exim4 Unrouteable address - smtp

I have set up exim4 with a smarthost to migadu.com.
I get an error:
2022-06-03 13:10:46 1nx5CY-0002TT-TI <= www-data#localhost U=www-data P=local S=817
2022-06-03 13:10:46 1nx5CY-0002TT-TI ** lars#gnf.dk: Unrouteable address
when trying to send from a PHP site (local on the machine) to lars#gnf.dk.
Trying to send from the CLI like this:
echo "Test message" | mail -s "Test message" lars#gnf.dk
2022-06-03 13:23:03 1nx5OR-0002XM-6a <= root#gnf.dk U=root P=local S=339
root#gnf:/etc/exim4# 2022-06-03 13:23:03 1nx5OR-0002XM-6a ** lars#gnf.dk: Unrouteable address
2022-06-03 13:23:03 1nx5OR-0002XP-7I <= <> R=1nx5OR-0002XM-6a U=Debian-exim P=local S=1470
2022-06-03 13:23:03 1nx5OR-0002XM-6a Completed
2022-06-03 13:23:03 1nx5OR-0002XP-7I => lakn <root#gnf.dk> R=local_user T=maildir_home
2022-06-03 13:23:03 1nx5OR-0002XP-7I Completed
If I try to send to lars#dulmens.dk from the CLI, it works.
Any idea why this is so?
Br
Lars
cat update-exim4.conf.conf
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='smtp.migadu.com; gnf.dk; localhost'
dc_local_interfaces='127.0.0.1'
dc_readhost='gnf.dk'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
#dc_smarthost='smtp.migadu.com::465'
dc_smarthost='smtp.migadu.com::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
disable_ipv6=true
root#gnf:/etc/exim4# /usr/sbin/exim4 -d -bt lars#gnf.dk
Exim version 4.92 uid=0 gid=0 pid=9846 D=f7715cfd
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [8.3.0]
Library version: Glibc: Compile: 2.28
Runtime: 2.28
Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013)
Runtime: Berkeley DB 5.3.28: (September 9, 2013)
Library version: GnuTLS: Compile: 3.6.7
Runtime: 3.6.7
Library version: PCRE: Compile: 8.39
Runtime: 8.39 2016-06-14
Total 13 lookups
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=9846
auxiliary group list: <none>
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 0000cffc c6401022 00000001
trusted user
admin user
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root#localhost
Address testing: uid=0 gid=109 euid=0 egid=109
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Testing lars#gnf.dk
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Considering lars#gnf.dk
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
routing lars#gnf.dk
--------> hubbed_hosts router <--------
local_part=lars domain=gnf.dk
checking domains
expansion of "${if exists{/etc/exim4/hubbed_hosts}{partial-lsearch;/etc/exim4/hubbed_hosts}fail}" forced failure: assume not in this list
hubbed_hosts router skipped: domains mismatch
--------> smarthost router <--------
local_part=lars domain=gnf.dk
checking domains
gnf.dk in "#:localhost:smtp.migadu.com: gnf.dk: localhost"? yes (matched "#")
gnf.dk in "! +local_domains"? no (matched "! +local_domains")
smarthost router skipped: domains mismatch
--------> real_local router <--------
local_part=lars domain=gnf.dk
real_local router skipped: prefix mismatch
--------> system_aliases router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
R: system_aliases for lars#gnf.dk
calling system_aliases router
rda_interpret (string): ${lookup{$local_part}lsearch{/etc/aliases}}
search_open: lsearch "/etc/aliases"
search_find: file="/etc/aliases"
key="lars" partial=-1 affix=NULL starflags=0
LRU list:
7/etc/aliases
End
internal_search_find: file="/etc/aliases"
type=lsearch key="lars"
file lookup required for lars
in /etc/aliases
lookup failed
expanded:
file is not a filter file
parse_forward_list:
system_aliases router declined for lars#gnf.dk
--------> userforward router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "lars": cache not available
getpwnam() returned NULL (user not found)
userforward router skipped: lars is not a local user
--------> procmail router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "lars": using cached result
getpwnam() returned NULL (user not found)
procmail router skipped: lars is not a local user
--------> maildrop router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "lars": using cached result
getpwnam() returned NULL (user not found)
maildrop router skipped: lars is not a local user
--------> lowuid_aliases router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking for local user
seeking password data for user "lars": using cached result
getpwnam() returned NULL (user not found)
lowuid_aliases router skipped: lars is not a local user
--------> local_user router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
lars in "! root"? yes (end of list)
checking for local user
seeking password data for user "lars": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: lars is not a local user
--------> mail4root router <--------
local_part=lars domain=gnf.dk
checking domains
cached yes match for +local_domains
cached lookup data = NULL
gnf.dk in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
lars in "root"? no (end of list)
mail4root router skipped: local_parts mismatch
no more routers
lars#gnf.dk is undeliverable: Unrouteable address
search_tidyup called
>>>>>>>>>>>>>>>> Exim pid=9846 (main) terminating with rc=2 >>>>>>>>>>>>>>>>
root#gnf:/etc/exim4#


Fiware error: Access-Control-Allow-Origin

I'm making a call to the contextBroker and it gives me this error.
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 405.
From postman or from freeboard I do not get any of this.
getContextBroker(){
console.log("Consumimos el servicio getContextBroker");
let headers = new Headers ({'Accept': 'application/json', 'Fiware-Service': 'x', 'Fiware-ServicePath': '/x', 'Access-Control-Allow-Origin': '*'});
let options = new RequestOptions ({headers : headers});
return this._http.get(this.urlcontextBrokers, {headers : headers}).map(res => res.json());
}
}
how can I solve that?
I've tried adding: 'Access-Control-Allow-Origin': '*'
But it still does not work
EDIT:
ps ax | grep contextBroker:
862 pts/4 S+ 0:00 grep contextBroker
3792 ? Ssl 27:35 /usr/bin/contextBroker -port 1026 -logDir /var/log/contextBroker -pidpath /var/run/contextBroker/contextBroker.pid -dbhost localhost -db orion -multiservice -logAppend
version:
{
"orion": {
"version": "1.7.0",
"uptime": "12 d, 18 h, 24 m, 20 s",
"git_hash": "e544780eb64a4a2557c1f51dde070b8d82b86c49",
"compile_time": "Wed Feb 8 13:30:24 CET 2017",
"compiled_by": "fermin",
"compiled_in": "centollo"
}
}
EDIT02
Hello, as I said, I do not want to use the cors, I have eliminated that from the header in such a way:
   getContextBroker() {
     console.log("We consume the getContextBroker service");
     let headers = new Headers({'Accept': 'application/json', 'Fiware-Service': 'IoFAlmeria', 'Fiware-ServicePath': '/ARMpalmerillas'});
     let options = new RequestOptions({headers: headers});
     return this._http.get(this.urlcontextBrokers, {headers: headers}).map(res => res.json());
   }
}
and I keep getting the same error:
OPTIONS http://XXX:1026/v2/entities/ 405 (Method Not Allowed)
Failed to load http://XXX:1026/v2/entities/: Response to preflight request does not pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 405.
It has to be the problem of the fiware API since I have designed one with nodejs and I have no problem changing the URL.
Update:
Limpiando repositorios:base epel extras fiware mongodb-org-3.2
: mysql-connectors-community mysql-tools-community
: mysql57-community nodesource updates
Limpiando todo
Cleaning up list of fastest mirrors
[root#UAL-IoF2020 ~]# yum install contextBroker
Complementos cargados:fastestmirror, refresh-packagekit, security
Configurando el proceso de instalación
Determining fastest mirrors
epel/metalink | 25 kB 00:00
* base: ftp.uma.es
* epel: ftp.uma.es
* extras: ftp.uma.es
* updates: ftp.uma.es
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:00
epel | 4.7 kB 00:00
epel/primary_db | 6.0 MB 00:00
extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:00
fiware | 951 B 00:00
fiware/primary | 45 kB 00:00
mongodb-org-3.2 | 2.5 kB 00:00
mongodb-org-3.2/primary_db | 78 kB 00:00
mysql-connectors-community | 2.5 kB 00:00
mysql-connectors-community/primary_db | 18 kB 00:00
mysql-tools-community | 2.5 kB 00:00
mysql-tools-community/primary_db | 38 kB 00:00
mysql57-community | 2.5 kB 00:00
mysql57-community/primary_db | 139 kB 00:00
nodesource | 2.5 kB 00:00
nodesource/primary_db | 51 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 6.4 MB 00:00
El paquete contextBroker-1.7.0-1.x86_64 ya se encuentra instalado con su versión más reciente
Nada para hacer
CORS requests are only supported by Orion Context Broker version 1.10 and above.
As @JoseManuelCantera has pointed out, you do not need to add any CORS specific headers to your request, those are handled by your client (browser, Postman etc.).
You need to:
Upgrade your version to 1.10
Start Orion in CORS mode
You can start Orion in CORS mode for any origin (Orion will accept CORS requests from any origin) as below:
contextBroker -corsOrigin __ALL
Please take a look at the CORS documentation for Orion for more information.
UPDATE
Please allow me to shortly explain CORS pre-flight logic. If your request is not a simple request, your browser will do a pre-flight request prior to yours with the OPTIONS method. If Orion is not started in CORS mode, you will always get method not allowed as a response to your non-simple requests.
So what is the problem, why are you getting different results with different clients? Postman (curl etc.) does exactly what you want it to do and sends the requests as you have configured. It does not check if the request you are sending should be pre-flighted or not.
On the other hand, your browser does check your request and does a pre-flight if necessary. You have no control over this other than modifying your request.
The Javascript framework you are working with is probably adding a header to the request rendering it a "non-simple" request. For example: X-Requested-With. Please see this question.
My suggestion is to take a look at the details of the request your browser sends (headers, methods etc.) and see what makes it a non-simple request. Then do the necessary changes on your js code to make sure your request falls within the scope of simple requests.
Having said that, you will need to upgrade your Orion version eventually since for example, a DELETE request is never going to be treated as a simple request when sent over a browser.
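Added example, not part of the answer above and not browser or Orion code: a simplified Python model of the browser's "simple request" test from the Fetch standard, applied to the request headers posted in the question. The function names and the two server dictionaries are made up for this illustration, and the CORS-mode server is assumed to accept the requested method and headers.

```python
# Simplified model of a browser's CORS checks (Fetch standard). Added
# illustration: function names and the server dicts are hypothetical.

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Request headers from the question's first snippet, without the
# Access-Control-Allow-Origin request header that was dropped in EDIT02.
QUESTION_HEADERS = {
    "Accept": "application/json",
    "Fiware-Service": "x",
    "Fiware-ServicePath": "/x",
}

# Constructed server models. NO_CORS: a broker without CORS support, which
# answers OPTIONS with 405 and sends no CORS headers (what the question shows).
# CORS_ANY: a broker in CORS mode for any origin, assumed to accept the
# requested method and headers.
NO_CORS = {"answers_options": False, "allow_origin": None}
CORS_ANY = {"answers_options": True, "allow_origin": "*"}


def preflight_reasons(method, headers):
    """Return why a cross-origin request needs an OPTIONS pre-flight.

    An empty list means the browser treats it as a simple request.
    Simplification: value-length limits and the Range header are ignored.
    """
    reasons = []
    if method.upper() not in SAFE_METHODS:
        reasons.append("method " + method.upper())
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            reasons.append("header " + name)
        elif lname == "content-type":
            essence = value.split(";", 1)[0].strip().lower()
            if essence not in SAFE_CONTENT_TYPES:
                reasons.append("content-type " + essence)
    return reasons


def browser_outcome(method, headers, origin, server):
    """What a script running on `origin` experiences for this request.

    Clients such as Postman or curl perform none of these checks.
    """
    if preflight_reasons(method, headers) and not server["answers_options"]:
        return "blocked at pre-flight"
    # Even without a pre-flight, the script may read the response only if the
    # server names the origin (or "*") in Access-Control-Allow-Origin.
    if server["allow_origin"] not in ("*", origin):
        return "response blocked"
    return "allowed"


if __name__ == "__main__":
    origin = "http://localhost:4200"
    print(preflight_reasons("GET", QUESTION_HEADERS))
    print(browser_outcome("GET", QUESTION_HEADERS, origin, NO_CORS))
    print(browser_outcome("GET", QUESTION_HEADERS, origin, CORS_ANY))
```

In this model it is the two Fiware-* headers that make the question's GET non-simple, and a request with no pre-flight still needs Access-Control-Allow-Origin on the response before the page's script can read it.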
I think you need to upgrade to version 1.10 so that you can use CORS.
You do not need to add any header ;) and actually the Access-Control-Allow-Origin header is sent in the server response, not by the client request.

DKIM hmailserver and NameCheap Setup

I've been trying to set up my hmailserver with DKIM.
I was following this guide -> https://www.hmailserver.com/forum/viewtopic.php?t=29402
And I created my keys with this site -> https://www.port25.com/dkim-wizard/
Domain name: linnabary.us
DomainKey Selector: dkim
Key size: 1024
I created a pem file;
-----BEGIN RSA PRIVATE KEY-----
<key>
-----END RSA PRIVATE KEY-----
Saved it and loaded it into hmailserver
When I set this up on NameCheap I selected TXT Record, set my host as @, and put this line in, minus the key of course:
v=DKIM1; k=rsa; p=<KEY>
Now when I test with -> http://www.isnotspam.com
It says my DKIM key is as follows;
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: invalid
ID(s) verified: header.From=admin#linnabary.us
Selector=
domain=
DomainKeys DNS Record=._domainkey.
I was wondering if I am making any obvious errors in my record.
Edit;
The email contains the following line;
dkim-signature: v=1; a=rsa-sha256; d=linnabary.us; s=dkim;
This is what the setup looks like on NameCheap;
And here is the next test email from ;
This message is an automatic response from isNOTspam's authentication verifier service. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community. While it is not officially supported, we welcome any feedback you may have at .
Thank you for using isNOTspam.
The isNOTspam team
==========================================================
Summary of Results
==========================================================
SPF Check : pass
Sender-ID Check : pass
DKIM Check : invalid
SpamAssassin Check : ham (non-spam)
==========================================================
Details:
==========================================================
HELO hostname: [69.61.241.46]
Source IP: 69.61.241.46
mail-from: admin#linnabary.us
Anonymous To: ins-a64wsfm3#isnotspam.com
---------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mail=admin#linnabary.us
DNS record(s):
linnabary.us. 1799 IN TXT "v=spf1 a mx ip4:69.61.241.46 ~all"
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mail=admin#linnabary.us
DNS record(s):
linnabary.us. 1799 IN TXT "v=spf1 a mx ip4:69.61.241.46 ~all"
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: invalid
ID(s) verified: header.From=admin#linnabary.us
Selector=
domain=
DomainKeys DNS Record=._domainkey.
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin 3.4.1 (2015-04-28)
Result: ham (non-spam) (04.6points, 10.0 required)
pts rule name description
---- ---------------------- -------------------------------
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
X-Spam-Status: Yes, hits=4.6 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,RDNS_NONE,SPF_HELO_PASS,SPF_PASS,T_DKIM_INVALID autolearn=no
autolearn_force=no version=3.4.0
X-Spam-Score: 4.6
To learn more about the terms used in the SpamAssassin report, please search
here: http://wiki.apache.org/spamassassin/
==========================================================
Explanation of the possible results (adapted from
draft-kucherawy-sender-auth-header-04.txt):
==========================================================
"pass"
the message passed the authentication test.
"fail"
the message failed the authentication test.
"softfail"
the message failed the authentication test, and the authentication
method has either an explicit or implicit policy which doesn't require
successful authentication of all messages from that domain.
"neutral"
the authentication method completed without errors, but was unable
to reach either a positive or a negative result about the message.
"temperror"
a temporary (recoverable) error occurred attempting to authenticate
the sender; either the process couldn't be completed locally, or
there was a temporary failure retrieving data required for the
authentication. A later retry may produce a more final result.
"permerror"
a permanent (unrecoverable) error occurred attempting to
authenticate the sender; either the process couldn't be completed
locally, or there was a permanent failure retrieving data required
for the authentication.
==========================================================
Original Email
==========================================================
From admin#linnabary.us Wed Apr 12 17:41:22 2017
Return-path: <admin#linnabary.us>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on isnotspam.com
X-Spam-Flag: YES
X-Spam-Level: ****
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
X-Spam-Status: Yes, hits=4.6 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,RDNS_NONE,SPF_HELO_PASS,SPF_PASS,T_DKIM_INVALID autolearn=no
autolearn_force=no version=3.4.0
Envelope-to: ins-a64wsfm3#isnotspam.com
Delivery-date: Wed, 12 Apr 2017 17:41:22 +0000
Received: from [69.61.241.46] (helo=linnabary.us)
by localhost.localdomain with esmtp (Exim 4.84_2)
(envelope-from <admin#linnabary.us>)
id 1cyMGg-0007x2-1Q
for ins-a64wsfm3#isnotspam.com; Wed, 12 Apr 2017 17:41:22 +0000
dkim-signature: v=1; a=rsa-sha256; d=linnabary.us; s=dkim;
c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
bh=Ns4aRUgWUtil4fiVnvitgeV+q1K/smEYtRGN497S5Ew=;
b=Nc2Kzrzas0QqMpWM4fnF5o5wLWlWYFxlGlAipe+85H9cwGgc4hvEKUj1UvgB6I2VHUbJ0OGN/sJO9tjWgwlGypaUuW7Q8x/iI0UtC6cn7X6ZLHT+K6A2A6MdoyR1NF4xxvqPadcmcQwnrY0Tth4ycydpQMlBCZS30sc1qUjUrN0=
Received: from [192.168.1.12] (Aurora [192.168.1.12])
by linnabary.us with ESMTPA
; Wed, 12 Apr 2017 13:41:28 -0400
To: ins-a64wsfm3#isnotspam.com
From: Admin <admin#linnabary.us>
Subject: Welcome to Linnabary
Message-ID: <8e8be6cd-6354-aeb9-b577-2b0efc25a1a1#linnabary.us>
Date: Wed, 12 Apr 2017 13:41:28 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-DKIM-Status: invalid (pubkey_unavailable)
I honestly have no idea what I should put in here in order to protect
myself from filters, so I'm just making it up as I go.
- Tad
The Host value for your TXT entry should just be dkim._domainkey. Currently your domain key is located at: dkim._domainkey.linnabary.us.linnabary.us, so you're not supposed to add the domain here.
That's why the response to the test email says X-DKIM-Status: invalid (pubkey_unavailable) - the public key can't be found where it is supposed to be.
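Added example, not part of the original answer: a verifier builds the DNS name of the public key from the s= and d= tags of the DKIM-Signature header, so a proposed Host value can be checked against that name before publishing. The function names are made up for this illustration; that the DNS panel appends the zone name to the Host field is the behaviour the answer describes.

```python
import re

# DKIM-Signature header from the question's test mail (bh= and b= left out).
SIGNATURE = (
    "v=1; a=rsa-sha256; d=linnabary.us; s=dkim; "
    "c=relaxed/relaxed; q=dns/txt; "
    "h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:"
    "Content-Transfer-Encoding"
)


def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def key_query_name(signature):
    """DNS name a verifier queries for the key: <s>._domainkey.<d>"""
    tags = parse_tags(signature)
    return "{}._domainkey.{}".format(tags["s"], tags["d"]).lower()


def published_name(host_field, zone):
    """Name a TXT record ends up at when the panel appends the zone to Host.

    "@" stands for the zone apex. Treating a trailing dot as an absolute
    name is an assumption: not every panel accepts that notation.
    """
    host = host_field.strip().lower()
    if host == "@":
        return zone.lower()
    if host.endswith("."):
        return host[:-1]
    return host + "." + zone.lower()


def check_host_field(host_field, zone, signature):
    """Return (ok, published, expected) for a proposed Host value."""
    expected = key_query_name(signature)
    published = published_name(host_field, zone)
    return published == expected, published, expected


if __name__ == "__main__":
    for host in ("@", "dkim._domainkey.linnabary.us", "dkim._domainkey"):
        print(host, check_host_field(host, "linnabary.us", SIGNATURE))
```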

Upgrading K8S cluster from v1.2.0 to v1.3.0

I have 1 master and 4 minions all running on version 1.2.0. I am planning to upgrade them to 1.3.0. I want this done with minimal downtime.
So I did the following on one minion.
systemctl stop kubelet
yum update kubernetes-1.3.0-0.3.git86dc49a.el7
systemctl start kubelet
Once I bring up the service, I see the following error.
Mar 28 20:36:55 csdp-e2e-kubernetes-minion-6 kubelet[9902]: E0328 20:36:55.215614 9902 kubelet.go:1222] Unable to register node "172.29.240.169" with API server: the body of the request was in an unknown format - accepted media types include: application/json, application/yaml
Mar 28 20:36:55 csdp-e2e-kubernetes-minion-6 kubelet[9902]: E0328 20:36:55.217612 9902 event.go:198] Server rejected event '&api.Event{TypeMeta:unversioned.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:api.ObjectMeta{Name:"172.29.240.169.14b01ded8fb2d07b", GenerateName:"", Namespace:"default", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:unversioned.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*unversioned.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]api.OwnerReference(nil), Finalizers:[]string(nil)}, InvolvedObject:api.ObjectReference{Kind:"Node", Namespace:"", Name:"172.29.240.169", UID:"172.29.240.169", APIVersion:"", ResourceVersion:"", FieldPath:""}, Reason:"NodeHasSufficientDisk", Message:"Node 172.29.240.169 status is now: NodeHasSufficientDisk", Source:api.EventSource{Component:"kubelet", Host:"172.29.240.169"}, FirstTimestamp:unversioned.Time{Time:time.Time{sec:63626321182, nsec:814949499, loc:(*time.Location)(0x4c8a780)}}, LastTimestamp:unversioned.Time{Time:time.Time{sec:63626330215, nsec:213372890, loc:(*time.Location)(0x4c8a780)}}, Count:1278, Type:"Normal"}': 'the body of the request was in an unknown format - accepted media types include: application/json, application/yaml' (will not retry!)
Mar 28 20:36:55 csdp-e2e-kubernetes-minion-6 kubelet[9902]: E0328 20:36:55.246100 9902 event.go:198] Server rejected event '&api.Event{TypeMeta:unversioned.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:api.ObjectMeta{Name:"172.29.240.169.14b01ded8fb2fc88", GenerateName:"", Namespace:"default", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:unversioned.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*unversioned.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]api.OwnerReference(nil), Finalizers:[]string(nil)}, InvolvedObject:api.ObjectReference{Kind:"Node", Namespace:"", Name:"172.29.240.169", UID:"172.29.240.169", APIVersion:"", ResourceVersion:"", FieldPath:""}, Reason:"NodeHasSufficientMemory", Message:"Node 172.29.240.169 status is now: NodeHasSufficientMemory", Source:api.EventSource{Component:"kubelet", Host:"172.29.240.169"}, FirstTimestamp:unversioned.Time{Time:time.Time{sec:63626321182, nsec:814960776, loc:(*time.Location)(0x4c8a780)}}, LastTimestamp:unversioned.Time{Time:time.Time{sec:63626330215, nsec:213381138, loc:(*time.Location)(0x4c8a780)}}, Count:1278, Type:"Normal"}': 'the body of the request was in an unknown format - accepted media types include: application/json, application/yaml' (will not retry!)
Is v1.2.0 incompatible with v1.3.0?
Seems like the issue is with JSON incompatibility? application/json, application/yaml
From the master's standpoint:
[root#kubernetes-master ~]# kubectl get nodes
NAME STATUS AGE
172.29.219.105 Ready 3h
172.29.240.146 Ready 3h
172.29.240.168 Ready 3h
172.29.240.169 NotReady 3h
The node that I upgraded is in NotReady state.
As per the documentation you must upgrade your master components (kube-scheduler, kube-apiserver and kube-controller-manager) before your node components (kubelet, kube-proxy).
https://kubernetes.io/docs/getting-started-guides/ubuntu/upgrades/

site to site VPN between GCP and Fortinet 800C

I have a site-to-site VPN configuration between a Fortinet 800C and Google Cloud VPN, set up as in this link: https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithFortinetFortiGate300C.pdf.
But it's not successful. The logs look like this, repeated over and over:
16:43:36.240 sending packet: from 146.148.29.x[500] to 27.72.57.x[500] (640 bytes)
16:43:36.547 received packet: from 27.72.57.x[500] to 146.148.29.x[500] (360 bytes)
16:43:36.548 parsed IKE_SA_INIT request 0 [ SA KE No ]
16:43:36.548 27.72.57.x is initiating an IKE_SA
16:43:36.559 generating IKE_SA_INIT response 0 [ SA KE No N(MULT_AUTH) ]
16:43:36.559 sending packet: from 146.148.29.x[500] to 27.72.57.x[500] (384 bytes)
16:43:36.565 received packet: from 27.72.57.x[500] to 146.148.29.x[500] (360 bytes)
16:43:36.565 parsed IKE_SA_INIT response 0 [ SA KE No ]
16:43:36.571 authentication of '146.148.29.x' (myself) with pre-shared key
16:43:36.571 establishing CHILD_SA vpn_27.72.57.x{1}
16:43:36.571 generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
16:43:36.572 sending packet: from 146.148.29.x[500] to 27.72.57.x[500] (316 bytes)
16:43:36.885 received packet: from 27.72.57.x[500] to 146.148.29.x[500] (204 bytes)
16:43:36.886 parsed IKE_AUTH request 1 [ IDi AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
16:43:36.886 looking for peer configs matching 146.148.29.x[%any]...27.72.57.x[192.168.0.x]
16:43:36.886 no matching peer config found
16:43:36.886 generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
16:43:36.886 sending packet: from 146.148.29.x[500] to 27.72.57.x[500] (76 bytes)
16:43:36.891 received packet: from 27.72.57.x[500] to 146.148.29.x[500] (124 bytes)
16:43:36.891 parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
16:43:36.891 authentication of '192.168.0.x' with pre-shared key successful
16:43:36.891 constraint check failed: identity '27.72.57.x' required
16:43:36.891 selected peer config 'vpn_27.72.57.x' inacceptable: constraint checking failed
16:43:36.891 no alternative config found
16:43:36.891 generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
16:43:36.891 sending packet: from 146.148.29.x[500] to 27.72.57.x[500] (76 bytes)
16:43:37.887 received packet: from 27.72.57.x[500] to 146.148.29.x[500] (360 bytes)
16:43:37.888 parsed IKE_SA_INIT request 0 [ SA KE No ]
16:43:37.888 27.72.57.140 is initiating an IKE_SA
16:43:37.900 generating IKE_SA_INIT response 0 [ SA KE No N(MULT_AUTH) ]
I'd be very grateful if someone can spot my mistake. Thank you.
My guess is that cloud VPN and Fortinet device are not configured to the same IKE version. Please check that.
Also, try looking at the status message of the VPN as displayed in the cloud console, or using 'gcloud compute vpn-tunnels describe' in command line.
It looks like one or more of the phase 1 settings did not match up on both sides. Without looking at the actual config, I cannot determine which. But generally, check the pre-shared key, authentication and encryption algorithm, DH groups, IP of the remote gateway and the outgoing interface of the connection. These factors have to match. Also, if you have NAT-Traversal enabled on one end, it has to be enabled on the other end as well.
I agree with the previous answers. The logs say that phase 1 could not be established. So the parameters are not equal.
It seems that the PSK (pre-shared key) is equal:
"authentication of '192.168.0.x' with pre-shared key successful"

Encrypting Nagios report mails with GnuPG fails with empty mails, why?

I am trying to encrypt the mails sent by Nagios3 using gpg2. For that, I have created this custom command in /etc/nagios3/commands.cfg:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
Some points:
The e-mail is sent but it is "empty":
Sep 19 14:35:25 tutu nagios3: Finished daemonizing... (New PID=4313)
Sep 19 14:36:15 tutu nagios3: SERVICE ALERT: tete_vm;HTTP;OK;HARD;4;HTTP OK: HTTP/1.1 200 OK - 347 bytes in 0.441 second response time
Sep 19 14:36:15 tutu nagios3: SERVICE NOTIFICATION: tata;tete_vm;HTTP;OK;notify-service-by-email;HTTP OK: HTTP/1.1 200 OK - 347 bytes in 0.441 second response time
The command:
/usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
works very well on command line
I have tested this command:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com >> /tmp/toto.txt
The file /tmp/toto.txt is created but "empty".
So, it seems to be a problem using /usr/bin/gpg2 on this file, but I cannot find why!
The most common mistake when encrypting from within services using GnuPG is that the recipient's key was imported by another (system) user than the one the service is running under, for example imported by root, but the service runs as nagios.
GnuPG maintains per-user "GnuPG home directories" (usually ~/.gnupg) with per-user keyrings in them. If you imported as root, other service accounts don't know anything about the keys in there.
The first step for debugging the issue would be to redirect gpg's stderr to a file, so you can read the error message by adding 2>>/tmp/gpg-error.log to the GnuPG call:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto#titi.com 2>>/tmp/gpg-error.log | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
If the issue is something like "key not found" or similar, you've got two possibilities to resolve the issue:
Import to the service's user account. Switch to the service's user, and import the key again.
Hard-code the GnuPG home directory to somewhere else using the --homedir [directory] option, for example in a place you also store your Nagios plugins.
Be aware of using appropriate, restrictive permissions. GnuPG is very picky if other users than the owner are allowed to read the files!
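Added example, not part of the original answer: a pre-check of the GnuPG home directory a service will use, covering the ownership, permission and keyring points made above. The function name and its messages are made up for this illustration, and the check does not run gpg itself.

```python
import os
import stat
import tempfile

# Public keyring files: keybox (GnuPG 2.1 and later) and the legacy keyring.
KEYRING_FILES = ("pubring.kbx", "pubring.gpg")


def audit_gnupg_home(homedir, service_uid):
    """Return findings for a GnuPG home directory used by a service account."""
    try:
        st = os.stat(homedir)
    except FileNotFoundError:
        return ["missing: {} does not exist, no keys available".format(homedir)]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory: {}".format(homedir)]

    findings = []
    if st.st_uid != service_uid:
        findings.append(
            "owner: uid {} owns it, service runs as uid {}".format(
                st.st_uid, service_uid
            )
        )
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            "permissions: mode {:o} is open to group/other, expected 700".format(
                stat.S_IMODE(st.st_mode)
            )
        )
    if not any(os.path.isfile(os.path.join(homedir, f)) for f in KEYRING_FILES):
        findings.append("keyring: no public keyring, recipient key not imported here")
    return findings


def demo():
    """Audit a constructed home directory before and after fixing it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "gnupg")
        os.mkdir(home)
        os.chmod(home, 0o755)  # too open, and no keys imported yet
        before = audit_gnupg_home(home, os.geteuid())

        os.chmod(home, 0o700)
        # Empty file as a stand-in for a keyring created by `gpg2 --import`.
        open(os.path.join(home, "pubring.kbx"), "wb").close()
        after = audit_gnupg_home(home, os.geteuid())
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Run it as the account the service uses, against that account's ~/.gnupg or the directory passed to --homedir.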