Transferring a sosreport from a system when rsync/scp is not an option.
Environment
Issue
- Files need to be transferred to another system, but `ssh` and `rsync` are not set up and/or allowed.
- A `sosreport` needs to be transferred to another system so that it can be uploaded to the Red Hat Customer Portal
Resolution
Red Hat Enterprise Linux 5.x
Configuring iptables
**NOTE**
*If iptables is not used in your environment, you can skip to "Configuring nc"*
- Set up networking for the system in the Rescue Environment
- This can be done during the initial setup or later using iproute
- Note the ip address of the system in the Rescue Environment by running
# ip -4 a
sh-3.2# ip -4 a
3: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
inet 192.168.122.3/24 scope global eth0
- Examine the existing chains on the system to receive the `sosreport` with `iptables -L -n -v`
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2594 3484K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2174 packets, 307K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
32 3822 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
2561 3480K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Insert a new initial rule to either `INPUT` or a child chain of `INPUT` using the IP address of the Rescue system determined earlier, in the form of:
# iptables -I <chain name> 1 -p tcp --dport <port to receive traffic> -s <IP address of Rescue system> -j ACCEPT
**NOTE**
*The port associated with dport can be arbitrary, but it is recommended that an unused high-numbered port be used to avoid any conflicting network traffic*
- Given the above setup, run:
# iptables -I "RH-Firewall-1-INPUT" 1 -p tcp --dport 12345 -s 192.168.122.3 -j ACCEPT
Configuring nc
**Receiving Server**
- Ensure that `nc` is installed on the receiving host.
- The executable comes from the `nc` rpm
# rpm -qf $(which nc)
nc-1.84-10.fc6
- The package should be installed by default on the system
- Determine the IP address of the receiving host by running
# ip -4 a
- Start a listener on the port specified in the iptables rule above, if applicable; otherwise it is recommended that you choose an unused high-numbered port
- Redirect the output of the `nc` command to a file
# nc -l 12345 > /tmp/sosreport-$(date +%F).tar.bz2
**Sending Server**
- Generate a sosreport from the Rescue Environment
- `nc` is present in the Rescue Environment under `/usr/bin/nc`
- Connect to the open port of the receiving host in the form of
# nc <ip address> <port>
- Send the `sosreport` to the receiving system by redirecting stdin to `nc`
# nc 192.168.122.149 12345 < /mnt/sysimage/tmp/sosreport-jdoe.0123456789.tar.bz2
**Receiving Server**
- Delete the previously added iptables rule:
# iptables -D "RH-Firewall-1-INPUT" 1
Red Hat Enterprise Linux 6.x
Configuring iptables
**NOTE**
*If iptables is not used in your environment, you can skip to "Configuring nc"*
- Set up networking for the system in the Rescue Environment
- This can be done during the initial setup or later using iproute
- Note the ip address of the system in the Rescue Environment by running
# ip -4 a
bash-4.1# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.122.3/24 scope global eth0
- Examine the existing chains on the system to receive the `sosreport` with `iptables -L -n -v`
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1173 463K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 328 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 712 packets, 129K bytes)
pkts bytes target prot opt in out source destination
- Insert a new initial rule to either INPUT or a child chain of INPUT using the ip address of the Rescue system determined earlier in the form of:
# iptables -I <chain name> 1 -p tcp --dport <port to receive traffic> -s <IP address of Rescue system> -j ACCEPT
**NOTE**
*The port associated with dport can be arbitrary, but it is recommended that an unused high-numbered port be used to avoid any conflicting network traffic*
- Given the above setup, run:
# iptables -I INPUT 1 -p tcp --dport 12345 -s 192.168.122.3 -j ACCEPT
Configuring nc/ncat
**Receiving Server**
- Ensure that `nc` OR `ncat` is installed on the receiving host.
- The executable comes from the nc and nmap rpms respectively
# rpm -qf $(which nc)
nc-1.84-24.el6.x86_64
# rpm -qf $(which ncat)
nmap-5.51-4.el6.x86_64
- The `nc` package is available in the RHEL 6.X repo
- Determine the IP address of the receiving host by running
# ip -4 a
- Start a listener on the port specified in the iptables rule above, if applicable; otherwise it is recommended that you choose an unused high-numbered port
- Redirect the output of the `nc` command to a file
# nc -l 12345 > /tmp/sosreport-$(date +%F).tar.xz
**Sending Server**
- Generate a sosreport from the Rescue Environment
- `nc` is present in the Rescue Environment under `/usr/bin/nc`
- Connect to the open port of the receiving host in the form of
# nc <ip address> <port>
- Send the `sosreport` to the receiving system by redirecting stdin to `nc`
# nc 192.168.122.149 12345 < /mnt/sysimage/tmp/sosreport-jdoe.0123456789.tar.xz
**Receiving Server**
- Delete the previously added iptables rule:
# iptables -D INPUT 1
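Both iptables procedures above remove the temporary rule by position (`-D <chain> 1`), which removes the intended entry only if nothing else was inserted at the head of the chain in the meantime. The following is an added example, not part of the original solution: it reads `iptables -L -n -v` output and reports the chain, position and source of the ACCEPT rule for the transfer port, so the position can be checked before deleting. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/bash
# Added example; function names and sample listings are constructed.

# find_port_rules PORT
# Reads `iptables -L -n -v` output on stdin and prints "chain position source"
# for every ACCEPT rule that matches tcp dpt:PORT.
find_port_rules() {
    awk -v port="$1" '
        /^Chain /    { chain = $2; pos = 0; next }  # new chain, restart numbering
        $1 == "pkts" { next }                       # column header line
        NF == 0      { next }                       # blank separator line
        {
            pos++
            if ($3 == "ACCEPT" && $4 == "tcp" && $0 ~ ("dpt:" port "([^0-9]|$)"))
                print chain, pos, $8                # $8 is the source column
        }'
}

# first_rule_is_ours CHAIN PORT SOURCE
# Succeeds only if rule 1 of CHAIN is the temporary rule, which is the
# condition under which `iptables -D CHAIN 1` removes the intended entry.
first_rule_is_ours() {
    find_port_rules "$2" | grep -qxF "$1 1 $3"
}

# Constructed listing: temporary rule still at the head of INPUT.
SAMPLE_OK='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 192.168.122.3 0.0.0.0/0 tcp dpt:12345
 1173  463K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    1   328 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# Constructed listing: another rule was inserted ahead of it afterwards.
SAMPLE_SHIFTED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
    0     0 ACCEPT tcp -- * * 192.168.122.3 0.0.0.0/0 tcp dpt:12345
    1   328 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

for listing in "$SAMPLE_OK" "$SAMPLE_SHIFTED"; do
    if printf '%s\n' "$listing" | first_rule_is_ours INPUT 12345 192.168.122.3; then
        echo "rule 1 of INPUT is the temporary rule"
    else
        echo "temporary rule is not first: $(printf '%s\n' "$listing" | find_port_rules 12345)"
    fi
done
```

On the receiving host the same check runs against live output with `iptables -L -n -v | find_port_rules 12345`; no output after the delete step means no ACCEPT rule for the transfer port is left behind.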
Red Hat Enterprise Linux 7.x
Configuring firewalld
**NOTE**
*iptables is not used by default in RHEL 7. Instead, firewalld is used as the firewall manager. If you are not using firewalld, skip to "Configuring nc"*
*If you are using iptables in your environment, the existing instructions specified for RHEL 6 will also work for RHEL 7*
- Set up networking for the system in the Rescue Environment
- This can be done during the initial setup or later using iproute
- Note the ip address of the system in the Rescue Environment by running
# ip -4 a
sh-4.2# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.122.7/24 scope global eth0
valid_lft forever preferred_lft forever
- Examine the existing rules, including rich-rules, on the system to receive the `sosreport` with `firewall-cmd --list-all`
# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule port port="6000" protocol="tcp" drop
- Add a new rich rule using the ip address of the Rescue system determined earlier in the form of:
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address="source address" port port="port number" protocol=tcp accept'
**NOTE**
*The port associated with "port" can be arbitrary, but it is recommended that an unused high-numbered port be used to avoid any conflicting network traffic*
- Given the above setup, run:
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address="192.168.122.7" port port=12345 protocol=tcp accept'
Configuring nc
**Receiving Server**
- Ensure that `nc` is installed on the receiving host.
- The executable comes from the nmap-ncat rpm
# rpm -qf $(which nc)
nmap-ncat-6.40-7.el7.x86_64
- The nc package is available in the RHEL 7.X repo
- Determine the IP address of the receiving host by running
# ip -4 a
- Start a listener on the port specified from the above firewalld rule, if applicable; otherwise it is recommended that you choose an unused high-numbered port
- Redirect the output of the `nc` command to a file
# nc -l 12345 > /tmp/sosreport-$(date +%F).tar.xz
**Sending Server**
- Generate a sosreport from the Rescue Environment
- `nc` is not present in the Rescue Environment.
**NOTE**
*It will be necessary to set up the locally mounted dvd/iso as a repository*
- Install the nmap-ncat rpm:
# yum install nmap-ncat
- Connect to the open port of the receiving host in the form of
# nc <ip address> <port>
- Send the `sosreport` to the receiving system by redirecting stdin to `nc`
# nc 192.168.122.149 12345 < /mnt/sysimage/var/tmp/sosreport-jdoe.0123456789.tar.xz
**Receiving Server**
- Delete the previously added firewalld rich rule:
# firewall-cmd --remove-rich-rule 'rule family=ipv4 source address="192.168.122.7" port port=12345 protocol=tcp accept'
Root Cause
- `nc`/`ncat` is a network utility with a vast array of features including the ability to read and write data across a network.
- By opening a specific port through `ncat`, data can be transferred between two systems without needing `ssh`, `rsync`, or `scp`.
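A plain `nc` transfer as described here carries no integrity check of its own, and the listener writes whatever arrived before the connection closed, so an archive that was cut short looks like a finished one. The following added example (not part of the original solution) compares the received file with a digest taken on the sending side; it assumes `sha256sum` is available on both hosts and that the digest line is carried over separately, for example read off the console. `verify_received` is a hypothetical helper name.

```shell
#!/bin/bash
# Added example; verify_received is a hypothetical helper name.

# verify_received DIGEST_LINE LOCAL_FILE
# DIGEST_LINE is the line printed by `sha256sum <archive>` on the sending side.
# Only its hash field is used, because the receiving side stored the archive
# under a different name and `sha256sum -c` would look for the sender's path.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_received() {
    local expected actual
    expected=${1%% *}                       # first field of the sha256sum line
    case $expected in
        *[!0-9a-f]*|'') echo "not a sha256sum line" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "not a sha256sum line" >&2; return 2; }
    [ -s "$2" ] || { echo "$2 is missing or empty" >&2; return 2; }
    actual=$(sha256sum "$2") || return 2
    actual=${actual%% *}
    if [ "$actual" = "$expected" ]; then
        echo "OK: $2 matches the sender's digest"
    else
        echo "MISMATCH: $2 differs from the sender's copy" >&2
        return 1
    fi
}

# Constructed demo: a stand-in archive, one complete copy and one cut short.
demo=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo/sosreport-jdoe.0123456789.tar.xz"
line=$(sha256sum "$demo/sosreport-jdoe.0123456789.tar.xz")   # run on the sender
cp "$demo/sosreport-jdoe.0123456789.tar.xz" "$demo/received.tar.xz"
head -c 1000 "$demo/received.tar.xz" > "$demo/truncated.tar.xz"
verify_received "$line" "$demo/received.tar.xz"
verify_received "$line" "$demo/truncated.tar.xz" || echo "second copy rejected"
rm -rf "$demo"
```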
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.