Thursday, August 8, 2019

RHEL7.7 dracut Failed to install module libnvdimmvmxnet3

I just upgraded one of my systems from RHEL 7.6 to 7.7. During the update, I got the following error:
dracut[43998]: Failed to install module libnvdimmvmxnet3
The fix: in /etc/dracut.conf.d/*.conf (in my case both nvdimm-security.conf and vmware-tools.conf), edit the "add_drivers" line so the value has a leading and a trailing space. E.g. in nvdimm-security.conf, change:
add_drivers+="libnvdimm"
to
add_drivers+=" libnvdimm "
and in vmware-tools.conf, change:
add_drivers+="vmxnet3 vmw_pvscsi"
to
add_drivers+=" vmxnet3 vmw_pvscsi "
Then run "dracut --force" to rebuild your initramfs; the "Failed to install module libnvdimmvmxnet3" error should be gone. The cause is that dracut simply sources each conf file in turn, so the add_drivers+=... assignments are plain shell string concatenation with nothing inserted between values: "libnvdimm" followed by "vmxnet3 vmw_pvscsi" yields "libnvdimmvmxnet3 vmw_pvscsi", and dracut then looks for a kernel module named libnvdimmvmxnet3. See the dracut.conf man page for the warning that was apparently ignored by the open-vm-tools folks: "Space-separated lists have to have a leading and trailing space".

Tuesday, June 4, 2019

rpm command pauses for 20 seconds

I'd just built a new system and found that any 'rpm' command paused for 20 seconds before doing anything.

It turned out that I had a build error in my kickstart, and it made /etc/hosts empty! So 'rpm' was trying to do a DNS lookup on 'localhost' and timing out. I don't know why rpm needs to do a lookup at all, but...

In any case, the fix was to add the "standard" /etc/hosts entries for localhost:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Tuesday, April 2, 2019

How to use firewalld to filter traffic to docker

Note: my platform is Docker CE 18.09 on CentOS 7; YMMV. I only recently started using Docker, but there is one very important thing you need to know:
By default, every external source IP is allowed to reach any port a container publishes (-p): Docker inserts its own iptables rules for those ports, so the host's firewalld zone rules never see that traffic.

Filtering by IP is actually easy once you know how, but I had a hell of a time finding the key information, which for me was three-fold:
1. The only hook Docker leaves for your own filtering is the DOCKER-USER chain, which it consults before its own rules. If that chain is not present when Docker starts, Docker creates it with a single RETURN rule, i.e. it allows everything passed to it; therefore:
2. You must stop the docker service before configuring the DOCKER-USER iptables chain.
3. You must add the DOCKER-USER chain (and its rules) and reload firewalld before the docker service starts. The order matters for a second reason too: a firewalld reload flushes the chains Docker itself created, so Docker has to be started afterwards to rebuild them.

partial reference: https://github.com/moby/moby/issues/35043

i.e.:

service docker stop
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -i ens224 -s 1.2.3.4 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 2 -i ens224 -s 5.6.7.8 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 3 -i ens224 -j DROP
service firewalld reload
service docker start
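The same procedure as a reusable script, added here as an example (not from the original post and not part of Docker or firewalld): it takes the allowlist on the command line, rebuilds DOCKER-USER through firewalld's direct interface, and wraps it in the stop/reload/start sequence above. It adds one rule the list above lacks, an ESTABLISHED,RELATED ACCEPT at the top: without it the final DROP also kills traffic the containers initiate themselves (docker pull, yum inside a container), because the replies arrive on the external interface and traverse FORWARD -> DOCKER-USER exactly like new connections. The interface name (ens224), the address 1.2.3.4 / 5.6.7.8 usage and the script filename are assumptions; by default it only prints the commands, and runs them only with APPLY=1.

```bash
#!/bin/bash
# Added example, not from the original post: build the DOCKER-USER chain with
# firewalld's direct interface from an allowlist, in the order the post gives
# (stop docker, write the chain, reload firewalld, start docker).
# Assumptions: IFACE (default ens224) is the external interface, and the
# addresses passed on the command line are the only sources allowed in.
# Nothing is executed unless APPLY=1; by default the commands are printed.

IFACE="${IFACE:-ens224}"
APPLY="${APPLY:-0}"

# Run a command when APPLY=1, otherwise print it (dry run).
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Recreate DOCKER-USER in firewalld's permanent direct config. Rule order:
#   0     ACCEPT replies to connections the containers opened themselves.
#         Without this the final DROP also kills container-initiated traffic
#         (docker pull, yum/apt inside a container): the replies arrive on
#         $IFACE and traverse FORWARD -> DOCKER-USER just like new connections.
#   1..n  ACCEPT one allowlisted source address or CIDR each.
#   n+1   DROP everything else that arrives on $IFACE.
docker_user_rules() {
    run firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
    run firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
    run firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
    local prio=0
    run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER "$prio" \
        -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    local src
    for src in "$@"; do
        prio=$((prio + 1))
        run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER "$prio" \
            -i "$IFACE" -s "$src" -j ACCEPT
    done
    prio=$((prio + 1))
    run firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER "$prio" \
        -i "$IFACE" -j DROP
}

# Full procedure. Docker must be down while the chain is written, and must be
# started only after the reload: firewalld's reload flushes the DOCKER* chains
# Docker created, and Docker rebuilds them (leaving our DOCKER-USER alone) on start.
apply_docker_user_filter() {
    run systemctl stop docker
    docker_user_rules "$@"
    run firewall-cmd --reload
    run systemctl start docker
}

# Usage: ./docker-user-filter.sh 1.2.3.4 5.6.7.8          (dry run, prints commands)
#        APPLY=1 ./docker-user-filter.sh 1.2.3.4 5.6.7.8  (really applies them)
if [ "$#" -gt 0 ]; then
    apply_docker_user_filter "$@"
fi
```

Verify afterwards with `iptables -L DOCKER-USER -n -v --line-numbers`: the conntrack ACCEPT must come first, the DROP last, and the packet counters on the DROP line should climb when an address outside the allowlist tries a published port.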