Workaround for Nagios check_linux_raid failure in RHEL / CentOS 6.2

I recently stumbled upon another Nagios plugin that no longer works with SELinux under RHEL / CentOS 6.2: check_linux_raid.

Just like the check_disk plugin, it has the nagios_checkdisk_plugin_exec_t SELinux type. As of May 2012, this problem has not yet been fixed.

The workaround is simple, as with the check_disk plugin:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_linux_raid

Or, for 32-bit systems:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib/nagios/plugins/check_linux_raid

Workaround for Nagios check_disk failure in RHEL / CentOS 6.2

After updating from EL 6.1 to 6.2, the Nagios “check_disk” plugin suddenly stopped working with “Permission denied” errors. This problem is related to the SELinux policy (you *are* running with SELinux enabled, aren’t you?).

By default, these AVC denials are not logged in /var/log/audit/audit.log, which makes this problem harder to spot (if you want, you can enable all audit messages by running semodule -DB).
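Once semodule -DB has switched the dontaudit rules off, the denials show up in audit.log and can be grouped per plugin. The script below is an added example, not part of the original post: the function names are made up, the log lines are constructed, and it assumes the plugins run in a domain named like nagios_checkdisk_plugin_t. Running semodule -B afterwards turns the dontaudit rules back on.

```shell
#!/bin/sh
# Added example: summarise AVC denials raised by confined Nagios plugin domains.
# Reads audit.log-format lines on stdin, prints "comm perms target_type class count".
nagios_avc_summary() {
  awk '
    # Value of key=value on this line, quotes stripped ("-" if the key is absent).
    function val(line, key,    s) {
      if (!match(line, "(^| )" key "=[^ ]+")) return "-"
      s = substr(line, RSTART, RLENGTH)
      sub(/^[^=]*=/, "", s); gsub(/"/, "", s)
      return s
    }
    /type=AVC/ && /denied/ {
      split(val($0, "scontext"), src, ":")
      if (src[3] !~ /^nagios_.*plugin_t$/) next   # keep Nagios plugin domains only
      split(val($0, "tcontext"), tgt, ":")
      perms = $0
      sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)                       # "{ read open }" becomes read,open
      seen[val($0, "comm") " " perms " " tgt[3] " " val($0, "tclass")]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | sort
}

# Constructed sample lines (not from a real host), as they look after "semodule -DB".
# Note that the kernel truncates comm to 15 characters (check_linux_rai).
sample_audit_lines() {
  cat <<'EOF'
type=AVC msg=audit(1336470001.101:501): avc:  denied  { getattr } for  pid=2101 comm="check_disk" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1336470001.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="check_disk" exe="/usr/lib64/nagios/plugins/check_disk"
type=AVC msg=audit(1336470301.214:517): avc:  denied  { getattr } for  pid=2188 comm="check_disk" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1336470302.007:518): avc:  denied  { read } for  pid=2190 comm="check_linux_rai" name="mdstat" dev=proc ino=4026531984 scontext=system_u:system_r:nagios_checkdisk_plugin_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
type=AVC msg=audit(1336470400.550:530): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
EOF
}

# On a real host: nagios_avc_summary < /var/log/audit/audit.log
sample_audit_lines | nagios_avc_summary
```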

There are at least two relevant entries in Bugzilla:

  • Bug 771245 – nagios-plugins-disk fails when checking /boot on RHEL6.2 boxes
  • Bug 768055 – SELinux silent denials of Nagios NRPE check of /boot

Fortunately, there is a simple workaround while we wait for an updated selinux-policy package. As root, do the following:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_disk

Or, for 32-bit systems:

chcon -t nagios_unconfined_plugin_exec_t /usr/lib/nagios/plugins/check_disk

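No need to restart anything; just wait until Nagios re-checks the service and the problem should be gone. Keep in mind that a label set with chcon does not survive a filesystem relabel or a restorecon run on that file, so reapply it if the denials return. Enjoy!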

Tip: Importing multiple CentOS Linux DVDs into Cobbler

Linux distributions are getting larger and larger; CentOS 6.0 64-bit won’t fit on a single DVD anymore. A Cobbler-based provisioning server will normally import only one DVD. So, how do you get around this?

  1. Import the first DVD as usual
  2. Manually add content from the second DVD

Import the first DVD (ISO image):

  mkdir /mnt/dvd1; mount -o ro,loop /tmp/CentOS-6.0-x86_64-bin-DVD1.iso /mnt/dvd1

  cobbler import --name=${DISTRO} --path=/mnt/dvd1

Watch the output from Cobbler closely – it will basically show you the commands you need to import the second DVD ;-)

Import the second DVD (ISO image):

  mkdir /mnt/dvd2; mount -o ro,loop /tmp/CentOS-6.0-x86_64-bin-DVD2.iso /mnt/dvd2

  rsync -a  '/mnt/dvd2/' /var/www/cobbler/ks_mirror/${DISTRO} --exclude-from=/etc/cobbler/rsync.exclude --progress
  COMPSXML=$(ls /var/www/cobbler/ks_mirror/${DISTRO}/repodata/*comps*.xml)
  createrepo -c cache -s sha --update --groupfile ${COMPSXML} /var/www/cobbler/ks_mirror/${DISTRO}

Done! You have now added the contents of the second DVD to your existing “ks_mirror” directory and updated the Yum repodata.

Update 2011.08

  • FIXED: Forgot the trailing / on the DVD2 mount point '/mnt/dvd2/'. Otherwise, the rsync command will create a 'dvd2' subdirectory.

Passed the RHCSA and RHCE exams!

My RHCE certification (RHEL 4) was no longer current so I had to re-take the exam with RHEL 6. I decided to take the 4-day course (RH300) as well as the exam (EX300) in one week but it turned out to be quite the obstacle-course:

  • Monday. The first day of the course: while waiting in Amsterdam for the trainer to arrive, we were informed that he had fallen ill – course canceled, no backup trainer available. Meh.
  • A couple of weeks later, the course finally starts with Sander van Vugt as trainer, someone else will proctor the exam (Friday). Things start to look good ;-)
  • Friday: while waiting in Amersfoort for the proctor to arrive, we hear he’s had an accident and the exam will have to be canceled. No backup proctor available. More meh.

Fortunately, Red Hat tried their best to remedy the situation and got Wander to proctor an extra exam on Tuesday. Pffff, what a journey…

But the good news: I PASSED both exams! Yay! Time for beer and BBQ, celebrations are in order ;-)

Tip: Configuring network aliases with NetworkManager on Fedora 14

Linux supports the concept of “network aliases”; a NIC with more than one IP-address.

Previously, with networking managed by /etc/init.d/network, you would create a configuration file (/etc/sysconfig/network-scripts/ifcfg-eth0:0) holding the IP-address information for alias “0” of network interface “eth0”.

With NetworkManager, things become more complicated for non-trivial network configurations. The primary interface settings are in /etc/sysconfig/network-scripts/ifcfg-eth0 as usual:

  NAME="System eth0"

Based on a comment by Cristiano, I added a script to NetworkManager that would take care of configuring any network aliases that might be defined:

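  $ cat /etc/NetworkManager/dispatcher.d/00-aliases
  #!/bin/sh
  # Based on comment by Cristiano
  # NetworkManager passes the interface name and the action as arguments.
  iface="$1"
  action="$2"
  if [ "$action" = "up" ]; then
    for ALIAS in /etc/sysconfig/network-scripts/ifcfg-"$iface":*; do
      [ -e "$ALIAS" ] || continue   # no alias files: the glob stays unexpanded
      ALIAS=`echo "$ALIAS" | cut -d: -f 2`
      /sbin/ifup "$iface:$ALIAS"
    done
  fi
  # EOF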

Note: This script needs to be executable.

The alias settings are configured in /etc/sysconfig/network-scripts/ifcfg-eth0:0


The essential ingredient here is “NM_CONTROLLED=no” (thanks to IRC @so_solid_moo, #fedora). Without that setting, NetworkManager will treat your alias as a real device and mess up your network accordingly ;-)