Note: all these problems are associated with CentOS-7.2 or higher
We have two Linux platforms; one for development and second for production (comment: two platforms may not be enough when using Linux; see the IBM-Managed warning after this section). The recommended approach is to first install (or update) software on the development box. If testing for the next few days (to few weeks) proves that everything is working properly then we would repeat the procedure on the production box. This also keeps both platforms more-or-less in sync.
I wanted to install the tree utility so I logged onto the development box where I entered this command:
sudo yum install tree
... which worked properly.
Then I repeated this command on the production platform which failed with numerous errors associated with file /usr/libexec/urlgrabber-ext-down which is a python script. What was worse was this: you could not execute "firewall-cmd" or most yum commands including "yum check-update". Investigating further, I noticed that someone had installed python3 then updated the symbolic link so that the python command pulls up python3 rather than python2 (most Linux utilities in 2018 require Python 2.7)
There are only two ways out of this problem (remember that this is an active business system).
Tip: if this is an emergency, just make minimal changes. For now, just modify the scripts for whatever is broken (eg. yum or firewall-cmd). But you will eventually need to put everything back to a pristine state. If your stuff needs python3 then you need to rely upon shebang. I have no idea why the Linux maintainers didn't do this for their scripts requiring Python2.
# # 1) this is an example of a good working setup with two versions of python installed # 2) notice (on the first result line) that python is pointing to python2 # and python2 is pointing to python2.7 # 3) if yum and firewall-cmd require python2 then you would have thought the # developers would have modified the shebang lines of those utilites # $ cd /usr/bin $ ls pytho* -la lrwxrwxrwx. 1 root root 7 Jan 12 15:25 python -> python2 lrwxrwxrwx. 1 root root 9 Dec 20 2016 python2 -> python2.7 -rwxr-xr-x. 1 root root 7136 Nov 5 2016 python2.7 lrwxrwxrwx. 1 root root 9 Apr 12 2017 python3 -> python3.4 -rwxr-xr-x. 2 root root 11312 Jan 17 2017 python3.4 lrwxrwxrwx. 1 root root 17 Apr 12 2017 python3.4-config -> python3.4m-config -rwxr-xr-x. 2 root root 11312 Jan 17 2017 python3.4m -rwxr-xr-x. 1 root root 173 Jan 17 2017 python3.4m-config -rwxr-xr-x. 1 root root 3366 Jan 17 2017 python3.4m-x86_64-config lrwxrwxrwx. 1 root root 16 Apr 12 2017 python3-config -> python3.4-config
I have experienced several instances where updating software though the graphical interface fails for some reason then breaks the graphical interface (or the whole system). It should not surprise anyone that updating gnome-session, or any of its dependencies, might disturb the very session that is running yum or rpm
So if you are on the system console (which is almost always a VGA monitor) and want to move to non-graphical session, try one of the following keystrokes:
|CTRL ALT F2||switch to terminal 2 (/dev/tty2)||text only|
|CTRL ALT F3||switch to terminal 3 (/dev/tty3)||text only|
|CTRL ALT F4||switch to terminal 4 (/dev/tty4)||text only|
|CTRL ALT F5||switch to terminal 5 (/dev/tty5)||text only|
|CTRL ALT F6||switch to terminal 6 (/dev/tty6)||text only|
|CTRL ALT F1||switch to terminal 1 (the graphical interface)||only graphical when runlevel > 3|
The only other way to safely disable graphics is to lower the runlevel of your system to 3. (but only do this if you are certain that you won't kill some process currently needed by your customers). Alternatively, use ssh to log into your system via the network then execute yum on that session.
The self-help blogs really fall down on this one because the only secure way to do this is to tunnel x-sessions over SSH. But whenever anyone on a self-help blog asks how to do this only using SSH, some idiot will chime in with a procedure on how to do it using VNC, RealVNC, TigerVNC or Vino which are all insecure.
To make matters worse, setting up a remote graphical session is almost
impossible (at least under certain circumstances like Windows -> RedHat/CentOS)
because GNOME3 contains 3-d extensions not found in most Windows clients. The
best way out of this is to setup RedHat/CentOS on a machine at the client end
then use it to connect to the desired Linux platform.
comment: some conspiracy-minded people think this change was deliberately done to stop support professionals from from using Windows as their default platform to support all others.
