
perfsonar-user - Re: [perfsonar-user] TracerouteSender 403 Forbidden Error

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake <>
  • To: "Uhl, George D. (GSFC-423.0)[ARTS]" <>
  • Cc: Mark Tinberg <>, "" <>
  • Subject: Re: [perfsonar-user] TracerouteSender 403 Forbidden Error
  • Date: Wed, 30 Apr 2014 09:30:33 -0400

Hi George,

You can forcibly generate some traffic to 8086 by running something like the
following:

curl -X GET --dump-header - "http://archive.eos.nasa.gov:8086/perfSONAR_PS/services/tracerouteCollector"

That's a GET instead of a post but it'd be interesting to see what it does.
If it reaches the collector you will see something like the following:

HTTP/1.1 200 success
Date: Wed, 30 Apr 2014 13:07:00 GMT
Server: libwww-perl-daemon/5.827
User-Agent: perfSONAR-PS/3.2
Content-Length: 825
Content-Type: text/xml

<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"
id="message.1967190" type="ErrorResponse"><nmwg:metadata
id="metadata.16742872"><nmwg:eventType>error.common.transport</nmwg:eventType></nmwg:metadata><nmwg:data
metadataIdRef="metadata.16742872" id="data.9803672"><nmwgr:datum
xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/">Received message with an
invalid HTTP request, are you using a web
browser?</nmwgr:datum></nmwg:data></nmwg:message> </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


On Apr 29, 2014, at 5:06 PM, "Uhl, George D. (GSFC-423.0)[ARTS]"
<>
wrote:

> Mark,
>
> Thanks for following up. I was running tcpdump on the traceroute source
> host so I used tcpdump to look for it attempting to communicate to the
> remote archive server on port 8086. I'm not seeing anything related to
> http or traceroute in audit.log.
>
> Thanks again,
> -George
>
> On 4/29/14 4:53 PM, "Mark Tinberg"
> <>
> wrote:
>
>>
>> On Apr 29, 2014, at 2:48 PM, Uhl, George D. (GSFC-423.0)[ARTS]
>> <>
>> wrote:
>>
>>> Could this have something to do with selinux being enabled on the host?
>>> I
>>> did a tcpdump on this host and never saw any traffic sent to the MA
>>> server
>>> on port 8086.
>>
>> tcpdump would see the traffic before any packet filtering or selinux
>> policy could affect it so if you aren't seeing it inbound then it's not
>> getting to the machine at all and you can conclude the problem is not on
>> the local machine.
>>
>>> BTW, I'm prohibited from disabling selinux on this particular host.
>>
>> As a point of reference, SELinux logs to the audit subsystem and if
>> auditd is running those logs should end up in /var/log/audit/audit.log
>> which should be root-only readable. There are a lot of things which are
>> audited by default, look for AVC messages, they should tell you all the
>> information about what was denied, if anything. For example, here is
>> what happens when apache tries to access a user's home directory when
>> httpd_enable_homedirs has not been enabled by setsebool.
>>
>> # grep AVC /var/log/audit/audit.log
>> type=AVC msg=audit(1398804336.495:232531): avc: denied { search } for
>> pid=9160 comm="httpd" name="test" dev=dm-0 ino=663252
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>> type=AVC msg=audit(1398804336.498:232532): avc: denied { getattr } for
>> pid=9160 comm="httpd" path="/home/test" dev=dm-0 ino=663252
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>>
>>
>> --
>> Mark Tinberg, System Administrator
>> Division of Information Technology - Network Services
>> University of Wisconsin - Madison
>>
>>
>
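
The advice above to look for AVC messages in audit.log, written out as a small parser that picks out socket denials for one port. This is an added example, not part of the original thread: the first sample record is the one quoted above joined onto one line, and the second (a name_connect denial for port 8086, with its comm and contexts) is constructed to show what an SELinux block on outbound traffic to the archive would look like.

```python
import re

# One AVC denial: audit timestamp:serial, permission set in braces, then key=value pairs.
AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: val.strip('"') for key, val in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def port_denials(lines, port):
    """Denials on socket classes whose dest= or src= field equals the given port."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not rec.get("tclass", "").endswith("_socket"):
            continue
        if str(port) in (rec.get("dest"), rec.get("src")):
            hits.append(rec)
    return hits

SAMPLE = [
    # From the thread, joined onto one line as auditd writes it.
    'type=AVC msg=audit(1398804336.495:232531): avc:  denied  { search } for  '
    'pid=9160 comm="httpd" name="test" dev=dm-0 ino=663252 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    # Constructed: an outbound connect to port 8086 being denied.
    'type=AVC msg=audit(1398804400.101:232540): avc:  denied  { name_connect } for  '
    'pid=9200 comm="example" dest=8086 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for rec in port_denials(SAMPLE, 8086):
        print(rec["serial"], rec["comm"], rec["perms"], rec["scontext"], "->", rec["tcontext"])
```

On a live host, pass it the lines of /var/log/audit/audit.log, which is readable by root only.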



