---
canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/knowledge-base.pdf
---
# PDF Converted to Markdown
## Page 1
Knowledge Base - SafeKit 7.5 & 8.2
SK-0001 - File replication doesn't work if there is a mount point under the replicated directory (error “JUKEBOX”)
SK-0002 - With SQL Server, SafeKit sometimes stops on primary if “Boost SQL server priority” is used
SK-0005 - “safekit forcestop” doesn't complete on “nfsbox” death
SK-0009 - File attributes replication : file encryption and file compression are not supported
SK-0010 - Replicated directory can not be a root of a file system
SK-0013 - Interface checker doesn't work with bonding interfaces
SK-0014 - Failover of NFS mounts of replicated directories from remote NFS clients are not supported
SK-0017 - Mirror module start blocks into wait state when a heartbeat with ident=”flow” is configured while there is noreplication configuration
SK-0025 - Rename of directory between replicated and not replicated trees are not supported
SK-0030 - Mirror module configuration fails when a replicated directory is a mount point
SK-0033 - SafeKit servers can not communicate when the firewall is on
SK-0043 - Configure a mirror module with a virtual IP address mapped on a virtual MAC address
SK-0046 - Web console problems after SafeKit upgrade
SK-0049 - Problem using literal IPv6 address when using HTTPS with the Web console
SK-0052 - Modules fail to start at boot when safeagent is set to automatic start
SK-0054 - When setting the resource state in a custom checker, it logs a message in the module log even if the resource statedid not changed
SK-0056 - Incompatible configuration options50Gb) such as vhd files in Hyper-V module
SK-0093 - SafeKit web server don't start when using port 80
SK-0094 - Replicate anti-ransomware folders
SK-0095 - one\_side VIP and src routes limitations
SK-0096 - Zone reintegration is not operational
SK-0097 - In the web console, nodes sometimes show "Connection error" even when only one is down
SK-0098 - Unable to login to the web console after the OpenId connection expired
SK-0099 - Configure promiscuous mode in hypervisor network
## Page 2
SK-0100 - Farm load-balancing is 100% for each nodes during minor upgrade from SafeKit 8.2.3 to SafeKit 8.2.4
SK-0101 - Heartbeat issues in a mirror module
SK-0102 - SafeKit package installation fails
SK-0103 - SafeKit console web app install fails with Microsoft Edge
SK-0104 - Https connection to SafeKit console web return a ssl protocol error
SK-0105 - postgresql module did not start on RedHat if selinux is in enforcing mode
SK-0106 - Mirror module start fails with “Kernel configuration failed. Check for module conflict”
SK-0107 - Farm module configuration fails because the VIP kernel module cannot be compiled
SK-0001 - File replication doesn't work if there is a mount point under the replicateddirectory (error “JUKEBOX”)
SK-0002 - With SQL Server, SafeKit sometimes stops on primary if “Boost SQL serverpriority” is used
OS Linux
SafeKit
version
All
Restriction File replication doesn't work if there is a mount point under
the replicated directory (error “JUKEBOX”)
Jira, Mars IdMars 22041
Id SK-0001
OS Windows
SafeKit
version
All
Problem With SQL Server, SafeKit sometimes stops on primary if
“Boost SQL server priority” is used
(sqlserver process uses 100% cpu and safekit stops with
IOS - ReleaseINK kernel→user error)
Jira, Mars IdMars 21956
Solution Disable “Boost SQL server priority” (SQL Management
Studio => select your server =>Properties => Processors)
Id SK-0002
## Page 3
SK-0005 - “safekit forcestop” doesn't complete on “nfsbox” death
SK-0009 - File attributes replication : file encryption and file compression are notsupported
SK-0010 - Replicated directory can not be a root of a file system
OS Linux
SafeKit
version
All
Problem “safekit forcestop” doesn't complete on “nfsbox” death
Jira, Mars IdMars 19565
Solution Reboot your system
Id SK-0005
OS Windows
SafeKit
version
All
Restriction File attributes replication : file encryption and file
compression are not supported
Jira, Mars IdMars 20912-20913
Id SK-0009
OS Linux
SafeKit
version
All
Problem Replicated directory can not be a root of a file system
Jira, Mars Id
Solution See for a solution
Id SK-0010
SK-0030
## Page 4
SK-0013 - Interface checker doesn't work with bonding interfaces
SK-0014 - Failover of NFS mounts of replicated directories from remote NFS clients are notsupported
SK-0017 - Mirror module start blocks into wait state when a heartbeat with ident=”flow” isconfigured while there is no replication configuration
OS Linux
SafeKit
version
All
Restriction Interface checker doesn't work with bonding interfaces
Jira, Mars Id
Id SK-0013
OS Linux
SafeKit
version
All
Restriction Failover of NFS mounts of replicated directories from
remote NFS clients are not supported
Jira, Mars Id
Id SK-0014
OS Windows & Linux
SafeKit
version
Windows: < 7.5.0.12
Linux : < 7.5.0.11
Problem Mirror module start blocks into wait state when a heartbeat
with ident=”flow” is configured while there is no replication
configuration ( section)
Jira, Mars Id
Id SK-0017
## Page 5
SK-0025 - Rename of directory between replicated and not replicated trees are notsupported
Solution It has been fixed in 7.5.0.11 for Linux and 7.5.0.12 for
Windows.
For previous releases, remove the ident attribute.
OS Windows & Linux
SafeKit
version
All
Restriction Rename of directory between replicated and not replicated
trees are not supported
This restriction applies when you configure not replicated
directories into tag. For instance:
Rename of files between replicated and not replicated
trees are supported. For instance, the operations below are
allowed:
mv /repdir/file /repdir/notrepdir
mv /repdir/notrepdir/file /repdir
But, rename of directories between replicated and not
replicated trees may lead to secondary stop-start and/or to
degraded mode. For instance, the operations below are not
supported:
mv /repdir/dir /repdir/notrepdir
mv /repdir/notrepdir/dir /repdir
Jira, Mars IdMars 34165, 63859 and 63864
Id SK-0025
## Page 6
SK-0030 - Mirror module configuration fails when a replicated directory is a mount point
OS Linux
SafeKit
version
All
Problem Mirror module configuration fails when a replicated
directory is a mount point
Jira, Mars Id
Solution Apply the following manual procedure as work around.
