What really happens under the hood when we type 'ls' on Linux?
Quick Intro That's a question someone asked me a while ago and while I had a pretty good idea of exec(), read() and write() system calls, I decided to investigate further and to publish an article. In this article, I'm going through what happens when we type the following command: I'll be usingstracedebugging tool to capture the system calls a simple command such as this triggers. For reference, the process ID (PID) of my bash shell process above is the following: Also, if you don't know what system calls are, please refer to the Appendix 1 section. It may seem silly but this is the kind of knowledge that actually made me better at troubleshooting and contributed tremendously to my understanding of Linux OS as this pattern repeats over and over. As you may know, BIG-IP runs on top of Linux. The strace command First off, I'm usingstracecommand whichinterceptsand prints system callscalledby a process¹and the signals²receivedby a process. If I didn't add the redirection2>&1, the egrep command wouldn't work because it filters the file descriptor (FD) 1 (stdout) butstracewrites to FD 2 (stderr). Note that I'm attachingstraceto my bash shell process ID (4716). Fir this reason, I added the-foption to capture the shell's behaviour of creating a new child sub-shell process in order to executels. It does that because if Linux were to executelsdirectly,lsprogram would take over current process (bash shell) resources and we would not be able to go back to it oncelsexecuted becauselswould be no longer available as it's just been overwritten. Instead, bash shell creates an exact copy of itself by callingclone()system call and then executeslsso that ls resources are written to this new process and not to parent process. In fact, this new cloned processbecomesls. Interesting eh? ¹A process is a running instance of a program we execute. ²signals are software interrupts that one process can send to another or to a group of processes. A well known example is kill signal when a process hangs and we want to force a termination of a program. If you don't know what file descriptors and system calls are, please refer to Appendix 1 and 2 at the end. Strace output I can't it's raw output because I've filtered it out but this is what I'm going to explain: In fact, let's work on the output without the shared libraries: Typing "ls" and hitting Enter By default, Linux prompt writes to FD 2 (standard error) which also prints to terminal, just like standard output. When I hit the letterlon my keyboard, Linux reads from my keyboard and writes back to terminal: Both read() and write() system calls receive: file descriptor they're reading from/writing to as first argument the character as second argument the size in bytes of the character What we see here isread()reads from FD 0 (standard input - our keyboard) and writes using write() to FD 2 (standard error) and that ends up printing letter "l" in our terminal. The return value is what's after the equals sign and for both read() and write() it's the number of bytes read/written. If there was an error somehow, the return value would be -1. Bash shell creates a new process of itself The clone() system call is used instead offork()becausefork()doesn't allow child process to share parts of its execution context with the calling process, i.e. the one calling fork(). Modern Linux now mostly usesclone()because there are certain resources (such as file descriptor table, virtual memory address space, etc) that are perfectly fine to be shared between parent↔ child soclone() ends up being more efficient for most cases. So here, my Debian 10.x usesclone()system call: Up to this point, the above process is almost an exact replica of our bash shell except that it now has a memory address (stack) of its own as stack memory cannot be shared¹. flags contains what is shared between the parent process (bash shell) and the new process (the sub-shell that will turn into "ls" command shortly). The flagCLONE_CHILD_CLEARTIDis there to allow another function in the ls code to be able to clean up its memory address. For this reason, we also have to reference the memory address inchild_tidptr=0x7f3ce765ba10(this 0x.. is the actual memory address of ourlscommand). TheCLONE_CHILD_SETTIDstores the child's PID in memory location referenced bychild_tidpt. Lastly,SIGCHLDis the signal that "ls" process will send to parent process (bash shell) once it terminates. ¹A stack is the memory region allocated to a running program that contains objects that are statically allocated such as functions and local variables. There's another region of memory called the heap that store dynamic objects such as pointers. Stack memory is fast and automatically frees memory. Heap memory requires manual allocation using malloc() or calloc() and freeing using free() function. For more details, please refer tothis article here. Execution of ls finally starts I had to filter out other system calls to reduce the complexity of this article. There are other things that happen like memory mappings (using mmap() system call), retrieval of process pid (using getpid() system call),etc. Except for last 2 lines which is literally reading a blank character from terminal and then closing it, I'd just ignore this bit as it's referring to file descriptors that were filtered: The important line here is this one: In reality,execve()doesn't return upon success soI believe the 0 here is juststracesignalling there was no error. What happens here is execve() replaces current virtual address space (from parent process) with a new address space to used independently bylsprogram. We now finally have "ls" as we know it loaded into memory! ls looks for content in current directory The next step is forlscommand to list the contents of the directory we asked. In this case, we're listing the contents of current directory which is represented by a dot: Theopenat()system call creates a new file descriptor (number 3) withthe contents of current directory that we listed and then closes it. Contents are then written to our terminal using write() system call as shown above. Note that strace truncates the full list of directories but it displays the correct amount of bytes written (62 bytes). If you're wondering why FD 3 is closed before ls writes its contents to FD 1 (stdout), keep in mind thatstraceoutput is not the actuallscode! It's just the system calls, i.e. when code needs access to a privileged kernel operation. This snippet from ls.cfrom Linuxcoreutilspackage, shows thatlscode has a function calledprint_dirand inside such function, it uses a native C library functionopendir() to store the contents ofthe directory into a variable calleddirp. In reality, it's not the directory's content but a pointer to it. Theopenat()system call is triggered whenprint_dirfunction executesopendir()as seen below: The bottom line is thatstracewill only show us what is going on from the point of view of system calls. It doesn't give us a complete picture of everything that's going on inlscode. So to answer our question,opendir()function only usesopenat() system call to have access to the contents of current directory. It can then copy it to variable and close it immediately. Terminal prompt gets printed back to us After program closes, Linux prints our terminal prompt back to us: Appendix 1 -What are System Calls? The Linux OS is responsible for management devices, processes, memory and file system. It won't or at least try hard not to let anything coming from the user space to disrupt the health of our system. Therefore, for the most part, tasks like allocating memory, reading/writing from/to files use the kernel as intermediate. So, even printing a hello world in C can trigger a write() system call to write "Hello World" to our terminal. This is all I did: And this is the output of strace filtering onlywrite()system calls: So think of it as Linux trying to protect your computer resources from programs and the end user such as us using a safe API. Appendix 2 - What are File Descriptors? Every program comes with 3 standard file descriptors: 0 (standard input),1 (standard output) and 2 (standard error). These file descriptors are present in a table called file descriptor table that tracks open files for all our programs. When our "Hello World" was printed above, the write() system call "wrote" it to file descriptor 1 (standard output). By default, file descriptor 1 prints to terminal. On the other hand, file descriptor 0 is used byread()system call. I didn't hit enter here, but I just wanted to prove thatread()takes file descriptor 0 as input: It's reading from standard input (0), i.e. whatever we type on keyboard. Standard error (2) is reserved for errors. From FD 3 onwards, programs are free to use if they need to. When we open a file, such file is assigned the next lowest file descriptor number available, which might be 3 for first file, 4 for second file, and so on.Understanding how Linux reacts to memory pressure using vmstat
Introduction This article is just a quick hands-on practical example to show how a typical Linux system usually reacts when memory pressure builds up quickly. I'll usevmstatto watchfree,buffersandcachedcounters to watch how they react to a sharp memory increase. FYI, my test box has 4 GB of memory: To quickly increase memory usage, I wrote a simple C program that allocates 3 GB of RAM to an array of integers. It then waits 5 seconds before freeing up memory to give us some time to look at memory usage before program frees up memory. Here's the C code: I then compiled the code usinggcccommand: On the left terminal, I'm executingwatch -n 1 vmstatcommand and on the right terminal I'm running my C script./mem: I recorded a couple of seconds after program finished running, i.e. after we free up memory so we can see how free counters recover from memory pressure. I encourage you to go through the above animation 2 times. Once observing free and a 2nd time observing buff/cache. free For the first time, let's focus onfree. freeshows the amount of memory that is 100% physically free/idle. Notice that it starts out with about 2.7G (2759796 KB) and sharply decreases to just 107 MB (107876 KB) in 8 seconds: As soon as memory is freed, it sharply rises back to 3 GB (3039684 KB): buff/cache buff/cache are kept high in a healthy Linux system with plenty of memory available to make the most of available RAM. Cache is the size of memory page cache and buffers is the size of in-memory block I/O buffers. Since 2.4.10, both page and buffer cache are unified so we look at them together here. This is also the reason why top command shows both of them together: For Linux, idle RAM is a waste when it can be used for faster access to read frequently used data or to buffer data for faster retrieval. For this reason, Linux uses a lot of buff/cache so in reality, the total amount of free memory on Linux is the sum offree+buff/cache. In this particular case, the fact that buff/cache is reducing significantly in size, indicates that Linux no longer has the luxury of usingbuff/cachefor other purposes that much and is now prioritising our./memprogram as shown below: They immediately start building up again and 6 seconds later, values are much higher: If memory continued to be a problem, Linux could opt to use its swap address and as memory is swapped in/out of disk, we should see the values ofsi/soincreasing. Appendix - OOM Killer Since we're talking about memory here, it's worth mentioning that when memory is critically low or threatening the stability of the system, Linux can trigger the Out of Memory (OOM) Killer functionality. Its job is to kill process(es) until enough memory is freed so that the system can function smoothly. The OOM Killer selects process(es) that It considers as least important when it comes to damaging system's functionality. The kernel maintains anoom_scorefor each process which can be found in /proc: The lower the score, the less likely OOM killer will kill it as less memory process is using. The higher theoom_scorevalue, the higher the chances of process getting killed by OOM Killer in an OOM situation. As most processes on my Linux box are not using memory, most of them will get a score of 0 (143 out of 147 processes): The last command lists all the scores in my system. I usedsort -uto sort the entries and remove the duplicates in a sorted manner.
