arrow_upward

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
VPS 9 SELinux issues after upgrade to KVM
#1
@"Hidden Refuge"

Following your remedy for fixing VPS 18 CentOS 7 Selinux issues, I can't help but wonder whether my VPS 9 issues after the upgrade to KVM are the same?

If you check the suggestion by Virmach, they ask one to disable Selinux (after the upgrade) for CentOS.  I was unaware it was for CentOS 7 specifically, but that was the OS I had loaded anyway.  I had to reload it 5 times while I was trying to change the port number, but got kicked out time and time again.  Yum also didn't look as though it loaded properly.


Virmach Upgrade to KVM Admin Wrote:For CentOS, please check to ensure SELinux is disabled. Check out this guide here. This should fix any issues you are having with polkit service as well as others.
https://access.redhat.com/documentation/...ng_selinux

Check your firewall rules. For example, there may be new rules set blocking port 80/443. Here is a good guide.
https://wiki.centos.org/HowTos/Network/IPTables

Attempt to start all your packages. For example, if your website is not working, ensure you attempt to start apache/nginx, MySQL, PHP, and any other related services. For most services, the command would be systemctl start or /etc/init.d/ start where is the service name. If there are any errors, it will usually be because of an incompatibility and you can install or update the appropriate services or contact us for assistance. If you contact us, please let us know exactly the services you are running and their configuration.

For web panels, first make sure you disable SELinux as instructed above. Then, check iptables as instructed above. cPanel needs /usr/local/cpanel/scripts/upcp to be ran afterward. For other panels we are investigating, but there is an issue with /etc/init.d files missing. Please restore this from your own backups or contact us to copy it over for you.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#2
I don't know what your issues with VPS 9 are if you don't mention them.

The issues that @youssefbasha and @sohamb03 had are indeed at all mixed up with these common things a) CentOS 7 and b) SELinux being active and set to enforcing security level.

While the VPS of @youssefbasha was absolutely taken down by SELinux and couldn't be used at all, @sohamb03 simply couldn't change the hostname. However who knows what other issues he might have had if we would have ignored that hostname issue and kept SELinux active.

So given that you have CentOS 7 also I would most likely say that your issues whatever they actually are could indeed be related to the same culprit (SELinux). Disable SELinux on your system and see how things go from there (if you didn't already). Or try to set it to premissive as suggested by @fChk here. Although I'm really against SELinux as one should always take care of security at their own to learn and know what they do. And what good is a security feature that makes everything pretty useless and unusable, right? Not going to lie, I don't see any point in SELinux. Never had any issues after disabling it.
[Image: zHHqO5Q.png]
#3
(12-08-2019, 12:02 PM)Hidden Refuge Wrote: (...)

So given that you have CentOS 7 also I would most likely say that your issues whatever they actually are could indeed be related to the same culprit (SELinux). Disable SELinux on your system and see how things go from there (if you didn't already). Or try to set it to premissive as suggested by @fChk here. Although I'm really against SELinux as one should always take care of security at their own to learn and know what they do. And what good is a security feature that makes everything pretty useless and unusable, right? Not going to lie, I don't see any point in SELinux. Never had any issues after disabling it.

@Hidden_Refuge
It's not an Either/OR situation here, SELinux is just another layer of system security that it is provided to you as well as all the rest, and you're advised to learn about and use it.

I understand your frustration with it; we've all being there at some point... The wise thing to do (as we all did) is to learn more about it then you'll be gratefull that it's their, at least when running one of RedHat systems.

@deanhills
For the situation at hand here, ie 'SELinux and virtualization', things can get really messed up if it's not configured properly at the host level, which is the responsibility of the VPS provider.

In Centos 7, SELinux is by default set to its enforcing mode. So if they ask you to disable it then it won't work at all, thus you should disable it (or never set it to the enforcing mode if it's already disabled.) You got your excuse right there...

(12-08-2019, 11:37 AM)deanhills Wrote: Yum also didn't look as though it loaded properly.
Centos 7 is the server edition of Fedora 20 and above and there were a lot of changes at that version. Among them the shift from the use of yum to dnf.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#4
(12-09-2019, 06:04 AM)fChk Wrote: @deanhills
For the situation at hand here, ie 'SELinux and virtualization', things can get really messed up if it's not configured properly at the host level, which is the responsibility of the VPS provider.

@fChk.  Thank you for the feedback.  You may not be aware but VPS 9 used to be a flagship VPS here at post4vps - I hope it can still be.  Ubuntu was the only real problem we had up to the KVM upgrade as they had an old version for loading on the VPS from the Admin Panel, and if members tried to update it, it broke the SSH.  But for the rest and particularly CentOS on VPS 9 it was flawlessly put together.

Then followed pressure on Virmach to upgrade the VPSs from OpenVZ 6 to KVM.   @"Hidden Refuge"icked up on the need for this upgrade near end of August - this is a really good thread to beef up on the background of the upgrade if you're interested:
https://post4vps.com/Thread-The-End-of-O...t4VPS-VPSs

It must have been a massive upgrade at Virmach that occupied their technicians to great exhaustion, and I'm almost certain as they progressed, they started to take short cuts.  Why I say this is if you check the progress of our 7 VPS 9 VPSs, the first two upgrades Chicago and Seattle were almost flawless.  The original disk size was maintained, and we didn't receive any negative feedback.  However then a few weeks after that when the momentum for the upgrade must have been overpowering at Virmach, we noticed that they had implemented something to discourage the large VPS disk size, and also plenty of negative feedback.  Possibly the technicians had been more hands on during the earlier upgrades than the last ones.  My VPS Phoenix was the very last one, and I've been having real issues with it to the extent I mothballed it temporarily.  

There have been a few other post4vps discussions as well during the upgrade process from November to date, but this one is probably the one that gives an overall picture of how the upgrades had gone for post4vps VPSs:
https://post4vps.com/Thread-VPS-9-Schedu...-locations

@"Hidden Refuge"  I'm going to try my VPS 9 from scratch again and see how I go with this.  And then as requested will provide more detailed info about the hickups if I experience any.  Thank you for your detailed feedback and suggestions.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#5
@deanhills

Great to hear. If you experience any hickups we're here to get the stone rollin and solve everyone's issues. I'm sure the folks are willing to help where and how everyone can Smile.


@fChk

I won't argue with you or anyone else on the topic of SELinux at this point. I grew up with Ubuntu 8.04 (how it all started), later moved to Debian (5/6), used CentOS 5/6 and a bit of 7 for a some years (mainly during my activity on FreeVPS.us) and returned to Debian 8/9/10 a few years ago (using it now and Ubuntu LTS a bit for some servers and projects). One could say I'm an old hand in business but such sayings are never really true because we always learn new things and stuff evolves further (sometimes to quick to catch up). I have never needed SELinux because I configure everything as needed and as secure as I can. The old school way (like I also actually still vote for BIOS and to get rid of Intel ME and other similar evil). That said I'm not against changes and new things!

Anyway. On the subject I've read some stuff about SELinux recently after working on these cases and reading your replies. It's not bad but you have to be prepared to learn and be aware that simple things turn into a task that requires more work and time. And most important maybe is that you need knowledge and proper management skills. Also (with my job and etc I don't have much of it).


(https://www.youtube.com/watch?v=KOjCJXHJhPg)

My two cents. Eitherway we shouldn't turn the support topics into "SELinux Yes vs SELinux No" or similar. Let's focus on actually solving issues.
[Image: zHHqO5Q.png]
#6
@deanhills
Thanks for the background story! So, it was five OpenVZ(6) to KVM migrations, each one with its own context and outcome (5 different locations/nodes.)

The disk size issue is expected given that it's easier to advertise a virtual 100GB SSD on OpenVZ than with KVM. Thus (I presume) on the nodes where storage is scarce, they didn't reserve it in bulk but rather on demand.