This article takes the example of PostgreSQL module that
set as replicated directories /var/lib/pgsql/var and
/var/lib/pgsql/data, which are mount points. The
SafeKit module configuration fails with the error:
Error : Device or resource busy
It is the same procedure for all mounts points that must be
replicated.
Detect mount points with a command line
On both nodes, check mount points with the command df
-H that returns for instance:
df -H
/dev/mapper/vg01-lv\_pgs\_var …
/var/lib/pgsql/var
/dev/mapper/vg02-lv\_pgs\_data …
/var/lib/pgsql/data
/var/lib/pgsql/var and /var/lib/pgsql/data
are mount points and they must be replicated for
PostgreSQL. But the SafeKit module configuration
command /opt/safekit/safekit config –m
postgresql returns Error : Device or resource
busy
What to do if a replicated directory is a mount point
Id SK-0030
## Page 7
First, save the module with the two previous directories
configured. You should have in
/opt/safekit/modules/postgresql/userconfig
.xml:
Umount /var/lib/pgsql/var and
/var/lib/pgsql/data
Run the command /opt/safekit/safekit config
–m postgresql which should succeed (no errors)
Check the symbolic links created by running the
command ls -l /var/lib:
lrwxrwxrwx 1 root root var ->
var\_For\_SafeKit\_Replication
lrwxrwxrwx 1 root root data ->
data\_For\_SafeKit\_Replication
Edit /etc/fstab and change the two lines:
/dev/mapper/vg01-lv\_pgs\_var
/var/lib/pgsql/var ext4…
/dev/mapper/vg02-lv\_pgs\_data
/var/lib/pgsql/data ext4…
with
/dev/mapper/vg01-lv\_pgs\_var
/var/lib/pgsql/var\_For\_SafeKit\_Replication
ext4…
/dev/mapper/vg02-lv\_pgs\_data
/var/lib/pgsql/data\_For\_SafeKit\_Replicatio
n ext4..
Mount the file systems by running the commands
mount
/var/lib/pgsql/var\_For\_SafeKit\_Replication
and mount
/var/lib/pgsql/data\_For\_SafeKit\_Replicatio
n
1 2 3 4
## Page 8
SK-0033 - SafeKit servers can not communicate when the firewall is on
Apply this procedure on both nodes if replicated directories
are mount point on both nodes.
After this procedure, you can use SafeKit as usual: ie
safekit start stop etc ...
Note
To protect the start of SafeKit on a non-mounted and
empty directory, you can insert in userconfig.xml the
checking of a file inside the replicated directory. Example
for var/ (do the same for data/ with a file inside this
directory which is always present):
What to do for de-configuring the module (or uninstall
whole SafeKit)
If you want to deconfigure the module (or uninstall whole
safekit), you must reverse this procedure by:
Umount the file systems with umount
/var/lib/pgsql/var\_For\_SafeKit\_Replication
and umount
/var/lib/pgsql/data\_For\_SafeKit\_Replicatio
n
De-configure the module with
/opt/safekit/safekit deconfig -m
postgresql
Edit /etc/fstab to undo previous editing
Mount the file systems with mount
/var/lib/pgsql/var and mount
/var/lib/pgsql/data
1 2 3
OS Windows & Linux
Id SK-0033
## Page 9
SK-0043 - Configure a mirror module with a virtual IP address mapped on a virtual MACaddress
SafeKit
version
All
Problem SafeKit servers can not communicate when the firewall is
on
Jira, Mars Id
Solution When firewall is turned on, you have to configure the
firewall to allow connections on SafeKit module ports. Refer
to the ‘Firewall settingsʼ into the SafeKit Userʼs Guide
OS Windows & Linux
SafeKit
version
All
How to Configure a mirror module with a virtual IP address
mapped on a virtual MAC address
Jira, Mars Id
Solution The following is an extract of a mirror configuration file
userconfig.xml, set to user a virtual IP address mapped on
a virtual MAC address (type="vmac\_invisible").
The loadbalancing rule is a mandatory configuration option
when defining a virtual MAC address but all the trafic goes
to the primary server.
Id SK-0043
## Page 10
SK-0046 - Web console problems after SafeKit upgrade
SK-0049 - Problem using literal IPv6 address when using HTTPS with the Web console
OS Windows & Linux
SafeKit
version
All
Problem Web console problems after SafeKit upgrade
Jira, Mars Id
Solution You have to clear your browser's cache so as to get the
new web console pages. A quick way to do this is a
keyboard shortcut that works on IE, Firefox, and Chrome.
Open the browser to any web page and hold CTRL and
SHIFT while tapping the DELETE key. (This is NOT CTRL,
ALT, DEL). The dialog box will open to clear the browser.
Set it to clear everything and click Clear Now or Delete at
the bottom. Close the browser, stop the process still
running in the background if necessary, and re-open it
fresh to test what wasn't working for you previously.
Id SK-0046
## Page 11
SK-0052 - Modules fail to start at boot when safeagent is set to automatic start
OS Windows & Linux
SafeKit
version
7.5
Problem Problem using literal IPv6 address when using HTTPS with
the Web console
If you use https://[lIPV6]:9453/ or http://[IPV6]:9010/
where IPV6 is a literal IPv6 address, the connection fails
"Internet Explorer cannot display the webpage"
See :
Jira, Mars IdMars 44424
Solution Connect with https://[lIPV6]:9453/deploy.html,
https://[lIPV6]:9453/monitor.html ... will work. Or don't use
literal addresses for IPv6.
Id SK-0049
Apache-Bugzilla-Bug 52831
OS Windows & Linux
SafeKit
version
7.5
Problem Modules fail to start at boot when safeagent is set to
automatic start
Jira, Mars Id
Solution Follow the procedure below
1. Start the "service control manager" control panel applet
2. In the right-click contextual menu of the "Safeagent"
service, select "Properties"
3. Set the "safeagent" service "startup type" to "Automatic
(Delayed Start)"
4. Click OK
Id SK-0049
## Page 12
SK-0054 - When setting the resource state in a custom checker, it logs a message in themodule log even if the resource state did not changed
SK-0056 - Incompatible configuration options
## Page 13
SK-0058 - In a farm module, start load-balancing once the application is started and stopload-balancing before stopping the application
OS Windows & Linux
SafeKit
version
All
How to In a farm module, start load-balancing once the application
is started and stop load-balancing before stopping the
application
Default behaviour: the load-balancing is enabled before
running the user script start\_both ; the load-balancing is
disabled after running the user script stop\_both.
