snap nextcloud inside lxd, apparmor fail - nextcloud

I've got these failures with my Nextcloud service, which runs in an LXD container via snap:
audit: type=1400 audit(1617309095.824:9617): apparmor="DENIED" operation="ptrace" namespace="root//lxd-nextcloud_<var-snap-lxd-common-lxd>" profile="snap.nextcloud.nextcloud-cron" pid=12317 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1617309095.828:9625): apparmor="DENIED" operation="open" namespace="root//lxd-nextcloud_<var-snap-lxd-common-lxd>" profile="snap.nextcloud.nextcloud-cron" name="/proc/199/cmdline" pid=12317 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000100

Related

How to use the QEMU that I compiled with my libvirt? qxl error

I've been trying to run a QEMU that I compiled by myself. I can run it if I use plain qemu commands, but it goes wrong when I substitute the system QEMU with the one I compiled.
If you use virsh edit VM_name, you can edit the configuration. I changed
<emulator>/usr/bin/qemu-system-x86_64</emulator>
into
<emulator>/home/user/Documents/qemu/build/x86_64-softmmu/qemu-system-x86_64</emulator>
You may get something like below
<devices>
<emulator>/home/user/Documents/qemu/build/x86_64-softmmu/qemu-system-x86_64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' discard='unmap'/>
<source file='/var/lib/libvirt/images/ubuntu20.04.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</disk>
I got the permission denied issue at first, and I referenced this question below.
https://unix.stackexchange.com/questions/471345/changing-libvirt-emulator-permission-denied
After I changed AppArmor configuration (Add "/home/user/Documents/qemu/build/x86_64-softmmu/qemu-system-x86_64 PUx,"), I get this:
"error: unsupported configuration: domain configuration does not support video model 'qxl'
Failed. Try again? [y,n,i,f,?]:"
My system is Ubuntu 22.04 LTS, the libvirt version is 8.0.0 (installed via apt-get), and the QEMU in the system is 6.2.0 (installed via apt-get). The QEMU I compiled is from https://gitlab.com/virtio-fs/qemu.git, and the branch is virtio-fs-dev (version is QEMU 7.0.0).
Are there any features that I forgot to enable when compiling QEMU? Or are there any tutorials to use the QEMU I compiled? Thank you!
Update
I found that the qxl problem above is solved if I change to an older model. But I still get the permission denied problem.
This is what I get from "dmesg":
[12227.019203] virbr0: port 2(vnet5) entered blocking state
[12227.019211] virbr0: port 2(vnet5) entered disabled state
[12227.019390] device vnet5 entered promiscuous mode
[12227.019765] virbr0: port 2(vnet5) entered blocking state
[12227.019769] virbr0: port 2(vnet5) entered listening state
[12227.179234] audit: type=1400 audit(1654891381.082:487): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-16b54d8a-be5c-4530-a8d8-ebc1bd02481d" pid=317483 comm="apparmor_parser"
[12227.233741] audit: type=1400 audit(1654891381.134:488): apparmor="DENIED" operation="exec" profile="libvirt-16b54d8a-be5c-4530-a8d8-ebc1bd02481d" name="/home/xlf/Documents/qemu/build/qemu-system-x86_64" pid=317485 comm="rpc-libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[12227.256173] virbr0: port 2(vnet5) entered disabled state
[12227.257559] device vnet5 left promiscuous mode
[12227.257569] virbr0: port 2(vnet5) entered disabled state
[12227.482556] audit: type=1400 audit(1654891381.386:489): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-16b54d8a-be5c-4530-a8d8-ebc1bd02481d" pid=317503 comm="apparmor_parser"
I've already added "/home/user/Documents/qemu/build/x86_64-softmmu/qemu-system-x86_64 PUx," to the file /etc/apparmor.d/usr.sbin.libvirtd and executed systemctl reload apparmor.
Are there any solutions? Thanks.
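The denials in the first post (the snap.nextcloud.nextcloud-cron ptrace and open lines) and the exec denial in this one are the same AppArmor audit record format, and the first two things to check for any of them are which profile made the decision and whether the rule you added would match the path that was refused. The Python below is an added example written for this page; it is not code from AppArmor, snapd, LXD or libvirt. It parses the DENIED records, translates AppArmor path globbing into a regex, and reports whether a given path rule covers the denied path. The RULES table is an assumption for the demo: it keys the rule quoted in this post under the per-domain profile named in the denial, so the check asks whether that rule would match if it lived in that profile. Run on the lines above it reports the deciding profile for the libvirt denial as libvirt-16b54d8a-... (the per-domain profile, not usr.sbin.libvirtd), reports the rule as not covering /home/xlf/Documents/qemu/build/qemu-system-x86_64, and for the Nextcloud cron job shows one denial that is not a file rule at all (ptrace of an unconfined peer) and one read of /proc/<pid>/cmdline.

```python
import re

# One regex for the key=value fields AppArmor writes into audit records;
# values are either double-quoted (may contain spaces and '/') or bare tokens.
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the DENIED records quoted in the two posts above,
# kept verbatim apart from the dmesg timestamp prefix.
SAMPLE_LINES = [
    'audit: type=1400 audit(1617309095.824:9617): apparmor="DENIED" operation="ptrace" '
    'namespace="root//lxd-nextcloud_<var-snap-lxd-common-lxd>" profile="snap.nextcloud.nextcloud-cron" '
    'pid=12317 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"',
    'audit: type=1400 audit(1617309095.828:9625): apparmor="DENIED" operation="open" '
    'namespace="root//lxd-nextcloud_<var-snap-lxd-common-lxd>" profile="snap.nextcloud.nextcloud-cron" '
    'name="/proc/199/cmdline" pid=12317 comm="ps" requested_mask="r" denied_mask="r" fsuid=1000000 ouid=1000100',
    'audit: type=1400 audit(1654891381.134:488): apparmor="DENIED" operation="exec" '
    'profile="libvirt-16b54d8a-be5c-4530-a8d8-ebc1bd02481d" '
    'name="/home/xlf/Documents/qemu/build/qemu-system-x86_64" pid=317485 comm="rpc-libvirtd" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
]

# Assumption for the demo: the path rule the poster added, keyed under the profile that
# issued the denial, so the check asks "would this rule match if it were in that profile?".
# The snap profile has no entry because the first post adds no rules.
RULES = {
    "libvirt-16b54d8a-be5c-4530-a8d8-ebc1bd02481d": [
        "/home/user/Documents/qemu/build/x86_64-softmmu/qemu-system-x86_64",
    ],
}


def parse_apparmor(line):
    """Return the key=value fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}


def aa_glob_to_regex(pattern):
    """Translate AppArmor path globbing into an anchored Python regex.

    '*' matches any run of characters except '/', '**' matches any run including '/',
    '?' matches one character except '/', '{a,b}' is alternation, '[...]' a character class.
    """
    out, depth, in_class, i = [], 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if in_class:                      # copy class members raw; re.escape would break ranges
            out.append(c)
            in_class = c != "]"
        elif c == "[":
            in_class = True
            out.append(c)
        elif c == "*" and pattern.startswith("**", i):
            out.append(".*")
            i += 1                        # consume the second '*' too
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_covers(rule_path, denied_path):
    """True if an AppArmor path rule would match the path named in a denial."""
    return re.match(aa_glob_to_regex(rule_path), denied_path) is not None


def diagnose(lines, rules_by_profile):
    """For each denial: the deciding profile, the operation, its target, and whether a known rule covers it.

    'covered' is None for denials that are not about a path (ptrace names a peer, not a file).
    """
    report = []
    for line in lines:
        f = parse_apparmor(line)
        if f is None:
            continue
        covered = None
        if "name" in f:
            covered = any(rule_covers(r, f["name"]) for r in rules_by_profile.get(f["profile"], []))
        report.append({
            "profile": f["profile"],
            "operation": f["operation"],
            "target": f.get("name") or f.get("peer"),
            "denied_mask": f.get("denied_mask"),
            "covered": covered,
        })
    return report


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LINES, RULES):
        print(f'{r["profile"]}: {r["operation"]} ({r["denied_mask"]}) on {r["target"]} -> rule covers: {r["covered"]}')
```

The glob translation matters because the usual fix for the libvirt case is a wildcard rule rather than a literal path: '*' stops at '/', so a rule like /home/*/qemu-system-* would not match a binary several directories deeper, while /home/**/qemu-system-* would. Whatever rule you settle on, the profile field in the record is the one it (or an abstraction that profile includes) has to end up in.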

Mercure keeps binding to port 80

I'm using the Mercure hub 0.13. Everything works fine on my development machine, but on my test server the hub keeps trying to bind to port 80, resulting in an error, as nginx is already running on port 80.
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: address already in use
I'm starting the hub with the following command:
MERCURE_PUBLISHER_JWT_KEY=$(cat publisher.key.pub) \
MERCURE_PUBLISHER_JWT_ALG=RS256 \
MERCURE_SUBSCRIBER_JWT_KEY=$(cat publisher.key.pub) \
MERCURE_SUBSCRIBER_JWT_ALG=RS256 \
./mercure run -config Caddyfile.dev
Caddyfile.dev is as follows:
# Learn how to configure the Mercure.rocks Hub on https://mercure.rocks/docs/hub/config
{
{$GLOBAL_OPTIONS}
}
{$SERVER_NAME:localhost:3000}
log
route {
redir / /.well-known/mercure/ui/
encode zstd gzip
mercure {
# Transport to use (default to Bolt)
transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
# Publisher JWT key
publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
# Subscriber JWT key
subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
# Permissive configuration for the development environment
cors_origins *
publish_origins *
demo
anonymous
subscriptions
# Extra directives
{$MERCURE_EXTRA_DIRECTIVES}
}
respond /healthz 200
respond "Not Found" 404
}
When I provide the SERVER_NAME as an environment variable without a domain, SERVER_NAME=:3000, the hub actually starts on port 3000, but runs in http mode, which only allows anonymous subscriptions and is not what I need.
Server:
Operating System: CentOS Stream 8
Kernel: Linux 4.18.0-383.el8.x86_64
Architecture: x86-64
Full output when trying to start the Mercure hub:
2022/05/10 04:50:29.605 INFO using provided configuration {"config_file": "Caddyfile.dev", "config_adapter": ""}
2022/05/10 04:50:29.606 WARN input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile.dev", "line": 3}
2022/05/10 04:50:29.609 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/05/10 04:50:29.610 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/05/10 04:50:29.610 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0003d6150"}
2022/05/10 04:50:29.627 INFO tls cleaning storage unit {"description": "FileStorage:/root/.local/share/caddy"}
2022/05/10 04:50:29.628 INFO tls finished cleaning storage units
2022/05/10 04:50:29.642 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2022/05/10 04:50:29.643 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc0003d6150"}
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: address already in use
I'm a bit late, but I hope this will help someone.
As mentioned here, you can specify the http_port manually in your Caddy configuration file.
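The log line "enabling automatic HTTP->HTTPS redirects" in the output above is the reason :80 is touched at all: because the site address localhost:3000 carries a host name, Caddy serves it over HTTPS (with its local CA) and additionally opens its plain-HTTP port, 80 by default, just to redirect to HTTPS. SERVER_NAME=:3000 has no host name, so no HTTPS and no redirect listener, which is why that variant starts but only in http mode. Either of the two global options below keeps HTTPS on :3000 while staying off :80. This is an added example for this thread, not a fragment from the Mercure documentation; the port 8080 is an assumption.

```caddyfile
# Global options block of Caddyfile.dev; the site block below it stays as posted.
{
	{$GLOBAL_OPTIONS}
	# nginx already owns :80, so move Caddy's plain-HTTP listener (which here only
	# serves the HTTP->HTTPS redirect for localhost:3000) to a free port.
	http_port 8080
	# Or keep HTTPS on :3000 and open no plain-HTTP listener at all:
	# auto_https disable_redirects
}
```

Because the posted file expands {$GLOBAL_OPTIONS} when the Caddyfile is parsed, the same effect should be reachable without editing the file by exporting GLOBAL_OPTIONS="http_port 8080" alongside the JWT variables. Separately, cors_origins *, publish_origins *, demo and anonymous are the permissive development settings the file's own comment flags; a test server reachable by other people should not keep them.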

How to restart redis server with authentication?

I am trying to restart a redis server using the following command:
service redis-server restart
And I am getting the error:
Failed to restart redis-server.service: Interactive authentication required.
See system logs and 'systemctl status redis-server.service' for details.
I know the redis password but I am not sure how to pass it in on the command line that I mentioned.
The recommended logs are like this and not very helpful:
● redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2022-04-05 13:31:23 UTC; 12min ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Process: 358704 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=1/FAILURE)

Guacamole fails to connect to xRDP server

I have an xrdp server running and would like to connect to it using Guacamole. However, each time I try to make any RDP connection it always fails with "You Have Been Disconnected." I know it is a fault with Guacamole because I can log into xrdp using the Remmina RDP client with the same credentials.
Here are my Logs:
/var/run/syslog :
Jul 26 10:02:36 ubuntu guacd[1291]: Creating new client for protocol "rdp"
Jul 26 10:02:36 ubuntu guacd[1291]: Connection ID is "$0c72bf59-0ff9-448d-a5a2-dc3229157122"
Jul 26 10:02:36 ubuntu guacd[5737]: Security mode: ANY
Jul 26 10:02:36 ubuntu guacd[5737]: Resize method: none
Jul 26 10:02:36 ubuntu guacd[5737]: User "#cce2ec3d-03c5-4387-be88-054a00927f56" joined connection "$0c72bf59-0ff9-448d-a5a2-dc3229157122" (1 users now present)
Jul 26 10:02:36 ubuntu guacd[5737]: Loading keymap "base"
Jul 26 10:02:36 ubuntu guacd[5737]: Loading keymap "en-us-qwerty"
Jul 26 10:02:36 ubuntu kernel: [ 4736.455320] guacd[5749]: segfault at 8000000000 ip 0000008000000000 sp 00007f3bc9f8bc98 error 14
Jul 26 10:02:36 ubuntu kernel: [ 4736.455323] traps: guacd[5750] general protection ip:7f3bcb074c69 sp:7f3bc978ac98 error:0
Jul 26 10:02:36 ubuntu kernel: [ 4736.455323]
Jul 26 10:02:36 ubuntu kernel: [ 4736.455325] in libguac.so.5.0.0[7f3bcb070000+d000]
Jul 26 10:02:36 ubuntu guacd[1291]: Connection "$0c72bf59-0ff9-448d-a5a2-dc3229157122" removed.
/var/log/tomcat8/Catalina.out :
10:02:33.079 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 0:0:0:0:0:0:0:1 for user "-------" failed.
10:02:33.943 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 0:0:0:0:0:0:0:1 for user "jonathan" failed.
10:02:36.100 [http-nio-8080-exec-6] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 0:0:0:0:0:0:0:1.
10:02:36.241 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "3".
10:02:38.179 [Thread-7] INFO o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "3". Duration: 1937 milliseconds
Connection settings:
security mode: any
port: 3389
I am on ubuntu server 16.04. Any possible solutions would be much appreciated.
Try:
1. Removing the [path to libfreerdp*.so]/freerdp/guac*.so files that were copied, assuming this is the case.
2. Creating symbolic links within [path to libfreerdp*.so]/freerdp/ to /usr/local/lib/freerdp/guac*.so, so you do not need to worry about this going forward.
Source: RDP stopped working v0.9.9 - Apache Guacamole.
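The answer's diagnosis is that guacd's guac*.so plugins were copied into FreeRDP's plugin directory once and then left behind, so the copies FreeRDP loads no longer match the libguac guacd was built against; the fix it gives is to delete the copies and symlink to the build output instead. The following Python is an added example written for this page, not code from the Guacamole project: it classifies every guac*.so in a FreeRDP plugin directory against the copy under the guacd install prefix (byte-identical copy, stale copy, link, or orphan) and can replace the copies with links. The directory layout in build_demo is constructed; on a real host you would pass the two directories the answer refers to.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plugin_status(plugin_dir, source_dir, prefix="guac"):
    """Classify every <prefix>*.so in FreeRDP's plugin directory against guacd's own build output.

    symlink          : link resolves to the file in source_dir (the layout the answer recommends)
    symlink-elsewhere: link points somewhere other than source_dir
    identical-copy   : a real file, byte-identical to source_dir's (works now, goes stale on the next build)
    stale-copy       : a real file that differs from source_dir's (the mismatch the answer blames)
    orphan-copy      : a real file with nothing in source_dir to compare against
    """
    plugin_dir, source_dir = Path(plugin_dir), Path(source_dir)
    status = {}
    for p in sorted(plugin_dir.glob(f"{prefix}*.so*")):
        src = source_dir / p.name
        if p.is_symlink():
            status[p.name] = "symlink" if p.resolve() == src.resolve() else "symlink-elsewhere"
        elif not src.exists():
            status[p.name] = "orphan-copy"
        elif _sha256(p) == _sha256(src):
            status[p.name] = "identical-copy"
        else:
            status[p.name] = "stale-copy"
    return status


def relink(plugin_dir, source_dir, prefix="guac"):
    """Replace every copy that has a counterpart in source_dir with a symlink to it; returns the names changed."""
    plugin_dir, source_dir = Path(plugin_dir), Path(source_dir)
    changed = []
    for name, st in plugin_status(plugin_dir, source_dir, prefix).items():
        if st in ("identical-copy", "stale-copy"):
            copy = plugin_dir / name
            copy.unlink()
            copy.symlink_to(source_dir / name)
            changed.append(name)
    return changed


def build_demo():
    """Constructed fixture (assumed paths): a FreeRDP plugin dir holding a mix of copies and links.

    Returns (plugin_dir, source_dir).
    """
    root = Path(tempfile.mkdtemp())
    src = root / "usr/local/lib/freerdp"            # where guacd's build installs guac*.so
    plug = root / "usr/lib/x86_64-linux-gnu/freerdp"  # where libfreerdp looks for plugins
    src.mkdir(parents=True)
    plug.mkdir(parents=True)
    (src / "guacai.so").write_bytes(b"audio input plugin, current build")
    (src / "guacdr.so").write_bytes(b"device redirection plugin, current build")
    (src / "guacsvc.so").write_bytes(b"static virtual channel plugin, current build")
    (plug / "guacai.so").write_bytes(b"audio input plugin, OLD build")      # stale copy
    (plug / "guacdr.so").symlink_to(src / "guacdr.so")                      # correct layout
    (plug / "guacsvc.so").write_bytes(b"static virtual channel plugin, current build")  # identical copy
    (plug / "guacold.so").write_bytes(b"plugin from a removed guacd version")  # orphan
    return plug, src


if __name__ == "__main__":
    plug, src = build_demo()
    print("before:", plugin_status(plug, src))
    print("relinked:", relink(plug, src))
    print("after:", plugin_status(plug, src))
```

Run plugin_status first and look at the stale-copy entries before relinking; an orphan-copy is a plugin guacd no longer ships and should simply be removed, which the relink step deliberately leaves to you.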

SELinux permission denied to Phusion Passenger for redmine

I am trying to install Redmine on CentOS 6.3 but I continue to get this error in the log file
Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog (/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog): Permission denied (errno=13)
I have been looking online and cannot find this error anywhere or any way to fix it. I have tried changing the permissions on the folder to 777 and apache:apache, but neither works.
The only solution that I have come up with to get redmine to work is to set SELinux to disabled or permissive (which I do not want to do).
Does anyone have another way to fix this problem that leaves SELinux enabled?
Found the SELinux log file under /var/log/messages. Here is the end of the file:
Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2331 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
Oct 16 14:07:30 localhost pulseaudio[2329]: alsa-util.c: Disabling timer-based scheduling because running inside a VM.
Oct 16 14:07:30 localhost rtkit-daemon[2183]: Sucessfully made thread 2332 of process 2329 (/usr/bin/pulseaudio) owned by '500' RT at priority 5.
Oct 16 14:07:31 localhost rtkit-daemon[2183]: Sucessfully made thread 2427 of process 2427 (/usr/bin/pulseaudio) owned by '500' high priority at nice level -11.
Oct 16 14:07:31 localhost pulseaudio[2427]: pid.c: Daemon already running.
Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.726:5): avc: denied { execute_no_trans } for pid=2663 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.760:6): avc: denied { execute_no_trans } for pid=2668 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write!
Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_intel8x0'. Please report this issue to the ALSA developers.
Oct 16 14:09:11 localhost pulseaudio[2329]: alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.
any suggestions?
So, you can fix this by using audit2allow (yum install audit-libs-python audit-libs).
SELinux logs to /var/log/audit/audit.log. If you tail and capture the output from restarting the web service (service httpd restart), you can then run the new output through audit2allow and make a module to install under SELinux.
So, assuming you have captured it into a file called "audit_tmp":
cat audit_tmp | audit2allow -D -M passenger
This will create a file called passenger.pp which you can apply using:
semodule -i passenger.pp
Doing this will unblock the first thing that was stopping Passenger from loading, but be aware that there will probably be more, so you will need to repeat the process until it works. I hope that makes sense!
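The two AVC records in the question say exactly what audit2allow will turn into policy: the source type httpd_t asked for execute_no_trans on a file of type lib_t (the PassengerWatchdog binary, labelled as a library because it lives under /usr/lib). The Python below is an added example for this page, not audit2allow's own code: it parses AVC records, merges the permissions per (source type, target type, class) the way audit2allow does, and renders the .te source that audit2allow -M would write before checkmodule/semodule_package turn it into the .pp you install. The third sample line is constructed, not from the post, so that merging of permissions is exercised. The point of looking at the rule before installing it: allow httpd_t lib_t:file execute_no_trans lets httpd execute every lib_t file on the system, not just the watchdog, so the narrower fix is relabelling only the agents directory to an executable type httpd_t is already permitted to run (check with sesearch -A -s httpd_t -c file before relying on a particular type such as bin_t).

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted from /var/log/messages above,
# plus one invented record of the same shape to exercise permission merging.
AVC_LINES = [
    'Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.726:5): avc: denied { execute_no_trans } '
    'for pid=2663 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" '
    'dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file',
    'Oct 16 14:08:04 localhost kernel: type=1400 audit(1381957684.760:6): avc: denied { execute_no_trans } '
    'for pid=2668 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" '
    'dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file',
    # constructed for the demo, not from the post:
    'Oct 16 14:09:30 localhost kernel: type=1400 audit(1381957770.001:7): avc: denied { read open } '
    'for pid=2701 comm="httpd" path="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.20/buildout/agents/PassengerWatchdog" '
    'dev=dm-0 ino=1048752 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the pieces of an AVC denial that policy rules are written against, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type[:range]; allow rules are written on the type component only.
    return {
        "perms": set(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "comm": fields.get("comm"),
    }


def te_rules(lines):
    """Collapse denials into allow rules, merging permissions that share (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {perm_txt};")
    return rules


def te_module(name, lines, version="1.0"):
    """Render a .te source in the layout audit2allow -M produces: module, require block, allow rules."""
    types, class_perms = set(), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            types.update((d["stype"], d["ttype"]))
            class_perms[d["tclass"]] |= d["perms"]
    require = [f"\ttype {t};" for t in sorted(types)]
    require += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    body = [f"module {name} {version};", "", "require {", *require, "}", "", *te_rules(lines)]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(te_module("passenger", AVC_LINES))
```

On the real box, ausearch -m AVC -ts recent gives you the same records straight from audit.log instead of the kernel lines in /var/log/messages, and each rule te_rules prints for a target type as broad as lib_t is one to question before semodule -i.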
Take a look at /var/log/syslog. That file contains SELinux error messages, which tell you how to fix up any permission problems.