IRC Archive / Freenode / #centos / 2015 / July / 23
Lithiumx
I never had this error
but I ever use crashkernel=auto when I try something
XenophonF
I just installed all of the available jetty RPMs (yum install jetty-*), but none of them seem to include a systemctl startup script or service registry entry or whatever systemd calls it
would someone clue me in?
I've done a little google, but no one seems to use RPMs
they're always installing from the jetty source
carlgeorge
XenophonF: writing custom service files is pretty easy, especially compared to writing legacy init scripts
PryMar56
XenophonF, systemctl list-unit-files | grep jet
carlgeorge
and with systemd, there is a clear distinction between vendor service files in /usr/lib/systemd and end user service files in /etc/systemd
XenophonF
PryMar56, that command returns nothing
carlgeorge: writing legacy init scripts was pretty easy, too ;)
carlgeorge
compared to service files, they are way more complicated
baking a cake may be easy, but making toast is easier
XenophonF: http://0pointer.de/blog/projects/systemd-for-admins-3.html
Zequal
Gawd, I wish there was a UEFI SecureBoot / EFI Shell emulator.
It's such a hack to get this going in a qemu test bed.
dfinn
anyone happen to have any info on a fix for this?
http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens-servers-to-password-cracking/
Zequal
dfinn: The fix is a better configuration.
dfinn: For starters, start using PKI instead of password authentication. Another is to utilize some iptable rules, or fail2ban to catch repeated password attempts.
dfinn
I'm looking into both of those although I think the iptables rule will cause other things like rsync to not work correctly. But those are temp fixes really.
nick9299
Lithiumx: there's no value currently for var 'crashkernel'. Should I try adding "crashkernel=auto"?
Zequal
dfinn: https://blog.bigdinosaur.org/securing-ssh-with-iptables/
dfinn: fail2ban is pretty easy, lots of documentation available as well.
It's easy to have iptables read from a chain of blocked IP, similar to what featured in that tutorial. You can add a lot more to it as well. It all depends on your preference.
dfinn
thanks
I was already aware of the iptables config but was wondering if there was any talk of a fix coming down from openssh. It doesn't sound like it yet.
Zequal
dfinn: Whatever you do, keep it sane and don't use non-standard ports.
Security through obscurity is no security at all. :/
tessier
I've been fighting a crazy problem for the last 24 hours: I have this box with 28 externally facing IPs on it. No firewall, no firewall rules, nothing. Yet only 3 of the IPs ping. The server seems to not be responding to arp requests for the other IP addresses. /proc/sys/net/ipv4/conf/eth0/arp_ignore and the various others are set to 0 (default, we've never even played with that for any reason) so it should not be ignoring arp. What on earth could po
CentOS 5.11 btw
nick9299
Lithiumx: I'm adding the crashkernel line I'll let you know how it goes
pj
tessier: do they all show up when you do: ip a
tessier
pj: Yes, they do.
pj
sounds like a routing issue with your host, but you'll need to check with tcpdump
you will be able to see if the pings come in and if responses go out, etc.
tessier
I've been tcpdumping...I see the arp request come from their gateway router. But I never see my machine reply.
pj
hrmmmm
@uname tessier
centbot
tessier, please paste the single line of output from the 'uname -a' command run on the server in question to the channel.
tessier
I see pings and replies go in and out for the IPs that respond to ping. For those that don't I see the arp request come from the router but then my machine never replies it seems.
Linux mailer.edirectpublishing.com 2.6.18-406.el5 #1 SMP Tue Jun 2 17:25:57 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
It's the weirdest thing. Me and two coworkers have been banging on it all day and it doesn't make any sense.
pj
yeah, and you're certain that your firewall is disabled?
what about selinux? what's the output of sestatus?
tessier
Yes. /sbin/iptables -L -n shows no rules and policy ACCEPT on all.
SELinux status: disabled
pj
what about the other tables: nat, mangle and raw?
are they also empty with a default policy of accept?
tessier
Yes.
GlenK
tessier: had a similar thing going on on my end not so long ago. route flush all or something like that helped out. On the machine that wasn't responding to arp requests
tessier
GlenK: I'll try that. But I've rebooted this machine a number of times in trying to sort this out.
pj
the only other thing I can think of, and it's a long shot because this doesn't sound like a driver issue, is maybe it's the driver for the NIC.
tessier
Hmm...this is a VM which does complicate things a bit. But none of the many other VMs on this machine have this issue...
pj
what hypervisor?
tessier
KVM
Stock CentOS 7
Zequal
tessier: iptable rules on that?
pj
ok, when you checked tcpdump, did you check on the host or the vm?
tessier
There's another machine here on the same bridge and it is fine. Is there any limit to the arp table for the bridge? This machine has 29.
pj: I checked on the vm. Checking tcpdump on the bridge on the host is a good idea...
pj
yeah, I will usually check on the bridge, and on the relevant virtual interfaces and even the physical interface on the host, although if you see the pings and not responses on the guest then I doubt it will tell you any different on the other interfaces.
tessier
On the bridge I am seeing a constant stream of who-has for the unresponsive IPs
pj
oh
coming from the guest or the host?
tessier
Coming from the upstream gateway
The gateway is saying who-has the IP on my guest.
pj
oh, ok, interesting, but you don't see those on the guest?
tessier
And the guest seems to never be replying.
I do see those on the guest too.
pj
ok, nm, same issue, then
tessier
So the gateway never learns my mac so it can't send me the traffic.
It only knows the macs for 3 particular IPs of the 28 on this box.
pj
yeah, the guest should be replying, though (obviously)
tessier
Yep.
Zequal
Ohh
I take it this VM was from another host?
Migrated from another virtual host, I assume?
pj
when you reboot the guest does it keep the same mac address as the other guests? Are you sure the MAC is unique?
tessier
Zequal: Actually, this VM was migrated from Xen to KVM and setup in new datacenter on a totally different subnet. But yes, it was.
pj
I mean when you reboot does it keep the same mac as before
Zequal
Yeah, sounds like he has a MAC mismatch.
pj
heh, strangely enough I could help you better if it were Xen
tessier
pj: Positive the MAC is unique. The guest has its own mac which I randomly generated. And re-generated. And re-generated once more. MAC collision was my first thought.
Zequal
Mmm..
pj
ok, I would try flushing the arp cache on the host, then, though it's a long shot.
tessier
If it were MAC mismatch why would 3 of the IPs work? That's the weird thing.
I've rebooted the host a number of times. That would flush the arp cache I would think.
I've had the upstream ISP flush their router too.
pj
yeah, so would I
Zequal
Well, I am interested now. As I have a KVM at home. This is worth knowing. ;)
pj
not sure in KVM what kind of virtual nic is used on the guest, if it uses an emulated hardware nic or something more like Xen's PV drivers or ???
tessier
Zequal: Whatever the solution ends up being I'm sure it will be interesting.
pj: Actually, I'm using an emulated e1000 at the moment. I haven't tried switching to the paravirt virtio nic...I think I'll try that next.
pj
yeah, I would definitely do that
emulated nics have issues, alternatively switch to a different emulated nic and see if the problem goes away.
I would think that even without this issue you'd be better off with the paravirt nic anyways.
tessier
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
oops...sorry