but they were unavailable, and after checking 
/var/log/messages I found SELinux complaints.  After a few iterations of the 
suggested 'grep pmdanvidia /var/log/audit/audit.log | audit2allow -M [...]', 
'semodule -i [...].pp', restarting the PCP service, getting new SELinux errors, 
going back to step 1, I ended up with this content in the .te file:

"""
module doshea-selinux-pcp-pmda-nvidia-gpu 1.0;

require {
type xserver_misc_device_t;
type pcp_pmcd_t;
class capability sys_admin;
class chr_file { read write ioctl open };
}

#= pcp_pmcd_t ==
allow pcp_pmcd_t self:capability sys_admin;

# This avc is allowed in the current policy
allow pcp_pmcd_t xserver_misc_device_t:chr_file { read write ioctl open };
"""

I don't get why this worked 3 days ago and not today.  I haven't installed many 
packages in the meantime.

Should I file a bug somewhere about this?

I don't know much about SELinux - I have a slight ability to edit those .te 
files and I think I remember what to do with them afterwards - but it seems 
like the sys_admin capability is pretty significant to be granting.  Is there 
any way to work out why that's needed?

Thanks in advance,
David

  
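An added example, not from the thread, for the question at the end of David's original message. audit2allow writes an allow rule for every denial it is fed, so a capability grant such as sys_admin ends up in the module alongside the harmless device access unless it is separated out first. The functions below summarise AVC records by source domain, target type and class, single out the capability denials for separate justification (audit2why explains each one; `semodule -DB` temporarily disables dontaudit rules so related hidden denials become visible, `semodule -B` restores them) and hand-write the narrow allow rules for the rest. The AVC records are constructed for this example using the types from the .te file above; the pid, inode and timestamps are made up. On a live system feed it `ausearch -m AVC -c pmdanvidia --raw`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials before handing
# them to audit2allow, so that capability grants such as sys_admin are seen
# and justified separately from ordinary device access. The records below
# are constructed for this example, using the types from the .te file above.
# Live use: ausearch -m AVC -c pmdanvidia --raw | summarize_avc

SAMPLE_AVC='type=AVC msg=audit(1451257200.101:301): avc:  denied  { read write } for  pid=2345 comm="pmdanvidia" name="nvidiactl" dev="devtmpfs" ino=12001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=AVC msg=audit(1451257200.102:302): avc:  denied  { ioctl open } for  pid=2345 comm="pmdanvidia" path="/dev/nvidiactl" dev="devtmpfs" ino=12001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file
type=AVC msg=audit(1451257200.103:303): avc:  denied  { sys_admin } for  pid=2345 comm="pmdanvidia" capability=21  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability'

# summarize_avc < records -> "source_type target_type class perms comm", one
# line per (source, target, class), with the permissions merged.
summarize_avc() {
    awk '
        # field(name): the value of " name=value" in the record, quotes stripped
        function field(name,    s) {
            s = $0
            if (!match(s, " " name "=[^ ]*")) return "-"
            s = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", s)
            return s
        }
        # setype(ctx): the type of a user:role:type:level context
        function setype(ctx,    parts) { split(ctx, parts, ":"); return parts[3] }
        /avc: *denied/ {
            perms = $0
            sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
            gsub(/ +/, ",", perms)
            key = setype(field("scontext")) " " setype(field("tcontext")) " " field("tclass")
            if (key in seen) seen[key] = seen[key] "," perms
            else { seen[key] = perms; order[++n] = key; comm[key] = field("comm") }
        }
        END { for (i = 1; i <= n; i++) print order[i], seen[order[i]], comm[order[i]] }
    '
}

# risky_grants < records -> only the capability denials. These need a reason
# (audit2why, and "semodule -DB" to surface dontaudit-hidden denials) before
# they are allowed: sys_admin is one of the broadest capabilities there is.
risky_grants() {
    summarize_avc | awk '$3 == "capability" || $3 == "capability2"'
}

# allow_rules_without_caps < records -> hand-written allow rules for the
# object denials only, i.e. the part of audit2allow output worth keeping.
allow_rules_without_caps() {
    summarize_avc | awk '$3 != "capability" && $3 != "capability2" {
        perms = $4; gsub(/,/, " ", perms)
        printf "allow %s %s:%s { %s };\n", $1, $2, $3, perms
    }'
}
```

This also explains the "worked after Install, failed after reboot" observation in David's follow-up: `sudo ./Install` ran the PMDA in the unconfined domain of the shell, while pmcd started from systemd runs it as pcp_pmcd_t, and only the latter is subject to these rules.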


Re: [CentOS] systemd-sysctl not running on boot

2015-12-28 Thread Sylvain CANOINE

- Original message -
> From: "Ofer Hasson"
> To: "centos"
> Sent: Thursday 24 December 2015 11:36:00
> Subject: Re: [CentOS] systemd-sysctl not running on boot

> [root@web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> drwxr-xr-x. root   root   system_u:object_r:etc_t:s0   sysctl.d
> 
> [root@web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf
> 
Is there a relationship with the new symlink created by the upgrade in my 
servers ?

# ls -l /etc/sysctl.d/
total 0
lrwxrwxrwx.  1 root root   14 23 Dec  18:11 99-sysctl.conf -> ../sysctl.conf

# yum provides /etc/sysctl.d/99-sysctl.conf
initscripts-9.49.30-1.el7.x86_64 : The inittab file and the /etc/init.d scripts
Repo        : base
Matched from:
Filename    : /etc/sysctl.d/99-sysctl.conf


Sylvain.
Think ENVIRONMENT: print only if necessary



[CentOS] Fiber Channel target with CentOS 6.7?

2015-12-28 Thread Joacim Melin
Hi all,

I've been googling for this for a day now and I can't seem to find a coherent 
structured way to build a fiber channel storage box where CentOS 6.7 is used 
both at the fiber channel target and initiator ends.  

My Brocade HBAs are installed and the driver loads just fine in both boxes. 

Any ideas, pointers or URLs are more than welcome.

Thanks,

Joacim




Re: [CentOS] routing with 2 public ips

2015-12-28 Thread Eliezer Croitoru

I still do not understand something.
The thread started with:
> I have a server with 2 public ips on 2 devices.
>
> I want that the requests of incoming traffic don't use the default
> gateway. Incoming traffic should be answered using the gateway of the
> incoming device
>
> Could I realize this with firewalld? Or directly iptables?
##END OF QUOTE

Which means he has 1 server with two gateway devices, each of which has its 
own broadcast space\network.
It's not clear to me if there are two gateways in the same 
broadcast\network or not.
If it's on the same network then he must have some routing rules and the 
issue is not about a specific src address but about a connection..

Now with both of these devices there he has an issue.
He surely needs to use basic routing skills to make it work using some 
metrics if he wants a static routing setup... but when it becomes almost 
asymmetric it is possible to have a "reverse-path" routing situation, 
because the server has two default gateways and not one.
For this situation he cannot utilize the source address but only the 
source MAC address, unless these 2 devices are some sort of reverse proxies, 
which in this case do not require any routing settings at all, not 
even a default gateway or direct Internet access.


So from what I understood he will need to do some connection marking by 
the MAC address if these two devices are two routers which do NAT.


Eliezer

On 28/12/2015 09:22, Gordon Messmer wrote:

> No, but you don't have to.  In the scenario presented, two links with
> two IP addresses in different broadcast domains, traffic that is sent in
> response to requests received on the second link/IP address will have
> the second IP address in the source address field.  You can use that as
> the rule.
>
> Remember that Ethernet and IP are separate technologies.  You can make
> routing policies entirely in the IP layer without mixing in Ethernet
> stuff like MAC addresses.




Re: [CentOS] Perl DBI 1.52 on el6

2015-12-28 Thread Brian Mathis
You might want to try installing the version of DBI you want using
local::lib, which can be done with something like (this is using
cpanminus):
cpanm --local-lib=/path/to/custom/location DBI@1.52

then in your Perl script:
use local::lib '/path/to/custom/location';

If you need to do a full compile of perl, use perlbrew.  You don't want to
mess with the system version of Perl in any way if you can avoid it.


~ Brian Mathis
@orev


On Sat, Dec 26, 2015 at 10:49 AM, Erick Ocrospoma 
wrote:

> Hello guys,
>
> I was told by the client to install Perl DBI version 1.52 on a el6 box, by
> default el6 branch comes with DBI version 1.6x, this version is AFAIK not
> the desired one.
>
> First I tried installing DBI 1.52 from some rpm package [1], which had some
> dependencies, Perl 5.8.8 and dbd.4.4.x; this last package was also present in
> el6, so it conflicted and it was not possible to install DBI 1.52 from an
> rpm.
>
> Then, I downloaded version 1.52 [2], and tried to compile it, but it
> failed while doing the make test. I'm not sure if it is not a problem,
> because while doing make, it did not show error/failure messages.
>
> Finally, it seems I'd have to compile Perl 5.8.8 by hand, and then try to
> add DBI module also. Is this possible to install it safely and make it
> coexist with default Perl version (5.10.1) in el6 ?
>
> I'm also writing to the DBI user list about the make test failure messages. But
> maybe, I guess, it is failing because it is not supported by Perl 5.10.1
> while Perl 5.8.8 is.
>
> No clue about this, in my opinion it should compile with Perl 5.10.1
>
> Regards.
> --
> Erick.
> ---
> IRC :   zerick
> Blog: http://zerick.me
> About :  http://about.me/zerick
> Linux User ID :  549567
>


Re: [CentOS] routing with 2 public ips

2015-12-28 Thread Gordon Messmer

On 12/28/2015 01:19 AM, Александр Кириллов wrote:

> Are you sure? You assume the destination of the incoming traffic is
> the gateway. What if it isn't?


Can you explain what you mean?  Not only am I not assuming that, I can 
hardly conceive of any situation in which a host will receive traffic 
for its own gateway.



[CentOS] firewalld services

2015-12-28 Thread Robert Moskowitz

I am familiar with using commands like:

firewall-cmd --permanent --add-service=http

To enable firewalld services.  I am also aware that this is through xml 
'scripts' in:


/usr/lib/firewalld/services/

But what I find interesting is what services are there and which are 
not.  I went a'lookin with:


grep "port=" /usr/lib/firewalld/services/*|more

And found some like:

http, https, imaps, smtp, and pop3s

What I do not find are others that I would think are 'standard' like:

pop3 (110) and imap (143)

I can understand 587 not being included, but imap?

I can always just add them with:

firewall-cmd --permanent --add-port=587/tcp

But I want to use the standard files.  Perhaps because they are there.  
Have I missed how some are handled?


thanks



Re: [CentOS] Yum Weird Message

2015-12-28 Thread Marcelo Roccasalva
On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder  wrote:
>
> I ran into this exact issue last night -
>
> http://www.iotti.biz/?p=433
>
> When a computer is connected via IPv4 but the IPv4 a repo host connects to is 
> not available, yum then tries the IPv6 address and will fail with a confusing 
> message telling you it failed to connect to the IPv6 address.
>
> I don't know if there is a way for yum to figure out whether the current 
> network connection to the Internet is IPv4 or IPv6.
>
> But if there is a way, it might make a usability improvement. A lot of people 
> have no idea what IPv6 is and would be confused.
>
> I was confused myself at first, wondering if DHCP pulled in IPv6 from the 
> router.

If your DNS answers IPv6, it will have preference over IPv4. You can set
 ip_resolve=4 in your yum.conf

-- 
Marcelo

"Could it be that this modern life is having more of modern than of
life?" (Mafalda)


Re: [CentOS] Yum Weird Message

2015-12-28 Thread Alice Wonder



On 12/28/2015 02:10 PM, Marcelo Roccasalva wrote:
> On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder  wrote:
>>
>> I ran into this exact issue last night -
>>
>> http://www.iotti.biz/?p=433
>>
>> When a computer is connected via IPv4 but the IPv4 a repo host connects to is
>> not available, yum then tries the IPv6 address and will fail with a confusing
>> message telling you it failed to connect to the IPv6 address.
>>
>> I don't know if there is a way for yum to figure out whether the current
>> network connection to the Internet is IPv4 or IPv6.
>>
>> But if there is a way, it might make a usability improvement. A lot of people
>> have no idea what IPv6 is and would be confused.
>>
>> I was confused myself at first, wondering if DHCP pulled in IPv6 from the
>> router.
>
> If your DNS answers IPv6, it will have preference over IPv4. You can set
>   ip_resolve=4 in your yum.conf



The issue is the yum server was down, so IPv4 didn't work.

Once that server was back up (third party repo) it of course worked no 
issue.


The issue is the error message, while a technically correct one, is one 
that is not very user friendly and can be confusing to people who are 
not dual-stack.


It could be improved.

--
-=-
Sent from my laptop, may not be able to respond timely


[CentOS] Yum Weird Message

2015-12-28 Thread Alice Wonder

I ran into this exact issue last night -

http://www.iotti.biz/?p=433

When a computer is connected via IPv4 but the IPv4 a repo host connects 
to is not available, yum then tries the IPv6 address and will fail with 
a confusing message telling you it failed to connect to the IPv6 address.


I don't know if there is a way for yum to figure out whether the current 
network connection to the Internet is IPv4 or IPv6.


But if there is a way, it might make a usability improvement. A lot of 
people have no idea what IPv6 is and would be confused.


I was confused myself at first, wondering if DHCP pulled in IPv6 from 
the router.


--
-=-
Sent from my laptop, may not be able to respond timely


Re: [CentOS] Yum Weird Message

2015-12-28 Thread Always Learning

On Mon, 2015-12-28 at 19:23 -0500, Mark LaPierre wrote:

> The place to complain about this is the Fedora list since what CentOS
> has comes from them by way of RHEL.  They, Fedora, are not apt to pay
> you any mind because they have already abandoned yum and are going
> with a new package manager named dnf soon to be appearing in a system
> near you.

DNF is a stupid name. The Feds could have called it yum2 - K.I.S.S.


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] Yum Weird Message

2015-12-28 Thread Mark LaPierre
On 12/28/15 17:16, Alice Wonder wrote:
> 
> 
> On 12/28/2015 02:10 PM, Marcelo Roccasalva wrote:
>> On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder 
>> wrote:
>>>
>>> I ran into this exact issue last night -
>>>
>>> http://www.iotti.biz/?p=433
>>>
>>> When a computer is connected via IPv4 but the IPv4 a repo host
>>> connects to is not available, yum then tries the IPv6 address and
>>> will fail with a confusing message telling you it failed to connect
>>> to the IPv6 address.
>>>
>>> I don't know if there is a way for yum to figure out whether the
>>> current network connection to the Internet is IPv4 or IPv6.
>>>
>>> But if there is a way, it might make a usability improvement. A lot
>>> of people have no idea what IPv6 is and would be confused.
>>>
>>> I was confused myself at first, wondering if DHCP pulled in IPv6 from
>>> the router.
>>
>> If your DNS answers IPv6, it will have preference over IPv4. You can set
>>   ip_resolve=4 in your yum.conf
>>
> 
> The issue is the yum server was down, so IPv4 didn't work.
> 
> Once that server was back up (third party repo) it of course worked no
> issue.
> 
> The issue is the error message, while a technically correct one, is one
> that is not very user friendly and can be confusing to people who are
> not dual-stack.
> 
> It could be improved.
> 

The place to complain about this is the Fedora list since what CentOS
has comes from them by way of RHEL.  They, Fedora, are not apt to pay
you any mind because they have already abandoned yum and are going with
a new package manager named dnf soon to be appearing in a system near you.

-- 
_
   °v°
  /(_)\
   ^ ^  Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/
