Unable to setup Memcached with TLS - ssl

Can someone help me with how I can set up memcached with TLS? I tried following the Memcache wiki to no avail.
I compiled the source with --enable-tls, and when trying to start the memcache service I get the following error:
memcached --enable-ssl -o ssl_ca_cert=/etc/ssl/localcerts/memcache.pem -u memcache -v
140062054467392:error:20074002:BIO routines:file_ctrl:system lib:crypto/bio/bss_file.c:293:
140062054467392:error:140DC002:SSL routines:use_certificate_chain_file:system lib:ssl/ssl_rsa.c:615:
Error loading the certificate chain: (null) : error:0200100E:system library:fopen:Bad address
Any help is appreciated.

You are probably starting your memcached instance incorrectly. This is the correct command line:
/memcached --protocol=auto -p 11211 --enable-ssl -o ssl_chain_cert=/etc/ssl/localcerts/memcache.pem,ssl_key=/etc/ssl/localcerts/memcache.key -v
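A preflight check for the two files the answer passes in, as an added example that is not from the thread; it assumes the openssl command-line tool is installed and generates throwaway self-signed material itself:

```shell
#!/bin/sh
# Added example, not from the thread: preflight the PEM files before passing
# them to memcached. The question handed its chain to ssl_ca_cert (memcached's
# CA for validating client certificates) and never set ssl_chain_cert, which
# is why the error shows a "(null)" chain path; the answer's
# ssl_chain_cert/ssl_key pair is what the TLS listener needs.

# check_tls_pair CHAIN KEY: prints "ok" (exit 0) when both files are readable
# PEM and the leaf certificate's public key matches the private key;
# otherwise prints the reason and returns 1.
check_tls_pair() {
    chain="$1"; key="$2"
    [ -r "$chain" ] || { echo "chain not readable: $chain"; return 1; }
    [ -r "$key" ]   || { echo "key not readable: $key"; return 1; }
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) ||
        { echo "not a PEM certificate: $chain"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "not a PEM private key: $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 1; }
    echo ok
}

# Constructed throwaway material so the check can run anywhere:
# a self-signed cert with its key, plus an unrelated key for the negative case.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=memcache.example" \
    -keyout "$tmp/memcache.key" -out "$tmp/memcache.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$tmp/other.key" 2>/dev/null

if check_tls_pair "$tmp/memcache.pem" "$tmp/memcache.key" >/dev/null; then
    # Same shape as the answer's command line, now with files known to pair up.
    echo "memcached --protocol=auto -p 11211 --enable-ssl" \
         "-o ssl_chain_cert=$tmp/memcache.pem,ssl_key=$tmp/memcache.key -u memcache -v"
fi
```

Run it as the user memcached will drop to (the question's -u memcache), since a file readable by root but not by that user fails in exactly the same way.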

Related

Apache proxy + UNIX socket + SELINUX: How is it done?

I'm trying to get gunicorn running behind an Apache proxy via a UNIX socket in the file system. Long story short, it works with SELinux in non-enforcing mode but not when enforcing. I'm trying to fix that. Here's my socket file as created by gunicorn:
srwxrwxrwx. dh dh system_u:object_r:httpd_sys_content_t:s0 /var/www/wsgi/dham_wsgi.sock
Here's what audit2why has to say about this after a failed access via Apache:
type=AVC msg=audit(1641287516.397:870181): avc: denied { connectto } for pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Let's follow that hint, read some man pages and the Internet, and get to work:
$ sudo cat /var/log/audit/audit.log | audit2allow -m httpd_socket -l > httpd_socket.te
$ cat httpd_socket.te
module httpd_socket 1.0;
require {
type httpd_t;
type httpd_sys_content_t;
class sock_file write;
}
#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:sock_file write;
$ checkmodule -M -m -o httpd_socket.mod httpd_socket.te
checkmodule: loading policy configuration from httpd_socket.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 19) to httpd_socket.mod
$ semodule_package -o httpd_socket.pp -m httpd_socket.mod
$ sudo semodule -i httpd_socket.pp
But it doesn't work, everything is as before. Restarting Apache makes no difference. What now?
My initial audit2allow seems not to have caught all problems because I used the '-l' flag (last policy reload). Using a more aggressive approach like the one below got me a few more entries in the generated module. After installing that, it worked.
sudo grep dham_wsgi /var/log/audit/audit.log | audit2allow -M httpd_socket
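The denial in the question is connectto on a unix_stream_socket owned by init_t, while the first module only allowed sock_file write on httpd_sys_content_t. The script below, an added example that is not from the thread, derives the allow rules an AVC log implies and lists the ones a .te module does not yet carry, so a module can be read line by line before semodule -i grants anything; it assumes standard audit.log AVC formatting and uses constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the thread: AVC denials -> implied allow rules,
# then diff those against a .te module. Assumes the audit.log AVC layout
# shown in the question (scontext=..., tcontext=..., tclass=...).

# avc_to_rules: audit lines on stdin -> one deduplicated
# "allow <src> <tgt>:<class> <perms>;" per distinct denial, on stdout.
avc_to_rules() {
    awk '/avc: *denied/ {
        match($0, /[{][^}]*[}]/)                    # e.g. "{ connectto }"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        if (perms ~ / /) perms = "{ " perms " }"    # several perms need braces
        print "allow " src " " tgt ":" cls " " perms ";"
    }' | sort -u
}

# missing_rules TE_FILE: rules implied by stdin that TE_FILE lacks (may be empty).
missing_rules() {
    have=$(mktemp)
    grep '^allow ' "$1" > "$have" || true          # a .te without allow lines is fine
    out=$(avc_to_rules | grep -vxF -f "$have") || true
    rm -f "$have"
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0
}

# Constructed sample: the question's module (require block condensed) plus two
# denials, the connectto one from the question and a sock_file write one made here.
tmp=$(mktemp -d)
cat > "$tmp/httpd_socket.te" <<'EOF'
module httpd_socket 1.0;
require { type httpd_t; type httpd_sys_content_t; class sock_file write; }
allow httpd_t httpd_sys_content_t:sock_file write;
EOF
cat > "$tmp/audit.log" <<'EOF'
type=AVC msg=audit(1641287516.396:870180): avc: denied { write } for pid=23897 comm="httpd" name="dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1641287516.397:870181): avc: denied { connectto } for pid=23897 comm="httpd" path="/var/www/wsgi/dham_wsgi.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
EOF

echo "Rules the AVC log implies but httpd_socket.te does not carry:"
missing_rules "$tmp/httpd_socket.te" < "$tmp/audit.log"
```

A rule like allow httpd_t init_t:unix_stream_socket connectto; is broad (any init_t socket, not just this one), which is the kind of line worth seeing before loading rather than after.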

How are the --network options available in podman?

I am running a virtual environment on CentOS with podman.
When I use the --net option of the podman run command, I get an error.
[user@server ~]$ podman run --net slirp4netns:port_handler=slirp4netns -p 1080:80 -d --name web nginx
Error: cannot join CNI networks if running rootless: invalid argument
Is this option unavailable?
Or is there a problem with the way the options are specified?
Please tell me the solution.
I used this site as a reference for the command.
This is the configuration of the server.
[user@server ~]$ cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[user@server ~]$ podman -v
podman version 2.0.6
The port_handler option requires Podman >= 2.1.0, which isn't released at this moment: https://github.com/containers/podman/commit/d86bae2a01cb855d5964a2a3fbdd41afe68d62c8
You can use that option if you compile Podman from its master branch.
I find these links quite helpful for seeing how rootless communication works:
https://www.redhat.com/sysadmin/container-networking-podman
https://podman.io/getting-started/network
I am not sure if you have seen these links before, or even if they are helpful to you in this instance. But, in view of helping others out, I think the blog post quotes the following helpful statements:
Note: All podman network commands are for rootfull containers only.
Technically, the container itself does not have an IP address, because without root privileges, network device association cannot be achieved
When using Podman as a rootless user, the network is setup automatically. The container itself does not have an IP Address, because without root privileges, network association is not allowed. You will also see some other limitations.

Artemis: can't create broker: function not implemented

I used to create brokers in Artemis on Windows, on Linux and in WSL. There was never a problem,
except on one of my machines running Windows and WSL2.
I did everything the same when installing artemis:
sudo groupadd artemis
sudo useradd -s /bin/false -g artemis -d /opt/artemis artemis
cd /opt
sudo wget https://archive.apache.org/dist/activemq/activemq-artemis/2.12.0/apache-artemis-2.12.0-bin.tar.gz
sudo tar -xvzf apache-artemis-2.12.0-bin.tar.gz
sudo mv apache-artemis-2.12.0 artemis
sudo chown -R artemis: artemis
sudo chmod o+x /opt/artemis/bin/
sudo rm apache-artemis-2.12.0-bin.tar.gz
It installs, but when I try to create my own broker instance:
/opt/artemis/bin/artemis create --user app --password pwd --allow-anonymous test
I've got the following error message:
Cannot initialize queue:Function not implemented
I've tried it several times, even uninstalled artemis and removed the user and group and started the whole process again, but the result was always the same.
I can't figure out what the difference would be or how to fix the problem. Any help would be highly appreciated!
UPDATE 1:
There is not much log, but turning on verbose mode gives the following lines:
Executing org.apache.activemq.artemis.cli.commands.Create create --verbose --user app --password pwd --allow-anonymous test
Home::/opt/artemis, Instance::null
Cannot initialize queue:Function not implemented
As far as I can tell the message "Cannot initialize queue:Function not implemented" comes from the AIO integration layer. I recommend you try creating the instance using --nio to force the broker to use the Java-based NIO storage interface.

ERROR: Net::SSH::HostKeyMismatch: fingerprint

I'm trying to bootstrap a node with sudo knife bootstrap 10.40.116.100 --ssh-user ubuntu --sudo --identity-file /home/ec2-user/.ssh/ihies-east-1.pem -N newsite -r "recipe[pilot_sec-update]","recipe[vmpilot]" and I get ERROR: Net::SSH::HostKeyMismatch: fingerprint 16:78:0d:29:7d:5e:cf:25:01:92:df:3a:94:64:5d:b6 does not match for "10.40.116.100"
1. I can ssh with ssh -i /home/ec2-user/.ssh/ihies-east-1.pem decs@10.40.116.100
2. I cleared my known_hosts file
I still get the error.
As https://stackoverflow.com/users/78722/coderanger suggested, clearing the known hosts from the root user as well fixed it.

Error:Unable to invoke action : The server is currently unavailable

I am doing an on-prem setup of OpenWhisk using a local CouchDB installation on Ubuntu 16.04, for which I downloaded the code from GitHub. I have followed all the steps of the setup; after the build, I have to run various playbooks.
When I run the playbook below with the following command
ansible-playbook -i environments/local openwhisk.yml
I get the error
"error": "The server is currently unavailable (because it is overloaded or down for maintenance).",
"code": 4
When I checked, I found it is coming while executing installRouteMgmt.sh from /openwhisk/ansible/roles/routemgmt/files.
The line in the script which is throwing the error is
echo Installing routemgmt package.
$WSK_CLI -i -v --apihost "$APIHOST" package update --auth "$AUTH" --shared no "$NAMESPACE/routemgmt" \
-a description "This experimental package manages the gateway API configuration." \
-p gwUser "$GW_USER" \
-p gwPwd "$GW_PWD" \
-p gwUrl "$GW_HOST" \
-p gwUrlV2 "$GW_HOST_V2"
where
APIHOST=172.17.0.1
AUTH=path to auth.whisk.system
WSK_CLI= wsk path
NAMESPACE= whisk.system
This error comes when the DB host value is not resolvable from the controller container, or when the DB which the controller is trying to connect to has not been created in CouchDB. Mine was the second case; once the __subjects db was there, it was able to run.