Permission Denied When Updating CentOS 8 Streams


Hello,

On a remote server (in an IPv6-only infrastructure) I am getting the following error when trying to update CentOS 8 Streams x86_64:

```
$ sudo dnf upgrade --refresh
Failed to set locale, defaulting to C.UTF-8
CentOS Stream 8 - AppStream                     0.0 B/s |   0  B     00:16
Errors during downloading metadata for repository 'appstream':
  - Curl error (7): Couldn't connect to server for http://mirrorlist.CentOS.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.CentOS.org port 80: Permission denied]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.CentOS.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock [Failed to connect to mirrorlist.CentOS.org port 80: Permission denied]
```

Trying to retrieve the mirror list with wget gives similar errors (see log below).

This is a development VM and I was playing with firewalld zones on this interface (drop, block, etc.) in order to see the most restrictive that I could use in order to update a system. But the error also appears if I switch back the zone to public.

Could it be that my address has been blacklisted because of all these tests?

From my laptop, also running CentOS 8 Streams, everything is working as expected.

Thanks in advance for hints on how to analyze further!

Mathieu

## wget log

$ wget http://mirrorlist.CentOS.org/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock

--2021-02-19 08:35:14

4 thoughts on - Permission Denied When Updating CentOS 8 Streams

  • Are you sure? At least from here over IPv4, http works well but https doesn’t work at all. Sounds strange if http would work only over IPv4 and https would work only over IPv6.

    Simon

  • It wouldn’t work anyway because CentOS mirrors do not have https. I tried this from my home system
    ```
    [ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -v6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock"; done
    * Trying 2001:4178:5:200::10:443...
    * connect to 2001:4178:5:200::10 port 443 failed: Permission denied
    * Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
    * Closing connection 0
    curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
    * Trying 2600:1f16:c1:5e01:4180:6610:5482:c1c0:443...
    * connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443 failed: Permission denied
    * Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
    * Closing connection 0
    curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
    * Trying 2604:1380:2001:d00::3:443...
    * connect to 2604:1380:2001:d00::3 port 443 failed: Permission denied
    * Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
    * Closing connection 0
    curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
    * Trying 2604:1580:fe02:2::10:443...
    * connect to 2604:1580:fe02:2::10 port 443 failed: Permission denied
    * Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
    * Closing connection 0
    curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
    * Trying 2604:1380:1001:6c00::1:443...
    * connect to 2604:1380:1001:6c00::1 port 443 failed: Permission denied
    * Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
    * Closing connection 0
    curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
    ```

    removing the -v gives the following error:
    ```
    [ssmoogen@localhost ~]$ for i in "2001:4178:5:200::10" "2600:1f16:c1:5e01:4180:6610:5482:c1c0" "2604:1380:2001:d00::3" "2604:1580:fe02:2::10" "2604:1380:1001:6c00::1"; do curl -6 "https://[${i}]/?release=8-stream&arch=x86_64&repo=AppStream&infra=stock"; done
    curl: (7) Failed to connect to 2001:4178:5:200::10 port 443: Permission denied
    curl: (7) Failed to connect to 2600:1f16:c1:5e01:4180:6610:5482:c1c0 port 443: Permission denied
    curl: (7) Failed to connect to 2604:1380:2001:d00::3 port 443: Permission denied
    curl: (7) Failed to connect to 2604:1580:fe02:2::10 port 443: Permission denied
    curl: (7) Failed to connect to 2604:1380:1001:6c00::1 port 443: Permission denied
    ```

    Notice that the permission denied is different from what was reported in the original email. I am not sure why that is.

    If I change that from https: to http all of the IP addresses work. So my guess is that something is blocking the originator IP to those mirror servers but it isn’t clear what.

  • It’s unusual to see EPERM on a call to connect()… The man page suggests that this can be caused by a local firewall rule or an SELinux policy.

    https://man7.org/linux/man-pages/man2/connect.2.html

    “yum” and “wget” should be running in an unconfined domain, so SELinux is *probably* not the cause. I’d take a look at the output of “iptables -L OUTPUT” first. I’ve tried creating local firewall rules that I’d expect to result in EPERM, but they do not, so I’m not sure what such a rule looks like.
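
Added example, not part of the original thread or any commenter's code: a small Python probe that makes the TCP connect itself and reports the raw errno per resolved address, so a local denial (EACCES, the errno behind curl's "Permission denied" text, or EPERM) can be told apart from a refused or timed-out connection. The names `classify` and `probe` and the hint wording are assumptions of this example; the EACCES/EPERM hints follow the connect(2) page linked above.

```python
import errno
import os
import socket
import sys

# Hints per connect() errno. The EACCES/EPERM wording follows connect(2);
# the hint texts themselves are this example's own, not tool output.
HINTS = {
    0: "connected: nothing blocked this path",
    errno.EACCES: "denied: local firewall rule or SELinux policy",
    errno.EPERM: "denied: local firewall rule",
    errno.ECONNREFUSED: "host answered, nothing listening on that port",
    errno.ETIMEDOUT: "no answer: packets dropped somewhere on the path",
    errno.ENETUNREACH: "no route from this host for that address family",
    errno.EHOSTUNREACH: "host reported unreachable",
}


def classify(err):
    """Map a connect() errno to (symbolic name, hint)."""
    name = "OK" if err == 0 else errno.errorcode.get(err, str(err))
    return name, HINTS.get(err, "unclassified: " + os.strerror(err))


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect per resolved address; return [(addr, errno)]."""
    results = []
    for family, kind, proto, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        with socket.socket(family, kind, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                err = 0
            except socket.timeout:
                err = errno.ETIMEDOUT
            except OSError as e:
                err = e.errno
            results.append((sockaddr[0], err))
    return results


if __name__ == "__main__":
    # Usage: python3 probe.py HOST [PORT ...]; ports default to 80 and 443.
    ports = [int(p) for p in sys.argv[2:]] or [80, 443]
    for port in ports:
        for addr, err in probe(sys.argv[1], port):
            name, hint = classify(err)
            print(f"{addr} port {port}: {name} ({hint})")
```

Running it on the affected server and on a working machine against the same host shows whether the errno differs per source host, per address, or per port.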