Server Bug Fix: the same ssh rsa key does not work in Ubuntu(WSL) while from RHEL7 it works


I’m trying to connect from Ubuntu (WSL) to a RHEL7 server using an SSH RSA key.
And it does not work, while the same key when used from another RHEL7 host works.

  • I checked all file permissions
  • There is no “from clause” in authorized keys on the other side
  • I explicitly use -i option for ssh

From Ubuntu:

Ubuntu$ md5sum .ssh/id_rsa
986428c7e5882c26c9ba2b9ca403fbe3  .ssh/id_rsa

Ubuntu$ ssh -l "ansible_install" -i ~/.ssh/id_rsa -vvv -p 6000 rhel7-target

sshd debug:
debug1: userauth-request for user ansible_install service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x55cc1cfca760
debug1: temporarily_use_uid: 4001/4001 (e=0/0)
debug1: trying public key file /home/ansible_install/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug2: key not found
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x55cc1cfca760 is not allowed
Failed publickey for ansible_install from 2.252.221.223 port 53431 ssh2: RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo

ssh debug:
debug1: identity file /home/ivabrezi/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
... (this is non-sense, the file is there)
debug2: key: /home/ivabrezi/.ssh/id_rsa (0x7fffe1905f90), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner

WARNING:
...

debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
...
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo /home/ivabrezi/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51

The same from RHEL:

# md5sum ~/.ssh/id_rsa
986428c7e5882c26c9ba2b9ca403fbe3  /root/.ssh/id_rsa

# ssh -l "ansible_install" -i ~/.ssh/id_rsa  rhel7-target

sshd debug
debug1: userauth-request for user ansible_install service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x5607a9495770
debug1: temporarily_use_uid: 4001/4001 (e=0/0)
debug1: trying public key file /home/ansible_install/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/ansible_install/.ssh/authorized_keys, line 1 RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x5607a9495770 is allowed

ssh debug:
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug3: sign_and_send_pubkey: RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Is it possible Ubuntu does something secure with their ssh, so it can no longer connect to RHEL?
I saw something like that more than 20 years ago on AIX (but that was caused by a bug in gcc).

Your post says you are using the same key, but the logs indicate that you’ve used two different keys for each connection attempt.

The successful key from your RHEL client has, according to the logs, RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s. While the failing key from your Ubuntu WSL client has, according to the logs, RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo. As you can see, you are not actually using the same key.

Of course, you shouldn’t be sharing the same key between systems anyway, but using different keys, both of which are authorized in the server’s authorized_keys file.
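
The comparison made in the answer above can be reproduced offline. The following is an added example, not part of the original posts: it computes OpenSSH SHA256 fingerprints for authorized_keys entries and matches them against the fingerprint that sshd logs. The key blobs and the authorized_keys content are constructed sample data (not usable keys); the two log lines are the ones quoted in the question.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}")


def ssh_string(data):
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def split_fields(line):
    """Split on whitespace, keeping double-quoted option values in one piece."""
    fields, current, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
        prev = ch
    if current:
        fields.append(current)
    return fields


def parse_authorized_keys(text):
    """Return (line_number, key_type, fingerprint, comment) per usable entry."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # Options, if present, come first; the key type is the first known name.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # damaged entry, e.g. a key truncated or wrapped by an editor
        # The blob repeats its type as its first field; a mismatch means a mangled line.
        if not blob.startswith(ssh_string(fields[idx].encode())):
            continue
        comment = " ".join(fields[idx + 2:])
        entries.append((number, fields[idx], fingerprint(blob), comment))
    return entries


def lookup(offered_fp, authorized_keys_text):
    """Line number of the entry whose fingerprint matches, else None."""
    for number, _type, fp, _comment in parse_authorized_keys(authorized_keys_text):
        if fp == offered_fp:
            return number
    return None


def offered_fingerprints(log_lines):
    """Distinct key fingerprints found in sshd debug output, in order seen."""
    seen = []
    for line in log_lines:
        match = FP_RE.search(line)
        if match and match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


# Constructed sample blobs: correctly encoded, but not usable keys.
KEY_A = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xa1" * 256)
KEY_B = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xb2" * 256)

# Constructed authorized_keys: key A with options, a comment, a truncated entry.
AUTHORIZED_KEYS = "\n".join([
    'no-pty,command="echo hello world" ssh-rsa '
    + base64.b64encode(KEY_A).decode("ascii") + " constructed-key-a",
    "# constructed key B is deliberately absent",
    "ssh-rsa AAAAB3Nza constructed-truncated",
])

# sshd lines quoted from the question: the Ubuntu attempt, then the RHEL attempt.
PAGE_LOG = [
    "debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:KNOpLJ8hyXysUkO9PlVuBap/YpcIB67D9dxBBOKy0bo [preauth]",
    "debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:Rm7/A+A+sNr/1jeSVOe29DKa/F+eWOCGf+zba8LIy1s [preauth]",
]

if __name__ == "__main__":
    print("fingerprints offered in the logs:", offered_fingerprints(PAGE_LOG))
    for name, blob in (("A", KEY_A), ("B", KEY_B)):
        fp = fingerprint(blob)
        print("key", name, fp, "-> authorized_keys line", lookup(fp, AUTHORIZED_KEYS))
```

On a real host the same fingerprints are printed by `ssh-keygen -lf` for a key file or for the server's authorized_keys file.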


Server Bug Fix: How can I read explicit https proxy CA certificate on RHEL7?


I have a server behind an explicit HTTPS proxy with SSL decryption, but I don’t know its certificate and I have no way to obtain it from a human being. Is it possible to retrieve the HTTPS proxy certificate from the server CLI so that I could add it as a trusted CA?

It’s RHEL 7 so as far as I know there’s no openssl 1.1.x (which supports -proxy parameter and allows to do that)


Server Bug Fix: home logical volume is not available after reboot


On a server with RHEL 7.2 it gets to emergency mode when rebooting. Looking a bit I found out that what happens is that the /home partition was missing and the reason was LVM:

  --- Logical volume ---
  LV Name                /dev/rhel/home
  VG Name                rhel
  LV UUID                6GB8TR-ih7d-vg7J-xCLE-A8OH-gmwy-3XLyOb
  LV Write Access        read/write
  LV Status              NOT available
  LV Size                200.88 GiB
  Current LE             51425
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto

In this emergency mode, if I do

  vgchange -a y

the volume becomes “active” and I can mount it and see the content. The problem is that after rebooting, the same problem appears…

1) Why is this happening?

2) If vgchange -a y is the only solution, how can I make this permanent after each reboot?

In your fstab file, add the _netdev flag to the device so the boot process waits for the physical volume to become ready, and retries the mount.

so

defaults

becomes

defaults,_netdev

and make sure netfs is running on boot too

chkconfig netfs on

that should do it I hope

I believe you need to add lvm module to /etc/modules and rebuild the initrd, and grub (with update-grub and update-initramfs on debian family and dracut on RHEL family linux)

This happens when, during boot, the bootloader gets loaded, reaches and unpacks the initrd filesystem and then encounters the fstab, which tells it to mount the LVM volume; however, the LVM kernel modules are not present in the initrd environment (a minified Linux bootstrap to mount all filesystems needed to mount rootfs and its children), and thus it fails during boot.


Server Bug Fix: Getting OOPS when trying to install Rhel 7.8 on dell laptop


I’ve upgraded a Dell Inspiron 15 to 32GB RAM, so I could use Red Hat on it.
However, when I try to boot from a USB that contains rhel 7.8 DVD ISO, I get the following OOPS:

OOPS

Can rhel 7 be installed on this Dell laptop?

Notes

  • for my development needs (clients), I have to use rhel 7.
  • CentOS 7.6 also gives an OOPS when I try installation from a USB (which I installed several desktops from).

Server Bug Fix: Microsoft ADV190023: How to force LDAPS on RHEL 7?


I am working in a company who works with an Active Directory domain, running on Win Server 2016.
I have some Linux servers (RHEL6) AD integrated with Samba.
I’ve read Microsoft will release soon an update Microsoft ADV190023, and I am working with RHEL 7 (8 not approved yet), in order to work with AD controllers only via LDAPS.

I want my Linux client to speak only to DC on target port 636.
I tried to look at several forums but I am a little bit lost between the different configs (realmd, krb5, sssd, pam, ldap.conf).

I know there are several ways to join an AD domain. The last one I tried was realm, which automatically configured sssd and krb5. That works successfully, but I would like it only on 636. Moreover, I would need a little refresher on the above: I am wondering what the difference is between joining a Linux host to AD via net ads join -U administrator and realm join mydomain.com?

Is there a way to force my linux client to speak only to DC on port 636 ?
Do I need to generate certificates on my Linux client and have them approved by our certification authority? I already imported the DC certificates + the root CA.

Thanks for your help,
Regards

Realmd allows you to configure AD and LDAP client integration on your Linux host. In the backend it will create all needed configuration files (SSSD, krb5, PAM) and join the domain.

At this moment realmd can be used to configure AD and LDAP only. You can use SSSD with LDAPS too but that will need some manual and slightly complicated configuration yourself.

Check Impact of Microsoft Security Advisory ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integration. Red Hat stated that:

  • They have verified by enforcing LDAP channel binding and LDAP signing on Active Directory Domain 2016 with various scenarios and observed no impact on Red Hat Enterprise Linux 6, 7 and 8 client systems functionality.
  • The default configuration can result in an event with ID 2889 on the domain controller, but this looks like a false/positive log event which is currently under investigation.
  • They are working on an SSSD/adcli enhancement that allows the use of LDAPS protocol with the SSSD active directory provider. This will allow us to configure AD integration as you are used to (realmd) but with LDAPS in the backend. This type of configuration is optional and only needed in environments where the default LDAP port 389 is closed. The aforementioned RFE’s will also set GSS-SPNEGO as default SASL mechanism in adcli. Currently GSSAPI is hardcoded in adcli and can not be changed.

Update: Red Hat released RHEL 7.8 yesterday which has the new adcli feature aboard. Check adcli man pages for more details. Currently there seems to be no realm integration, so if you want to go “full LDAPS” (on port 636) you will have to combine adcli with manual LDAPS configuration in SSSD.

There is no need to switch to TLS-based communication when ADV190023 recommendations are enforced on AD side. The RHEL client daemon SSSD uses SASL by default when talking to an AD backend. SASL can also sign and seal the connection so that there is no need to use TLS. Currently the SASL library shipped in RHEL does not support Channel Binding Tokens (work is already completed upstream though and will come to RHEL shortly) so that you would even run into problems when you move from SASL on default LDAP port 389 to port 636 and rely on TLS for the sealing and signing of the connection. Channel Binding Tokens are only required when TLS is used.


Server Bug Fix: Installing Redhat repositories in a chroot jail with no repositories installed


I have installed software that runs in a chroot jail in Redhat 7.3. Unfortunately, there are no repositories installed in this jail, so I can not download the packages I need through yum. I would like to add the Redhat repositories to the jail but I have not found a way to do so. Simply copying over the repository files from the host doesn’t work because the repos require keys and certificates. Copying over the keys and certs doesn’t seem to work either.

How can I install the Redhat repositories onto a machine with no repositories installed? I do have yum and yum-config-manager.

The path of least resistance might be just to run your software in a docker or LXC. But the simplest way I know to get this to work in a chroot is to set up a filesystem with an entire working linux distribution. So here’s how to copy your entire existing OS into a /chroot directory and then you can do in the chroot pretty much anything you could do with the base system.

I don’t have a RHEL system lying around, so these instructions were tested on CentOS 7.

run all of these as root:

Move to the root directory

cd /

Create a chroot directory

mkdir chroot

Copy most of the operating system

cp {bin,etc,lib,lib64,sbin,usr} /chroot/ -a

Make placeholders for the rest

mkdir /chroot/{root,dev,home,mnt,opt,proc,run,sys,tmp,var}

mount the special filesystems to your chroot

mount -o bind /run /chroot/run/

mount -o bind /proc /chroot/proc/

mount -o bind /sys /chroot/sys/

mount -o bind /dev /chroot/dev/

Enter the chroot

chroot chroot

Since we didn’t copy /var or /run, yum won’t be able to resolve the $releasever and $basearch variables, so we hard code them into the repo file. This is the path to the CentOS repo, you should change this to whatever Red Hat uses. So you might replace CentOS-Base.repo with RedHat-Base.repo or whatever is your base repository in the /etc/yum.repos.d/ directory. Also, make sure the architecture matches: this instruction is for 64-bit x86, which is most likely what you’re using, but if you have a PowerPC server or something really strange, then modify accordingly.

sed -i 's/\$basearch/x86_64/g' /etc/yum.repos.d/CentOS-Base.repo

sed -i 's/\$releasever/7/g' /etc/yum.repos.d/CentOS-Base.repo

Now you can invoke yum and install software

yum install vim

This will install vim in your chroot but not your base system. For hardening, you might want to go through and remove a bunch of packages from your chroot, as this is pretty much a full fledged Red Hat server running in the chroot at this point.


Server Bug Fix: Is there a way to display cn=changelog in the Directory Tree of OpenLDAP when exploring with a directory explorer like phpldapadmin?


I have configured my changelog to get logged using this procedure: This tutorial I followed to set up changelog

Now I have an ldif that is logging the changelog. But the requirement is to be able to see an ou cn=changelog in the directory tree, which can be used to see these changelogs while using any LDAP explorer. I am not able to find any resource on how to do it. Please guide me. I have added a picture for reference.

Something like this

You might be looking for the slapo-accesslog(5) overlay, which logs operations in an internal LDAP database.


Server Bug Fix: Is it possible to add an os variant to the virt-manager list?


I just installed RHEL 7.1 on a server. I’m using it to study for the RHCSA/RHCE exams. One of the steps in the study guide is to install a VM through virt-manager using installation media on an FTP server. The OS variant list only goes up to RHEL 7.0.

I attempted to install 7.1 but it threw an error every time:

An unknown error has occurred

The dialog that contains the error also provides debug information and a backtrace leading up to the error. I have not been able to find any cause of the problem when sifting through this data.

I downloaded the RHEL 7.0 installation media. When pointing the VM at that during the configuration the installation does not throw the error and runs normally.

I find it strange that virt-manager on RHEL 7.1 can’t install a RHEL 7.1 VM. But that’s neither here nor there.

Is it possible to add RHEL 7.1 to the list? If so will it be recognized or are there other things that virt-manager relies on to ensure the process functions correctly?

The OS variant isn’t really that important. It just sets some defaults like the default amount of RAM and CPUs. You can safely set it to the closest available match (e.g. RHEL 7.0 for 7.1).


Server Bug Fix: fence_gce is not working as expected on GCP?


I have configured a vanilla cluster with fence_gce. stonith_rhnfs01 is on node1 and stonith_rhnfs02 is on node2. Now I bring down node2. stonith_rhnfs01 was already on node1, and stonith_rhnfs02 fails on node2 and starts on node1 with no specific error in the logs. Clearing the stonith_rhnfs02 resource brings stonith_rhnfs02 back onto node2.

I also increased the monitoring interval of stonith to 120s but still no success.

Below is the output for reference.

# pcs status
Cluster name: etutorialguru_cluster
Stack: corosync
Current DC: rhnfs01 (version 1.1.19-8.el7_6.5-c3c624ea3d) - partition with quorum
Last updated: Tue Jun  2 11:50:41 2020
Last change: Tue Jun  2 08:20:27 2020 by hacluster via crmd on rhnfs01

2 nodes configured
2 resources configured

Online: [ rhnfs01 rhnfs02 ]

Full list of resources:

 stonith_rhnfs01        (stonith:fence_gce):    Started rhnfs01
 stonith_rhnfs02        (stonith:fence_gce):    Started rhnfs01

Failed Actions:
* stonith_rhnfs02_start_0 on rhnfs02 'unknown error' (1): call=10, status=Timed Out, exitreason='',
    last-rc-change='Tue Jun  2 11:34:00 2020', queued=0ms, exec=20013ms


Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

Cluster configuration:

# pcs config
Cluster Name: etutorialguru_cluster
Corosync Nodes:
 rhnfs01 rhnfs02
Pacemaker Nodes:
 rhnfs01 rhnfs02

Resources:

Stonith Devices:
 Resource: stonith_rhnfs01 (class=stonith type=fence_gce)
  Attributes: pcmk_host_map=rhnfs01:rhnfs01 pcmk_reboot_retries=4 pcmk_reboot_timeout=480s power_timeout=240 zone=us-central1-a project=mytower
  Operations: monitor interval=120s (stonith_rhnfs01-monitor-interval-120s)
 Resource: stonith_rhnfs02 (class=stonith type=fence_gce)
  Attributes: pcmk_host_map=rhnfs02:rhnfs02 pcmk_reboot_retries=4 pcmk_reboot_timeout=480s power_timeout=240 zone=us-central1-b project=mytower
  Operations: monitor interval=120s (stonith_rhnfs02-monitor-interval-120s)
Fencing Levels:

Location Constraints:
Ordering Constraints:
Colocation Constraints:
Ticket Constraints:

Alerts:
 No alerts defined

Resources Defaults:
 No defaults set
Operations Defaults:
 No defaults set

Cluster Properties:
 cluster-infrastructure: corosync
 cluster-name: etutorialguru_cluster
 dc-version: 1.1.19-8.el7_6.5-c3c624ea3d
 have-watchdog: false
 last-lrm-refresh: 1591086027
 maintenance-mode: false
 no-quorum-policy: ignore
 stonith-enabled: true

Quorum:
  Options:

messages Logs output:

# tail -f /var/log/messages
Jun  2 11:33:52 rhnfs01 corosync[1046]: [TOTEM ] A new membership (192.168.0.68:96) was formed. Members joined: 2
Jun  2 11:33:52 rhnfs01 corosync[1046]: [QUORUM] Members[2]: 1 2
Jun  2 11:33:52 rhnfs01 corosync[1046]: [MAIN  ] Completed service synchronization, ready to provide service.
Jun  2 11:33:52 rhnfs01 crmd[1162]:  notice: Node rhnfs02 state is now member
Jun  2 11:33:52 rhnfs01 pacemakerd[1089]:  notice: Node rhnfs02 state is now member
Jun  2 11:33:54 rhnfs01 attrd[1159]:  notice: Node rhnfs02 state is now member
Jun  2 11:33:54 rhnfs01 stonith-ng[1156]:  notice: Node rhnfs02 state is now member
Jun  2 11:33:55 rhnfs01 cib[1155]:  notice: Node rhnfs02 state is now member
Jun  2 11:33:55 rhnfs01 crmd[1162]:  notice: State transition S_IDLE -> S_INTEGRATION
Jun  2 11:33:59 rhnfs01 pengine[1161]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:33:59 rhnfs01 pengine[1161]:  notice:  * Move       stonith_rhnfs02     ( rhnfs01 -> rhnfs02 )
Jun  2 11:33:59 rhnfs01 pengine[1161]:  notice: Calculated transition 13, saving inputs in /var/lib/pacemaker/pengine/pe-input-30.bz2
Jun  2 11:33:59 rhnfs01 crmd[1162]:  notice: Initiating monitor operation stonith_rhnfs01_monitor_0 on rhnfs02
Jun  2 11:33:59 rhnfs01 crmd[1162]:  notice: Initiating stop operation stonith_rhnfs02_stop_0 locally on rhnfs01
Jun  2 11:33:59 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:33:59 rhnfs01 crmd[1162]:  notice: Result of stop operation for stonith_rhnfs02 on rhnfs01: 0 (ok)
Jun  2 11:33:59 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:00 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:00 rhnfs01 crmd[1162]:  notice: Initiating monitor operation stonith_rhnfs02_monitor_0 on rhnfs02
Jun  2 11:34:00 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:00 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:00 rhnfs01 crmd[1162]:  notice: Initiating start operation stonith_rhnfs02_start_0 on rhnfs02
Jun  2 11:34:00 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:00 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 crmd[1162]: warning: Action 8 (stonith_rhnfs02_start_0) on rhnfs02 failed (target: 0 vs. rc: 1): Error
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Transition aborted by operation stonith_rhnfs02_start_0 'modify' on rhnfs02: Event failed
Jun  2 11:34:20 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Transition 13 (Complete=4, Pending=0, Fired=0, Skipped=0, Incomplete=1, Source=/var/lib/pacemaker/pengine/pe-input-30.bz2): Complete
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 pengine[1161]: warning: Processing failed start of stonith_rhnfs02 on rhnfs02: unknown error
Jun  2 11:34:20 rhnfs01 pengine[1161]: warning: Processing failed start of stonith_rhnfs02 on rhnfs02: unknown error
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice:  * Recover    stonith_rhnfs02     (            rhnfs02 )
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice: Calculated transition 14, saving inputs in /var/lib/pacemaker/pengine/pe-input-31.bz2
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Transition aborted by transient_attributes.2 'create': Transient attribute change
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Transition 14 (Complete=0, Pending=0, Fired=0, Skipped=1, Incomplete=3, Source=/var/lib/pacemaker/pengine/pe-input-31.bz2): Stopped
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 pengine[1161]: warning: Processing failed start of stonith_rhnfs02 on rhnfs02: unknown error
Jun  2 11:34:20 rhnfs01 pengine[1161]: warning: Processing failed start of stonith_rhnfs02 on rhnfs02: unknown error
Jun  2 11:34:20 rhnfs01 pengine[1161]: warning: Forcing stonith_rhnfs02 away from rhnfs02 after 1000000 failures (max=1000000)
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice:  * Recover    stonith_rhnfs02     ( rhnfs02 -> rhnfs01 )
Jun  2 11:34:20 rhnfs01 pengine[1161]:  notice: Calculated transition 15, saving inputs in /var/lib/pacemaker/pengine/pe-input-32.bz2
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Initiating stop operation stonith_rhnfs02_stop_0 on rhnfs02
Jun  2 11:34:20 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:20 rhnfs01 crmd[1162]:  notice: Initiating start operation stonith_rhnfs02_start_0 locally on rhnfs01
Jun  2 11:34:20 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:21 rhnfs01 crmd[1162]:  notice: Result of start operation for stonith_rhnfs02 on rhnfs01: 0 (ok)
Jun  2 11:34:21 rhnfs01 crmd[1162]:  notice: Initiating monitor operation stonith_rhnfs02_monitor_120000 locally on rhnfs01
Jun  2 11:34:21 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:21 rhnfs01 stonith-ng[1156]:  notice: On loss of CCM Quorum: Ignore
Jun  2 11:34:22 rhnfs01 crmd[1162]:  notice: Transition 15 (Complete=3, Pending=0, Fired=0, Skipped=0, Incomplete=0, Source=/var/lib/pacemaker/pengine/pe-input-32.bz2): Complete
Jun  2 11:34:22 rhnfs01 crmd[1162]:  notice: State transition S_TRANSITION_ENGINE

I also saw during the test that sometimes stonith_rhnfs01 starts on node2 and stonith_rhnfs02 starts on node1.

Please suggest.


Server Bug Fix: Unable to load mailparse even with a zz prefix


I’ve read numerous articles stating that mailparse needs to load after mbstring, however, even when prefixing the mailparse with zz, it still has the same issue and I really am at my wits end in trying to figure out why.

Though I still see it in the list of modules.

# php -m
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/zz-mailparse.so' - /usr/lib64/php/modules/zz-mailparse.so: undefined symbol: mbfl_convert_filter_flush in Unknown on line 0
[PHP Modules]
bz2
calendar
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imap
intl
json
libxml
mailparse
mbstring
mcrypt
mhash
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

in /etc/php.ini

extension=zz-mailparse.so

Not sure if this is the issue even though I have SELinux as permissive.

[/usr/lib64/php/modules]# ls -lhZ
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       bz2.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       calendar.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       ctype.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       curl.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       dom.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       exif.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       fileinfo.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       ftp.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       gd.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       gettext.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       gmp.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       iconv.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       imap.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       intl.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       json.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       mbstring.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       mcrypt.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       mysqli.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       mysql.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       opcache.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       pdo_mysql.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       pdo.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       pdo_sqlite.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       phar.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       shmop.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       simplexml.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       sockets.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       sqlite3.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       tokenizer.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       wddx.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       xmlreader.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       xml.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       xmlwriter.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       xsl.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       zip.so
-rwxr-xr-x. root root unconfined_u:object_r:lib_t:s0   zz-mailparse.so

I am on a RHEL7 server with PHP 5.6.28 and MariaDB 5.5.52

Maybe you include the module twice. Something similar to:

$ /etc/php/7.1/cli/conf.d # ls -lh | grep parse
lrwxrwxrwx 1 root root 41 Feb  7 12:37 20-mailparse.ini -> /etc/php/7.1/mods-available/mailparse.ini
lrwxrwxrwx 1 root root 41 Feb  7 13:03 21-mailparse.ini -> /etc/php/7.1/mods-available/mailparse.ini

I had the same problem here.

The problem is caused by two facts:

  1. The mailparse.so PHP dynamic link library requires the mbstring.so PHP dynamic link library.

  2. PHP dynamic link libraries (“extensions”) are loaded from both /etc/php.ini (and /etc/php-cli.ini) and the files in the /etc/php.d directory in alphabetical order.

There are several solutions:

  1. Ensure that mbstring.so is loaded prior to mailparse.so in php-cli.ini:

    extension=mbstring.so
    extension=mailparse.so

  2. If you have either extension in a file in /etc/php.d, rename the .ini files themselves so that they are ordered.

mbstring.so

    extension=mbstring.so

zz-mailparse.so

    extension=mailparse.so

  3. Load the mbstring.so module twice. Note that this produces lots of PHP warnings in the logs which I dislike.

mailparse.so

    extension=mbstring.so
    extension=mailparse.so

mbstring.so

    extension=mbstring.so
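
The load-order rule described in the answers above, as an added example that is not part of the original posts: it lists the order in which extension= directives would be processed and flags mailparse being queued before mbstring, or a module being listed twice. The file names and contents are constructed samples, and the code assumes that directives in the main php.ini are processed before the files in /etc/php.d.

```python
import posixpath
import re

# Matches active "extension=" lines only; ";" comments and zend_extension are ignored.
EXT_RE = re.compile(r'^\s*extension\s*=\s*"?([^";\s]+)', re.IGNORECASE | re.MULTILINE)


def load_order(php_ini, scan_dir):
    """List (source_file, module) in the order PHP would try to load them.

    Assumption: directives from the main php.ini are queued first, then each
    *.ini file of the scan directory in alphabetical order of its file name.
    """
    order = [("php.ini", module) for module in EXT_RE.findall(php_ini)]
    for name in sorted(scan_dir):
        if name.endswith(".ini"):
            order += [(name, module) for module in EXT_RE.findall(scan_dir[name])]
    return order


def stem(module):
    """'/usr/lib64/php/modules/zz-mailparse.so' -> 'zz-mailparse'."""
    base = posixpath.basename(module)
    return base[:-3] if base.endswith(".so") else base


def check(order, dependent="mailparse", provider="mbstring"):
    """Return findings about where `provider` sits relative to `dependent`."""
    stems = [stem(module) for _source, module in order]
    dep_at = [i for i, s in enumerate(stems) if dependent in s]
    prov_at = [i for i, s in enumerate(stems) if provider in s]
    findings = []
    if not dep_at:
        return findings
    if not prov_at:
        findings.append(f"{provider} is never loaded")
    elif prov_at[0] > dep_at[0]:
        findings.append(f"{dependent} ({order[dep_at[0]][0]}) loads before "
                        f"{provider} ({order[prov_at[0]][0]})")
    for label, hits in ((dependent, dep_at), (provider, prov_at)):
        if len(hits) > 1:
            sources = ", ".join(order[i][0] for i in hits)
            findings.append(f"{label} is loaded {len(hits)} times: {sources}")
    return findings


# Constructed layouts (file contents are samples, not taken from a real host).
# 1. Renamed .so referenced from php.ini, mbstring enabled from the scan directory.
RENAMED_SO = load_order(
    "[PHP]\nengine = On\nextension=zz-mailparse.so\n",
    {"mbstring.ini": "; Enable mbstring extension module\nextension=mbstring.so\n"},
)
# 2. Default file names in the scan directory: 'mailparse' sorts before 'mbstring'.
DEFAULT_NAMES = load_order(
    "[PHP]\n",
    {"mailparse.ini": "extension=mailparse.so\n", "mbstring.ini": "extension=mbstring.so\n"},
)
# 3. The .ini file itself renamed so that it sorts after mbstring.ini.
RENAMED_INI = load_order(
    "[PHP]\n",
    {"mbstring.ini": "extension=mbstring.so\n", "zz-mailparse.ini": "extension=mailparse.so\n"},
)
# 4. Two .ini files enabling the same module.
DUPLICATE = load_order(
    "[PHP]\n",
    {"10-mbstring.ini": "extension=mbstring.so\n",
     "20-mailparse.ini": "extension=mailparse.so\n",
     "21-mailparse.ini": "extension=mailparse.so\n"},
)

if __name__ == "__main__":
    for label, order in (("renamed .so in php.ini", RENAMED_SO),
                         ("default names", DEFAULT_NAMES),
                         ("renamed .ini", RENAMED_INI),
                         ("duplicate .ini", DUPLICATE)):
        print(label, "->", check(order) or "ok")
```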