Wanted behaviour: when the application start/stop takes
a long time, it may be necessary to enable the load-
balancing only once the application is started and to
disable it before stopping the application so as to reduce
the failover time.
Jira, Mars Id
Solution Enable/disable the load\_balancing with special commands
ran into the user scripts start\_both and stop\_both. Find
below the scripts templates.
Windows scripts
Id SK-0058
SAFE/modules/AM/bin/start\_both.cmd
1…2rem must wait for vipd ready before stopping load-balancing3"%SAFEBIN%\sleep" 245echo "Stop the load-balancing"6%SAFE%\safekit" -r saferpc\_send -m %SAFEMODULE% vipdSETGROUPS donothing donothing none78rem Start services9…1011echo "Start the load-balancing"12%SAFE%\safekit -r saferpc\_send -m %SAFEMODULE% vipdSETGROUPS donothing donothing all13…
## Page 14
SK-0066 - Configure the USN journal for file replication enhancement
Linux scripts
SAFE/modules/AM/bin/stop\_both.cmd
1…2echo "Stop the load-balancing"3%SAFE%\safekit" -r saferpc\_send -m %SAFEMODULE% vipdSETGROUPS donothing donothing none45rem Stop services6…
SAFE/modules/AM/bin/start\_both
1 #!/bin/sh2...3 #must wait for vipd ready before stopping load-balancing4sleep25echo"Stop the load-balancing”6$SAFE/safekit -r saferpc\_send -m $SAFEMODULE vipdSETGROUPS donothing donothing none78#Start services9...10echo "Start the load-balancing”11$SAFE/safekit -r saferpc\_send -m $SAFEMODULE vipdSETGROUPS donothing donothing all12...
SAFE/modules/AM/bin/stop\_both
1 #!/bin/sh2...3echo "Stop the load-balancing”4$SAFE/safekit -r saferpc\_send -m $SAFEMODULE vipdSETGROUPS donothing donothing none56 #Stop services7...
OS Windows
SafeKit
version
All
How to Configure the USN journal for file replication enhancement
Id SK-0066
## Page 15
In Windows, to enable zone reintegration after reboot when
the module has been properly stopped, rfs component use
the NTFS USN change journal to check that saved
information on zones are still valid after reboot. When the
check succeeds, zone reintegration can be applied on the
file; otherwise, full reintegration must be used.
By default, an NTFS volume will have its USN journal active
only the system drive. If the replicated directories are
located on a drive different from the system drive, you have
to explicitly activate the journal.
Run the following command, as an administrator, to check
that the USN journal is enabled on your drive:
fsutil usn queryjournal D: (replace D: with the
desired drive).
When disabled, it returns "Error: The volume change
journal is not active.
Jira, Mars Id
Solution Run the following command, as an administrator, to create
the USN journal:
fsutil usn createjournal m=536870912
a=67108864 D:
(replace D: with the desired drive) ; where m, for maximum
size, specifies the maximum size, in bytes, that NTFS
allocates for the change journal and a, for allocation delta,
specifies the size, in bytes, of memory allocation that is
added to the end and removed from the beginning of the
change journal.
The default USN journal maximum size is 512 MB. If your
volume contains 400,000 files or fewer, no additional
configuration is required. For every 100,000 additional files
on a volume containing replicated directories, increase the
USN journal size by 128 MB. If files on the volume are
See before starting the module after the
USN journal creation.
SK-0067
## Page 16
changed or renamed frequently (regardless of whether
they are part of the replica set), consider sizing the USN
journal larger than these recommendations to prevent USN
journal wraps, which can occur when large numbers of files
change so quickly that the USN journal must discard the
oldest changes to stay within the specified size limit.
The table below includes the various figures needed to
create the USN journal to different amounts.
400 000 536 870 91267 108 864512
600 000 805 306 368100 663 296768
800 000 1 073 741
824
134 217 7281 024
1 000 000 1 342 177
280
167 772 1601 280
1 200 000 1 610 612
736
201 326 5921 536
1 400 000 1 879 048
192
234 881 0241 792
1 600 000 2 147 483
648
268 435 4562 048
1 800 000 2 415 919
104
301 989 8882 304
2 000 000 2 684 354
560
335 544 3202 560
2 200 000 2 952 790
016
369 098 7522 816
Number of
files
m
maximum
size in bytes
a
allocation
delta in
bytes
m
in MB
## Page 17
SK-0067 - The start of the module hangs into the WAIT(magenta) state after creating theUSN journal on the drive containing the replicated directories
2 400 000 3 221 225
472
402 653 1843 072
2 600 000 3 489 660
928
436 207 6163 328
2 800 000 3 758 096
384
469 762 0483 584
3 000 000 4 026 531
840
503 316 4803 840
3 200 000 4 294 967
296
536 870 9124 096
OS Windows
SafeKit
version
All
Problem The start of the module hangs into the WAIT(magenta)
state after creating the USN journal on the drive containing
the replicated directories
The start of the module hangs into the WAIT(magenta)
state with the following messages into the log of the
module:
| 2017-02-23 09:05:58:454000 | nfsboxv3 | D | Directory
D:\: Filesystem=NTFS (flags 3e700ff), Volume=Data
| 2017-02-23 09:06:00:302000 | rfsplug | D | Retrying
nfsbox port lookup
| 2017-02-23 09:06:00:302000 | rfsplug | D | Waiting for
nfsbox ready
| 2017-02-23 09:06:00:303000 | log | D | Last message
repeated 2 times
Id SK-0067
## Page 18
SK-0068 - Use of externally built httpd server instead of the SafeKit built-in httpd server
| 2017-02-23 09:06:00:333000 | nfsadmin | D | Retrying
nfsbox port lookup
| 2017-02-23 09:06:00:333000 | nfsadmin | D | Waiting for
nfsbox initialization
This occurs when the USN journal has just been created on
the drive containing the replicated directories and no
access has yet be done on the drive.
Jira, Mars Id
Solution After creating the USN journal and before starting the
module, run any modification on the drive so as to fill the
USN journal. For instance, you can create then delete a file.