Linux CLI VPN Client - "Server certificate verification failed."
Hi all, We've recently gone live with our VPN (on v13 HF2) and some of our users have reported their having issues accessing the VPN from their Linux command line. On RHEL/Fedora, the VPN connection doesn't work. On Ubuntu, I can see the errors in the logs but it lets me through anyhow. After installing the package, they run the command to connect to the VPN: f5fpc -s -t https://ourvpn.com When querying how the connection went, I can see: f5fpc -i Connection Status: logon failed Server certificate verification failed. The certificate we're using is a properly signed QuoVadis cert. The ~/.F5Networks/standalone.log shows: 2017-07-24,14:39:27:019, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 924, , LinuxEventHandler::loadCAStore()- Using default Trusted cert store at=/etc/ssl/certs, for CA cert validation 2017-07-24,14:39:27:019, 2839,2849,standalone, 2, /LinuxEventHandler.cpp, 1052, LinuxEventHandler::verify_context_chain(), Server Cert chain is empty 2017-07-24,14:39:27:021, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 1063, , LinuxEventHandler::verify_context_chain() - X509_verify_cert(): verification error=2, string=unable to get issuer certificate 2017-07-24,14:39:27:021, 2839,2849,standalone, 48, /LinuxEventHandler.cpp, 68, CLinuxEventHandler::HandleEvent(), exit with, 0 2017-07-24,14:39:27:022, 2839,2849,standalone, 2, /USSLChannel.cpp, 312, USSLChannel::Write, SSL_write failed (result: -1, error: SSL_ERROR_SSL) 2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 38, UHTTP::makeRequest(), EXCEPTION - send request error 2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 115, , EXCEPTION caught: UHTTP::makeRequest() - EXCEPTION 2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UFirepass.cpp, 679, UFirepass::doGetRequestWithoutRedirect, server returned HTTP code, return code, 0, -1 2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 688, UFirepass::doGetRequestWithoutRedirect, (0x27) EXCEPTION - Channel error, 39 2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 2. Stats (0) - Recv=3283 Send=524 2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 1. Stats (0) - Recv=3283 Send=524 2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 782, , EXCEPTION caught: UFirepass::getFirepassToken - EXCEPTION 2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 911, UFirepass::DoPrelogon, Failed to obtain logon token: prelogon is not enabled or Firepass server has version below 5.5 2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 55, UChannelChain::BuildChannels(), enter, 0x7: U_ENABLE_SOCKET_CHANNEL U_ENABLE_SSL_CHANNEL U_ENABLE_PROXY_CHANNEL 2017-07-24,14:39:27:022, 2839,2849,standalone, 48,,,, USSLChannel::USSLChannel:RAND_status(1) I've tried uploading the root/intermediate certificates to /etc/ssl/certs but still not luck. The workaround is to use the ignore certificate switch (-x) but I don't really want to do this. f5fpc -s -t https://ourvpn.com/ -x Any ideas?? Thanks, Nick
Linux SSL VPN client error - SSL handshake failed
Hello, We have recently update our SSL VPN infrastructure and after that I haven't been able to create a VPN tunnel from my laptop. I can successfully login to the web interface but when I try to create a tunnel a "Browser is waiting from status from Network Access Application" popup appears and after a short time it goes back to the popup that allows to download the client RPM or DEB. I can see these entries in the ~/.F5Networks/vpn.log when I try (always the same entries): ========================================================================== Kernel version: 1 SMP Debian 4.9.51-1 (2017-09-28) System: Linux Release: 4.9.0-4-amd64 Model: x86_64 Node name: robfas-lin ========================================================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, ===================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Location: /opt/f5/vpn/f5vpn 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Version: 7140.2017.0414.1 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Locale: C 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Qt version: 5.7.1 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, ===================================== 2017-10-13,10:56:06:040, 19333,19333,, 0,,,, 2017-10-13,10:56:06:040, 19333,19333,, 48,,,, current log level = 63 2017-10-13,10:56:06:042, 19333,19333,, 48, /Helpers.h, 96, void f5::qt::setupLogs(const std::string&, const std::string&), OpenSSL supported: true. Lib in use: OpenSSL 1.0.2l 25 May 