Re: [CentOS] CentOS 8: two external network adapters, two ISPs - routing problems

2021-08-02 Thread Alan McRae via CentOS
You need to SNAT the outbound traffic on eth0 and eth2 to use the 
interface address that the packets leave from.


On 31/07/2021 02:27, Konstantin Boyandin via CentOS wrote:

Hello!

Given: a CentOS 8-powered computer with three network adapters.

eth0, eth2: external, connected to two different ISPs
eth1: faces home network (intranet)

The task: allow accessing certain internal services from either ISP.
There are several services; I only mention SSH below.

In the configs below:
IP1: external IP at first ISP (ISP1), assigned to eth0
Gateway1: IP of gateway provided by ISP1
Network1,Netmask1: related to IP1
IP2: external IP at second ISP (ISP2), assigned to eth2
Gateway2: IP of gateway provided by ISP2
Network2,Netmask2: related to IP2
LocalSSHIP: IP in intranet (eth1) where SSH server is running

Current configs follow. Routing tables:

echo "200 isp1" >> /etc/iproute2/rt_tables
echo "201 isp2" >> /etc/iproute2/rt_tables

Routing policies:
/etc/sysconfig/network-scripts/route-eth0

Network1 dev eth0 src IP1 table isp1
default via Gateway1 dev eth0 table isp1

/etc/sysconfig/network-scripts/route-eth2

Network2 dev eth2 src IP2 table isp2
default via Gateway2 dev eth2 table isp2

Routing rules:
/etc/sysconfig/network-scripts/rule-eth0

from IP1/32 table isp1

/etc/sysconfig/network-scripts/rule-eth2

from IP2/32 table isp2

iptables snippets. External traffic forwarded to local SSH server from
both interfaces:

iptables -A PREROUTING -t nat -i eth0 -p tcp -d IP1 --dport 22 -j DNAT --to LocalSSHIP:22
iptables -A PREROUTING -t nat -i eth2 -p tcp -d IP2 --dport 22 -j DNAT --to LocalSSHIP:22
iptables -A FORWARD -p tcp -d LocalSSHIP --dport 22 -j ACCEPT

eth0 is default gateway:
$ ip route

default via Gateway1 dev eth0 proto static metric 100
default via Gateway2 dev eth2 proto static metric 101
...

$ ip rule

0:  from all lookup local
32764:  from IP2 lookup isp2
32765:  from IP1 lookup isp1
32766:  from all lookup main
32767:  from all lookup default

SNAT is applied for the traffic originating from eth1:

iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j SNAT --to-source IP1

Current situation:

- All services forwarded from eth0 are working normally.
- All traffic originating from intranet passes out and back normally.
- All the attempts to access services from eth2 time out.

There are no obvious hints in /var/log/messages (such as complaints
about "martian IPs").

I am somewhat at a loss here; any advice would be very welcome.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
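A constructed configuration script, added here and not part of the thread (neither Konstantin's rules nor Alan's), showing one way to keep replies on the ISP a connection arrived on. The per-interface SNAT on both ISP interfaces is the point the reply makes; the conntrack mark and the loose rp_filter setting are additions. It assumes the isp1/isp2 entries in rt_tables and eth1 as the intranet interface, as in the post, and uses RFC 5737 documentation addresses in place of the IP1/IP2 placeholders.

```shell
#!/bin/sh
# Added example: dual-ISP DNAT with policy routing (not the thread's own rules).
# Why eth2 times out: the reply from LocalSSHIP to a client that arrived on
# eth2 is routed while its source is still LocalSSHIP (reverse NAT happens
# after the routing decision), so "from IP2 lookup isp2" never matches and the
# reply goes out eth0. Marking the connection with its ingress interface and
# restoring that mark on packets from the intranet sends replies back the
# right way. Addresses are RFC 5737 documentation ranges, standing in for the
# post's placeholders; table names isp1/isp2 are assumed to be in rt_tables.
IP1=${IP1:-198.51.100.10}  Gateway1=${Gateway1:-198.51.100.1}  Network1=${Network1:-198.51.100.0/24}
IP2=${IP2:-203.0.113.20}   Gateway2=${Gateway2:-203.0.113.1}   Network2=${Network2:-203.0.113.0/24}
LocalSSHIP=${LocalSSHIP:-192.168.1.10}
LAN=eth1                   # intranet interface from the post
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (needs root)

x() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# isp_rules <table> <mark> <iface> <ip> <gateway> <network>
isp_rules() {
  tbl=$1 mark=$2 dev=$3 ip=$4 gw=$5 net=$6
  x ip route replace "$net" dev "$dev" src "$ip" table "$tbl"
  x ip route replace default via "$gw" dev "$dev" table "$tbl"
  x ip rule add from "$ip/32" table "$tbl"      # traffic sourced by the router
  x ip rule add fwmark "$mark" table "$tbl"     # forwarded replies (marked below)
  # remember on which ISP a new connection came in
  x iptables -t mangle -A PREROUTING -i "$dev" -m conntrack --ctstate NEW \
    -j CONNMARK --set-mark "$mark"
  x iptables -t nat -A PREROUTING -i "$dev" -p tcp -d "$ip" --dport 22 \
    -j DNAT --to-destination "$LocalSSHIP:22"
  # whatever leaves this interface carries this interface's address
  x iptables -t nat -A POSTROUTING -o "$dev" -j SNAT --to-source "$ip"
  # strict reverse-path filtering drops packets arriving on the non-default
  # ISP (the client's reverse route points at eth0); loose mode keeps them
  x sysctl -q -w "net.ipv4.conf.$dev.rp_filter=2"
}

multi_isp_rules() {
  x sysctl -q -w net.ipv4.ip_forward=1
  isp_rules isp1 0x1 eth0 "$IP1" "$Gateway1" "$Network1"
  isp_rules isp2 0x2 eth2 "$IP2" "$Gateway2" "$Network2"
  # only packets from the intranet get the mark back: replies then use the
  # ISP table; inbound packets from the ISPs stay on the main table to eth1
  x iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
  x iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  x iptables -A FORWARD -p tcp -d "$LocalSSHIP" --dport 22 -j ACCEPT
}

multi_isp_rules
```

Run with DRY_RUN=1 first and read the emitted commands; the rules are appended, so apply them once at boot rather than repeatedly.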


Re: [CentOS] Upgrade to 8.4 .2105 Problems

2021-06-05 Thread Alan McRae via CentOS

Thank you.

I managed:


#!/bin/bash
# verify every installed package in turn
for rp in $(rpm -q -a)
do
    echo "$rp"
    rpm --verify "$rp"
done
but rpm -Va is neater. It only showed up config files and the like that 
you would expect to be different.


I'll check the list of rpms next against a clean install/upgrade to make 
sure I have them all.


Alan

--
Alan McRae

On 05/06/2021 21:32, Simon Matter wrote:

On Sat, Jun 05, 2021 at 04:32:30PM +1200, Alan McRae via CentOS wrote:

I noticed in journalctl that gnome-shell was core dumping.

yum reinstall gnome-shell fixed my displays problem.

So I am back to my first premise that the 'yum update' did not
complete properly for some reason.

Is there any way I can check the integrity of the packages installed?

rpm, but not to my knowledge, has a "verify" command.

rpm -Va


It checks all files from the specified package are present
and compares 9 properties with the original specs.


--
Jon H. LaBadie  j...@labadie.us




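An added example, not from the thread: a small triage of `rpm -Va` output, the check the reply settles on, that separates the expected drift in config and documentation files from changes that deserve a closer look. The sample lines are constructed in rpm's output format, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): triage of `rpm -Va` output. Each line
# is nine attribute flags, a file-type letter (c config, d documentation,
# g ghost, l license, r readme, ...) or blank, and the path. The flags, in
# order: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities; "." means it matched, "?" means it could not be checked, and
# "missing" replaces the flags for an absent file. Config and documentation
# files are expected to drift; a changed digest, size, mode, owner or
# capability on anything else deserves a closer look. Paths with spaces are
# not handled.

# Constructed sample in the format rpm -Va prints (not real output).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash/README
S.5....T.    /usr/bin/sudo
.M.......    /var/log/audit
missing     /usr/lib/systemd/system/httpd.service
..?......    /usr/bin/passwd'

# rpm_verify_triage: reads rpm -Va output on stdin and prints one line per
# file: ALERT / WARN / INFO, the reason, and the path
rpm_verify_triage() {
  awk '
    NF < 2 { next }
    {
      flags = $1
      if (NF >= 3) { type = $2; path = $3 } else { type = "-"; path = $2 }
      if (flags == "missing") { print "ALERT missing " path; next }
      if (type == "c" || type == "d" || type == "g") {
        print "INFO expected-drift " path; next
      }
      reason = ""
      if (substr(flags, 1, 1) == "S") reason = reason "size,"
      if (substr(flags, 2, 1) == "M") reason = reason "mode,"
      if (substr(flags, 3, 1) == "5") reason = reason "digest,"
      if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G") reason = reason "owner,"
      if (substr(flags, 9, 1) == "P") reason = reason "caps,"
      if (reason != "") { sub(/,$/, "", reason); print "ALERT " reason " " path; next }
      if (index(flags, "?")) { print "WARN unverifiable " path; next }
      print "INFO benign " path
    }'
}

# rpm_verify_alert_count: number of ALERT lines for rpm -Va output on stdin
rpm_verify_alert_count() { rpm_verify_triage | grep -c '^ALERT' || :; }

# On a live system: rpm -Va | rpm_verify_triage
printf '%s\n' "$SAMPLE" | rpm_verify_triage
```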


Re: [CentOS] Upgrade to 8.4 .2105 Problems

2021-06-04 Thread Alan McRae via CentOS

I noticed in journalctl that gnome-shell was core dumping.

yum reinstall gnome-shell fixed my displays problem.

So I am back to my first premise that the 'yum update' did not complete 
properly for some reason.


Is there any way I can check the integrity of the packages installed?

What could cause 'yum upgrade' to say 'Nothing to do' and not install 
the latest 305 kernel?


Alan

--
Alan McRae

On 05/06/2021 15:30, Alan McRae via CentOS wrote:
The yum upgrade from 8.3 to 8.4 on my main machine looked as if it 
was working fine so I went to have a coffee.


When I came back the screens were blank so I don't know what happened. 
On rebooting the screens are still blank.


I have two graphics cards running three displays.

I have a "rescue" system on the same machine that upgraded from 8.3 to 
8.4 fine. The 3 screens work fine on this.


I am not sure the upgrade completed properly. For example the new kernel:

 vmlinuz-4.18.0-305.3.1.el8.x86_64

was not present in /boot. Even worse, "yum upgrade" said there was 
nothing to do and would not install it. I installed the kernel package 
manually. /etc/redhat-release says CentOS Linux release 8.4.2105



My main question is: Where are the config files for the screen(s). 
This used to be something like /etc/X11/xorg.conf.


Since I have a working rescue system my current plan is to 
compare/copy the config files.


Suggestions please as to where I should start. It is difficult to work 
without a GUI. I have ssh access to the machine.


Thanks

Alan




[CentOS] Upgrade to 8.4 .2105 Problems

2021-06-04 Thread Alan McRae via CentOS
The yum upgrade from 8.3 to 8.4 on my main machine looked as if it was 
working fine so I went to have a coffee.


When I came back the screens were blank so I don't know what happened. 
On rebooting the screens are still blank.


I have two graphics cards running three displays.

I have a "rescue" system on the same machine that upgraded from 8.3 to 
8.4 fine. The 3 screens work fine on this.


I am not sure the upgrade completed properly. For example the new kernel:

 vmlinuz-4.18.0-305.3.1.el8.x86_64

was not present in /boot. Even worse, "yum upgrade" said there was 
nothing to do and would not install it. I installed the kernel package 
manually. /etc/redhat-release says CentOS Linux release 8.4.2105



My main question is: Where are the config files for the screen(s). This 
used to be something like /etc/X11/xorg.conf.


Since I have a working rescue system my current plan is to compare/copy 
the config files.


Suggestions please as to where I should start. It is difficult to work 
without a GUI. I have ssh access to the machine.


Thanks

Alan

--

Alan McRae



[CentOS] 8.2.2004 Quick recovery and fix for unbootable machines

2020-08-01 Thread Alan McRae via CentOS
This is a quick recovery and fix for the machines rendered unbootable 
after the grub2/shim yum update.


It is written for CentOS 8.2.2004 but similar should work for any CentOS 
8 or 7 as long as you get the correct shim file, that is, the one from 
the latest installation media.

I am running on an x86_64 architecture (see uname -i). Please use the 
correct shim file for your architecture (shim--15-11.el8..rpm)


I have tested this by breaking a machine and then recovering it. It 
works for me.


I hope someone finds it useful. Let me know.

Regards
Alan

HOW TO BOOT AN UNBOOTABLE MACHINE
=================================

1) Download a copy of rEFInd. This is a UEFI boot manager. Burn it to a 
USB key.


# wget -O refind.zip http://sourceforge.net/projects/refind/files/0.12.0/refind-flashdrive-0.12.0.zip/download

# unzip refind.zip
# cd refind-flashdrive-0.12.0
# dd if=refind-flashdrive-0.12.0.img bs=4096 of=/dev/sdX

(sdX is the device for your USB key; it will be erased. Use the whole 
device, sdX, not sdX1.)

1800+0 records in
1800+0 records out
7372800 bytes (7.4 MB, 7.0 MiB) copied, 0.980893 s, 7.5 MB/s

2) Turn off secureboot in your UEFI hardware.

3) Boot the USB key. You should get a colourful screen with icons and a 
filename below.


Use the left/right arrow keys to select the correct grubx64.efi.
Hit space to boot.

Your usual grub menu should appear and the system should boot normally.

HOW TO FIX THE PROBLEM
======================

1) We need to downgrade the shim package. Now that your system is 
running, get an older copy of the correct shim package for your 
architecture from the CentOS installation media (e.g. 
CentOS-8.2.2004-x86_64-dvd1.iso) and install it.


# mount CentOS-8.2.2004-x86_64-dvd1.iso /mnt
# cd /mnt/BaseOS/Packages
# cp shim-x64-15-11.el8.x86_64.rpm /root
# cd /root
# umount /mnt

OR

Get the package from a CentOS mirror:

# cd /root
# wget http://ucmirror.canterbury.ac.nz/linux/CentOS/8.2.2004/BaseOS/x86_64/os/Packages/shim-x64-15-11.el8.x86_64.rpm


2) We can now reinstall the older shim package using yum. This will 
downgrade the package to the working version.


# yum install shim-x64-15-11.el8.x86_64.rpm

Last metadata expiration check: 2:11:11 ago on Sun 02 Aug 2020 11:31:06 
NZST.

Dependencies resolved.


 Package     Architecture   Version      Repository      Size

Downgrading:
 shim-x64    x86_64         15-11.el8    @commandline    647 k


Transaction Summary

Downgrade  1 Package

Total size: 647 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing : 1/1
  Downgrading  : shim-x64-15-11.el8.x86_64 1/2
  Cleanup  : shim-x64-15-13.el8.x86_64 2/2
  Verifying    : shim-x64-15-11.el8.x86_64 1/2
  Verifying    : shim-x64-15-13.el8.x86_64 2/2
Installed products updated.

Downgraded:
shim-x64-15-11.el8.x86_64

Complete!

3) Your system should now boot normally.

4) add "exclude=shim*" to /etc/yum.conf to prevent the broken one being 
reinstalled.  You should now be able to run 'yum update'. Remove the 
exclude= when a proper fix becomes available.


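An added example, not from the post, that makes step 4 repeatable: helpers that merge a pattern into the exclude= line of [main], take it out again once a fixed shim is available, and show the current value. The config path is a parameter so the functions can be tried on a copy before touching /etc/yum.conf.

```shell
#!/bin/sh
# Added example (not from the post): step 4 made repeatable. yum/dnf read
# exclude= in [main] as one key with one value, so a second exclude= line does
# not combine with the first; the pattern has to be merged into the existing
# line, and taken out the same way later. The config path is a parameter.

# yum_exclude_add <conf> <pattern>: ensure <pattern> is in exclude= of [main]
yum_exclude_add() {
  conf=$1 pat=$2
  awk -v pat="$pat" '
    /^\[/ { if (insec && !done) { print "exclude=" pat; done = 1 }
            insec = ($0 == "[main]") }
    insec && /^exclude=/ && !done {
      n = split(substr($0, 9), t, /[ ,]+/)
      for (i = 1; i <= n; i++) if (t[i] == pat) { print; done = 1; next }
      print $0 " " pat; done = 1; next
    }
    { print }
    END { if (!done) print "exclude=" pat }   # [main] was the last section
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# yum_exclude_remove <conf> <pattern>: drop <pattern> from exclude= of [main],
# deleting the key when nothing is left
yum_exclude_remove() {
  conf=$1 pat=$2
  awk -v pat="$pat" '
    /^\[/ { insec = ($0 == "[main]") }
    insec && /^exclude=/ {
      n = split(substr($0, 9), t, /[ ,]+/); out = ""
      for (i = 1; i <= n; i++)
        if (t[i] != "" && t[i] != pat) out = out (out == "" ? "" : " ") t[i]
      if (out != "") print "exclude=" out
      next
    }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# yum_excludes <conf>: print the exclude= value of [main] (empty if none)
yum_excludes() {
  awk '/^\[/ { insec = ($0 == "[main]") }
       insec && /^exclude=/ { v = substr($0, 9) }
       END { print v }' "$1"
}

# On the real system: yum_exclude_add /etc/yum.conf 'shim*'
# and later:          yum_exclude_remove /etc/yum.conf 'shim*'
```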


[CentOS] 8.2.2004 Latest yum update renders machine unbootable

2020-07-31 Thread Alan McRae via CentOS

I am running an Intel x64 machine using UEFI to boot an SSD.

Installing the latest yum update which includes grub2 and kernel 
4.18.0-193.14.2.el8_2.x86_64 renders the machine unbootable, blank 
screen where grub should be, no error messages, just hangs.


After some hours I managed to modify another bootable partition 
(containing older software) and boot it from there.


After that, I found out it is a known problem.

The main point of this message is to make people aware of the problem 
and suggest admins don't run 'yum update' until they understand the 
problem and have a fix at hand.


See 'UEFI boot blank screen post update' for a solution and directions 
to the redhat article.


Regards

Alan



Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-16 Thread Alan McRae via CentOS

Thank you Gordon. That works for me. 8.2 needs the same fix.

Alan

On 16/06/2020 16:21, Gordon Messmer wrote:

On 6/15/20 7:06 PM, Jay Hart wrote:
If I do 'systemctl start httpd', apache will start right up.  But 
during boot, it doesn't and I get the resulting errors below.

Jun 15 21:17:28 dream httpd[1534]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 10.20.30.11:80



httpd is starting before an interface has been configured with 
10.20.30.11.


The default configuration starts httpd after "network.target" but you 
want to start it after "network-online.target".


IIRC: run "systemctl edit httpd.service" and insert:

[Unit]
After=network-online.target


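An added example, not from the thread: the drop-in from the reply written by a function that takes the target directory as a parameter (on the real machine that is /etc/systemd/system/httpd.service.d/, which "systemctl edit httpd.service" manages), plus a check of what "systemctl show" reports. The sample show-output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). After= only orders httpd behind
# network-online.target; Wants= is what pulls that target into the boot
# transaction, so a drop-in with After= alone may have nothing to wait for.
# On CentOS 8 the target is reached once NetworkManager-wait-online.service
# has finished, so that service needs to be enabled as well.

# write_online_dropin <dropin-dir>: write override.conf with both lines
write_online_dropin() {
  mkdir -p "$1" || return 1
  printf '[Unit]\nWants=network-online.target\nAfter=network-online.target\n' > "$1/override.conf"
}
# then: systemctl daemon-reload

# check_unit_online <text>: <text> is the output of
#   systemctl show httpd.service -p Wants -p After
# prints "ok" when network-online.target is in both, otherwise what is missing
check_unit_online() {
  a=$(printf '%s\n' "$1" | grep '^After=' | grep -c 'network-online\.target' || :)
  w=$(printf '%s\n' "$1" | grep '^Wants=' | grep -c 'network-online\.target' || :)
  if [ "$a" -ge 1 ] && [ "$w" -ge 1 ]; then echo ok
  elif [ "$a" -ge 1 ]; then echo "missing Wants=network-online.target"
  elif [ "$w" -ge 1 ]; then echo "missing After=network-online.target"
  else echo "missing After= and Wants=network-online.target"; fi
}

# Constructed sample resembling a unit ordered only after network.target.
SAMPLE_SHOW='Wants=system.slice
After=network.target remote-fs.target nss-lookup.target systemd-journald.socket'
check_unit_online "$SAMPLE_SHOW"
```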


Re: [CentOS] Apache (httpd) fails to start at boot - Centos 8.1

2020-06-15 Thread Alan McRae via CentOS
I have always had exactly the same problem. I had to write a script and 
run it at boot time:


#!/bin/sh
sleep 10   # give the interfaces time to get their addresses
/usr/bin/systemctl start httpd

Must be some timing problem with the interface addresses not being set 
up in time.


Alan

On 16/06/2020 14:06, Jay Hart wrote:

If I do 'systemctl start httpd', apache will start right up.  But during boot, 
it doesn't and I get the resulting errors below.

Jun 15 21:17:28 dream httpd[1534]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 10.20.30.11:80
Jun 15 21:17:28 dream httpd[1534]: no listening sockets available, shutting down
Jun 15 21:17:28 dream httpd[1534]: AH00015: Unable to open logs
Jun 15 21:17:29 dream systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jun 15 21:17:29 dream systemd[1]: httpd.service: Failed with result 'exit-code'.

the box's ip address is 10.20.30.11, and I am trying to get http (80) and 
https (443) going.

Firewall is turned on. The listen parameter in httpd.conf is 10.20.30.11:80. 
The log files in /var/log/httpd are all owned by root. Httpd runs as user 'apache'.

Google searches have not returned anything that looks remotely promising.

Got any suggestions?

Thanks in advance,

Jay




Re: [CentOS] Diagnosing IPv6 routing

2020-04-28 Thread Alan McRae via CentOS

I struggled with this under CentOS 7. I think there is a bug.

You can run /usr/sbin/radvdump to print out RAs. Leave it running for 
some minutes.


I had this in my /etc/sysctl.d/50-net6.conf (on C7):

#
# IPv6 Forwarding
#
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
#
# Fix bug to receive RAs from router
# Disable forwarding on enp4s0f1 interface so we still get RAs
#
net.ipv6.conf.enp4s0f1.forwarding = 0
#net.ipv6.conf.enp4s0f1.accept_ra = 1

where enp4s0f1 is the WAN interface. Note that ipv6 forwarding still 
works. I used my C7 as a firewall/gateway.


I am running 8.1 now.

Alan

--
Alan McRae

On 29/04/2020 06:54, Kenneth Porter wrote:
I just got 50 Mbps symmetric fiber from AT&T and it includes a /56 of 
IPv6 addresses, replacing a much slower ADSL line. I never tried to 
get IPv6 working on the old connection. I'm using CentOS 7 as a 
gateway and it's worked great for several versions for IPv4.


I'm not seeing any IPv6 default route on the WAN interface. I suspect 
I'm not getting route announcements. I think I have all the IPv6 
variables in ifcfg-em2 set right. But I do notice that the accept_ra 
file in proc for that interface has value 1, not 2. Changing it to 2 
doesn't change anything, though. No route appears.


While I wait for an answer to my trouble ticket, is there some way to 
verify that I'm not receiving any RA packets? Is there a way to force 
a solicitation for one? Is there a tcpdump invocation I can use to 
watch for them? Are there log messages that will tell me when an RA 
has been seen and added to the routing table or ignored?



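An added example, not from the thread, for the WAN interface em2 named in the question: a check of the sysctl combination that the forwarding=0 workaround above is dancing around, and the tcpdump invocation the question asks for. The function names are assumptions; the sysctl semantics are the kernel's documented ones.

```shell
#!/bin/sh
# Added example (not from the thread). accept_ra: 0 never accepts Router
# Advertisements, 1 accepts them only while forwarding is off on that
# interface, 2 accepts them even on a forwarding router. That is why setting
# per-interface forwarding=0 (with all.forwarding=1 still routing) makes RAs
# arrive again. accept_ra_defrtr additionally controls whether the default
# router advertised in an RA is installed, which is the route missing above.

# ra_verdict <forwarding> <accept_ra> [accept_ra_defrtr]: will RAs on an
# interface with these sysctl values yield a default route?
ra_verdict() {
  fwd=$1 ra=$2 defrtr=${3:-1}
  if [ "$ra" = 0 ]; then echo "no: accept_ra=0, RAs ignored"; return; fi
  if [ "$ra" = 1 ] && [ "$fwd" = 1 ]; then
    echo "no: accept_ra=1 is ignored while forwarding=1 (set accept_ra=2 on this interface)"
    return
  fi
  if [ "$defrtr" = 0 ]; then
    echo "partial: RAs accepted but accept_ra_defrtr=0, no default route learned"
    return
  fi
  echo "yes: RAs accepted and the advertised default router is installed"
}

# ra_check_iface <iface>: read the live values from /proc (Linux only)
ra_check_iface() {
  d=/proc/sys/net/ipv6/conf/$1
  ra_verdict "$(cat "$d/forwarding")" "$(cat "$d/accept_ra")" "$(cat "$d/accept_ra_defrtr")"
}

# ra_capture <iface>: show only Router Advertisements. ip6[40] is the ICMPv6
# type byte right after the 40-byte IPv6 header (RAs carry no extension
# headers); 134 = Router Advertisement. Leave it running for a few minutes,
# as RAs arrive at the router's advertisement interval.
ra_capture() { tcpdump -i "$1" -n -vv "icmp6 and ip6[40] == 134"; }

# Typical use on the gateway:   ra_check_iface em2 ; ra_capture em2
```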


Re: [CentOS] CentO 8 and nftables default policy

2020-04-18 Thread Alan McRae via CentOS

I had the same problem.

If you are not using virtual machines then

   # systemctl disable libvirtd

works and is easily reversible.

Alan

On 18/04/2020 23:03, Alessandro Baggi wrote:

Il 17/04/20 11:01, Alessandro Baggi ha scritto:

Hi list,

I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled 
firewalld. I noticed that a default policy is created with tables and 
chains probably for firewalld.


So I created a .nft script where I stored my rules with a flush for 
previous ruleset, then saved on /etc/sysconfig/nftables.conf and the 
enabled nftables service.


Running the script with nft -f script.nft all work as expected but 
when rebooting, running nft list ruleset I find my rules and the 
default policy (chains and tables) that I would not have in my 
configuration.


My nftables.conf contains only my ruleset.

For example, running nft list tables I found several default tables 
like:


table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle

So probably there is something that is applying its policy, but I 
don't know what it is.


Can someone point me in the right direction?

Thank you in advance.

I have not received any replies, but I tried to investigate. After 
checking the configuration files on my system I supposed that this could 
be caused by a daemon, and I found that libvirtd pushes some rules.


running virsh nwfilter-list I get:

 UUID  Nome
--
 34fe8cba-af99-4438-8efc-b135143425e2  allow-arp
 dc110112-3824-4cf3-946f-ba6e15cd29c3  allow-dhcp
 fecc383a-bab5-465d-a5be-98834fb626ce  allow-dhcp-server
 761e7132-8738-47c2-8101-275d6fd6a347  allow-incoming-ipv4
 d37b017f-8f21-4ad0-9fa6-052a5cb1ed2e  allow-ipv4
 a8c740d5-328c-452e-bae7-9828c54f95b7  clean-traffic
 296bdfad-11d9-4aa0-9817-4656ef2be6e5  clean-traffic-gateway
 69215a61-bff5-482a-b913-589bb1ce18f2  no-arp-ip-spoofing
 70c61f0a-c005-407f-843d-d13c2495f05d  no-arp-mac-spoofing
 386cd2f4-7272-43e2-ba1f-80cb3518649c  no-arp-spoofing
 9117fa21-e3d6-4c32-9cdf-af97ebd6599e  no-ip-multicast
 7a964470-4f74-4eef-9fec-a0e9a79e168d  no-ip-spoofing
 8c9e45a3-5d44-4641-b23d-eded5c1f1632  no-mac-broadcast
 82dcd4f0-f55a-43ad-b520-d4c8d4bf37cd  no-mac-spoofing
 bdd0ba54-7ce0-4a2c-9c25-c24072d364ba  no-other-l2-traffic
 fc50783e-d32b-42ba-8380-7576c4388244  no-other-rarp-traffic
 edfc1bb3-b325-4f8d-8c5b-423e55da66eb  qemu-announce-self
 8556bd82-dc97-47b0-b573-5986ebbad3b2  qemu-announce-self-rarp

If I remove these libvirt filters, will I get errors?

Thank you in advance.




Re: [CentOS] qeum on centos 8 with nvme disk

2019-10-12 Thread Alan McRae via CentOS
I have CentOS 8 installed solely on one nvme drive and it works fine and 
relatively quickly.


/dev/nvme0n1p4  218G   50G  168G  23% /
/dev/nvme0n1p2  2.0G  235M  1.6G  13% /boot
/dev/nvme0n1p1  200M  6.8M  194M   4% /boot/efi

You might want to partition the device (p3 is swap)

Alan

On 13/10/2019 10:38, Jerry Geis wrote:

Hi All -  I use qemu on my centOS 7.7 box that has software raid of 2- SSD
disks.

I installed an nVME drive in the computer also. I tried to install CentOS 8
on it (the physical /dev/nvme0n1, with -hda /dev/nvme0n1 as the disk).

The process started installing but is really "slow" - I was expecting with
the nvme device it would be much quicker.

Is there something I am missing how to get a faster disk access ?

Thanks,

Jerry
