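1. Problem description
After an OS upgrade to Anolis 8.6, the CentOS 6.5 yum repository was still needed. After that repository configuration was restored, a yum update reported the following error: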
Errors during downloading metadata for repository ‘base’:
- Curl error (8): Weird server reply for ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml [Got a 500 ftp-server response when 220 was expected]
错误:为仓库 ‘base’ 下载元数据失败 : Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Reference: CURL-FAQ
2. Handling the error
2.1 Based on the error, run:
curl -vvv ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml
* Trying 10.172.1.206...
* TCP_NODELAY set
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
< 500 OOPS: tcp_wrappers is set to YES but no tcp wrapper support compiled in
* Got a 500 ftp-server response when 220 was expected
* Closing connection 0
curl: (8) Got a 500 ftp-server response when 220 was expected
# Confirm the curl version
curl -V # output as follows
curl 7.61.1 (x86_64-Anolis-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.6/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
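Reviewing the FTP server configuration file: tcp_wrappers is used for access control. As the output above shows, the yum-installed build does not have support for this feature enabled by default, so we only need to disable the option. Unless you must use it, in which case you can recompile and add:
Note: TCP_Wrappers is a security mechanism in Linux, sometimes called the TCP_Wrappers firewall. It is a security tool that works at layer 4 (the transport layer). It has a TCP daemon called tcpd, which can inspect specific services that use stateful connections and enforce access control on them. Any program linked against the libwrap.so library can be controlled by TCP_Wrappers. Its main function is to control who may connect; common programs include rpcbind, vsftpd, sshd and telnet. Advantage: configuration changes take effect immediately. Disadvantage: access control policy can only be defined per service program and host address; it cannot be defined on network resolution or other attributes.
Access control for UDP-based connections can be implemented with a built-in or third-party firewall. For example: whenever an ssh connection request arrives, tcpd intercepts it and first reads the access control files set by the system administrator. If the request satisfies them, the connection is handed unchanged to the real ssh process, which does the rest of the work. If the source IP of the connection does not satisfy the settings in the access control files, the connection request is terminated and ssh service is refused.
Its control files are the OS files /etc/hosts.allow, which defines permitted access, and /etc/hosts.deny, which defines denied access. The filter keywords usable in the deny file are:
LOCAL hosts whose name contains no dot (usually the local machine)
KNOWN all hosts that can be resolved in DNS
UNKNOWN all hosts that cannot be resolved in DNS
PARANOID all hosts whose forward and reverse DNS lookups do not match
ALL matches everything (usable for both hosts and services)
EXCEPT inverts the selection (exclusion)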
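The access check described above, as an added shell example (not part of the original post). It goes slightly beyond the text by showing the evaluation order from hosts_access(5): hosts.allow is checked first, then hosts.deny, and access is granted when neither matches. The function names and sample policy are constructed; only ALL, LOCAL, exact names, address prefixes and EXCEPT are handled.

```shell
#!/bin/sh
# Added example: simplified TCP Wrappers decision logic (subset of hosts_access).
# KNOWN/UNKNOWN/PARANOID need DNS lookups and are not implemented here.

matches() {                      # matches VALUE "pat1 pat2 ..."
    for p in $2; do
        case "$p" in
            ALL)   return 0 ;;
            LOCAL) case "$1" in *.*) ;; *) return 0 ;; esac ;;   # no dot in name
            *.)    case "$1" in "$p"*) return 0 ;; esac ;;       # address prefix
            *)     [ "$1" = "$p" ] && return 0 ;;                # exact match
        esac
    done
    return 1
}

in_list() {                      # in_list VALUE "list [EXCEPT list]"
    case "$2" in
        *" EXCEPT "*) matches "$1" "${2%% EXCEPT *}" && ! matches "$1" "${2#* EXCEPT }" ;;
        *)            matches "$1" "$2" ;;
    esac
}

file_matches() {                 # file_matches FILE DAEMON CLIENT
    while IFS=: read -r daemons clients rest; do
        case "$daemons" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if in_list "$2" "$(echo "$daemons" | tr ',' ' ')" &&
           in_list "$3" "$(echo "$clients" | tr ',' ' ')"; then return 0; fi
    done < "$1"
    return 1
}

tcpwrap_decision() {             # tcpwrap_decision DAEMON CLIENT ALLOW DENY
    if   file_matches "$3" "$1" "$2"; then echo allow   # hosts.allow is read first
    elif file_matches "$4" "$1" "$2"; then echo deny    # then hosts.deny
    else echo allow; fi                                 # no match: access granted
}

# Constructed sample policy (not taken from the server in this post).
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf '%s\n' '# allow the repo clients' 'vsftpd : 10.172.1. EXCEPT 10.172.1.50' \
    'sshd : LOCAL' > "$D/hosts.allow"
printf '%s\n' 'ALL : ALL' > "$D/hosts.deny"

for c in 10.172.1.20 10.172.1.50; do
    echo "vsftpd from $c: $(tcpwrap_decision vsftpd "$c" "$D/hosts.allow" "$D/hosts.deny")"
done
```

Because an empty or missing rule set ends in "allow", a default-deny policy needs the explicit `ALL : ALL` line in hosts.deny.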
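2.2 Recompile to support the specified feature
The FTP server build has no configure script; edit the build definitions file to enable the relevant features: vi /usr/local/src/vsftp-d.2.3.4/builddefs.h
The defaults are shown below. Set an item to define to enable support, otherwise to undef; defining all of them is recommended.
#undef VSF_BUILD_TCPWRAPPERS /* whether to support TCP wrappers */
#define VSF_BUILD_PAM /* whether to support custom virtual user logins */
#undef VSF_BUILD_SSL /* whether to support SSL transport */
2.3 Error: the media protocol is not supported (Unsupported protocol for media)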
Errors during downloading metadata for repository 'base':
- Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz [Protocol "media" not supported or disabled in libcurl]
- Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6-primary.xml.gz [Protocol "media" not supported or disabled in libcurl]
- Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz [Protocol "media" not supported or disabled in libcurl]
错误:为仓库 'base' 下载元数据失败 : Yum repo downloading error: Downloading error(s): repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz - Download failed: Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz [Protocol "media" not supported or disabled in libcurl]; repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz - Download failed: Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz [Protocol "media" not supported or disabled in libcurl]; repodata/495d3964f864fbab835ea1afb8a5272352cd12ded1
Debugging process:
curl -vvv ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml # output as follows
* Trying 10.172.1.206...
* TCP_NODELAY set
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> USER anonymous
< 331 Please specify the password.
> PASS ftp@example.com
< 230 Login successful.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD centos6.5
* ftp_perform ends with SECONDARY: 0
< 250 Directory successfully changed.
> CWD media
< 250 Directory successfully changed.
> CWD repodata
< 250 Directory successfully changed.
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||60100|)
* Trying 10.172.1.206...
* TCP_NODELAY set
* Connecting to 10.172.1.206 (10.172.1.206) port 60100
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
> TYPE I
< 200 Switching to Binary mode.
> SIZE repomd.xml
< 213 4062
> RETR repomd.xml
< 150 Opening BINARY mode data connection for repomd.xml (4062 bytes).
* Maxdownload = -1
* Getting file with size: 4062
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
<revision>1385726898</revision>
<data type="group">
<checksum type="sha256">b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632</checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632-c6-x86_64-comps.xml"/>
<timestamp>1385726992.63</timestamp>
<size>1220797</size>
</data>
<data type="filelists">
<checksum type="sha256">6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d</checksum>
<open-checksum type="sha256">94e6b785bf5990ce8d806b2b3f369104ec05b135e5a4b052cd5374e170588f3b</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz"/>
<timestamp>1385726972</timestamp>
<size>5475008</size>
<open-size>71286426</open-size>
</data>
<data type="group_gz">
<checksum type="sha256">ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66</checksum>
<open-checksum type="sha256">b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz"/>
<timestamp>1385726992.61</timestamp>
<size>225591</size>
</data>
<data type="primary">
<checksum type="sha256">495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6</checksum>
<open-checksum type="sha256">e8032322f7f5f06bd3485583420d81c54b5d3782b17b60cb054f4ee2b53206a8</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6-primary.xml.gz"/>
<timestamp>1385726972</timestamp>
<size>2625479</size>
<open-size>17198556</open-size>
</data>
<data type="primary_db">
<checksum type="sha256">0dafccfdbf892f02acca8267ade4bdcee7280a682e65dc7e29145f3341fd7a8c</checksum>
<open-checksum type="sha256">4b2eb9c43c432dde3528fe5bd88fc9ba4f01ef5eb5e0ca2ea8f7665eefd6dd86</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/0dafccfdbf892f02acca8267ade4bdcee7280a682e65dc7e29145f3341fd7a8c-primary.sqlite.bz2"/>
<timestamp>1385726992.5</timestamp>
<database_version>10</database_version>
<size>4595171</size>
<open-size>20478976</open-size>
</data>
<data type="other_db">
<checksum type="sha256">fdd542ef36b0cde54ee0521fae90b98911db06483163aa1c049995b6d109349b</checksum>
<open-checksum type="sha256">969cff0b4ced02852da2df6b6b7ba964561e37c3f817f7b98266216097ae22b5</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/fdd542ef36b0cde54ee0521fae90b98911db06483163aa1c049995b6d109349b-other.sqlite.bz2"/>
<timestamp>1385726976.09</timestamp>
<database_version>10</database_version>
<size>2835495</size>
<open-size>12257280</open-size>
</data>
<data type="other">
<checksum type="sha256">5af8199bd0ffb441c34ef946582d0d06c1ad770755e631690771e0bceb0ad222</checksum>
<open-checksum type="sha256">661feb7628bd6d3d73b37bdc7371c7fd4ad6b056c296932d6d36fa7bd1a859cf</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/5af8199bd0ffb441c34ef946582d0d06c1ad770755e631690771e0bceb0ad222-other.xml.gz"/>
<timestamp>1385726972</timestamp>
<size>3148903</size>
<open-size>12981292</open-size>
</data>
<data type="filelists_db">
<checksum type="sha256">594d4bb4a79ed01d66635adbcf76c45ca4a85b30fc3e3c3c28316e64f0a83f21</checksum>
<open-checksum type="sha256">74459fc0aaf65a4603c3b47dbcbc241d2cabbd2a382271f8273c830806152074</open-checksum>
<location xml:base="media://1385726732.061157#1" href="repodata/594d4bb4a79ed01d66635adbcf76c45ca4a85b30fc3e3c3c28316e64f0a83f21-filelists.sqlite.bz2"/>
<timestamp>1385726986.64</timestamp>
<database_version>10</database_version>
<size>6121534</size>
<open-size>33275904</open-size>
</data>
</repomd>
* Remembering we are in dir "centos6.5/media/repodata/"
< 226 Transfer complete.
* Connection #0 to host 10.172.1.206 left intact
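# Trace and debug (strace writes to stderr, so redirect it into the pipe)
strace -f yum makecache 2>&1 | grep -iE '(curl|ssl)'
# Check which protocols the current curl supports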
curl --version | grep Protocols
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
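The trace above shows where the media:// URLs come from: each <location> in repomd.xml carries an xml:base="media://..." attribute, and that scheme is absent from curl's Protocols line. An added shell example (not part of the original post; the function names and the trimmed sample file are constructed) that reports such schemes and the metadata files they affect:

```shell
#!/bin/sh
# Added example; the sample repomd.xml below is constructed (trimmed from the
# trace in this post, with shortened href names).

# Print each xml:base URL scheme in REPOMD that is missing from PROTOS.
unsupported_bases() {    # usage: unsupported_bases REPOMD "proto1 proto2 ..."
    sed -n 's/.*xml:base="\([A-Za-z][A-Za-z0-9+.-]*\):\/\/.*/\1/p' "$1" |
    sort -u |
    while read -r scheme; do
        case " $2 " in
            *" $scheme "*) ;;        # libcurl can fetch this scheme
            *) echo "$scheme" ;;     # absent from the Protocols: line
        esac
    done
}

# Print the href of every <location> whose xml:base uses SCHEME.
affected_hrefs() {       # usage: affected_hrefs REPOMD SCHEME
    sed -n 's/.*xml:base="'"$2"':\/\/[^"]*" href="\([^"]*\)".*/\1/p' "$1"
}

SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
<data type="primary">
<location xml:base="media://1385726732.061157#1" href="repodata/primary.xml.gz"/>
</data>
<data type="filelists">
<location xml:base="media://1385726732.061157#1" href="repodata/filelists.xml.gz"/>
</data>
<data type="other">
<location href="repodata/other.xml.gz"/>
</data>
</repomd>
EOF
# Protocol list as printed by `curl --version | grep Protocols` in this post.
PROTOS="dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp"

for s in $(unsupported_bases "$SAMPLE" "$PROTOS"); do
    echo "xml:base scheme not supported by libcurl: $s"
    affected_hrefs "$SAMPLE" "$s" | sed 's/^/  affects: /'
done
```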
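2.4 To support the media protocol, curl must be recompiled
To support the media protocol, curl has to be recompiled with media protocol support enabled. This can be done by adding the --with-protocols=media option at configure time. For more, see the curl installation manual:
wget "https://curl.se/download/curl-7.61.1.tar.gz"
tar xvf curl-7.61.1.tar.gz
cd curl-7.61.1
# Configure and enable support for multiple protocols, including media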
./configure --with-ssl --with-ssh2 --with-librtmp --with-nghttp2 --with-gssapi --with-zlib --with-pop3 --with-imap --with-ftp --with-rtsp --enable-dict --enable-ldap --enable-ldaps --enable-proxy --enable-ipv6 --enable-unix-sockets --with-libidn --with-libssh2 --with-libmetalink --with-libpsl --with-curl --with-protocols=http,https,ftp,ftps,scp,sftp,tftp,telnet,ldap,ldaps,dict,file,ftp,mms,rtsp,rtmp,rtmpt,rtmpe,rtmpte,rtmpts,gopher,http,imap,imaps,mqtt,pop3,pop3s,smtp,smtps,telnet,tftp,gopher,mqtt,media
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
......
checking whether to enable AsynchDNS... yes
checking whether to enable alt-svc... no
checking whether to enable artifacts transfer compression support... no
checking whether to enable falsy URL support... no
checking whether to enable HTTPS proxy support... yes
checking whether to enable IDN (Internationalized Domain Names)... yes
checking whether to enable internationalized domain names (IDN)... yes
checking whether to enable IPv6 support... yes
checking whether to enable IRC... no
checking whether to enable Kerberos/GSSAPI... yes
checking whether to enable large file support... yes
checking whether to enable LDAP... yes
checking whether to enable ldaps... yes
checking whether to enable libcurl debug memory tracking... no
checking whether to enable metalink support... no
checking whether to enable MQTT... no
checking whether to enable multi SSL backends... no
checking whether to enable NTLM delegation to winbind's ntlm_auth helper... no
checking whether to enable NTLM support... yes
checking whether to enable NTLMWB support... no
checking whether to enable RTSP... yes
checking whether to enable SMB... no
checking whether to enable SMTP... yes
checking whether to enable SSL/TLS... yes
checking whether to enable transparent zlib compression... yes
checking whether to enable dict... yes
checking whether to enable file... yes
checking whether to enable FTP... yes
checking whether to enable GOPHER... yes
checking whether to enable HTTP... yes
checking whether to enable IMAP... yes
checking whether to enable LDAPS... yes
checking whether to enable POP3... yes
checking whether to enable RTMP... yes
checking whether to enable RTSP... yes
checking whether to enable SCP... yes
checking whether to enable SFTP... yes
checking whether to enable SMBS... no
checking whether to enable SMTP... yes
checking whether to enable TELNET... yes
checking whether to enable TFTP... yes
checking whether to use allegro for DNS resolver... no
......
configure: creating ./config.status
config.status: creating Makefile
config.status: creating scripts/Makefile
config.status: creating lib/Makefile
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating docs/Makefile
config.status: creating src/curl_config.h
config.status: src/curl_config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
# Build and install
make
make install
……
.libs/libcurl_la-vtls/wolfssl.o -ldl -lpthread -lz -lrt -lm -lssl -lcrypto -lnghttp2 -lidn -lgssapi_krb5 -lssl -lcrypto -lrtmp -lz -lssh2 -lidn -lssh2 -lidn2 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -llber -lz -lldap -llber -lssl -lcrypto -lssl -lcrypto -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lz -O2 -Wl,-z -Wl,relro -Wl,-z,now -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o .libs/libcurl.so.4.5.0
echo >libcurl.la
libtool: install: cp -af .libs/libcurl.lai libcurl.la
libtool: install: cp -af .libs/libcurl.a /usr/local/lib/libcurl.a
libtool: install: ranlib /usr/local/lib/libcurl.a
libtool: install: cp -af .libs/libcurl.so.4.5.0 /usr/local/lib/libcurl.so.4.5.0
libtool: install: ln -sf libcurl.so.4.5.0 /usr/local/lib/libcurl.so.4
libtool: install: ln -sf libcurl.so.4.5.0 /usr/local/lib/libcurl.so
libtool: install: cp -af .libs/libcurl.lai /usr/local/lib/libcurl.la
libtool: install: cp -af .libs/libcurl.a /usr/local/lib/libcurl.a
libtool: install: ranlib /usr/local/lib/libcurl.a
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin": ldconfig -n /usr/local/lib
----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/lib
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
# Verify
/usr/local/bin/curl -V # output as follows
Protocols: dict file ftp ftps gopher http https imap imaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp media
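Alternatively, edit the repomd.xml shown above directly and replace the media protocol with a local one: %s#media://#file://#g (tested: this did not work).
When done, run: createrepo -u repodata/
# Clear the cache and reload the yum repositories: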
yum clean expire-cache
yum makecache
3. Appendix
1) FTP startup script
#!/bin/bash
#
# vsftpd This shell script takes care of starting and stopping
# standalone vsftpd.
#
# chkconfig: - 60 50
# description: Vsftpd is a ftp daemon, which is the program
# that answers incoming ftp service requests.
# processname: vsftpd
# config: /etc/vsftpd/vsftpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x /usr/local/sbin/vsftpd ] || exit 0
RETVAL=0
prog="vsftpd"
start() {
    # Start daemons.
    if [ -d /etc/vsftpd ] ; then
        for i in `ls /etc/vsftpd/*.conf`; do
            site=`basename $i .conf`
            echo -n $"Starting $prog for $site: "
            /usr/local/sbin/vsftpd $i &
            RETVAL=$?
            [ $RETVAL -eq 0 ] && {
                touch /var/lock/subsys/$prog
                success $"$prog $site"
            }
            echo
        done
    else
        RETVAL=1
    fi
    return $RETVAL
}
stop() {
    # Stop daemons.
    echo -n $"Shutting down $prog: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
    return $RETVAL
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL