Mathieu Baudier
2021-Feb-19 08:37 UTC
[CentOS] Permission denied when updating CentOS 8 Streams
Hello,

On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:

$ sudo dnf upgrade --refresh
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream 0.0 B/s | 0 B 00:16
Errors during downloading metadata for repository 'appstream':
  - Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

Trying to retrieve the mirror list with wget gives similar errors (see log below).

This is a development VM and I was playing with firewalld zones on this interface (drop, block, etc.) in order to see the most restrictive that I could use in order to update a system. But the error also appears if I switch back the zone to public.

Could it be that my address has been blacklisted because of all these tests?

From my laptop, also running CentOS 8 Streams, everything is working as expected.

Thanks in advance for hints on how to analyze further!

Mathieu

## wget log

$ wget http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock
--2021-02-19 08:35:14-- http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock
Resolving mirrorlist.centos.org (mirrorlist.centos.org)... 2001:4178:5:200::10, 2600:1f16:c1:5e01:4180:6610:5482:c1c0, 2604:1380:2001:d00::3, ...
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2001:4178:5:200::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2600:1f16:c1:5e01:4180:6610:5482:c1c0|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:2001:d00::3|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1580:fe02:2::10|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2604:1380:1001:6c00::1|:80... failed: Permission denied.
Connecting to mirrorlist.centos.org (mirrorlist.centos.org)|2a05:d012:8b5:6503:9efb:5cad:348f:e826|:80... failed: Permission denied.

Paul Heinlein
2021-Feb-19 14:30 UTC
[CentOS] Permission denied when updating CentOS 8 Streams
On Fri, 19 Feb 2021, Mathieu Baudier wrote:

> Hello,
>
> On a remote server (in an IPv6-only infrastructure) I am getting the
> following error when trying to update CentOS 8 Streams x86_64:
>
> $ sudo dnf upgrade --refresh
> Failed to set locale, defaulting to C.UTF-8
> CentOS Stream 8 - AppStream
>
> 0.0 B/s | 0 B 00:16
> Errors during downloading metadata for repository 'appstream':
> - Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]
> Error: Failed to download metadata for repo 'appstream': Cannot prepare
> internal mirrorlist: Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

Try using an https:// URL.

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W

Gordon Messmer
2021-Feb-20 22:33 UTC
[CentOS] Permission denied when updating CentOS 8 Streams
On 2/19/21 12:37 AM, Mathieu Baudier wrote:

> - Curl error (7): Couldn't connect to server for
> http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock
> [Failed to connect to mirrorlist.centos.org port 80: Permission denied]

It's unusual to see EPERM on a call to connect()... The man page suggests that this can be caused by a local firewall rule or an SELinux policy.

https://man7.org/linux/man-pages/man2/connect.2.html

"yum" and "wget" should be running in an unconfined domain, so SELinux is *probably* not the cause. I'd take a look at the output of "iptables -L OUTPUT" first. I've tried creating local firewall rules that I'd expect to result in EPERM, but they do not, so I'm not sure what such a rule looks like.
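
As an added example (not part of any post in this thread), the sketch below records the raw errno from connect() for every resolved address and groups it by likely origin, using the two codes connect(2) lists for a local firewall rule or SELinux denial (EACCES, EPERM). The function names and the grouping labels are assumptions made for illustration.

```python
import errno
import socket

# connect(2) documents both codes for a connection denied on the local host
# (firewall rule; EACCES also for an SELinux policy denial).
LOCAL_DENY = {errno.EACCES, errno.EPERM}
REMOTE = {errno.ECONNREFUSED, errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH}

def classify(code):
    """Map a connect() errno to where the failure most likely originates."""
    if code == 0:
        return "connected"
    if code in LOCAL_DENY:
        return "local-policy"
    if code in REMOTE:
        return "network-or-remote"
    return "other"

def probe(host, port, timeout=3.0):
    """Try every address the resolver returns, as wget does; keep errno per address."""
    results = []
    for family, socktype, proto, _, addr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                code = 0
            except OSError as e:
                # A Python-level timeout carries no errno; treat it as ETIMEDOUT.
                code = e.errno if e.errno is not None else errno.ETIMEDOUT
        results.append((addr[0], code, classify(code)))
    return results

def verdict(results):
    """A denial on every address points at this host, not at one mirror."""
    kinds = {kind for _, _, kind in results}
    if kinds == {"local-policy"}:
        return "check local firewall rules and SELinux denials"
    if "connected" in kinds:
        return "at least one address reachable"
    return "look at routing, remote filtering or the service itself"

if __name__ == "__main__":
    # Constructed sample: six documentation-range addresses all failing with EACCES.
    sample = [(f"2001:db8::{i}", errno.EACCES, classify(errno.EACCES)) for i in range(1, 7)]
    print(verdict(sample))
```

Running probe() against the mirrorlist host on port 80 and again on 443 shows whether the denial is port-specific, which narrows the search to a particular outbound rule.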