OS Windows
SafeKit
version
All
How to Use of externally built httpd server instead of the SafeKit
built-in httpd server
Jira, Mars Id
Solution Download the appropriate version of the httpd server 2.4
package x64 binaries from a source you trust, or build it
yourself. For example, Apache 2 Server on Windows f
or (business) webmasters, developers, home users and
programmers provide x64 binaries for Windows. If you
intend to use the secured web console with HTTPS,
ensure that the mod\_ssl and openssl packages are also
delivered.
Download and install the associated Microsoft C Runtime
redistributable package
Stop safewebserver : safekit webserver stop
Id SK-0068
## Page 19
SK-0069 - Use of Linux httpd server instead of the SafeKit built-in httpd server
SK-0070 - Use mySQL with Safekit when SELinux is "Enforcing"
Take a copy of the SAFE/web/bin and
SAFE/web/modules directories
Copy the content of the "bin" directory from the httpd
server package to the SAFE/web/bin directory
Copy the content of the "modules" directory from the
httpd server package to the SAFE/web/modules
directory
Start safewebserver : safekit webserver start
OS Linux
SafeKit
version
7.5
How to Use of Linux httpd server instead of the SafeKit built-in
httpd server
Jira, Mars Id
Solution Download the appropriate version of the httpd server 2.4
package x64 binaries. If you intend to use the secured
web console with HTTPS, ensure that the mod\_ssl,
mod\_ldap and mod\_session packages are also delivered.
Stop safewebserver : safekit webserver stop
Edit the /opt/safekit/web/bin/safeapachectl script
according to the inline comments
Start safewebserver : safekit webserver start
Id SK-0069
OS Linux
SafeKit
version
All
Id SK-0070
## Page 20
How to Use mySQL with Safekit when SELinux is "Enforcing"
The start of the module mySQL.safe fails with mysql errors:
mkdir: cannot create directory
/var/lib/mysql: File exists
mariadb.service: main process exited,
code=exited, status=1/FAILURE
mariadb.service: control process exited,
code=exited status=1
Failed to start MariaDB database server.
And/Or :
[Note] /usr/libexec/mysqld (mysqld 5.5.44-
MariaDB) starting as process 29039 ...
Warning] Can't create test file
/var/lib/mysql/alambix2.lower-test
/usr/libexec/mysqld: Can't change dir to
'/var/lib/mysql/' (Errcode: 13)
170426 8:55:20 [ERROR] Aborting
Jira, Mars Id
Solution Generate SELinux policy allow rules from logs of denied
operations:
First deploy mySQL.safe module
Set SELinux in Permissive mode : setenforce 0
Execute: /sbin/service auditd rotate, to rotate
the SELinux log file "/var/log/audit/audit.log"
Execute : semodule -DB, to remove "dontaudits from
policy" (log becomes more verbose)
Start and Stop mySQL in command line : systemctl
start mariadb and systemctl stop mariadb
Start and stop mySQL.safe module (command line or
safekit web console)
Now, use "audit2allow" to build a policy module
"NewMySQL.pp" from denial and the associated system
call logged to /var/log/audit/audit.log:
## Page 21
grep mysqld /var/log/audit/audit.log |
audit2allow -M NewMySQL , 2 files are created :
NewMySQL.pp and NewMySQL.te
Set audit in initial mode: semodule -B
Load the new policy module: semodule -i
NewMySQL.pp
Set SELinux in Enforcing mode: setenforce 1
Start mySQL.safe module : it works !
File NewMySQL.te sample :
module NewMySQL 1.0;
require {
type var\_lib\_t;
type mysqld\_safe\_t;
type nfs\_t;
type mysqld\_t;
class process { siginh noatsecure rlimitinh
};
class sock\_file { create unlink };
class lnk\_file { read getattr };
class file { write getattr read lock create
unlink open };
class dir { write remove\_name getattr
add\_name };
}
#============= mysqld\_safe\_t ==============
#!!!! This avc has a dontaudit rule in the
current policy
allow mysqld\_safe\_t mysqld\_t:process {
siginh rlimitinh noatsecure };
#!!!! This avc has a dontaudit rule in the
current policy
allow mysqld\_safe\_t nfs\_t:dir getattr;
allow mysqld\_safe\_t var\_lib\_t:lnk\_file
read;
#============= mysqld\_t ============== allow
mysqld\_t nfs\_t:dir { write remove\_name
## Page 22
SK-0071 - Command "create" or "drop" on Mysql replicated database fails when SELinux is"Enforcing"
add\_name };
allow mysqld\_t nfs\_t:file { write getattr
read lock create unlink open };
allow mysqld\_t nfs\_t:sock\_file { create
unlink };
allow mysqld\_t var\_lib\_t:lnk\_file { read
getattr };
Remarks :
If the ".te" file is manually modified, the ".pp" file must be
build again
checkmodule -M -m -o NewMySQL.mod
NewMySQL.te
semodule\_package -o NewMySQL.pp -m
NewMySQL.mod
Then reload the policy module semodule -i
NewMySQL.pp .
OS Linux
SafeKit
version
All
Problem Command "create" or "drop" on Mysql replicated database
fails when SELinux is "Enforcing"
drop database MaBase;
ERROR 1010 (HY000): Error dropping database
(can't rmdir './MaBase', errno: 13)
or create database MaBase;
ERROR ...(HY000): Error creating database
(can't mkdir './MaBase', errno: 13)
Jira, Mars Id
Id SK-0071
## Page 23
SK-0072 - Set SELinux to "Permissive" mode OR set only enforcement mode for MySQL to"Permissive"
SK-0080 - Module communication failures if cluster configuration contains DNS names
Solution Edit your policy rules for MySQL (".te" file see )
and add rules for "create" and "rmdir" directory :
Replace the line : class dir { write remove\_name
getattr add\_name } with : class dir { create
rmdir write remove\_name getattr add\_name }
Replace the line : allow mysqld\_t nfs\_t:dir {
write remove\_name add\_name }
with : allow mysqld\_t nfs\_t:dir { create
rmdir write remove\_name add\_name }
Then compile and load the policy module :
checkmodule -M -m -o NewMySQL.mod
NewMySQL.te
semodule\_package -o NewMySQL.pp -m
NewMySQL.mod
semodule -i NewMySQL.pp
SK-0070
OS Linux
SafeKit
version
All
How to Set SELinux to "Permissive" mode OR set only
enforcement mode for MySQL to "Permissive"
Jira, Mars Id
Solution To set SELinux in "Permissive" mode execute :
setenforce 0 , to see the current mode :
getenforce
To set enforcement mode to "Permissive" only for MySQL
execute : semanage permissive -a mysqld\_t
Id SK-0072
## Page 24
SK-0081 - Hyper-V module (hyperv.safe) start fails with plugwait error
OS Windows & Linux
SafeKit
version
All
Problem Module communication failures if cluster configuration
contains DNS names
Some bugs in the DNS name resolution leads to module
internal communication failures if the cluster configuration
contains DNS names.
