Monday, April 30, 2018

active directory - Run service under AD account

I am trying to run a custom service (made in Visual Studio) on a networked application server that has been joined to a domain. I would like the service to run under a very specific account (Service_ServiceName) for security reasons.



I have created the domain account and granted it the "Log on as a service" right, but the service fails to start with the message "The [Service name] on Local Computer started and then stopped. Some services stop automatically if they are not used by other services or programs".



When the service is started under Local System it loads correctly. If I grant the user admin rights it starts; however (again for security reasons), I don't want the service to run under an administrator account. Is there a specific right that I need to grant to allow this service to run?
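
For reference, the logon account is assigned to the service roughly like this from an elevated prompt (a sketch; the service name, domain, and password are placeholders):

sc config "MyCustomService" obj= "MYDOMAIN\Service_ServiceName" password= "ThePassword"
sc start "MyCustomService"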

email - How to resolve problems with spf / softfail?



I'm having problems with Google rejecting mail because of SPF problems. I thought I had this fixed, but evidently not...



The mail is being sent from a Drupal site running mimemail. A message that shows the problem looks like:



Delivered-To: reg@receiver.com
Received: by 10.112.47.229 with SMTP id g5csp300564lbn;
Wed, 2 Apr 2014 10:21:06 -0700 (PDT)

X-Received: by 10.66.249.233 with SMTP id yx9mr1407538pac.3.1396459264202;
Wed, 02 Apr 2014 10:21:04 -0700 (PDT)
Return-Path:
Received: from sender.com (sender.com. [xxx.xxx.xxx.xxx])
by mx.google.com with ESMTP id m8si1612133pbd.503.2014.04.02.10.21.03
for ;
Wed, 02 Apr 2014 10:21:04 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender) smtp.mail=sender@sender.com

Received: by sender.com (Postfix, from userid 48)
id 3E486101774; Wed, 2 Apr 2014 17:21:02 +0000 (UTC)
To: "reg"
Subject: Message Subject here
X-PHP-Originating-Script: 501:mimemail.module
MIME-Version:1.0
Content-Type:multipart/mixed;
boundary="ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713"
Content-Transfer-Encoding:8Bit
X-Mailer:Drupal

Sender:Sender
From:Sender
Message-Id: <20140402172102.3E486101774@sender.com>
Date: Wed, 2 Apr 2014 17:21:02 +0000 (UTC)

This is a multi-part message in MIME format.

--ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713
Content-Type:multipart/alternative;
boundary="2db314e2a942d712c21894936b800a2c7998463d12"

Content-Transfer-Encoding:8bit


--2db314e2a942d712c21894936b800a2c7998463d12
Content-Type:text/plain; charset=utf-8
Content-Disposition:inline
Content-Transfer-Encoding:8bit

Message text goes here...


--2db314e2a942d712c21894936b800a2c7998463d12
Content-Type:text/html; charset=utf-8
Content-Disposition:inline
Content-Transfer-Encoding:8Bit





--2db314e2a942d712c21894936b800a2c7998463d12--


--ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713--


[Apologies for the anonymizing.]



The SPF records for the domain, obtained from http://www.whatsmyip.us/txt, look like:



v=spf1 ip4:xxx.xxx.xxx.xxx ~all , ttl : 14144
v=spf1 include:_spf.google.com ~all , ttl : 14144

v=spf1 a -all , ttl : 14144
v=spf1 ip4:xxx.xxx.xxx.yyy ~all , ttl : 14144


similarly anonymized.



I can't figure out what's wrong -- the appropriate SPF records seem to be in place. The only issue I can see is that I have indeed set up (or tried to set up) two servers as legal senders for the domain; this is meant to cover both a production and a development server (let's call them sender.com and dev.sender.com). Is this an issue?



Any thoughts about what's wrong? Again, I thought this was once working correctly, but it's definitely not now. Thanks!


Answer




You can only have one SPF record. Since you created four of them, which one actually gets used is essentially random. You should combine them together into a single record.
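
For example, the four records above could be merged into one TXT record along these lines (a sketch; keeping the softer ~all, though whether you want ~all or -all is a policy choice):

v=spf1 a ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.yyy include:_spf.google.com ~all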


Sunday, April 29, 2018

firewall - EC2 Traffic Between Nodes



By default, all ports are closed in EC2 until a user opens them up. I would like to keep this behavior but also open up all ports for internal usage (that is, EC2 nodes can communicate with each other on any port but not with the outside world).



The documentation on EC2 security groups does not specify if this is the default behavior or how one would go about doing this. The command line tools provide a way to do this but only if I make each node its own security group and then allow only the groups to talk to each other.



Do you know how I would be able to use the EC2 tools to allow all traffic between nodes in EC2 (or documentation that could help)?


Answer




After spinning up some nodes and testing it out myself, the behavior is as follows.



The security group's ports start off all closed, and the ec2-authorize command opens up a given port or range of ports. Once a port is open, any box can connect to any box in that security group on that port. It also means that a box in the security group can only connect to other boxes in the same group on the ports that are open in that group.



To solve the problem as originally specified, I simply opened all ports in the security group to ensure my nodes can talk to each other on any port and then used iptables to lock down access from the outside world to my boxes except on the few ports that are needed.
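
For reference, the group-to-group approach mentioned in the question can be expressed as a single rule with the classic EC2 API tools by letting the security group reference itself (a sketch; the group name and account ID are placeholders). Members of the group can then reach each other on any port without those ports being opened to the outside world:

ec2-authorize my-group -o my-group -u 111122223333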


networking - Cable management and Rack design

I'm new here, and looking for some suggestions on how to design my rack. I have a chance to tidy up my server room and got a green light on server downtime for 24 hours this weekend. Below is my inventory.





  1. 2x 48U Compaq racks (no provision for adding vertical managers whatsoever)

  2. 35x 2U servers

  3. 4x 1U servers

  4. 2x 48-port Cisco 1G Ethernet switches (3750)

  5. 1x Cisco 1941W router

  6. 1x Juniper 40-port 10G switch (EX4500)




How can I wisely position them in the racks so that the cabling, after being wrapped with zip ties, looks neat? And what should I start with: switches and network cables first, and then mounting the servers and connecting their cables?
Also, when I Googled this I saw some people positioning the switches at the back of the rack. Is this OK?

Saturday, April 28, 2018

SSH Allow Password For One User, Rest Only Allow Public Keys

Is it possible with SSH to allow password authentication for a certain user, but deny passwords for everybody else?




Basically I want to allow password auth for user justin but everybody else must use public keys.



PasswordAuthentication no


Seems to be global though, no way to specify by user.
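
A minimal sketch of what this could look like in /etc/ssh/sshd_config, assuming an OpenSSH version that supports Match blocks (the Match section must come after the global options; reload sshd afterwards):

PasswordAuthentication no

Match User justin
    PasswordAuthentication yes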

iis 7.5 - IIS 7.5 URL Rewrite looping

I have a webapp located in /subdir1/subdir2/. I'd like to simplify things for the users by adding a subdomain, sub.domain.com, but it keeps looping. I've tried to add additional rules to prevent it, but no joy.



So what happens is http://sub.domain.com/subdir1/subdir2/subdir1/subdir2/subdir1/subdir2/subdir1/subdir2/subdir1/subdir2/subdir1/subdir2/




My rule in web.config:














Any ideas?



Edit:
So what I'm really trying to do is make it easier for the users. Right now they have to type www.domain.com/subdir1/subdir2/ to access the login page for the product. What I wanted to do was create a single subdomain that would rewrite to the above link. Rather than typing the long URL, they would just go to sub.domain.com and it would redirect or rewrite to the www.domain.com/subdir1/subdir2/ location. I hope that makes my desire a bit more clear.
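
For illustration, a redirect along those lines could look roughly like this with the URL Rewrite module (a sketch only, using the example hostnames and paths from above):

<rewrite>
  <rules>
    <rule name="RedirectSubdomain" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP_HOST}" pattern="^sub\.domain\.com$" />
      </conditions>
      <action type="Redirect" url="http://www.domain.com/subdir1/subdir2/{R:0}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>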



Thanks!

linux - Process claims to use a lot of memory, but 'free' indicates that the memory is still free

I've seen the opposite of this, but this is puzzling.



In short, I have a process whose %MEM shows it using 74% of memory in 'ps' and 'top'. However, 'free' shows that I'm only using 32% of the available memory.




Here is this output of 'top':



top - 18:25:49 up 203 days, 14 min,  1 user,  load average: 3.48, 3.75, 3.79
Tasks: 349 total, 1 running, 347 sleeping, 1 stopped, 0 zombie
Cpu(s): 10.3%us, 4.7%sy, 0.0%ni, 75.1%id, 6.5%wa, 0.0%hi, 3.4%si,0.0%st
Mem: 189.054G total, 188.280G used, 793.473M free, 253.570M buffers
Swap: 4095.996M total, 967.234M used, 3128.762M free, 126.370G cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

14416 root 20 0 165g 139g 81g S 250.3 74.0 764266:39 asd
30660 root 20 0 15164 1328 836 R 2.0 0.0 0:00.01 top


You will notice that the 'asd' process claims to use 74% (139g) of the available RAM. If you look at the total memory used minus the cached memory (188 - 126), it looks like the entire system is only using 62G. That is obviously much lower than what the one process 'asd' claims to use.



'free' is just as confusing. It shows only 61G used once buffers/cache are excluded:



# free -g
total used free shared buffers cached

Mem: 189 188 0 81 0 126
-/+ buffers/cache: 61 127
Swap: 3 0 3


'ps' seems to agree with the process listing in 'top':



# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14416 261 74.0 173381464 146791980 ? Ssl Jan25 764310:00 /usr/bin/asd



I understand why 'free' would claim there is less memory available than 'top', but I don't see how a process can claim to use more RAM than the overall system reports as 'used'.



UPDATE:
I don't think this is the same as the posts you pointed me to, Tim. Those appear to reference the opposite issue, where people misread the 'free' output and don't take the cache and buffers into account; consequently, they can't find the processes using the memory that 'free' reports as used. In my case, I have a process that claims to use a lot of memory, but 'free' seems to think that memory is still available.

Friday, April 27, 2018

Backup storage server with ZFS

I am the IT everything-man at a small company. I want to design a new infrastructure, including a new server and a separate backup server with a company-wide backup policy.




The most important thing in the company is the SQL Server and its databases. There are 10 databases, but only 2 of them are really important. The first one is 8 GB, mostly text data and numbers. The second one is about 300 GB, growing about 16 GB/month, containing PDFs and GIFs.



To save storage, the current backup policy consists of one full backup per week and 6 differentials. I think it's about 350 GB per week, 1.4 TB per month.



After reading some articles about silent data corruption, I decided to try ZFS with Nexenta Community Edition.



My question: is ZFS with deduplication good for storing backup files in terms of reliability, or should I think about tape backup or something else?



EDIT: I know that right now we cannot predict performance, deduplication ratio etc, but I want to know if it is a good idea at all.

Thursday, April 26, 2018

What is the best practice to keep a Linux Ubuntu server up to date (build packages, dist-upgrade, alt repos...)




We are running a production server based on Ubuntu 9.10 Karmic Koala. The kernel is almost up to date (2.6.38.2-grsec-xxxx-grs-ipv6-64), but the Karmic package repository is now ridiculously outdated; e.g. Nginx is 0.7.62 - really buggy - while the latest stable is 1.0.x!



In addition Karmic just reached its end of life.



This question: Best practices for keeping UNIX packages up to date? looks similar but actually only includes some suggestions about package managers; not at all what I need!



So the options that I see are:





  1. get a new machine, install it from scratch, migrate

  2. distribution upgrade

  3. use a different repository (launchpad/ppa / backport / pinning)

  4. build your own



The disadvantages of 1. are quite obvious.



I do not dare take the dist-upgrade path though, as the downtime and possible catastrophic consequences are just impossible to predict for a production server; currently I am mostly re-building my own required packages. But I'm sure I might be missing some.




It is not really clear to me what the risks (stability/compatibility) of using Ubuntu backports are; in addition, nothing is officially provided for 9.10 anymore.
Launchpad packages are individual builds, so a similar question applies - how is this any better than compiling your own?



Building packages seems fine, but:
1. sometimes I have trouble reproducing the correct ./configure options in order to re-use my existing configuration files;
2. I am sure there are tons of packages and dependencies that are now pretty outdated and a possible source of bugs.



Finally... what about 'old' packages in a recent distro? I guess there's no other way than re-building them myself? Is a combination of 2. and 4. ultimately the best path?



Is there any objective consensus on what is the best way to do this, or reasons why some of my options are fine/not fine?




If really there isn't, I will accept that the question gets closed before creating an endless thread!


Answer



Maintaining your own distribution is a lot of work. Even if you maintain the backports, you will soon be overwhelmed by security issues to fix, and have to pull low-level libraries to keep updating your software, which might break other things (I maintain servers running 6-year-old distros, it's not fun).



Upgrading is generally a good solution. do-release-upgrade is well made, and you should be able to upgrade without issues (especially if you only used official packages).



My favourite solution though might be the reinstall path. More specifically, your servers should be managed using a configuration management system such as Puppet, Cfengine or Chef. If all your configuration/package needs are specified using such a tool and your data are safe on a separate partition, it's much easier to reinstall quickly. You just install a new distribution without erasing the data partitions, and then run the configuration management tool to reset your packages/configurations. I believe this is the cleanest way to do it, especially if you have several servers to manage.



If you are using non-official packages, you might want to identify them before you upgrade/reinstall. maintenance-check can help you identify the packages that are not officially maintained by Ubuntu:




$ bzr branch lp:ubuntu-maintenance-check
$ cd ubuntu-maintenance-check
$ ./maintenance-check -f n


If you want to reinstall, you can also export the list of installed packages:



$ dpkg --get-selections > myinstall.txt



and your debconf database:



$ debconf-get-selections > debconf.txt # from the debconf-utils package
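
On the freshly installed system, those two files can then be loaded back in, roughly like this (a sketch; run with root privileges):

$ debconf-set-selections < debconf.txt
$ dpkg --set-selections < myinstall.txt
$ apt-get dselect-upgrade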


As a note, since you're currently using Karmic, it might not be too violent to upgrade to Lucid, which is an LTS release, still supported until 2015 for the main server packages. This should leave you enough time to set up a viable automated installation for the future.



When you ask about Launchpad packages, I suppose you mean PPAs. There are tons of different PPAs. Some are experimental, some are stable. Some are maintained by official Ubuntu developers, some by people who hardly know how to build a package properly. It's hard to say in general whether packages you find in PPAs are good; there's no general rule. The best hint might be to look at the owner of the PPA to get an idea of the likely quality of their packages.


email - Postfix on Ubuntu not delivering mail to a few addresses

On my Ubuntu server, my WordPress installation sends email the normal way using wp_mail() (which in turn uses PHP's mail()).



The server is set up with Postfix for delivery.



Recently there's been a problem with some addresses not receiving emails sent from the server.




Let's say the server itself uses the domain server.com, which is also used for Google Apps email. The domain has the appropriate SPF record set.



Emails sent to @server.com, @hotmail.com and @gmail.com are all delivered fine.



However emails sent to @.com are not delivered. They don't even hit the spam folder.



Here is a mail log which I think might be relevant (email addresses replaced to correspond with above):



Sep  3 10:39:00 vps postfix/pickup[20267]: B991F2A11: uid=33 from=
Sep 3 10:39:00 vps postfix/cleanup[20354]: B991F2A11: message-id=

Sep 3 10:39:00 vps postfix/qmgr[20268]: B991F2A11: from=, size=730, nrcpt=1 (queue active)
Sep 3 10:39:01 vps postfix/smtp[20356]: B991F2A11: to=<.com>, relay=ASPMX.L.GOOGLE.COM[2a00:1450:400c:c0a::1b]:25, delay=0.4, delays=0.05/0.01/0.05/0.28, dsn=2.0.0, status=sent (250 2.0.0 OK 1441269756 li14si9718740wic.1 - gsmtp)
Sep 3 10:39:01 vps postfix/qmgr[20268]: B991F2A11: removed
Sep 3 10:40:01 vps postfix/pickup[20267]: DFD2E2A39: uid=105 from=
Sep 3 10:40:01 vps postfix/cleanup[20354]: DFD2E2A39: message-id=<20150903084001.DFD2E2A39@vps.server.com>
Sep 3 10:40:01 vps postfix/qmgr[20268]: DFD2E2A39: from=, size=708, nrcpt=1 (queue active)
Sep 3 10:40:02 vps postfix/smtp[20356]: DFD2E2A39: to=, orig_to=, relay=aspmx.l.google.com[64.233.166.27]:25, delay=0.21, delays=0.03/0/0.03/0.15, dsn=5.1.1, status=bounced (host aspmx.l.google.com[64.233.166.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/answer/6596 w4si45121598wju.16 - gsmtp (in reply to RCPT TO command))
Sep 3 10:40:02 vps postfix/cleanup[20354]: 1DABA2A37: message-id=<20150903084002.1DABA2A37@vps.server.com>
Sep 3 10:40:02 vps postfix/bounce[20389]: DFD2E2A39: sender non-delivery notification: 1DABA2A37
Sep 3 10:40:02 vps postfix/qmgr[20268]: 1DABA2A37: from=<>, size=3181, nrcpt=1 (queue active)

Sep 3 10:40:02 vps postfix/qmgr[20268]: DFD2E2A39: removed
Sep 3 10:40:02 vps postfix/smtp[20356]: 1DABA2A37: to=, relay=aspmx.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.29, delays=0/0/0.16/0.13, dsn=5.1.1, status=bounced (host aspmx.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/answer/6596 d4si33273494wjn.153 - gsmtp (in reply to RCPT TO command))
Sep 3 10:40:02 vps postfix/qmgr[20268]: 1DABA2A37: removed


Any ideas what's going on here?



Edit:



Here is the output of postconf | grep '^mydomain\|^myhostname':




mydomain = server.com
myhostname = vps.server.com
mydestination = vps.server.com, localhost.server.com, localhost


(where server.com is actually my server's domain name)



Edit2:




Mails sent from the server under postfix seem to have the wrong time: e.g.



Date: Thu, 3 Sep 2015 13:45:16 +0000



This is 1 hour out from what it should be, even though the timezone should be "Europe/London", currently on BST.



The server date is correct, just postfix (both mail headers and log entries) are incorrect.



I'm thinking this may be causing some emails to be marked as spam.

Wednesday, April 25, 2018

domain name system - Internal/external DNS with subdomains



I've got an internal DNS server (part of OS X server) and it's acting as the main DNS server for a specific (physical) site. When it can't resolve hostnames itself, it forwards requests to Google's DNS servers. Everything works well apart from a couple of issues, which I think may be related but can't get to the bottom of.




I've got a number of intranet sites set up that people can access by going to something like:




intranet.mydomainname.com



selfservice.mydomainname.com




These point to various servers in the building that host these sites. Whether internal or external (without VPN), I can access these sites just dandy.




The issue comes when I want to host, say, test.mydomainname.com on an external server: it fails to resolve, as the primary zone for mydomainname.com is internal. How can I get it to look up Google's DNS (or an external one) for that zone if the record is not in the list? I've tried everything I can think of (adding my host's nameservers, etc.) but nothing seems to work fully.



Also, I can't access intranet sites when connected via VPN; from what I can gather, this might be related to the DNS issue, but I just wanted to give as much information as possible.



Edit



The domain mydomainname.com is hosted externally and pointed at the site's public IP. From there we can forward the requests to the relevant internal server. Externally everything works; internally, though, any subdomain of mydomainname.com is served locally, and I want it to be served from Google's DNS / externally.



DNS Configuration




As per a request, here's the current DNS configuration (OS X server's DNS tab). I've blurred out the .private address as it's not really relevant but it's the server's name. The colored dots are just there to link everything together. Screenshot:






In an attempt to clarify this is what I want:



intranet.mydomain.com -> 192.168.0.12
selfservice.mydomain.com -> 192.168.0.13
*.mydomain.com -> forward to external DNS
mydomain.com -> forward to external DNS



At the moment any subdomain of mydomain.com is not forwarded on (I think this is because the primary zone is mydomain.com with an NS of intranet.mydomain.com), but I could do with a little nod in the right direction.


Answer



I figured out a workaround, but it's far from perfect. Ideally I'd have liked to add "*.mydomain.com" as a catch-all forwarding to external DNS (my registrar) and only point the relevant names to internal servers. Unfortunately OS X Server doesn't currently allow wildcard entries, so I've had to add everything manually, pointing out/in where appropriate.
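
In zone-file terms, the manual entries amount to something like this (a sketch; 203.0.113.10 stands in for the external host's public IP):

intranet     IN A 192.168.0.12
selfservice  IN A 192.168.0.13
test         IN A 203.0.113.10   ; external host, duplicated here by hand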


Tuesday, April 24, 2018

pci dss - PCI scan failure for SSL Certificate with Wrong Hostname?

A client had a PCI scan completed by SecurityMetrics, and it now says they failed due to the SSL certificate for the SMTP port 25 (and POP3s/IMAPS) not matching the domain scanned. Specifically:






Description: SSL Certificate with Wrong Hostname




Synopsis: The SSL certificate for this
service is for a different host.



Impact: The commonName (CN) of the SSL certificate
presented on this service is for a different machine.






The mail server uses sendmail (patched) and provides email service for a number of domains. The server itself has a valid SSL certificate, but it does not match each domain (as we add/remove domains all the time as clients move around).




It seems SecurityMetrics is the only ASV that marks this as failing PCI. Trustwave, McAfee, etc. do not see this as failing PCI.



Is this issue truly a PCI failure, or is it just SecurityMetrics being wrong?

domain name system - Global Reverse DNS look-ups not working

I am moving from an old server to a new one and everything went well until I got to the DNS server. I cannot get the reverse look-up to work.




I cannot find any misconfiguration, but I'm not an expert. rDNS works locally but fails from other Internet hosts.



named.conf:




zone "5.253.159.in-addr.arpa" IN {



   type master;
file "5.253.159.in-addr.arpa";
allow-query { any; };



};




Zone config: (5.253.159.in-addr.arpa)




$TTL 86400

@ IN SOA h4u.be. root.h4u.be. (
        2012083001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400 )     ;Minimum TTL

5.253.159.in-addr.arpa. IN NS ns.h4u.be.
5.253.159.in-addr.arpa. IN NS ns2.h4u.be.

123 IN PTR h4u.be.




Localhost dig result:




;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65102
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2




;; QUESTION SECTION:
;123.5.253.159.in-addr.arpa. IN PTR



;; ANSWER SECTION:
123.5.253.159.in-addr.arpa. 86400 IN PTR h4u.be.



;; AUTHORITY SECTION:
5.253.159.in-addr.arpa. 86400 IN NS ns2.h4u.be.
5.253.159.in-addr.arpa. 86400 IN NS ns.h4u.be.



;; ADDITIONAL SECTION:
ns.h4u.be. 86400 IN A 159.253.5.123
ns2.h4u.be. 86400 IN A 159.253.5.123



;; Query time: 3 msec
;; SERVER: 159.253.5.123#53(159.253.5.123)
;; WHEN: Thu Aug 30 13:11:58 2012
;; MSG SIZE rcvd: 131





Internet dig result:




;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0



;; QUESTION SECTION:
;123.5.253.159.in-addr.arpa. IN PTR



;; AUTHORITY SECTION:
5.253.159.in-addr.arpa. 8032 IN SOA ns3.uxw.nl. ns3.uxw.nl. 0 10800 3600 604800 3600




;; Query time: 0 msec
;; SERVER: 62.193.206.133#53(62.193.206.133)
;; WHEN: Thu Aug 30 13:12:32 2012
;; MSG SIZE rcvd: 90


ubuntu - MySQL server keep on crashing



I'm facing a problem that I can't figure out: for some reason my MySQL server keeps crashing after 30-40 minutes. The server load itself isn't too high; it's not even 0.5 (on a 2-CPU machine). I've been snooping around in the error log /var/log/mysql/error.log but couldn't find any clue, though I'll be the first to admit that might be due to lack of knowledge.



The server is Ubuntu 12.04 with a basic LAMP setup.
Every time the server crashes I have to restart MySQL manually, otherwise it stays down.




This is the error log I have:



130623 15:09:18 [Note] Plugin 'FEDERATED' is disabled.
130623 15:09:18 InnoDB: The InnoDB memory heap is disabled
130623 15:09:18 InnoDB: Mutexes and rw_locks use GCC atomic builtins
130623 15:09:18 InnoDB: Compressed tables use zlib 1.2.3.4
130623 15:09:18 InnoDB: Initializing buffer pool, size = 128.0M
130623 15:09:18 InnoDB: Completed initialization of buffer pool
130623 15:09:18 InnoDB: highest supported file format is Barracuda.

130623 15:09:18 InnoDB: Waiting for the background threads to start
130623 15:09:19 InnoDB: 5.5.31 started; log sequence number 2220260
130623 15:09:19 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
130623 15:09:19 [Note] - '127.0.0.1' resolves to '127.0.0.1';
130623 15:09:19 [Note] Server socket created on IP: '127.0.0.1'.
130623 15:09:19 [Note] Event Scheduler: Loaded 0 events
130623 15:09:19 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.5.31-0ubuntu0.12.04.2' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)
130623 15:27:48 [Note] Plugin 'FEDERATED' is disabled.
130623 15:27:48 InnoDB: The InnoDB memory heap is disabled

130623 15:27:48 InnoDB: Mutexes and rw_locks use GCC atomic builtins
130623 15:27:48 InnoDB: Compressed tables use zlib 1.2.3.4
130623 15:27:48 InnoDB: Initializing buffer pool, size = 128.0M
InnoDB: mmap(137363456 bytes) failed; errno 12
130623 15:27:48 InnoDB: Completed initialization of buffer pool
130623 15:27:48 InnoDB: Fatal error: cannot allocate memory for the buffer pool
130623 15:27:48 [ERROR] Plugin 'InnoDB' init function returned error.
130623 15:27:48 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
130623 15:27:48 [ERROR] Unknown/unsupported storage engine: InnoDB
130623 15:27:48 [ERROR] Aborting


130623 15:27:48 [Note] /usr/sbin/mysqld: Shutdown complete

130623 15:27:49 [Note] Plugin 'FEDERATED' is disabled.
130623 15:27:49 InnoDB: The InnoDB memory heap is disabled
130623 15:27:49 InnoDB: Mutexes and rw_locks use GCC atomic builtins
130623 15:27:49 InnoDB: Compressed tables use zlib 1.2.3.4
130623 15:27:49 InnoDB: Initializing buffer pool, size = 128.0M
InnoDB: mmap(137363456 bytes) failed; errno 12
130623 15:27:49 InnoDB: Completed initialization of buffer pool

130623 15:27:49 InnoDB: Fatal error: cannot allocate memory for the buffer pool
130623 15:27:49 [ERROR] Plugin 'InnoDB' init function returned error.
130623 15:27:49 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
130623 15:27:49 [ERROR] Unknown/unsupported storage engine: InnoDB
130623 15:27:49 [ERROR] Aborting


Does anyone see something I don't?


Answer



Uhmm, it appears twice in your log file




InnoDB: Fatal error: cannot allocate memory for the buffer pool

Monday, April 23, 2018

cron - All methods of making iptables persist are not working




I set rules in iptables a few months back and used iptables-persistent to make the rules persist through reboot. I just updated my rules and am trying to make them persist, but nothing is working; they keep resetting to the earlier version. I have tried:



Creating a cronjob that runs on reboot AND every minute,



#!/bin/bash
iptables-restore -c < /home/amart219/iptables.backup


I have saved to the file that is supposedly the default location of the rules, and reconfigured iptables-persistent:




iptables-save > /etc/iptables/rules.v4

dpkg-reconfigure iptables-persistent


I have placed a script in the /etc/network/if-pre-up.d/ directory that says the following:



#!/bin/bash
/sbin/iptables-restore < /home/amart219/iptables.backup

/sbin/ip6tables-restore < /home/amart219/iptables.backup


None of these changes makes any difference. My understanding is that dpkg-reconfigure iptables-persistent is the correct method, yet nothing I try works. I am afraid that some time in the past I might have made the rules persistent in some other way, before installing iptables-persistent, but if so I have no idea how I might have done that. I ran
tail -500 /var/log/syslog
right after reboot to see if the system loaded anything, but I see nothing beyond the usual boot data. This server has no cron jobs aside from the one I created trying to restore the iptables settings. I don't know if that is the problem or not, but if it is, I don't know how to locate where it might be running from to change it.



If I manually run the script I set up in cron to restore the iptables settings, it works just fine, but it does not persist through reboot. The cronjob is set up properly; on a separate server I have 40+ cronjobs, so I am familiar with the process.



Any suggestions? I am not picky on the method I just need it to work.



Answer



I used to put the line with "iptables-restore" in /etc/rc.local (tested on both Debian 8 and Ubuntu 16.04) and it worked just fine.
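
For reference, a minimal sketch of such an /etc/rc.local, assuming the rules were saved with iptables-save to /etc/iptables/rules.v4 as in the question (the file must be executable and keep exit 0 as its last line):

#!/bin/sh -e
/sbin/iptables-restore < /etc/iptables/rules.v4
exit 0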


Sunday, April 22, 2018

apache 2.2 - Changing default permissions on Ubuntu 10.04 server

I have a Joomla CMS, which is a PHP script that needs to write new files and directories. I changed the umask value and I ended up re-installing the system :-s.



Can you please guide me step by step on how to set the default permissions for uploaded/new files in the www directory (which is where the website is)?



I'm using Apache 2.2 on an Ubuntu 10.04 server.




Thank you all in advance.

How to debug apache timeouts?



I run a PHP web application on an Apache 2.2 server (Ubuntu Server 10.04, 8x2 GHz, 12 GB RAM) using prefork. Each day Apache gets about 100k-200k requests; of these, about 100-200 hit the timeout limit (so about one in every thousand), and pretty much all other requests are served well below the timeout.



What can I do to find out why this happens? Or is it normal to have some small parts of all requests timing out?



This is what I've done so far:



Requests response time




As can be seen, there are very few requests between the timeout limit and the more reasonable requests. Currently the timeout limit is set to 50 seconds; previously it was set to 300 and the situation was the same, some timeouts and then a huge gap down to the other requests.



All requests that time out are AJAX requests, but then the vast majority of requests are, so perhaps that's just a coincidence. The Apache return code is 200, but the timeout limit is clearly reached. They come from a wide range of different IPs.



I've looked at the requests that time out and there's nothing special about them; if I make the same requests myself, they go through in far less than a second.



I've tried to look at the different resources to see if I can find the cause, but no luck. There is always plenty of free memory (the minimum is about 3 GB free); load sometimes goes as high as 1.4 and CPU utilization to 40%, but many of the timeouts happen when the load and CPU utilization are low. Disk reads/writes are pretty much constant during the day. There are no entries in the MySQL slow query log (set to log anything above 1 second), and no request uses that many database writes/reads.



Request response time with system load/cpu




Blue is CPU utilization, which peaks at 40%; maroon is load, with a peak at 1.4. So we can see we get timeouts even with low CPU utilization/load (the ten-second spikes correspond well to the CPU utilization, but that is another issue; I have higher hopes of finding out what might be causing those).



There are no errors in the Apache error log, and I haven't seen it reach more than 200 active Apache processes.



Server Settings:



Timeout 50 
KeepAlive On
MaxKeepAliveRequests 100

KeepAliveTimeout 2


ServerLimit 350
StartServers 20
MinSpareServers 75
MaxSpareServers 150
MaxClients 320
MaxRequestsPerChild 5000




Update:



I updated to Ubuntu 12.04.1, just in case; no change.
I added mod_reqtimeout with these settings:



RequestReadTimeout header=20-40,minrate=500
RequestReadTimeout body=10,minrate=500



Now almost all timeouts happen at 10 seconds, with one or two at 20 seconds. I take that to mean that most of the time it's receiving the request body that's problematic? The request body should never be larger than a few hundred bytes.
I've monitored the network traffic on a one-second basis and it never gets higher than 1 Mbit/s, and I don't see any rxerrs or rxdrops; considering that the server is on a 1 Gbit/s line, it doesn't sound like what HopelessN00b posted about. Could it just be a case of some bad user connections?



For the spikes every hour (they seem to drift around a bit; in the graphs above they're at 33 minutes past the hour, now they're at 12 minutes past), I've tried to see if there's anything running periodically (crons, etc.) but found nothing. PHP garbage collection runs twice every hour, but not at the time of the spikes; still, I've tried disabling it and it makes no difference.



I've used dstat with --top-cpu, and top, to look at the processes at the time of the spikes, and all that shows up is Apache working hard for a few seconds; no other process is using significant CPU.



I've made a zoomed in graph of the spikes:
Zoomed request response time




To me it looks like Apache halts for a few seconds and then works hard to process the requests that came in during the halt. What might cause such a halt, or am I misinterpreting it?


Answer



The first thing I note, looking at your first graph, is that there seems to be an hourly slowdown (occurring around 40 minutes past the hour) which may be contributing to the problem. You should have a look at the task schedulers on the OS / database.



Based on the data you've supplied, my next step would be to look at the frequency of response times (number of responses on the Y axis vs duration on the X axis), but only including URLs which exhibit the timeout (or preferably one URL at a time). On a typical system this should follow a normal or Poisson distribution - the requests which are timing out may simply be part of the tail - in which case you need to focus your efforts on general tuning. OTOH, if the distribution is bimodal then you need to look for contention somewhere in your code.
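
If the access log records response times (for example %D appended to the LogFormat), a rough frequency count for one URL can be pulled out with something like this (a sketch; /ajax/endpoint and the log path are placeholders):

awk '$7 == "/ajax/endpoint" { sec = int($NF / 1000000); hist[sec]++ }
     END { for (s in hist) printf "%2ds: %d\n", s, hist[s] }' /var/log/apache2/access.log | sort -n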


Friday, April 20, 2018

Windows Server 2008 - File Permissions and Administrator



This is what I did on my Windows 2008 R2 server:




  1. Logged in as Administrator (UAC is disabled for a test sake)


  2. Select a folder


  3. Edit Advanced Permissions


  4. Uncheck"Include inheritable permissions" and click on Remove button to remove inheritable permissions



  5. Got a message "No one will be able to access the folder except for the owner". At this point I thought that Administrator should still have access and "no one" doesn't apply to me :)


  6. After answering OK, I lost all control over the permissions window and got an "Access denied" message. The only option was to take ownership and put back Administrator with Full Control.




Is there a Linux root equivalent in Windows that can have access to a file without granting full control?



If not, is the only option to administrate files in Windows is to give Administrator Full Control to ALL files (I'm excluding the take ownership option as not practical)?


Answer




Is there a Linux root equivalent in Windows that can have access to a file without granting full control?





No. Unless your Administrator user has permissions to perform an action on a file (either explicitly, or through group membership), he will not be able to perform the action on the file.



The exception, which you have noted, is file/folder ownership. An administrative user will always be able to take ownership of a file, and change permissions that way.
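
For reference, taking ownership and re-granting access can be done in bulk from an elevated prompt, roughly like this (a sketch; the path is a placeholder):

takeown /F "D:\Data\SomeFolder" /R /D Y
icacls "D:\Data\SomeFolder" /grant Administrators:(OI)(CI)F /T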




If not, is the only option to administrate files in Windows is to give Administrator Full Control to ALL files (I'm excluding the take ownership option as not practical)?





It's not especially clear what you mean by this, but in general, if you want a user to administer a file or folder, yeah, they need to have the filesystem permissions to do so.


windows - monitor local network traffic issue

I am using the Networking tab of Windows Task Manager to monitor local network traffic, to test how much bandwidth my application will use. My scenario is that a local console client application sends data (using an HTTP POST) to a local IIS 7.0 server.



My issue is that no traffic shows up in the Networking tab of Windows Task Manager. My environment is VSTS 2008 + C# + .NET 3.5 + Windows Vista x86 Enterprise. Any ideas what is wrong?



thanks in advance,
George

Thursday, April 19, 2018

windows server 2003 - IIS6: Web Site presenting the wrong SSL certificate



Consider an IIS6 installation with multiple Web Sites. Each is intended to be a different subdomain with its own cert (not a wildcard cert). Each has its host header specified properly.





  • foo.example.com - port 443. Require SSL w/128 bit. Working properly! It presents its SSL cert properly to the browser. Configured for a specific IP address.


  • bar.example.com - port 443. Require SSL w/128 bit. Configured for all unassigned addresses. When inspecting the IIS property page, it fully shows the cert for bar.example.com on the View Certificate button. This is a NEW web site that is having cert problems. It's presenting the cert for foo.example.com. Ouch!




Screenshot: http://www.imagechicken.com/uploads/1251156847014486300.png



Question: can you have more than one subdomain, each running as a separate web site with its own SSL cert, on the same port (443)? How would you configure 2 web sites on the same 'all unassigned' range for the same port (443)?




Update: ignoring the cert error, when browsing to https://bar, the content served is from the https://foo site.



When NOT using SSL, browsing to http://bar serves the correct content from bar.



Just one address is assigned to this DMZ server.


Answer



SSL certificates are bound to the internal IP address of the web server, not the external IP addresses.



Let's say you have foo.example.com bound to Public IP A and bar.example.com on Public IP B, but your web server only has the IP address 192.168.0.1




Whether the request comes in on IP A or IP B, it is still going to end up at 192.168.0.1, which means that IIS has no choice but to use the certificate that is assigned to foo.example.com.



To work around this issue, you will need to have multiple IP addresses assigned to your web server. This is easy to do. Speak to your sysadmin to have some IP's removed from the DHCP range (or ask him/her which ones you can use), then go to your properties for the network card (Control Panel > Network Connections), and go to the properties for TCP/IP.



You will need to have a static IP enabled in the first place (being a server I hope this is done anyway), and then click Advanced, and under the box for "IP addresses" click "Add" - and enter the new IP addresses you've been assigned by your sysadmin (Let's say 192.168.0.2).



Then, at your router, you need to ensure that requests from IP A on port 443 go to 192.168.0.1 and that all other requests on port 443 go to 192.168.0.2.



Then, in your IIS configuration, you need to bind the SSL Cert from foo.example.com to 192.168.0.1, and bind the rest to 192.168.0.2 (or leave as All Unassigned, as you have).




If this doesn't work, or you already have this configured, update your question and leave a comment to let us know.



Update: I just saw your comments, thanks for the update. You will need to ensure foo.example.com and bar.example.com are on two different public IP addresses. The reason is that, because the packets are encrypted, there's no way to use hostname-based routing to send the request to the right IP address (I believe this is the case; if anyone knows different, let me know). The only part of the request that's visible to the routers is the destination IP. This is why you can only have one SSL certificate per IP address. So you will need two public IPs for this to work, and in your DNS an A record for bar.example.com that is different from foo.example.com.


Wednesday, April 18, 2018

virtual machines - Install SQL Server 2017 on Windows 10 Azure VM




I have one Azure Windows 10 VM set up as a workstation which has among other things:




  • Visual Studio 2017

  • Python 2.7

  • NodeJS

  • SQL Server 2017



When a coworker created a new Windows 10 VM and went to install SQL Server, he got an error. I then created a new Windows 10 VM and attempted to install SQL Server and got the same error. Thinking it had something to do with the VM configuration, I chose the original configuration that had worked, tried again, and it failed again.




Here are the Windows 10 machines we've used:
Standard D2 v2 (2 vcpus, 7 GB memory): Success
Standard DS11 v2 (2 vcpus, 14 GB memory): Fail
Standard DS11 v2 (2 vcpus, 14 GB memory): Fail
Standard D2 v2 (2 vcpus, 7 GB memory): Fail



This is from the install Detail file:
...




(01) 2018-01-05 18:10:04 Slp: Current SqlServer Connection closed...
(01) 2018-01-05 18:10:04 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.
(01) 2018-01-05 18:10:04 Slp: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
(01) 2018-01-05 18:10:04 Slp: The configuration failure category of current exception is ConfigurationFailure
(01) 2018-01-05 18:10:05 Slp: Configuration action failed for feature SQL_Engine_Core_Inst during timing ConfigRC and scenario ConfigRC.
(01) 2018-01-05 18:10:05 Slp: Microsoft.SqlServer.Configuration.Sco.ScoException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) ---> System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) ---> System.ComponentModel.Win32Exception: The system cannot find the file specified
(01) 2018-01-05 18:10:05 Slp: --- End of inner exception stack trace ---
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource
1 retry, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource
1 retry)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.Open()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.GetConnection()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.Connect()
(01) 2018-01-05 18:10:05 Slp: --- End of inner exception stack trace ---
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.Connect()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlDatabaseServiceConfig.Install(SqlServiceInstallScriptParameters scriptParameters, Boolean fTemplateDB)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystemDatabases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean useInstallInputs)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartConfig(ConfigActionTiming timing)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.Install(ConfigActionTiming timing, Dictionary2 actionData, PublicConfigurationBase spcb)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.PrivateConfigurationBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, ConfigBaseAction action, Dictionary
2 actionData, PublicConfigurationBase spcbCurrent)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SqlFeatureConfigBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, ConfigBaseAction action, Dictionary2 actionData, PublicConfigurationBase spcbCurrent)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String actionId)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId, TextWriter errorStream)
(01) 2018-01-05 18:10:05 Slp: The following is an exception stack listing the exceptions in outermost to innermost order
(01) 2018-01-05 18:10:05 Slp: Inner exceptions are being indented
(01) 2018-01-05 18:10:05 Slp:
(01) 2018-01-05 18:10:05 Slp: Exception type: Microsoft.SqlServer.Configuration.Sco.ScoException
(01) 2018-01-05 18:10:05 Slp: Message:
(01) 2018-01-05 18:10:05 Slp: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
(01) 2018-01-05 18:10:05 Slp: HResult : 0x84bb0001
(01) 2018-01-05 18:10:05 Slp: FacilityCode : 1211 (4bb)
(01) 2018-01-05 18:10:05 Slp: ErrorCode : 1 (0001)
(01) 2018-01-05 18:10:05 Slp: Data:
(01) 2018-01-05 18:10:05 Slp: DisableRetry = true
(01) 2018-01-05 18:10:05 Slp: SQL.Setup.FailureCategory = ConfigurationFailure
(01) 2018-01-05 18:10:05 Slp: WatsonConfigActionData = INSTALL@CONFIGRC@SQL_ENGINE_CORE_INST
(01) 2018-01-05 18:10:05 Slp: WatsonExceptionFeatureIdsActionData = System.String[]
(01) 2018-01-05 18:10:05 Slp: Stack:
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.Connect()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlDatabaseServiceConfig.Install(SqlServiceInstallScriptParameters scriptParameters, Boolean fTemplateDB)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.ConfigSQLServerSystemDatabases(EffectiveProperties properties, Boolean isConfiguringTemplateDBs, Boolean useInstallInputs)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.DoCommonDBStartConfig(ConfigActionTiming timing)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlEngine.SqlEngineDBStartConfig.Install(ConfigActionTiming timing, Dictionary
2 actionData, PublicConfigurationBase spcb)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.PrivateConfigurationBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, ConfigBaseAction action, Dictionary2 actionData, PublicConfigurationBase spcbCurrent)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SqlFeatureConfigBase.Execute(ConfigActionScenario scenario, ConfigActionTiming timing, ConfigBaseAction action, Dictionary
2 actionData, PublicConfigurationBase spcbCurrent)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.ExecuteAction(String actionId)
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.SqlConfigBase.SlpConfigAction.Execute(String actionId, TextWriter errorStream)
(01) 2018-01-05 18:10:05 Slp: Inner exception type: System.Data.SqlClient.SqlException
(01) 2018-01-05 18:10:05 Slp: Message:
(01) 2018-01-05 18:10:05 Slp: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
(01) 2018-01-05 18:10:05 Slp: HResult : 0x80131904
(01) 2018-01-05 18:10:05 Slp: Data:
(01) 2018-01-05 18:10:05 Slp: HelpLink.ProdName = Microsoft SQL Server
(01) 2018-01-05 18:10:05 Slp: HelpLink.EvtSrc = MSSQLServer
(01) 2018-01-05 18:10:05 Slp: HelpLink.EvtID = 2
(01) 2018-01-05 18:10:05 Slp: HelpLink.BaseHelpUrl = http://go.microsoft.com/fwlink
(01) 2018-01-05 18:10:05 Slp: HelpLink.LinkId = 20476
(01) 2018-01-05 18:10:05 Slp: Stack:
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
(01) 2018-01-05 18:10:05 Slp: at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource
1 retry, DbConnectionOptions userOptions)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource
1 retry)
(01) 2018-01-05 18:10:05 Slp: at System.Data.SqlClient.SqlConnection.Open()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.GetConnection()
(01) 2018-01-05 18:10:05 Slp: at Microsoft.SqlServer.Configuration.Sco.SqlScriptExecution.Connect()
(01) 2018-01-05 18:10:05 Slp: Inner exception type: System.ComponentModel.Win32Exception
(01) 2018-01-05 18:10:05 Slp: Message:
(01) 2018-01-05 18:10:05 Slp: The system cannot find the file specified
(01) 2018-01-05 18:10:05 Slp: HResult : 0x80004005
(01) 2018-01-05 18:10:05 Slp: Error : 2
(01) 2018-01-05 18:10:05 Slp: Watson Bucket 1
Original Parameter Values




...




SQL Server installed to some degree, but it won't start. When telling it to start, this is in the event log:




FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'd:\dbs\sh\sprel\0822_164025\cmd\33\obj\x64retail\sql\mkmastr\databases\mkmastr.proj\modellog.ldf'. Diagnose and correct the operating system error, and retry the operation.




For the above error: while I do have a D: drive, it's the Azure VM "Temporary Storage", so nothing should be looking for files there.


Answer



Found the answer at https://social.technet.microsoft.com/wiki/contents/articles/31786.sql-server-not-starting-after-fresh-installation.aspx




Open a command prompt and start SQL Server:



net start MSSQL$SQLEXPRESS /f /t3608


Then open a SQL command prompt:



sqlcmd -S .\SQLEXPRESS



Verify that SQL Server is pointing to files in the wrong place. You should see which db and log file paths are incorrect:



1> select name, physical_name, state_desc from sys.master_files order by database_id;
2> go


Grab the correct paths to those files, then build and run this query:



ALTER DATABASE model MODIFY FILE ( NAME = modeldev, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\model.mdf');

ALTER DATABASE model MODIFY FILE ( NAME = modellog, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\modellog.ldf');
ALTER DATABASE msdb MODIFY FILE ( NAME = MSDBData, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf');
ALTER DATABASE msdb MODIFY FILE ( NAME = MSDBLog, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\MSDBLog.ldf');
ALTER DATABASE tempdb MODIFY FILE ( NAME = tempdev, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\temp.mdf');
ALTER DATABASE tempdb MODIFY FILE ( NAME = templog, FILENAME = 'C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA\temp.ldf');
go


Exit, stop, then start SQL Server:




1> exit
net stop MSSQL$SQLEXPRESS
net start MSSQL$SQLEXPRESS


Fire up SSMS, attempt to connect to the instance, and notice that you can't connect even with Windows auth. Now, stop the server, restart again in recovery mode, and give sa a password:



net stop MSSQL$SQLEXPRESS
net start MSSQL$SQLEXPRESS /f /t3608
sqlcmd -S .\SQLEXPRESS


ALTER LOGIN sa WITH PASSWORD = 'newpassword' UNLOCK
go
exit


Make sure the server is configured with SQL Server auth. Open RegEdit and ensure the value of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQLServer\LoginMode is 2. If you can't find this key, do a search for LoginMode as it might be different for you.
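
The same change can also be made from an elevated command prompt (adjust the instance portion of the key to match what you found in RegEdit):

reg add "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQLServer" /v LoginMode /t REG_DWORD /d 2 /f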



Stop the recovery mode server, and start the regular server




net stop MSSQL$SQLEXPRESS
net start MSSQL$SQLEXPRESS


You should now be able to log in with sa and the password you set earlier


vps - Maintaining name servers when redelegating the main domain

Just wanting to make sure I don't seriously bugger something up here; I'm 70% sure I'm doing the right thing. We have 2 hosting accounts: one is shared hosting, one is a VPS.



We are just about ready to cancel our shared account, as we have moved all our sites over to the VPS. My only concern is the name servers: do the A records for the name servers have to be hosted somewhere other than the server itself?



Our name servers are ns1.example.com.au and ns2.example.com.au, and we have the A records for these pointing to the correct IP addresses. BUT our domain example.com.au is currently pointed at the shared host's name servers; if we point it at our own name servers (ns1.example.com.au), will everything continue to work?



I've created the A records on the VPS, so it should resolve fine.




If someone could clarify this for me that would be great.

Tuesday, April 17, 2018

ubuntu - Accurately benchmarking a server



I'm getting a server ready for production, and I'm trying to accurately estimate how much it can handle.



For example, on one of the static pages (the whole page is the same all the time), if I run Apache Benchmark on it locally, I can get anywhere between 5000 and 10000 requests per second (depending on the concurrency). But if I run the same test from a different server (benchmarking the same server, but running Apache Benchmark on a different machine), I get something like 168 requests per second. That's a huge difference.




For another example, on a dynamic page I might get between 100 and 200 requests per second when testing locally, yet only 50 requests per second when testing from a different server.



What accuracy do these tests have? How can I figure out how good the server really is?


Answer



That is not a server issue - it depends a lot on the load you generate. Any realistic sizing has to come from a realistic test of data delivery, for which there are frameworks (commercial, possibly some open source) that run through your web application in a predetermined way, possibly with many agents hitting the server, to find out the load it can handle.




For example, on one of the static pages (the whole page is the same all the time), if I run Apache Benchmark on it locally, I can get anywhere between 5000 and 10000 requests per second (depending on the concurrency). But if I run the same test from a different server (benchmarking the same server, but running Apache Benchmark on a different machine), I get something like 168 requests per second. That's a huge difference.




That is pretty much the difference the network introduces. Staying on the same server means near-zero latency and practically unlimited bandwidth. This changes when you run the test from another server.
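

To see this effect yourself, a minimal sketch is to run the exact same ab test from both places and compare (the URL and request counts here are placeholders):



# On the server itself - no real network in the path
ab -n 10000 -c 100 http://localhost/static.html

# From a separate test machine - now latency and bandwidth are part of the result
ab -n 10000 -c 100 http://server.example.com/static.html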


domain name system - nameservers reported by whois cannot be found by nslookup



The nameservers of my domain are listed correctly on the whois entry:




whois destiglobal.com | grep NS


gives the following result:



Name Server: HEATHER.NS.CLOUDFLARE.COM
Name Server: OWEN.NS.CLOUDFLARE.COM


but a nameserver search with dig does not return anything:




dig +search +short NS destiglobal.com


I was looking at this question, which described a similar issue; the hint there was that the problem might be that no authoritative answer for my domain lookup exists:



So I investigated further and traced the DNS resolution path using dig +trace:



dig +trace destiglobal.com  


; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace destiglobal.com
;; global options: +cmd
. 427432 IN NS d.root-servers.net.
. 427432 IN NS e.root-servers.net.
. 427432 IN NS f.root-servers.net.
. 427432 IN NS g.root-servers.net.
. 427432 IN NS h.root-servers.net.
. 427432 IN NS i.root-servers.net.
. 427432 IN NS j.root-servers.net.
. 427432 IN NS a.root-servers.net.

. 427432 IN NS k.root-servers.net.
. 427432 IN NS l.root-servers.net.
. 427432 IN NS m.root-servers.net.
. 427432 IN NS b.root-servers.net.
. 427432 IN NS c.root-servers.net.
;; Received 811 bytes from 127.0.1.1#53(127.0.1.1) in 11 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.

com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.

com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20180423170000 20180410160000 39570 . YDhqBnGqUMqkWRz6hPQB4lhfX6A73qsKQBi4a+ZzkbSUhwtc1T/RmViI e7P8nl+Z3lsKD8+AhBN3V/7JDeriNSK6+nq6U1zq5iGP/kEw86BFA8L2 oBY8czheCNkilLWSfCYzHz726R69fNUMW6ajp0lGeGAr8J9brM/01set yUJQvVvJWc73d5cnbs7y2eiUgGh939SqGnLl4b+1dwswRlKt5lMYIdv5 WiQUbHecvtvMvg/PT6xlR91kHTh1ON3DUFeZFXOdwtfq9ehNoOuvWutG HERT2VbEx1XY/p7A1y3BeTXAW1M7N0iDolkHKc2qslN22nkn0pUnB1QC yKPiig==
;; Received 1175 bytes from 2001:500:1::53#53(h.root-servers.net) in 163 ms

com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1523441761 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20180418101601 20180411090601 46967 com. gWGmFMc7JcV66HRPf5rC/6qbV38K18q4O4i6TeUjHIQYyXSE4G6xncl+ CTcsj4I5jDszxM/8izmhwrHpRz4Fxs/BsFyUbViSKbRbYbzrA+Pu9ma+ N5fAFT+BvTY01tx2luu3qKFQLa8pMfW9HjUTLVAvvh9zPFNpRrLBA3jX Kmo=
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180418044729 20180411033729 46967 com. k9ZhhJ/HGc6o2LJBpzYkMlOhkw2tYNoP85bUnifUBGOLojGB7nHOmiv6 ozeiL5Cnyz070tWmbyz0CYvhX78CrrObOt9DjTmSe9019GVBHYrqXk/7 9zXoJu+s3DdD1PaJUexgE91ducHmYhXF0618GQX3/xYZn3xmcUgjIjGK mCw=
0G3KEATRSRVKUADEK0SQM4UT7GO0B0NK.com. 86400 IN NSEC3 1 1 0 - 0G3LK864G8GRULBC1RUEGK0RT2PFRHA3 NS DS RRSIG
0G3KEATRSRVKUADEK0SQM4UT7GO0B0NK.com. 86400 IN RRSIG NSEC3 8 2 86400 20180417050536 20180410035536 46967 com. jwFRmb77tWyVgdZuKIiud8zz31sthpmpqbTNvbQBsjEXHh7u3kesE6xN zEuNJ1YrvAOaEW2TLX/M0geOv1LgnEqkI7CjdrRZECIvgkekDRZmWyUz hJQCoktkNn+7vwxn7/WCyPWiiZ/Xdh0p9+z12aY6tPdxGXe+q3F9ZvOK QRw=

3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 86400 IN NSEC3 1 1 0 - 3RL3ODP8D910939I655B97GAQU6VE1Q7 NS DS RRSIG
3RL20VCNK6KV8OT9TDIJPI0JU1SS6ONS.com. 86400 IN RRSIG NSEC3 8 2 86400 20180415042450 20180408031450 46967 com. IhbnQXIq5RlG9CMXhBshx052OWd4vCgXfJdqqNjJgS3iWDJXpv1KFsy1 W8fCqrqXvU2TkpCosVmM1fUViUwVVJGABZKHVttYdjpy2pnYh26xMSVF MwwvBO3yRDeNrhPRd1Ktel8Pue1SJ4G8mdwbVAKnwrQy3fhLcDfudIQf FRs=
;; Received 1007 bytes from 2001:503:d414::30#53(f.gtld-servers.net) in 41 ms


According to this and this explanation of dig +trace, the domain resolves up until step 3 (root server back to recursive resolver) and fails at step 4 (recursive resolver to authoritative servers).



Is my assumption correct that there are no authoritative nameservers set for my domain?
And if so, what could/should I do to resolve this issue?

I have pointed my nameservers to Cloudflare at my hosting provider (I do not have access to the zone files at my hosting provider and want to manage the DNS for my domain through Cloudflare).


Answer



The core of your problem can be found in this line of your whois information:




Domain Status: clientHold https://icann.org/epp#clientHold



This status code tells your domain's registry to not activate your
domain in the DNS and as a consequence, it will not resolve. It is an
uncommon status that is usually enacted during legal disputes,
non-payment, or when your domain is subject to deletion.




Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code.




This is why the com zone returns NXDOMAIN for destiglobal.com. It is not a technical problem; it's likely a legal or contractual problem, so you need to contact the registrar.
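

Once the registrar removes the hold, you can re-check the status flag with the same whois client used above (a minimal sketch):



whois destiglobal.com | grep -i 'Domain Status'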



From a technical point of view I can't see any other error. Your authoritative nameservers are both configured fine, as confirmed by querying them directly for A, NS and SOA records – all consistent:



$ dig destiglobal.com @heather.ns.cloudflare.com +short
$ dig destiglobal.com @owen.ns.cloudflare.com +short
54.154.220.247


$ dig destiglobal.com SOA @heather.ns.cloudflare.com +short
$ dig destiglobal.com SOA @owen.ns.cloudflare.com +short
heather.ns.cloudflare.com. dns.cloudflare.com. 2027493360 10000 2400 604800 3600

$ dig destiglobal.com NS @heather.ns.cloudflare.com +short
$ dig destiglobal.com NS @owen.ns.cloudflare.com +short
heather.ns.cloudflare.com.
owen.ns.cloudflare.com.



And all this matches the information in the whois database:



Domain Name: DESTIGLOBAL.COM 
Name Server: HEATHER.NS.CLOUDFLARE.COM
Name Server: OWEN.NS.CLOUDFLARE.COM


Once you get things cleared up with the registrar, this should work fine, probably within 24-48 hours.


Monday, April 16, 2018

windows 7 - How can I resolve Oracle 11g XE connection failure straight after installation?



I have just installed Oracle 11g XE on a Windows 7 VirtualBox VM, using all the default options.



"Getting Started" fails




When I click on Getting Started I get taken to http://127.0.0.1:8080/apex/f?p=4950 which fails. After some browsing I came across a suggestion to confirm the HTTP port, but I can't get this far, because I can't connect.



connect system fails



If I select Run SQL command line I get taken to a SQL prompt. I enter connect system and get prompted for a password. I enter the password. I immediately get the following error:



ERROR:
ORA-01033: ORACLE initialization or shutdown in progress
Process ID: 0

Session ID: 0 Serial number: 0


Info: Start database



This happens whether or not I run Start database first. (Start database just opens a Windows command prompt window.)



Info: Windows services



My Oracle services start as follows:




Oracle XE services default startup



Starting the manual services doesn't resolve the problem. Enabling and starting the disabled service doesn't resolve the problem.



Is there something I haven't done? How can I resolve this connection error?


Answer



For each and every unexpected behaviour/error, see the installation logs at C:\oraclexe\app\oracle\product\11.2.0\server\config\log. They will tell you what went wrong during installation.



In my case, the logs showed something about the Windows event logs being full. I cleared all the events, uninstalled Oracle, and reinstalled it. After that everything worked.
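

If you need to clear the event logs in bulk before retrying, here is a minimal sketch from an elevated command prompt (wevtutil ships with Windows; use %%l instead of %l if you put this in a batch file):



rem Enumerate every event log and clear each one
for /f "delims=" %l in ('wevtutil el') do wevtutil cl "%l"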



Sunday, April 15, 2018

amazon ec2 - Issues with EC2 Elastic Load Balancer DNS and routing



We're trying to run a fairly straightforward setup on Amazon EC2 - several HTTP servers sitting behind an Amazon Elastic Load Balancer (ELB).




Our domain is managed in Route53, and we have a CNAME record set up to point to the ELB.



We've experienced some issues where some - but not all - locations are intermittently unable to connect to the load balancer; it seems that this may be the resolution of the ELB's domain name.



Amazon support advised us that the underlying Elastic IP of the load balancer has been changing, and that the problem is that some ISPs' DNS servers do not honour the TTL. We're not satisfied with this explanation, because we replicated the problem using Amazon's own DNS servers from an EC2 instance, as well as on local ISPs in Australia and via Google's DNS server (8.8.8.8).



Amazon also confirmed that during the period where we noticed down time from some locations, traffic passing through the ELB was down significantly - so the problem is not with our endpoints.



Interestingly, the domain seems to resolve to the correct IP on the servers that cannot connect - but the attempt to establish a TCP connection fails.




All the instances attached to the ELB have been healthy at all times. They're all



Does anyone know how we might go about diagnosing this problem more deeply? Has anyone else experienced this problem with the Elastic Load Balancer?



Thanks,


Answer



I found this question while Googling for how to diagnose Amazon Elastic Load Balancers (ELBs) and I want to answer it for anyone else like me who has had this trouble without much guidance.






ELBs have some interesting properties. For instance:




  • ELBs are made up of 1 or more nodes

  • These nodes are published as A records for the ELB name

  • These nodes can fail, or be shut down, and connections will not be closed gracefully

  • It often requires a good relationship with Amazon support ($$$) to get someone to dig into ELB problems




NOTE: Another interesting, though slightly less pertinent, property is that ELBs were not designed to handle sudden spikes of traffic. They typically require 15 minutes of heavy traffic before they will scale up, or they can be pre-warmed on request via a support ticket.





Update: AWS has since migrated all ELBs to use Route 53 for DNS. In addition, all ELBs now have an all.$elb_name record that will return the full list of nodes for the ELB. For example, if your ELB name is elb-123456789.us-east-1.elb.amazonaws.com, then you would get the full list of nodes by doing something like dig all.elb-123456789.us-east-1.elb.amazonaws.com. For IPv6 nodes, all.ipv6.$elb_name also works. Also, Route 53 is able to return up to 4KB of data while still using UDP, so using the +tcp flag may not be necessary.



Knowing this, you can do a little bit of troubleshooting on your own. First, resolve the ELB name to a list of nodes (as A records):



$ dig @ns-942.amazon.com +tcp elb-123456789.us-east-1.elb.amazonaws.com ANY



The tcp flag is suggested as your ELB could have too many records to fit inside of a single UDP packet. I'm also told, but haven't personally confirmed, that Amazon will only display up to 6 nodes unless you perform an ANY query. Running this command will give you output that looks something like this (trimmed for brevity):



;; ANSWER SECTION:
elb-123456789.us-east-1.elb.amazonaws.com. 60 IN SOA ns-942.amazon.com. root.amazon.com. 1376719867 3600 900 7776000 60
elb-123456789.us-east-1.elb.amazonaws.com. 600 IN NS ns-942.amazon.com.
elb-123456789.us-east-1.elb.amazonaws.com. 60 IN A 54.243.63.96
elb-123456789.us-east-1.elb.amazonaws.com. 60 IN A 23.21.73.53



Now, for each of the A records use e.g. curl to test a connection to the ELB. Of course, you also want to isolate your test to just the ELB without connecting to your backends. One final property and little known fact about ELBs:




  • The maximum size of the request method (verb) that can be sent through an ELB is 127 characters. Any larger and the ELB will reply with an HTTP 405 - Method not allowed.



This means that we can take advantage of this behavior to test only that the ELB is responding:



$ curl -X $(python -c 'print "A" * 128') -i http://ip.of.individual.node
HTTP/1.1 405 METHOD_NOT_ALLOWED

Content-Length: 0
Connection: Close


If you see HTTP/1.1 405 METHOD_NOT_ALLOWED then the ELB is responding successfully. You might also want to adjust curl's timeouts to values that are acceptable to you.
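

For example, a minimal sketch with hedged timeout values (the timeout flags are standard curl options; the node IP is the same placeholder as above):



$ curl -X $(python -c 'print "A" * 128') --connect-timeout 2 --max-time 5 -i http://ip.of.individual.node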





Of course, doing this can get pretty tedious so I've built a tool to automate this called elbping. It's available as a ruby gem, so if you have rubygems then you can install it by simply doing:




$ gem install elbping


Now you can run:



$ elbping -c 4 http://elb-123456789.us-east-1.elb.amazonaws.com
Response from 54.243.63.96: code=405 time=210 ms
Response from 23.21.73.53: code=405 time=189 ms
Response from 54.243.63.96: code=405 time=191 ms
Response from 23.21.73.53: code=405 time=188 ms

Response from 54.243.63.96: code=405 time=190 ms
Response from 23.21.73.53: code=405 time=192 ms
Response from 54.243.63.96: code=405 time=187 ms
Response from 23.21.73.53: code=405 time=189 ms
--- 54.243.63.96 statistics ---
4 requests, 4 responses, 0% loss
min/avg/max = 187/163/210 ms
--- 23.21.73.53 statistics ---
4 requests, 4 responses, 0% loss
min/avg/max = 188/189/192 ms

--- total statistics ---
8 requests, 8 responses, 0% loss
min/avg/max = 188/189/192 ms


Remember, if you see code=405 then that means that the ELB is responding.





Whichever method you choose, you will at least know if your ELB's nodes are responding or not. Armed with this knowledge, you can either turn your focus to troubleshooting other parts of your stack or be able to make a pretty reasonable case to AWS that something is wrong.




Hope this helps!


amazon web services - Coturn server behind AWS application load balancer



I'm trying to make a coturn server work behind an AWS Application Load Balancer. I'm using icetrickle to test it, and coturn seems to work as expected if I skip the load balancer and hit the instance directly. The security group for the instance allows TCP and UDP traffic on every port (0 - 65535) from all IPs (0.0.0.0/0, ::/0).



This is the configuration that I have on the turn server:



vim /etc/default/coturn:



TURNSERVER_ENABLED=1



vim /etc/turnserver.conf:



external-ip={aws_public_ip}
fingerprint
user={turn_user}:{turn_password}
lt-cred-mech
realm=realm
simple-log



then I start the server and I check it with icetrickle.



Icetrickle response - stun:{aws_public_ip}:3478



Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.002 1 host 430735571 udp 192.168.1.102 64841 126 | 30 | 255
0.100 1 srflx 842163049 udp 109.242.109.35 64841 100 | 30 | 255
0.104 Done

0.106


turn server log - tail -f /var/log/turn_15892_:



3983: session 001000000000000146: TCP socket closed remotely 172.31.18.64:4630
3983: session 001000000000000146: closed (2nd stage), user <> realm origin <>, local 172.31.13.20:3478, remote 172.31.18.64:4630, reason: TCP connection closed by client (callback)
3986: handle_udp_packet: New UDP endpoint: local addr 172.31.13.20:3478, remote addr 109.242.109.35:57844
3986: session 001000000000000147: realm user <>: incoming packet BINDING processed, success



Wireshark log



96848   2875.279343 192.168.1.102   3.8.87.160  STUN    62  Binding Request
96851 2875.373118 3.8.87.160 192.168.1.102 STUN 114 Binding Success Response XOR-MAPPED-ADDRESS: 109.242.109.35:57844 MAPPED-ADDRESS: 109.242.109.35:57844 RESPONSE-ORIGIN: {aws_public_ip}:3478


Then I configured the Application Load Balancer. It accepts traffic on port 3478 (HTTP protocol) and forwards it to the instance on port 3478. Here are the results:



Icetrickle response - stun:{aws_lb_url}:3478




Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.001 1 host 430735571 udp 192.168.1.102 54374 126 | 30 | 255
39.861 Done
39.864


turn server log - tail -f /var/log/turn_15892_:



No new logs (only healthchecks)



Wireshark log



110396  3769.417283 192.168.1.102   52.56.189.26    STUN    62  Binding Request
110403 3769.511074 52.56.189.26 192.168.1.102 ICMP 90 Destination unreachable (Port unreachable)
An array of similar logs as it retries


As I see it, the client is trying to connect to random relay ports; these are configurable and by default span ports 49152 to 65535, which I suspect is the issue, because the only port we forward from the load balancer to the instance is 3478. I wonder whether the coturn config should be fine-tuned now that the server is behind a load balancer.
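

For reference, the relay port range mentioned above is controlled in /etc/turnserver.conf; here is a minimal sketch of the relevant options (these values are coturn's defaults, so forwarding only 3478 will never cover the relay allocations):



# Relay endpoints are allocated from this UDP port range (coturn defaults)
min-port=49152
max-port=65535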




Any advice/help will be much appreciated.


Answer



You should forward coturn's UDP and TCP ports, but I am not sure an Application Load Balancer can do this.



Based on the following comparison, it is unclear to me whether it is possible to forward UDP ports:
https://aws.amazon.com/elasticloadbalancing/features/#Product_comparisons
If I understand it correctly, it says that the Application Load Balancer is only for HTTP/HTTPS.


Friday, April 13, 2018

domain name system - CloudFlare CDN and static site with root on Amazon S3



I've set up an S3 bucket to host my static site.



Now I am trying to wrap CloudFlare around this, but I get the following warning when adding a CNAME entry for the root domain in CloudFlare's DNS manager:




CNAME  example.com  example.com.s3-website-us-east-1.amazonaws.com



Root domain CNAME records are not allowed by the DNS specification.
Older recursors and mail programs may not follow this CNAME. You may
want to change this record to an A record if you plan to use it as a
MX or SRV target.





The examples I've found show a working setup using a subdomain (i.e. images.example.com per https://support.cloudflare.com/entries/22077268-How-do-I-use-CloudFlare-with-Amazon-s-S3-Service-) but I am interested in hosting the site entirely from the root domain.



Everything appears to work right now... The domain is set up with Google Apps MX records - can I ignore the warning from CloudFlare? I would feel more comfortable being able to set the root domain as an A record, but I'm not sure how to achieve this.


Answer



When your email stops coming in tomorrow, you'll know that it wasn't safe to ignore this warning.



The CNAME replaces all other resource records, so it overrides the SOA record, MX records, and any other records you might have defined for the zone. That's why it's strongly recommended against. (And why providers recommend using www rather than the naked domain.)



If you're on Route 53, they have a workaround to make this "work" (though it's ugly and nasty behind the scenes). It sounds like CloudFlare has the same sort of workaround in place. It's probably equally nasty, but you should be able to do it.
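

If you do rely on CloudFlare's apex workaround, a quick sanity check (a minimal sketch; substitute your real domain for example.com) is to confirm that the apex still answers with both A and MX records rather than a CNAME:



$ dig +noall +answer example.com A
$ dig +noall +answer example.com MX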


windows server 2008 - Domain name help with Active Directory and DNS

I want to install Active Directory on my server so that I can have centralized user authentication.




I don't know much about AD, but I am reading up on it.



I am also reading about DNS servers.



Now, every topic talks about a domain name, and I am confused about which domain name they are talking about.



Is there some website domain name I have to type here, or what?



If I type any name, it says it can't connect to it.




How can I find out what domain name I have to type when setting up DNS or AD?

active directory - How can I get rid of the "Do you trust this printer" message box and add my printer via GPO?




  • Workstation: Windows 7 (x64) [Install target for printer]

  • Server: Windows Server 2012 R2 (x64) [Active Directory, Print Server]



I have been bashing my head on the desk trying to get this printer to be installed via group policy! For some reason, I simply can NOT get this printer deployed with GPO. I have tried setting it up to deploy via Computer Configuration->Policies->Windows Settings->Deployed Printers, as well as Computer Configuration->Preferences->Control Panel Settings->Printers and User Configuration->Preferences->Control Panel Settings->Printers. I have also tried going through my Print Server Management console to add it via user and/or computer targeting. I have tried ALL KINDS of ways and nothing is working. I followed a bunch of tutorials and watched a bunch of videos just to make sure I was not missing something but it really is a simple task (in theory)... It just will not work.




In trying to debug the issue I found that if I went to \\myserver\ and double clicked on the printer it would try to install the printer and then prompt me to install the drivers with a UAC type prompt.



I have tried everything I can think of to get that message box to stop popping up. I dug into it and found a GPO called Point and Print Restrictions, located at Computer Configuration->Policies->Administrative Templates->Printers and also at User Configuration->Policies->Administrative Templates->Control Panel->Printers; you can try setting the policy to Disabled, or to Enabled with Do not show warning or elevation prompt selected for the two security prompts listed at the bottom of the policy settings.



Well that was a bust too...



I did find that if I manually installed the printer by going to the UNC path and typing in my Administrator credentials, it would download the drivers from the server and install the printer (as expected). If the user then somehow managed to remove the printer, as soon as they logged off and back on, the GPO would do what I want and add the printer back. But it required me to add the printer manually the first time on EVERY PC.



After testing this and then removing the printer from the GPO, then logging off and on again, I could run the command printui /s /t2 to bring up a GUI that let me easily remove the installed drivers and put the PC back to its original state (it asks for Administrator credentials). Something else I learned was that the connected printers are stored in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Connections. When I was trying to remove a printer and it told me I couldn't, I just went to that registry key, removed the GUID key of the printer I was trying to delete, then restarted the Print Spooler service, and boom, it was gone. This didn't get me to where I wanted, but it was helpful in removing the printer while debugging the issue.




I read somewhere that the cause might be some kind of Windows security update that changed something. It was released because of an article showing how you could pwn an entire network if you were able to pwn a single printer - something about how, when users connected to the printer and downloaded the drivers, it would install injected software that runs on the machine, etc...



My main goal is to be able to deploy this printer to a set of users in this OU with the GPO I'm using. But everything I try requires an Administrator to be logged on to do it (at least the first time). Does anyone have any idea why my printer will not automatically add itself via the GPO and also how do I get that dang "Do you trust this printer?" message to go away?


Answer



The "fix" is to download trusted, package-aware print drivers from the printer manufacturer; however, since not all manufacturers will produce these drivers, there is a work around that I found here: Cannon Forum - Package-Aware Print Drivers (Note: This does not work for unsigned drivers, but there are plenty of tutorials out there for self-signing a print driver.)



Here are the steps to get around the issue:





  1. Install the required drivers on the print server

  2. Note any drivers that have "false" listed under the "Packaged" column. All of these will have to be modified to deploy via Group Policy.

  3. Edit the registry on your print server and go to the following locations:


    • For 64-bit drivers: HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-X\{Driver Name}

    • For 32-bit drivers: HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-X\{Driver Name}

    • Where "X" is the print driver "Type", usually either "3" or "4"


  4. Edit the value named "PrinterDriverAttributes" by adding 1 to whatever value is currently set (example: if the current value is "6", change it to "7"); see the sketch after this list. This will make the print server believe that these drivers are packaged.


  5. Do this for every driver that is not listed as a "Packaged" driver.

  6. Restart the print server.

  7. Everything should now deploy through Group Policy (provided you have all the usual GPO settings configured correctly).
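

A minimal sketch of step 4 from an elevated command prompt on the print server (the driver name and the Version-3 path are hypothetical; check the current value first and set it to that value plus 1):



reg query "HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\My Driver Name" /v PrinterDriverAttributes

rem If the query shows 0x6, set the value to 7 (current value + 1)
reg add "HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\My Driver Name" /v PrinterDriverAttributes /t REG_DWORD /d 7 /f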



I am in the process of deploying this fix myself; however, since it requires a restart of the print server I cannot test it until this evening since our print server also runs a few networked applications.



An alternate solution to the registry edit is to edit the printer driver INF file and add the following:



For 32-bit drivers:




[PrinterPackageInstallation.x86]
PackageAware=TRUE


For 64-bit drivers:



[PrinterPackageInstallation.amd64]
PackageAware=TRUE



If you decide to edit the INF file, it'll be easier to remove the driver from the print server, edit the INF file from a clean download, and then install the edited driver.



Aside from this, double check the Group Policy settings for Point and Print Restrictions and Package Point and print - Approved Servers.





Microsoft Security Bulletin MS16-087 detailed a security issue where a rogue print server could inject malicious code through a "man in the middle" style attack. Security update KB3170455 was issued on July 12, 2016 to fix it, which then messed with the distribution of print drivers from the print server.


linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...