Local FTP YUM source error handling

1. Problem description

After the OS was upgraded to Anolis 8.6, the CentOS 6.5 yum source was still needed. After it was restored, a yum update reported the following error:
Errors during downloading metadata for repository 'base':

  • Curl error (8): Weird server reply for ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml [Got a 500 ftp-server response when 220 was expected]
    Error: Failed to download metadata for repository ‘base’: Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Resource: CURL-FAQ

2. Error handling

2.1. According to the error report, execute:

curl -vvv ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml
* Trying 10.172.1.206...
* TCP_NODELAY set
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
< 500 OOPS: tcp_wrappers is set to YES but no tcp wrapper support compiled in
* Got a 500 ftp-server response when 220 was expected
* Closing connection 0
curl: (8) Got a 500 ftp-server response when 220 was expected

#curl version confirmation
curl -V #The output is as follows

curl 7.61.1 (x86_64-Anolis-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 ( + libidn2/2.2.0 ) libssh/0.9.6/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

Review the FTP server configuration file: the tcp_wrappers option in it is used for access control. As the error above shows, the yum installation does not enable this feature by default, so we only need to disable the option. If you must use it, recompile vsftpd with the feature added (see 2.2).

Explanation: TCP_Wrappers is a security mechanism in the Linux OS, sometimes called the TCP_Wrappers firewall. It is a security tool that works at the fourth layer (transport layer). Through its TCP daemon, tcpd, it performs security checks and enforces access control on specific services that use stateful connections. Any program that is linked against the libwrap.so library can be placed under the security control of TCP_Wrappers. Its main function is to control who can access a service. Common programs include rpcbind, vsftpd, sshd, and telnet. Advantage: configuration changes take effect immediately. Disadvantage: access control policies can only be set for service programs and host addresses; network resolution and other attributes cannot be specified.

Access control based on UDP connections can be achieved by using built-in or third-party firewalls. For example: whenever there is an SSH connection request, tcpd intercepts the request and first reads the access control files set by the system administrator. If the request meets the requirements, the connection is handed over intact to the real SSH process, which completes the subsequent work. If the source IP of the connection does not comply with the settings in the access control files, the connection request is interrupted and the SSH service is refused.

Its control files are provided by the OS: /etc/hosts.allow defines allowed access and /etc/hosts.deny defines denied access. The filtering rules (for example in the deny file) can use the following keywords:

LOCAL     hosts whose name does not contain a "." (usually the host itself)
KNOWN     all hosts that can be resolved in DNS
UNKNOWN   all hosts that cannot be resolved in DNS
PARANOID  all hosts whose forward resolution and reverse resolution do not match in DNS
ALL       matches everything (can be used for both the host and the service)
EXCEPT    reverse selection (exclusion)
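
The order in which the two control files are consulted, as an added example that is not part of the original article: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The function names and the sample policy are constructed for illustration, and only address patterns are handled because the client is given as an IPv4 address.

```shell
#!/bin/sh
# Added example (not from the original page): simplified hosts_access(5) decision
# for one daemon and one IPv4 client. Handles ALL, exact, "prefix." and EXCEPT.

# ip_in_list CLIENT TOKEN... -> status 0 if CLIENT matches the client list
ip_in_list() {
    client=$1; shift
    hit=no; excepted=no; mode=match
    for pat in "$@"; do
        if [ "$pat" = EXCEPT ]; then mode=except; continue; fi
        m=no
        case $pat in
            ALL) m=yes ;;
            *.)  case $client in "$pat"*) m=yes ;; esac ;;
            *)   if [ "$pat" = "$client" ]; then m=yes; fi ;;
        esac
        if [ "$m" = yes ] && [ "$mode" = match ]; then hit=yes; fi
        if [ "$m" = yes ] && [ "$mode" = except ]; then excepted=yes; fi
    done
    [ "$hit" = yes ] && [ "$excepted" = no ]
}

# file_matches FILE DAEMON CLIENT -> status 0 if a rule in FILE matches
file_matches() {
    rules=$1; daemon=$2; addr=$3
    if [ ! -r "$rules" ]; then return 1; fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # strip comments
        case $line in *:*) ;; *) continue ;; esac   # need "daemons : clients"
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clients=$(printf '%s' "${rest%%:*}" | tr ',' ' ')
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then
                if ip_in_list "$addr" $clients; then return 0; fi
            fi
        done
    done < "$rules"
    return 1
}

# tcpw_decide DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints "allow" or "deny"
# Order: a hosts.allow match grants access; otherwise a hosts.deny match
# refuses it; with no match in either file, access is granted.
tcpw_decide() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed policy: vsftpd only for 10.172.1.x, minus one excluded host.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'vsftpd : 10.172.1. EXCEPT 10.172.1.99\n' > "$demo/hosts.allow"
printf '# everything else is refused\nvsftpd : ALL\n' > "$demo/hosts.deny"

for ip in 10.172.1.50 10.172.1.99 192.0.2.7; do
    echo "$ip -> $(tcpw_decide vsftpd "$ip" "$demo/hosts.allow" "$demo/hosts.deny")"
done
```

A daemon with no rule in either file is allowed, which is why a deny-all line in hosts.deny is what makes the allow list effective.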

2.2. Recompile to support customized functions

vsftpd has no configure script for compilation. Instead, edit the build definitions file to enable the relevant features: vi /usr/local/src/vsftp-d.2.3.4/builddefs.h

The default values are shown below. To enable a feature, set the corresponding item to define; otherwise set it to undef. It is recommended to define all of them.

#undef VSF_BUILD_TCPWRAPPERS   /* Whether TCP Wrappers is supported */
#define VSF_BUILD_PAM          /* Whether custom virtual user login is supported */
#undef VSF_BUILD_SSL           /* Whether SSL transmission is supported */

2.3. Error: Unsupported protocol for media

Errors during downloading metadata for repository 'base':
  - Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz [Protocol "media" not supported or disabled in libcurl]
  - Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6-primary.xml.gz [Protocol "media" not supported or disabled in libcurl]
  - Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz [Protocol "media" not supported or disabled in libcurl]
Error: Download failed: Yum repo downloading error: Downloading error(s): repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz - Download failed: Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz [Protocol "media" not supported or disabled in libcurl]; repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz - Download failed: Curl error (1): Unsupported protocol for media://1385726732.061157/#1/repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz [Protocol "media" not supported or disabled in libcurl]; repodata/495d3964f864fbab835ea1afb8a5272352cd12ded1

Debugging process:

curl -vvv ftp://10.172.1.206/centos6.5/media/repodata/repomd.xml #The output is as follows

* Trying 10.172.1.206...
* TCP_NODELAY set
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
< 220 (vsFTPd 3.0.3)
> USER anonymous
< 331 Please specify the password.
> PASS [email protected]
< 230 Login successful.
> PWD
< 257 "/" is the current directory
* Entry path is '/'
> CWD centos6.5
* ftp_perform ends with SECONDARY: 0
< 250 Directory successfully changed.
> CWD media
< 250 Directory successfully changed.
> CWD repodata
< 250 Directory successfully changed.
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||60100|)
* Trying 10.172.1.206...
* TCP_NODELAY set
* Connecting to 10.172.1.206 (10.172.1.206) port 60100
* Connected to 10.172.1.206 (10.172.1.206) port 21 (#0)
> TYPE I
< 200 Switching to Binary mode.
> SIZE repomd.xml
< 213 4062
> RETR repomd.xml
< 150 Opening BINARY mode data connection for repomd.xml (4062 bytes).
* Maxdownload = -1
* Getting file with size: 4062
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
 <revision>1385726898</revision>
<data type="group">
  <checksum type="sha256">b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632</checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632-c6-x86_64-comps.xml"/>
  <timestamp>1385726992.63</timestamp>
  <size>1220797</size>
</data>
<data type="filelists">
  <checksum type="sha256">6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d</checksum>
  <open-checksum type="sha256">94e6b785bf5990ce8d806b2b3f369104ec05b135e5a4b052cd5374e170588f3b</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/6ac72f497df511cc2dc584eaa59779884fc572c1618e7c62dbd631ab8babf53d-filelists.xml.gz"/>
  <timestamp>1385726972</timestamp>
  <size>5475008</size>
  <open-size>71286426</open-size>
</data>
<data type="group_gz">
  <checksum type="sha256">ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66</checksum>
  <open-checksum type="sha256">b4e0b9342ef85d3059ff095fa7f140f654c2cb492837de689a58c581207d9632</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/ca525c73086186bfcb81ad9edd45796026dac7e4e50524e0f2daf901532aaf66-c6-x86_64-comps.xml.gz"/>
  <timestamp>1385726992.61</timestamp>
  <size>225591</size>
</data>
<data type="primary">
  <checksum type="sha256">495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6</checksum>
  <open-checksum type="sha256">e8032322f7f5f06bd3485583420d81c54b5d3782b17b60cb054f4ee2b53206a8</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/495d3964f864fbab835ea1afb8a5272352cd12ded13d607205109fefaddd0ab6-primary.xml.gz"/>
  <timestamp>1385726972</timestamp>
  <size>2625479</size>
  <open-size>17198556</open-size>
</data>
<data type="primary_db">
  <checksum type="sha256">0dafccfdbf892f02acca8267ade4bdcee7280a682e65dc7e29145f3341fd7a8c</checksum>
  <open-checksum type="sha256">4b2eb9c43c432dde3528fe5bd88fc9ba4f01ef5eb5e0ca2ea8f7665eefd6dd86</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/0dafccfdbf892f02acca8267ade4bdcee7280a682e65dc7e29145f3341fd7a8c-primary.sqlite.bz2"/>
  <timestamp>1385726992.5</timestamp>
  <database_version>10</database_version>
  <size>4595171</size>
  <open-size>20478976</open-size>
</data>
<data type="other_db">
  <checksum type="sha256">fdd542ef36b0cde54ee0521fae90b98911db06483163aa1c049995b6d109349b</checksum>
  <open-checksum type="sha256">969cff0b4ced02852da2df6b6b7ba964561e37c3f817f7b98266216097ae22b5</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/fdd542ef36b0cde54ee0521fae90b98911db06483163aa1c049995b6d109349b-other.sqlite.bz2"/>
  <timestamp>1385726976.09</timestamp>
  <database_version>10</database_version>
  <size>2835495</size>
  <open-size>12257280</open-size>
</data>
<data type="other">
  <checksum type="sha256">5af8199bd0ffb441c34ef946582d0d06c1ad770755e631690771e0bceb0ad222</checksum>
  <open-checksum type="sha256">661feb7628bd6d3d73b37bdc7371c7fd4ad6b056c296932d6d36fa7bd1a859cf</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/5af8199bd0ffb441c34ef946582d0d06c1ad770755e631690771e0bceb0ad222-other.xml.gz"/>
  <timestamp>1385726972</timestamp>
  <size>3148903</size>
  <open-size>12981292</open-size>
</data>
<data type="filelists_db">
  <checksum type="sha256">594d4bb4a79ed01d66635adbcf76c45ca4a85b30fc3e3c3c28316e64f0a83f21</checksum>
  <open-checksum type="sha256">74459fc0aaf65a4603c3b47dbcbc241d2cabbd2a382271f8273c830806152074</open-checksum>
  <location xml:base="media://1385726732.061157#1" href="repodata/594d4bb4a79ed01d66635adbcf76c45ca4a85b30fc3e3c3c28316e64f0a83f21-filelists.sqlite.bz2"/>
  <timestamp>1385726986.64</timestamp>
  <database_version>10</database_version>
  <size>6121534</size>
  <open-size>33275904</open-size>
</data>
</repomd>
* Remembering we are in dir "centos6.5/media/repodata/"
< 226 Transfer complete.
* Connection #0 to host 10.172.1.206 left intact

#Trace debugging
strace -f yum makecache|grep -iE '(curl|ssl)'

#View the protocols currently supported by curl
curl --version | grep Protocols

Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
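
To see which repomd.xml entries trigger this error, the following added example (not from the original article) extracts the xml:base schemes from a repomd.xml and compares them with curl's protocol list. The function names and the sample file are constructed; the protocol list is the one printed above.

```shell
#!/bin/sh
# Added example (not from the original page): list the URL schemes used in
# xml:base attributes of a repomd.xml and report those curl cannot fetch.

# base_schemes FILE -> distinct xml:base schemes, one per line
base_schemes() {
    grep -o 'xml:base="[A-Za-z][A-Za-z0-9+.-]*://' "$1" |
        sed -e 's/^xml:base="//' -e 's#://$##' | sort -u
}

# unsupported_schemes FILE "PROTOCOLS" -> schemes absent from the curl list
unsupported_schemes() {
    for scheme in $(base_schemes "$1"); do
        case " $2 " in
            *" $scheme "*) ;;          # curl was built with this protocol
            *) echo "$scheme" ;;       # metadata download will fail on these
        esac
    done
}

# curl_protocols -> protocol list of the curl found in PATH
curl_protocols() {
    curl --version | sed -n 's/^Protocols: //p'
}

# Protocol list copied from the `curl --version` output shown on this page.
page_protocols='dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp'

# Constructed sample in the shape of the repomd.xml above (hashes replaced).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
<data type="primary">
  <location xml:base="media://1385726732.061157#1" href="repodata/HASH-primary.xml.gz"/>
</data>
<data type="filelists">
  <location xml:base="ftp://10.172.1.206/centos6.5/media" href="repodata/HASH-filelists.xml.gz"/>
</data>
<data type="other">
  <location href="repodata/HASH-other.xml.gz"/>
</data>
</repomd>
EOF

echo "unsupported xml:base schemes: $(unsupported_schemes "$sample" "$page_protocols")"
```

Against a live mirror, pass the downloaded repomd.xml and "$(curl_protocols)" instead of the embedded sample and list.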


2.4. If you need to support the media protocol, you need to recompile curl

To support the media protocol, you need to recompile curl with media protocol support enabled. You can add the --with-protocols=media parameter when running configure. For more, see the curl installation manual:

wget "https://curl.se/download/curl-7.61.1.tar.gz"
tar xvf curl-7.61.1.tar.gz
cd curl-7.61.1
#Configure and enable multiple protocol support, including media
./configure --with-ssl --with-ssh2 --with-librtmp --with-nghttp2 --with-gssapi --with-zlib --with-pop3 --with-imap --with-ftp --with-rtsp --enable-dict --enable-ldap --enable-ldaps --enable-proxy --enable-ipv6 --enable-unix-sockets --with-libidn --with-libssh2 --with-libmetalink --with-libpsl --with-curl --with-protocols=http,https,ftp,ftps,scp,sftp,tftp,telnet,ldap,ldaps,dict,file,ftp,mms,rtsp,rtmp,rtmpt,rtmpe,rtmpte,rtmpts,gopher,http,imap,imaps,mqtt,pop3,pop3s,smtp,smtps,telnet,tftp,gopher,mqtt,media

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
...
checking whether to enable AsynchDNS... yes
checking whether to enable alt-svc... no
checking whether to enable artifacts transfer compression support... no
checking whether to enable falsy URL support... no
checking whether to enable HTTPS proxy support... yes
checking whether to enable IDN (Internationalized Domain Names)... yes
checking whether to enable internationalized domain names (IDN)... yes
checking whether to enable IPv6 support... yes
checking whether to enable IRC... no
checking whether to enable Kerberos/GSSAPI... yes
checking whether to enable large file support... yes
checking whether to enable LDAP... yes
checking whether to enable ldaps... yes
checking whether to enable libcurl debug memory tracking... no
checking whether to enable metalink support... no
checking whether to enable MQTT... no
checking whether to enable multi SSL backends... no
checking whether to enable NTLM delegation to winbind's ntlm_auth helper... no
checking whether to enable NTLM support... yes
checking whether to enable NTLMWB support... no
checking whether to enable RTSP... yes
checking whether to enable SMB... no
checking whether to enable SMTP... yes
checking whether to enable SSL/TLS... yes
checking whether to enable transparent zlib compression... yes
checking whether to enable dict... yes
checking whether to enable file... yes
checking whether to enable FTP... yes
checking whether to enable GOPHER... yes
checking whether to enable HTTP... yes
checking whether to enable IMAP... yes
checking whether to enable LDAPS... yes
checking whether to enable POP3... yes
checking whether to enable RTMP... yes
checking whether to enable RTSP... yes
checking whether to enable SCP... yes
checking whether to enable SFTP... yes
checking whether to enable SMBS... no
checking whether to enable SMTP... yes
checking whether to enable TELNET... yes
checking whether to enable TFTP... yes
checking whether to use allegro for DNS resolver... no
...

configure: creating ./config.status
config.status: creating Makefile
config.status: creating scripts/Makefile
config.status: creating lib/Makefile
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating docs/Makefile
config.status: creating src/curl_config.h
config.status: src/curl_config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
# Compile and install
make
make install
…
.libs/libcurl_la-vtls/wolfssl.o -ldl -lpthread -lz -lrt -lm -lssl -lcrypto -lnghttp2 -lidn -lgssapi_krb5 -lssl -lcrypto -lrtmp -lz -lssh2 -lidn -lssh2 -lidn2 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -llber -lz -lldap -llber -lssl -lcrypto -lssl -lcrypto -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lz -O2 -Wl,-z -Wl,relro -Wl,-z,now -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o .libs/libcurl.so.4.5.0

echo>libcurl.la
libtool: install: cp -af .libs/libcurl.lai libcurl.la
libtool: install: cp -af .libs/libcurl.a /usr/local/lib/libcurl.a
libtool: install: ranlib /usr/local/lib/libcurl.a
libtool: install: cp -af .libs/libcurl.so.4.5.0 /usr/local/lib/libcurl.so.4.5.0
libtool: install: ln -sf libcurl.so.4.5.0 /usr/local/lib/libcurl.so.4
libtool: install: ln -sf libcurl.so.4.5.0 /usr/local/lib/libcurl.so
libtool: install: cp -af .libs/libcurl.lai /usr/local/lib/libcurl.la
libtool: install: cp -af .libs/libcurl.a /usr/local/lib/libcurl.a
libtool: install: ranlib /usr/local/lib/libcurl.a
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin": ldconfig -n /usr/local/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.


#verify
/usr/local/bin/curl -V #The output is as follows
Protocols: dict file ftp ftps gopher http https imap imaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp media

Alternatively, edit the repomd.xml above directly and replace the media protocol with a local one (in vi: %s#media://#file://#g). On verification, this approach proved invalid.

After completion, run createrepo -u repodata/
#Clear cache and reload yum source:
yum clean expire-cache
yum makecache

3. Appendix

1) FTP startup script

#!/bin/bash
#
# vsftpd This shell script takes care of starting and stopping
# standalone vsftpd.
#
# chkconfig: - 60 50
# description: Vsftpd is a ftp daemon, which is the program
# that answers incoming ftp service requests.
# processname: vsftpd
# config: /etc/vsftpd/vsftpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -x /usr/local/sbin/vsftpd ] || exit 0
RETVAL=0
prog="vsftpd"
start() {
        # Start daemons.
        if [ -d /etc/vsftpd ] ; then
                for i in `ls /etc/vsftpd/*.conf`; do
                        site=`basename $i .conf`
                        echo -n $"Starting $prog for $site: "
                        /usr/local/sbin/vsftpd $i &
                        RETVAL=$?
                        [ $RETVAL -eq 0 ] && {
                           touch /var/lock/subsys/$prog
                           success $"$prog $site"
                        }
                        echo
                done
        else
                RETVAL=1
        fi
        return $RETVAL
}
stop() {
        # Stop daemons.
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        return $RETVAL
}
# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status $prog
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL