remote debug with xdebug on centos 6.4 - centos

I am trying to remotely debug a PHP application with PhpStorm. I use CentOS 6.4, PHP 5.3 and Apache 2.2 on a VMware virtual machine, and PhpStorm with Firefox on a real Ubuntu machine.
xdebug is really installed:
Installed Packages
Name : php-pecl-xdebug
Arch : i686
Version : 2.1.4
Release : 1.el6
Size : 580 k
Repo : installed
From repo : epel
Summary : PECL package for debugging PHP scripts
URL : http://pecl.php.net/package/xdebug
License : PHP
And phpinfo confirms this too:
This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Xdebug v2.1.4, Copyright (c) 2002-2012, by Derick Rethans
When I run a script (a simple hello world) from the console via ssh, my script is stopped, my IDE gets a connection from xdebug, and xdebug writes info to its own log.
But when I run the script from the browser, it has no effect, not even in the xdebug log.
I tried using a Firefox extension to start the debug session, I tried the xdebug.remote_autostart=1 option, I tried turning off iptables in CentOS, but no effect either.
What am I doing wrong?
xdebug config:
; Enable xdebug extension module
zend_extension=/usr/lib/php/modules/xdebug.so
;xdebug.remote_host=10.0.0.1
xdebug.remote_connect_back=1
xdebug.remote_enable=1
xdebug.remote_port=9000
xdebug.remote_handler=dbgp
;xdebug.remote_mode=req
;xdebug.profiler_enable=1
;xdebug.profiler_enable_trigger=1
;xdebug.remote_autostart=1
;xdebug.idekey=PHPSTORM
xdebug.remote_log="/tmp/xdebug.log"

Oh my god, problem solved. It's all selinux.
setsebool httpd_can_network_connect=1, httpd restart - and PhpStorm gets the connection from xdebug.
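
One way to confirm that SELinux is what blocks Xdebug's outbound connection from Apache, and to fix it with the single boolean named above while SELinux stays enforcing. This is an added example, not part of the original answer; the audit records are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The audit records below are constructed, not taken from the post;
# the tcontext label on a real system depends on the policy version.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1380000001.101:411): avc:  denied  { name_connect } for  pid=2214 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380000002.202:412): avc:  denied  { getattr } for  pid=2300 comm="sshd" path="/home/dev/.ssh" dev=dm-0 ino=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1380000009.909:419): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

# Read audit records on stdin; print each distinct TCP port to which a process
# in the httpd_t domain was denied an outbound connect (name_connect).
httpd_denied_ports() {
    grep 'avc: *denied *{[^}]* name_connect ' |
        grep 'scontext=[^ ]*:httpd_t:' |
        sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' | sort -un
}

# Decide what to do for the Xdebug port ($1; 9000 in the question's config).
diagnose() {
    if httpd_denied_ports | grep -qx "$1"; then
        echo "blocked: setsebool -P httpd_can_network_connect 1"
    else
        echo "no-denial: look at xdebug.remote_host, routing and firewall instead"
    fi
}

sample_audit_log | diagnose 9000

# On the real server (as root) the same functions read the live audit log:
#   getenforce                                   # Enforcing / Permissive / Disabled
#   getsebool httpd_can_network_connect          # off = Apache may not connect out
#   diagnose 9000 < /var/log/audit/audit.log
#   setsebool -P httpd_can_network_connect 1     # -P keeps it across reboots
```

The CLI run in the question works because a PHP process started from an ssh shell does not run in the httpd_t domain, which is why only the browser-triggered request is blocked.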

Change /etc/selinux/config from
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
to
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Related

How to set preferred Kerberos/GSSAPI library in ssh config file?

I can connect to a remote host using Kerberos in PuTTY on Windows 10, but I cannot do the same thing in VS Code.
In PuTTY, there is a setting (see below) that specifies the order of GSSAPI libraries:
Since this answer states that Windows "has two Kerberos libraries (MIT KfW & Windows SSPI)", I suspect that VS Code is not defaulting to the correct, MIT Kerberos GSSAPI64.DLL library.
But I can't seem to find any answers online that show how to specify the preference or order of such libraries in my ssh config file.
Any suggestions are welcome! Thanks in advance.
There is no way to do that.
When VSCode makes an SSH connection, it normally uses the ssh.exe program from OpenSSH rather than using PuTTY.
PuTTY has been deliberately written to load the libraries on the fly (to avoid the .exe having any hard dependencies), so its ability to configure the library paths is there "for free". That's not the case for OpenSSH, however, or even most other Kerberos-using programs – ssh.exe is "hard" linked to one specific library at compile time; it can dynamically load PKCS#11 backends but hasn't been programmed to dynamically load GSSAPI backends.
In addition, Windows SSPI actually provides a different API from that of GSSAPI – the core concepts and flows are the same, but the function names and prototypes differ quite a bit. Again, PuTTY supports both only because it was deliberately written to do so. Standard OpenSSH would only support GSSAPI, and while Microsoft has patched the "in-box" Win32-OpenSSH to use SSPI, it is still one or the other – you can't really make the Windows ssh.exe load MIT libgssapi instead.
There are several workarounds, though:
You can try installing a different OpenSSH build for Windows that does use GSSAPI from MIT Kerberos; perhaps either Cygwin OpenSSH, or the MSYS OpenSSH that's included with Git could work (if it has GSSAPI support at all).
You can try configuring VSCode to run PuTTY's command-line SSH client plink.exe instead of ssh.exe. This likely won't work for interactive shell sessions, but might be able to handle non-interactive ones (such as VSCode Remoting).
You can try using Windows SSPI, as it does not actually require domain membership to work as a Kerberos client – it's enough to save your Kerberos credentials in Windows:
cmdkey /add:*.example.com /user:sam@EXAMPLE.COM /pass
Note that if the realm is not running Active Directory, you also need to mark it as a "MIT realm" as an Administrator (the presence of a "realm flags" setting – even an empty one – is needed to prevent Windows from doing AD-specific Netlogon probes):
ksetup /addrealmflags EXAMPLE.COM TcpSupported
With the password stored, enabling GSSAPIAuthentication yes in your ~\.ssh\config will allow Windows OpenSSH (as well as PuTTY with SSPI) to connect using Kerberos to any host matching the specified *.example.com.

cache/Unable to load the cache configuration file in Moodle

My moodle was installed on Centos 7, disabled selinux but got error "cache/Unable to load the cache configuration file"
How to fix it? Thank you very much
From the Moodle docs
https://docs.moodle.org/311/en/RedHat_Linux_installation#SELinux
Default RedHat Enterprise Linux comes with SELinux set to 'enforcing'. But this may cause user problem accessing web content placed at directory other than the default directory (/var/www/html) or other access problem. If you are not used to SELinux and setting permissions, it's (maybe less secure but) often easier to lower the SELinux level to 'permissive' or even 'disabled'.
Edit /etc/sysconfig/selinux
SELINUX=disabled

Keycloak: is MIT Kerberos client needed?

I am using the keycloak single sign on server and want to enable the kerberos authentication
https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos
In the documentation they say I have to install a MIT kerberos client on the keycloak server.
As far as I know, the JDK has classes for the Kerberos protocol. For example, this was one of the exceptions I had:
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 93 more
And here is also a reference link.
https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm#JSSEC-GUID-D4230975-A28B-4532-B1DD-3C7219A4867F
So my question: what actually is the MIT Kerberos client? Is it part of the JDK, or is it a library on which the JDK depends?
BTW I am running the keycloak server on a windows machine and did not have to install any extra client.
On Linux, the MIT Kerberos client is an OS package, which includes C libraries and command-line utilities such as kinit, klist, ktutil:
on RedHat / CentOS / etc: sudo yum install krb5-workstation
on Ubuntu / etc: sudo apt-get install krb5-user
On Windows, the OS comes with the Microsoft implementation of Kerberos (as used in Active Directory) which includes a ton of custom extensions and oddities, including a specific "LSA cache" for credentials which is managed by the OS (and which may not be accessible by non-Microsoft apps, depending on OS type and whether or not you have tweaked a registry flag).
But you can install the MIT Kerberos for Windows app that bridges the gap between "standard" and "Microsoft" Kerberos implementations. Somehow.
WARNING >> On Windows you may end with three different klist.exe utilities, which list different ticket caches with different options -- the one bundled with Windows, the one bundled with Java, the one bundled with MIT Kerberos for Windows app; mind your PATH.

How do I set the default browser for xdg-open on Centos 7 if xdg-settings has no desktop environment

There are many questions similar to mine (e.g. xdg-open not open default browser or xdgutils - xdg-settings not setting default-web-browser in gentoo), but none of the answers helped in my case. Therefore I ask for my particular situation:
On Centos 7 I have no free desktop manager running, I just run some X11 applications (like VS Code) from the command line where the DISPLAY variable is set to the X server on the (Windows) machine I connect from.
On the Centos machine I have two browsers installed, firefox and google-chrome. I can start both browsers just by typing firefox resp. google-chrome in the bash terminal.
xdg-open is available and it opens links in google-chrome - as does VS Code. However I want to change this to firefox.
I tried:
Ticking "Default browser" in Firefox's GUI preferences.
Using xdg-settings, but
xdg-settings get default-web-browser
returns "xdg-settings: unknown desktop environment"
Setting $BROWSER. In bash I issued
export BROWSER=firefox
but still google-chrome is started by xdg-open
How can I set in this environment the default browser to firefox?
Note: Strangely on another machine with Centos 6 (and "no desktop environment" either) the export BROWSER method works!
The desired behavior can be set in the mimeapps.list configuration files described in the XDG MIME Applications specification.
TLDR:
In order to configure firefox as the default browser for your user create ~/.config/mimeapps.list containing the following lines:
[Default Applications]
x-scheme-handler/http=firefox.desktop
x-scheme-handler/https=firefox.desktop
x-scheme-handler/ftp=firefox.desktop
x-scheme-handler/chrome=firefox.desktop
text/html=firefox.desktop
application/x-extension-htm=firefox.desktop
application/x-extension-html=firefox.desktop
application/x-extension-shtml=firefox.desktop
application/xhtml+xml=firefox.desktop
application/x-extension-xhtml=firefox.desktop
application/x-extension-xht=firefox.desktop
Details:
xdg-utils like xdg-open(1) and xdg-mime(1) look for this file in the locations listed under the File name and location section of this specification:
$XDG_CONFIG_HOME/$desktop-mimeapps.list user overrides, desktop-specific (for advanced users)
$XDG_CONFIG_HOME/mimeapps.list user overrides (recommended location for user configuration GUIs)
$XDG_CONFIG_DIRS/$desktop-mimeapps.list sysadmin and ISV overrides, desktop-specific
$XDG_CONFIG_DIRS/mimeapps.list sysadmin and ISV overrides
$XDG_DATA_HOME/applications/$desktop-mimeapps.list for completeness, deprecated, desktop-specific
$XDG_DATA_HOME/applications/mimeapps.list for compatibility, deprecated
$XDG_DATA_DIRS/applications/$desktop-mimeapps.list distribution-provided defaults, desktop-specific
$XDG_DATA_DIRS/applications/mimeapps.list distribution-provided defaults
The locations for the $XDG variables are governed by the XDG Base Directory specification. If you want to figure out where xdg-utils are looking for configuration in your particular case, run them with the XDG_UTILS_DEBUG_LEVEL environment variable like so:
$ XDG_UTILS_DEBUG_LEVEL=10 xdg-open 'https://www.example.com'
...
Checking /home/USERNAME/.config/mimeapps.list
...
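
As an added example (not part of the original answer), this script lists the mimeapps.list candidates in the precedence order quoted above and returns the first [Default Applications] handler found for a MIME type. The function names are hypothetical; it assumes the XDG Base Directory defaults for unset variables and uses only the first entry of XDG_CURRENT_DESKTOP.

```shell
#!/bin/sh
# Added example (not from the original answer); function names are hypothetical.

# Print "<dir><suffix>/[<desktop>-]mimeapps.list" for each directory in $1.
_emit() {  # $1 = colon-separated directories, $2 = "" or "/applications"
    old_ifs=$IFS; IFS=:
    for d in $1; do
        [ -n "$d" ] || continue
        [ -z "$desktop" ] || printf '%s\n' "${d%/}$2/${desktop}-mimeapps.list"
        printf '%s\n' "${d%/}$2/mimeapps.list"
    done
    IFS=$old_ifs
}

# Candidate files, highest precedence first, using the XDG Base Directory
# defaults for any variable that is unset.
mimeapps_candidates() {
    # Empty when no desktop environment is running (the asker's case), so the
    # desktop-specific files are skipped. Only the first entry is used.
    desktop=$(printf '%s' "${XDG_CURRENT_DESKTOP%%:*}" | tr 'A-Z' 'a-z')
    _emit "${XDG_CONFIG_HOME:-$HOME/.config}" ""
    _emit "${XDG_CONFIG_DIRS:-/etc/xdg}" ""
    _emit "${XDG_DATA_HOME:-$HOME/.local/share}" "/applications"
    _emit "${XDG_DATA_DIRS:-/usr/local/share:/usr/share}" "/applications"
}

# Print the first [Default Applications] handler found for MIME type $1.
default_handler() {
    mimeapps_candidates | while IFS= read -r f; do
        [ -r "$f" ] || continue
        hit=$(awk -F= -v key="$1" '
            /^\[/ { in_sec = ($0 == "[Default Applications]"); next }
            in_sec && $1 == key { sub(/;.*/, "", $2); print $2; exit }' "$f")
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; break; fi
    done
}

default_handler "${1:-x-scheme-handler/https}"
```

Running it before and after creating ~/.config/mimeapps.list shows whether the user file now wins over a distribution-provided default further down the list.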

TYPO3: OPcache activation causes server error in TYPO3 backend

I have some trouble with TYPO3 and opcache activation and hope someone can help me :).
Environment details:
PHP 7.1.10
OPcache Version: 7.1.10
TYPO3 7.6.23
Alfahosting (Business XL (SSD))
Situation:
If I enable PHP7 without opcache option then everything is working fine, but if I enable PHP7 with opcache option then I got irregular 500 errors in the backend of TYPO3 and the site is down for a few seconds or minutes. After this few seconds I could reload the page and everything is working until the next server error appears. So it seems that a server process is restarting after this crash.
Actions like opening the extension configuration of the TYPO3 backend extension and press save will lead to the server error. The server logs and the error logs are empty and for this reason the Alfahosting support can't help me.
Furthermore I have mirrored the TYPO3 on two other webservers (not Alfahosting), also with PHP7 and the opcache option enabled, and got no problems on these two webservers. After that I have installed a fresh TYPO3 7.6.23 on an Alfahosting webserver (see environment details above) and I got the annoying 500 server error again. So I think a specific Alfahosting server configuration leads to the 500 server errors if opcache is enabled, but I am not a server admin and I don't know how I could solve this problem without changing the hosting :(.
So I hope someone could help me? Maybe it's possible to track the error to find out where the problem is?
Update:
This sounds like the files have not been refreshed in opcache. This can be the case if opcache.revalidate_freq is set to > 0 or opcache.validate_timestamps=0.
In this case you should make sure you flush opcache when you make changes to PHP files, including updating TYPO3 or your extensions. For example, set this up in your deployment / update pipeline, for example by doing apache2 reload, php-fpm reload, use gordalina/cachetool or flush Opcache in the TYPO3 Backend (Maintenance).
Please read the PHP documentation for the opcache settings and check your current settings (can be found in the TYPO3 backend: Environment | PHP Info). Particularly the following come with a risk:
; make sure you flush opcache if PHP scripts change.
opcache.validate_timestamps=0
; make sure you flush opcache if PHP scripts change.
opcache.revalidate_freq= .... higher value > 0
; should be set to 1 for TYPO3
opcache.save_comments = 0
Resources:
PHP documentation for opcache: https://www.php.net/manual/en/opcache.configuration.php
Check the TYPO3 system reports for any obvious errors:
Run TYPO3 system report: "TYPO3 Backend" : "System" : "Reports" : "Status report"
In the "TYPO3 Install Tool" check "System environment"
Now check the logs
check the sys_log: "TYPO3 Backend" : "System" : "Log"
check the Webserver / PHP logs
check system logs (depends on operating system, e.g. journalctl)
have a look at the output of phpinfo (in TYPO3 Backend: Environment | PHP Info). It should include some OPcache statistics. Look at "wasted memory", "Free memory" and "OOM restart"