Re: [CentOS] DHCP max-lease-time maximum
> Thanks, I did know that and we are using this in other situations. But
> as written in my third reply:
>
> Too much work; every MAC I don't have to type counts.

Take some time to write a script, and you'll save a lot of time afterwards. But it's a really, really bad idea to configure too long leases.

Sylvain.

Think ENVIRONMENT: only print if necessary

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] mount bind problem
- Original message -
> From: "望月忠雄"
> To: "centos"
> Sent: Tuesday 12 April 2016 08:17:13
> Subject: [CentOS] mount bind problem

> I have set on fstab /home with 'mount bind' but it seems like bind is not
> effective.

Indeed. By default, nothing mounts "bind" filesystems. The init scripts don't read the whole fstab file; there are filters to mount only some filesystem types. If you want to mount the "bind" FS on boot, you need to add the related commands to /etc/rc.d/rc.local.

Sylvain.
Re: [CentOS] centos samba sssd active directory
- Original message -
> From: "Stefan Fuhrmann"
> To: "centos"
> Sent: Thursday 7 April 2016 16:13:26
> Subject: [CentOS] centos samba sssd active directory

> Hello all,
> I'm having the latest centos that should be integrated into win 2012 active
> directory domain.
> I'm having Authentication running, an AD user can login via ssh, getent and id
> working
> But I'm not able to get the samba shares running with AD

To make samba work with SSSD, I had to make some tuning in smb.conf:

    security = ads
    workgroup = MYDOMAIN
    realm = MYDOMAIN.TLD
    encrypt passwords = yes
    passdb backend = tdbsam
    kerberos method = secrets and keytab
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind refresh tickets = yes

To use the "valid users" directive, I have to deal with the AD SIDs. You can get them by running:

    $ wbinfo --name-to-sid ad_user
    $ wbinfo --name-to-sid ad_group

The RID idmap backend doesn't work as expected. So I use the NSS backend:

    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 1-9
    idmap config * : backend = tdb
    idmap config * : range = 10-99

And in /etc/nsswitch.conf:

    passwd: files sss
    shadow: files sss
    group: files sss

Hope this helps.

Sylvain.
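An added check, not code from this message or from Samba, that parses "idmap config" lines like the ones above and flags inverted or overlapping ranges (which Samba rejects) and ranges that start inside the local account id space. The smb.conf text and the local-id ceiling of 999 are constructed assumptions.

```python
"""Sanity-check the idmap ranges of an smb.conf [global] section.

Added example for the samba/SSSD message above; it is not code from the
CentOS list or from Samba. The configuration text below is a constructed
sample, and the local-id ceiling (999) is an assumption about the host.
"""
import re

# idmap config <DOMAIN> : <key> = <value>   (case-insensitive, as in smb.conf)
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)

# Constructed sample mirroring the layout discussed above: one AD domain on the
# nss backend and the "*" default domain on tdb, with disjoint ranges.
GOOD_CONF = """
[global]
    security = ads
    workgroup = MYDOMAIN
    realm = MYDOMAIN.TLD
    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 10000-99999
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
"""

# Same sample with two typical mistakes: the default range overlaps the
# domain range, and the domain range starts inside the local account space.
BAD_CONF = """
[global]
    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 500-99999
    idmap config * : backend = tdb
    idmap config * : range = 90000-199999
"""


def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} for every
    'idmap config' line; all other smb.conf lines are ignored."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return cfg


def check_idmap(cfg, local_max_uid=999):
    """Return a list of human-readable problems; empty when the config is sane."""
    problems = []
    for dom, entry in sorted(cfg.items()):
        if "backend" not in entry:
            problems.append(f"{dom}: no backend configured")
        if "range" not in entry:
            problems.append(f"{dom}: no range configured")
            continue
        low, high = entry["range"]
        if low > high:
            problems.append(f"{dom}: inverted range {low}-{high}")
        if low <= local_max_uid:
            problems.append(f"{dom}: range starts inside local id space (<= {local_max_uid})")
    # Every pair of ranges must be disjoint, otherwise SID->uid mapping is ambiguous.
    ranged = sorted(d for d in cfg if "range" in cfg[d])
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            (al, ah), (bl, bh) = cfg[a]["range"], cfg[b]["range"]
            if al <= bh and bl <= ah:
                problems.append(f"{a} and {b}: ranges {al}-{ah} and {bl}-{bh} overlap")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(parse_idmap(text)) or ["ok"])
```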
Re: [CentOS] 6.7 netinstall fails at insert cd to continue
- Original message -
> From: "g"
> To: "centos"
> Sent: Thursday 3 March 2016 23:46:10
> Subject: [CentOS] 6.7 netinstall fails at insert cd to continue

> system: hp compact dc7800 dual 64 bit
> cd/dvd: oem sata -- recognized as
> atapi dvd c dh48c2s sata5
> cd/dvd: lg gp60ns50 usb dvd -- recognized as
> hl-dt-st dvdram gp60ns50
>
> attempting install using centos 6.7 x86_64 netinstall.
>
> after 'installation method' with 'local cd/dvd' selected, famous
> 'disc not found' shows.

Did you try to disconnect the USB device before booting the station? Perhaps it's detected before the SATA one. I never had problems with this kind of workstation.

Sylvain.
Re: [CentOS] IPtables block user from outbound ICMP
Hello,

- Original message -
> From: "John Cenile"
> To: "centos"
> Sent: Wednesday 24 February 2016 15:42:36
> Subject: [CentOS] IPtables block user from outbound ICMP

> Is it possible at all to block all users other than root from sending
> outbound ICMP packets on an interface?
>
> At the moment we have the following two rules in our IPtables config:
>
> iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT
> iptables -A OUTPUT -o eth1 -j DROP
>
> But this still allows ICMP for some reason (but *does* block other TCP/UDP
> packets, which is what we want, as well as ICMP).

According to the iptables documentation (http://ipset.netfilter.org/iptables.man.html), not specifying "-p" is equivalent to specifying "-p all", which matches all protocols, ICMP included. So these rules are good. BUT... I suppose /bin/ping has a suid bit set, no?

Sylvain.
Re: [CentOS] CentOS 7, NSF, "feature"
> From: "Ricardo J. Barberis"
> [Unit]
> After=network.target remote-fs.target nss-lookup.target network-online.target
>
> The After line is the important one, I copied it from
> /usr/lib/systemd/system/nginx.service and added "network-online.target"
> at the end.
>
> After making your changes, be sure to reenable the service so it takes your
> new unit, e.g.:
>
> # systemctl reenable nginx.service
>
> It worked for me, maybe it works for you?

On my systems, I saw that network.target was not started, because no service required it ("After=foo" is totally useless if there isn't any "Requires=foo" too... Mwokay, why not...). I just added a symlink to force network.target to start, and the ordering problem is solved:

    /etc/systemd/system/multi-user.target.wants/network.target -> /usr/lib/systemd/system/network.target

That link avoids modifying the configuration of _all_ the services needing a fully working network (ssh, web, mail, snmp, and so on) with a crappy, but easy-to-deploy, one-liner like this (no, I'm not ashamed):

    # for fic in $(grep -rl "After=.*network.target" /lib/systemd/system | cut -d/ -f5 | grep -v "network-online.target") ; do [ ! -d "/etc/systemd/system/${fic}.d" ] && mkdir "/etc/systemd/system/${fic}.d" ; echo -e "[Unit]\nAfter=network-online.target" > "/etc/systemd/system/${fic}.d/local-network-online.conf" ; done && systemctl daemon-reload

By the way, congratulations to the genius who decided to name one of the files "-.slice"... Yes, a filename beginning with a hyphen. I suppose anybody here understands why it's probably one of the worst ideas he ever had.

Sylvain.
Re: [CentOS] Just need to vent
>> Jonathan Billings wrote:
>>
>> >> > Maybe you're not
>> >> > aware of it, but there are a LOT of things that systemd fixes that
>> >> > people are happy about.
>> >>
>> >> Like what? I don't remember there were as many errors to fix before
>> >> systemd appeared.
>> >
>> > I suggest reading the previous emails (SOME OF WHICH YOU REPLIED TO)
>> > that listed many of the features people are happy about.
>>
>> I don't take a position in the systemd argument,
>> but you said that systemd fixes lots of problems.
>> It is perfectly reasonable to ask you to name one of these problems,
>> perhaps the one you think is most important.
>
> Well, here's a great one. I agree with Matthew:
>
> https://lists.centos.org/pipermail/centos/2016-January/157399.html
>
> Note who responded to that message.

... And what "who" answered.

Sylvain.
Re: [CentOS] Just need to vent
- Original message -
> From: "Jonathan Billings"

> Maybe you're not aware of it, but there are a LOT of things that
> systemd fixes that people are happy about.

Like what? I don't remember there were as many errors to fix before systemd appeared.

Sylvain.
Re: [CentOS] Just need to vent
> * ensure that when something is stopped, it's actually stopped. (If
> you've ever managed an HPC cluster and had processes escape the
> scheduler, you know this problem is real.)

    # systemctl list-units | grep -c abandoned
    453
    # uptime
    15:53:58 up 11 days, 21:03, 1 user, load average, 0,01, 0,02, 0,05

> * track process lifecycle, and restart (or take other action) on
> failure. (If software were perfect, this wouldn't be needed, but as
> is, this can save you being paged in the middle of the night.)

No. Software which falls down is buggy, and needs to be fixed. Period. Masking the problem is the best way to never fix it. With this "feature", systemd (and other init systems providing it) will just make GNU/Linux more unstable.

> * actually securely connect output to the process it came from for
> logging -- both stdout/stderr and actual log messages. (This is why
> journald is closely integrated.)

Leaving sysadmins unable to read logs just because the file is corrupted, or to send logs to a dedicated server, is a real security improvement, indeed.

> There are other advantages (real dependency ordering, resource
> management/reservation with cgroups, etc.), but process supervision is
> the big deal. There are other alternative systems which _also_ do this,
> but overall, Fedora, openSUSE, Arch, Debian, Ubuntu, and others
> eventually decided that systemd was the technically best choice.

Red Hat employs Lennart Poettering. Red Hat derivatives have to follow. Ubuntu and Debian chose systemd, on the one hand, because more and more software depends on systemd (Gnome 3, for example), and on the other hand, to save maintainers' time by dropping their own init system. The technically best choice, you say?

Sylvain.
Re: [CentOS] Just need to vent
> Ultimately it's all software, and software can be
> written/changed/updated to do anything required - all that's needed is
> the skill and the motivation. If systemd is so "core" that it can't be
> unplugged and plugged easily, and glues together a lot of otherwise
> unrelated components, then it's just bad software - end of story (the
> problems with tightly-coupled components were first identified over 40
> years ago, and modularization has been the watchword ever since.)
>
> In my view, it's high time someone independently analysed systemd down
> to basic code level, and understood why it's so invasive (if it actually
> is.) Then the way forward would be clear - fork it, and produce a new
> version which wasn't so invasive, and which could be swapped in/out. I'm
> not saying it would be easy! ("We do not do these things because they
> are easy - we do them because they are hard!")

I know only one attempt: uselessd. Unfortunately, the project is dead. http://uselessd.darknedgy.net/

>> I remember people complaining about SysV-style init too, "what's with
>> all these scripts" and "why can't I just add a line to /etc/rc".
>> systemd is a different way of thinking, but it isn't exactly original
>> (Sun and Mac have similar launchers); practical experience has shown
>> that this can be a better way of managing services.
>
> No one is saying that sysvinit is perfect. What I can't grasp is why
> replace it with something which is no less imperfect, and is almost
> certainly worse in at least some respects - and to make that replacement
> unavoidable and mandatory.

I agree. There are other init/service managers (no, init and service manager are not one and the same program) that combine the best of System V (simplicity, lightness, minimalism) and interesting ideas used by systemd ("BSD-style" dependency management between services, for example). On Gentoo, the duo sysvinit/openrc works well, for example.

> - faster boot time (this was apparently the main motivation behind it.)
> My experience with systemd-managed systems has been limited - but so
> far, I've not noticed faster boot times with systemd (maybe because the
> boxes booted fast enough previously.)

My professional experience shows me systemd is by far slower than, for example, upstart. But... let's be honest: is the OS launch time so important as to make a software like systemd so revolutionary when it promises to save a handful of seconds? On servers, which spend much more time checking and starting the hardware components than really booting the system, the difference is negligible. A bit less on virtual guests, I agree, but, anyway, they're always on, and the only reason to reboot them is normally to update the kernel... This kind of intervention is normally scheduled, and the announced unavailability time is often overestimated, to be able to get round Murphy's laws. Benefit? Zero. On stations, maybe, systemd might potentially be useful. I don't know, I don't have systemd-dependent stations to hand. And I reboot my stations as often as my servers.

> - parallel startup of services. Not sure that I'd want that anyway

Especially when the obvious directives are not respected. Tell systemd to start sshd AFTER network, for example, but forget to say sshd REQUIRES network, and systemd starts sshd... BEFORE network! And says network isn't started, by the way. Anyway, one more time, why this obsession to gain one or two seconds?

> - better handling of hot-plug devices. I've not yet seen that in action,
> but that is the one thing which makes me inclined to investigate systemd
> in more detail.

Why does systemd care about device plugging? It's not its role, it's the device manager's one. Udev, for example. Oh, wait...

>> Nobody is forcing you to run systemd; you can continue to run CentOS 6
>> and earlier for years. But if you are a system administrator, your job
>> is about learning and adapting, not trying to keep a static setup for
>> life. systemd is different (just like SELinux was years ago), but I
>> suggest you learn it.

So I learn... I adapt... And I update... So I learn... I adapt...

>> It can make your admin life easier.

But it didn't tell us how, then. :)

> As we all know (don't we just?) sysadmin work and responsibilities are
> heavy, and frequently eat into evenings, nights, weekends and
> (so-called) holidays. Anything which increases the sysadmin workload -
> e.g. suddenly faced with a vertical learning curve just to do the tasks
> they did yesterday, or a GUI which leaves them unable to find anything
> on their screens - is a major issue, and prejudicial not only to the
> sysadmin's own work, but also to that of the users to whom he/she is
> responsible. And when you're talking about systems used by hundreds and
> thousands of users, that's a big problem.

I don't think systemd was designed for servers... But sysadmins have to deal with it though. When we need simple, robust and reliable softwa
Re: [CentOS] Just need to vent
>> I'm also still trying to figure out in what way systemd is supposed to
>> be "better".
>
> https://wiki.debian.org/Debate/initsystem/systemd#Why_Debian_should_default_to_systemd

Counter-arguments are easy to find as well. For example: http://judecnelson.blogspot.fr/2014/09/systemd-biggest-fallacies.html

Sylvain.
Re: [CentOS] Just need to vent
> If that is the case, why do you run CentOS 7 on the server? You can stay
> with CentOS 6 for now and either wait till Linux systemd-free distribution
> mature enough to be run on server is available. Which it almost is: Devuan
> (systemd-free fork of Debian) has released "alpha" version about half a
> year ago. If you feel "married" to Linux, maybe it is a good idea to play
> with Devuan, provide them feedback thus helping them to become systemd-free
> Linux acceptable for servers. Simultaneously you can explore other options
> which would be to migrate away from Linux (Open Solaris, FreeBSD, NetBSD,
> OpenBSD will be much smaller step than stepping up to CentOS 7 - that is
> my experience, though FreeBSD migration of servers I started came much
> earlier than CentOS 7 and for different reason).

If I had the choice... The OS and the version are decreed by the contractor, I'm just a maintainer.

Sylvain.
Re: [CentOS] Just need to vent
> I believe that RHEL7 (and CentOS7) both have systemd integrated into them
> enough that it isn't as simple as "choose init system" on install.

That's because of systemd. Even if most of the Linux distros don't, giving the choice is a bit less difficult with any other init system. The main problem is that systemd does (often badly) more and more things that, as a "simple" init system, it should not do (login, and "su-ing" now, journaling, device management via udev, and so on), violating the KISS principle. If you use systemd, you have to use all the systemd tentacles, even if you don't want to. Worse, more and more programs depend heavily on systemd now. Gnome 3 is an example, and that's why I don't, and won't, use Gnome 3.

I don't use any systemd-based distro personally. Sadly, professionally, I have to, since RedHat/CentOS and Debian adopted it (and Ubuntu LTS will do soon). And systemd makes my job uselessly more complicated. For example, why must I deal with journald and its fancies when I set up a syslog server (and I have to, because journald doesn't even know what centralized logs are...) on my servers? Why do systemd maintainers continuously change big parts of its behaviour, without any consideration of major-minor versioning, and why do RedHat/CentOS maintainers dismiss this fact (the CentOS 7.1 to 7.2 update is painful, because systemd switched from 208 to 219)? Why, more generally, is the answer often "systemd" when I encounter a problem on a server?

Sylvain.
Re: [CentOS] Bind fails to start after update from 7.1 to 7.2
>>> zone relationship123.com/IN: loading from master file relationship123.com.db
>>> failed: file not found
>>> zone relationship123.com/IN: not loaded due to errors.
>>> _default/relationship123.com./IN: file not found
>>
>> here: relationship123.com
>
> ??
>
>>
>>> If I change the zone defs to include the full path:
>>>
>>> From
>>>
>>> zone "relationships123.com." IN {
>>>     type master;
>>>     file "relationships123.com.db";
>>> };
>>
>> there: relationships123.com.db
>
> ??

A missing "s".

Sylvain CANOINE.
Re: [CentOS] No GUI with CentOS-7.2
> No error is given in /var/log/Xorg.0.log.
> It seems to find an appropriate ATI Radeon driver,
> but it has the warnings
> (WW) Falling back to old probe method for modesetting
> (WW) Falling back to old probe method for fbdev
> (WW) Falling back to old probe method for vesa

Could you share your whole Xorg.0.log? Do you use a custom xorg.conf, or custom xorg.conf.d files? Open-source ATI driver, or proprietary blobs?

> Also it ends with what look like a problem with the USB mouse:
> (II) config/udev: Adding input device PIXART USB OPTICAL MOUSE
> (/dev/input/mouse0)
> (II) No input driver specified, ignoring this device.
> (II) This device may have been added with another device file.
> (II) config/udev: Adding input device PC Speaker (/dev/input/event5)
> (II) No input driver specified, ignoring this device.
> (II) This device may have been added with another device file.
> (II) evdev: PIXART USB OPTICAL MOUSE: Close
> (II) UnloadModule: "evdev"
> (II) evdev: HID 04f3:0103: Close
> (II) UnloadModule: "evdev"
> (II) evdev: HID 04f3:0103: Close
> (II) UnloadModule: "evdev"
> (II) evdev: Power Button: Close
> (II) UnloadModule: "evdev"
> (II) evdev: Power Button: Close
> (II) UnloadModule: "evdev"
> (II) Server terminated successfully (0). Closing log file.

As these logs have "info" level (II), there is no real problem for Xorg.

Sylvain CANOINE.
Re: [CentOS] A query on graphic console
- Original message -
> From: "Timothy Murphy"
> To: "centos"
> Sent: Tuesday 5 January 2016 14:39:22
> Subject: [CentOS] A query on graphic console

> I'm only getting a text console with CentOS-7.2
> on my (oldish) HP MicroServer.
>
> The only explicit error I see in Xorg.0.log
> is that no driver is found for my Pixart USB optical mouse.
>
> My query is: would that be sufficient
> to prevent a graphic console?

Definitely not. X is able to run even with no input device at all (mouse, keyboard, and so on). Most of the time, X refuses to start because of missing or inappropriate video drivers. Next in the other discussion thread...

Sylvain CANOINE.
Re: [CentOS] systemd-sysctl not running on boot
- Original message -
> From: "Ofer Hasson"
> To: "centos"
> Sent: Thursday 24 December 2015 11:36:00
> Subject: Re: [CentOS] systemd-sysctl not running on boot

> [root@web-devel-local-1 ~]# ll -Z /etc/ | grep sysctl
> drwxr-xr-x. root root system_u:object_r:etc_t:s0 sysctl.d
>
> [root@web-devel-local-1 ~]# ll -Z /etc/sysctl.d/
> -rw-r--r--. root root unconfined_u:object_r:system_conf_t:s0 sysctl.conf

Is there a relationship with the new symlink created by the upgrade on my servers?

    # ls -l /etc/sysctl.d/
    total 0
    lrwxrwxrwx. 1 root root 14 23 déc. 18:11 99-sysctl.conf -> ../sysctl.conf
    # yum provides /etc/sysctl.d/99-sysctl.conf
    initscripts-9.49.30-1.el7.x86_64 : The inittab file and the /etc/init.d scripts
    Dépôt                 : base
    Correspondance depuis :
    Nom de fichier        : /etc/sysctl.d/99-sysctl.conf

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original message -
> From: "Gordon Messmer"
> To: "centos"
> Sent: Thursday 24 December 2015 07:25:00
> Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2

> On 12/23/2015 08:38 AM, Sylvain CANOINE wrote:
>> Then I'm wondering:
>> 2/ why "After=foo" does not imply "Requires=foo" for systemd 219, while it
>> appeared to be in systemd 208. Either it's a regression, or the behaviour of
>> 208, although logical, is buggy.
>
> I'm not entirely certain, but "After=" is independent of "Requires=", as
> documented on an up-to-date install of CentOS 7.

http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ says: "Services using the network should hence simply place an After=network.target dependency in their unit files, and avoid any Wants=network.target or even Requires=network.target." But all the other related explanations I found on the web either say nothing about the relationship between "After=" and "Requires="/"Wants=", or confirm there isn't one. For example, in http://www.freedesktop.org/software/systemd/man/systemd.unit.html: "Note that this setting (ed.: "After=" or "Before=") is independent of and orthogonal to the requirement dependencies as configured by Requires=."

I didn't find the related CentOS documentation, but I suppose it's correct. I suppose it mentions NetworkManager, anyway.

I'm able to understand systemd isn't designed to make the relationship between "After=" and "Requires="... But why design it like that? Giving the ability to start a service before or after a disabled other one is nonsense. But all of that doesn't give any clue concerning the different behaviour of the two quoted versions of systemd. I think an additional "Requires=network.target" parameter in the network-online.target unit by default, or at least a note to the users, would be appreciated.

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original message -
> From: "Sylvain CANOINE"
> To: "centos"
> Sent: Wednesday 23 December 2015 12:26:39
> Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2
>
> # systemctl status network.target
> ● network.target - Network
>    Loaded: loaded (/usr/lib/systemd/system/network.target; static; vendor
> preset: disabled)
>    Active: inactive (dead)
>      Docs: man:systemd.special(7)
>            http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
>
> Dead? Hmmm...

Ok, I found the difference between the failing servers (I updated one more this morning, and the same symptom came): the failing ones don't need to mount NFS shares. So I didn't install nfs-utils, so there's no rpc-statd-notify.service, whose unit file contains "Requires=network.target"... And so there's no service "requiring" network.target at all!

Then I'm wondering:
1/ why "After=foo" does not imply "Requires=foo" for systemd. That's obvious, yet,
2/ why "After=foo" does not imply "Requires=foo" for systemd 219, while it appeared to be in systemd 208. Either it's a regression, or the behaviour of 208, although logical, is buggy.

Anyway, for the NetworkManager opponents, it may be opportune to add a "Requires=network.target" on a usual network service's unit, such as sshd or ntpd... Or, better, on network-online.target's unit. I chose another solution: I made a symlink to /usr/lib/systemd/system/network.target in the /etc/systemd/system/multi-user.target.wants/ directory ("systemctl enable network.target" sent me to hell). And voilà.

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original message -
> From: "Gordon Messmer"
> To: "centos"
> Sent: Wednesday 23 December 2015 10:11:05
> Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2

> I'm a little confused, too. But, it might be more informative to query
> the system for "network.target" than "network.service" since the former
> is the one missing.

    # rpm -V systemd
    S.5T.  c /etc/rc.d/rc.local

Ok, normal...

    # ll /usr/lib/systemd/system/network.target
    -rw-r--r--. 1 root root 480 20 nov. 05:49 /usr/lib/systemd/system/network.target
    # cat /usr/lib/systemd/system/network.target
    #  This file is part of systemd.
    #
    #  systemd is free software; you can redistribute it and/or modify it
    #  under the terms of the GNU Lesser General Public License as published by
    #  the Free Software Foundation; either version 2.1 of the License, or
    #  (at your option) any later version.

    [Unit]
    Description=Network
    Documentation=man:systemd.special(7)
    Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
    After=network-pre.target
    RefuseManualStart=yes
    # systemctl status network.target
    ● network.target - Network
       Loaded: loaded (/usr/lib/systemd/system/network.target; static; vendor preset: disabled)
       Active: inactive (dead)
         Docs: man:systemd.special(7)
               http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget

Dead? Hmmm...

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original message -
> From: "Gordon Messmer"
> To: "centos"
> Sent: Friday 18 December 2015 12:06:26
> Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2

>>> The network service is not blocking the flow so it executes and systemd
>>> carries on ...
>>>
>>> From the point of view of the system as soon as /etc/init.d/network start
>>> has been called the service is running as a state... as you can see from
>>> your logs lots of other services also start before the network interface
>>> itself is up.
>> I understand this, but why only on one of my servers? Is the order the
>> services start only a question of latencies?

I'm confused. I updated two more servers this afternoon, and... all is working well. The services start in the correct order. Even after three reboots. So only one of the (now) five updated servers doesn't start properly. Then what is the difference? All I see for now is that the network.target unit seems not active on the failing server.

    (failing) # systemctl list-units | grep network
    network.service            loaded active exited  LSB: Bring up/down networking
    rhel-import-state.service  loaded active exited  Import network configuration from initramfs
    network-online.target      loaded active active  Network is Online
    (failing) # systemctl status network
    ● network.service - LSB: Bring up/down networking
       Loaded: loaded (/etc/rc.d/init.d/network)
       Active: active (exited) since lun. 2015-12-21 12:49:31 CET; 1 day 5h ago
         Docs: man:systemd-sysv-generator(8)

    déc. 21 12:49:35 (failing) systemd[1]: Starting LSB: Bring up/down networking...
    déc. 21 12:49:26 (failing) network[747]: Activation de l'interface loopback : [ OK ]
    déc. 21 12:49:28 (failing) network[747]: Activation de l'interface ens160 : [ OK ]
    déc. 21 12:49:31 (failing) network[747]: Activation de l'interface ens192 : [ OK ]
    déc. 21 12:49:31 (failing) systemd[1]: Started LSB: Bring up/down networking.

    (correct) # systemctl list-units | grep network
    network.service            loaded active exited  LSB: Bring up/down networking
    rhel-import-state.service  loaded active exited  Import network configuration from initramfs
    network-online.target      loaded active active  Network is Online
    network.target             loaded active active  Network
    (correct) # systemctl status network
    ● network.service - LSB: Bring up/down networking
       Loaded: loaded (/etc/rc.d/init.d/network)
       Active: active (exited) since mar. 2015-12-22 17:42:15 CET; 33min ago
         Docs: man:systemd-sysv-generator(8)
      Process: 753 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)

    déc. 22 17:42:07 (correct) systemd[1]: Starting LSB: Bring up/down networking...
    déc. 22 17:42:10 (correct) network[753]: Activation de l'interface loopback : [ OK ]
    déc. 22 17:42:13 (correct) NET[935]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
    déc. 22 17:42:13 (correct) network[753]: Activation de l'interface ens160 : [ OK ]
    déc. 22 17:42:15 (correct) network[753]: Activation de l'interface ens192 : [ OK ]
    déc. 22 17:42:15 (correct) systemd[1]: Started LSB: Bring up/down networking.

To be continued...

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
- Original message -
> From: "Marcelo Ricardo Leitner"
> To: "centos"
> Sent: Monday 21 December 2015 21:46:10
> Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2

> Agreed. Sylvain, if possible, please elaborate on their reasoning for
> this, because it just seems like a case of "we fear what we don't know",
> so they are recommending to stick to old habits instead.
>
> Or have they identified real attack vectors in NM? If yes, we would love
> to hear that so it can be fixed.

In short, "you don't need it, so don't use it". They said NM is more a desktop-oriented tool, already had privilege escalation issues in the past (I didn't check if they're right), has too many dependencies (such as wpa_supplicant and avahi, which are, of course, also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users changing its settings, needs D-Bus just to work, so it is too complex just to set static IP addresses on network interfaces. They said multiple administrator actions, and potentially human errors, to set it up, may be a security risk...

Sylvain.
Re: [CentOS] Network services start before network is up since migrating to 7.2
> If you're using NetworkManager, you can "systemctl enable
> NetworkManager-wait-online.service" and you won't have to override any
> of the individual services.

Our security experts don't want me to use NetworkManager... It's even uninstalled on the models, so I understand better why all the required files are not here:

# systemctl status NetworkManager-wait-online.service
● NetworkManager-wait-online.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

So I made a crappy but easy-to-deploy script to make the services start after the network is online:

# Every service ordered after network.target gets a drop-in that also orders it
# after network-online.target. Restricting the search to *.service files skips
# drop-ins under *.d directories and the network-online.target unit itself,
# which says "After=network.target" too.
for fic in $(grep -rl --include='*.service' 'After=.*network\.target' /lib/systemd/system | xargs -n1 basename)
do
    dropin_dir="/etc/systemd/system/${fic}.d"
    [ -d "$dropin_dir" ] || mkdir -v "$dropin_dir"
    # A drop-in needs its own [Unit] header; its After= values are added to the vendor unit's.
    printf '[Unit]\nAfter=network-online.target\n' > "$dropin_dir/local-network-online.conf" \
        && echo "$dropin_dir/local-network-online.conf"
done
systemctl daemon-reload

That's working as is, so I'll keep this workaround for now.

Sylvain.
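Added example, not code from this thread nor from CentOS or systemd: a small Python audit of the ordering problem the script above works around, and of the override James recommends in his reply quoted further down the thread. It merges unit files with their drop-ins the way systemd does (After= values accumulate across the vendor unit and every <unit>.d/*.conf, a bare "After=" clears the list, a drop-in in /etc overrides a same-named one in /usr/lib), flags services that are ordered only after network.target, and writes the override with Wants=network-online.target added, so the unit pulls the target in itself instead of relying on another unit to do so (systemd.special recommends both directives). The lib_dir/etc_dir arguments, the drop-in file name and the sample unit contents are assumptions; demo() builds a constructed tree in a temporary directory and never touches the live system.

```python
import glob
import os
import tempfile

NETWORK_TARGET = "network.target"
ONLINE_TARGET = "network-online.target"
LIST_KEYS = ("After", "Before", "Wants", "Requires")  # multi-value [Unit] keys


def apply_unit_text(text, values):
    """Fold one unit file or drop-in into `values` ({key: [names]}), honouring
    sections, comments, backslash continuations and the systemd rule that an
    empty assignment ("After=") clears everything set before it."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = (pending + raw).rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if s[0] == "[" and s[-1] == "]":
            section = s[1:-1]
            continue
        if section != "Unit" or "=" not in s:
            continue
        key, _, val = (p.strip() for p in s.partition("="))
        if key in LIST_KEYS:
            values[key] = [] if val == "" else values.get(key, []) + val.split()
    return values


def effective_unit_settings(unit, lib_dir, etc_dir):
    """Merge the unit file (etc_dir wins over lib_dir) with its drop-ins in
    file-name order; an etc_dir drop-in replaces a lib_dir one of the same name."""
    main = next((p for p in (os.path.join(etc_dir, unit), os.path.join(lib_dir, unit))
                 if os.path.isfile(p)), None)
    if main is None:
        return None
    dropins = {}
    for d in (lib_dir, etc_dir):
        for path in glob.glob(os.path.join(d, unit + ".d", "*.conf")):
            dropins[os.path.basename(path)] = path
    values = {}
    for path in [main] + [dropins[n] for n in sorted(dropins)]:
        with open(path) as fh:
            apply_unit_text(fh.read(), values)
    return values


def audit(lib_dir, etc_dir):
    """Map every *.service to: network-only (After=network.target only, the bug),
    after-no-wants (ordered after network-online.target but not pulling it in),
    ok (After= and Wants= both name it) or unordered (no network ordering)."""
    units = {os.path.basename(p) for d in (lib_dir, etc_dir)
             for p in glob.glob(os.path.join(d, "*.service"))}
    report = {}
    for unit in sorted(units):
        v = effective_unit_settings(unit, lib_dir, etc_dir)
        after, wants = v.get("After", []), v.get("Wants", [])
        if ONLINE_TARGET in after:
            report[unit] = "ok" if ONLINE_TARGET in wants else "after-no-wants"
        elif NETWORK_TARGET in after:
            report[unit] = "network-only"
        else:
            report[unit] = "unordered"
    return report


def write_dropin(unit, etc_dir, name="local-network-online.conf"):
    """Write the override drop-in (file name is an assumption) and return its path."""
    d = os.path.join(etc_dir, unit + ".d")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, name)
    with open(path, "w") as fh:
        fh.write("[Unit]\nAfter=%s\nWants=%s\n" % (ONLINE_TARGET, ONLINE_TARGET))
    return path


def demo():
    """Constructed unit tree in a temp dir: audit, fix the offenders, re-audit."""
    root = tempfile.mkdtemp()
    lib, etc = os.path.join(root, "lib"), os.path.join(root, "etc")
    os.makedirs(os.path.join(lib, "httpd.service.d"))
    os.makedirs(etc)
    samples = {  # constructed samples, modelled on the thread's failing services
        "sshd.service": "[Unit]\nAfter=network.target sshd-keygen.service\n"
                        "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "httpd.service": "[Unit]\nAfter=network.target remote-fs.target \\\n"
                         "      nss-lookup.target\n",
        "snmpd.service": "[Unit]\nAfter=syslog.target \\\n network.target\n",
        "postfix.service": "[Unit]\nAfter=syslog.target network.target\nAfter=\n",
        # a vendor drop-in that orders httpd after the target but never pulls it in
        "httpd.service.d/10-online.conf": "[Unit]\nAfter=network-online.target\n",
    }
    for name, text in samples.items():
        with open(os.path.join(lib, name), "w") as fh:
            fh.write(text)
    before = audit(lib, etc)
    for unit, status in before.items():
        if status == "network-only":
            write_dropin(unit, etc)
    return before, audit(lib, etc)


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

On a real host, audit("/usr/lib/systemd/system", "/etc/systemd/system") gives the list to fix; cross-check a unit's merged ordering with `systemctl show -p After <unit>` and run `systemctl daemon-reload` after writing the drop-ins.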
Re: [CentOS] Network services start before network is up since migrating to 7.2
Hello James,

> Well it looks like you are using the network service rather than the
> recommended NetworkManager ...

Yes. That's the way our security experts made the models I use to set up my servers. I'll test a migration to NetworkManager, and take their advice on it.

> The network service is not blocking the flow so it executes and systemd
> carries on ...
>
> From the point of view of the system as soon as /etc/init.d/network start
> has been called the service is running as a state... as you can see from
> your logs lots of other services also start before the network interface
> itself is up.

I understand this, but why only on one of my servers? Is the order the services start in only a question of latencies?

> There are a few different ways of accomplishing what you want ...
>
> Keep in mind that you must not edit files in /usr/lib/systemd/ if you want
> to maintain your sanity for future updates... use overrides in
> /etc/systemd/system/foo.service.d

Ok. Thank you for the tip. I'm trying to avoid this workaround, anyway.

> The real reason httpd/sshd/snmpd failed there is that unlike the default
> configuration of these you aren't listening on all addresses (:: or
> 0.0.0.0) but on a specific 172.X address ... which isn't present until the
> network adaptor is up and configured.

It is by design, for security considerations. So I can't make the services listen on all interfaces.

> 3) Provide overrides for each service to order it after
> network-online.target (which is effectively when the non-local IP address
> can be found on the interface) as per the systemd.special man page
> documenting this.
>
> Look at man systemd.special for more detail on this ...

I'll take a look at this.

> Incidentally I just tried a quick test in a VM and it would appear
> NetworkManager.service completed with an IP on the network interface before
> network.target was considered reached ... you may want to test this on your
> system to see if it's a race condition or it actually works out that way
> for you as a systemctl cat NetworkManager indicates it should be before
> network and it looks like it may block progress until it's on dbus ...

Ok, I'll try, and see if that solves my problem. Thank you.

Sylvain CANOINE.
[CentOS] Network services start before network is up since migrating to 7.2
Hello all,

I updated two of my servers to CentOS 7.2 (1511) two days ago, and since then, on one of them, the network services are started (and fail to start) before the network interfaces are online. Parts of "journalctl" after the last reboot:

Dec 17 10:21:44 myserver kernel: NET: Registered protocol family 40
Dec 17 10:21:45 myserver sshd[700]: error: Bind to port 22 on 172.20.XX.XX failed: Cannot assign requested address.
Dec 17 10:21:45 myserver sshd[700]: fatal: Cannot bind any address.
Dec 17 10:21:45 myserver systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Dec 17 10:21:45 myserver systemd[1]: Unit sshd.service entered failed state.
Dec 17 10:21:45 myserver systemd[1]: sshd.service failed.
Dec 17 10:21:45 myserver sssd[729]: Starting up
Dec 17 10:21:45 myserver kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Dec 17 10:21:34 myserver systemd[1]: Time has been changed
Dec 17 10:21:35 myserver iptables.init[699]: iptables: Applying firewall rules: [ OK ]
Dec 17 10:21:35 myserver systemd[1]: Started IPv4 firewall with iptables.
Dec 17 10:21:35 myserver systemd[1]: Starting LSB: Bring up/down networking...
Dec 17 10:21:35 myserver network[790]: Bringing up loopback interface: [ OK ]
Dec 17 10:21:36 myserver httpd[686]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 172.19.XX.XX:443
Dec 17 10:21:36 myserver httpd[686]: no listening sockets available, shutting down
Dec 17 10:21:36 myserver httpd[686]: AH00015: Unable to open logs
Dec 17 10:21:36 myserver systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 17 10:21:36 myserver kernel: vmxnet3 :03:00.0 ens160: intr type 3, mode 0, 2 vectors allocated
Dec 17 10:21:36 myserver kernel: vmxnet3 :03:00.0 ens160: NIC Link is Up 1 Mbps
Dec 17 10:21:36 myserver kill[924]: kill: cannot find process ""
Dec 17 10:21:36 myserver systemd[1]: httpd.service: control process exited, code=exited status=1
Dec 17 10:21:36 myserver systemd[1]: Failed to start The Apache HTTP Server.
Dec 17 10:21:36 myserver systemd[1]: Unit httpd.service entered failed state.
Dec 17 10:21:36 myserver systemd[1]: httpd.service failed.
Dec 17 10:21:36 myserver postfix/postfix-script[959]: starting the Postfix mail system
Dec 17 10:21:36 myserver postfix/master[961]: daemon started -- version 2.10.1, configuration /etc/postfix
Dec 17 10:21:36 myserver systemd[1]: Started Postfix Mail Transport Agent.
Dec 17 10:21:36 myserver snmpd[704]: Turning on AgentX master support.
Dec 17 10:21:36 myserver snmpd[704]: Error opening specified endpoint "udp:172.19.XX.XX:161"
Dec 17 10:21:36 myserver snmpd[704]: Server Exiting with code 1
Dec 17 10:21:36 myserver systemd[1]: snmpd.service: main process exited, code=exited, status=1/FAILURE
Dec 17 10:21:36 myserver systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..
Dec 17 10:21:36 myserver systemd[1]: Unit snmpd.service entered failed state.
Dec 17 10:21:36 myserver systemd[1]: snmpd.service failed.
(...)
Dec 17 10:21:38 myserver network[790]: Bringing up interface ens160: [ OK ]
Dec 17 10:21:38 myserver kernel: vmxnet3 :0b:00.0 ens192: intr type 3, mode 0, 2 vectors allocated
Dec 17 10:21:38 myserver kernel: vmxnet3 :0b:00.0 ens192: NIC Link is Up 1 Mbps
Dec 17 10:21:39 myserver ntpd[694]: Listen normally on 1 ens160 172.19.XX.XX UDP 123
Dec 17 10:21:39 myserver ntpd[694]: new interface(s) found: waking up resolver
Dec 17 10:21:40 myserver ntpd[694]: 0.0.0.0 c61c 0c clock_step +11.002914 s
Dec 17 10:21:51 myserver ntpd[694]: 0.0.0.0 c614 04 freq_mode
Dec 17 10:21:51 myserver systemd[1]: Time has been changed
Dec 17 10:21:51 myserver network[790]: Bringing up interface ens192: [ OK ]
Dec 17 10:21:51 myserver systemd[1]: Started LSB: Bring up/down networking.
Dec 17 10:21:51 myserver systemd[1]: Reached target Network is Online.
Dec 17 10:21:51 myserver systemd[1]: Starting Network is Online.
Dec 17 10:21:51 myserver systemd[1]: Reached target Multi-User System.
Dec 17 10:21:51 myserver systemd[1]: Starting Multi-User System.
Dec 17 10:21:51 myserver systemd[1]: Starting Update UTMP about System Runlevel Changes...
Dec 17 10:21:51 myserver systemd[1]: Started Stop Read-Ahead Data Collection 10s After Completed Startup.
Dec 17 10:21:51 myserver systemd[1]: Started Update UTMP about System Runlevel Changes.
Dec 17 10:21:51 myserver systemd[1]: Startup finished in 650ms (kernel) + 2.623s (initrd) + 13.647s (userspace) = 16.922s.

I found a workaround, by replacing "After=network.target" with "After=network-online.target" in the failing services' units, but I want to understand what the root problem is, and what the difference between my two servers is... And so far, I have found nothing. Got an