Archive for Uncategorized

uWSGI is ignoring uid, gid and chown-socket

010110110101 asked:

I’m trying to use uWSGI with nginx. The root problem I am having is that I’m getting “No such file or directory” from nginx trying to connect to the uWSGI socket file.

When I use the following settings, I am expecting the socket file’s permissions to change. However, they aren’t. It continues to show uwsgi:uwsgi.

The error from nginx is *17 connect() to unix:/tmp/myapp.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.1.122, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/tmp/myapp.sock:", host: "192.168.1.123:81"

myapp.ini (uwsgi)

[uwsgi]
chdir = /var/local/myapp
plugins = python
module = wsgi:app
home = /var/local/virtualenv/myapp
file = main.py
daemonize = /var/log/uwsgi/myapp.log
pidfile = /var/run/uwsgi/myapp.pid
socket = /tmp/%n.sock

chmod-socket = 777
chown-socket = webuser:nginx
uid = webuser
gid = nginx

vacuum = true

file permissions

srwxrwxrwx.  1 uwsgi uwsgi    0 Jul  3 12:43 myapp.sock

myapp.conf (nginx)

server {
    listen 81;

    access_log /var/log/nginx/myapp_access.log;
    error_log /var/log/nginx/myapp_error.log;

    location / {
        try_files $uri @yourapplication;
    }

    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/myapp.sock;
    }
}

I also tried this:

usermod -a -G nginx uwsgi
usermod -a -G uwsgi nginx
useradd webuser
usermod -a -G nginx webuser
usermod -a -G uwsgi webuser

and I tried this:

grep avc /var/log/audit/audit.log | audit2allow -M nginx
semodule -i nginx.pp

I answered:

You can’t put sockets for interprocess communication in /tmp.

RHEL/CentOS 7, Fedora, etc., use private /tmp directories, meaning each daemon configured for it (in this case, at least nginx) has a completely different view of /tmp than any other.

To resolve the problem, either place the socket in another directory or use TCP connections.

And don’t blindly audit2allow things without understanding what’s going on. You’ll likely open up some security hole.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
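As an added example (not part of the question or answer above), the following Python script cross-checks the posted myapp.ini against the nginx location block for the two things a reviewer would flag: a socket under /tmp, which systemd's PrivateTmp= turns into a per-service directory that nginx and uWSGI do not share, and chmod-socket = 777, which lets any local user connect to the application. uWSGI's %n expands to the ini file name without its extension. The input texts are copied from the post; the /run/uwsgi path, the 660 mode, the RuntimeDirectory= remark and the lint messages are this example's own choices, not something the original specifies.

```python
"""Cross-check a uWSGI ini against the nginx location that connects to it."""
import configparser
import os
import re
import stat

# Constructed input: the socket-related part of the asker's myapp.ini.
UWSGI_INI = """\
[uwsgi]
chdir = /var/local/myapp
plugins = python
module = wsgi:app
socket = /tmp/%n.sock
chmod-socket = 777
chown-socket = webuser:nginx
uid = webuser
gid = nginx
vacuum = true
"""

# Constructed input: the asker's nginx location block.
NGINX_CONF = """\
location @yourapplication {
    include uwsgi_params;
    uwsgi_pass unix:/tmp/myapp.sock;
}
"""

# Hypothetical corrected pair: socket under /run (not subject to PrivateTmp=;
# the directory would normally be created for the service with RuntimeDirectory=uwsgi),
# writable only by the owner and the nginx group.
FIXED_INI = UWSGI_INI.replace("/tmp/%n.sock", "/run/uwsgi/%n.sock").replace("= 777", "= 660")
FIXED_NGINX = NGINX_CONF.replace("/tmp/myapp.sock", "/run/uwsgi/myapp.sock")

# Directories that systemd replaces per service when PrivateTmp=yes is set.
PRIVATE_TMP_DIRS = ("/tmp", "/var/tmp")


def uwsgi_socket_settings(ini_text, ini_name="myapp.ini"):
    """Return the socket-related keys, with %n expanded to the ini file's stem."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    sec = cp["uwsgi"]
    stem = os.path.splitext(os.path.basename(ini_name))[0]
    return {
        "socket": sec.get("socket", "").replace("%n", stem),
        "chmod": sec.get("chmod-socket"),
        "chown": sec.get("chown-socket"),
        "gid": sec.get("gid"),
    }


def nginx_uwsgi_socket(conf_text):
    """Path from the first 'uwsgi_pass unix:/path;' directive, or None."""
    m = re.search(r"uwsgi_pass\s+unix:([^;\s]+)", conf_text)
    return m.group(1) if m else None


def lint(ini_text, conf_text, ini_name="myapp.ini"):
    """Return findings as strings; an empty list means the pair is consistent and tight."""
    s = uwsgi_socket_settings(ini_text, ini_name)
    nginx_path = nginx_uwsgi_socket(conf_text)
    findings = []

    if nginx_path and nginx_path != s["socket"]:
        findings.append(f"path mismatch: uwsgi binds {s['socket']} but nginx connects to {nginx_path}")

    if any(s["socket"] == d or s["socket"].startswith(d + "/") for d in PRIVATE_TMP_DIRS):
        findings.append(f"{s['socket']} is under a PrivateTmp directory; a service with "
                        "PrivateTmp=yes sees its own empty copy of it. Move the socket to /run.")

    if s["chmod"]:
        mode = int(s["chmod"], 8)
        if mode & stat.S_IWOTH:
            # connect() on a unix socket requires write permission on the socket file.
            findings.append(f"chmod-socket={s['chmod']} is world-writable: any local user can "
                            "send requests to the application. 660 is enough for nginx.")

    if s["chown"] and ":" in s["chown"]:
        group = s["chown"].split(":", 1)[1]
        if s["gid"] and group != s["gid"]:
            findings.append(f"chown-socket group {group} differs from gid={s['gid']}")

    return findings


if __name__ == "__main__":
    for label, ini, conf in (("as posted", UWSGI_INI, NGINX_CONF),
                             ("corrected", FIXED_INI, FIXED_NGINX)):
        print(f"{label}:")
        for finding in lint(ini, conf) or ["no findings"]:
            print("  -", finding)
```

Running it prints the two findings for the posted configuration and none for the corrected pair; changing only the ini and not the nginx side produces the path-mismatch finding instead, which is the other common way this setup breaks.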

KVM debian wheezy packages with ceph support

mongo533 asked:

Does anybody know any packages out there for kvm which are compiled with RBD support?

I have these installed right now:

ii  kvm                              1:1.1.2+dfsg-6+deb7u8         amd64        dummy transitional package from kvm to qemu-kvm
ii  qemu-kvm                         1.1.2+dfsg-6+deb7u8           amd64        Full virtualization on x86 hardware
ii  libvirt-bin                      1.2.9-9~bpo70+1               amd64        programs for the libvirt library
ii  libvirt-clients                  1.2.9-9~bpo70+1               amd64        programs for the libvirt library
ii  libvirt-daemon                   1.2.9-9~bpo70+1               amd64        programs for the libvirt library
ii  libvirt-daemon-system            1.2.9-9~bpo70+1               amd64        Libvirt daemon configuration files
ii  libvirt0                         1.2.9-9~bpo70+1               amd64        library for interfacing with different virtualization systems
ii  python-libvirt                   1.2.1-2~bpo70+1               amd64        libvirt Python bindings

Building kvm on my own seems to be very difficult since it has many dependencies including gui libraries.

Thank you!


I answered:

qemu, libvirt and virt-manager support RBD on Fedora.

Interestingly I did not see support on CentOS 7.


View the full question and answer on Server Fault.

How configure environment variable with AcceptEnv

Saryas asked:

In /etc/ssh/sshd_config, there is an option called AcceptEnv that allows the ssh client to send environment variables. I need to be able to send a large number of environment variables. How can I do this?


I answered:

You can specify multiple environment variables on one line with AcceptEnv, and you can even give the option multiple times if you want.

For example:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

The man page also stated this:

Multiple environment variables may be separated by whitespace or spread across multiple AcceptEnv directives.


View the full question and answer on Server Fault.
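Added example, not part of the question or answer: a small Python audit that collects every AcceptEnv pattern across repeated directives (as the man page allows), expands the * and ? wildcards sshd accepts in these names, and flags variables that change how the login shell, the dynamic loader or common interpreters behave, which the sshd_config man page warns can be used to bypass restricted user environments. The list of risky names is this example's own selection, the wildcard configuration is a constructed counter-example, and Match blocks are not handled.

```python
"""Audit the AcceptEnv directives in an sshd_config for names a client should not control."""
import re

# Constructed input: the directives from the answer above, plus a comment line.
SSHD_CONFIG = """\
# Locale variables the client may forward
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
"""

# Constructed counter-example: wildcards make the accepted set much larger than it looks.
WILDCARD_CONFIG = "AcceptEnv LC_* LD_*\n"

# This example's own list: variables that change how the login shell, the dynamic
# loader or common interpreters behave, so a client controlling them can escape a
# restricted environment.
RISKY_NAMES = {
    "PATH", "HOME", "SHELL", "IFS", "ENV", "BASH_ENV",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
    "PERL5OPT", "PERL5LIB", "PYTHONPATH", "PYTHONSTARTUP",
}


def accepted_env_patterns(config_text):
    """Collect the patterns from every AcceptEnv line: the directive may repeat,
    names are whitespace-separated and keywords are case-insensitive. Match blocks
    are not handled; everything is treated as global."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *values = line.split()
        if keyword.lower() == "acceptenv":
            patterns.extend(values)
    return patterns


def pattern_to_regex(pattern):
    """sshd patterns allow the wildcards * and ?; everything else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def is_accepted(name, patterns):
    """True if the client would be allowed to set this variable."""
    return any(pattern_to_regex(p).match(name) for p in patterns)


def audit(config_text):
    """Findings for wildcard patterns and for risky names the config would accept."""
    patterns = accepted_env_patterns(config_text)
    findings = [f"wildcard pattern {p} accepts every variable it matches"
                for p in patterns if "*" in p or "?" in p]
    findings += [f"{name} is accepted; the client can change the login environment"
                 for name in sorted(RISKY_NAMES) if is_accepted(name, patterns)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("answer", SSHD_CONFIG), ("wildcards", WILDCARD_CONFIG)):
        print(f"{label}: {len(accepted_env_patterns(cfg))} pattern(s)")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The answer's configuration yields 16 explicit names and no findings; the wildcard version is shorter to type but accepts LD_PRELOAD and LD_LIBRARY_PATH along with the locale variables, which is why spelling the names out, as the answer does, is the safer habit.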

Clarification of netcat result

Doug McK asked:

I’ve been trying to debug an issue on our servers and I’m confused by this response from netcat. Can anyone explain why I’m getting these 2 contradictory messages when checking to see if a port is working? Is it failing to connect via TCP and then succeeding with some other method (*)?

ubuntu@1-2-3-4:/var/log$ nc -vz localhost 7777
nc: connect to localhost port 7777 (tcp) failed: Connection refused
Connection to localhost 7777 port [tcp/*] succeeded!

IP4/6 results

nc -vz4 localhost 7777
Connection to localhost 7777 port [tcp/*] succeeded!
nc -vz6 localhost 7777
nc: connect to localhost port 7777 (tcp) failed: Connection refused

I answered:

This is happening because your daemon is only listening on IPv4.

IPv6 is the default protocol, so if a given hostname has both IPv4 and IPv6 addresses, the IPv6 address is always tried first.

In your case, localhost has the IPv4 address 127.0.0.1 and the IPv6 address ::1. But your daemon is only listening on 127.0.0.1.

So, when nc tries to connect to localhost it first connects to ::1, finds nothing is listening, and returns Connection refused. It then tries to connect to 127.0.0.1 and finds your daemon.


View the full question and answer on Server Fault.
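Added example reproducing the behaviour described above (not from the original post): a Python probe that, like nc -vz, resolves a name, tries its IPv6 address before its IPv4 address and reports each attempt separately, run against a listener bound only to 127.0.0.1. The listener and its ephemeral port are constructed here to stand in for the asker's daemon on port 7777; on a host without IPv6 the ::1 attempt fails with a different error than "Connection refused", which the probe also reports rather than hiding.

```python
"""Emulate `nc -vz host port` against a daemon that listens on IPv4 only."""
import socket


def _family_name(family):
    return {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}.get(family, str(family))


def probe_addresses(port, addresses, timeout=1.0):
    """Try one TCP connect per literal address, in the given order.
    Returns (address, family, status) where status is "succeeded" or "failed: <reason>"."""
    results = []
    for addr in addresses:
        family = socket.getaddrinfo(addr, port, proto=socket.IPPROTO_TCP,
                                    flags=socket.AI_NUMERICHOST)[0][0]
        try:
            # Socket creation can fail too (no IPv6 support), so it sits inside the try.
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((addr, port))
            status = "succeeded"
        except OSError as e:
            status = f"failed: {e.strerror or e}"
        results.append((addr, _family_name(family), status))
    return results


def probe(host, port, timeout=1.0):
    """Resolve host and try IPv6 addresses first, then IPv4: this ordering is what
    produces a 'Connection refused' line followed by 'succeeded' for localhost
    when the daemon is bound to 127.0.0.1 only."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    addrs = [sa[0] for fam, *_, sa in infos if fam == socket.AF_INET6]
    addrs += [sa[0] for fam, *_, sa in infos if fam == socket.AF_INET]
    ordered = list(dict.fromkeys(addrs))  # de-duplicate, keep order
    return probe_addresses(port, ordered, timeout)


def start_ipv4_listener(port=0):
    """Constructed stand-in for the asker's daemon: bound to 127.0.0.1 only.
    The kernel completes the handshake without accept(), so connect() succeeds."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_ipv4_listener()
    try:
        # Explicit addresses make the order independent of /etc/hosts.
        for addr, fam, status in probe_addresses(port, ["::1", "127.0.0.1"]):
            print(f"connect to {addr} port {port} ({fam}): {status}")
    finally:
        srv.close()
```

The fix on the daemon side is to bind to both ::1 and 127.0.0.1 (or to a dual-stack [::] socket); the fix on the client side, as the -4 output in the question shows, is to tell the tool which address family to use.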

List of packages for RH 5.x

AverageAllen asked:

I need to install SSSD onto some of my client’s servers, but a few of them are pretty old. Is there a list of all of the packages in the repository for a specific release of redhat?

Specifically I need to see what is the newest version of SSSD that is supported by RH 5.3, 5.4, and 5.4 Beta without downloading them.


I answered:

sssd was added to RHEL 5 with the RHEL 5.6 service pack.

Bring the systems up to date, (the current release is RHEL 5.11) and you will then have access to it.

And, do not run RHEL without a subscription.


View the full question and answer on Server Fault.

Mount windows server 2012 DVD on centos 7

prodigerati asked:

I’m trying to install Windows Server 2012 R2 on a VM using virt-manager on CentOS 7. During the install it will not allow me to select the DVD drive (greyed out).

I tried the following command:

mount -r -t iso9660 /dev/sr0 /mnt/DVD/

The DVD mounted without error but there is only one file:

readme.txt

This disc contains a “UDF” file system and requires an operating system
that supports the ISO-13346 “UDF” file system specification.

So I tried the following command:
mount -r -t iso13346 /dev/sr0 /mnt/DVD/

got this error:
mount: unknown filesystem type 'iso13346'

Could it be that the DVD drive I’m using is too old? It was manufactured in 2003…


I answered:

Don’t specify a filesystem type; mount will figure it out (correctly).

And if you’re trying to install Windows in a virtual machine, you do not need to (and should not) mount the image at all. Simply provide the path to the ISO when setting up the VM in virt-manager.

(Screenshot: virt-manager install media selection page)


View the full question and answer on Server Fault.

PHP-FPM on Linux, SCHED_BATCH or SCHED_OTHER?

pepoluan asked:

I have a Linux webserver (Ubuntu 12.04, kernel 3.2.0) running Magento with quite a number of PHP-FPM child processes.

Since Magento is a heavy framework, I often see several child processes balloon in CPU% (when viewed using htop) for several seconds before dropping out of the top N.

I have been reading about Linux CPU schedulers, and what I got was that SCHED_BATCH seems to give longer timeslices to processes than the default SCHED_OTHER.

Would it be beneficial if I change the schedulers for all PHP-FPM processes to SCHED_BATCH? Or am I misunderstanding the schedulers?


I answered:

After learning a little about SCHED_BATCH, I wouldn’t even attempt to benchmark it:

SCHED_BATCH also triggers much longer, batch-like timeslices – the default SCHED_BATCH timeslice is 1.5 seconds.

SCHED_BATCH was clearly designed for very long running (hours or even days) compute-intensive jobs. Your jobs are only compute-intensive for seconds or fractions of seconds.

This pretty much makes it a no-go for a web server. And it would be worse if the database is on the same machine, as they might contend for one of those extra-long timeslices.


View the full question and answer on Server Fault.

Installing compat-libstdc++-33 on RHEL 7

Mark Williams asked:

As part of an Oracle install I need the “compat-libstdc++-33-3.2.3 (x86_64)” package. However, no matter what variant of the package I try to install with yum, it can’t be found.

[root@ip-xxx-xx-x-xxx ~]# yum install compat-libstdc++-33
Loaded plugins: amazon-id, langpacks, rhui-lb
No package compat-libstdc++-33 available.
Error: Nothing to do
[root@ip-xxx-xx-x-xxx ~]#

Am I missing a repo or something more obvious?


I answered:

You need to enable the RHEL optional and/or extras channels.

yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

View the full question and answer on Server Fault.

How do i find the overcommit ratio for CPU on a KVM host or for that matter on any hypervisor?

The_Lost_Avatar asked:

I have a host and I have installed KVM on it. Now I need to know how much overcommitting of resources it allows, CPU, memory. Is there some command to get the ratios, or does it all exist in theory with no official documentation for it?


I answered:

KVM is just the hypervisor itself. It allows overcommitment without any artificial limit.

The limits are provided by any management tools installed on top of KVM, such as OpenStack.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

firewalld: match which zone by policy

ibotty asked:

I have the following zones that are relevant for this question.

  • SemiTrusted and
  • Public

I want to treat IPsec-encrypted traffic (that is coming from some specific IP addresses) as belonging to SemiTrusted.

In iptables I would use policy matching to use a semitrusted chain.

How can I achieve this with firewalld? I did not see any mention of policy in the firewalld man pages and did not see how to match based on IPsec policy in firewalld.richlanguage(5).

I assume I can use firewalld.direct(5) but I don’t know how to integrate it with the other firewalld.zone(5)-based configuration.


I answered:

You don’t need a direct rule for this; firewalld already has a service definition for IPsec.

firewall-cmd --zone=SemiTrusted --add-service=ipsec

The definition permits all AH, ESP and UDP port 500 traffic.

You’ll need a second rule if either end has NAT, as you then also need to add UDP port 4500:

firewall-cmd --zone=SemiTrusted --add-port=4500/udp

View the full question and answer on Server Fault.
