Category CentOS

Puppet and 64bits packages

Since I use puppet to manage my machines (and the machines of customers), I noticed that I had more packages installed than before. I also noticed, obviously, the same behavior in packages to update and bandwidth consumption during updates. I realized that on 64bits machines, most of the time, the 32bits versions of the packages managed by puppet were also installed. This is what I did in my recipes before:
    package { "corosync":
        ensure => "installed",
        require => Yumrepo["clusterlabs"];
    }
This kind of package declaration then installed both versions of the package, in this case corosync, and the dependencies too. To avoid this I added the fact hardwaremodel and used the alias to keep my recipes consistent:
    package { "corosync.$hardwaremodel":
        ensure => "installed",
        alias => "corosync",
        require => Yumrepo["clusterlabs"];
    }
Hope this could help people having noticed the same behavior... or not :-)
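
To check whether a host still carries such duplicates after the manifest change, the following added example (not code from the original post) lists every package name installed for both x86_64 and a 32-bit x86 architecture. The function names and the sample package list are constructed for illustration.

```shell
#!/bin/sh
# Added example: find packages installed for both 32-bit and 64-bit x86.

# Constructed sample of `rpm -qa --qf "%{NAME} %{ARCH}\n"` output.
sample_rpm_list() {
cat <<'EOF'
corosync x86_64
corosync i386
corosynclib x86_64
corosynclib i386
glibc x86_64
glibc i686
pacemaker x86_64
puppet noarch
gpg-pubkey (none)
kernel x86_64
kernel x86_64
EOF
}

# dual_arch: read "NAME ARCH" lines on stdin and print each package name that
# is installed for x86_64 and also for a 32-bit x86 arch (i386 to i686).
# noarch packages and repeated versions of one arch are not reported.
dual_arch() {
    awk '
    $2 == "x86_64"    { has64[$1] = 1 }
    $2 ~ /^i[3-6]86$/ { has32[$1] = 1 }
    END { for (n in has64) if (n in has32) print n }
    ' | sort
}

# On a real host: rpm -qa --qf "%{NAME} %{ARCH}\n" | dual_arch
sample_rpm_list | dual_arch
```

Some 32-bit libraries may be installed on purpose for 32-bit applications, so the output is a list to review rather than a list to remove.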

High Availability Open-Xchange Server

Since I tested it 4 years ago, I like Open-Xchange (even if I'm not a java app fan). I like the layout and also all the features it provides. The calendar is very complete. For a customer where I set it up 4 years ago, I've migrated this service to a cluster running the latest version. The machines are fully installed via kickstart from a pxeboot (using cobbler). This post describes the solution.

The setup is based on CentOS and uses the pair corosync / pacemaker as cluster. The solution consists of two nodes where only one machine provides the service. The components are:

- one ip balancing between the two nodes
- apache running on the "active/master" server (the server providing the service)
- open-xchange running on one node at a time
- funambol running on one node at a time
- openldap running on both machines in mirroring
- cyrus running on both machines as master/slave
- mysql running on both machines as master/master replication

This is an overview of the crm:

Most of the needed steps are put in some puppet recipes to help the provisioning (you can find them on my github account).

With the cyrus-imapd delivered by default on redhat/centos, when the cyrus master starts without the slave running, cyrus won't reply for a long time... the bug we are hitting here has been resolved in newer versions. I use cyrus-imapd 2.4.6, package from Simon Matter. You can find the source of this package here

tomcat6 with APR on RHEL5.5

The other day at $CLIENT I had to install a webapp that needed tomcat6 and I found it was quite a hassle to install a packaged version on a 32bits RedHat RHEL 5.5. During that painful process, lefred helped finding the magic package that solved it all so I felt it was only fair for me to publish the complete solution as a guest post on his blog!

Windows 7 and Samba

Today I tried to put in production an update of Samba 3 (3.5.4) to allow Windope 7 clients to join the domain. After having performed what's on the samba wiki page about this topic [here], I could join the machine to the domain but I was not able to log in!? :( In the log:
[2010/08/20 16:55:20.682477,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client RO-BACKUP machine account RO-BACKUP$
[2010/08/20 16:55:30.993850,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2010/08/20 16:55:30.993958,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
The problem was easy to solve but not easy to find: the two machines did not have the same time (30 secs delay!). Fixing the time sync fixed the problem (and I'm not using kerberos and AD).

the culprit is always… SELinux :)

After having set up squid and dansguardian (using clamd) on CentOS 5, I wasn't able to use it :( I always had the following error, even if the dansguardian user was the same as clamd (clamav):
2010.7.9 12:22:41 - 10.0.200.6 http://www.eicar.org/anti_virus_test_file.htm
 *INFECTED* *DENIED* /tmp/tfIlR1j6: lstat() failed: Permission denied. 
ERROR GET 15590 0 Content scanning 1 403 text/html  
I just realized after having searched too long that SELinux (I know life is too short for it) was the culprit. It was my mistake as I completely forgot that this machine had selinux enabled :-S So in /var/log/audit/audit.log I had:
type=AVC msg=audit(1278673113.470:3489): avc:  denied  { getattr } for
pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17 
scontext=user_u:system_r:clamd_t:s0 
tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1278673113.470:3489): arch=c000003e 
syscall=6 success=no exit=-13 a0=8cce370 a1=421f2dc0 a2=421f2dc0 
a3=8 items=0 ppid=1 pid=32164 auid=1004 uid=102 gid=114 euid=102 
suid=102 fsuid=102 egid=114 sgid=114 fsgid=114 tty=(none) ses=437 
comm="clamd" exe="/usr/sbin/clamd" subj=user_u:system_r:clamd_t:s0 
key=(null)
Note to myself: Never forget to check in audit.log! To create the selinux policies, I used the following commands, which are quite easy:
audit2allow -a -m dansguardian > dansguardian.te
checkmodule -M -m dansguardian.te 
checkmodule -M -m dansguardian.te -o dansguardian.mod
semodule_package -o dansguardian.pp -m dansguardian.mod
semodule -i dansguardian.pp 
Et voilà ! Dansguardian is running and I didn't disable selinux :-)
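
Because `audit2allow -a` reads every denial in the audit log, the generated module can grant more than the clamd access it was built for. The following added example (not part of the original post) summarises AVC records as the allow rules they imply, optionally limited to one source type, so the rules can be reviewed before `semodule -i`. The function names are hypothetical, and all sample records except the first are constructed.

```shell
#!/bin/sh
# Added example: list the allow rules implied by AVC denials for review.

# Sample input: the first record is the denial quoted in the post, joined onto
# one line as it appears in audit.log; the other records are constructed.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1278673113.470:3489): avc:  denied  { getattr } for pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1278673113.480:3490): avc:  denied  { read } for pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1278673113.470:3489): arch=c000003e syscall=6 success=no exit=-13 comm="clamd" exe="/usr/sbin/clamd"
type=AVC msg=audit(1278673200.100:3501): avc:  denied  { name_connect } for pid=2211 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# avc_rules [SOURCE_TYPE]: read audit records on stdin and print one merged
# "allow" rule per (source type, target type, class). With SOURCE_TYPE given
# (e.g. clamd_t), keep only denials raised by that domain.
avc_rules() {
    awk -v want="${1:-}" '
    /^type=AVC / && / denied / {
        o = index($0, "{"); c = index($0, "}")
        if (o == 0 || c <= o) next                    # malformed record
        n = split(substr($0, o + 1, c - o - 1), perm, " ")
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); src = f[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tgt = f[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next # incomplete record
        if (want != "" && src != want) next           # other domain
        key = src " " tgt ":" cls
        for (i = 1; i <= n; i++)
            if (!seen[key, perm[i]]++) perms[key] = perms[key] " " perm[i]
    }
    END { for (key in perms) print "allow " key " {" perms[key] " };" }
    ' | sort
}

# On a real host: avc_rules clamd_t < /var/log/audit/audit.log
sample_audit_log | avc_rules
```

Run without an argument, the sample also yields an `httpd_t` rule, which is the kind of unrelated grant that would otherwise end up in a module named dansguardian.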

As MySQL Community Manager, I am an employee of Oracle and the views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