(12-09-2019, 08:05 PM)Hidden Refuge Wrote: (...)
Anyway. On the subject I've read some stuff about SELinux recently after working on these cases and reading your replies. It's not bad but you have to be prepared to learn and be aware that simple things turn into a task that requires more work and time. And most important maybe is that you need knowledge and proper management skills. Also (with my job and etc I don't have much of it).
(...)
Glad to have read this @Hidden_Refuge, that was the goal :-) I'm sure you'll find the time and the motivation going forward.
VirMach's Buffalo_VPS-9 Holder (Dec. 20 - July 21)
microLXC's Container Holder (july 20 - ?)
VirMach's Phoenix_VPS-9 Holder (Apr. 20 - June 20)
NanoKVM's NAT-VPS Holder (jan. 20 - ?)
#7
OK.  So I have some free time at last to start on Project VPS 9 Phoenix again.  Off the bat immediately have problems.  I disabled Selinux and after trying to get into the VPS again (I did remember to reboot), root is no longer lower case - but ROOT - and my password is denied.

I then go for loading the OS again, and then learned the following from Virmach:

Quote:Note: This OS does not work with our protected IP addon.
Linux Centos 7.1503.01 X86 64 Minimal Gen2 V1

Not sure what that means. I take it my new IP that was given after the upgrade to KVM is protected. Everything seems to be protected. When I started reloading the only other closest CentOS version (the above version is the last available CentOS) 6.5 it says I only have 49 attempts left. Now that tells me a story in its own right. All of the Virmach upgraded customers are having to repeatedly reload their OS due to all of these finicky headaches we have to endure. Can't be an ideal situation for the Servers.

I've written to Virmach and asked them if they could set up my VPS so I can work with it again. As it's not working for me now. I also asked them why the first two upgraded VPSs are in such excellent form and we seem to have countless problems with the others necessitating a disabling of SeLinux. Why wasn't the disabling of SeLinux needed for the first two upgrades? Not sure what answer I'm going to get.

Anyway, what irks me too is when I accessed my VPS today there had been more than 36,000 attempts to get in. Last time when I tried to change the port number, it was successful for only two rounds, and then no longer after that.

My experience of this "upgrade" feels much more like a "downgrade" in every sense of the word. Grumble grumble grumble .... OK let's see what happens with CentOS 6.5. Last time I was unable to access the network with this CentOS.

Well I'm in 6.5 CentOS now. I'm first going to try to use it without disabling SeLinux and then see how far that gets me.
First project was to change port number.  Went through the whole thing.  All of the steps as previously successfully accomplished, but now this time round "no".  Who knows, maybe there are different steps for CentOS 6.5.  Have just reloaded the OS again and am starting from scratch again.

In the meanwhile results of the speed tests pain me when I consider it against my previous speed with my previous IP before the upgrade to KVM.  This was the speedtest after the upgrade taken today from South Africa when my IP was changed:

[Image: 8875187060.png]

This speed test was taken immediately after I received the new IP during early November:
[Image: 8813191142.png]

This was my last speed test taken in South Africa in August 2018 with the old IP:

[Image: 7532833913.png]

Latency is through the roof.

OK let's try again one last time, and also wait for feedback from Virmach. I'm going to let go of changing the port number now.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#8
OK. Looks like VPS 9 Phoenix is OK with CentOS 6.5. And NOT with CentOS 7. Virmach doesn't have CentOS 8 yet. Nor updated Ubuntu yet.

I decided to abandon my efforts to change the port number. I also didn't need to disable SeLinux - when I was installing software with yum I had no issues at all and it went reasonably fast. I was able to get a panel up successfully, create a database, and set up my WordPress site from the command line. All of it went very well.

In the end however I think my VPS functionality is reduced from before. Particularly the change in IP. Ping shot up from 36 for the old IP to 147 for the new IP and the speed is much reduced from before. I don't know how Virmach is doing the networking for the IPs, but could be it's a German IP that is networked through the US, so my ISP has to do a double take in transporting the packages to and from where the IP has been network to be located in Phoenix.

The VPS is still good for working, but there are a number of hurdles to work through. For someone with more sophisticated demands, for now, VPS 9 Phoenix is not recommended.
Terminal
Thank you to Post4VPS and VirMach for my awesome VPS 9!  


Possibly Related Threads…
Thread
Author
Replies
Views
Last Post
2,314
10-25-2020, 05:34 PM
Last Post: OldMeister
7,652
09-23-2018, 02:58 PM
Last Post: Kururin

person_pin_circle Users browsing this thread: 1 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting