Re: dnsmasq and systemd

2019-05-17 Thread Teh, Kenneth M.
I had tftp-secure when testing manually.  And I was running dnsmasq in the
foreground as root in verbose mode so I could see what it was doing with respect
to pxe requests.

I probably forgot the admonition about tftp-secure and assumed it was like the 
'-s' option on in.tftpd which does a chroot. Seems strange that dnsmasq would 
admonish running as root when syslinux-tftpboot installs its files as owned by 
root.

I didn't do anything with dnsmasq.conf. Instead, I added a dhcp.conf and 
pxe.conf to dnsmasq.d to do dhcp/dns and pxe.  I solved it by using the 
user=root directive.





On 5/17/19 10:33 AM, Tom H wrote:
> On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
> <0864eace5c83-dmarc-requ...@listserv.fnal.gov> wrote:
>> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:

>>>> Systemd continues to baffle me.
>>>>
>>>> I've set up a router machine that provides pxe boot and tftp
>>>> services on a private network with dnsmasq. Pxeboot works if I
>>>> run dnsmasq manually, but not when I turn on the service with
>>>> systemctl.
>>>>
>>>> I can't think through its layers of obtuseness and would
>>>> appreciate someone with a fresher brain to point me in the right
>>>> direction.
>>>
>>> You don't give us much to work with. When you start it manually,
>>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>>> Anything else that might be relevant?
>>
>> Sorry. You're right. A moment of exasperation and frustration with
>> systemd whose bits of config/info are strewn all over the place
>> instead of everything in init.d. I guess I resent learning new ways
>> of doing old things. Must be my age. :)
>>
>> Turned out the problem is dnsmasq's tftp module has no permission
>> to read pxelinux.0 even though the file is 0644. Checked audit.log
>> for possible selinux problem. Nothing.
>>
>> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
>> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
>> an semanage fcontext/restorecon to change it just to see if dnsmasq
>> would read it. Doesn't change. Nothing in journalctl. Used chcon.
>> Changes it. But dnsmasq still cannot read the file.
>>
>> Finally set dnsmasq to run as root in its config. Works. Only thing
>> I can think of is dnsmasq which apparently runs as nobody when
>> started from systemd cannot read files it does not own.
> 
> 1) From the manpage
> 
> --tftp-secure
> Enable TFTP secure mode: without this, any file which is readable by
> the dnsmasq process under normal unix access-control rules is
> available via TFTP. When the --tftp-secure flag is given, only files
> owned by the user running the dnsmasq process are accessible. If
> dnsmasq is being run as root, different rules apply: --tftp-secure
> has no effect, but only files which have the world-readable bit set
> are accessible. It is not recommended to run dnsmasq as root with
> TFTP enabled, and certainly not without specifying --tftp-root. Doing
> so can expose any world-readable file on the server to any host on
> the net.
> 
> Are you using this option?
> 
> 2) When you were testing and running it manually, were you setting
> command-line options or were you simply using the options in
> "/etc/dnsmasq.conf" like the systemd unit?
> 


Re: dnsmasq and systemd

2019-05-17 Thread Tom H
On Fri, May 17, 2019 at 5:08 PM Orion Poplawski  wrote:


> Probably related:
>
> --tftp-secure
>   Enable TFTP secure mode: without this, any file which is
>   readable by the dnsmasq process under normal unix access-control
>   rules is available via TFTP. When the --tftp-secure flag is
>   given, only files owned by the user running the dnsmasq
>   process are accessible. If dnsmasq is being run as root,
>   different rules apply: --tftp-secure has no effect, but only
>   files which have the world-readable bit set are accessible.
>   It is not recommended to run dnsmasq as root with TFTP
>   enabled, and certainly not without specifying --tftp-root.
>   Doing so can expose any world-readable file on the server to
>   any host on the net.

Just read and sent the same :)


> I'm still surprised it made a difference starting it by hand or by systemd.

+1

dnsmasq runs as "nobody" if "/etc/dnsmasq.conf" doesn't have
"user=foo" or dnsmasq isn't started with "--user=foo" (or "-u foo").


Re: dnsmasq and systemd

2019-05-17 Thread Tom H
On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
<0864eace5c83-dmarc-requ...@listserv.fnal.gov> wrote:
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp
>>> services on a private network with dnsmasq. Pxeboot works if I
>>> run dnsmasq manually, but not when I turn on the service with
>>> systemctl.
>>>
>>> I can't think through its layers of obtuseness and would
>>> appreciate someone with a fresher brain to point me in the right
>>> direction.
>>
>> You don't give us much to work with. When you start it manually,
>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>> Anything else that might be relevant?
>
> Sorry. You're right. A moment of exasperation and frustration with
> systemd whose bits of config/info are strewn all over the place
> instead of everything in init.d. I guess I resent learning new ways
> of doing old things. Must be my age. :)
>
> Turned out the problem is dnsmasq's tftp module has no permission
> to read pxelinux.0 even though the file is 0644. Checked audit.log
> for possible selinux problem. Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
> an semanage fcontext/restorecon to change it just to see if dnsmasq
> would read it. Doesn't change. Nothing in journalctl. Used chcon.
> Changes it. But dnsmasq still cannot read the file.
>
> Finally set dnsmasq to run as root in its config. Works. Only thing
> I can think of is dnsmasq which apparently runs as nobody when
> started from systemd cannot read files it does not own.

1) From the manpage

--tftp-secure
Enable TFTP secure mode: without this, any file which is readable by
the dnsmasq process under normal unix access-control rules is
available via TFTP. When the --tftp-secure flag is given, only files
owned by the user running the dnsmasq process are accessible. If
dnsmasq is being run as root, different rules apply: --tftp-secure
has no effect, but only files which have the world-readable bit set
are accessible. It is not recommended to run dnsmasq as root with
TFTP enabled, and certainly not without specifying --tftp-root. Doing
so can expose any world-readable file on the server to any host on
the net.

Are you using this option?

2) When you were testing and running it manually, were you setting
command-line options or were you simply using the options in
"/etc/dnsmasq.conf" like the systemd unit?
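
The access rules in the --tftp-secure manpage text quoted in this thread, modelled as an added example (not part of the original messages and not dnsmasq's own code). The function names and uid 99 are made up for illustration; the model ignores ACLs, SELinux and directory search permissions.

```python
import os
import stat

def unix_readable(st_uid, st_gid, st_mode, proc_uid, proc_gids):
    """Classic owner/group/other read check for a non-root process."""
    if st_uid == proc_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in proc_gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def tftp_would_serve(st_uid, st_gid, st_mode, proc_uid, proc_gids, tftp_secure):
    """Return (served, reason) following the quoted manpage rules."""
    if proc_uid == 0:
        # Root: --tftp-secure has no effect; the world-readable bit decides.
        if st_mode & stat.S_IROTH:
            return True, "root: world-readable"
        return False, "root: not world-readable"
    # Assumption: a file the process cannot open is never served.
    if not unix_readable(st_uid, st_gid, st_mode, proc_uid, proc_gids):
        return False, "not readable by process"
    if tftp_secure and st_uid != proc_uid:
        return False, "tftp-secure: not owned by dnsmasq user"
    return True, "readable by process"

def audit_tftp_root(root, proc_uid, proc_gids, tftp_secure):
    """Walk a tftp-root and list the files the model says would be refused."""
    refused = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            ok, why = tftp_would_serve(st.st_uid, st.st_gid, st.st_mode,
                                       proc_uid, proc_gids, tftp_secure)
            if not ok:
                refused.append((path, why))
    return sorted(refused)

if __name__ == "__main__":
    # Constructed values mirroring the thread: pxelinux.0 is root:root 0644;
    # uid/gid 99 stands in for the unprivileged dnsmasq user.
    ROOT_OWNED_0644 = (0, 0, 0o100644)
    for uid, secure in ((99, True), (99, False), (0, True)):
        print(uid, secure, tftp_would_serve(*ROOT_OWNED_0644, uid, {99}, secure))
```

Under this model the root-owned 0644 file is refused only in the unprivileged-user-plus-tftp-secure case; making the boot files owned by the dnsmasq user, or dropping tftp-secure, serves them without running the daemon as root.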


Re: dnsmasq and systemd

2019-05-17 Thread Orion Poplawski
On 5/17/19 7:07 AM, Teh, Kenneth M. wrote:
> Sorry. You're right. A moment of exasperation and frustration with systemd
> whose bits of config/info are strewn all over the place instead of everything
> in init.d. I guess I resent learning new ways of doing old things. Must be my
> age.  :)
>
> Turned out the problem is dnsmasq's tftp module has no permission to read
> pxelinux.0 even though the file is 0644. Checked audit.log for possible
> selinux problem.  Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except for
> pxelinux.0 (plus a few more) which are cobbler_var_lib_t.  Tried an semanage
> fcontext/restorecon to change it just to see if dnsmasq would read it.
> Doesn't change. Nothing in journalctl. Used chcon. Changes it. But dnsmasq
> still cannot read the file.
>
> Finally set dnsmasq to run as root in its config. Works.  Only thing I can
> think of is dnsmasq which apparently runs as nobody when started from systemd
> cannot read files it does not own.
> 

Probably related:

  --tftp-secure
    Enable TFTP secure mode: without this, any file which is
    readable by the dnsmasq process under normal unix access-control
    rules is available via TFTP. When the --tftp-secure flag is
    given, only files owned by the user running the dnsmasq
    process are accessible. If dnsmasq is being run as root,
    different rules apply: --tftp-secure has no effect, but only
    files which have the world-readable bit set are accessible.
    It is not recommended to run dnsmasq as root with TFTP
    enabled, and certainly not without specifying --tftp-root.
    Doing so can expose any world-readable file on the server to
    any host on the net.

I'm still surprised it made a difference starting it by hand or by systemd.

> 
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp services on a
>>> private network with dnsmasq.  Pxeboot works if I run dnsmasq manually, but
>>> not when I turn on the service with systemctl.
>>>
>>> I can't think through its layers of obtuseness and would appreciate someone
>>> with a fresher brain to point me in the right direction.
>>>
>>
>> You don't give us much to work with.  When you start it manually, what
>> exactly do you run?  What does 'journalctl -u dnsmasq' report?  Anything else
>> that might be relevant?
>>


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: dnsmasq and systemd

2019-05-17 Thread Teh, Kenneth M.
Sorry. You're right. A moment of exasperation and frustration with systemd
whose bits of config/info are strewn all over the place instead of everything
in init.d. I guess I resent learning new ways of doing old things. Must be my
age.  :)

Turned out the problem is dnsmasq's tftp module has no permission to read
pxelinux.0 even though the file is 0644. Checked audit.log for possible selinux
problem.  Nothing.

Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except for
pxelinux.0 (plus a few more) which are cobbler_var_lib_t.  Tried an semanage
fcontext/restorecon to change it just to see if dnsmasq would read it. Doesn't
change. Nothing in journalctl. Used chcon. Changes it. But dnsmasq still cannot
read the file.

Finally set dnsmasq to run as root in its config. Works.  Only thing I can
think of is dnsmasq which apparently runs as nobody when started from systemd
cannot read files it does not own.



On 5/16/19 9:23 PM, Orion Poplawski wrote:
> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>> Systemd continues to baffle me.
>>
>> I've set up a router machine that provides pxe boot and tftp services on a
>> private network with dnsmasq.  Pxeboot works if I run dnsmasq manually, but
>> not when I turn on the service with systemctl.
>>
>> I can't think through its layers of obtuseness and would appreciate someone
>> with a fresher brain to point me in the right direction.
>>
>
> You don't give us much to work with.  When you start it manually, what
> exactly do you run?  What does 'journalctl -u dnsmasq' report?  Anything else
> that might be relevant?
> 


converting SL7 install to CentOS7 installation

2019-05-17 Thread Maarten
Does anyone know if it is possible to convert a SL7 installation to a CentOS7
installation? In the past I have done it the other way around but can't find
if it is possible to do it vice versa?


Problem with volume groups after latest updates

2019-05-17 Thread Bill Maidment
Hi
After updating kernel qemu-kvm and libvirt from 7x I have found that one of my 
volume groups is not found with pvdisplay or vgdisplay. The /dev and 
/dev/mapper files are still there and the virtual servers are running fine.
How do I fix this without destroying my virtual servers?

Cheers
Bill Maidment