Scheduled backups aren't triggered

Hi,

I’ve setup scheduled backups (full monthly, incremental daily) on my server and they don’t seem to get triggered.

The root user’s crontab contains this:

@monthly /etc/webmin/virtual-server/backup.pl --id 123974394718634
@daily /etc/webmin/virtual-server/backup.pl --id 123974406619089

and if I execute either one of those commands manually at the command line, the backups gets done as expected. Same if I do it manually in the Virtualmin web interface.

I’m running Virtualmin 3.68 Pro on CentOS Linux 5.3.

Is there a problem with crontab? Maybe the "@word" notation?

Thanks

Howdy,

Well, those 2 entries look okay.

What happens if you restart cron, then look in /var/log/messages – do you see any errors in there?

It’s possible that an error with a different cron entry is causing cron in general to bail out.
-Eric

I did “service crond restart” and nothing got added to /var/log/messages. I’m assuming that means that the restart occurred without any error.

Well, you should see at least a message stating that it restarted.

If you don’t see that, it’s in one of the other files there. But I forget which, I don’t have a CentOS machine right here
-Eric

crond is the right service. I don’t see any messages when restarting it on my system, either. So, I guess we can’t use that as an indicator of anything.

So, I’ve restarted the service again and this line got added to the /var/log/cron file:

Jun 3 11:36:30 server crond[9148]: (CRON) STARTUP (V5.0)

In the same file, there’s a whole bunch of messages like this:

These are all from midnight last night, when it should have tried to to the incremental backup (and a whole bunch of other things, I assume). I’m assuming there’s a link but since CentOS isn’t my usual platform, I’ll be asking google after posting here.

Aha! I think you’re having an SELinux problem.

Now, the above should usually work – SELinux shouldn’t prevent cron jobs from running.

But, to simplify your life a bit – you might consider simply disabling SELinux.

Take a look in /etc/selinux/config – I would suggest setting "SELINUX=disabled" in there.

Also, to prevent having to reboot, you can run this (as root):

[code:1]echo 0 >/selinux/enforce[/code:1]

Which will manually switch it off – and the next time you reboot, the changes to the config file will prevent it from coming on at all.
-Eric

I’m all for simplifying my life but isn’t SELinux a good thing? I don’t know much about it but disabling it wholesale seems a little extreme. Does it not bring advantages that would outweigh a few minutes/hours spent configuring it correctly?

Anyway, I’ll do it if the other solution is really heinous and cludgy and SELinux isn’t worth it, but I’d like to know more before doing so.

How about this – can you try disabling SELinux temporarily – and if that does indeed solve the problem, you can then decide what direction to move from there.

If it doesn’t solve the problem, well, then something else is hindering cron and the backups

To do that, just run:

echo 0 > /selinux/enforce
/etc/init.d/crond restart

Check out the cron log file, and see if those errors persist.

You can easily re-enable selinux with:

echo 1 > /selinux/enforce

SELinux is a good thing, but the reliability of it and its policies on most distros currently leaves much to be desired. And, the tools for managing policy truly and completely suck.

Most importantly, though, not having cron is a pretty big problem, and you need to take steps to get the problem corrected.

If you know what you’re doing with SELinux (and are OK with users being pretty serious restricted, and occasional mysterious errors) then you could turn it back on after testing with it turned off. Virtualmin has the beginnings of support for setting context for files and such (though it’s still a long way from complete, so your policy will need to be pretty open for users).

Okay,

I tried to disable SELinux as suggested by running this:

echo 0 > /selinux/enforce

and then restarted crond. Those same message continue to appear in the cron log file.

It seems that by running the command above, I created a folder named “selinux” at the root and a file named “enforce” inside it with “0” as its content. (There’s nothing else in the folder and its date show as being a few moments ago.)

I understand from the notation that that’s what it is supposed to do, but I figured “selinux” was a special folder (like proc).

Is something else wrong here?

Hehehe…Actually you can use:

setenforce 0

Not sure what Eric was after with the echo command…I guess there probably is a /proc entry for selinux. I dunno what it is, though.

Hrm, when SELinux is enabled, there should be a /selinux directory that is a bit like /proc.

That not being there suggests to me that it’s either not enabled, or that my information is really old. Either is totally plausible
-Eric

Actually, you’re right. There is an /selinux directory. There is no “enforce” in my system, though.

Okay, SELinux is disabled.

[code:1]bash-3.2# setenforce 0
setenforce: SELinux is disabled[/code:1]

I then restarted cron and monitored the /var/log/cron file. Here’s its contents after a few minutes:

[code:1]Jun 4 10:22:26 server crond[26301]: (CRON) STARTUP (V5.0)
Jun 4 10:25:02 server crond[26880]: Cannot make/remove an entry for the specified session
Jun 4 10:25:02 server crond[26880]: CRON (mailman) ERROR: failed to open PAM security session: Success
Jun 4 10:25:02 server crond[26880]: CRON (mailman) ERROR: cannot set security context
Jun 4 10:25:02 server crond[26881]: Cannot make/remove an entry for the specified session
Jun 4 10:25:02 server crond[26881]: CRON (root) ERROR: failed to open PAM security session: Success
Jun 4 10:25:02 server crond[26881]: CRON (root) ERROR: cannot set security context
Jun 4 10:26:01 server crond[27254]: Cannot make/remove an entry for the specified session
Jun 4 10:26:01 server crond[27254]: CRON (root) ERROR: failed to open PAM security session: Success
Jun 4 10:26:01 server crond[27254]: CRON (root) ERROR: cannot set security context[/code:1]

This isn’t for the backups specifically, but something seems to still be wrong with cron.

What distro/version are you using?

And is everything fully up to date – all the latest patches and updates made available by the vendor have been applied?

There’s some issues similar to what you’re seeing on some older versions of RHEL/CentOS/Fedora, but they all should have been resolved by the latest updates.
-Eric

I’m running Virtualmin 3.68 Pro on CentOS Linux 5.3.

I’m not fully up to date. yum has a problem updating some clamav stuff (it seems to be looking for /usr/bin/freshclam, which is there but it’s still complaining that it is missing; wouldn’t mind pointer with that one either).

As a crutch until this cron issue is fixed, I’m using the cron on my local box to SSH into the server and run the scripts. It’s not pretty, but it works.

Well, as a last resort, we have the option of disabling SELinux entirely by editing /etc/selinux/config (all we did is change it to permissive mode, which prevents it from enforcing it’s ruleset), and then rebooting.

But, rebooting production servers sucks, so a couple of other thoughts before we get to that point –

What are the contents of the following files:

1. /etc/cron.deny

2. /etc/cron.allow

3. /etc/security/access.conf

4. /etc/pam.d/crond

It’s possible something in one of those will stand out as the culprit.
-Eric

1. /etc/cron.deny is empty

2. /etc/cron.allow doesn’t exist

3. /etc/security/access.conf only contains commented lines

4. Here are the contents of /etc/pam.d/crond:

Hopefully something here will help avoid a reboot.

Thanks!

Yeah, none of those looks like a culprit.

What does this command output:

yum check-update