2017. Build: OpenSSL 1.0.2k 26 Jan 2017 2017-10-13,10:56:06:085, 19333,19333,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap), D-Bus Open() method called 2017-10-13,10:56:06:097, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/my.report.na 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed 2017-10-13,10:56:06:200, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0 2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0 2017-10-13,10:56:06:201, 19333,19333,, 48, /Session.cpp, 87, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.paf.com/pre/config.php?version=2.0 2017-10-13,10:56:06:201, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/pre/config.php?version=2.0 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed 2017-10-13,10:56:06:298, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0 2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0 2017-10-13,10:56:06:298, 19333,19333,, 48, /Session.cpp, 59, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error 2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 222, void f5::qt::SessionManager::SessionError(QString), ----Session 46112466 ends----. Error occured: Network error 2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 214, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application.... I'm running on Debian Stretch 64 bit. I tried everything I could think about without success (and at the same time I can login successfully from an Android Tablet). Any tip on what I could try? Could this be related to this bug: ID382396 [Linux CLI] Certificate verification doesn't work for some Linux distributions? Thanks in advance!
Linux SSL VPN client error - GET request timeout/fail
I have a user with a laptop running Linux on a partition who's having trouble connecting to VPN from home (works fine on campus, however). The odd thing is, the first GET request completes and then the second and third appear to time out. The client log showing that is below. Are there any Linux folks here who may have an idea of how to tackle this issue? 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,===================================== 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Location: /opt/f5/vpn/f5vpn 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Version: 7185.2021.0108.1 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Locale: en_US.UTF-8 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Qt version: 5.5.1 2021-08-09,22:07:56:997, 16069,16069,, 0,,,,===================================== 2021-08-09,22:07:56:997, 16069,16069,, 0,,,, 2021-08-09,22:07:56:997, 16069,16069,, 48,,,, current log level = 63 2021-08-09,22:07:57:006, 16069,16069,, 48, /Helpers.h, 117, void f5::qt::setupLogs(const string&, const string&), QT - OpenSSL supported: true. Lib in use: OpenSSL 1.0.2p14 Aug 2018. Build: OpenSSL 1.0.0-fips 29 Mar 2010 2021-08-09,22:07:57:006, 16069,16069,, 48, /Helpers.h, 118, void f5::qt::setupLogs(const string&, const string&), F5 - OpenSSL build version: OpenSSL 1.0.2p14 Aug 2018 2021-08-09,22:07:57:043, 16069,16069,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap<QString, QVariant>), D-Bus Open() method called 2021-08-09,22:07:57:044, 16069,16069,, 48, /SessionManager.cpp, 198, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl&), otc is non empty, f79db5cb 2021-08-09,22:07:57:047, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/vdesk/get_sessid_for_token.php3 2021-08-09,22:08:00:196, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200 2021-08-09,22:08:00:196, 16069,16069,, 48, /SessionManager.cpp, 78, bool f5::qt::retrieveSidFromOtc(const QUrl&, const CString&, CString&), session id(308719ec) for otc(f79db5cb) 2021-08-09,22:08:00:197, 16069,16069,, 48, /SessionManager.cpp, 200, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl&), exchanged session id is, 308719ec 2021-08-09,22:08:00:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/my.report.na 2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 158, void f5::qt::HttpNetworkManager::RequestAbort(QNetworkReply*, bool) const, Request (https://vpn.acme.com/my.report.na) is being aborted (timeouted) 2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 120, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occurred while processing request (5) 2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 263, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 5, Operation canceled 2021-08-09,22:08:15:197, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 5, 0 2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 400, void