Jira, Mars Id
WorkaroundA work-around consists in setting only IP addresses. But if
you require DNS names for accessing the SafeKit web
console, the work-around consists in setting 2 lan
sections into into the cluster configuration. One lan
definition with DNS names used only by the SafeKit web
console ; one lan definition with IP addresses used for
the framework communications. For instance, the cluster
configuration may look like the following one :
Id SK-0080
## Page 25
SK-0082 - Hyper-V module (hyperv.safe) failover fails with VM import failure
OS Windows
SafeKit
version
All
Problem Hyper-V module (hyperv.safe) start fails with plugwait error
hyperv.safe relies on PowerShell scripts that require, for a
correct execution, the change of the execution policy.
Jira, Mars Id
Solution Change the execution policy as follow:
start a Windows PowerShell session
run Set-ExecutionPolicy RemoteSigned
reply yes when prompt
Id SK-0081
OS Windows
SafeKit
version
All
Problem Hyper-V module (hyperv.safe) failover fails with VM import
failure.
The failover on node2 fails and into the user script output
file SAFEVAR/modules/AM/userlog.ulog (where
SAFEVAR=c:\safekit and AM is your module name),
you have the following message:
Import-VM: Unable to import the virtual
machine due to configuration errors. Use
Compare-VM to to repair the virtual
machine.
The VM import during the failover is equivalent to the
virtual machine (VM) migration that consists in moving the
Id SK-0082
## Page 26
SK-0083 - Some SafeKit components and modules fails on Windows
VM from physical server node1 to node2. The import may
fail when the migration requirements are not met.
Jira, Mars Id
Solution Check the common requirements for HyperV VM migration
depending on you Windows release number. This
requirements applies on the physical server settings
(processor, Active Directory domain, ...) and the VM
settings (virtual hard disks, virtual networks, ...). For
checking incompatilities, you can try to manually import the
VM on node2 while SafeKit is stopped. It will logs
incompatibility error messages. One common error is
because the host hardware isn't compatible. This occurs
when a virtual machine has one or more snapshots, and
hosts have different processor versions. To fix this
problem, shut down the virtual machine on node1 and turn
on the processor compatibility setting as follow:
From Hyper-V Manager, in the Virtual Machines pane,
right-click the virtual machine and click Settings.
In the navigation pane, expand Processors and click
Compatibility.
Check Migrate to a computer with a different processor
version.
Click OK.
Be aware that it is anyway recommanded to have the same
physical servers when using hyperv.safe since you may
have other incompatibilities issues.
OS Windows
SafeKit
version
7.5
Problem Some SafeKit components and modules fails on Windows
Id SK-0083
## Page 27
SK-0085 - SafeKit may not run properly when relying on host name resolution service thatis not itself highly available
SafeKit relies on PowerShell scripts, that require for a
correct execution, the change of the execution policy. For
instance:
When the SafeKit web console is configured for HTTPS,
the cluster configuration fails with error on server
certificate
Hyper-V module (hyperv.safe) start fails with plugwait
error
Jira, Mars Id
Solution Change the execution policy as follow:
start a Windows PowerShell session
run Set-ExecutionPolicy RemoteSigned
reply yes when prompt
OS Windows & Linux
SafeKit
version
All
Problem SafeKit may not run properly when relying on host name
resolution service that is not itself highly available
If node addresses are specified using names instead of
numerical IP addresses in the cluster.xml file, then the
name resolution service must be highly available. For
instance, when using DNS service (for FQDN, fully qualified
domain name, such as
“node1.mysubdomain.mydomain.com” ), the local resolver
should have a cache that can cope with DNS server(s)
short failures. A long lasting name resolver failure will
prevent SafeKit cluster nodes from communicating with
each other, potentially leading to splitbrain situations.
Id SK-0085
## Page 28
SK-0087 - User scripts executed within the SafeKit environment return, into the applicationlog, an error with openssl version
Jira, Mars Id
Solution To avoid that, you must implement a robust DNS resolution
policy on the nodes participating in the cluster, such as :
Configuring more than 1 DNS server on the nodes.
Increasing resolver cache retention time (for Windows,
see Guidance for troubleshooting DNS - Windows Ser
ver)
Implementing a local DNS on the nodes (master or
cache with forwarding to the zoneʼs master)
Adding cluster FQDNs and corresponding IP addresses
in the hosts file of the nodes
As last resort, use numerical IP addresses in cluster.xml.
OS Linux
SafeKit
version
7.5
Id SK-0087
## Page 29
Problem User scripts executed within the SafeKit environment
return, into the application log, an error with openssl
version
For instance, you get errors like the following into the
application log:
PAM unable to
dlopen(/usr/lib64/security/pam\_unix.so):
/lib64/libk5crypto.so.3: undefined symbol:
EVP\_KDF\_ctrl, version OPENSSL\_1\_1\_1b
or
symbol lookup error: /lib64/librpmio.so.8:
undefined symbol: EVP\_md2, version
OPENSSL\_1\_1\_0
Jira, Mars Id
WorkaroundThis problem is probably due to a bad linking with the
openssl library delivered with SafeKit, that is, in some
cases, not compatible with the one delivered with RH 8 and
used by the application or commands.
User scripts are executed with LD\_LIBRARY\_PATH
environment variable set to SafeKit libraries.
The workaround is to execute commands after unsetting
LD\_LIBRARY\_PATH. Below an example that starts oracle
into start\_prim:
replace
/bin/su - oracle19 -c
"/usr/local/bin/startDb"
by
(unset LD\_LIBRARY\_PATH ; /bin/su - oracle19
-c "/usr/local/bin/startDb" )
Apply the same changes for all user scripts (start\_xxx,
stop\_xxx, ...)
