Re: [CentOS] routing with 2 public ips
On 12/28/2015 04:50 AM, Eliezer Croitoru wrote:
> Which means he has 1 server with two gateway devices which each has its
> own broadcast space\network. It's not clear to me if there are two
> gateways in the same broadcast\network or not.

I think it's safe to assume that the two addresses and, necessarily, the gateways, are in separate broadcast domains. However, even if that weren't the case, it is still sufficient to create two routing tables and use "ip rule" to select the appropriate table (and the gateway it specifies) based on the source address of the packet being routed.

Just to walk you through it, assume his server has two addresses in separate broadcast domains. The first interface has 1.2.3.4/24 with gateway 1.2.3.1. The second interface has 2.3.4.5/24 with gateway 2.3.4.1.

Now, a host at 192.0.2.2 initiates a connection. It sends a TCP SYN packet to 1.2.3.4. The server receives that packet and sends a TCP SYN/ACK to 192.0.2.2. The source address of that packet is 1.2.3.4. A rule exists that matches packets from 1.2.3.4 and selects the first routing table, where the default gateway is 1.2.3.1.

Later, a host at 198.51.100.3 initiates a connection. It sends a TCP SYN packet to 2.3.4.5. The server receives that packet and sends a TCP SYN/ACK to 198.51.100.3. The source address of that packet is 2.3.4.5, since that is the address that the SYN was sent to. A rule exists on the server that matches packets from 2.3.4.5 and selects the second routing table, where the default gateway is 2.3.4.1.

> if it's on the same network then he must have some routing rules and the
> issue is not about a specific src address but about a connection..

You wouldn't normally have two addresses on two interfaces in the same broadcast domain. You'd probably bond the interfaces instead. But if you did, it wouldn't change the process. Reply packets will still have their source address set to the same address that received the request, and you'd still be able to specify the routing table based on that address.

So, again, you *can* mark connections and select a route that way, but it's slower and more complex than using information that's already available. There's simply no reason to do that in a standard multi-homed setup.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
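The walk-through above, turned into ip(8) commands, as an added example that is not part of the thread and not Gordon's own configuration. It uses the addresses from the post (1.2.3.4/24 via 1.2.3.1, 2.3.4.5/24 via 2.3.4.1); the interface names eth0/eth1, the table ids 101/102 and the table names isp1/isp2 are assumptions. The functions only print the commands, so the script can be read and checked without root; the main table is left alone and keeps the server's normal default route for connections the server itself originates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): source-based policy routing
# for a dual-homed host. Interface names, table ids and table names are assumed.
# Nothing here changes the system; run the printed commands as root to apply them.

# Print the commands that set up one uplink:
#   - a dedicated routing table holding the connected subnet and a default route
#   - an "ip rule" that selects that table for packets whose source is this address
# Usage: uplink_cmds IFACE ADDR NET/PREFIX GATEWAY TABLE_ID TABLE_NAME
uplink_cmds() {
    iface=$1 addr=$2 net=$3 gw=$4 tid=$5 tname=$6
    # Give the table a name so "ip rule" and "ip route show table" output stays readable.
    echo "grep -q '^${tid} ${tname}\$' /etc/iproute2/rt_tables || echo '${tid} ${tname}' >> /etc/iproute2/rt_tables"
    # The table needs the connected route too; without it the gateway is unreachable from that table.
    echo "ip route add ${net} dev ${iface} src ${addr} table ${tname}"
    echo "ip route add default via ${gw} dev ${iface} table ${tname}"
    # Lower pref = evaluated earlier; both rules sit before the main-table rule (pref 32766).
    echo "ip rule add from ${addr} lookup ${tname} pref ${tid}"
}

# Print a read-only check: which route the kernel picks for a reply sent from ADDR to DST.
# Usage: check_cmd ADDR DST
check_cmd() {
    echo "ip route get $2 from $1"
}

uplink_cmds eth0 1.2.3.4 1.2.3.0/24 1.2.3.1 101 isp1
uplink_cmds eth1 2.3.4.5 2.3.4.0/24 2.3.4.1 102 isp2
check_cmd 1.2.3.4 192.0.2.2        # should report "via 1.2.3.1 dev eth0"
check_cmd 2.3.4.5 198.51.100.3     # should report "via 2.3.4.1 dev eth1"
```

To make this survive a reboot on CentOS 6/7 without a custom script, the same routes and rules go into /etc/sysconfig/network-scripts/route-eth0 and rule-eth0 (and the eth1 equivalents), which ifup-routes applies when the interface comes up.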
Re: [CentOS] systemd-sysctl not running on boot
I don't see any reason this will have anything to do with the issue.
In any case, I re-installed the package, had the symlink, moved my definitions to sysctl.conf. Still the same.

On Mon, Dec 28, 2015 at 1:17 PM, Sylvain CANOINE <sylvain.cano...@tv5monde.org> wrote:
> - Original Mail -
> > From: "Ofer Hasson"
> > To: "centos"
> > Sent: Thursday 24 December 2015 11:36:00
> > Subject: Re: [CentOS] systemd-sysctl not running on boot
>
> > [root@web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> > drwxr-xr-x. root root system_u:object_r:etc_t:s0 sysctl.d
> >
> > [root@web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> > -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf
>
> Is there a relationship with the new symlink created by the upgrade in my servers ?
>
> # ls -l /etc/sysctl.d/
> total 0
> lrwxrwxrwx. 1 root root 14 23 déc. 18:11 99-sysctl.conf -> ../sysctl.conf
>
> # yum provides /etc/sysctl.d/99-sysctl.conf
> initscripts-9.49.30-1.el7.x86_64 : The inittab file and the /etc/init.d scripts
> Dépôt : base
> Correspondance depuis :
> Nom de fichier : /etc/sysctl.d/99-sysctl.conf
>
> Sylvain.
> Think ENVIRONMENT: print only if necessary
Re: [CentOS] firewalld services
On Mon, Dec 28, 2015 at 4:22 PM, Robert Moskowitz wrote:
> I am familiar with using commands like:
>
> firewall-cmd --permanent --add-service=http
>
> To enable firewalld services. I am also aware that this is through xml
> 'scripts' in:
>
> /usr/lib/firewalld/services/
>
> But what I find interesting is what services are there and which are not.
> I went a'lookin with:
>
> grep "port=" /usr/lib/firewalld/services/*|more

firewall-cmd --get-services

Only the "most common" services, which will undoubtedly be up for interpretation, and opinions will differ.
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

James has some good information here regarding precedence of service vs port-based firewalld rules and creating your own custom service definitions.
https://www.hogarthuk.com/?q=node/9

> And found some like:
>
> http, https, imaps, smtp, and pop3s
>
> What I do not find are others that I would think are 'standard' like:
>
> pop3 (110) and imap (143)

(Given your findings which I've not confirmed...)
With the inclusion of pop3s, I'd expect imap, pop3, and imaps too.

> I can understand 587 not being included, but imap?
>
> I can always just add them with:
>
> firewall-cmd --permanent --add-port=587/tcp

I noticed the same for SNMP. No pre-configured "service profile" so I had to use 161/udp ... but it was a small thing. ;-)

> But I want to use the standard files. Perhaps because they are there.
> Have I missed how some are handled?

I don't think you have. I was curious some weeks ago at the time, but had my solution with port-based and moved on to other tasks.

--
---~~.~~---
Mike
// SilverTip257 //
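One way to get the missing pop3/imap entries as named services rather than bare --add-port rules, following the "custom service definitions" route the reply points at: an added example, not code from the thread or from the firewalld project. Custom definitions go in /etc/firewalld/services/ and use the same XML layout as the stock files under /usr/lib/firewalld/services/. The ROOT argument is an assumption added so the functions can be exercised in a scratch directory without touching the real host.

```shell
#!/bin/sh
# Added example (not from the thread): write a firewalld service definition for a
# single port and read back what it declares. ROOT is an assumed prefix so the
# functions can be tried in a temporary directory; omit it on the real host.

# Usage: make_service NAME SHORT PORT PROTO [ROOT]  -> prints the file written
make_service() {
    name=$1 short=$2 port=$3 proto=$4 root=${5:-}
    dir="$root/etc/firewalld/services"
    mkdir -p "$dir"
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>Locally defined service for $short ($port/$proto).</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    echo "$dir/$name.xml"
}

# Print every port/protocol a service file declares, one per line: the same
# information the original post grepped for with 'grep "port="'.
# Usage: service_ports FILE
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

demo_root=$(mktemp -d)
for svc in "pop3 POP3 110 tcp" "imap IMAP 143 tcp"; do
    set -- $svc
    f=$(make_service "$1" "$2" "$3" "$4" "$demo_root")
    echo "$f: $(service_ports "$f")"
done
rm -rf "$demo_root"
# On the real host (no ROOT argument), then:
#   firewall-cmd --reload
#   firewall-cmd --get-services | tr ' ' '\n' | grep -x imap      # new name is now listed
#   firewall-cmd --permanent --add-service=imap && firewall-cmd --reload
```

A file in /etc/firewalld/services/ with the same name as a stock one overrides it, so the same mechanism also lets you narrow a stock definition without editing anything under /usr/lib.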
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original Mail -
> From: "Gordon Messmer"
> To: "centos"
> Sent: Thursday 24 December 2015 07:25:00
> Subject: Re: [CentOS] Network services start before network is up since migrating to 7.2

> On 12/23/2015 08:38 AM, Sylvain CANOINE wrote:
>> Then I'm wondering :
>> 2/ why "After=foo" does not imply "Requires=foo" for systemd 219, while it
>> appeared to be in systemd 208. Either it's a regression, or the behaviour of
>> 208, although logical, is buggy.
>
> I'm not entirely certain, but "After=" is independent of "Requires=", as
> documented on an up-to-date install of CentOS 7.

http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ says :
"Services using the network should hence simply place an After=network.target dependency in their unit files, and avoid any Wants=network.target or even Requires=network.target."

But all the other related explanations I found on the web either say nothing about the relationship between "After=" and "Requires="/"Wants=", or confirm there's none. For example in http://www.freedesktop.org/software/systemd/man/systemd.unit.html :
"Note that this setting (editor's note: "After=" or "Before=") is independent of and orthogonal to the requirement dependencies as configured by Requires=."

I didn't find the related CentOS documentation, but I suppose it's correct. I suppose it mentions NetworkManager, anyway.

I'm able to understand systemd isn't designed to make the relationship between "After=" and "Requires="... But why design it like that ? Giving the ability to start a service before or after a disabled other is nonsense.

But all of that doesn't give any clue concerning the different behaviour of the two quoted versions of systemd.

I think an additional "Requires=network.target" parameter in the network-online.target unit by default, or at least a note to the users, would be appreciated.

Sylvain.
Think ENVIRONMENT: print only if necessary
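Since "After=" only orders and does not pull anything in, the documented way (from the NetworkTarget page quoted above) to make a service wait for the network to actually be up is to give it both an After= and a Wants= on network-online.target. The following is an added example, not from the thread or from systemd's own files: it writes that pair as a drop-in for an existing unit. The ROOT argument is an assumption so the function can be tried in a scratch directory; httpd.service is just a sample unit name.

```shell
#!/bin/sh
# Added example (not from the thread): add an ordering AND a requirement
# dependency on network-online.target to a unit via a drop-in, without editing
# the vendor file under /usr/lib/systemd/system/. ROOT is an assumed prefix
# used only so the function can be exercised without root.

# Usage: add_network_online_dropin UNIT [ROOT]  -> prints the drop-in written
add_network_online_dropin() {
    unit=$1 root=${2:-}
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    # "After=" orders the start; "Wants=" is what actually pulls the target in.
    cat > "$dir/10-network-online.conf" <<'EOF'
[Unit]
After=network-online.target
Wants=network-online.target
EOF
    echo "$dir/10-network-online.conf"
}

# Check that a drop-in carries both halves; one without the other is the
# situation the thread describes. Usage: dropin_complete FILE -> "yes" or "no"
dropin_complete() {
    if grep -q '^After=network-online.target$' "$1" && grep -q '^Wants=network-online.target$' "$1"; then
        echo yes
    else
        echo no
    fi
}

demo_root=$(mktemp -d)
f=$(add_network_online_dropin httpd.service "$demo_root")
echo "wrote $f (complete: $(dropin_complete "$f"))"
rm -rf "$demo_root"
# On the real host, afterwards:
#   systemctl daemon-reload
#   systemctl enable NetworkManager-wait-online.service   # makes network-online.target really wait
#   systemctl show -p After -p Wants httpd.service        # confirm the dependencies took
```

network-online.target only delays things if a "wait-online" service is enabled to implement it (NetworkManager-wait-online.service on a NetworkManager host); without one it is reached as soon as network.target is, which is why the last two commands are worth running.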
Re: [CentOS] CentOS 7 pcp-pmda-nvidia-gpu SELinux problems
I think I worked out one part: the SELinux issues probably didn't pop up initially because the nVidia PMDA was probably started within the context of me running 'sudo ./Install', whereas after a reboot it was started within the context of systemd starting up pmcd.

I just hit a similar issue with a PMDA that I wrote myself, where it worked fine after I ran the Install script but hit SELinux problems after 'sudo systemctl restart pmcd'.

Regards,
David

From: dcos...@hotmail.com
To: centos@centos.org
Subject: CentOS 7 pcp-pmda-nvidia-gpu SELinux problems
Date: Wed, 23 Dec 2015 22:47:01 +1000

Hi all,

I installed Performance Co-Pilot 3 days ago, and installed the nVidia PMDA according to the instructions at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/ch03s03s02.html and was able to view metrics about my video card using pmchart. I then played around a little with the lmsensors PMDA (but it doesn't look too useful to me - it doesn't support my sensors, and I think it's for a 2.x kernel).

After not looking at PCP at all for a few days, today I tried using pmchart to look at the nVidia metrics again but they were unavailable, and after checking /var/log/messages I found SELinux complaints.

After a few iterations of the suggested 'grep pmdanvidia /var/log/audit/audit.log | audit2allow -M [...]', 'semodule -i [...].pp', restarting the PCP service, getting new SELinux errors, going back to step 1, I ended up with this content in the .te file:

"""
module doshea-selinux-pcp-pmda-nvidia-gpu 1.0;

require {
        type xserver_misc_device_t;
        type pcp_pmcd_t;
        class capability sys_admin;
        class chr_file { read write ioctl open };
}

#= pcp_pmcd_t ==
allow pcp_pmcd_t self:capability sys_admin;

# This avc is allowed in the current policy
allow pcp_pmcd_t xserver_misc_device_t:chr_file { read write ioctl open };
"""

I don't get why this worked 3 days ago and not today. I haven't installed many packages in the meantime.

Should I file a bug somewhere about this? I don't know much about SELinux - I have a slight ability to edit those .te files and I think I remember what to do with them afterwards - but it seems like the sys_admin capability is pretty significant to be granting. Is there any way to work out why that's needed?

Thanks in advance,
David
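On the question of working out why sys_admin is being asked for: before feeding denials to audit2allow, it helps to reduce each AVC record to the process, object class, target type and permission involved, so capability grants stand out from ordinary device-file access. The script below is an added example, not from the thread or from the PCP project. The two audit lines are constructed to match the .te file above (pcp_pmcd_t, xserver_misc_device_t, sys_admin); real ones come from /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials so the permission
# being requested is visible before anything is allowed. SAMPLE_AVC is
# constructed; on a real host pipe in audit.log or "ausearch -m AVC -c pmdanvidia".
SAMPLE_AVC='type=AVC msg=audit(1451041234.567:891): avc:  denied  { sys_admin } for  pid=2345 comm="pmdanvidia" capability=21  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1451041235.123:892): avc:  denied  { read write } for  pid=2345 comm="pmdanvidia" name="nvidiactl" dev="devtmpfs" ino=12345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xserver_misc_device_t:s0 tclass=chr_file permissive=0'

# Reduce each denial to: process, object class, target type, permissions (tab separated).
summarize_avc() {
    awk '/avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        comm = ""; tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); ttype = p[3] }
        }
        print comm "\t" tclass "\t" ttype "\t" perms
    }'
}

# Capability denials deserve a closer look than device-file ones: sys_admin is
# close to root, so find the syscall behind it before writing an allow rule.
capability_denials() {
    summarize_avc | awk -F '\t' '$2 == "capability"'
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | capability_denials
# On the real host, to see what triggered the capability check:
#   ausearch -m AVC -c pmdanvidia | audit2why    # explains each denial
#   ausearch -m SYSCALL -c pmdanvidia            # the syscall records that accompany it
```

If the syscall turns out to be one the PMDA can do without, a dontaudit rule or a change to how the PMDA is launched is a smaller grant than allowing pcp_pmcd_t the sys_admin capability outright.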
Re: [CentOS] systemd-sysctl not running on boot
- Original Mail -
> From: "Ofer Hasson"
> To: "centos"
> Sent: Thursday 24 December 2015 11:36:00
> Subject: Re: [CentOS] systemd-sysctl not running on boot

> [root@web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> drwxr-xr-x. root root system_u:object_r:etc_t:s0 sysctl.d
>
> [root@web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf

Is there a relationship with the new symlink created by the upgrade in my servers ?

# ls -l /etc/sysctl.d/
total 0
lrwxrwxrwx. 1 root root 14 23 déc. 18:11 99-sysctl.conf -> ../sysctl.conf

# yum provides /etc/sysctl.d/99-sysctl.conf
initscripts-9.49.30-1.el7.x86_64 : The inittab file and the /etc/init.d scripts
Dépôt : base
Correspondance depuis :
Nom de fichier : /etc/sysctl.d/99-sysctl.conf

Sylvain.
Think ENVIRONMENT: print only if necessary
[CentOS] Fiber Channel target with CentOS 6.7?
Hi all,

I've been googling for this for a day now and I can't seem to find a coherent, structured way to build a fiber channel storage box where CentOS 6.7 is used both at the fiber channel target and initiator ends. My Brocade HBAs are installed and the driver loads just fine in both boxes.

Any ideas, pointers or URLs are more than welcome.

Thanks,
Joacim
Re: [CentOS] routing with 2 public ips
I still do not understand something.
The thread started with:

I have a server with 2 public ips on 2 devices. I want that the request of incoming traffic don't use the default gateway. Incoming traffic should be answered using the gateway of the incoming device. Could I realize this with firewalld? Or directly iptables?
##END OF QUOTE

Which means he has 1 server with two gateway devices which each has its own broadcast space\network. It's not clear to me if there are two gateways in the same broadcast\network or not.
If it's on the same network then he must have some routing rules and the issue is not about a specific src address but about a connection..

Now with both of these devices there he has an issue. He sure needs to use basic routing skills to make it work using some metrics if he wants a static routing setup... but when it becomes almost asymmetric it is possible to have a "reverse-path" routing situation, which is because the server has two default gateways and not one. For this situation he cannot utilize the source address but only the source mac address, unless these 2 devices are some sort of reverse proxies, which in this case do not require any routing settings at all and not even a default gateway or direct Internet access.

So from what I understood he will need to do some connection marking by the MAC address if these two devices are two routers which do NAT.

Eliezer

On 28/12/2015 09:22, Gordon Messmer wrote:
> No, but you don't have to. In the scenario presented, two links with two IP
> addresses in different broadcast domains, traffic that is sent in response to
> requests received on the second link/IP address will have the second IP
> address in the source address field. You can use that as the rule.
>
> Remember that Ethernet and IP are separate technologies. You can make routing
> policies entirely in the IP layer without mixing in Ethernet stuff like MAC
> addresses.
Re: [CentOS] Perl DBI 1.52 on el6
You might want to try installing the version of DBI you want using local::lib, which can be done with something like (this is using cpan minus):

    cpanm --local-lib=/path/to/custom/location DBI@1.52

then in your Perl script:

    use local::lib '/path/to/custom/location';

If you need to do a full compile of perl, use perlbrew. You don't want to mess with the system version of Perl in any way if you can avoid it.

~ Brian Mathis
@orev

On Sat, Dec 26, 2015 at 10:49 AM, Erick Ocrospoma wrote:
> Hello guys,
>
> I was told by the client to install Perl DBI version 1.52 on a el6 box, by
> default el6 branch comes with DBI version 1.6x, this version is AFAIK not
> the desired one.
>
> First I tried installing DBI 1.52 from some rpm package [1], which had some
> dependencies, Perl 5.8.8 and dbd.4.4.x, this last package was also present
> el6, so it made conflict and it was not possible to install DBI 1.52 from a
> rpm.
>
> Then, I downloaded version 1.52 [2], and tried to compile it, but it
> failed while doing the make test. I'm not sure if it is not a problem,
> because while doing make, it did not show error/failure messages.
>
> Finally, it seems I'd have to compile Perl 5.8.8 by hand, and then try to
> add DBI module also. Is this possible to install it safely and make it
> coexist with default Perl version (5.10.1) in el6 ?
>
> I'm also writing to DBI user list, about make test failure messages. But
> maybe, I guess, it is failing because it is not supported by Perl 5.10.1
> and Perl 5.8.8 does.
>
> No clue about this, in my opinion it should compile with Perl 5.10.1
>
> Regards.
> --
> Erick.
> ---
> IRC : zerick
> Blog: http://zerick.me
> About : http://about.me/zerick
> Linux User ID : 549567
Re: [CentOS] routing with 2 public ips
On 12/28/2015 01:19 AM, Александр Кириллов wrote:
> Are you sure? You assume the destination of the incoming traffic is
> the gateway. What if it isn't?

Can you explain what you mean? Not only am I not assuming that, I can hardly conceive of any situation in which a host will receive traffic for its own gateway.
[CentOS] firewalld services
I am familiar with using commands like:

firewall-cmd --permanent --add-service=http

To enable firewalld services. I am also aware that this is through xml 'scripts' in:

/usr/lib/firewalld/services/

But what I find interesting is what services are there and which are not. I went a'lookin with:

grep "port=" /usr/lib/firewalld/services/*|more

And found some like:

http, https, imaps, smtp, and pop3s

What I do not find are others that I would think are 'standard' like:

pop3 (110) and imap (143)

I can understand 587 not being included, but imap?

I can always just add them with:

firewall-cmd --permanent --add-port=587/tcp

But I want to use the standard files. Perhaps because they are there. Have I missed how some are handled?

thanks
Re: [CentOS] Yum Weird Message
On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder wrote:
>
> I ran into this exact issue last night -
>
> http://www.iotti.biz/?p=433
>
> When a computer is connected via IPv4 but the IPv4 a repo host connects to is
> not available, yum then tries the IPv6 address and will fail with a confusing
> message telling you it failed to connect to the IPv6 address.
>
> I don't know if there is a way for yum to figure out whether the current
> network connection to the Internet is IPv4 or IPv6.
>
> But if there is a way, it might make a usability improvement. A lot of people
> have no idea what IPv6 is and would be confused.
>
> I was confused myself at first, wondering if DHCP pulled in IPv6 from the
> router.

If your DNS answers IPv6, it will have preference over IPv4. You can set ip_resolve=4 in your yum.conf

--
Marcelo

"Could it be that this modern life has more of modern than of life in it?" (Mafalda)
Re: [CentOS] Yum Weird Message
On 12/28/2015 02:10 PM, Marcelo Roccasalva wrote:
> On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder wrote:
>> I ran into this exact issue last night -
>>
>> http://www.iotti.biz/?p=433
>>
>> When a computer is connected via IPv4 but the IPv4 a repo host connects to is
>> not available, yum then tries the IPv6 address and will fail with a confusing
>> message telling you it failed to connect to the IPv6 address.
>>
>> I don't know if there is a way for yum to figure out whether the current
>> network connection to the Internet is IPv4 or IPv6.
>>
>> But if there is a way, it might make a usability improvement. A lot of people
>> have no idea what IPv6 is and would be confused.
>>
>> I was confused myself at first, wondering if DHCP pulled in IPv6 from the
>> router.
>
> If your DNS answers IPv6, it will have preference over IPv4. You can set
> ip_resolve=4 in your yum.conf

The issue is the yum server was down, so IPv4 didn't work.

Once that server was back up (third party repo) it of course worked no issue.

The issue is the error message, while a technically correct one, is one that is not very user friendly and can be confusing to people who are not dual-stack.

It could be improved.

--
-=-
Sent from my laptop, may not be able to respond timely
[CentOS] Yum Weird Message
I ran into this exact issue last night -

http://www.iotti.biz/?p=433

When a computer is connected via IPv4 but the IPv4 a repo host connects to is not available, yum then tries the IPv6 address and will fail with a confusing message telling you it failed to connect to the IPv6 address.

I don't know if there is a way for yum to figure out whether the current network connection to the Internet is IPv4 or IPv6.

But if there is a way, it might make a usability improvement. A lot of people have no idea what IPv6 is and would be confused.

I was confused myself at first, wondering if DHCP pulled in IPv6 from the router.

--
-=-
Sent from my laptop, may not be able to respond timely
Re: [CentOS] Yum Weird Message
On Mon, 2015-12-28 at 19:23 -0500, Mark LaPierre wrote:
> The place to complain about this is the Fedora list since what CentOS
> has comes from them by way of RHEL. They, Fedora, are not apt to pay
> you any mind because they have already abandoned yum and are going
> with a new package manager named dnf soon to be appearing in a system
> near you.

DNF is a stupid name. The Feds could have called it yum2 - K.I.S.S.

--
Regards,
Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] Yum Weird Message
On 12/28/15 17:16, Alice Wonder wrote:
>
> On 12/28/2015 02:10 PM, Marcelo Roccasalva wrote:
>> On Mon, Dec 28, 2015 at 5:24 PM, Alice Wonder wrote:
>>>
>>> I ran into this exact issue last night -
>>>
>>> http://www.iotti.biz/?p=433
>>>
>>> When a computer is connected via IPv4 but the IPv4 a repo host
>>> connects to is not available, yum then tries the IPv6 address and
>>> will fail with a confusing message telling you it failed to connect
>>> to the IPv6 address.
>>>
>>> I don't know if there is a way for yum to figure out whether the
>>> current network connection to the Internet is IPv4 or IPv6.
>>>
>>> But if there is a way, it might make a usability improvement. A lot
>>> of people have no idea what IPv6 is and would be confused.
>>>
>>> I was confused myself at first, wondering if DHCP pulled in IPv6 from
>>> the router.
>>
>> If your DNS answers IPv6, it will have preference over IPv4. You can set
>> ip_resolve=4 in your yum.conf
>>
>
> The issue is the yum server was down, so IPv4 didn't work.
>
> Once that server was back up (third party repo) it of course worked no
> issue.
>
> The issue is the error message, while a technically correct one, is one
> that is not very user friendly and can be confusing to people who are
> not dual-stack.
>
> It could be improved.
>

The place to complain about this is the Fedora list since what CentOS has comes from them by way of RHEL. They, Fedora, are not apt to pay you any mind because they have already abandoned yum and are going with a new package manager named dnf soon to be appearing in a system near you.

--
_
°v°
/(_)\
^ ^
Mark LaPierre
Registered Linux user No #267004
https://linuxcounter.net/