CygWin and CygWin/X
action : start your local x-server (on the start menu) : task will appear on your horizontal task bar action : start xterm : it is one of the items associated with the x-server icon on the task bar type : ssh -X name@fully-qualified-domain-name (replacing "-X" with "-Y" is even better) action : wait for the password prompt then enter it type : xterm & action : a new window should open type : /gnome-weather & action : a graphical weather app will pop up type : /gnome-session --disable-acceleration-check & action : a new window manager should open (but does not) : 1) the switch shown is only available in gnome starting with version 3.16 : 2) without it you may see something like this: "Oh no! Something has gone wrong. A problem has occurred and the system can't recover. Please log out and try again." : 3) gnome3 requires advanced graphics so may never work this way; try a desktop other than gnome
# notes: # 1) well-known port 1433 is reserved for Microsoft SQL Server # 2) SQL Server 2005 appears to support ssl2 but nothing higher # 3) contrary to popular belief, as soon as you specify a username and password in your # ODBC connect string (via sqlcmd) then the initial handshake will be encrypted # # this passes # openssl s_client -debug -state -connect ip-address:1433 -ssl2 # # this fails # openssl s_client -debug -state -connect ip-address:1433 -ssl3
|Platform||CentOS Notes||OpenSSL version||OpenSSL Notes|
|Production||CentOS 7.3 (built 14-months ago)||OpenSSL-1.0.1e||ssl2 is supported|
|Development||CentOS 7.4 (yum updated 2018-01-29)||OpenSSL-1.0.2k||ssl2 has been disabled prior to build|
wget https://openssl.org/source/openssl-1.0.2k.tar.gz tar -xvf openssl-1.0.2k.tar.gz cd openssl-1.0.2k/ # --prefix will make sure that make install copies the files locally instead of system-wide # --openssldir will make sure that the binary will look in the regular system location for openssl.cnf # no-shared builds a mostly static binary ./config --prefix=`pwd`/local --openssldir=/usr/lib/ssl enable-ssl2 enable-ssl3 no-shared make depend make # # these next two steps are not required if openssl-1.0.2k already exists on your system. # make -i install sudo cp local/bin/openssl /usr/local/bin/ # # test the newly created binary like so: ./apps/openssl s_client -debug -state -connect ip-address:1433 -ssl2 # ...remembering that many other destinations will no longer accept ssl2 # then rename the old binary (paranoid): mv /usr/bin/openssl /usr/bin/openssl-old # then copy the new binary: cp ./apps/openssl /usr/bin/openssl #
One of our developers was experiencing problems developing a new LDAP-based application. So he invoked YUM to update LDAP on our production box. The big problem here is that the update was done in a careless way (without reading all the release notes). So the LDAP update also updated OpenSSL for the whole system so now we can no longer connect to that older Microsoft platform in Montreal. (see: this previous note)
It now appears that we will need to install a third CentOS platform whose only purpose would be to reach through to the older Microsoft platform. This platform would need to be modified so that it could never been updated.
This problem is so weird that I'll stick to bullet points
# NOT Generated by NetworkManager # /etc/resolv.conf options timeout:1 options attempts:1 options rotate options no-check-names search on.bell.ca nameserver 18.104.22.168 nameserver 22.214.171.124 #nameserver 126.96.36.199
cd /etc cp resolv.conf resolv.conf-copy
We are running CentOS-7.2 on two HP-DL385-g6 servers (one PROD, one DVLP) and both have been running for 24 months without a reboot. These are older hardware platforms so I have been preparing to cut the whole thing over to to two new servers (HP-DL385p-gen8) next month. I just noticed I can't access one of the older via the console.
|CTRL ALT F1||screen turns solid blue|
|CTRL ALT F2||screen turns solid green|
|CTRL ALT F3||screen turns sold green|
I've tried everything (short of rebooting) including a restart of various services (eg. "systemctl restart gdm.service") but it seems that the graphics card itself is locked up somehow.
I need to point out that we can do anything else we want via a remote ssh terminal session over the network. In fact, the customers are unaware of fact that anything is wrong. So let me advise everyone to ensure that at least one network port is configured -AND- that the firewall has been configured to allow ssh connections so you be able to manage your platform if your VGA console is fubared.