Sunday, December 31, 2017

ubuntu - linux ssh -X graphical applications will not start when system load is high

So I am using ssh -X to access a server. I am at a Xubuntu desktop accessing a Ubuntu server that is in the next room. Usually everything works fine, but when the system load gets high, any graphical applications I have freeze and fail to be restarted.



This happens even if the process that is causing the high load has been niced to a low priority with "nice -n 19". And even though the system load is high, the command line works fine with no delay, and other applications I have running on the server (e.g. virtual machines) run fine. But any graphical application running through X dies.



When the graphical applications fail they usually give out an error message that suggests a time-out.



It seems that something connected to X has a low priority and times out. But what is it, and how does one fix it?

Using Dell PERC H330 RAID controller with not-dell-certified SSDs

We are thinking about replacing our Dell PowerEdge T100 (2009) with a Dell PowerEdge T330 for our small business. Up to 15 clients use the MSSql Server, some file shares and printers. The database size is about 7G with few writes.



We are thinking about using SSDs and HDDs (Raid 1 + Raid 1) with a PERC H330 RAID controller.




Buying SSDs at Dell is very expensive and that's why we want to buy them separately.



Is it possible to use some Samsung Evo 850 Pro with this RAID controller?
Are they stable in a RAID 1 setup or is the RAID crashing (without hardware failure)?
I read about leaving unpartitioned space to over-provisioning them but is there anything else to think about?



Our server will not have heavy loads, so I think these consumer SSDs fit our requirements, but they need to be reliable for some years :) .



Is this a good way to save some money or will we regret it someday?

HP Proliant DL360 G6 Maximum Logical Drives



I have an HP Proliant DL360 G6 server with 8 HD bays. Currently I have the first two bays working with ESXi and I'm just running RAID 0 on a single drive. This is not a production machine. It has a P410i controller. I'm trying to add a third drive to the machine, and when I go into the controller menu at boot time and select "Create Logical Drive" it says I've reached the max of 2 logical drives. I was under the impression I could have many more logical drives than just 2. I'm not a server admin by any means, so this is definitely not my strength, but any help would be greatly appreciated. Thank you.


Answer



Similar to this issue, you need to have a cache memory module on your RAID controller in order to have more than 2 logical drives on a Smart Array P410 setup.



See:
HP ProLiant DL360p Gen8 Server - Unable to Create More Than 2 Logical Drives



Installing CentOS 5.5 from Windows 7 remotely to a new computer?



How can I remotely install CentOS 5.5 from my laptop running Windows 7 to a system with an empty hard drive? I've enabled PXE Ethernet boot on the new system, and I've got a TFTP and DHCP server running on the Windows 7 laptop. What next? Any sort of guidelines will help.



EDIT: So far...



The remote system is being correctly assigned an ip from dhcp server on windows 7




Setup TFTP server:




  • Enabled PXE Compatibility

  • Set pxelinux.0 as boot file in DHCP settings

  • Copied the following files from syslinux for centos 5.5 64bit to tftp basedir :chain.c32 mboot.c32 memdisk menu.c32 pxelinux.0

  • Created configuration file on basedir pxelinux.cfg







# pxelinux.cfg/default
default menu.c32
prompt 0
timeout 300
ONTIMEOUT local
MENU TITLE PXE Menu

LABEL CentOS 5.5 64bit NO KS eth0
MENU LABEL CentOS 5.5 64bit NO KS eth0
KERNEL images/vmlinuz
APPEND ks initrd=images/initrd.img ramdisk_size=100000 ksdevice=eth0



But I get the following errors on boot after DHCP address assignment.



PXE-E11: ARP timeout
PXE-E38: TFTP cannot open connection
PXE-M0F: Exiting PXE ROM.

Boot Failure


Answer



You almost got it working! :) Your problem right now is the TFTP server not being accessible from the machine you're trying to install.



Check the following to make sure it's working




  • Check that the next-server parameter in DHCP points to your laptop IP

  • Check that the tftp server is not firewalled (you need to open tcp and udp port 69)

  • Check that you can recover files from the tftp server using a tftp client




If all those checks work and you assigned an IP to your CentOS install in the same network as your laptop the install should go fine
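The exchange behind the two PXE errors above, as an added example that is not part of the question or the answer: a minimal TFTP (RFC 1350) read request run against a tiny in-process UDP server on localhost, so it works offline. The served "boot file" is constructed, not a real pxelinux.0, and the server port is ephemeral instead of 69. Two things it makes visible that matter when a firewall is in the way: TFTP is UDP only, and the DATA blocks come back from a fresh server-side port (the transfer ID), not from port 69, so a client-side stateful firewall without a TFTP helper drops the reply and the ROM reports exactly "PXE-E38". TFTP has no authentication at all, so anything on that network segment can serve a boot image to the new machine; PXE is only as trustworthy as the network it runs on.

```python
"""Minimal TFTP read-request exchange (client and toy server), added example."""
import socket
import struct
import threading

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK = 512

# Constructed stand-in for the boot file; not a real pxelinux.0.
FILES = {"pxelinux.0": bytes(range(256)) * 5}   # 1280 bytes -> blocks of 512, 512, 256


def serve_once(sock):
    """Answer one RRQ the way a TFTP server does: reply from a fresh ephemeral
    port (the server's TID) and send each DATA block only after the previous
    one was ACKed."""
    pkt, client = sock.recvfrom(1024)
    if struct.unpack("!H", pkt[:2])[0] != RRQ:
        return
    name = pkt[2:].split(b"\0")[0].decode()
    tid = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tid.bind(("127.0.0.1", 0))
    tid.settimeout(2.0)
    try:
        data = FILES.get(name)
        if data is None:
            # Error code 1 = "File not found"; the client sees this instead of DATA.
            tid.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)
            return
        block = 1
        while True:
            chunk = data[(block - 1) * BLOCK: block * BLOCK]
            tid.sendto(struct.pack("!HH", DATA, block) + chunk, client)
            ack, _ = tid.recvfrom(1024)
            if struct.unpack("!HH", ack[:4]) != (ACK, block):
                return
            if len(chunk) < BLOCK:   # a short (or empty) block ends the transfer
                return
            block += 1
    except OSError:
        return                       # client went away; a real server retries, then gives up
    finally:
        tid.close()


def tftp_get(host, port, filename, timeout=2.0):
    """Read `filename` in octet mode. Returns the bytes; raises OSError carrying
    the server's error text, or socket.timeout when nothing answers, which is
    what the PXE ROM reports as 'PXE-E38: TFTP cannot open connection'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", RRQ) + filename.encode() + b"\0octet\0", (host, port))
    out, expected = bytearray(), 1
    try:
        while True:
            # DATA arrives from the server's TID, not from port 69: a client-side
            # stateful firewall that only tracks the flow to udp/69 breaks here.
            pkt, peer = sock.recvfrom(4 + BLOCK)
            opcode, arg = struct.unpack("!HH", pkt[:4])
            if opcode == ERROR:
                text = pkt[4:].rstrip(b"\0").decode(errors="replace")
                raise OSError(f"tftp error {arg}: {text}")
            if opcode != DATA or arg != expected:
                continue                      # duplicate or stray packet
            out += pkt[4:]
            sock.sendto(struct.pack("!HH", ACK, arg), peer)
            if len(pkt) - 4 < BLOCK:
                return bytes(out)
            expected += 1
    finally:
        sock.close()


def exchange(filename):
    """Start the toy server on an ephemeral localhost port, run one read
    request and return ('ok', data) or ('error', message)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))   # real servers bind udp/69, which needs root
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_once, args=(srv,), daemon=True)
    t.start()
    try:
        return ("ok", tftp_get("127.0.0.1", port, filename))
    except OSError as e:
        return ("error", str(e))
    finally:
        t.join(timeout=3.0)
        srv.close()


if __name__ == "__main__":
    print(exchange("pxelinux.0")[0], exchange("missing.0"))
```

Point `tftp_get` at the laptop's real IP and port 69 with the file name from the DHCP boot-file option and it is the "recover files with a tftp client" check from the answer, with the difference that a timeout versus an explicit "File not found" tells you whether the problem is reachability or the file path under the TFTP base directory.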


Friday, December 29, 2017

configuration - Configure squid to forward ftp requests to ftp server on some other machine

I have installed the Squid proxy server and the vsftpd FTP server on 2 separate VMs. How can I configure the Squid proxy server on machine A (where Squid is installed) to forward FTP requests to machine B (where vsftpd is installed)?

domain name system - Forwarding Active Directory Queries through DNSMASQ



I've set up an AD domain controller through Samba 4. I'm using Samba 4's internal DNS Server for handling the SRV queries.




However, due to project requirements, my clients need to have a DNSMASQ as their one and only DNS server.



Thus, my plan was to forward all queries which DNSMASQ can't handle to the Samba 4 server.



Let's assume the IP addresses of the servers are like this:



Server with DNSMASQ: 192.168.0.10



Server with SAMBA4: 192.168.0.11




To achieve that, I have added the following line to my DNSMASQ.conf:



server=192.168.0.11



After restarting DNSMASQ, it is not forwarding SRV queries to the SAMBA 4 DC.
If I add the following line:




srv-host= _ldap._tcp.dc._msdcs.domain.example.com





the query gets forwarded, but the clients still can't join the domain. I get the following error message:




Host(A) or (AAAA) records that map the names of the domain controllers
to their IP addresses are missing or contain incorrect addresses



Domain controllers registered in DNS are not connected to the network
or are not running.





I assume there are still DNS problems, so these are my questions:




  • Is what I want to do possible at all?

  • Is there a way to just forward all SRV queries to another host with DNSMASQ?

  • Why is the server=192.168.0.11 line not working? Am I missing anything there?


Answer



I got it up and running.




Here's what my dnsmasq.conf looks like for a domain called
domain.example.com, and a samba 4 domain controller with the IP of 192.168.0.11:



# upstream for everything dnsmasq does not answer itself
server=192.168.0.11
# DC locator records, answered by dnsmasq directly
srv-host=_ldap._tcp.dc._msdcs.domain.example.com,192.168.0.11
srv-host=_ldap._tcp.gc._msdcs.domain.example.com,192.168.0.11
srv-host=_kerberos._tcp.dc._msdcs.domain.example.com,192.168.0.11
srv-host=_ldap._tcp.pdc._msdcs.domain.example.com,192.168.0.11



The server on which dnsmasq is installed also needs to be able to resolve the FQDN of the samba 4 domain controller, so an entry into /etc/hosts is needed:



192.168.0.11 dc1-samba.domain.example.com 


The /etc/hosts on the samba 4 server needs to be set up appropriately according to https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller



I took the information from here:




https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/
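A check for the records a domain join needs, as an added example that is not part of the answer above: it resolves the four _msdcs SRV names from the Microsoft list the answer links to and then the A record of every SRV target, which is exactly the pair of things the quoted join error complains about. The resolvers are injected as callables so the example runs offline against constructed answers that mimic the state before and after the fix; the domain, DC host name and address are the ones used on this page.

```python
"""Verify the DNS records an AD client needs to locate a domain controller."""
from dataclasses import dataclass, field

# SRV names (relative to the AD DNS domain) that a domain join resolves first.
LOCATOR_SRV = (
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs",
)


@dataclass
class Report:
    missing_srv: list = field(default_factory=list)   # SRV names with no answer
    missing_a: list = field(default_factory=list)     # SRV targets with no A record
    targets: dict = field(default_factory=dict)       # target host -> IPv4 addresses

    @property
    def ok(self):
        return not self.missing_srv and not self.missing_a


def check_dc_records(domain, resolve_srv, resolve_a):
    """resolve_srv(name) returns the SRV target host names for name;
    resolve_a(host) returns its IPv4 addresses. Both return [] on NXDOMAIN.
    The join error quoted in the question ("Host (A) records ... missing")
    shows up here as a non-empty missing_a."""
    rep = Report()
    for prefix in LOCATOR_SRV:
        name = f"{prefix}.{domain}"
        hosts = resolve_srv(name)
        if not hosts:
            rep.missing_srv.append(name)
        for host in hosts:
            rep.targets.setdefault(host.lower().rstrip("."), [])
    for host in sorted(rep.targets):
        ips = resolve_a(host)
        rep.targets[host] = ips
        if not ips:
            rep.missing_a.append(host)
    return rep


# Constructed stand-ins for what the clients' resolver answered before the fix
# (one SRV name forwarded by hand, no A record for the DC) and after it.
DC = "dc1-samba.domain.example.com"
BEFORE = {"srv": {"_ldap._tcp.dc._msdcs.domain.example.com": [DC]}, "a": {}}
AFTER = {"srv": {f"{p}.domain.example.com": [DC] for p in LOCATOR_SRV},
         "a": {DC: ["192.168.0.11"]}}


def table_resolver(table, kind):
    """Resolver closure over a constructed table. For live use, swap in a real
    lookup (for instance dnspython's dns.resolver.resolve(name, 'SRV'))."""
    return lambda name: list(table[kind].get(name.lower().rstrip("."), []))


if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        r = check_dc_records("domain.example.com",
                             table_resolver(data, "srv"), table_resolver(data, "a"))
        print(label, "ok" if r.ok else f"missing SRV {r.missing_srv} / A {r.missing_a}")
```

Run it from a client against the dnsmasq box, not from the dnsmasq box itself: the answer's /etc/hosts entry only fixes resolution locally on that server, while the join fails on what the clients get back.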


email - Change Envelope From to match From header in Postfix

I am using Postfix as a gateway for my domain and need it to change or rewrite the Envelope From address to match the From header. For example, the From: header is "joe@domainA.org" and the Envelope From is "bob@domainB.com". I want Postfix to make the Envelope From "joe@domainA.org" before relaying it on. I took a look at the Postfix Address Rewriting document but couldn't find anything that matched my use case.



(In case you're curious why I need to do this: Gmail uses the same Envelope From when sending from a particular account, no matter which From: address you choose to use. I would prefer not to disclose the account being used to send the email. Also, it messes with SPF/DMARC domain alignment - see 4.2.2 of the DMARC draft spec.)
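The DMARC identifier-alignment rule the question refers to, as an added example that is not part of the post: SPF alignment compares the domain of the envelope sender (RFC5321.MailFrom) with the domain of the From: header (RFC5322.From), exactly in strict mode or by organizational domain in relaxed mode. The sample message is constructed for the addresses used in the question; the organizational-domain function is a simplification (an assumption for the example) and not a Public Suffix List lookup.

```python
"""SPF identifier alignment as DMARC checks it."""
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr):
    """'Joe <joe@mail.domainA.org>' -> 'mail.domaina.org' (domains compare case-insensitively)."""
    _, mailbox = parseaddr(addr)
    if "@" not in mailbox:
        raise ValueError(f"no domain in {addr!r}")
    return mailbox.rsplit("@", 1)[1].lower().rstrip(".")


def org_domain(domain):
    """Organizational domain. DMARC derives it from the Public Suffix List; this
    example keeps the last two labels instead (an assumption), which is right
    for .org/.com but wrong for suffixes such as .co.uk."""
    return ".".join(domain.split(".")[-2:])


def spf_aligned(header_from, envelope_from, mode="r"):
    """mode 'r' = relaxed (organizational domains match; the DMARC default, aspf=r),
    's' = strict (exact match; aspf=s)."""
    hd, ed = domain_of(header_from), domain_of(envelope_from)
    return hd == ed if mode == "s" else org_domain(hd) == org_domain(ed)


def check_message(raw, envelope_from, mode="r"):
    """Parse a raw message's From: header and report alignment with the
    envelope sender the relay is about to use."""
    msg = message_from_string(raw)
    header_from = msg.get("From")
    if header_from is None:
        raise ValueError("message has no From header")
    return {
        "header_from": domain_of(header_from),
        "envelope_from": domain_of(envelope_from),
        "aligned": spf_aligned(header_from, envelope_from, mode),
    }


# Constructed message matching the scenario in the question.
SAMPLE = (
    "From: Joe <joe@domainA.org>\r\n"
    "To: someone@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE, "bob@domainB.com"))   # as Gmail sends it: not aligned
    print(check_message(SAMPLE, "joe@domainA.org"))   # after the rewrite: aligned
```

Two caveats for the rewrite itself: the envelope sender domain only passes SPF if domainA.org's SPF record authorizes the relaying host, and DMARC is satisfied when either SPF or DKIM aligns, so signing outgoing mail with a DKIM key for domainA.org (d=domainA.org) achieves alignment without touching the envelope at all.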

Thursday, December 28, 2017

virtualization - SmartOS reboots spontaneously



I run a SmartOS system on a Hetzner EX4S (Intel Core i7-2600, 32G RAM, 2x3Tb SATA HDD).
There are six virtual machines on the host:



[root@10-bf-48-7f-e7-03 ~]# vmadm list
UUID                                  TYPE  RAM   STATE    ALIAS
d2223467-bbe5-4b81-a9d1-439e9a66d43f  KVM   512   running  xxxx1
5f36358f-68fa-4351-b66f-830484b9a6ee  KVM   1024  running  xxxx2
d570e9ac-9eac-4e4f-8fda-2b1d721c8358  OS    1024  running  xxxx3
ef88979e-fb7f-460c-bf56-905755e0a399  KVM   1024  running  xxxx4
d8e06def-c9c9-4d17-b975-47dd4836f962  KVM   4096  running  xxxx5
4b06fe88-db6e-4cf3-aadd-e1006ada7188  KVM   9216  running  xxxx5
[root@10-bf-48-7f-e7-03 ~]#


The host reboots several times a week with no crash dump in /var/crash and no messages in the /var/adm/messages log.
Basically /var/adm/messages looks like there was a hard reset:




2012-11-23T08:54:43.210625+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T09:14:43.187589+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T09:34:43.165100+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T09:54:43.142065+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T10:14:43.119365+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T10:34:43.096351+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T10:54:43.073821+00:00 10-bf-48-7f-e7-03 rsyslogd: -- MARK --
2012-11-23T10:57:55.610954+00:00 10-bf-48-7f-e7-03 genunix: [ID 540533 kern.notice] #015SunOS Release 5.11 Version joyent_20121018T224723Z 64-bit
2012-11-23T10:57:55.610962+00:00 10-bf-48-7f-e7-03 genunix: [ID 299592 kern.notice] Copyright (c) 2010-2012, Joyent Inc. All rights reserved.
2012-11-23T10:57:55.610967+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: lgpg
2012-11-23T10:57:55.610971+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: tsc
2012-11-23T10:57:55.610974+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: msr
2012-11-23T10:57:55.610978+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: mtrr
2012-11-23T10:57:55.610981+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: pge
2012-11-23T10:57:55.610984+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: de
2012-11-23T10:57:55.610987+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: cmov
2012-11-23T10:57:55.610995+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: mmx
2012-11-23T10:57:55.611000+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: mca
2012-11-23T10:57:55.611004+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: pae
2012-11-23T10:57:55.611008+00:00 10-bf-48-7f-e7-03 unix: [ID 223955 kern.info] x86_feature: cv8


The problem is that sometimes the host loses the network interface on reboot so we need to perform a manual hardware reset to bring it back.
We do not have physical or virtual access to the server console - no KVM, no iLO or anything like this. So, the only way to debug is to analyze crash dumps/log files.
I am not a SmartOS/Solaris expert so I am not sure how to proceed. Is there any equivalent of Linux netconsole for SmartOS? Can I just redirect the console output to the network port somehow? Maybe I am missing something obvious and crash information is located somewhere else.


Answer



Run the command dumpadm to check crash dumps are enabled, and on what device.



If it is enabled and you find no crash dumps, then suspect a hardware fault and ask your hosting company to move you to a different physical server. (They will also be able to check hardware logs and fault lights and call the vendor and so on.)



hp - First Time Setting Up RAID Array



I have never set up a RAID array before.



I just purchased an HP Proliant DL580 G2 server that has a Smart Array 5i RAID controller on it. Do I need any special utility CD to configure the RAID before I load the OS on it? Or is it some type of GUI that I can load after the BIOS loads? I will be loading the operating system and all files onto one partition. I will be putting Debian Linux on this server. It comes with 3x36GB drives, and I want to do a RAID1 array with one hot spare (not looking for speed, just redundancy).




The server does not come with any software, so I'm wondering if there's something else I need to get to be able to configure the RAID. Also, any tips to help get it set up correctly would be greatly appreciated.


Answer



For a Debian Lenny install on top of a hardware RAID no special drivers are needed (unless your model of RAID controller is so brand new that the stable release doesn't have drivers for it). And the CDs that come with the server are completely useless when you install Linux.



The various lists indicate that Debian Lenny should install OK on that server. You might need to install the bnx2-firmware package for the ethernet cards. Probably best to first install the base system from a CD, download the bnx2-firmware package onto a USB stick and install it from there. Once that is in place, you can configure your network and from there on it's blue skies all the way.



You might want to check this regarding the RAID controller.


php - aegir nginx logging

I'm a developer rather than a sysadmin by trade. I'm working on a drupal site that's been installed with aegir which is clearly dying part-way through loading several drupal pages.



I reckon there's a PHP fatal error which is killing processing.



However, I can't seem to get errors either logging or displaying. I've configured the /etc/php5/fpm/php.ini to set log_errors = On, with error level set to E_ALL and pointing to a valid logfile.



Is there anything else I could have missed in either the nginx.conf or the php.ini? Am I even using the right php.ini? (there are 5 on the system)




My other suspicion is that maybe there are two different web services running, one to provide Aegir and one to provide the hosted Drupal sites.



Any help greatly appreciated, thanks.

domain name system - Windows DNS as secondary to BIND Master



Could someone please explain to me the process of setting up DNS on Windows Server 2008 as a secondary to a BIND DNS Master.



The BIND master is setup and operating correctly as a Nameserver.




I'm trying to setup DNS in Windows Server 2008 to act as a secondary DNS nameserver, but when I attempt to transfer the zone data to the slave, Windows DNS gives me the following error:



"Zone Not Loaded by DNS Server - The DNS server encountered a problem while trying to load the zone. The transfer of zone data from the master server failed."



I think this might be because the BIND master is not configured for zone transfers; however, I read somewhere: "The default behaviour is to allow zone transfers to any host."



I am not too familiar with BIND, I've only used Windows DNS in the past.



Does anyone know where I might be going wrong, what I can do to fix this or explain to me how to setup the 2 servers correctly.



Answer



Add the ip address, or the host name of your Windows DNS server to the allow-transfer list. For example: allow-transfer { 10.10.10.10; }.



Make sure your firewall does not interfere.
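The master-side configuration the answer describes, as an added example that is not part of the answer: a named.conf fragment that denies transfers globally and allows them to the Windows secondary only, with a NOTIFY so the secondary pulls changes promptly. The zone name, file path, and the addresses 10.10.10.1 (master) and 10.10.10.10 (secondary) are assumptions. The "allow to any host" default the question quotes is real for older BIND 9 releases, and it is why an explicit deny at the options level is worth having: an open AXFR hands anyone a complete inventory of your hosts.

```conf
// named.conf on the BIND master (added example; addresses and zone are assumed)
acl secondaries { 10.10.10.10; };       // the Windows Server 2008 DNS server

options {
    directory "/var/cache/bind";
    allow-transfer { none; };            // deny AXFR/IXFR unless a zone opts in
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { secondaries; };     // only the listed secondary may transfer
    also-notify { 10.10.10.10; };        // push NOTIFY so it refreshes promptly
    notify yes;
};
```

Zone transfers run over TCP 53, so the firewall between the two must pass TCP as well as UDP from 10.10.10.10 to the master. From the secondary, `dig @10.10.10.1 example.com AXFR` should return the full zone; from any other host the same query should fail with a transfer-refused answer, which confirms the restriction is in force.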


Wednesday, December 27, 2017

networking - How to tell if it's your problem or your ISP's problem




I originally titled this "how to tell if your internet is down or your network is just screwed up" and Jeff's AI said that this questioned would probably be closed.



Nevertheless, someone here is always on the phone with the ISP and it's usually our fault. What are some of the best techniques for telling whether you've got an issue or they've got an issue.



I know this might be too much of a blanket question, but in a case where there's intermittent latency and disconnects (not just overall outages [i.e. can't ping google.com]) what do you do before calling the ISP?


Answer



A handy test site is: http://downforeveryoneorjustme.com/



Pings and traceroutes are some of the first and best tests when beginning this sort of investigation. Firewalls may block this traffic however.




Don't just stop at normal pings. Try ping -l 2048 to send some big packets and make sure it's not a fragmentation/MTU issue.



Check your utilization -- your tubes may be full.


Tuesday, December 26, 2017

networking - Advice on Active Directory design for multihomed servers



I've been tasked by a customer to come up with a working Active Directory design for a scenario with the following requirements (simplified, they are actually a lot worse):





  • There is a subnet for client systems.

  • There is a subnet for server systems.

  • The two networks are not connected.

  • Each server should have two network cards, one on the servers' network, the other one on the clients' network.

  • Traffic between clients and servers should only flow on the clients' network.

  • Traffic between servers should only flow on the servers' network.

  • This should apply to domain controllers, too.



Needless to say, this doesn't go very well with how Active Directory uses DNS to locate domain controllers; any possible approach would lead to one of the following scenarios:





  • DCs register their "client-side" IP address in the domain DNS; clients will talk with them using that address, but so will servers, and so will AD replication traffic.

  • DCs register their "server-side" IP address in the domain DNS; servers will talk with them using that address and replication traffic will flow on that network, but clients will be unable to reach them.

  • DCs will register both IP addresses in the domain DNS; it's anyone's guess what any system will do to reach them.



Of course, these requirements are completely crazy and all of them can't be satisfied at the same time, unless using crazy solutions like splitting the DNS service on the two networks and populating its SRV records by hand (argh) or having the servers locate DCs using DNS and the clients locate DCs using WINS (double-argh).



The solution I came up with is having two DCs on the "servers" network and two DCs on the "clients" one, defining two AD sites and crossing the boundary between the two networks only with DC replication traffic. This will still require some DNS mangling, because each server will still have two network cards (apart from the two server-side DCs and purely back-end servers), but it has at least some chances to work.




Any advice, other than fleeing as fast as possible?


Answer



In the end I went with the two sites solution:




  • Two DCs for the "servers" network, two DCs for the "clients" network.

  • Two AD sites, one for the "servers" network and one for the "clients" one.

  • DCs in the "servers" network will only have a NIC sitting on that one (clients are not going to talk to them at all), so this is easy.

  • DCs in the "clients" zone will have two, but will only register in the DNS their client-side ones.


  • Servers will talk to their DCs, clients will talk to their ones.



Of course, this means enabling replication traffic between the two networks; the DCs in the "clients" network will still have a NIC sitting on the "servers" network, but as it will not get registered in the DNS, the DCs in that network will contact them using their client-side IP addresses; so that NIC will in fact be completely useless, and some firewall ports will need to be opened. The only other option would be mangling the DCs' hosts files, but let's hope that can be avoided.



Well, I think this is the best that could be done to fulfill as many (crazy) requirements as possible.



Thanks for all advice :-)


security - How should I test google cloud's DDOS protection?

I've an application deployed on a Google compute engine, which is being load balanced using Google's HTTPS Load Balancer. And according to this article ,




With global HTTP(S) load balancing, the first Google Cloud Platform
(GCP) service to support Cloud Armor, you get built-in defense against
infrastructure DDoS attacks. No additional configuration, other than
to configure load balancing, is required.





So I've tried to do a simple DoS attack on my application using JMeter. I've configured JMeter with the following configuration:




  • Total number of threads : 1500

  • Rampup time : 10 sec

  • Loop count : forever




I ran the above configuration for around 5 min; after some time, I was able to see from the responses that the load balancer was returning 502. But the server was down and I couldn't even access my application from machines other than the one where I had set up JMeter. So if Google's security is in place I should be able to see the page from another machine, and the machine from which I did the DoS attack should have been blocklisted.



I might be wrong, but there is no documentation available on Google Cloud to verify the behavior of the load balancer's DDoS security using Cloud Armor.



So if anyone can help me, that will be great.
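A caveat a practitioner would add to the test above, and an added example that is not part of the question: the built-in protection quoted from the article is against infrastructure (volumetric and protocol-level) DDoS. A stream of well-formed HTTP requests from a single JMeter host is an application-layer flood, which the load balancer passes through to the backend unless a Cloud Armor security policy rule says otherwise; blocklisting a flooding client is something such a rule does, not something the default protection does on its own. The code below is the per-client sliding-window logic such a rate rule applies, run over constructed request-log lines (the log format is invented for the example; real Cloud Load Balancing logs are JSON records in Cloud Logging and the same fields map onto it).

```python
"""Per-client sliding-window flood detection over request-log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Constructed format for this example: '<ISO timestamp> <client_ip> <status> <path>'."""
    ts, ip, status, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, int(status), path


def flood_sources(lines, max_requests, window_seconds):
    """Return {ip: peak_count} for every client that made more than max_requests
    requests inside any span of window_seconds. Lines may arrive out of order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> timestamps inside the current window
    flagged = {}
    for ts, ip, _, _ in sorted((parse_line(l) for l in lines), key=lambda r: r[0]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed traffic: one client firing 10 requests/s for 12 s (the shape of
    the JMeter run in the question, with the 502s it saw) and one ordinary visitor."""
    base = datetime(2017, 12, 26, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=100 * i)).isoformat()} 203.0.113.7 502 /"
             for i in range(120)]
    lines += [f"{(base + timedelta(seconds=3 * i)).isoformat()} 198.51.100.20 200 /index.html"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    # Only the flooding client exceeds 60 requests in any 10-second window.
    print(flood_sources(sample_log(), max_requests=60, window_seconds=10))
```

The thresholds are the policy decision: set them from the real per-client peak in your own logs, not from the load test, and remember that a distributed flood spreads the same request volume across many source addresses, so a per-IP rule alone is a partial answer.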

Sunday, December 24, 2017

domain name system - Gmail DNS Settings - Do I need CNAME and an A Record?



I'm just a little confused... I'm using Gmail for my mail service, and have followed their instructions. I wanted to allow users to access their email via mail.mydomain.com, but just hoping to get a little clarification.



Do I need both the CNAME and A records, or just the CNAME?



I deleted the A record for mail.mydomain.com and added a CNAME record which points to ghs.googlehosted.com. But now I'm wondering if I should have kept that in there?


Answer



No, you were correct to remove the old A record and replace it with the CNAME for ghs.googlehosted.com. If a particular entry (e.g. mail.example.com) has a CNAME record, it should not have either A or AAAA records as these will be disregarded.




Google does not provide individual IP addresses for each customer to use. Setting the CNAME to ghs.googlehosted.com causes requests to go to a specialized server at that address that looks up your domain and redirects web users to Gmail for your domain.


Saturday, December 23, 2017

Should I expose my Active Directory to the public Internet for remote users?



I have a client whose workforce is comprised entirely of remote employees using a mix of Apple and Windows 7 PCs/laptops.



The users don't authenticate against a domain at the moment, but the organization would like to move in that direction for several reasons. These are company-owned machines, and the firm seeks to have some control over account deactivation, group policy and some light data-loss prevention (disable remote media, USB, etc.) They are concerned that requiring VPN authentication in order to access AD would be cumbersome, especially at the intersection of a terminated employee and cached credentials on a remote machine.



Most services in the organization are Google-based (mail, file, chat, etc.) so the only domain services are DNS and the auth for their Cisco ASA VPN.



The customer would like to understand why it is not acceptable to expose their domain controllers to the public. In addition, what is a more acceptable domain structure for a distributed remote workforce?




Edit:



Centrify is in use for a handful of Mac clients.


Answer



I'm posting this as answer mainly because everyone has their own "educated opinion" based on experience, 3rd party info, hearsay, and tribal knowledge within IT, but this is more a list of citations and readings "directly" from Microsoft. I used quotes because I'm sure they don't properly filter all opinions made by their employees, but this should prove helpful nonetheless if you are after authoritative references direct from Microsoft.






BTW, I also think it is VERY EASY to say DOMAIN CONTROLLER == ACTIVE DIRECTORY, which isn't quite the case. AD FS proxies and other means (forms based auth for OWA, EAS, etc.) offer a way to "expose" AD itself to the web to allow clients to at least attempt to authenticate via AD without exposing the DCs themselves. Go on someone's OWA site and attempt to login and AD will get the request for authentication on a backend DC, so AD is technically "exposed"...but is secured via SSL and proxied through an Exchange server.







Citation #1



Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines



Before you go "Azure isn't AD"...you CAN deploy ADDS on an Azure VM.



But to quote the relevant bits:





Never expose STSs directly to the Internet.

As a security best practice, place STS instances behind a firewall and connect them to your corporate network to prevent exposure to the Internet. This is important because the STS role issues security tokens. As a result, they should be treated with the same level of protection as a domain controller. If an STS is compromised, malicious users have the ability to issue access tokens potentially containing claims of their choosing to relying party applications and other STSs in trusting organizations.




ergo...don't expose domain controllers directly to the internet.



Citation #2



Active Directory - The UnicodePwd Mystery of AD LDS





Exposing a domain controller to the Internet is normally a bad practice, whether that exposure comes directly from the production environment or through a perimeter network. The natural alternative is to place a Windows Server 2008 server with Active Directory Lightweight Directory Services (AD LDS) role running in the perimeter network.




Citation #3 - not from MS...but useful still in looking ahead




Active Directory-as-a-Service? Azure, Intune hinting at a cloud-hosted AD future




In the end, there is no great "short" answer which meets the goals of ridding the office of the AD server in exchange for an Azure alternative. While Microsoft is being complacent in allowing customers to host Active Directory Domain Services on Server 2012 and 2008 R2 boxes in Azure, their usefulness is only as good as the VPN connectivity you can muster for your staff. DirectAccess, while a very promising technology, has its hands tied due to its own unfortunate limitations.




Citation #4



Deploy AD DS or AD FS and Office 365 with single sign-on and Windows Azure Virtual Machines




Domain controllers and AD FS servers should never be exposed directly to the Internet and should only be reachable through VPN



Friday, December 22, 2017

SSH directly "through" another server








Multiple networks I can connect to have the following set up. There is a single node that can be accessed with ssh from the internet, and from there you can ssh to the inside network.



Is there a way that, on my Ubuntu box (no sudo rights), I can somehow configure that the command ssh internal.host first sets up a connection to external.host and from there to internal.host? In the ideal situation it would be something very transparent, so that I would even be able to do scp myfile internal.host:



All authentication is done with certificates.




Btw. I am aware of ssh tunnels. I'm only searching something more transparent, I don't want to have to always manually open an ssh tunnel to reach a host.
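The transparent setup the question asks for needs no root and no standing tunnel: it is a per-host jump directive in the user's own ~/.ssh/config. The fragment below is an added example, not from the post; the host names are the ones used in the question and the user name and key file are assumptions.

```sshconfig
# ~/.ssh/config (added example; user name and key path are assumed)

Host external.host
    HostName external.host
    User youruser
    IdentityFile ~/.ssh/id_ed25519

Host internal.host
    HostName internal.host        # the name as it resolves from the bastion
    User youruser
    IdentityFile ~/.ssh/id_ed25519
    ProxyJump external.host       # OpenSSH 7.3+; one-off form: ssh -J external.host internal.host

# Equivalent for OpenSSH older than 7.3:
# Host internal.host
#     ProxyCommand ssh -W %h:%p external.host
```

With this in place `ssh internal.host`, `scp myfile internal.host:` and anything else that calls ssh work unchanged, and each new command sets up the hop on its own. The bastion only relays a TCP stream (that is what `-W` does): the inner session is authenticated and encrypted end to end with the key on your machine, so there is no need to forward the agent (`-A`) to the bastion, which would let anyone with root there use your key while you are connected.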

Thursday, December 21, 2017

linux - htop res & virt colors



I did some googling about htop, I found this and this.
But I couldn't seem to find what the red color of virt and res means.

As you can see in the screenshot, some are whitish and other are red.
Does it simply mean a lot of memory used, or is it something else?





Answer



The red color indicates that the amount of VIRT or RES memory is in the area of gigabytes. The light blue color corresponds to megabytes, and therefore white color means kilobytes.



This is so that the user instantly has visual information when searching for processes which consume a lot of memory. Notice that the nice values (NI) are also red when they differ from 0, for the same reason as above.


Wednesday, December 20, 2017

iis - Serve websites from multiple servers behind a single IP

I have a network setup as illustrated below. A Windows Server 2012 R2 box with a public IP, with multiple CentOS 7 web servers behind it. Each CentOS box is a web server for multiple sites. The CentOS boxes are running Apache 2.4 and PHP 5.5.



Windows server with web servers behind



The DNS entries for all the sites point to the public IP of Win Server (1.2.3.4).



My question is: How do I most efficiently serve the sites from the CentOS boxes, through to end users?



I've been looking at IIS reverse proxies. Here's my current (super-clunky) solution:





  • Win Server gets a request for foo.com

  • The URL is re-written to com.foo.web1 and IIS includes a $_SERVER variable to feed PHP the correct URL (foo.com).

  • The Win Server hosts file says com.foo.web1 goes to the IP of Web1 (192.168.1.2)

  • Web1 has a vhost for com.foo.web1 which then serves all the stuff for foo.com.



This works but it feels like a horrible hack. Ideally, I'd like to avoid rewriting URLs. I just want to say foo.com? Send that request to 192.168.1.2. thing.com? send that to 192.168.1.3. That sounds just like DNS to me, but obviously I can't just tell the user to go to some internal IP. Maybe I actually need a forward proxy? I can't just forward port 80 because of the need to split requests between multiple servers.



I feel like this problem must have been solved before, but I can't figure it out. (I'm really a developer, not a sys-admin). Help would be much appreciated!




I dumped Win Server for Linux and used HAProxy



To save anyone who finds this from reading through all the comments, I ended up dumping Windows Server and using Linux with HAProxy. HAProxy is able to forward the requests without re-writing the URLs.



I haven't yet found a good solution for Windows, but I think this might be acceptable:



Re-write all URLs by adding a port, so:





  • foo.com -> foo.com:8081

  • bar.com -> bar.com:8081

  • thing.com -> thing.com:8082

  • stuff.com -> stuff.com:8082



Then, on the Windows Server:




  • Forward port 8081 to port 80 on Web1


  • Forward port 8082 to port 80 and Web2



This is untested.
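The HAProxy setup the poster ended up with, routing on the Host header without rewriting anything, as an added example that is not the poster's own configuration. The site-to-server mapping (foo.com and bar.com on Web1 at 192.168.1.2, thing.com and stuff.com on Web2 at 192.168.1.3) and the HAProxy 1.5-style syntax are assumptions.

```haproxy
# /etc/haproxy/haproxy.cfg (added example; site mapping is assumed)
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor            # add X-Forwarded-For so Apache can log the real client
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend public
    bind *:80
    acl host_web1 hdr(host) -i foo.com www.foo.com bar.com www.bar.com
    acl host_web2 hdr(host) -i thing.com www.thing.com stuff.com www.stuff.com
    use_backend web1 if host_web1
    use_backend web2 if host_web2
    # no default_backend: a request for an unknown Host gets a 503 instead of
    # landing on some server's default vhost

backend web1
    server web1 192.168.1.2:80 check

backend web2
    server web2 192.168.1.3:80 check
```

Because the Host header passes through untouched, the Apache vhosts on each CentOS box keep their real ServerName (foo.com, not com.foo.web1) and need no $_SERVER workaround. The backends see HAProxy's address as the client, so have Apache 2.4 trust X-Forwarded-For from the proxy only (mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy set to the HAProxy address); trusting that header from arbitrary sources lets clients forge their logged IP.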

apache 2.2 - Optimizing VPS Server Memory

WHAT I'M TRYING TO DO



The server resource limits sometimes run tight; to help prevent memory exhaustion, I've had to limit server processes. I need a little expert help to know if I'm on the right track, and perhaps to spot any obvious settings changes that would help the system run with more stability.




HISTORY



Recently my company upgraded to a VPS, from shared hosting. Basically we outgrew our shared hosting, and began to have problems due to the host suspending our site because of excessive CPU usage on the weekend. Our website users tend to double or triple on Friday and Saturday, every week, which is not unexpected in our case. (About 5000 visits [~2500 visitors] per day during the week, about 9500 visits [~4500 visitors] on weekends.)



Now that we are on a VPS, we have no CPU problems. (In fact, the CentOS WHM control panel says we are at ".000201% CPU load".) However, we are having out-of-memory problems, leading to crashes.



SUMMARY OF ISSUE



Our website is WordPress based. However, aside from comments, there is very little "write" activity; mostly users are simply seeing fairly static pages that we've created.




When we first upgraded to a VPS several months ago, in October 2012, the website ran well during the week, but choked on memory every weekend. Often it would crash repeatedly (5-20 times during a 24-hour period, sporadically), usually starting Friday evening, and continuing through Saturday afternoon.



During the week, the server ran consistently at 65-90% memory usage, and on the weekend it would hit 100%, causing crashes.



STEPS TAKEN TO CORRECT IT



Since I was new to VPS, I started with all the default settings. I later started tweaking, following advice I read about solving memory issues here on this site and other websites.



I've made adjustments to MySQL, PHP, and Apache, summarized below in "Current Configuration". I also recompiled Apache and PHP to remove unwanted modules. I installed a better caching plugin for WordPress (W3T), and added APC opcode caching. I also started using gz compression, and moved a lot of static files to a separate subdomain.




I wrote a nifty little script to check the server status on a schedule, and restart it as needed, and it also sends me a transcript of the server error log, to help troubleshoot. (I know, it's just a band-aid, if that. But it was important to keep the website online, since no one wants to sit around and monitor it on the weekend.)



Just recently, a week or so ago (January 2013), I upgraded the server RAM from 1 GB (2 GB burstable) to 2 GB (3 GB burstable). This seems to have fixed the majority of the problem, but still I get an occasional notice (once a week or so) that the server is hanging, along with "can't apply process slot" PHP errors.



CURRENT CONFIGURATION



It's an Apache server, running CentOS 6, Apache 2 (Worker MPM), PHP 5.3.20 (FastCGI/fcgi), and MySQL 5.5.28. 2 GB RAM (3 GB burstable), 24 CPUs.



MySQL currently uses about 618 MB, about 20.1% of RAM. PHP uses up to 89 MB per process. Apache uses up to 14 MB per process.




Typical weekday top output:



top - 15:31:13 up 89 days,  5:26,  1 user,  load average: 1.54, 1.00, 0.70
Tasks: 49 total, 1 running, 48 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 0.1%sy, 0.0%ni, 99.7%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 3145728k total, 1046444k used, 2099284k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached



Unfortunately I do not have a current example of weekend/busiest time top output.



Apache config:



StartServers: 5
MinSpareThreads: 5
MaxSpareServers: 10
ServerLimit: 80
MaxClients: 56
MaxRequestsPerChild: 5000

KeepAlive: Off


PHP config:



MaxRequestsPerProcess 500
FcgidMaxProcesses 15
FcgidMinProcessesPerClass 0
FcgidMaxProcessesPerClass 8
FcgidIdleTimeout 30

FcgidIdleScanInterval 15
FcgidProcessLifeTime 60
FcgidIOTimeout 300
FcgidMaxRequestLen 268435456


MySQL config:



[mysqld]
max_user_connections = 75

net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
skip-external-locking
sort_buffer_size = 512K

# MyISAM #
key_buffer_size = 32M
myisam_sort_buffer_size = 16M
#myisam_recover = FORCE,BACKUP


# SAFETY #
max_allowed_packet = 8M
#max_connect_errors = 1000000

# CACHES AND LIMITS #
tmp_table_size = 104M
max_heap_table_size = 104M
join_buffer_size = 208K
#query_cache_type = 0

query_cache_size = 32M
max_connections = 150
thread_cache_size = 4
#open_files_limit = 65535
table_cache = 512
#table_definition_cache = 1024
table_open_cache = 2048
wait_timeout = 300

# INNODB #

#innodb_flush_method = O_DIRECT
#innodb_log_files_in_group = 2
#innodb_log_file_size = 64M
#innodb_flush_log_at_trx_commit = 1
#innodb_file_per_table = 1
innodb_buffer_pool_size = 416M

# This setting ensures that aio limits are not exceeded
# (default is 65536, each instance of mysql takes 2661 with this enabled)
innodb_use_native_aio = 0


# LOGGING #
log-slow-queries
log-queries-not-using-indexes


Any help/suggestions would be much appreciated. The website address is 3abn.org.

Tuesday, December 19, 2017

ubuntu - Write errors because two different users could create a log file

I'm reasonably inexperienced with Linux/Ubuntu and struggling with what I thought would be a fairly simple permissions question. I'm running into problems where log files are being created as two different users, which can cause writing issues depending on which user wrote to it first, even though they are in the same group.



Users:
server user belongs to the www-data group
www-data user also belongs to the www-data group




When the log file is created, it has permissions of 644 (-rw-r--r--). So the user can write to it, but the group cannot.



So what happens is server will write to it first, but then www-data cannot, or vice versa.



In Ubuntu, is there any way to:




  • Give two users full write access to a folder overriding the file permissions?

  • Change the permissions when default files are created in a folder?




Details:




  • Ubuntu 16.04.2 LTS

  • It's a PHP/Laravel application running under Apache. But there are also command line tools, cron jobs, etc. that all end up writing to the log file once they call into the Laravel infrastructure. So it seems to be random chance on which one writes to the file first.

  • I did see this post (How can I set the default permissions for files uploaded by apache2?) about using umask, but I hope that isn't the only solution. I don't want to change how everything is created in Apache just for the log files. Feels like using a hammer to kill an ant.
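An added example, not from the original post, that reproduces the 644-versus-664 situation described above and shows the directory-level fix: a setgid (2775) directory makes every new log file belong to the directory's group, and a 002 umask at creation time leaves group write on it. The group used is the caller's primary group rather than www-data, and GNU `stat -c` is assumed, so the script runs unprivileged in a scratch directory.

```shell
#!/bin/sh
# Added example: why a log created under umask 022 blocks the second group
# member, and how a setgid directory plus umask 002 avoids it.

# Print the octal mode of a path, e.g. 664 (GNU stat syntax assumed).
file_mode() {
    stat -c '%a' "$1"
}

# Create a log file the way a process with the usual 022 umask does.
create_log_default_umask() {
    dir=$1
    ( umask 022; : > "$dir/laravel.log" )
    file_mode "$dir/laravel.log"      # 644: owner rw, group r only
}

# Prepare a shared log directory: setgid so new files inherit the
# directory's group, and group-writable so either user may create files.
setup_shared_logdir() {
    dir=$1
    mkdir -p "$dir"
    chmod 2775 "$dir"
    file_mode "$dir"                   # 2775
}

# Create a log file under a 002 umask: group write survives, so the other
# group member can append later, whoever created the file first.
create_log_shared_umask() {
    dir=$1
    ( umask 002; : > "$dir/laravel.log" )
    file_mode "$dir/laravel.log"      # 664
}

# Does an octal mode string allow group write? This is the check that
# decides whether the second user will be able to append to the log.
group_writable() {
    case $1 in
        *[2367][0-7]) return 0 ;;
        *)            return 1 ;;
    esac
}
```

A default POSIX ACL on the directory (`setfacl -d -m g::rw DIR`) gives the same result for new files without changing the umask of Apache, the cron jobs or the command-line tools.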

Monday, December 18, 2017

hard drive - KVM Virtual Server Disk Resize on Ubuntu with GParted



We have an Ubuntu 14.04 server on KVM with a MySQL database which is close to filling its disk space, which is 80 GB. We have upgraded the server to a 160 GB disk, but the problem is that the new disk space is just there, unallocated.



I have been recommended to run GParted, so I did (please see the attached screenshot) and found a couple of tutorials on how to resize the disk, but when I click on Resize, it does not allow resizing of /dev/vda5, probably because it is outside the /dev/vda2 extended partition.







What I need is to extend /dev/vda5 from 80 to 160 GB without losing data. I would like to be sure that I can't do it wrong (this is also why I did not do any experiments on my own). So if someone knows how to do it step by step, so that it can't go wrong, I would be very grateful.



It is possible for me to run another tool too, but I guess that would be much more difficult.



Update 1:
I have tried system-config-lvm, but I am in the same position, here is the pic:







Again, it does not allow resizing as there is zero remaining space.



Update 2:



# fdisk -l -s /dev/vda

Disk /dev/vda: 171.8 GB, 171798691840 bytes
16 heads, 63 sectors/track, 332881 cylinders, total 335544320 sectors

Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0006f748

Device Boot Start End Blocks Id System
/dev/vda1 * 2048 499711 248832 83 Linux
/dev/vda2 501758 167770111 83634177 5 Extended
/dev/vda5 501760 167770111 83634176 8e Linux LVM



Update 3:



I have set up a similar machine locally in VMware. In my local setup, instead of /dev/vda* I've got /dev/sda*, the disk size is 20 GB instead of 80 GB and the new space that I want to add is 30 GB instead of 80 GB; otherwise it is the same. I can see in GParted the very same situation; it behaves exactly the same as the real server, the /dev/sda5 can't be resized. Here are my attempts with fdisk:



# fdisk -l -s /dev/sda

Disk /dev/sda: 53.7 GB, 53687091200 bytes
255 heads, 63 sectors/track, 6527 cylinders, total 104857600 sectors
Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003ce62

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 499711 248832 83 Linux
/dev/sda2 501758 41940991 20719617 5 Extended
/dev/sda5 501760 41940991 20719616 8e Linux LVM



Here I can see the /dev/sda2 (local virtual machine) even starts on the same sector as /dev/vda2 (real server). Same for /dev/sda5 and /dev/vda5.



# fdisk /dev/sda

Command (m for help): d
Partition number (1-5): 5

Command (m for help): d
Partition number (1-5): 2


Command (m for help): u
Changing display/entry units to cylinders (DEPRECATED!)

Command (m for help): u
Changing display/entry units to sectors

Command (m for help): n
Partition type:
p primary (1 primary, 0 extended, 3 free)
e extended

Select (default p): e
Partition number (1-4, default 2): 2
First sector (499712-104857599, default 499712): 501758
Last sector, +sectors or +size{K,M,G} (501758-104857599, default 104857599):
Using default value 104857599

Command (m for help): n
Partition type:
p primary (1 primary, 1 extended, 2 free)
l logical (numbered from 5)

Select (default p): l
Adding logical partition 5
First sector (503806-104857599, default 503806): 501760
Value out of range.
First sector (503806-104857599, default 503806): ^C


So this is why I guess the real server would also fail here. Note that I have used "u" command twice, because it was already in "sectors" mode.


Answer



You are proceeding in the wrong order. Please follow these steps:





  • first, BACKUP YOUR DATA (and take a snapshot)

  • use GParted to resize /dev/vda2 first and /dev/vda5 after

  • reboot your virtual machine

  • use pvresize /dev/vda5 and lvresize to resize your physical and logical volumes, respectively.



EDIT: how to resize partition using fdisk
To resize your partition, precisely follow these steps:





  • first, BACKUP YOUR DATA (and take a snapshot)

  • launch fdisk /dev/vda

  • press d (delete) and remove partition 5

  • press d (delete) and remove partition 2

  • press u to change units to sectors (should be the default, anyway)

  • press n (new) and create a new extended partition, using all the available space. This is a critical step. As first sector, enter 501758; as last sector, simply use the default value

  • press n (new) and create a logical partition. This is a critical step. As first sector, use the default (which is wrong, but we will change it later); as last sector, simply use the default value

  • press t (type), select partition n.5, and enter the code 8e (LVM)


  • press x (expert mode)

  • press b (change beginning of partition) and select partition 5

  • when asked for "new beginning of data", enter 501760

  • press r (return) to return to main fdisk menu

  • press p (print) to print partition table and triple-check that it is OK

  • press w (write to disk)

  • reboot your virtual machine

  • inside your virtual machine, issue pvresize /dev/vda5. Now, your physical volume is resized

  • you can now resize your logical volumes. Let's suppose that your volume group is called vg, that your logical volume is called lv and you have an ext4 filesystem on it; you can resize it using the following command: lvresize vg/lv -l +100%FREE; resize2fs /dev/vg/lv
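An added example, not from the original answer, for the "triple-check the table" step before pressing w: given the partition listing from before the change and the one fdisk's p command prints afterwards, it confirms that the LVM partition still starts on the very same sector (so the physical volume's header and data are untouched) and that both recreated partitions now reach the last sector of the bigger disk. The "before" listing is the question's own vda table; the "after" listings are constructed for a 335544320-sector disk, one correct and one where fdisk's default first sector was accepted.

```shell
#!/bin/sh
# Added example: sanity check for a recreated extended + logical LVM
# partition. Refuses the table when the LVM partition's start sector moved.

# Constructed "before" listing (the question's server, /dev/vda).
BEFORE='Device Boot Start End Blocks Id System
/dev/vda1 * 2048 499711 248832 83 Linux
/dev/vda2 501758 167770111 83634177 5 Extended
/dev/vda5 501760 167770111 83634176 8e Linux LVM'

# Constructed "after" listing: partitions 2 and 5 recreated correctly,
# start sectors unchanged, ends at the last sector of the 160 GB disk.
AFTER_OK='Device Boot Start End Blocks Id System
/dev/vda1 * 2048 499711 248832 83 Linux
/dev/vda2 501758 335544319 167521281 5 Extended
/dev/vda5 501760 335544319 167521280 8e Linux LVM'

# Constructed "after" listing where the default first sector was kept for
# the logical partition: it no longer starts where the PV header lives.
AFTER_BAD='Device Boot Start End Blocks Id System
/dev/vda1 * 2048 499711 248832 83 Linux
/dev/vda2 501758 335544319 167521281 5 Extended
/dev/vda5 503808 335544319 167520256 8e Linux LVM'

# start_of LISTING DEVICE -> start sector of DEVICE. The optional "*" boot
# flag shifts the columns, so it is skipped explicitly.
start_of() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 == dev { if ($2 == "*") print $3; else print $2 }'
}

# end_of LISTING DEVICE -> last sector of DEVICE.
end_of() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 == dev { if ($2 == "*") print $4; else print $3 }'
}

# check_resize BEFORE AFTER LAST_SECTOR EXTENDED_DEV LVM_DEV
# Returns 0 when the new table is safe to write, 1 otherwise (reason printed).
check_resize() {
    before=$1 after=$2 last=$3 ext=$4 lvm=$5
    old_start=$(start_of "$before" "$lvm")
    new_start=$(start_of "$after" "$lvm")
    if [ "$old_start" != "$new_start" ]; then
        echo "REFUSE: $lvm start moved from $old_start to $new_start (data would be lost)"
        return 1
    fi
    if [ "$(start_of "$after" "$ext")" != "$(start_of "$before" "$ext")" ]; then
        echo "REFUSE: $ext start changed"
        return 1
    fi
    if [ "$(end_of "$after" "$ext")" != "$last" ] || [ "$(end_of "$after" "$lvm")" != "$last" ]; then
        echo "REFUSE: new partitions do not reach the last sector $last"
        return 1
    fi
    echo "OK: $lvm keeps start sector $old_start and now ends at $last"
    return 0
}
```

The last sector to pass is the one fdisk reports as the default for the extended partition (104857599 on the local VMware test machine, where the same check applies to /dev/sda2 and /dev/sda5).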



site to site vpn - Fortigate to Azure - working VPN suddenly stops working

I have a FortiGate 60E that I successfully used to create a VPN to an Azure virtual network (see here). It had the 6.0.4 firmware.



Recently, I updated the Fortigate firmware to 6.2.0 and the VPN came up correctly, but after a few days, it started to not route anything. The VPN was still up on both sides, but I couldn't see anything. Rebooting the Fortigate had no effect.




So I deleted all the VPN objects on Azure and recreated everything from scratch. It worked again... for a while.



So I decided to downgrade the Fortigate to 6.0.5 (released a few days ago), without changing anything in Azure. It worked again... for around 15 hours. And now it's down.



I will try downgrading again to 6.0.4, but I am starting to think that may not be it. When I redid everything in Azure, it came back up. The second time I did nothing in Azure, and it came back up. So I am starting to think that it's something on the Fortigate side that brings up the VPN but then messes up.



On another, older Fortigate I have the exact same setup (but firmware 5.6.8), and it has been working flawlessly for weeks.



-- EDIT --




On further inspection, I looked at the logs and found a Dead Peer Detection error:






The tunnel_stats events before that show sent and received bytes (bidirectional), but all tunnel_stats events after the dpd_failure only show sent bytes, but received bytes are always zero.



-- END EDIT --



-- EDIT 2 --




Last night I downgraded to 6.0.4 and the VPN did not come back up.



I had a deeper look at the logs and found that same DPD error every day at exactly the same time, just after 11 am. It just happened that yesterday's DPD error closed the tunnel for good.



-- END EDIT 2 --



Any ideas are welcome!

networking - I've inherited a rat's nest of cabling. What now?



You know, you see pictures like below and sort of chuckle until you actually have to deal with it.




I have just inherited something that looks like the picture below. The culture of the organization does not tolerate down time very well, yet I have been tasked to 'clean it up'. The network functions as it is, and there doesn't seem to be a rush to get it done, but I will have to tackle the bear at some point. I get the ugly eye when I mention anything about weekends.



So my question goes, is there sort of a structured approach to this problem?



My Ideas thus far:




  • Label, Label, Label

  • Make up my patch cables of desired length ahead of time


  • Do each subnet at a time (appears that each subnet are for different physical locations)

  • Replace one cable at a time for each subnet

  • It's easier to get forgiveness than permission?





Answer



In no particular order, here are some suggestions that have been helpful to me over the years:





  1. Can any of the equipment in those racks be eliminated, upgraded or consolidated? It's hard to tell what's there, but in my experience these kinds of messes tend to be aggravated by gear that should have been pulled out years ago.


  2. Once you've got some idea of the minimum set of equipment then consider how best to lay it out. The criteria here may vary, but grouping by technology type or business function might make sense. Clearly the proximity of high density devices (i.e. switches) and patch panels and such will immediately be apparent.


  3. Use cable management!!! There are both horizontal and vertical cable management solutions. Use both - horizontals around patch panels and other significant concentrations, verticals next to switches and to facilitate risers.


  4. It's always surprising, but how power cables are routed should be considered. UPS units in the bottom of racks, PDU selection and diversity all need to be considered before pulling a cable.


  5. Keep inventory of common cable lengths. It's late at night and you want to go home. A 3' cable is what's necessary but the closest you have handy is 5'. This is how these kinds of messes develop.


  6. Documenting is part of the game, but the importance of labeling cannot be overstated. With clear labels and efficient/clean cabling the number of mistakes will be vastly decreased and troubleshooting simplified.


  7. Limit who can pull cables!!! Differing styles and degrees of attention to detail can yield chaos pretty quickly.



Sunday, December 17, 2017

apache 2.2 - www-data default permissions on files/directories

I have a very interesting situation. I have a Debian Lenny server running Apache/2.2.9 and PHP 5.2.6-1+lenny10. When Apache creates a new file (simple php upload script or http svn checkin) the permissions and ownership on the file are:




www-data test -rwxr-xr-x


When a new directory is created the permissions and ownership are:



www-data    test drwxr-sr-x


I have made changes on the server to /etc/profile with umask 0002. This setting is supposed to set newly created files to 664 and newly created directories to 775. It ONLY does this when I actually log in as the www-data user and manually do so via the command line. It does NOT do it when Apache creates the data. Has anyone else ever witnessed this behavior? What is the difference between logging in as the "www-data" user and creating files versus the "www-data" user running through Apache? Do the files inherit permissions from the /tmp folder or something? I'm interested in directly resolving the default permissions with Apache, not implementing a workaround.




Here are my steps thus far:




  1. create a new group (test)

  2. usermod -a -G test usera

  3. usermod -a -G test userb

  4. groups usera

  5. Change the ownership of everything under html/ with the user and new group

  6. chmod 2775 html/

  7. find html/ -type d -exec chmod 2775 {} \;


  8. find html/ -type f -exec chmod 0664 {} \;

  9. edit /etc/profile with new umask setting of 0002

  10. restarted apache and logged in and out with the "www-data" user and site user

explain apache status



My Apache Status Page shows several stats and shortcuts.
Some are easy to understand, others aren't explained...



Who could explain to me the following data words from my apache status page in detail?
It looks similar to this one: http://www.apache.org/server-status




Parent Server Generation: 33 Resets?



Total accesses: 2458466 Requests?



CPU Usage: u33.6 s9.83 cu45.75 cs0 - .00579% CPU load u? s? cu? cs?



1.6 requests/sec - 3473 B/second - 2177 B/request requests/sec a day?


Answer




Parent Server Generation: 33 Resets?





Number of times you have instructed apache to re-read its configuration file and gracefully restart all child processes.




Total accesses: 2458466 Requests?




Number of requests to server.





CPU Usage: u33.6 s9.83 cu45.75 cs0 - .00579% CPU load u? s? cu? cs?




u=user, s=system... cu and cs are the cumulative values of u and s




1.6 requests/sec - 3473 B/second - 2177 B/request requests/sec a day?





uptime


NS records chicken and egg: NS in the domain it's serving




I've dealt with BIND for years and this has always kind of bugged me.




$ dig google.com ns

;; QUESTION SECTION:
;google.com. IN NS

;; ANSWER SECTION:
google.com. 87046 IN NS ns3.google.com.
etc...

;; ADDITIONAL SECTION:

ns1.google.com. 87274 IN A 216.239.32.10
etc.


I get that, at least notionally, the root servers handle ., and hand off .com., .gov., whatever to the right servers (though in practice this is all cached several levels down), but at some point, somebody has to know to ask the server at 216.239.32.10 for the A record of whatever.google.com. But how did resolvers figure that out in the first place, since you need to know the A of the NS to do that? (And for that matter, since we know it's an Internet NS and not, say, Chaos or something, why do you have to use a name rather than an address for the NS record?)



My nameservers have always had names that could be found by somebody upstream (eg, I hosted DNS for bar.com on foo.com, and my upstream handled foo.com), but I have never quite grasped how people like Google get over the chicken and egg problem of hosting the DNS for google.com under the name google.com.


Answer



I think the concept you're struggling with is glue records.







From that linked article above:




For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the name server for the top level domain org includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain's authoritative servers, which allows it to complete the DNS query.



Saturday, December 16, 2017

If I set a new linux copy up, and then set the hostname in /etc/sysconfig/network (CentOS) is that my FQDN?



Is my fully qualified domain name my host name, if I set up a new server and set it in /etc/sysconfig/network?



I have two VMs set up on my LAN, and I noticed that one saw the other as puppet-db.apt15, which I am guessing is my FQDN? Does the apt15 get appended from my router?


Answer



You'll also need to change it in /etc/hosts. Once you've done this, a simple "service network restart" should sort you out.



Yes, your FQDN is your full domain name, complete with the last dotted part(s) (i.e., for a server named "fancypants", while you might refer to it as "fancypants" casually, its FQDN is actually "fancypants.somedomain.net"). Type "hostname" to see what your server thinks it is.



Friday, December 15, 2017

dell poweredge - Can I do a Raid 5 with a SAS6i/R?

I have a PowerEdge 2970 server with a:
SAS6i/R Integrated Controller for PowerEdge 2950/2970, x6 Backplane
http://accessories.dell.com/sna/products/cables/productdetail.aspx?c=ca&l=en&s=corp&sku=330-2277




I just bought 3 hard drives that I plan to use in a RAID configuration.
I believe it's called a RAID 5 configuration, where there's 1 main drive and they all stay in sync.



My question is: Will the SAS6i/R Integrated Controller work?



Or do I need to buy something like: Dell Perc5I PCI-E SAS RAID Kit for PowerEdge 2970
http://www.xbyte.com/ProductDesc.aspx?code=CAT_832_25



Thanks!

openldap - SASL auth to LDAP behind HAPROXY with name mismatches

My Kerberos domain is MYEXAMPLE.ORG, but the servers are located in the dmz-int.example.org DNS zone.



The LDAP server is b1.dmz-int.example.org; its keytab includes:





sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno Type Principal Aliases
7 arcfour-hmac-md5 b1$@MYEXAMPLE.ORG
7 aes128-cts-hmac-sha1-96 b1$@MYEXAMPLE.ORG
7 aes256-cts-hmac-sha1-96 b1$@MYEXAMPLE.ORG
7 arcfour-hmac-md5 host/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 aes128-cts-hmac-sha1-96 host/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 aes256-cts-hmac-sha1-96 host/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 arcfour-hmac-md5 ldap/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 aes128-cts-hmac-sha1-96 ldap/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 aes256-cts-hmac-sha1-96 ldap/b1.dmz-int.example.org@MYEXAMPLE.ORG
7 arcfour-hmac-md5 ldap/ldap.dmz-int.example.org@MYEXAMPLE.ORG
7 aes128-cts-hmac-sha1-96 ldap/ldap.dmz-int.example.org@MYEXAMPLE.ORG
7 aes256-cts-hmac-sha1-96 ldap/ldap.dmz-int.example.org@MYEXAMPLE.ORG
7 arcfour-hmac-md5 ldap/ldap.unimore.it@MYEXAMPLE.ORG
7 aes128-cts-hmac-sha1-96 ldap/ldap.unimore.it@MYEXAMPLE.ORG
7 aes256-cts-hmac-sha1-96 ldap/ldap.unimore.it@MYEXAMPLE.ORG



ldap2.myexample.org is a CNAME of b1.dmz-int.example.org



Now I can connect with GSSAPI to LDAP server:



$ kinit
$ ldapsearch -ZZ -h b1.dmz-int.example.org 'uid=test'
SASL/GSSAPI authentication started
SASL username: user@MYEXAMPLE.ORG
SASL SSF: 56

SASL data security layer installed.
[...]
$ ldapsearch -ZZ -h ldap2.myexample.org 'uid=test'
SASL/GSSAPI authentication started
SASL username: user@MYEXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
[...]
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000

Principal: user@MYEXAMPLE.ORG

Issued Expires Principal
Sep 6 09:03:35 2016 Sep 6 19:03:32 2016 krbtgt/MYEXAMPLE.ORG@MYEXAMPLE.ORG
Sep 6 09:03:39 2016 Sep 6 19:03:32 2016 ldap/b1.dmz-int.example.org@MYEXAMPLE.ORG


Looks fine.



Now comes the proxy.




Proxy A record is ldap.dmz-int.example.org and it has a CNAME as ldap.myexample.org.



Proxy is a HAPROXY layer 4 for ports 389 and 636. Without SASL it works fine.




$ ldapsearch -ZZ -h ldap.myexample.org 'uid=test'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/ldap.dmz-int.example.org@DMZ-INT.EXAMPLE.ORG) not found)

$ ldapsearch -h ldap.dmz-int.example.org 'uid=test'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/ldap.dmz-int.example.org@DMZ-INT.EXAMPLE.ORG) not found)


And now SASL doesn't work. Do I need an extra SPN in the server keytab? Do I need some DNS fixes? Why does the proxy query look for the ldap/ldap.dmz-int.example.org@DMZ-INT.EXAMPLE.ORG principal and not ldap/ldap.dmz-int.example.org@MYEXAMPLE.ORG?



For reference, here is the haproxy conf file:





$ cat /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    # log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

# LDAP and LDAP/STARTTLS
frontend ldap_service_front
    log global
    mode tcp
    bind *:389
    description LDAP Service
    option socket-stats
    option tcpka
    option tcplog
    timeout client 10s
    default_backend ldap_service_back

backend ldap_service_back
    log global
    server ldap-1 b1.myexample.org:389 check fall 1 rise 1 inter 2s
    server ldap-2 b2.myexample.org:389 check fall 1 rise 1 inter 2s
    mode tcp
    balance leastconn
    option tcpka
    option ldap-check
    timeout server 10s
    timeout connect 1s
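An added example, not from the original post, that models how a GSSAPI client chooses the realm for the service principal it asks for. After canonicalising ldap.myexample.org to the proxy's A record ldap.dmz-int.example.org, the client consults the [domain_realm] section of krb5.conf; with no entry for that zone, the usual fallback is the host's DNS domain in upper case, which is exactly the DMZ-INT.EXAMPLE.ORG in the error. The krb5.conf fragment is constructed for this example; with it the client asks for ldap/ldap.dmz-int.example.org@MYEXAMPLE.ORG, a principal the server keytab above does hold.

```shell
#!/bin/sh
# Added example: reproduce the client-side host -> realm mapping behind the
# "Matching credential ... @DMZ-INT.EXAMPLE.ORG not found" error.

# Constructed krb5.conf fragment mapping the DMZ zone to the Kerberos realm.
KRB5_FRAGMENT='[libdefaults]
    default_realm = MYEXAMPLE.ORG

[domain_realm]
    .dmz-int.example.org = MYEXAMPLE.ORG
    dmz-int.example.org = MYEXAMPLE.ORG
    .myexample.org = MYEXAMPLE.ORG
    myexample.org = MYEXAMPLE.ORG'

# lookup_domain_realm HOST FRAGMENT -> mapped realm, or empty if unmapped.
# Same order as the Kerberos libraries: exact host first, then each parent
# domain written with a leading dot, longest match first.
lookup_domain_realm() {
    printf '%s\n' "$2" | awk -v host="$1" '
        /^\[/ { section = $1; next }
        section == "[domain_realm]" && NF == 3 && $2 == "=" { map[$1] = $3 }
        END {
            if (host in map) { print map[host]; exit }
            n = split(host, p, ".")
            for (i = 2; i <= n; i++) {
                d = ""
                for (j = i; j <= n; j++) d = d (j > i ? "." : "") p[j]
                if (("." d) in map) { print map["." d]; exit }
            }
        }'
}

# realm_for HOST [FRAGMENT] -> realm the client will put in the principal.
# An unmapped host falls back to its upper-cased parent domain, which is
# what produced DMZ-INT.EXAMPLE.ORG in the question.
realm_for() {
    host=$1
    realm=$(lookup_domain_realm "$host" "${2-$KRB5_FRAGMENT}")
    if [ -n "$realm" ]; then
        printf '%s\n' "$realm"
    else
        printf '%s\n' "${host#*.}" | tr '[:lower:]' '[:upper:]'
    fi
}

# service_principal SERVICE HOST [FRAGMENT] -> service/host@REALM
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$(realm_for "$2" "${3-$KRB5_FRAGMENT}")"
}
```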

ssl - apache https port 80 redirects to wrong https site




When I listen to port 80 in /etc/apache2/sites-available/majichook.com.conf and do a permanent redirect to https://majichook.com for some reason it is forwarding to my https://99centbeats.com instead. Everything looks right in the file. I am very confused... I have other domains with SSL certificates on this server that forward fine with the same exact setup.



majichook.com.conf:





<VirtualHost *:80>
    ServerName majichook.com
    Redirect permanent / https://majichook.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName majichook.com
    ServerAlias www.majichook.com

    SSLEngine On
    SSLCertificateFile /var/www/majichook.com/majichook_com.crt
    SSLCertificateKeyFile /var/www/majichook.com/majichook.com.key
    SSLCACertificateFile /var/www/majichook.com/majichook_com.ca-bundle

    ServerAdmin admin@majichook.com
    DocumentRoot /var/www/majichook.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>




Answer



When reconfiguring Apache



Always clear your browser's cache


domain name system - Specific DNS sometimes resolves to wildcard, incorrectly



I have an intermittent problem, and I'm not sure where to start trying to troubleshoot it.




In our dev environment, we have two visible IP addresses on load balancers, one to the front-end, and one to a number of back-end service machines. The front-end is configured to take a wildcard DNS name to support generic "portals."



dev.example.com   A     10.1.1.1
*.dev.example.com CNAME dev.example.com


The back-end servers are all specific names within the same space:



core.dev.example.com   A     10.1.1.2
cms.dev.example.com    CNAME core.dev.example.com
search.dev.example.com CNAME core.dev.example.com


Here's the problem. Periodically a developer or a program trying to reach, say, cms.dev.example.com will get a result that points to the front-end, instead of the back-end load balancer:



cms.dev.example.com is an alias to core.dev.example.com
core.dev.example.com is an alias to dev.example.com (WRONG!)
dev.example.com 10.1.1.1



The developers are all on Mac OS X machines, though I've seen the problem occur on an Ubuntu machine as well, using a local cloud host DNS resolver.



Sometimes the developer is using a VPN, which directs the DNS to its own resolver, and sometimes he's on the local net using a DNS resolver assigned by the NAT router.



Sometimes clearing the Mac OS X DNS cache, logging into the VPN, then logging out of the VPN, will make the problem go away.



The origin authoritative server is on zerigo, and a dig directly to their name servers always seems to give the correct answer. The published DNS cache time for these records is 15 minutes, but the problem has been intermittent for about a week.



Any troubleshooting suggestions?


Answer




Hmmm....what happens when you replace the wildcard CNAME directive with:



 *.dev.example.com.    A      10.1.1.1

linux - CIFS mounted drive setting "stick-bit" on all files, cannot change permissions or modify files



I have a folder mounted on an Ubuntu 8.10 server through cifs that I simply cannot change the permissions on once mounted.



Here is a breakdown of what's going on:




  • All files within the mounted folder automatically have their permissions set to -rwxrwSrwx regardless of whether the file is created on the windows server or on the linux machine.

  • I have the same directory mounted on two other linux servers (both running 9.10 instead of 8.10) with no problems at all. They all are using the same fstab options and the same credentials.




    //server/folder /media/backups cifs credentials=/etc/samba/.arcadia_cred,noexec,noserverino 0 0


  • I've run a chmod command a million different ways, all of which report successfully changing the permissions. However it doesn't.


  • The issue began after I updated from 8.04 to 8.10



Any idea why this may be happening on one machine? Since it started after an upgrade I'm not sure what is the best thing to do.



Any help you could give would be great! None of my automated backup scripts are working because of this!


Answer




What OS is the server? Does it support CIFS Unix extensions? If not then nothing you do with chmod matters. You can set the user owner, file and directory permissions by setting options within your mount.



http://linux.die.net/man/8/mount.cifs




uid=arg
    sets the uid that will own all files on the mounted filesystem. It may be specified as either a username or a numeric uid. This parameter is ignored when the target server supports the CIFS Unix extensions.

gid=arg
    sets the gid that will own all files on the mounted filesystem. It may be specified as either a groupname or a numeric gid. This parameter is ignored when the target server supports the CIFS Unix extensions.

file_mode=arg
    If the server does not support the CIFS Unix extensions this overrides the default file mode.

dir_mode=arg
    If the server does not support the CIFS Unix extensions this overrides the default mode for directories.




Thursday, December 14, 2017

Nginx + PHPBB3 reverse proxy images problem



Hello all, I have a problem with my Nginx frontend + Apache2 backend + PHPBB3 software. It doesn't load the CSS or the images either.

I get constant errors like these:




2010/04/14 16:57:25 [error] 13365#0: *69 open() "/var/www/foo/styles/styles/coffee_time/theme/large.css" failed (2: No such file or directory), client: 83.44.175.237, server: www.foo.com, request: "GET /styles/coffee_time/theme/large.css HTTP/1.1", host: "www.foo.com", referrer: "http://www.foo.com/viewforum.php?f=43"




This is my config of the site:




server {
    listen 80;
    server_name www.foo.com;
    access_log /var/log/nginx/foo.access.log;

    # serve static files directly
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico)$ {
        access_log off;
        expires 30d;
        root /var/www/foo/;
    }

    location / {
        root /var/www/foo/;
        index /var/www/foo/index.php;
    }

    # proxy the PHP scripts to predefined upstream .apache. #
    location ~ \.php$ {
        proxy_pass http://apache;
    }

    location /styles/ {
        root /var/www/foo/styles/;
    }
}

Answer



I fixed the problem. It was kinda noob-problem, wrong paths :)



Wednesday, December 13, 2017

Finding ZFS .zfs/snapshots directory in OpenSolaris




My home directory in OpenSolaris 0906 is part of the zpool rpool. I can view the pool in zpool list. I can view the file system in zfs list. I can create snapshots. I can use zfs list and see a list of the snapshots I've taken. It's my understanding there should be a .zfs directory inside /export/home/test at /export/home/test/.zfs






zfs snapshot rpool/export/home/test@1 


creates my snapshot successfully







zfs list -t snapshot 


shows my snapshots successfully






I can't figure out where to find the snapshots. I see no .zfs directory anywhere.




Any hints where else I should look or what else I should do to find the .zfs directory and the snapshots?


Answer



Change the snapdir property of the dataset if you need to make it visible.



# ls -la /rpool/
total 6
drwxr-xr-x  5 root root  4 2010-09-14 05:21 .
drwxr-xr-x 25 root root 25 2010-11-18 13:18 ..
dr-xr-xr-x  4 root root  4 2010-09-14 05:15 .zfs
drwxr-xr-x  3 root root  3 2010-09-14 05:15 boot
drwxr-xr-x  2 root root  3 2010-09-14 05:21 etc

# zfs set snapdir=hidden rpool

# ls -la /rpool/
total 6
drwxr-xr-x  4 root root  4 2010-09-14 05:21 .
drwxr-xr-x 24 root root 25 2010-11-18 13:18 ..
drwxr-xr-x  3 root root  3 2010-09-14 05:15 boot
drwxr-xr-x  2 root root  3 2010-09-14 05:21 etc


domain name system - Are separate dns records necessary for web and mail on a single server?



When setting up a web/mail server on a single server or VPS with one IP address almost every guide online follows the same structure for DNS:



example.com.               IN A      192.0.2.0
hostname.example.com.      IN A      192.0.2.0
mail.example.com.          IN A      192.0.2.0
example.com.               IN MX 10  mail.example.com.
0.2.0.192.in-addr.arpa.    IN PTR    hostname.example.com.


I used this several times and it has always worked for me. But I was wondering if there's a reason why the mail server points to a different name? Would it be possible to point the MX record to the hostname and simply use hostname.example.com for SMTP and POP3?


Answer



Yes, it would be possible, but you will lose some important advantages if you choose to do so:




If you point all services to the same DNS name, you can't put them onto separate servers any more without reconfiguring any client that refers to them.



As an example: With different names, when the load on the server grows too much, you can simply offload the mail services to another server without affecting the clients. All you have to do is to adapt your DNS records.


windows - DFS Namespaces DNS and NetBIOS Name Resolution



I have a Windows Domain which hosts a number of DFS Namespaces in an environment which has DNS servers only (the clients are Windows 7+ and NetBIOS is not disabled on them).



Example




Domain: andshrew.com
DFS Namespace: andshrew.com\Files



I have a situation in that in many instances these have been referred to using the NetBIOS name only (i.e. \\andshrew\Files) rather than the FQDN, and as a result of this (I believe) there is often slowness when accessing these links for the first time. Accessing the FQDN (i.e. \\andshrew.com\Files) is always near instant.



From the testing I have done I believe this is due to the use of the NetBIOS name, and any connecting clients are essentially sending out a broadcast to discover the address of these when they are first accessed. In my testing I have disabled NetBIOS on the network adapter and these then become completely inaccessible which I think confirms this to be the case.



Changing these references to use the FQDN is going to be challenging, so I've tested an idea to create a CNAME record in our DNS with the same name as the Domain, pointing back to the Domain's FQDN.



CNAME andshrew.andshrew.com which resolves to andshrew.com




The idea being that when a client accesses \\andshrew\Files, their DNS client will try a search which automatically appends the Domain's FQDN, which then resolves to the Domain's FQDN.



I've tested this and it seems to work, but is doing this a fundamentally bad idea? Is there anything which I am overlooking (eg. can NetBIOS lookups take precedence over DNS in Windows Explorer)? Obviously the end-game is to get everything correctly referring to the FQDN but until then I'm hoping this would resolve the slow NetBIOS lookups.



Are there any other suggestions for how I could resolve this?



Thanks



Andrew



Answer



We have been doing this exact same thing for about six years now (CNAME the short name to the domain), with no apparent ill effects.



Name resolution on Windows is a maze of twisty passages, so figuring out exactly how any given component might try to look up a name (or trying to change/control that) is very difficult.



If you don't want to use NetBIOS, you may want to consider disabling NetBIOS-over-TCP on every adapter, everywhere. Otherwise NetBIOS will tend to pop up unexpectedly and confuse things. Alternatively, if you still want NetBIOS for whatever reason, I'd recommend setting up a WINS server.


Monday, December 11, 2017

How can I tell where an Amazon AWS key is being used?

I have inherited an Amazon AWS environment in which the Root account key has been widely distributed for the purposes of making backups to S3 buckets.



I need to track down where the key is being used, so that I can replace it with a key with limited permissions.




I've set up event notifications on the buckets to send messages to an SQS queue to tell me when objects are created. These messages contain the IP address of the server from where the object request originated, but not the IAM key in use (only the ID of the Amazon Account in use).



Cloudtrail isn't of use here either, as S3 requests are not written to Cloudtrail.



Is there any other way I can tell which key is being used when making S3 requests?






PLEASE NOTE THAT THIS IS NOT A SUGGESTED SOLUTION, MERELY AN UPDATE ON WHAT I DID. USE THE METHOD SUGGESTED ABOVE. I SHOULD HAVE UPDATED THE QUESTION.





Thanks EEAA



I considered that, but there are hundreds of buckets in play, so it wasn't really practical. I was hoping there was somewhere in IAM that I could track down key usage.



Given that I had Events and SQS already set up, what I ended up doing eventually was to set up events on likely buckets and match the S3 event timestamp to the timestamp provided by the key-last-used timestamp from IAM.



This gave me the ip addresses of the servers that were sending requests to S3 at the same time as the Root key was being used, out of which I was able to find the root key on a few servers. Hopefully, when I check the root key over the next few days, I will no longer see it in use.




If not, I will probably have to set up logging on individual buckets as you've suggested.
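The correlation described in the update above, as an added example that is not part of the original post: S3 event notification records (as delivered to the SQS queue) carry eventTime, the requester's source IP and a principalId but not the access key, while IAM's access-key-last-used data gives the moment the key was used, so events from the account principal inside a window around that moment name the hosts worth inspecting. All input is constructed so the script runs offline; the principalId value "AWS:<account id>" for requests signed with the account's own key is an assumption taken from the question, and the IAM last-used value only records the most recent use, so it has to be re-sampled until the root key stops appearing.

```python
#!/usr/bin/env python3
"""Find which hosts used an access key by correlating S3 events with IAM.

Added example; not code from the original question. Sample events and the
IAM last-used timestamp below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = "123456789012"  # constructed account id

# Constructed S3 event notification records, trimmed to the fields used.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2014-03-03T10:15:02.000Z", "eventName": "ObjectCreated:Put",
     "userIdentity": {"principalId": "AWS:123456789012"},  # account key (assumed form)
     "requestParameters": {"sourceIPAddress": "203.0.113.10"},
     "s3": {"bucket": {"name": "backups-db"},
            "object": {"key": "db/2014-03-03.sql.gz"}}},
    {"eventTime": "2014-03-03T10:14:58.000Z", "eventName": "ObjectCreated:Put",
     "userIdentity": {"principalId": "AWS:123456789012"},
     "requestParameters": {"sourceIPAddress": "203.0.113.10"},
     "s3": {"bucket": {"name": "backups-db"},
            "object": {"key": "db/2014-03-03.sql.gz.sha256"}}},
    {"eventTime": "2014-03-03T10:16:30.000Z", "eventName": "ObjectCreated:Put",
     "userIdentity": {"principalId": "AWS:AIDAEXAMPLEIAMUSER"},  # an IAM user
     "requestParameters": {"sourceIPAddress": "203.0.113.22"},
     "s3": {"bucket": {"name": "backups-db"},
            "object": {"key": "db/manual.sql.gz"}}},
    {"eventTime": "2014-03-03T09:40:00.000Z", "eventName": "ObjectCreated:Put",
     "userIdentity": {"principalId": "AWS:123456789012"},
     "requestParameters": {"sourceIPAddress": "198.51.100.7"},
     "s3": {"bucket": {"name": "backups-logs"},
            "object": {"key": "logs/web-2014-03-03.gz"}}},
]})

# Constructed: the last-used time IAM reports for the root key. Only the most
# recent use is kept, so this value has to be re-sampled over several days.
ROOT_KEY_LAST_USED = "2014-03-03T10:15:00Z"


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamps used by S3 events and IAM, with or without
    fractional seconds."""
    ts = ts.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in ts else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def correlate(events_json: str, last_used: str, account_id: str,
              window_seconds: int = 300) -> dict:
    """Map source IP -> [(bucket, key), ...] for events made by the account
    principal within +/- window_seconds of last_used."""
    centre = parse_ts(last_used)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for rec in json.loads(events_json)["Records"]:
        if rec["userIdentity"]["principalId"] != f"AWS:{account_id}":
            continue  # signed by an IAM user or role, not the account key
        if abs(parse_ts(rec["eventTime"]) - centre) > window:
            continue  # too far from the last-used instant
        ip = rec["requestParameters"]["sourceIPAddress"]
        hits.setdefault(ip, []).append(
            (rec["s3"]["bucket"]["name"], rec["s3"]["object"]["key"]))
    return hits


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS, ROOT_KEY_LAST_USED, ACCOUNT_ID)
    for ip, objects in found.items():
        print(f"{ip}: {len(objects)} object(s) near {ROOT_KEY_LAST_USED}")
        for bucket, key in objects:
            print(f"    s3://{bucket}/{key}")
```

The window is deliberately a parameter: IAM's last-used timestamp and the S3 event clock need not agree to the second, so start wide, then tighten it once the candidate hosts repeat across samples. Once the root key has been replaced on every host this turns up, delete the root key rather than leaving it inactive, and keep sampling last-used to confirm nothing else was signing with it.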

Correctly setting the hostname - Fedora 20 on Amazon EC2



Context



I have a Fedora 20 cloud image running on Amazon EC2 (henceforth called the "instance"). And I have some uncertainty about persistently setting its hostname.




Goal



In this case, let's say I want to set the instance's hostname to penpen.homelinux.org. (This name will also be registered at DynDNS using ddclient, but that is another aspect which we are not interested in here.)



The hostname can of course be set manually after boot completes (using hostnamectl among others). But we want to have the correct hostname set before the first login.



Traditionally, to persistently configure the hostname, one would modify the contents of /etc/hostname. Unfortunately this does not work here.



Default system behaviour




By default, the instance sets its hostname to an internal EC2 name. After boot, we can look at all the little different places that yield the hostname, and we find:



Kernel hostname via 'sysctl'                      : ip-10-164-65-105.ec2.internal
Kernel domainname via 'sysctl'                    : (none)
File '/etc/hostname'                              : contains 'ip-10-164-65-105.ec2.internal'
File '/etc/sysconfig/network'                     : exists but has no 'HOSTNAME' line
According to the shell                            : HOSTNAME = ip-10-164-65-105.ec2.internal
Nodename given by 'uname --nodename'              : ip-10-164-65-105.ec2.internal
Hostname ('hostname')                             : ip-10-164-65-105.ec2.internal
Short hostname ('hostname --short')               : ip-10-164-65-105
NIS domain name ('domainname')                    : (none)
YP default domain ('hostname --yp')               : [hostname --yp failed]
DNS domain name ('hostname --domain')             : ec2.internal
Fully qualified hostname ('hostname --fqdn')      : ip-10-164-65-105.ec2.internal
Hostname alias ('hostname --alias')               :
By IP address ('hostname --ip-address')           : 10.164.65.105
All IPs ('hostname --all-ip-addresses')           : 10.164.65.105
All FQHNs via IPs ('hostname --all-ip-addresses') : ip-10-164-65-105.ec2.internal
Static hostname via 'hostnamectl'                 : ip-10-164-65-105.ec2.internal
Transient hostname via 'hostnamectl'              : ip-10-164-65-105.ec2.internal
Pretty hostname via 'hostnamectl'                 :


So let's try to write to /etc/hostname ...



If one writes the desired hostname to /etc/hostname, this change is lost again at the next boot. Let's examine the boot process, which is performed by systemd.



Example run



Write rorororoor.homelinux.org to /etc/hostname, then reboot.




Using journald we find (note that the log lines are not entirely ordered by time):



The boot process starts off with hostname as localhost then switches root, at which point the hostname becomes rorororoor.homelinux.org.



Dec 26 15:12:08 localhost systemd[1]: Starting Cleanup udevd DB...
Dec 26 15:12:08 localhost systemd[1]: Started Cleanup udevd DB.
Dec 26 15:12:08 localhost systemd[1]: Starting Switch Root.
Dec 26 15:12:08 localhost systemd[1]: Reached target Switch Root.
Dec 26 15:12:08 localhost systemd[1]: Starting Switch Root...
Dec 26 15:12:08 localhost systemd[1]: Switching root.
Dec 26 15:12:08 localhost systemd-journal[67]: Journal stopped
Dec 26 15:12:12 rorororoor.homelinux.org systemd-journal[155]: Runtime journal is using 8.0M
Dec 26 15:12:12 rorororoor.homelinux.org systemd-journal[155]: Runtime journal is using 8.0M
Dec 26 15:12:12 rorororoor.homelinux.org systemd-journald[67]: Received SIGTERM
...........
Dec 26 15:12:12 rorororoor.homelinux.org kernel: SELinux: initialized
Dec 26 15:12:12 rorororoor.homelinux.org systemd-journal[155]: Journal started
Dec 26 15:12:08 rorororoor.homelinux.org systemd-cgroups-agent[128]: Failed to get D-Bus connection: Failed to connect to socket /run/systemd/private: No such file or directory
Dec 26 15:12:10 rorororoor.homelinux.org systemd[1]: systemd 208 running in system mode.
Dec 26 15:12:10 rorororoor.homelinux.org systemd[1]: Detected virtualization 'xen'.
Dec 26 15:12:10 rorororoor.homelinux.org systemd[1]: Set hostname to <rorororoor.homelinux.org>.
Dec 26 15:12:10 rorororoor.homelinux.org systemd[1]: Failed to open private bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
Dec 26 15:12:11 rorororoor.homelinux.org systemd[1]: Mounted Debug File System.


We see that systemd sets the hostname to rorororoor.homelinux.org, evidently successfully as the log's host column changes. Some errors are issued, possibly because hostnamectl cannot contact DBus at this point in time.



I am not sure who does the namesetting here; some internal part of systemd? Anyway, continuing through the journal, we find that the hostname is set back to the EC2 internal name pretty soon:




Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] util.py[DEBUG]: Running command ('resize2fs', '/dev/xvda1') with allowed return codes [0] (shell=False, capture=True)
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] cc_resizefs.py[DEBUG]: Resizing took 0.067 seconds
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] cc_resizefs.py[DEBUG]: Resized root filesystem (type=ext4, val=True)
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] helpers.py[DEBUG]: config-set_hostname already ran (freq=once-per-instance)
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] helpers.py[DEBUG]: Running config-update_hostname using lock ()
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] cc_update_hostname.py[DEBUG]: Updating hostname to ip-10-164-65-105.ec2.internal (ip-10-164-65-105)
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] util.py[DEBUG]: Running command ['hostname'] with allowed return codes [0] (shell=False, capture=True)
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] __init__.py[DEBUG]: Attempting to update hostname to ip-10-164-65-105.ec2.internal in 1 files
Dec 26 15:12:33 rorororoor.homelinux.org cloud-init[485]: [CLOUDINIT] util.py[DEBUG]: Running command ['hostnamectl', 'set-hostname', 'ip-10-164-65-105.ec2.internal'] with allowed return codes [0] (shell=False, capture=True)
Dec 26 15:12:33 rorororoor.homelinux.org dbus-daemon[226]: dbus[226]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Dec 26 15:12:33 rorororoor.homelinux.org dbus[226]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
Dec 26 15:12:34 rorororoor.homelinux.org systemd[1]: Starting Hostname Service...
Dec 26 15:12:34 rorororoor.homelinux.org dbus-daemon[226]: dbus[226]: [system] Successfully activated service 'org.freedesktop.hostname1'
Dec 26 15:12:34 rorororoor.homelinux.org dbus[226]: [system] Successfully activated service 'org.freedesktop.hostname1'
Dec 26 15:12:34 rorororoor.homelinux.org systemd[1]: Started Hostname Service.
Dec 26 15:12:34 rorororoor.homelinux.org systemd-hostnamed[598]: Changed static host name to 'ip-10-164-65-105.ec2.internal'
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal systemd-hostnamed[598]: Changed host name to 'ip-10-164-65-105.ec2.internal'
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal systemd[1]: Started Initial cloud-init job (metadata service crawler).
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal systemd[1]: Starting Cloud-config availability.
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal systemd[1]: Reached target Cloud-config availability.
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal systemd[1]: Starting Apply the settings specified in cloud-config...
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal [485]: [CLOUDINIT] helpers.py[DEBUG]: Running config-update_etc_hosts using lock ()
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal [485]: [CLOUDINIT] cc_update_etc_hosts.py[DEBUG]: Configuration option 'manage_etc_hosts' is not set, not managing /etc/hosts in module update_etc_hosts
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal [485]: [CLOUDINIT] helpers.py[DEBUG]: config-rsyslog already ran (freq=once-per-instance)
Dec 26 15:12:34 ip-10-164-65-105.ec2.internal [485]: [CLOUDINIT] helpers.py[DEBUG]: config-users-groups already ran (freq=once-per-instance)


Hostname setting here is done via the unit "systemd-hostnamed". The "unit file" for "systemd-hostnamed" is /usr/lib/systemd/system/systemd-hostnamed.service and contains:



[Unit]

Description=Hostname Service
Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(5)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed

[Service]
ExecStart=/usr/lib/systemd/systemd-hostnamed
BusName=org.freedesktop.hostname1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE



The program invoked by the above /usr/lib/systemd/systemd-hostnamed is actually a binary (WHY!). However source code can be found.



The point is that we are back at ip-10-164-65-105.ec2.internal



WHAT DO?


Answer



You need to do two things (but have only done one of them):




  1. Set the hostname in /etc/hostname.


  2. Edit /etc/cloud/cloud.cfg and set preserve_hostname to True. (You can also pass this option in with your user data.)



The second step is required because Fedora uses cloud-init to bring in user data from the EC2 environment to provision the instance, and cloud-init needs to be told that the hostname should persist.
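The two steps from the answer carried out together, as an added example that is not part of the original answer: the script writes the name to /etc/hostname and sets preserve_hostname in /etc/cloud/cloud.cfg, editing that file line by line (no YAML library needed) so a second run changes nothing, and refuses names that are not valid RFC 1123 hostnames before anything is written. The file paths are the Fedora defaults; the hostname is taken from the command line.

```python
#!/usr/bin/env python3
"""Persist a hostname on a cloud-init managed Fedora instance on EC2.

Added example, not code from the original answer. Writes /etc/hostname and
sets preserve_hostname: true in /etc/cloud/cloud.cfg so cloud-init's
update_hostname module stops overwriting the name with the EC2 internal one.
"""
import re
import subprocess
import sys

HOSTNAME_FILE = "/etc/hostname"        # Fedora default
CLOUD_CFG = "/etc/cloud/cloud.cfg"     # Fedora default

# A top-level preserve_hostname key, possibly commented out. Top-level YAML
# keys start in column 0, so indented keys of nested mappings are left alone.
_PRESERVE_RE = re.compile(r"^(?:#\s*)?preserve_hostname\s*:")

# One RFC 1123 label: 1-63 letters, digits or hyphens, no hyphen at either end.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Shape check before anything is written to /etc/hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def set_preserve_hostname(cfg_text: str) -> str:
    """Return cfg_text with exactly one top-level 'preserve_hostname: true'.

    An existing line (true, false or commented out) is replaced in place and
    duplicates are dropped; if the key is absent it is appended at the end.
    Every other line is returned unchanged.
    """
    out, seen = [], False
    for line in cfg_text.splitlines():
        if _PRESERVE_RE.match(line):
            if not seen:
                out.append("preserve_hostname: true")
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append("preserve_hostname: true")
    return "\n".join(out) + "\n"


def persist_hostname(name: str) -> None:
    """Apply both steps on the running system (needs root)."""
    if not valid_hostname(name):
        raise ValueError(f"not a valid hostname: {name!r}")
    with open(HOSTNAME_FILE, "w") as fh:
        fh.write(name + "\n")
    with open(CLOUD_CFG) as fh:
        cfg = fh.read()
    with open(CLOUD_CFG, "w") as fh:
        fh.write(set_preserve_hostname(cfg))
    # Also set the running (transient) name now, so the change is visible
    # before the next boot rather than only after it.
    subprocess.run(["hostnamectl", "set-hostname", name], check=True)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <fqdn>")
    persist_hostname(sys.argv[1])
```

After the next reboot, `hostnamectl` should report the new static and transient names, and the journal should no longer show cc_update_hostname calling hostnamectl with the ec2.internal name.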


wiki - Most popular misconceptions about networking

00000001 + 00000001 = 00000011 [image: a red X]





Time to fess-up!... 'at some point' you thought you knew something, and it ended up not being correct, or not entirely correct due to a misconception about the subject.




Let's build a good list of popular misconceptions novice AND even some seasoned IT administrators have, explicitly about Networking. My hope is to build a very useful brain-dump to serve as a good resource for the members of this community.






I'll start with an extremely obvious example (items with the most votes up will be on top):




  • All addresses beginning with 169 come from the APIPA failover system




    Only 169.254.0.0/16 is reserved for APIPA assignment when the OS can't find an assigned address for a network interface (see RFC 3927).







Not to be confused with "Mistakes made by sysadmins"

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...