## Page 30
SK-0088 - Hyper-V module (hyperv.safe) failover prerequisite
OS Windows
SafeKit
version
7.5
Restriction Hyper-V module (hyperv.safe) failover prerequisite
During the Hyper-V module failover, the virtual machine
(VM) is imported on the new primary node before being
started. It is equivalent to the VM migration that consists in
moving the VM from physical server node1 to node2. The
import may fail when the migration requirements are not
met. On failure, the user script output file
SAFEVAR/modules/AM/userlog.ulog (where
SAFEVAR=c:\safekit and AM is your module name),
contains the following message:
Import-VM : Unable to import virtual machine
due to configuration errors. Please use
Compare-VM to repair the virtual machine.
Jira, Mars Id
Solution Before testing the Hyper-V module failover, check the
common requirements for HyperV VM migration depending
on you Windows release number. This requirements
applies on the physical server settings (processor, Active
Directory domain, ...) and the VM settings (virtual hard
disks, virtual networks, ...).
For checking incompatilities, we recommand the following
procedure:
Configure the hyperv.safe module and start the module
on both nodes
When PRIM (node1)/SECOND (node2) green, shutdown
the VM on node1
Stop the module on node2
Id SK-0081
## Page 31
SK-0089 - Default failover rule for tcp checkers set to wait instead of restart
On node2, start a PowerShell as administrator and run
compare-vm -path "D:\Repli-Hyper-
V\VM1\Virtual Machines\8CB619CE-CFB4-45BD-
908B-F123A2E0AA24.vmcx" -Register
Change the path to the location of your VM configuration
file (extension may be xml instead of vmcx)
For details, see
This command lists incompatibilities if some. To get details
on incompatibilities, run
$report = compare-vm -path "D:\Repli-Hyper-
V\VM2\Virtual Machines\8CB619CE-CFB4-45BD-
908B-F12 3A2E0AA24.XML" -Register
$report.Incompatibilities | FL
When incompatibilites are found (e.g., hardware
incompatibilities, different name for virtual switch), fix them
before running the failover of the module.
One common error is due to host hardware incompatibility.
This occurs when a virtual machine has one or more
snapshots, and hosts have different processor versions. To
fix this problem, shut down the virtual machine on node1
and turn on the processor compatibility setting as follow:
From Hyper-V Manager, in the Virtual Machines pane,
right-click the virtual machine and click Settings.
In the navigation pane, expand Processors and click
Compatibility.
Check Migrate to a computer with a different processor
version.
Click OK.
Be aware that it is anyway recommanded to have the same
physical servers when using hyperv.safe since you may
have other incompatibilities issues.
Compare-VM Hyper-V
Id SK-0081
## Page 32
SK-0090 - Failover machine may generate a wakeup before checkers, with wait rules, havetime to set the associated resource state to up or down
SK-0091 - Timeout during reintegration of big files (>50Gb) such as vhd files in Hyper-Vmodule
OS Windows & Linux
SafeKit
version
7.5.0.16
Problem Default failover rule for tcp checkers set to wait instead of
restart
Jira, Mars IdMars 74378
Solution Do not configure tcp checker or upgrade to SafeKit >
7.5.0.16
OS Windows & Linux
SafeKit
version
7.5.0.16
Problem Failover machine may generate a wakeup before checkers,
with wait rules, have time to set the associated resource
state to up or down
Jira, Mars IdMars 74340
Solution Upgrade to SafeKit > 7.5.0.16
Id SK-0090
OS Windows
SafeKit
version
All
Problem Timeout during reintegration of big files (>50Gb) such as
vhd files in Hyper-V module
Id SK-0091
## Page 33
SK-0093 - SafeKit web server don't start when using port 80
During the file synchronisation, space on disk may need to
be allocated for new or extended files. In Windows, when
the file is large or zero filled, a timeout may occurs during
the synchronisation if the primary or the reintegration
process writes at the end of the file. This leads to
synchronisation failures.
This problem may occur with the Hyper-V module
(hyperv.safe) where VM disks are implemented by big vhd
files.
Jira, Mars Id
Solution Edit the module XML configuration file
SAFE/modules/AM/conf/userconfig.xml (replace AM by the
name of the module) and add the option allocthreshold into
the section as follow:
0, fast allocation of disk space is
enabled for files to be synchronized on the secondary node
The allocation is applied only:
for new files (files that do not exist on the secondary
when reintegration starts)
for a full synchronization (for example, during the first
reintegration or when the secondary is started with
safekit second fullsync)
when the file size on the primary is >= allocthreshold
(size in Gb)
OS Linux
SafeKit
version
7.5
Problem SafeKit web server don't start when using port 80
Id SK-0093
## Page 34
SK-0094 - Replicate anti-ransomware folders
Port 80 is a reserved port that could be bind only by root
processes or processes that have the needed capability
Jira, Mars Id
Solution As root , run the command :
setcap 'cap\_net\_bind\_service=+ep'
/opt/safekit/web/bin/httpd
OS Windows
SafeKit
version
All
How to Replicate anti-ransomware folders
To configure protected folders, use ‘Windows Securityʼ;
select ‘Virus & heart protectionʼ and ‘Manage ransomware
protectionʼ.
Set ‘Controlled accessʼ to on and select ‘Protected foldersʼ
to add folders.
Jira, Mars Id
Solution To use SafeKit to replicate such directories, you have to
allow SafeKit apps to access the protected folders.
Select ‘Allow an app through Controlled access folderʼ, ‘Add
an allowed appʼ and ‘Browse all appsʼ.
Then add the following apps :
c:\safekit\private\bin\nfsbox.exe
c:\safekit\private\bin\reintegre.exe
c:\safekit\private\bin\sync.exe
c:\safekit\private\plugin\heart\heartplug.exe
Replace c:\safekit by the SafeKit root install path if you
changed the default one.
Id SK-0094
## Page 35
SK-0095 - one\_side VIP and src routes limitations
SK-0096 - Zone reintegration is not operational
OS Linux
SafeKit
version
All
Restriction one\_side VIP and src routes limitations
On the PRI server where a one\_side VIP is configurated,
the route src are setted to the VIP for :
the VIP subnet
via routes using the vip interface that dont have an
explicit src
via routes to the localip of the vip subnet
So, if the VIP interface have more than one subnet, and if
there is routes for the subnets to which the VIP don't
belong, then, they must have explicit routes. Otherwise
their src will be setted to the VIP, what is not expected.
Jira, Mars Id
Id SK-0095
OS Linux
SafeKit
version
>= 7.5.2.11 & < 8.2.2.7
Problem Zone reintegration is not operational
This is a regression that will be corrected in a future
version. It is not critical, but it does result in more data
being recopied than necessary during reintegration, as
zone-based reintegration optimization is disabled.
Jira, Mars IdJira ES-659
Id SK-0096
## Page 36
SK-0097 - In the web console, nodes sometimes show "Connection error" even when onlyone is down
SK-0098 - Unable to login to the web console after the OpenId connection expired
Solution Fixed since SafeKit 8.2.2.7
OS Windows & Linux
SafeKit
version
>= 8.2.0 & <= 8.2.2.2
Problem In the web console, nodes sometimes show "Connection
error" even when only one is down
On the console loading, if the console is connected to
node2 and node1 is down (with the alphabetical order of
node names being important), the console displays a
‘connection errorʼ for all nodes. However, only node1 should
be displayed with this state. This issue does not occur
when the console is already loaded and the node1 goes
down.
Jira, Mars IdJira ES-650
Solution Fixed since SafeKit 8.2.2.3
Id SK-0097
OS Windows & Linux
SafeKit
version
>= 8.2.3
Problem Unable to login to the web console after the OpenId
connection expired
Once the OpenId connection has expired, the web console
do not present the login page but only unauthorized page..
Jira, Mars IdJira ES-723
Id SK-0098
## Page 37
SK-0099 - Configure promiscuous mode in hypervisor network
WorkaroundThere is 2 workarounds:
clear the browser's cache ; then reload the SafeKit web
console
change the SafeKit web server configuration as
described below ; then restart the SafeKit web server
Edit the configuration file
SAFE/web/conf/httpd.webconsoleopenidauth
.conf and uncomment the lines
# Circumvent Console quirks: worker
fetches index.html with header Sec-
Fetch-Dest set to 'empty' ... So it
would get 401 instead of going to the
login screen. OIDCUnAuthAction 401 "%
{HTTP:X-Requested-With} ==
'XMLHttpRequest' \ || ( -n %{HTTP:Sec-
Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} !=
'navigate' ) \ || ( -n %{HTTP:Sec-Fetch-
Dest} && %{HTTP:Sec-Fetch-Dest} !=
'document' && %{HTTP:Sec-Fetch-Dest} !=
'empty' ) \ || ( ( %{HTTP\_ACCEPT} !~
m#text/html# ) \ && ( %{HTTP\_ACCEPT} !~
m#application/xhtml\+xml# ) \ && ( %
{HTTP\_ACCEPT} !~ m#\\*/\\*# ) )"
Restart the web server with SAFE/safekit
webserver restart
OS Windows & Linux
SafeKit
version
All
How to Configure promiscuous mode in hypervisor network
Id SK-0099
## Page 38
SK-0100 - Farm load-balancing is 100% for each nodes during minor upgrade from SafeKit8.2.3 to SafeKit 8.2.4
When using a SafeKit farm module that is configured on
two VMs with the SafeKit vmac\_invisible virtual
interface option, it is required that the network interfaces of
the machines on which SafeKit is installed support the
promiscuous mode. For the promiscuous mode to work, it
must be configured in the hypervisor settings of the virtual
switch or of the virtual network cards, depending on the
hypervisor.
Jira, Mars Id
Solution In order to configure the promiscuous mode in Hyper-V:
go to the Hyper-V Manager console, and for each virtual
machine of the module:
edit the settings of the virtual machine,
then edit the advanced features of the network adapter
to which the virtual IP address of the module
corresponds,
then enable MAC address spoofing
In order to configure the promiscuous mode in VMWare:
go to the VMWare console,
then edit the settings of the virtual switch whose
network the virtual IP address is on,
then allow Promiscuous mode.
If the promiscuous mode is not configured in the
hypervisor settings, the virtual IP address will be
unreachable (thus the application that is configured at this
IP address will be unreachable; the ping command will
not work either). Note that if the type of the SafeKit
virtual\_interface is not vmac\_invisible, but
instead is vmac\_directed, the virtual IP address will be
reachable regardless of whether the promiscuous mode is
configured or not.
## Page 39
SK-0101 - Heartbeat issues in a mirror module
OS Windows & Linux
SafeKit
version
8.2.3 with 8.2.4
Problem Farm load-balancing is 100% for each nodes during minor
upgrade from SafeKit 8.2.3 to SafeKit 8.2.4
This issue occurs temporarily during the minor upgrade
from SafeKit 8.2.3 to 8.2.4 under the following conditions:
one node has SafeKit 8.2.3 while the other has SafeKit
8.2.4
a farm module is configured with load-balancing but
without encryption for module communications
This issue is due to the farm protocol incompatibility
between SafeKit 8.2.3 to 8.2.4.
Jira, Mars Id
Solution This issue is resolved by configuring encryption for module
communications. You can also stop the module on the
node with SafeKit 8.2.3 and restart it once it has been
migrated to SafeKit 8.2.4.
Id SK-0100
OS Windows
SafeKit
version
All
Problem Heartbeat issues in a mirror module
The module never manages to stabilize in the PRIM-
SECOND states.
In the log of one node's module, you have the following
messages:
Id SK-0101
## Page 40
heart | I | Resource heartbeatlocaladdr.flow
set to up par heart
heart | E | Resource heartbeatlocaladdr.flow
to down par heart
And in the log of the module of the other node:
heart | W | Heartbeat recover from ...
heart | I | Transition HBRECOVER (...) from
heart
heart | W | Starting action
heartbeat\_recover (<- HBRECOVER)
heart | I | Resource heartbeat.flow set to
up by heart
heart | W | Action heartbeat\_recover
terminated (-> HBCMD\_OK)
heart | W | Heartbeat lost from ...
heart | I | Transition HBLOST (...) from
heart
heart | W | Starting action heartbeat\_lost
(<- HBLOST)
heart | E | Resource heartbeat.flow set to
down by heart
This issue occurs when
the cluster.xml contains names (hostname or DNS
names) for the nodes
the Windows name resolution results vary across
different nodes
As a result, the content of the
SAFEVAR/cluster/cluster\_ip.xml file is different
between the nodes, whereas it should be identical for
proper functioning. This file is built during the cluster
configuration.