f5::qt::HttpNetworkManager::RequestFinished(), Error occurred (error code, HTTP code), 5, 0 2021-08-09,22:08:15:198, 16069,16069,, 48, /Session.cpp, 108, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.acme.com/pre/config.php?version=2.0 2021-08-09,22:08:15:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/pre/config.php?version=2.0 2021-08-09,22:08:15:198, 16069,16069,, 48, /SessionManager.cpp, 268, bool f5::qt::SessionManager::CreateAndLaunchSessionInternal(const QUrl&), ----Session 308719ec starts---- 2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 158, void f5::qt::HttpNetworkManager::RequestAbort(QNetworkReply*, bool) const, Request (https://vpn.acme.com/pre/config.php?version=2.0) is being aborted (timeouted) 2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 120, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occurred while processing request (5) 2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 263, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 5, Operation canceled 2021-08-09,22:09:15:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 5, 0 2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 400, void f5::qt::HttpNetworkManager::RequestFinished(), Error occurred (error code, HTTP code), 5, 0 2021-08-09,22:09:15:198, 16069,16069,, 48, /Session.cpp, 80, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error 2021-08-09,22:09:15:198, 16069,16069,, 48, /SessionManager.cpp, 310, void f5::qt::SessionManager::SessionError(QString), ----Session 308719ec ends----. Error occurred: Network error 2021-08-09,22:09:15:198, 16069,16069,, 48, /SessionManager.cpp, 302, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application.... Thanks!
Kerberos Constrained Delegation to Linux backend
Hello, We are struggling with APM to perform Kerberos SSO toward an SAP system running on Linux, using this DG as ref : https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf. We find this in the APM log : 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/sapxxx.domain.com@DOMAIN.COM - Requesting ticket can't get forwardable tickets (-1765328163) As far as we understand the message this could be due to the fact that we are currently using "Trust this user for delegation to any service (Kerberos only)" in the delegation properties of the service account, when we should use "Trust this user for delegation to specified services only" > "Use any authentication protocol". But this doesn't work out of the box as the Linux backend is obviously not available in the AD to be added there. We tried to add a computer object for it but that doesn't help. So our question is : how can we configure the delegation to the Linux SAP backend ? Thanks in advance for your help :-)State lookup fails with "access denied" for firewall policy
I am in the process of setting up Ubuntu Linux (20.04) clients with VPN access using f5epi. Everything works, except for a firewall policy. The client side logs contain: 2021-09-29,12:50:17:954, 19837,19837,, 48, , 221, CreateInspector(), Created new OesisModule: SDK Version = '4.3.1161.0', V3V4 Adapter Version = '4.3.980.0' 2021-09-29,12:50:17:954, 19837,19837,, 48, , 224, CreateInspector(), Created new reference 2021-09-29,12:50:17:954, 19837,19837,, 48, , 74, OesisModule:Run(), policyData=type=fw&collect=2&count=1&check_list_type=required&vendor_id1=97&id1=0&version1=&platform1=2&state1=1 2021-09-29,12:50:17:954, 19837,19837,, 48, , 169, OesisLogInfoPolicy(), server configuration check list ===> Type: fw vendor_id: 97 id: 0 version: platform: 2 state: 1 2021-09-29,12:50:19:043, 19837,19837,, 48, , 86, OesisModule:Run(), testing product: id=97001 2021-09-29,12:50:19:043, 19837,19837,, 48, , 98, OesisModule:Run(), Product didn't match with any product from "server configuration check list"-> 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , id=97001 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_id=97 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , version=1.8.4 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , name=IPTables 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_name=IPTables 2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , errors=Failed to get 'state'. code: -32 (Access denied) mId: 1 iId: 11 2021-09-29,12:50:19:087, 19837,19837,, 48, , 155, OesisModule:Run(), leave (check failed) I assume the issue is that the iptables state check is trying to do something it is not allowed to do locally. Does anyone recognize this problem or have any information on what OesisModule is trying to access in this case?
