cron and PAM ERROR (Cannot make/remove an entry for the specified session)

Hello,

I run a virtual server with a standard minimal openSUSE 11.4 installation (Strato image) and all recent updates installed.


$ uname -a
Linux servername 2.6.18-028stab089.1 #1 SMP Thu Apr 14 13:46:04 MSD 2011 i686 athlon i386 GNU/Linux

A few days into running the server I found that although /usr/sbin/cron was running it didn’t execute the cron scripts. Instead, I find this:


$ tail -n 3 /var/log/messages
Jun 28 18:00:01 servername /usr/sbin/cron[28590]: pam_warn(crond:session): function=[pam_sm_open_session] service=[crond] terminal=[cron] user=[root] ruser=[<unknown>] rhost=[<unknown>]
Jun 28 18:00:01 servername /usr/sbin/cron[28590]: (root) PAM ERROR (Cannot make/remove an entry for the specified session)
Jun 28 18:00:01 servername /usr/sbin/cron[28590]: (root) FAILED to open PAM security session (Cannot make/remove an entry for the specified session)

repeated every 20 minutes. I have this


$ cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
auth     sufficient     pam_rootok.so
account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
auth     include        common-auth
account  include        common-account
password include        common-password

as per the standard installation and /etc/cron.allow doesn’t exist (I tested if it made a difference if it existed with the single line root in it, but there was no effect).

Although there are similar but not identical issues reported on the web, days of searching the forums and Google didn’t resolve it for me. Any advice how I can debug this? I need cron to execute because I want zypper to auto-update my server. On my home openSUSE 11.4 installation the problem doesn’t exist. Is it perhaps related to the settings in the yast security center?

Cheers.

On 2011-06-28 18:36, wmsx wrote:

> password include common-password

I have one more:


session  required       pam_loginuid.so

But there was an update related to cron, IIRC.

> because I want
> zypper to auto-update my server.

I don’t think that is wise.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

You say you are running 11.4, yet your kernel version seems to be custom. Or is that an artifact of the virtual machine?

Linux servername 2.6.18-028stab089.1 #1 SMP Thu Apr 14 13:46:04 MSD 2011 i686 athlon i386 GNU/Linux

ken yap wrote:

> 2.6.18-028stab089.1
This is no openSUSE kernel version, it is most probably a CentOS 5/Red Hat 5
kernel.


PC: oS 11.3 64 bit | Intel Core2 Quad Q8300@2.50GHz | KDE 4.6.4 | GeForce
9600 GT | 4GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.6.4 | nVidia
ION | 3GB Ram

Carlos, adding


session  required       pam_loginuid.so

fixed it! Some checking showed that the cronie package installed on my virtual server is cronie-1.4.7-9.21.1.i586 and that apparently does not contain above line.

On my home computer, which is x86_64, the cronie package is cronie-1.4.7-9.19.1.x86_64 and it does already contain above line.

Would that be expected behaviour? Anyway, thanks very much.

Oh by the way, why wouldn’t it be reasonable to have automatic updates on for my server? Say I go on summer leave and will be off-line for 4 weeks and, after a day or so, some new exploit is made public? I wouldn’t want the server to remain vulnerable? Or perhaps amateur admins shouldn’t go on leave :’(

@wmsx
On your server (the one with the 2.6.18-028stab089.1 kernel), what is the
output from


cat /etc/*release*

I would not be surprised if you will see something like that


[centos@centos ~]$ cat /etc/*release*
cat: /etc/lsb-release.d: Is a directory
CentOS release 5.6 (Final)

instead of


martinh@sirius:~> cat /etc/*release*
openSUSE 11.4 (x86_64)
VERSION = 11.4

If I am wrong and you have an openSUSE with this custom kernel, you should
contact your provider about it, what other special customizations are made
to the version they provide on that machine.



On 2011-06-29 12:36, wmsx wrote:

> Oh by the way, why wouldn’t it be reasonable to have automatic updates
> on for my server?

Because sometimes updates do break the system.

> Say I go on summer leave and will be off-line for 4
> weeks and, after a day or so, some new exploit is made public? I
> wouldn’t want the server to remain vulnerable? Or perhaps amateur admins
> shouldn’t go on leave :’(

Bad luck >:-)

Worse, you have a non openSUSE kernel, so I would certainly not touch that
machine.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Well, it really is openSUSE 11.4


# cat /etc/*release*
2011050301
openSUSE 11.4 (i586)
VERSION = 11.4
CODENAME = Celadon

but I believe that Strato servers use Virtuozzo (by Parallels) for the virtualisation. I don’t know much about it but I believe that it means that on a single physical machine there’s only a single special kernel running multiple “operating systems” (i.e. anything except the kernel) in parallel. This would be more efficient than running multiple instances of a traditional virtualisation product such as VMware or VirtualBox. That would explain why the kernel is not openSUSE while the rest is.

The software repositories are openSUSE’s but there’s no kernel rpm installed. In fact, I couldn’t find a kernel binary on the virtual server which somehow supports above hypothesis.

Yes, I agree with you. In this special case I would prefer to have a broken system than a broken-into system :wink: Not excluding the possibility that the former could promote the latter, of course…

wmsx wrote:

>
> Well, it really is openSUSE 11.4
Thanks for the feedback, at the end I somehow expected something like that
(without understanding much about such systems like virtuozzo) after you
mentioned your version of cronie which simply is not used in RHEL or CentOS.
I just was a bit sidetracked by the version which is from an openvz RHEL5
repository.
http://mirror.europhase.net/openvz/kernel/branches/rhel5-2.6.18/028stab089.1/
and corresponds well to the version I know from my CentOS 5.6 installation
(2.6.18).
So I ran into a false conclusion.
Sorry.



Thanks for your comments, folks.

There remains the question, from a general point of view, why the cronie version cronie-1.4.7-9.21.1.i586 doesn’t include the line which Carlos proposed above (and which fixed the issue) in /etc/pam.d/crond. Apparently, the standard openSUSE i586 cronie works without that line - I mean, otherwise somebody would have noticed before me? Perhaps I’m confused.

This is from my netbook where I never touched the configuration (it was a
fresh 11.4 install, no update from 11.3)


martinh@ganymed:~> cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
auth     sufficient     pam_rootok.so
account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so

martinh@ganymed:~> rpm -q cronie
cronie-1.4.7-9.21.1.x86_64

it includes the line by default.



You’re right, and the same goes for the i586 version cronie-1.4.7-9.21.1.i586 which I just applydeltarpm’d from download.opensuse.org. I will drop the Strato support an e-mail. Somehow they may have mixed things up.

On 2011-06-29 19:36, wmsx wrote:
>
> Thanks for your comments, folks.
>
> There remains the question, from a general point of view, why the
> cronie version cronie-1.4.7-9.21.1.i586 doesn’t include the line which
> Carlos proposed above (and which fixed the issue) in /etc/pam.d/crond.

Mine does have it, I checked two installs. I don’t suppose being 64 bit
matters.

I would not update your system. Perhaps it shares more than the kernel.

Doesn’t it have documentation?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-06-29 21:06, wmsx wrote:

> You’re right, and the same goes for the i586 version
> cronie-1.4.7-9.21.1.i586 which I just applydeltarpm’d from
> download.opensuse.org. I will drop the Strato support an e-mail. Somehow
> they may have mixed things up.

There have been several updates to cron and cronie. One of them might
contain that missing line.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
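
The log at the top of the thread fails in the session stack (pam_sm_open_session), and the /etc/pam.d/crond posted there has no session line; Linux-PAM takes the rules for a management group that a service file leaves empty from the `other` service. The following check is an added example, not part of the thread and not code from cronie or openSUSE: it reports which groups a service file leaves empty, following `include` and `substack`. The function names and the contents of the common-* files are assumptions made for the example.

```python
import re

GROUPS = ("auth", "account", "password", "session")
# <group> <control> <module-or-file>; control may be a [value=action ...] list
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def covered_groups(service, files, stack=()):
    """Return the management groups for which `service` has at least one rule."""
    if service in stack or service not in files:   # include loop or missing file
        return set()
    covered = set()
    text = files[service].replace("\\\n", " ")     # join backslash-continued lines
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())   # comments removed first
        if not m or m.group(1) not in GROUPS:
            continue
        group, control, target = m.groups()
        if control in ("include", "substack"):     # pulls in this group only
            if group in covered_groups(target, files, stack + (service,)):
                covered.add(group)
        else:
            covered.add(group)
    return covered

def missing_groups(service, files):
    """Groups with no rule of their own; libpam takes these from `other`."""
    have = covered_groups(service, files)
    return [g for g in GROUPS if g not in have]

# Constructed stand-ins for the common-* files, which the thread does not show.
COMMON = {
    "common-auth": "auth required pam_unix2.so\n",
    "common-account": "account required pam_unix2.so\n",
    "common-password": "password required pam_unix2.so\n",
}
# /etc/pam.d/crond as posted at the top of the thread (comment lines omitted).
CROND_AS_POSTED = """\
auth     sufficient     pam_rootok.so
account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
auth     include        common-auth
account  include        common-account
password include        common-password
"""
# The same file with the line that fixed the problem in the thread.
CROND_FIXED = CROND_AS_POSTED + "session  required       pam_loginuid.so\n"

if __name__ == "__main__":
    for label, text in (("as posted", CROND_AS_POSTED), ("fixed", CROND_FIXED)):
        gaps = missing_groups("crond", {**COMMON, "crond": text})
        print(label, "-> groups without rules:", gaps or "none")
```

On a real system the `files` mapping would be filled by reading every file under /etc/pam.d, keyed by file name.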