tickets #60791
closedprovo-mirror: @ERROR: access denied to opensuse-full-really-everything-including-repositories from UNKNOWN (2620:113:8044:72:130:57:72:8)
100%
Description
admin-auto has lots of mails from provo-mirror saying (repeatedly)
@ERROR: access denied to opensuse-full-really-everything-including-repositories from UNKNOWN (2620:113:8044:72:130:57:72:8)
rsync error: error starting client-server protocol (code 5) at main.c(1672) [Receiver=3.1.3]
The first mail with this error is from Nov 29 0:46 CET.
#60557 started around the same time, so it might be somewhat related.
Updated by lrupp over 4 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 40
Had a quick look - looks to me like someone copied the rsyncd.conf from pontifex to the provo-mirror. As pontifex only allows the machines explicitly listed as mirror servers, all the standard modules are unavailable...
I checked the list of exported modules at rsync.opensuse.org now and added a
hosts allow = *
to the rsyncd.conf modules on provo-mirror.opensuse.org. For me this fixed the problem.
There are other rsync modules with "hosts allow = *" on the provo-mirror, but I did not check them (yet).
Updated by lrupp over 4 years ago
- Status changed from In Progress to Closed
- % Done changed from 40 to 100
works, verified
Updated by cboltz over 4 years ago
- Status changed from Closed to New
Reopening - I still (or again?) see those mails on admin-auto.
Checking the script shows that the error is about rsync'ing from stage.o.o to provo-mirror, which means we'll probably need to whitelist 2620:113:8044:72:130:57:72:8 on stage.o.o.
Also note that the error message includes UNKNOWN which indicates that the IP doesn't have a reverse DNS entry.
And finally, I wonder why this started only 2 weeks ago - did provo-mirror switch to another IP for rsync'ing from stage.o.o?
Updated by pjessen over 4 years ago
Looking in my email inbox, I see those errors going all the way back 15 Feb 2019 14:00 CET, but from :10.
I'll update the acl.
Updated by pjessen over 4 years ago
Remarkably, I added 2620:113:8044:72:130:57:72:10 in March, see issue#48608. I see that 2620:113:8000::/40 belongs to Attachmate, but I don't want to whitelist a /40. I have added 2620:113:8044:72::/64.
Updated by lrupp over 2 years ago
- Status changed from New to Closed
Hi there - and a Happy and Healthy 2022!
I'm currently closing old tickets which did not see much change.
If the main concern still exists and should be handled, please re-open by just replying to this Email.
Thanks in advance,
Lars