Jira, Mars Id
WorkaroundReconfigure the cluster after setting numerical IP
addresses in cluster.xml.
## Page 41
SK-0102 - SafeKit package installation fails
OS Linux RedHat
SafeKit
version
8.2
Problem SafeKit package installation fails
The SafeKit package installation fails with, for instance, the
following error:
Error:
Problem: package SafeKit-8.2.3-3.el8.x86\_64
requires mod\_auth\_openidc, but none of the
providers can be installed
- conflicting requests
- package mod\_auth\_openidc-2.3.7-
4.module+el8.2.0+6919+ac02cfd2.3.x86\_64 is
filtered out by modular filtering
- package mod\_auth\_openidc-2.3.7-
3.module+el8+2454+f890a43a.x86\_64 is
filtered out by modular filtering
- package mod\_auth\_openidc-2.3.7-
8.module+el8.4.0+9707+f2438af7.x86\_64 is
filtered out by modular filtering
- package mod\_auth\_openidc-2.3.7-
11.module+el8.6.0+14082+b6f23e95.x86\_64 is
filtered out by modular filtering
(try to add '--skip-broken' to skip
uninstallable packages or '--nobest' to use
not only best candidate packages)
ERROR: SafeKit installation failed
Jira, Mars IdJira ES-937
WorkaroundThe error occurs because the SafeKit package requires
mod\_auth\_openidc, but all available versions of
mod\_auth\_openidc are filtered out by modular filtering.
Id SK-0102
## Page 42
SK-0103 - SafeKit console web app install fails with Microsoft Edge
SK-0104 - Https connection to SafeKit console web return a ssl protocol error
To resolve this, disable modular filtering for
mod\_auth\_openidc and then install SafeKit.
OS Windows
SafeKit
version
8.2
Problem SafeKit console web app install fails with Microsoft Edge
Whenever trying to install the web console as an app with
Microsoft Edge, a box pops up saying:
Jira, Mars Id
Solution Try to clear the browserʼs cache as described in
.
If this is not sufficient, look for solution described in
.
Id SK-0103
Knowled
ge Base - SafeKit 7.5 & 8.2 | SK 0046 Windows & Linux
Missing pwahelper.exe in Microsoft Edge
OS Windows & Linux
SafeKit
version
All
Problem Https connection to SafeKit console web return a ssl
protocol error
Connection to the web console return the following error :
ERR\_SSL\_PROTOCOL\_ERROR
Id SK-0104
## Page 43
SK-0105 - postgresql module did not start on RedHat if selinux is in enforcing mode
When setting log level in httpd.conf to debug the following
message is seen in httpd.log :
[ssl:info] [client .... ] AH02008: SSL
library error 1 in handshake
[ssl:info] SSL Library Error:
error:0A00018E:SSL routines::ca md too weak
Commands :
openssl x509 -text -noout -in server.crt and
openssl x509 -text -noout -in cacert.crt
donʼt show any error or weakness
Jira, Mars IdEHD-7460
Solution Recent openssl library version donʼt accept any weak
certificate in cacert.crt even if the weak certificate is
not part of server certificate certification chain.
openssl x509 -text -noout -in cacert.crt
shows only the first certificate in the ca bundle.
You must use :
openssl storeutl -text -noout -certs
cacert.crt
to see all certificates in cacert.crt and check that none
of them are signed with too weak protocol like SHA1
OS Linux RedHat
SafeKit
version
All
Id SK-0105
## Page 44
SK-0106 - Mirror module start fails with “Kernel configuration failed. Check for moduleconflict”
Problem postgresql module did not start on RedHat if selinux is in
enforcing mode
journalctl -xeu postgresql.service shows the following error
:
postgres: could not access directory "/var/lib/pgsql/data":
Permission denied
Solution Safekit file replication use internaly a nfs mountpoint, so a
selinux module must be created and installed to allow
postgres processes to access nfs\_t files.
1) Create a postgresnfs.te file with the following content :
2. Compile the selinux module :
3. Install the module :
1module postgresnfs 1.0;23require {4 type nfs\_t;5 type postgresql\_t;6 class dir { add\_name create getattr open readremove\_name search write };7 class file { append create getattr open readrename unlink write };8}910#============= postgresql\_t ==============11allow postgresql\_t nfs\_t:dir { add\_name create getattropen read remove\_name search write };12allow postgresql\_t nfs\_t:file { append create getattropen read rename unlink write };
1checkmodule -M -m -o postgresnfs.mod postgresnfs.te2semodule\_package -o postgresnfs.pp -m postgresnfs.mod
1semodule -i postgresnfs.pp
OS Windows
SafeKit
version
All
Id SK-0106
## Page 45
SK-0107 - Farm module configuration fails because the VIP kernel module cannot becompiled
Problem The mirror module failed to start due to a module conflict:
Solution This error occurs in two situations:
1. Two mirror modules are configured with the same
replicated directories.
This configuration is not supported. To fix it, assign
distinct replicated directories to each module and
reconfigure them
2. The kernel configuration for replicated directories was
not properly updated, even though no duplicates are
configured.
To reload the correct configuration into the kernel, stop
all modules and run the following command:
1nfsboxv3 | E | Kernel filter configuration failed forE:\replicated\_dir. Check for module conflicts.
1net stop rfsfilter
OS Red Hat
SafeKit
version
All
Problem Farm module configuration fails because the VIP kernel
module cannot be compiled:
Solution The VIP module compilation will fail if kernel-devel
package is missing or does not match the currently running
kernel version.
Id SK-0107
1"virtual\_interface" configuration need vip kernelmodule, trying to install :2Unable to find kernel include files/lib/modules/5.14.0-503.35.1.el9\_5.x86\_64/build/include/linux3Please see documentation to install kernel sourcepackage4make: \*\*\* [Makefile:21 : test] Erreur 156Error: not able to install vip kernel module. Pleasecheck prerequisite in %OEMNAME% Release Notes
## Page 46
1. Upgrage to the last kernel with yum update kernel
2. Reboot
3. Check the running kernel version using the command
uname -r (e.g. 5.14.0-503.35.1.el9\_5.x86\_64)
4. Check if kernel-devel is installed with rpm -q kernel-
devel. If not installed, install it.
5. If installed, verify that the installed package matches the
running kernel using rpm -q kernel-devel-$(uname -r). If
it does not match, install the correct package.