Saturday, June 30, 2018

How to over-provision an Intel SSD RAID Array via the Dell H700 PERC RAID Controller




I would like to set up a RAID10 array of 6 Intel SSD 320 SSDs, but over-provision them to enhance their performance and duration as per this PDF:
http://cache-www.intel.com/cd/00/00/45/95/459555_459555.pdf



Is this as simple as creating the array with lower capacity than the drive total? I can't seem to find options in the H700 BIOS config utility that pertain to physical drive partitions or options.



Ultimately the question is: If I create a 600 GB RAID 10 across 6 300 GB drives, will the remaining 300 GB be evenly distributed across the drives, and will this space be available to the 320 controller for use as spare area?


Answer



You can use the Linux hdparm utility to set your provisioning parameters in this fashion:



root@ubuntu-10-10:~# hdparm -N /dev/sdb

/dev/sdb:
max sectors = 312581808/312581808, HPA is disabled

root@ubuntu-10-10:~# hdparm -Np281323627 /dev/sdb

/dev/sdb:
setting max visible sectors to 281323627 (permanent)
Use of -Nnnnnn is VERY DANGEROUS.
You have requested reducing the apparent size of the drive.
This is a BAD idea, and can easily destroy all of the drive's contents.
Please supply the --yes-i-know-what-i-am-doing flag if you really want this.
Program aborted.

root@ubuntu-10-10:~# hdparm -Np281323627 --yes-i-know-what-i-am-doing /dev/sdb

/dev/sdb:
setting max visible sectors to 281323627 (permanent)
max sectors = 281323627/312581808, HPA is enabled

root@ubuntu-10-10:~#


To give credit where it's due, I've got this info from a German server builder's website wiki.



But according to the Intel docs, it would be enough simply to keep the sectors in a "clean" state (in which they would be after a secure erase) by never writing to them. If you define a container/volume which only ever uses 300 GB of each of your drives, this is exactly what you are doing for half of your drives' sectors.
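Checking the figures from the hdparm session above in code, as an added example that is not part of the answer: the requested 281323627 sectors is exactly 90% of the drive's 312581808 native sectors, i.e. 10% over-provisioning. The parser and the generated command string are the example's own (based on the `hdparm -N` output format quoted above); nothing here touches a device.

```python
import re

# Constructed samples: the `hdparm -N` output before and after the change, as quoted above.
HDPARM_N_BEFORE = """/dev/sdb:
 max sectors   = 312581808/312581808, HPA is disabled
"""
HDPARM_N_AFTER = """/dev/sdb:
 setting max visible sectors to 281323627 (permanent)
 max sectors   = 281323627/312581808, HPA is enabled
"""

_MAX_SECTORS = re.compile(
    r"max sectors\s*=\s*(?P<visible>\d+)/(?P<native>\d+),\s*HPA is (?P<state>enabled|disabled)"
)


def parse_hdparm_n(output):
    """Return (visible_sectors, native_sectors, hpa_enabled) from `hdparm -N` output."""
    m = _MAX_SECTORS.search(output)
    if m is None:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    return int(m.group("visible")), int(m.group("native")), m.group("state") == "enabled"


def visible_sectors_for(native_sectors, overprovision_percent):
    """Sectors left visible to the host when `overprovision_percent` of the native
    capacity is held back as spare area; rounded down to a whole sector."""
    if not 0 < overprovision_percent < 100:
        raise ValueError("over-provisioning must be between 0 and 100 percent")
    return native_sectors * (100 - overprovision_percent) // 100


def hpa_plan(before_output, overprovision_percent, device):
    """Parse the drive's current state and return the hdparm command that would set the HPA.
    Refuses when an HPA is already in place: changing it again should be a deliberate
    decision, not something a script does silently."""
    visible, native, enabled = parse_hdparm_n(before_output)
    if enabled:
        raise RuntimeError(f"{device}: HPA already enabled ({visible}/{native}); not changing it")
    target = visible_sectors_for(native, overprovision_percent)
    return f"hdparm -Np{target} --yes-i-know-what-i-am-doing {device}"


def hpa_applied_ok(after_output, expected_visible):
    """Post-change check: the drive must report HPA enabled and exactly the intended visible size."""
    visible, native, enabled = parse_hdparm_n(after_output)
    return enabled and visible == expected_visible and visible < native


if __name__ == "__main__":
    print(hpa_plan(HDPARM_N_BEFORE, 10, "/dev/sdb"))
    print("applied ok:", hpa_applied_ok(HDPARM_N_AFTER, 281323627))
```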


Friday, June 29, 2018

swap - Increase Swapfile on operational system



I'm new to this and I am trying to figure out what will be the best way to go about this. I have a system on which I need to increase the swap file; I realized that the swap partition is not LVM, so that is kind of out. However, my current swap partition is 8 GB but needs to be 16 GB.



# swapon -s
Filename    Type    Size     Used     Priority
/swapfile   file    8191996  6341008  -1


I guess my issue is that it is a swap file and not a partition (at least it is an issue for me :( ...). I read online that I can use dd to create a swapfile, but I'm not sure I understand how to actually increase the size or whether I need to create a new partition.



/etc/fstab looks like this:



/swapfile        swap           swap    defaults        0 0



Any recommendations on how to proceed?


Answer



As mentioned above, you can resize the swapfile to gain the desired effect.
But I would recommend adding another swapfile, with the same priority, so you will not need to swap out the GBs of swapped data.



# Create another swapfile, mind the filename!
sudo dd if=/dev/zero of=/swapfile2 bs=1M count=8192
# Only root may read swap contents (mkswap warns about insecure permissions otherwise)
sudo chmod 600 /swapfile2
# Make the new file a swapfile
sudo mkswap /swapfile2
# Enable it with the same priority as the existing one (-1 here, as shown by swapon -s);
# priority has to be given at activation time, a second swapon on an active file fails
sudo swapon -p -1 /swapfile2


Then add /swapfile2 swap swap defaults 0 0 to /etc/fstab.


How to determine number of write cycles or expected life for SSD under Linux?



We've been running an SSD (Intel X25-M) in a Linux (RHEL 5) server for a while, but never made any effort to figure out how much write load it was under for the past year. Is there any tool under Linux to tell us approximately how much has been written to the disk over time or (even better) how much wear it has accumulated? Just looking for a hint to see if it's near death or not...


Answer



Intel SSDs do keep statistics on total writes and how far through its likely lifespan the drive is.



The following is from an Intel X25-M G2 160GB (SSDSA2M160G2GC)



# smartctl -data -A /dev/sda
smartctl 5.40 2010-10-16 r3189 [x86_64-redhat-linux-gnu] (local build)
Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 5
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  3 Spin_Up_Time            0x0020   100   100   000    Old_age   Offline      -       0
  4 Start_Stop_Count        0x0030   100   100   000    Old_age   Offline      -       0
  5 Reallocated_Sector_Ct   0x0032   100   100   000    Old_age   Always       -       1
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       6855
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       68
192 Unsafe_Shutdown_Count   0x0032   100   100   000    Old_age   Always       -       30
225 Host_Writes_32MiB       0x0030   200   200   000    Old_age   Offline      -       148487
226 Workld_Media_Wear_Indic 0x0032   100   100   000    Old_age   Always       -       3168
227 Workld_Host_Reads_Perc  0x0032   100   100   000    Old_age   Always       -       1
228 Workload_Minutes        0x0032   100   100   000    Old_age   Always       -       1950295543
232 Available_Reservd_Space 0x0033   099   099   010    Pre-fail  Always       -       0
233 Media_Wearout_Indicator 0x0032   098   098   000    Old_age   Always       -       0
184 End-to-End_Error        0x0033   100   100   099    Pre-fail  Always       -       0



The Host_Writes_32MiB raw value shows how many 32MiB units of data have been written to this drive.



The Media_Wearout_Indicator value shows you a normalised percentage of how far through its useful wear-lifespan the drive is. This starts at 100 (or 099, I forget which), and proceeds down to 001, at which point Intel consider the drive to have exceeded its useful life. Intel use the MWI as part of warranty claims too - once the MWI reaches 001, the warranty is expired.



The MWI reaching 001 does not mean the drive will fail immediately however! Intel will have tolerance built in to deal with variances in flash units. I've seen drives last well past this point, and I'm actively wear-testing some Intel 320 series SSDs to see how much longer they last.



However, as the warranty expires when the MWI reaches 001, I'd replace any drives at that point.
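An added example, not from the answer, that parses the smartctl attribute table above and turns attributes 225, 233 and the Pre-fail thresholds into the numbers the answer talks about: bytes written, wear percentage used, whether the warranty point (MWI at 001) has been reached, and whether any Pre-fail attribute has sunk to its threshold. The sample table is a trimmed copy of the output quoted above; the parser and the assessment rules are the example's own.

```python
import re

# Constructed sample: the smartctl -A attribute table quoted in the answer above
# (Intel X25-M G2), trimmed to the attributes this script uses.
SMARTCTL_A = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0032   100   100   000    Old_age   Always       -       1
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       6855
225 Host_Writes_32MiB       0x0030   200   200   000    Old_age   Offline      -       148487
232 Available_Reservd_Space 0x0033   099   099   010    Pre-fail  Always       -       0
233 Media_Wearout_Indicator 0x0032   098   098   000    Old_age   Always       -       0
184 End-to-End_Error        0x0033   100   100   099    Pre-fail  Always       -       0
"""

# One attribute row: id name flag value worst thresh type updated when_failed raw
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+(\d+)"
)


def parse_attributes(text):
    """Map attribute name -> fields; the header and any non-attribute lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        attrs[m.group(2)] = {
            "id": int(m.group(1)), "value": int(m.group(3)), "worst": int(m.group(4)),
            "thresh": int(m.group(5)), "type": m.group(6), "raw": int(m.group(7)),
        }
    return attrs


def host_writes_bytes(attrs):
    """Attribute 225 counts 32 MiB units, so total bytes = raw * 32 * 2**20."""
    return attrs["Host_Writes_32MiB"]["raw"] * 32 * 2**20


def wear_percent_used(attrs):
    """MWI is normalised and counts down from 100 (new) to 1 (rated life used up)."""
    return 100 - attrs["Media_Wearout_Indicator"]["value"]


def avg_gib_written_per_day(attrs):
    """Average write rate over the drive's powered-on life (Power_On_Hours raw is hours)."""
    days = attrs["Power_On_Hours"]["raw"] / 24
    return host_writes_bytes(attrs) / 2**30 / days


def failing_prefail_attributes(attrs):
    """Pre-fail attributes whose normalised VALUE is at or below THRESH: the condition
    SMART itself uses to predict imminent failure. Old_age attributes are informational."""
    return sorted(
        name for name, a in attrs.items()
        if a["type"] == "Pre-fail" and a["thresh"] > 0 and a["value"] <= a["thresh"]
    )


def assessment(attrs):
    """Summarise what the answer says matters: writes, wear, warranty point, pre-fail state."""
    return {
        "tib_written": round(host_writes_bytes(attrs) / 2**40, 2),
        "wear_percent_used": wear_percent_used(attrs),
        "warranty_exhausted": attrs["Media_Wearout_Indicator"]["value"] <= 1,
        "prefail_failing": failing_prefail_attributes(attrs),
    }


if __name__ == "__main__":
    for key, val in assessment(parse_attributes(SMARTCTL_A)).items():
        print(f"{key}: {val}")
```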


Thursday, June 28, 2018

domain name system - Why does DNS work the way it does?




This is a Canonical Question about DNS (Domain Name Service).





If my understanding of the DNS system is correct, the .com registry holds a table that maps domains (www.example.com) to DNS servers.




  1. What is the advantage? Why not map directly to an IP address?


  2. If the only record that needs to change when I am configuring a DNS server to point to a different IP address is located at the DNS server, why isn't the process instant?


  3. If the only reason for the delay are DNS caches, is it possible to bypass them, so I can see what is happening in real time?



Answer



Actually, it's more complicated than that. Rather than one "central registry (that) holds a table that maps domains (www.mysite.com) to DNS servers", there are several layers of hierarchy:




There's a central registry (the Root Servers) which contain only a small set of entries: the NS (nameserver) records for all the top-level domains - .com, .net, .org, .uk, .us, .au, and so on.



Those servers just contain NS records for the next level down. To pick one example, the nameservers for the .uk domain just have entries for .co.uk, .ac.uk, and the other second-level zones in use in the UK.



Those servers just contain NS records for the next level down - to continue the example, they tell you where to find the NS records for google.co.uk. It's on those servers that you'll finally find a mapping between a hostname like www.google.co.uk and an IP address.



As an extra wrinkle, each layer will also serve up 'glue' records. Each NS record maps a domain to a hostname - for instance, the NS records for .uk list nsa.nic.uk as one of the servers. To get to the next level, we need to find out what the NS records for nic.uk are, and they turn out to include nsa.nic.uk as well. So now we need to know the IP of nsa.nic.uk, but to find that out we need to make a query to nsa.nic.uk, but we can't make that query until we know the IP for nsa.nic.uk...



To resolve this quandary, the servers for .uk add the A record for nsa.nic.uk into the ADDITIONAL SECTION of the response (response below trimmed for brevity):




jamezpolley@li101-70:~$ dig nic.uk ns

; <<>> DiG 9.7.0-P1 <<>> nic.uk ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21768
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;nic.uk.                        IN      NS

;; ANSWER SECTION:
nic.uk.                 172800  IN      NS      nsb.nic.uk.
nic.uk.                 172800  IN      NS      nsa.nic.uk.

;; ADDITIONAL SECTION:
nsa.nic.uk.             172800  IN      A       156.154.100.3
nsb.nic.uk.             172800  IN      A       156.154.101.3



Without these extra glue records, we'd never be able to find the nameservers for nic.uk, and so we'd never be able to look up any domains hosted there.



To get back to your questions...




a) What is the advantage? Why not map directly to an IP address?




For one thing, it allows edits to each individual zone to be distributed. If you want to update the entry for www.mydomain.co.uk, you just need to edit the information on the nameserver for mydomain.co.uk. There's no need to notify the central .co.uk servers, or the .uk servers, or the root nameservers. If there was only a single central registry that mapped all the levels all the way down the hierarchy, and it had to be notified about every single change of a DNS entry all the way down the chain, it would be absolutely swamped with traffic.




Before 1982, this was actually how name resolution happened. One central registry was notified about all updates, and they distributed a file called hosts.txt which contained the hostname and IP address of every machine on the internet. A new version of this file was published every few weeks, and every machine on the internet would have to download a new copy. Well before 1982, this was starting to become problematic, and so DNS was invented to provide a more distributed system.



For another thing, this would be a Single Point of Failure - if the single central registry went down, the entire internet would be offline. Having a distributed system means that failures only affect small sections of the internet, not the whole thing.



(To provide extra redundancy, there are actually 13 separate clusters of servers that serve the root zone. Any changes to the top-level domain records have to be pushed to all 13; imagine having to coordinate updating all 13 of them for every single change to any hostname anywhere in the world...)




b) If the only record that needs to change when I am configuring a DNS server to point to a different IP address is located at the DNS server, why isn't the process instant?




Because DNS utilises a lot of caching to both speed things up and decrease the load on the NSes. Without caching, every single time you visited google.co.uk your computer would have to go out to the network to look up the servers for .uk, then .co.uk, then .google.co.uk, then www.google.co.uk. Those answers don't actually change much, so looking them up every time is a waste of time and network traffic. Instead, when the NS returns records to your computer, it will include a TTL value, that tells your computer to cache the results for a number of seconds.



For example, the NS records for .uk have a TTL of 172800 seconds - 2 days. Google are even more conservative - the NS records for google.co.uk have a TTL of 4 days. Services which rely on being able to update quickly can choose a much lower TTL - for instance, telegraph.co.uk has a TTL of just 600 seconds on their NS records.



If you want updates to your zone to be near-instant, you can choose to lower your TTL as far down as you like. The lower you set it, the more traffic your servers will see, as clients refresh their records more often. Every time a client has to contact your servers to do a query, this will cause some lag, as it's slower than looking up the answer in their local cache, so you'll also want to consider the tradeoff between fast updates and a fast service.





c) If the only reason for the delay are DNS caches, is it possible to bypass them, so I can see what is happening in real time?




Yes, this is easy if you're testing manually with dig or similar tools - just tell it which server to contact.



Here's an example of a cached response:



jamezpolley@host:~$ dig telegraph.co.uk NS

; <<>> DiG 9.7.0-P1 <<>> telegraph.co.uk NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36675
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;telegraph.co.uk.               IN      NS

;; ANSWER SECTION:
telegraph.co.uk.        319     IN      NS      ns1-63.akam.net.
telegraph.co.uk.        319     IN      NS      eur3.akam.net.
telegraph.co.uk.        319     IN      NS      use2.akam.net.
telegraph.co.uk.        319     IN      NS      usw2.akam.net.
telegraph.co.uk.        319     IN      NS      use4.akam.net.
telegraph.co.uk.        319     IN      NS      use1.akam.net.
telegraph.co.uk.        319     IN      NS      usc4.akam.net.
telegraph.co.uk.        319     IN      NS      ns1-224.akam.net.

;; Query time: 0 msec
;; SERVER: 97.107.133.4#53(97.107.133.4)
;; WHEN: Thu Feb 2 05:46:02 2012
;; MSG SIZE rcvd: 198


The flags section here doesn't contain the aa flag, so we can see that this result came from a cache rather than directly from an authoritative source. In fact, we can see that it came from 97.107.133.4, which happens to be one of Linode's local DNS resolvers. The fact that the answer was served out of a cache very close to me means that it took 0 msec for me to get an answer; but as we'll see in a moment, the price I pay for that speed is that the answer is almost 5 minutes out of date.



To bypass Linode's resolver and go straight to the source, just pick one of those NSes and tell dig to contact it directly:



jamezpolley@li101-70:~$ dig @ns1-224.akam.net telegraph.co.uk NS

; <<>> DiG 9.7.0-P1 <<>> @ns1-224.akam.net telegraph.co.uk NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23013
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;telegraph.co.uk.               IN      NS

;; ANSWER SECTION:
telegraph.co.uk.        600     IN      NS      use2.akam.net.
telegraph.co.uk.        600     IN      NS      eur3.akam.net.
telegraph.co.uk.        600     IN      NS      use1.akam.net.
telegraph.co.uk.        600     IN      NS      ns1-63.akam.net.
telegraph.co.uk.        600     IN      NS      usc4.akam.net.
telegraph.co.uk.        600     IN      NS      ns1-224.akam.net.
telegraph.co.uk.        600     IN      NS      usw2.akam.net.
telegraph.co.uk.        600     IN      NS      use4.akam.net.

;; Query time: 9 msec
;; SERVER: 193.108.91.224#53(193.108.91.224)
;; WHEN: Thu Feb 2 05:48:47 2012
;; MSG SIZE rcvd: 198


You can see that this time, the results were served directly from the source - note the aa flag, which indicates that the results came from an authoritative source. In my earlier example, the results came from my local cache, so they lack the aa flag. I can see that the authoritative source for this domain sets a TTL of 600 seconds. The results I got earlier from a local cache had a TTL of just 319 seconds, which tells me that they'd been sitting in the cache for (600-319) seconds - almost 5 minutes - before I saw them.




Although the TTL here is only 600 seconds, some ISPs will attempt to reduce their traffic even further by forcing their DNS resolvers to cache the results for longer - in some cases, for 24 hours or more. It's traditional (in a we-don't-know-if-this-is-really-necessary-but-let's-be-safe kind of way) to assume that any DNS change you make won't be visible everywhere on the internet for 24-48 hours.
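The comparison the answer does by hand (no aa flag means a cache; 600 - 319 = 281 seconds sitting in that cache), as an added example that is not part of the original post: it parses trimmed copies of the two dig outputs above, tells cached from authoritative answers by the aa flag, computes the cache age, and reports whether the resolver's copy of the RRset already matches the zone's. The `parse_dig` regexes are the example's own.

```python
import re

# Constructed samples: trimmed copies of the two dig sessions shown above
# (three of the nameservers each, whitespace as dig prints it).
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36675
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;telegraph.co.uk.               IN      NS

;; ANSWER SECTION:
telegraph.co.uk.        319     IN      NS      ns1-63.akam.net.
telegraph.co.uk.        319     IN      NS      eur3.akam.net.
telegraph.co.uk.        319     IN      NS      use2.akam.net.

;; Query time: 0 msec
;; SERVER: 97.107.133.4#53(97.107.133.4)
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23013
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;telegraph.co.uk.               IN      NS

;; ANSWER SECTION:
telegraph.co.uk.        600     IN      NS      use2.akam.net.
telegraph.co.uk.        600     IN      NS      eur3.akam.net.
telegraph.co.uk.        600     IN      NS      ns1-63.akam.net.

;; Query time: 9 msec
;; SERVER: 193.108.91.224#53(193.108.91.224)
"""

_FLAGS = re.compile(r"^;; flags: ([^;]*);", re.M)
_SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#\d+", re.M)
# A resource record line: name ttl IN type rdata (comment lines start with ';')
_RR = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_dig(text):
    """Pull out the header flags, the server that answered, and the answer RRs."""
    flags = _FLAGS.search(text)
    server = _SERVER.search(text)
    if flags is None or server is None:
        raise ValueError("not a dig response: missing flags or SERVER line")
    answers = [(n, int(ttl), t, r) for n, ttl, t, r in _RR.findall(text)]
    return {"flags": set(flags.group(1).split()), "server": server.group(1), "answers": answers}


def is_authoritative(resp):
    """The aa flag is only set by a server that serves the zone itself, never by a cache."""
    return "aa" in resp["flags"]


def rrset(resp):
    """Records without their TTLs, so two responses compare regardless of cache age or order."""
    return {(n, t, r) for n, _, t, r in resp["answers"]}


def cache_age_seconds(cached, authoritative):
    """How long the cached copy has been sitting in the resolver: the zone's TTL minus
    the TTL the cache still reports (600 - 319 = 281 for the answer's example)."""
    if is_authoritative(cached) or not is_authoritative(authoritative):
        raise ValueError("expected a cached response and an authoritative one, in that order")
    auth_ttl = {(n, t, r): ttl for n, ttl, t, r in authoritative["answers"]}
    ages = [auth_ttl[(n, t, r)] - ttl for n, ttl, t, r in cached["answers"] if (n, t, r) in auth_ttl]
    if not ages:
        raise ValueError("no record in common between the two responses")
    return max(ages)


def propagation_status(cached, authoritative):
    """'current' when the resolver already serves the authoritative RRset, 'stale' when a
    change has not reached it yet, plus the longest the stale copy can still be served."""
    state = "current" if rrset(cached) == rrset(authoritative) else "stale"
    expires_in = min(ttl for _, ttl, _, _ in cached["answers"])
    return state, expires_in


if __name__ == "__main__":
    c, a = parse_dig(CACHED), parse_dig(AUTHORITATIVE)
    print("cached from", c["server"], "age", cache_age_seconds(c, a), "s", propagation_status(c, a))
```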


Wednesday, June 27, 2018

networking - Routing table with two same static IPs on the network

We need a way to insert a device between a target device and the network, ideally without needing to change any IP addresses.



Currently, the situation is (please excuse the ASCII art)



-----------       ------------
| x.x.x.5 | ----- | x.x.x.10 |
-----------       ------------



What we are trying to do is insert a device with two network interfaces, and what we'd LIKE to do is arrange the IPs so each side thinks it's talking to the original device. We'll take care of moving the data from one interface to the other.



-----------     --------------------------------     ------------
| x.x.x.5 | --- | eth0 x.x.x.10 x.x.x.5 eth1 | --- | x.x.x.10 |
-----------     --------------------------------     ------------


Is there a way to set up the routing table such that a request for x.x.x.10 that comes in from eth0 gets sent out eth1, and requests for x.x.x.5 that arrive via eth1 get sent out eth0?




The middle box is running Linux.

Is a cloud-based domain controller behind a VPN feasible?



I'm considering setting up a windows domain controller in MS Azure within an Azure virtual network. Goal is to be able to centrally manage GPs and users.



Is this even feasible, since the client computers would need to essentially be on the VPN before being able to authenticate?




I guess I could set up a site-to-site VPN connection to our office, but we have some nomadic users that are almost always mobile.


Answer



It is definitely feasible and supported to run a domain controller in Azure. It depends on what you're looking to achieve as to whether that's the best option. If you're primarily looking to manage client PC policy and provide authentication, then you generally want a DC close to the machines it services. If most of the users are in an office and you have infrastructure there, it is still a good idea to keep your DC in the office near them. The main reason to put another DC in Azure would be to service applications that you are also putting in Azure VMs that require AD authentication or directory access.



If you are looking to get away from on-premises infrastructure and still need traditional group policy and identity management, you could go with DCs in Azure and provide access via a VPN as you said. There is the site-to-site option to extend your network into Azure, or you can take a look at the new point-to-site VPN capability that allows direct VPN access into Azure using an agent installed on each client. This could work well for a small user base.



https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/



Remember too that Windows caches credentials, so as long as you get a user authenticated once through the VPN, they won't need to have it running to log in subsequently. Of course, they'll need to log in periodically to apply the latest policy, which might be enforced or encouraged through a logon script, etc.




Hope that helps.


Monday, June 25, 2018

domain name system - Is it better to set up DNS on my own server or to let my registrar handle it?






I just got a dedicated server, and was wondering if I should set up DNS on it or take advantage of my registrar's (GoDaddy) free DNS service?



Which is the better option and why?



I have a very high traffic website hosted on the server if that makes any difference.

ErrorDocument when using Apache as reverse-proxy



'evening,




I have an Apache server (2.2.19) and a 4D WebSTAR server (a kinda unknown HTTP server) on the same physical server. Apache only listens on the SSL port (443) and is used as a reverse proxy to 4DW (through an SSL VHost).



Here are the two proxy directives I use:



ProxyPass / http://127.0.0.1:xxxx/ timeout=15 connectiontimeout=15
ProxyPassReverse / http://127.0.0.1:xxxx/


Given that the 4DW server can go offline from time to time, I'd like to have a custom 503 error page to notify the users of the downtime or maintenance of the back-end app.
Except that Apache redirects everything from /htdocs/ (which is the DocumentRoot), and we need quick access to the ErrorDocument to edit it when needed (thus an external errordoc is not an option).




Is there any way to force Apache not to proxy a given directory (let's say htdocs/error/), or any solution at all as to using an errordocument outside of the DocumentRoot?



Cheers


Answer



Sure, just exclude it from the ProxyPass rules. These are evaluated in order, so make sure the exclusion is on top:



ErrorDocument 503 /error/503.html
ProxyPass /error/ !
ProxyPass / http://127.0.0.1:xxxx/ timeout=15 connectiontimeout=15
ProxyPassReverse / http://127.0.0.1:xxxx/

nginx: redirect subfolder to subdomain



I'm trying to redirect a subfolder to a subdomain in nginx. I want http://example.com/~meow/ to be redirected to http://meow.example.com/. I tried the following:



location ~ ^/\~meow/(.*)$ {
    rewrite ^(.*)$ http://meow.example.com$1 permanent;
}


But it doesn't work. It gets caught by my location block for user directories:



location ~ ^/~([^/]+)/(.+\.php)$ {
[...]
}

and


location ~ ^/\~([^/]+)/(.*)$ {
[...]
}


So, how would I do this? Oh, and I only want /~meow/ to be redirected. All other user directories should not be changed.


Answer



You could try using nested location like this




location ~ ^/\~([^/]+)/(.*)$ {
    location ~ ^/\~meow/(.*)$ {
        # send /~meow/anything to the subdomain root, dropping the /~meow/ prefix
        rewrite ^/~meow/(.*)$ http://meow.example.com/$1 permanent;
    }
    [...]
}

smtp - How Does Low Volume Affect (esp. live.com) Email Deliverability?

I've been sending emails for years without any serious reputational shocks, but with low IP volumes (no bulk mail or automated transactional email), even with multiple domain names.



My Gmail deliverability is fair, however my hotmail/outlook.com/live.com and mail.com deliverability is poor, invariably being accepted, then confined to the Spam folder.




My sender host's rDNS is appropriately set, I'm a member of the JMRP and SNDS programs, send mail which receives a "PASS" for both SPF and DKIM and I have a SenderScore of 100...



Short of paying to register for Return Path Certified (which would presumably fail because of the multiple domain names) can anyone offer any advice as to where one might look for clues as to what's holding me back?

storage - HP Smart Array P822 w. Dual D2700 - cabling for best performance




Reading the D2600/D2700 User guide, there's a section called "Cabling examples", but none of the examples match what we intend to do.



I just want to make sure that it makes sense, before we do it.



So here's the plan:



We have 1 x P822 in a Gen8 rack server and 2 x D2700 enclosures. We have 24 drives in each D2700. Both D2700s are configured with the exact same disk layout. We create one RAID10 array on top of the D2700 enclosures (meaning one side of the mirror is on each D2700 enclosure; the HP ACU/SSM automatically makes sure of this).



We then connect the P822 controller with 4 cables in total to the D2700 enclosures (NO cascading):




P822 Port 1E: D2700 box1, IO Module A
P822 Port 2E: D2700 box2, IO Module A
P822 Port 3E: D2700 box1, IO Module B
P822 Port 4E: D2700 box2, IO Module B



Not thinking about the expansion options here, would this be the correct way of cabling, in terms of getting maximum performance from the drives/enclosures/p822 controller?



Thanks :)




EDIT: So what I'm reading from the comments so far, is that this approach is not "WRONG/INCORRECT", it's just not really beneficial in any way?...


Answer



I have lots of full D2700 enclosures... You will be oversubscribed at the enclosure level, due to the SAS expander backplane in the D2700. You'll have either 4 or 8 lanes of 6Gbps bandwidth available to you.



24 x 6Gbps-linked SAS disks, each really capable of 2Gbps == 48Gbps sequential capability (minus overhead).



That's versus your 4 x 6Gbps = 24Gbps SAS SFF-8088 link to the host.



You should be looking into a Dual-Domain configuration, where you're leveraging the multipath SAS connections between the host and the array and disks. This also provides some resiliency.




IOPS will be a function of workload and array layout, not the cabling arrangement.



Max throughput will be well below the PCIe 3.0 full-duplex 8 Gigabytes/second capability of the PCIe slot. The bottlenecks in raw throughput will be your D2700 enclosure, followed by the RAID controller.



There's no cabling arrangement that will yield an appreciable difference in that throughput, short of going to a dual-domain multipath configuration.


Saturday, June 23, 2018

Mysql takes a lot of time to restore backup for test environment. How to work around it?



On a MySQL 5.1 Enterprise server db-dump takes a lot of time. I would like to reduce the amount of time to restore the db-dump or to be able to quickly go back to a known state. This machine is used for testing. So let's say we have a DB dump at point A. I do some changes to the DB with an application and after a while I want to go back to the same DB dump. I have the following options.




  • Delete everything and start with a fresh db-dump restore; takes about 14 hours

  • Use a backup of the entire mysql folder




Do I have any other options? Some way to quickly get back to state A, or to speed up my db-dump? I will try to provide you with more details if you ask (I am not sure what I should be putting here).


Answer



As 3molo suggested, another option is to run your test server as a virtual machine.



Set up your test machine VM with the initial conditions of the test you want to run, take a snapshot and then run your tests. If you want to get back to a clean test setup, use the snapshot to revert the state of the whole VM.


linux - fsck on LVM snapshots



I'm trying to do some file system checks using LVM snapshots of our Logical Volumes to see if any of them have dirty file systems.



The problem that I have is that our LVM only has one Volume Group with no available space. I was able to do fscks on some of the logical volumes using a loopback file system. However, my question is: is it possible to create a 200GB loopback file system and save it on the same partition/logical volume that I'll be taking a snapshot of? Is LVM smart enough to not take a snapshot copy of the actual snapshot?



[root@server z]# vgdisplay
  --- Volume group ---
  VG Name               Web2-Vol
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  29
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                6
  Open LV               6
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               544.73 GB
  PE Size               4.00 MB
  Total PE              139450
  Alloc PE / Size       139450 / 544.73 GB
  Free  PE / Size       0 / 0
  VG UUID               BrVwNz-h1IO-ZETA-MeIf-1yq7-fHpn-fwMTcV


[root@server z]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             9.7G  3.6G  5.6G  40% /
/dev/sda1             251M   29M  210M  12% /boot
/dev/mapper/Web2--Vol-var
                       12G  1.1G   11G  10% /var
/dev/mapper/Web2--Vol-var--spool
                       12G  184M   12G   2% /var/spool
/dev/mapper/Web2--Vol-var--lib--mysql
                       30G   15G   14G  52% /var/lib/mysql
/dev/mapper/Web2--Vol-usr
                       13G  3.3G  8.9G  27% /usr
/dev/mapper/Web2--Vol-z
                      468G  197G  267G  43% /z
/dev/mapper/Web2--Vol-tmp
                      3.0G   76M  2.8G   3% /tmp
tmpfs                 7.9G   92K  7.9G   1% /dev/shm


The logical volume in question is /dev/mapper/Web2--Vol-z. I'm afraid that if I create the loopback file system in /dev/mapper/Web2--Vol-z and take a snapshot of it, the disk usage will be tripled, thus running out of available disk space.


Answer





However my question is, is it possible to create a 200GB loopback file system, and save it on the same partition/logical volume that I'll be taking a snapshot of?




No, not if it is based on a file on the same LV that you are taking the snapshot of. The underlying block device will be constantly changing and will result in an infinite loop, terminated by loop device exhaustion.



You could, depending on amount of changes to the filesystems (and amount of available RAM and/or disk-space), either create a loop device on /dev/sda2 or on another LV or use ramdisk. However, the preferred way is to make some free space in the VG.



Also, make sure the snapshot is allocated on the temporary PV (pass the PV path to lvcreate) and no other data are saved there, or they will be lost. I am not sure the pvcreate and subsequent snapshot operation could be made a single atomic operation.

Ask on #lvm IRC channel on freenode.




Is LVM smart enough to not take a snapshot copy of the actual snapshot?




I would not say it is not smart enough; it is just not suitable for the use case. It knows nothing about files or filesystems, works on block devices, and the snapshot just mirrors any modified block, including the loop file's.


linux - Squid 2.7 : display custom error page on deny connect (503)

After some research, I finally managed to apply our company's blocked sites list to https/ssl websites using a "deny CONNECT" acl.



However, when a user tries to access a blocked website, he only sees the default 503 error page from his browser, instead of our standard access denied page.



Is there any way to configure Squid to display an error page instead of the browser's error page?

samba - CIFS Mounting Permissions

I have an issue that I'm going round in circles with; I hope you can help.



The Set up:



Server 1 (CIFS Client) - CentOS 6.3, AD integrated using Samba/Winbind & idmap_ad

Server 2 (CIFS Server) - CentOS 6.3, AD integrated using Samba/Winbind & idmap_ad



All users (apart from root) are AD authenticated and this, including groups, etc works happily.



What's working:



I have created a share on Server 2:



[share2]
    path = /srv/samba/share2
    writeable = yes


Permissions on the share:



drwxrwx---. 2 root domain users 4096 Oct 12 09:21 share2


I can log into a Windows machine as user5 (member of domain users) and everything works as it should, for example: If I create a file it shows the correct permissions and attributes on both the MS and the Linux sides.




Where I Fall Down:



I mount the share on Server 1 using:



# mount //server2/share2 /mnt/share2/ -o username=cifsmount,password=blah,domain=blah


Or using fstab:



//server2/share2     /mnt/share2            cifs    credentials=/blah/.creds        0 0



This mounts fine, but....



If I su, or log onto server 1 as a normal user (say user5) and try to create a file I get:



#touch test
touch test
touch: cannot touch `test': Permission denied



Then if I check the folder the file was created but as the cifsmount user:



-rw-r--r--. 1 cifsmount domain users    0 Oct 12 09:21 test


I can rename, delete, move or copy stuff around as user5, I just can't create anything, what am I doing wrong?



I'm guessing it's something to do with the mount action as when I log onto server2 as user5 and access the folder locally it all works as it should.




Can anyone point me in the right direction?

Thursday, June 21, 2018

Poor software raid10 read performance on Linux

I've recently set up a new Linux-based file server. The distribution I'm using is Ubuntu 10.10. I've created two software raid devices as follows:



mc@vmr:~$ cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sdf1[1] sdh1[3] sde1[0] sdg1[2]
      19530688 blocks [4/4] [UUUU]

md1 : active raid10 sdh3[3] sdf3[1] sde3[0] sdg3[2]
      1912461184 blocks 64K chunks 2 near-copies [4/4] [UUUU]



Device /dev/md0 (raid1) is mounted on "/" and /dev/md1 (raid10) is mounted on "/home".
Unfortunately the performance of my raid10 is deeply unsatisfying.
Here is the performance of each single HDD:



mc@vmr:~$ sudo hdparm -t /dev/sdh3
/dev/sdh3:
 Timing buffered disk reads: 410 MB in 3.00 seconds = 136.57 MB/sec

mc@vmr:~$ sudo hdparm -t /dev/sdf3
/dev/sdf3:
 Timing buffered disk reads: 402 MB in 3.01 seconds = 133.60 MB/sec

mc@vmr:~$ sudo hdparm -t /dev/sde3
/dev/sde3:
 Timing buffered disk reads: 418 MB in 3.01 seconds = 139.10 MB/sec

mc@vmr:~$ sudo hdparm -t /dev/sdg3
/dev/sdg3:
 Timing buffered disk reads: 406 MB in 3.00 seconds = 135.32 MB/sec


So naturally I was expecting read performance around 260 MB/sec, but instead I've got this:



mc@vmr:~$ sudo hdparm -t /dev/md1
/dev/md1:
Timing buffered disk reads: 172 MB in 3.04 seconds = 56.64 MB/sec



Firstly I've assumed that hdparm testing method is not to be 100% trusted so I did kind of real-world read test and performance was still not as expected (random.bin is placed on raid10):



mc@vmr:~$ dd if=random.bin of=/dev/null bs=256k
38800+0 records in
38800+0 records out
10171187200 bytes (10 GB) copied, 96.3874 s, 106 MB/s


Lastly I would like to share that the read performance of raid1 is exactly as expected:




mc@vmr:~$ sudo hdparm -t /dev/md0
/dev/md0:
Timing buffered disk reads: 412 MB in 3.01 seconds = 136.91 MB/sec


Has anyone come across a problem like this? Any clues?

Wednesday, June 20, 2018

apache 2.4 - Scandinavian characters get messed up in Shibboleth SP header attributes




I have Shibboleth SP 2.5 with Apache 2.4 in front of Domino 9.0.1 server on Windows server 2008 R2.



This is the beginning of the incoming SAML message from Shibboleth SP debug log:






And here is an attribute value from the same log:




Mäkelä Test


Attributes are passed as HTTP headers to Domino. In a Domino form I do @GetHTTPHeader("cn") to get that attribute value, and I get




Mäkelä Test




In the Shibboleth SP configuration I haven't set a character set anywhere, and I believe it should always be UTF-8.




My Apache proxy configuration looks like this:



ServerName my.test.fi:8443
UseCanonicalName On
ProxyPass / http://my.test.fi/


I have tried these:




ProxyHTMLMeta On
RequestHeader unset Accept-Encoding
AddDefaultCharset utf-8
CharsetSourceEnc UTF-8
CharsetDefault UTF-8


In the Domino Web Site document I have "Use UTF-8 for output" set to "Yes" and the form character set is set to UTF-8. Domino response headers include this:



Content-Type:text/html; charset=UTF-8



For me it looks like the characters are already messed up when they arrive from Shibboleth SP/Apache to Domino. Any ideas how to fix this?


Answer



The solution is to use an XPage in Domino. This Server Side JavaScript (SSJS) code returns Scandinavian characters correctly:



facesContext.getExternalContext().getRequestHeaderMap().get("cn");
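The symptom in this question is a UTF-8 header value being read as ISO-8859-1 on the consuming side. The following is an added illustration (not code from the question or from Shibboleth/Domino) that reproduces the mangling with the "Mäkelä Test" value from the question and shows the single correct decode, plus a repair for strings that have already been mis-decoded:

```python
"""UTF-8 header attributes misread as ISO-8859-1 (Shibboleth SP -> Apache -> Domino).

Added illustration, not code from the question or from Shibboleth/Domino.  The SP
writes the SAML attribute into a request header as UTF-8 bytes; a consumer that
treats header bytes as ISO-8859-1 (the legacy HTTP default) shows "Mäkelä" as
"MÃ¤kelÃ¤".  The fix is to decode the header bytes as UTF-8 exactly once, or to
reverse the wrong decode step if only the mangled string is available.
"""


def header_bytes(attribute: str) -> bytes:
    """What actually travels in the header: the attribute value encoded as UTF-8."""
    return attribute.encode("utf-8")


def read_as_latin1(raw: bytes) -> str:
    """A consumer decoding header bytes as ISO-8859-1 produces mojibake for non-ASCII."""
    return raw.decode("iso-8859-1")


def read_as_utf8(raw: bytes) -> str:
    """The correct consumer: decode the header bytes as UTF-8, once."""
    return raw.decode("utf-8")


def repair_mojibake(text: str) -> str:
    """Undo a UTF-8 -> ISO-8859-1 mis-decode.

    Re-encoding as ISO-8859-1 recovers the original bytes; decoding those as UTF-8
    yields the intended text.  Text that was already correct (or genuine Latin-1)
    is either not representable as Latin-1 or not valid UTF-8 afterwards, so it is
    returned unchanged instead of being mangled a second time.  Strings that happen
    to be valid under both interpretations cannot be told apart by this check.
    """
    try:
        return text.encode("iso-8859-1").decode("utf-8")
    except UnicodeError:
        return text


def is_mojibake(text: str) -> bool:
    """True only if the Latin-1 -> UTF-8 reinterpretation succeeds and changes the text."""
    return repair_mojibake(text) != text


if __name__ == "__main__":
    wire = header_bytes("Mäkelä Test")              # constructed sample value
    print(read_as_latin1(wire))                    # MÃ¤kelÃ¤ Test
    print(repair_mojibake(read_as_latin1(wire)))   # Mäkelä Test
```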

iis - IIS10 URL Rewrite 2.1 double encoding issue



I have an IIS10 server with ARR 3.0 and URL Rewrite Module 2.1 that acts as a reverse proxy for several other web servers. The other servers run on different ports, so the IIS10 server provides 'friendly URLs' on port 80. URL rewriting is used to hand the request off to the back-end server.



One such server is Jenkins.




Jenkins has a warning message that tells you if the reverse proxy is well configured (more details here), and this warning message helped me find an issue in my reverse proxy.



The issue is that URL Rewrite is decoding and encoding my URLs in a way that by the time they reach Jenkins they are different from what the browser requested.



Example:



URL Rewrite Rule:




















When sending the following URL:



https://jenkins.mydomain/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fjenkins.mydomain%2Fmanage%3F



I noticed that the encoded characters were being decoded before triggering the rule, making {R:1} look like this:
/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https:/jenkins.mydomain/manage/




After some research I found out that I could use {UNENCODED_URL} instead of {R:1} to get the request string before the decoding, so I adjusted my rule action:





Unfortunately the URL Rewrite is encoding the URL again after my Rewrite, making the URL received by Jenkins double encoded:



/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%253A%252F%252Fjenkins.mydomain%252Fmanage%253F



Short summary:




When you look at this URL:
/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fjenkins.mydomain%2Fmanage%3F



What we have is:
/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/



where = https%3A%2F%2Fjenkins.mydomain%2Fmanage%3F



The slash characters in are encoded so that Jenkins can know what is part of the path and what is .




This means that, when the URL Rewrite Decodes the URL, gets mixed with the rest of the path.



The desired result is getting the URL exactly as the browser sent it but pointing to the localhost:



http://localhost:8080/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fjenkins.mydomain%2Fmanage%3F



Is there any way to disable these decoding/encoding operations that the URL Rewrite Module is doing?



PS: I found a blog post regarding URL Rewrite v2.1 features, and it says that there is a new flag that can be used to disable this behaviour, but I have no clue on how or where to set it.





In URL Rewrite versions prior to v7.1.1980, when one tries to use
UNENCODED_URL, URL Rewrite will encode it which may lead to double
encoding if the original URL was already encoded. This is in violation
of section 2.4 of RFC3986, which says "Implementations must not
percent-encode or decode the same string more than once, as decoding
an already decoded string might lead to misinterpreting a percent data
octet as the beginning of a percent-encoding, or vice versa in the
case of percent-encoding an already percent-encoded string." It also
made the use of UNENCODED_URL impractical, especially in reverse
forwarder scenarios with ARR where the backend servers expect the URL
to be passed unmodified.



In v7.1.1980, we are adding a feature flag, useOriginalURLEncoding
that allows you to turn off this non-compliant URL Encoding when set
to true. The default behavior will remain unchanged
(useOriginalURLEncoding is true by default).





Does anyone here have any idea of how to do it?


Answer



I managed to fix the issue, by setting useOriginalURLEncoding = false described in the post I referenced in the question.



To set the flag, go to IIS Manager, then select Configuration Editor and go to the section system.webServer/rewrite/rules, where you will find the useOriginalURLEncoding flag.



Set the flag to false, and URL Rewrite will no longer encode the URLs when using the {UNENCODED_URL} variable in the rules.
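The three behaviours described in this question (decode-then-forward with {R:1}, re-encoding of {UNENCODED_URL}, and the desired unmodified pass-through) can be reproduced outside IIS. The following added example (not code from the question or from URL Rewrite/ARR) runs them over the Jenkins monitor URL from the question and includes the RFC 3986 section 2.4 check a proxy operator would want:

```python
"""Percent-encoding in a reverse proxy, after the URL Rewrite/ARR case above.

Added example; not code from the question or from IIS URL Rewrite.  It reproduces,
in plain Python, the three behaviours the question describes for the Jenkins
monitor URL: decoding the path before matching ({R:1}), re-encoding an already
encoded path ({UNENCODED_URL} before the useOriginalURLEncoding flag), and the
pass-through that RFC 3986 section 2.4 requires.  The backend origin
http://localhost:8080 is the one named in the question.
"""
import re
from urllib.parse import quote, unquote

# The request target exactly as the browser sent it (taken from the question).
ORIGINAL_PATH = (
    "/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/"
    "testForReverseProxySetup/https%3A%2F%2Fjenkins.mydomain%2Fmanage%3F"
)

# A percent sign that was itself percent-encoded shows up as "%25" + two hex digits.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def rewrite_decoding(path: str) -> str:
    """Behaviour 1 ({R:1}): the path is decoded once before it is forwarded.

    The %2F inside the last segment become real slashes, so the backend can no
    longer tell where its own path ends and the embedded URL begins.
    """
    return unquote(path)


def rewrite_reencoding(path: str) -> str:
    """Behaviour 2 ({UNENCODED_URL} on older URL Rewrite): the raw target is
    percent-encoded a second time, turning every '%' into '%25'."""
    return quote(path, safe="/")


def rewrite_passthrough(path: str, backend: str = "http://localhost:8080") -> str:
    """Behaviour 3 (desired): prepend the backend origin and touch nothing else."""
    return backend + path


def is_double_encoded(path: str) -> bool:
    """Heuristic check for the %25XX signature left behind by encoding twice.

    A literal percent sign that was legitimately encoded once ("100%25") also
    matches, so treat a hit as something to inspect rather than as proof.
    """
    return DOUBLE_ENCODED.search(path) is not None


def segment_count(path: str) -> int:
    """Number of path segments; decoding %2F changes this, which is the whole problem."""
    return len(path.strip("/").split("/"))


if __name__ == "__main__":
    print(rewrite_decoding(ORIGINAL_PATH))
    print(rewrite_reencoding(ORIGINAL_PATH))
    print(rewrite_passthrough(ORIGINAL_PATH))
```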


mysql - unable to kill and exit a large insert query properly

I have a large insert into statement that takes a long time to complete, so I killed it, but then it just sits in the processlist with status Killed, and then I'm unable to restart mysql properly. I have to reboot. It happens every time. Please see the log trace below. How do I handle this kind of situation?




mysql> show processlist;

+----+------+--------------------+--------------+---------+------+--------+------------------------------------------------------------------------------------------------------+
| Id | User | Host | db | Command | Time | State | Info |
+----+------+--------------------+--------------+---------+------+--------+------------------------------------------------------------------------------------------------------+ |
| 6 | root | 127.0.0.1:49971 | xxxxxx | Killed | 826 | update | insert ignore into xxxxxx.xxxxxxs_tmp2 (xxxxxx, reshoot) values ('xxx.xxx',1),('0- |
| 7 | root | localhost | xxxxxx | Query | 0 | NULL | show processlist |
+----+------+--------------------+--------------+---------+------+--------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.01 sec)

mysql> quit
Bye

[root@x-xxx-x-xx ~]# service mysqld restart
mysqld: unrecognized service
[root@x-xxx-x-xx ~]# service mysql restart
Shutting down MySQL.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ERROR!
ERROR! Failed to stop running server, so refusing to try to start.
[root@x-xxx-x-xx ~]# service mysql status
SUCCESS! MySQL running (4465)
[root@x-xxx-x-xx ~]# mysql -u root -xxxxx
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)



I'm guessing it's because it's trying to roll back all the rows that it inserted. Is this right? Here's the mysql error log:




110209 19:59:33 [Note] Event Scheduler: Purging the queue. 0 events
110209 19:59:34 InnoDB: Starting shutdown...
110209 20:09:15 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
110209 20:09:16 [Warning] options --log-slow-admin-statements, --log-queries-not-using-indexes and --log-slow-slave-statements have no effect if --log_slow_queries is not \
set
110209 20:09:16 [Note] Plugin 'FEDERATED' is disabled.

InnoDB: The InnoDB memory heap is disabled
InnoDB: Mutexes and rw_locks use GCC atomic builtins
InnoDB: Compressed tables use zlib 1.2.3
110209 20:09:16 InnoDB: Using Linux native AIO
110209 20:09:16 InnoDB: Initializing buffer pool, size = 6.0G
110209 20:09:17 InnoDB: Completed initialization of buffer pool
110209 20:09:17 InnoDB: highest supported file format is Barracuda.
110209 20:09:19 InnoDB: 1.1.4 started; log sequence number 16772431917
110209 20:09:20 [Warning] 'proxies_priv' entry '@ root@xx-xxx-xx-xx' ignored in --skip-name-resolve mode.
110209 20:09:20 [Note] Event Scheduler: Loaded 0 events

110209 20:09:20 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.5.8' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Server (GPL)
110209 20:13:47 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
110209 21:07:07 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
110209 21:07:08 [Warning] options --log-slow-admin-statements, --log-queries-not-using-indexes and --log-slow-slave-statements have no effect if --log_slow_queries is not \
set
110209 21:07:08 [Note] Plugin 'FEDERATED' is disabled.
InnoDB: The InnoDB memory heap is disabled
InnoDB: Mutexes and rw_locks use GCC atomic builtins
InnoDB: Compressed tables use zlib 1.2.3

110209 21:07:08 InnoDB: Using Linux native AIO
110209 21:07:08 InnoDB: Initializing buffer pool, size = 6.0G
110209 21:07:09 InnoDB: Completed initialization of buffer pool
110209 21:07:10 InnoDB: highest supported file format is Barracuda.
InnoDB: Log scan progressed past the checkpoint lsn 16798669157
110209 21:07:11 InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...

InnoDB: Doing recovery: scanned up to log sequence number 16803911680
InnoDB: Doing recovery: scanned up to log sequence number 16809154560
InnoDB: Doing recovery: scanned up to log sequence number 16813133382
InnoDB: 1 transaction(s) which must be rolled back or cleaned up
InnoDB: in total 219970 row operations to undo
InnoDB: Trx id counter is 1400
110209 21:07:20 InnoDB: Starting an apply batch of log records to the database...
InnoDB: Progress in percents: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 5\
0 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99
InnoDB: Apply batch completed

InnoDB: Starting in background the rollback of uncommitted transactions
110209 21:13:34 InnoDB: Rolling back trx with id 1200, 219970 rows to undo

InnoDB: Progress in percents: 1110209 21:13:34 InnoDB: 1.1.4 started; log sequence number 16813133382
2110209 21:13:34 [Warning] 'proxies_priv' entry '@ root@xx-xxx-xx-xx' ignored in --skip-name-resolve mode.
3 4110209 21:13:35 [Note] Event Scheduler: Loaded 0 events
110209 21:13:35 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.5.8' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Server (GPL)
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46

Tuesday, June 19, 2018

Optimizing Server Architecture with Apache/Varnish/MySQL on Linux



I am a server administrator for a small start-up as a side venture (meaning I am by no means a well seasoned expert on the subject), and I recently helped move the site from a single windows machine to a cluster of machines on Rackspace Cloud.



Currently the site benchmarks at about 600 requests/second, but given the amount of resources we have allocated to it, I feel it could be much higher.




Right now we are using the Rackspace Cloud Load Balancer (Apache Zeus) in front of 8 web servers. Each web server is running Linux on a 512MB cloud instance and the content is being served by Varnish with an Apache 2 backend.



The web application itself is PHP. Apache is running in mpm-worker, and php is running in fcgi. PHP APC is enabled as well.



As for the database backend, I have two 4gb server instances serving MySQL in a Master-Master replication setup with half of the web servers pointing at each server. The application is quite database intensive, hence so many resources dedicated to the database.



Performance is usually fine, however we have had some load spikes that the existing infrastructure was unable to handle, so I dynamically increased the size of the nodes. This worked out great, but I feel that under the specific load conditions we had, I had to throw a lot more resources at the infrastructure than I had anticipated to keep the site up and fast. In my research it seems that we are using a very uncommon setup with respect to having so many separate instances of varnish, and I might need to explore the option of a caching layer.



An overview of the current architecture is drawn here (google docs link)




The pricing model of rackspace cloud is pretty linear, meaning a 1024mb server instance is exactly double the cost of a 512mb instance. As such, I am looking to maximize my performance while working within the same amount of resources (cost).



My initial thought is to remove the rackspace load balancer in favor of using a single instance of varnish in front of the apache backends, and perhaps make the apache backend be 4x 1gb instances rather than 8x 512mb instances. The cost of the load balancer is extremely cheap, so in order to justify replacing it with another dedicated server the performance gain would need to be large.



I have toyed around with the idea of HAProxy and Nginx as well, but I do not want to start blindly experimenting on a production site.



My goal is to be able to serve as close to 2000 req/s on roughly the same hardware allocation.



Edit: I had mod_pagespeed working for a while which put me up by about 100 req/s but I seemed to have a lot of issues with how it interacted with varnish.




Edit: Varnish VCL, Disk is Rackspace Cloud default (non-san, guessing SATA), Database is approximately 1.5gb currently. No swapping to disk under normal conditions. Apache processes are about 20mb each. php-cgi processes tend to chew up a lot more resources.


Answer



I would go with one high-RAM Varnish instance (check the varnish RAM usage using the varnish-tools and increase until fine) and no load-balancer (or two varnishes and a load-balancer if you want high-availability) and as many apache servers as you need... whether your app is CPU bound (more servers) or RAM bound (servers with higher MEM) is up to you.



Also playing with the cache settings (what can be cached for how long) will help.


Monday, June 18, 2018

docker - Cannot write to /etc/hosts file from Dockerfile with RUN



I am making a docker image using a pretty simple Dockerfile. Inside the Dockerfile I have this command:




RUN printf "192.92.13.243 www.hahaha.com \n" >> /etc/hosts


The command itself seems to be OK, since creation of the image does not halt at this point.



The issue is this: When running the image, the line that is supposed to have been inserted inside "/etc/hosts" is not there.



Now, I searched around and found out that before version 1.2 of docker, there was an issue with the hosts file inside the containers. In my case, I am using version 1.5, the latest as of this moment.



Am I missing something?




UPDATE 1:



There seem to be a lot of issues for this, both open and closed, in docker's github pages.


Answer



After writing the update to my question I decided to take one more hard look at the "issues" opened in github. Turns out, a workaround has been implemented:



docker run ... --add-host='server:0.0.0.0' ...



Using the --add-host argument when starting a container, it is possible to modify the hosts file.


Sunday, June 17, 2018

domain name system - Free Web Forwarding without Nameservers

I have a site running Google App Engine and using CloudFlare (a free CDN proxy, using its own nameserver).



This leaves me with no options for the root domain.
App Engine does not support naked domains, and CloudFlare doesn't support web forwarding.



All forwarding options that I've seen, including my registrar's, only work if the domain's nameservers are set to them.



Does anyone know of a free service that will send HTTP 301 (or 302) redirects without forcing me to change my nameservers?
(I'd make an A record for @ pointing to their server)

Saturday, June 16, 2018

linux - Does a Sneakernet make sense as a backup strategy?




Like many of you I am "the guy who takes care of backup" in the company. Luckily we are a software shop and most of the mission critical data are kept in a bunch of mercurial repositories. This makes it extremely easy for backup - all you need is a script to update the remote copies and clone new repos.



There are things that aren't simply version controlled however - like large parts of our server(s) configuration, email, web data etc. For that we use a combination of rsnapshot and plain rsync to a zfs snapshotted box. No matter what we use - the end result is a bunch of files on a filesystem.



Given the amount of data these can't simply be copied over the internet to our off-site backup store (which is simply a white box sitting at my home) I am toying with the idea of moving hard drives between the office and my home as an insurance against corruption to the on-site copies - whatever the cause will be.



Doing that is also very simple - for our rsnapshot backup all I need to do is to clone the MD devices which the filesystem resides on, while for the backup on ZFS we can simply do a zfs send and recv on a new disk/zpool.



Does the Sneakernet approach make sense for us? It's also useful to quickly explain the whole idea to my fellow workmates. :)




p.s. English is not my first language so don't be alarmed if you see broken grammar above :)


Answer



Ultimately, after all the various electronic methods, most major corporations have their backup tapes/disks taken by hand off-site for long-term storage. I myself rotate a bunch of firewire-connected hard disks that I backup my various machines to into and out of a safety deposit box every few weeks. So yes, 'sneakernet' is a good way of dealing with backup in my opinion.


Friday, June 15, 2018

win2008 R2 server core software RAID



I am trying to set up software raid on a win2008 R2 server core. I have the disks configured as dynamic. In the server manager gui, I can see the disks, but when I right click, the option to set up "new mirrored volume" is not listed. I tried it with the command line using diskpart, and it gives the error "Virtual Disk Service Error: The size of the extent is less than the minimum." The drives are a new pair of 1TB disks.



Is this not supported in server core, or am i missing something else?



Thank you


Answer



FYI, I gave up on this after about a month and never found a solution. I reimaged the box to a full install (non-server core) and everything just worked. It seems to me so far that server core adds a lot of administrative overhead without adding much benefit.



linux - Hardening Apache server








I want to learn about hardening and securing Apache server. Can anybody suggest a very detailed web resource to me? I also want to learn the history of different vulnerabilities that have existed in Apache, possible attacks against them and how to mitigate them. I require this for both Windows and Linux platforms. Anything else which you think I should know from a security perspective is welcome. (I am a student. I don't have industry experience. This question has been asked before but I think the answers are for working professionals.)

Thursday, June 14, 2018

hardware - HP ProLiant DL180 G6 refuses to boot




My HP ProLiant DL180 G6 died on me during the night. Sadly during a raid-5 to raid-6 rebuild so my data may or may not be lost. That's next but first, the server won't boot.



Problem details:




  • Front LED is solid green, but it always is until POST anyway.

  • BMC indicator LED on the motherboard is flashing green.

  • Fans spin to maximum.

  • Power supply LED is green on the back side.


  • No VGA output.

  • No Num Lock response on keyboard.



I have tried the following:




  • Pulled all RAM but one stick - nothing

  • Tried different RAM - nothing

  • Re-seated the CPU - nothing


  • Pulled the HBA controller - nothing

  • Pulled the TPS board - nothing

  • Pulled power to all disks - nothing

  • Different power supply - nothing

  • Tried every setting of the J26 jumper. Clear CMOS and Recovery BIOS had no effect. Recovery BMC made the BMC LED go solid green and the fans spun even faster but then nothing, and RTC reset turned on the UUID LEDs, didn't spin the fans and then nothing.



Any ideas what could be the problem? Faulty CPU? Faulty motherboard?


Answer



Realized I never answered my own question here. After much troubleshooting, I measured the individual voltage rails and realized +5 V was missing. Turns out the PSU backplane does not just MOSFET-diode-OR the voltages from the power supplies together, since the PSUs only produce +12 V to start with, and the +5 V buck converter failed with the high side FET open.




The raid rebuild was a disaster. So much data lost...


HP ProLiant ML310e G8 v2 ssd




I have a HP ProLiant ML310e G8 v2 with Intel® Xeon® E3-1220v3 3.10GHz processor and I'd like to upgrade the storage to a SSD one.



Currently I have two Non-SSD hard drives that I've configured RAID 1 and I'd like to create a separate RAID 1 but with SSDs.



What kind of SSDs should I take:




  1. 2 x Solid State Drive (SSD) Intel 540s Series, 1.0TB, M.2 80mm, SATA III

  2. 2 x Solid State Drive (SSD) Intel 540s Series, 1.0TB, 2.5'', SATA III

  3. 2 x Solid State Drive (SSD) Samsung MZ-7KE1T0BW, 2.5", 1TB, SATA III




I'm not sure if the HP ProLiant ML310e G8 v2 is compatible with Solid State Drive (SSD) Intel 540s Series, 1.0TB, M.2 80mm, SATA III



See also this question, which faces some issues with an SSD drive.


Answer



You should check the RAID controller model; the vendor's manual will mention the types of disks it supports and whether it can handle another RAID.


Cron jobs not running

Can anyone provide insight into why my cron jobs are not running? I have tried simple jobs, like a date/time job, and it works.



Below is an example of what I am trying to run:



# Begin Whenever generated tasks for: taxscribe
0 0,6,12,18 * * * /bin/bash -l -c 'cd /home/deploy/taxscribe/releases/20110311205859 && RAILS_ENV=production rake informer:sync:submitted --silent'

0 * * * * /bin/bash -l -c 'cd /home/deploy/taxscribe/releases/20110311205859 && RAILS_ENV=production rake informer:sync:extensions --silent'


0 * * * * /bin/bash -l -c 'cd /home/deploy/taxscribe/releases/20110311205859 && RAILS_ENV=production rake informer:sync:accounts --silent'

# End Whenever generated tasks for: taxscribe


Thanks for your help.

Wednesday, June 13, 2018

New Dell PE R710 - Storage



Dell PE R710, received from Dell in the following state :



Windows Disk 0 1800GB ( Volume C & D )

Windows Disk 1 526 GB (Volume E )



Perc6i Integrated Raid Controller
6 x 500GB Nearline SAS 7200RPM HDDs



Raid 5 Configuration with two Virtual Disks



I have installed Dell OpenManage and it shows the following:



Virtual Disk 0 - State : Background Initialization ( 7% )

Virtual Disk 1 - State : Background Initialization ( 25% )



Now when I click on Virtual Disk 0 it shows me all 6 Disks and the same happens when I click on Virtual Disk 1 it displays all 6 disks.



But when I click on Storage > Perc6i > Connector 0 > I get 4 Physical disks with the following numbers :



Physical Disk 0:0:0
Physical Disk 0:0:1
Physical Disk 0:0:2
Physical Disk 0:0:3




When I click on Storage > Perc6i > Connector 1 > I get 2 Physical Disks Listed in the following way :



Physical Disk 1:0:4
Physical Disk 1:0:5



I am a little confused by this description. Does 1:0:4 translate to Controller 1, Disk 4? Does this integrated raid card have two controllers coming out of it?



Also, when I first switched on the machine, the boot partition was showing 1GB available out of 40GB; now it's showing 38GB available out of 40GB.




Is this because the Virtual Disks are still Initializing ?
Any recommendations or suggestions ?



Also, this server has 6 x 500GB NearLine SAS hard drives; what would be a good raid config?



We are planning to use it for Hyper-V with quite a few (7 or 8) virtual servers, your suggestions would be helpful.



Also, while the virtual disks are in an initialization state, can I destroy and re-create the raid configuration? Would I have to do it at the BIOS with CTRL-M?


Answer





I am a little confused by this description. Does 1:0:4
translate to Controller 1, Disk 4? Does
this integrated raid card have two
controllers coming out of it?




I think that it is still technically one controller. EDIT: @techieb0y has the right answer to this part of the question below.




Also, When I first switched on the

machine, the boot partition was
showing 1GB Available out of 40GB, now
its showing 38GB available out of
40GB.



Is this because the Virtual Disks are
still Initializing ?




Yes.





Any
recommendations or suggestions ?




Wait until they are finished initializing.




Also, this server has 6 x 500GB
NearLine SAS hard drives; what would
be a good raid config?




This really depends on your needs, and I am sure there are many threads here on ServerFault that talk about the benefits and drawbacks of various RAID configurations in various scenarios. What is most important to you? Safety? Speed? Maximum volume? When I'm in doubt, I usually stick with a RAID5, cause it offers a good combination of performance and safety.




We are planning to use it for Hyper-V
with quite a few (7 or 8) virtual
servers, your suggestions would be

helpful.




Depending on how much RAM and CPU you have, and depending on what you are doing with these systems, that might not be that many at all. I've run as many as 30 simultaneous VMs on my similarly spec'd hosts (although running VMware ESX and not Hyper-V). But those VMs have all been "light-duty" machines that aren't heavily utilized.




Also, while the virtual disks are in a
initialization state, can I destroy
and re-create the raid configuration ?





Yes, I've done this many times on my R710s with no ill-effects. Just make sure you do a new initialization before using them.




I would have to do it at the BIOS
CTRL-M ?




Yes, as far as I know, this is the only way to do it. There might be others though, I haven't looked for any alternatives.




Hope this helps. Good luck,



--jed


apache 2.2 - too many 408 error codes in access log



The Apache access log is showing too many 408 error codes, nearly 400 per day.



x-x-x-x - - [25/Apr/2012:22:43:06 -0600] "-" 408 0 "-" "-"



There are around 400 of these kinds of requests from different IP addresses.



I don't know if this is the reason for spawning too many children; sometimes it nears 624 children, and that too with just a handful of users. How can I figure out the exact cause? We are using PHP and MySQL (connections: 800), with the following settings:

  • enabled: tcp_tw_reuse
  • syn_retries: 2
  • syn_ack_retries: 3
  • fin_timeout: 30
  • apache timeout: 15
  • keepalive: on
  • keepalive timeout: 7
  • max_spare: 40
  • min_spare: 25
  • requestperchild: 4000
  • MAX_CLIENTS: 800


Answer



You set the Timeout to 15? Why?



HTTP 408 is "Request Timeout"



Basically it occurs when the client connect()s, but doesn't send any data before the Timeout.





10.4.9 408 Request Timeout



The client did not produce a request within the time that the server
was prepared to wait. The client MAY repeat the request without
modifications at any later time.



RFC2616 §10





Change your Timeout back to the default value of 300, and stop trying to prematurely optimise your system.
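Before changing Timeout, it helps to know which clients produce the 408s and how much idle worker time they are holding. The following added example (not code from the question or answer) parses constructed access-log lines in the same shape as the one in the question, counts 408s per client and per hour, and converts the count into worker-seconds held at the 15-second Timeout the question mentions:

```python
"""Counting HTTP 408s per client in an Apache access log.

Added example, not code from the question or answer.  The log lines below are
constructed in the same combined-log shape as the line in the question (the
request line and referer/agent fields are "-" because the client never sent a
request before Timeout expired); the addresses come from the RFC 5737
documentation ranges.  Each 408 represents a worker held idle for the full
Timeout, which is how a "handful of users" can still pin hundreds of children.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2012:22:43:06 -0600] "-" 408 0 "-" "-"
203.0.113.5 - - [25/Apr/2012:22:43:21 -0600] "-" 408 0 "-" "-"
198.51.100.7 - - [25/Apr/2012:22:43:30 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2012:22:44:02 -0600] "-" 408 0 "-" "-"
192.0.2.9 - - [25/Apr/2012:23:05:10 -0600] "-" 408 0 "-" "-"
198.51.100.7 - - [25/Apr/2012:23:06:00 -0600] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one combined-log line into a dict, or return None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize_408(log_text: str) -> dict:
    """Count 408 responses overall, per client address and per hour.

    'empty_request' counts 408s whose request line is "-": the client opened a
    connection and sent nothing, which is the pattern the question shows.
    """
    per_ip, per_hour = Counter(), Counter()
    total = empty = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 408:
            continue
        total += 1
        per_ip[rec["ip"]] += 1
        per_hour[rec["time"].strftime("%Y-%m-%d %H")] += 1
        if rec["request"] == "-":
            empty += 1
    return {"total": total, "empty_request": empty, "per_ip": per_ip, "per_hour": per_hour}


def top_offenders(per_ip: Counter, min_count: int = 2) -> list:
    """Clients with at least min_count 408s, most frequent first."""
    return [ip for ip, n in per_ip.most_common() if n >= min_count]


def worker_seconds_held(total_408: int, timeout_seconds: int) -> int:
    """Idle worker time consumed: each 408 occupied a child for the full Timeout."""
    return total_408 * timeout_seconds


if __name__ == "__main__":
    summary = summarize_408(SAMPLE_LOG)
    print(summary["total"], "x 408 from", top_offenders(summary["per_ip"]))
    print(worker_seconds_held(summary["total"], 15), "worker-seconds idle at Timeout 15")
```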


active directory - Forest trust on the same subnet to migrate users

Wondering if anyone could offer some advice on something. I have a domain that desperately needs to be upgraded. Typically, one would add a new DC with a reduced functional level to the domain, transfer roles, remove the old DC, raise the functional level and be done with it but I am left in a situation where I cannot adprep or forestprep the existing domain controller due to ages of mismanagement and poor maintenance leaving broken/untouchable objects in AD. I have tried every fix I could find even resorting to trying to make manual changes to the AD hive. Admittedly, this is probably how my predecessor broke it in the first place :/



My alternative option is now to create a fresh, new domain as we have a small environment. What I would like to do is create a trust between the old forest and new forest (2003 R2 and 2012 R2) and use ADMT to migrate/copy users with their sIDHistory to the new domain in the new forest so everyone can just keep their existing profiles.



The problem I can't seem to climb over is how to establish the trust between the two forests without having separate networks. The new DC can see the other forest to trust it but the old DC cannot see the new forest to reciprocate the trust relationship. This might be obvious to someone accustomed to managing corporate mergers as opposed to only managing existing infrastructure. I have a feeling this has to do with advertised services/DNS but I'm probably not correct and find myself on a tangent chasing loosely related solutions.



I have also played with the idea of converting everyone's domain profiles to local profiles, joining them to the new domain and then converting their profiles back to domain profiles. Would this in effect present the same requirement of the user accounts on the new domain needing the sIDHistory?




Thank you in advance for any advice.

Sunday, June 10, 2018

linux - perl application won't start in apache when running as a service



I have installed Netdisco, which is a Perl-based network discovery tool.




When I run httpd from a terminal prompt as root, it works fine.



When I try and start Apache as a service (service httpd start), I get the following error(s):



Starting httpd: [Mon Apr 23 19:45:48 2012] [warn] module perl_module is already loaded, skipping
[Mon Apr 23 19:45:48 2012] [warn] module apreq_module is already loaded, skipping
Syntax error on line 22 of /etc/httpd/conf/netdisco_apache.conf:
Can't locate netdisco.pm in @INC (@INC contains: /usr/local/netdisco /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 . /etc/httpd) at /etc/httpd/conf/netdisco_apache.conf line 26.\nBEGIN failed--compilation aborted\t(in cleanup) Can't locate netdisco.pm in @INC (@INC contains: /usr/local/netdisco /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 . /etc/httpd) at /etc/httpd/conf/netdisco_apache.conf line 26.\nBEGIN failed--compilation aborted at /etc/httpd/conf/netdisco_apache.conf line 26.\n



I tried adding the apache user to the netdisco group netdisco, and got the same result.



netdisco.pm is definitely in the first folder in @INC (/usr/local/netdisco), and the netdisco user / group owns that folder and all files, including netdisco.pm.



Why won't it start?


Answer



Make sure that the apache user has execute access to the /usr/local/netdisco folder and read access to the /usr/local/netdisco/netdisco.pm file.



You can also strace the startup of Apache to find which files it is trying to access. If those files exist, it is a permission problem. Besides the Unix permissions you have to check the SELinux configuration.
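Added here as a worked example (it is not code from the original post, nor from Netdisco): a Python script that checks the two things the answer lists, the Unix bits along the whole path and the SELinux label of the file. It walks the path the way the kernel does when the apache worker opens netdisco.pm: every directory on the way needs the search bit (x) for the class the account falls into, the file itself needs read (r). The account name apache and the module path are taken from the question's error message; the temporary paths used when exercising it are constructed.

```python
"""Added example, not part of the original post or of Netdisco: report which
component of a path stops a given account from loading a Perl module.

The pure functions class_for() and mode_allows() hold the rule; check_path()
applies it to a real path with os.stat(); selinux_label() prints the other
thing the answer says to compare, since a daemon started from the init script
runs confined (httpd_t) while one started from a root shell does not.
"""
import grp
import os
import pwd
import stat
import sys


def class_for(st_uid, st_gid, uid, gids):
    """Which permission triad the kernel applies: owner, group or other."""
    if uid == st_uid:
        return "user"
    if st_gid in gids:
        return "group"
    return "other"


def mode_allows(st_mode, perm_class, want):
    """True if bit `want` ('r', 'w' or 'x') is set for `perm_class`.
    Working on st_mode rather than the 'drwxr-x---' string keeps the x bit
    separate from the setuid/setgid/sticky flags that share its column."""
    bits = {
        "user":  {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
        "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
        "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
    }
    return bool(st_mode & bits[perm_class][want])


def account_ids(account):
    """uid and the set of gids (primary plus supplementary) of a local account,
    i.e. what 'id apache' prints. Adding apache to the netdisco group only
    helps if the group triad actually carries the needed bits."""
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if account in g.gr_mem)
    return pw.pw_uid, gids


def check_path(path, uid, gids):
    """Return a list of findings; an empty list means `uid` can open `path`
    for reading. Ancestor directories need 'x', the file itself needs 'r'."""
    if uid == 0:
        # root bypasses DAC (CAP_DAC_OVERRIDE), which is why httpd started from
        # a root shell proves nothing about what the worker account can read.
        return []
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    # '/', '/usr', '/usr/local', ... down to the directory holding the file
    ancestors = [os.sep] + [os.sep.join(parts[:i]) for i in range(2, len(parts))]
    findings = []
    for d in ancestors:
        st = os.stat(d)
        cls = class_for(st.st_uid, st.st_gid, uid, gids)
        if not mode_allows(st.st_mode, cls, "x"):
            findings.append("%s: no search (x) for class '%s', mode %s"
                            % (d, cls, stat.filemode(st.st_mode)))
    st = os.stat(path)
    cls = class_for(st.st_uid, st.st_gid, uid, gids)
    if not mode_allows(st.st_mode, cls, "r"):
        findings.append("%s: no read (r) for class '%s', mode %s"
                        % (path, cls, stat.filemode(st.st_mode)))
    return findings


def selinux_label(path):
    """SELinux context of `path` as 'ls -Z' shows it, or None where the
    attribute is not available (SELinux disabled, non-Linux platform).
    Files under /usr/local that httpd_t may not read are the usual reason a
    service start fails where a root-shell start succeeded."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    module = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/netdisco/netdisco.pm"
    account = sys.argv[2] if len(sys.argv) > 2 else "apache"
    uid, gids = account_ids(account)
    for line in check_path(module, uid, gids) or ["%s: readable by %s" % (module, account)]:
        print(line)
    print("SELinux label:", selinux_label(module))
```

Run it as `python3 inc_check.py /usr/local/netdisco/netdisco.pm apache`. If it reports nothing but the service still fails, the remaining suspects are the label it prints and whatever the strace of the service start shows being opened.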



hard drive - Reliability of SSD vs HDD (Over large temperature variations)




I've got an application which requires data recording in an outdoor environment, and I am interested in the reliability of SSDs vs HDDs when placed in cold (down to -20) and hot (+50) ambient environments. Intuition leads me to believe SSDs will be more reliable, with the possible exception of high temperatures. Air conditioning the enclosures is not an option.



Does anyone have any information on disk reliability in these situations?


Answer



Look for an industrial or ruggedized SSD for this application.



A good example of a proper product spec.
http://www.pretec.com/products/ssd-series/item/sata-ssd-series/a5000-industrial-grade



- Standard 2.5" SATA III SSD, compatible with SATA III/II/I interface
- Capacity: 32GB ~ 256GB
- Data transfer rate: Up to 490 MB/s
- Built-in ECC (Error Correction Code) function
- Support ATA-8 command and SMART function
- Temperature
  I. Operating Temperature: 0℃ ~ +70℃
  II. Extended Temperature: -40℃ ~ +85℃
  III. Storage Temperature: -55℃ ~ +95℃

Saturday, June 9, 2018

domain name system - Should we host our own nameservers?




This is a Canonical Question about whether to outsource DNS resolution for one's own domains.




I currently have my ISP providing DNS for my domain, but they impose limitations on adding records. Therefore, I am thinking about running my own DNS.




Do you prefer to host your own DNS, or is it better to have your ISP do this?



Are there alternatives which I can look into?


Answer



I wouldn't run my own DNS server - in my case, the hosting company that hosts my website provides free DNS service. There are also alternatives, companies that do nothing but DNS hosting (DNS Made Easy comes to mind, but there are many others) which are the kind of thing you should probably look into.



The reason I wouldn't do it myself is that DNS is supposed to be fairly reliable, and unless you have a geographically distributed network of servers of your own, you'd be putting all your eggs in one basket, so to speak. Also, there are plenty of dedicated DNS servers out there, enough that you wouldn't need to start up a new one.


Friday, June 8, 2018

HP acu drive listing errors. Smart array

I have the current config:
HP Proliant bl460gen6 with controller Smart Array P711m, Ubuntu OS.
There are 35 HDD drives configured in RAID 1+0 with 1 disk as a spare.
Usually I monitor the status of the RAID with the default command




hpacucli ctrl all show config




and if it finds a failed disk I replace it.

By chance I noticed that the LEDs were signaling two broken HDDs on the storage system.
At the same time, hpacucli reported that all HDDs were normal.
After googling the problem I found another variant of the hpacucli syntax:




hpacucli ctrl slot=2 ld 1 show




After running it, it confirmed the existence of the problematic HDD.
After replacing one HDD I continued to monitor the situation; the RAID recovery took place in normal mode, however the numbering of the HDDs in the list is wrong, with doubled drive numbers.




Replaced HDD is in slot 2



hpacucli ctrl all show config



  Smart Array P711m in Slot 2
array A (SATA, Unused Space: 0 MB)
logicaldrive 1 (61.9 TB, RAID 1+0, Recovering, 75% complete)
physicaldrive 1E:1:1 (port 1E:box 1:bay 1, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:1 (port 1E:box 1:bay 1, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:2 (port 1E:box 1:bay 2, SATA, 4000.7 GB, Rebuilding)
physicaldrive 1E:1:2 (port 1E:box 1:bay 2, SATA, 4000.7 GB, Rebuilding)
physicaldrive 1E:1:3 (port 1E:box 1:bay 3, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:3 (port 1E:box 1:bay 3, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:4 (port 1E:box 1:bay 4, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:4 (port 1E:box 1:bay 4, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:5 (port 1E:box 1:bay 5, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:5 (port 1E:box 1:bay 5, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:6 (port 1E:box 1:bay 6, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:6 (port 1E:box 1:bay 6, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:7 (port 1E:box 1:bay 7, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:7 (port 1E:box 1:bay 7, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:8 (port 1E:box 1:bay 8, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:8 (port 1E:box 1:bay 8, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:9 (port 1E:box 1:bay 9, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:9 (port 1E:box 1:bay 9, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:10 (port 1E:box 1:bay 10, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:10 (port 1E:box 1:bay 10, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:11 (port 1E:box 1:bay 11, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:11 (port 1E:box 1:bay 11, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:12 (port 1E:box 1:bay 12, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:12 (port 1E:box 1:bay 12, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:13 (port 1E:box 1:bay 13, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:13 (port 1E:box 1:bay 13, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:14 (port 1E:box 1:bay 14, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:14 (port 1E:box 1:bay 14, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:15 (port 1E:box 1:bay 15, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:16 (port 1E:box 1:bay 16, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:17 (port 1E:box 1:bay 17, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:18 (port 1E:box 1:bay 18, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:19 (port 1E:box 1:bay 19, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:20 (port 1E:box 1:bay 20, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:21 (port 1E:box 1:bay 21, SATA, 4000.7 GB, OK, active spare)


hpacucli ctrl slot=2 ld 1 show



     Smart Array P711m in Slot 2
array A
Logical Drive: 1

Size: 61.9 TB
Fault Tolerance: 1+0
Heads: 255
Sectors Per Track: 32
Cylinders: 65535
Strip Size: 256 KB
Full Stripe Size: 4352 KB
Status: Recovering, 78% complete
MultiDomain Status: OK
Caching: Enabled

Unique Identifier:
Disk Name: /dev/sda
Mount Points: None
Logical Drive Label:
Mirror Group 0:
physicaldrive 1E:1:1 (port 1E:box 1:bay 1, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:2 (port 1E:box 1:bay 2, SATA, 4000.7 GB, Rebuilding)
physicaldrive 1E:1:3 (port 1E:box 1:bay 3, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:4 (port 1E:box 1:bay 4, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:5 (port 1E:box 1:bay 5, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:6 (port 1E:box 1:bay 6, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:7 (port 1E:box 1:bay 7, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:8 (port 1E:box 1:bay 8, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:9 (port 1E:box 1:bay 9, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:10 (port 1E:box 1:bay 10, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:11 (port 1E:box 1:bay 11, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:12 (port 1E:box 1:bay 12, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:13 (port 1E:box 1:bay 13, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:14 (port 1E:box 1:bay 14, SATA, 4000.7 GB, OK)
physicaldrive 1E:1:1 (port 1E:box 1:bay 1, SATA, 4000.7 GB, OK)

physicaldrive 1E:1:2 (port 1E:box 1:bay 2, SATA, 4000.7 GB, Failed)
physicaldrive 1E:1:3 (port 1E:box 1:bay 3, SATA, 4000.7 GB, OK)


What went wrong, how can I fix it, and why do different hpacucli commands return different HDD statuses?

troubleshooting - Delegate permissions to subfolder in TFS project




I need to give a TFS Project Group contributor privileges to a Source Control subdirectory in a TFS project. I can connect successfully as someone from this group but can't browse Source Control, presumably because the user doesn't have access to the top level of the project. Is there any way to configure access in a manner that doesn't require giving read access to the whole project or maintaining privileges for every folder that shares a directory with folders in the path to the target subdirectory?



Clarification:



Project / Folder1 / Folder2 / TargetFolder



I have set this up by giving them permissions, but to restrict permissions to only TargetFolder and its contents, I need to give the group read access to Folder1 and Folder2. But because the permissions are inherited, I need to deny this group on every other folder under Project, Folder1, and Folder2. This is a maintenance headache and if new directories are added in the future, they will need to have their permissions changed as well.


Answer



There is no way to do this out of the box. If you're only going to be doing it rarely, the manual process of denying on the parent folders is going to be most efficient.




If, however, this is a task you think you'll find yourself repeating fairly often, you can create a utility using the TFS API to do it for you.



(Something along these lines. Warning, this is not tested)



// using Microsoft.TeamFoundation.VersionControl.Client;   (TFS client assemblies)

VersionControlServer vcs = /* ...VersionControlServer reference... */ null;

string checkinPath  = @"$/MyProject/Sources/Whatever";
string identityName = @"[MyProject]\Contributors";

string[] none        = new string[] { };
string[] checkinPerm = new string[] { PermissionChange.ItemCheckin };

// PermissionChange(item, identity, allows, denies, removes):
// allow check-in on the target folder itself
PermissionChange allowTarget = new PermissionChange(
    checkinPath, identityName, checkinPerm, none, none);

vcs.SetPermissions(new SecurityChange[] { allowTarget });

// walk up the path denying on parent folders; stop before reaching "$/"
string parentPath = checkinPath.Substring(0, checkinPath.LastIndexOf('/'));
while (parentPath.Length > 2)
{
    // a fresh variable per iteration: re-declaring 'pc' inside the loop
    // would not compile alongside the one declared above
    PermissionChange denyParent = new PermissionChange(
        parentPath, identityName, none, checkinPerm, none);

    vcs.SetPermissions(new SecurityChange[] { denyParent });

    parentPath = parentPath.Substring(0, parentPath.LastIndexOf('/'));
}

php - Can't get Codeigniter URLs working on Nginx





After successfully setting up nginx on my Windows machine, I have hit another problem where I am stuck. Everything works as usual: I am able to access pages and PHP works fine, but the problem comes when I try to use Codeigniter-type URLs, by which I mean



https://localhost/index.php/


Even if I insert one slash after "index.php", an error "No input file specified" is thrown, which I think means the FastCGI server is not able to find the right file. Here is my config file:




server {
server_name localhost;
listen 443;
root /wamp/www/;

ssl on;
ssl_certificate /wamp/www/server.crt;
ssl_certificate_key /wamp/www/server.key;


location / {
index index.php index.html index.htm;
}

location /NavHawk2 {
try_files $uri $uri/ index.php/;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#

location ~ \.php$ {
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}



Nothing in error logs and access logs are filled with 404 requests. If I remove the try_files line, I get a nginx 404 page.


Answer



Looks like you need to use fastcgi_split_path_info.



An example:



location ~ ^(.+\.php)(/.*)?$ {   # unlike \.php$ this also matches /index.php/controller/method
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    if (!-f $document_root$fastcgi_script_name) { return 404; }  # do not let PHP (cgi.fix_pathinfo) guess the script
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;  include fastcgi_params;
}


Thursday, June 7, 2018

mysql with innodb_file_per_table - cannot see any .ibd files

I've configured mysql to use the innodb_file_per_table option.



Everything works fine, I've been able to transfer data from another mysql server to the server with innodb_file_per_table set. All records are accessible and the application has been working fine for a couple of days now.



However I cannot find the .ibd files. I've restarted mysql via /etc/init.d/mysql restart.



In the /var/lib/mysql/xxx (xxx being the catalog name) there is a .frm file, but not a .ibd file.



I cannot find the expected .ibd file anywhere.




The operating system used is Ubuntu Linux:



Linux 2.6.24-24-server #1 SMP Tue Aug 18 16:51:43 UTC 2009 x86_64 GNU/Linux



The interesting thing is that du and df show different information about occupied space - df says 34GB are occupied whereas du shows 19G; the difference of 15GB is roughly the data occupied by the .ibd file (as shown in mysql admin).



I've pasted the output of du + df as well as the /proc/xxx/fd contents for the mysqld process. Interestingly the fd shows "/var/lib/mysql/ibdata1 (deleted)".





]du --max-depth 1 -h /
12M ./etc
3,8M ./lib32
1,9G ./var
8,0K ./media
1,6G ./usr
159M ./tmp
125M ./boot
4,0K ./initrd
86M ./root

4,0K ./srv
196M ./opt
16K ./lost+found
15G ./jboss
12K ./mnt
708M ./lib
0 ./proc
48K ./home
48K ./dev
0 ./sys

6,7M ./sbin
4,6M ./bin
19G .

]df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 221G 34G 177G 16% /
varrun 7,9G 260K 7,9G 1% /var/run
varlock 7,9G 0 7,9G 0% /var/lock
udev 7,9G 36K 7,9G 1% /dev

devshm 7,9G 0 7,9G 0% /dev/shm

]l /proc/15215/fd
total 0
/dev/null
pipe:[31469149]
socket:[31469165]
/tmp/ibyTflWI (deleted)
socket:[31469166]
pipe:[31469149]

/var/lib/mysql/ibdata1 (deleted)
/tmp/ibYr0wC6 (deleted)
/tmp/ibX4rGe0 (deleted)
/tmp/ibjOaQQT (deleted)
/tmp/ibbGtntN (deleted)
/var/lib/mysql/ib_logfile0 (deleted)
/var/lib/mysql/ib_logfile1 (deleted)


Here's the output of show table status:





mysql> show table status like '%xxx%';
+-----------------+--------+---------+------------+---------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+----------------------------------------------------------------------------------+
| Name | Engine | Version | Row_format | Rows | Avg_row_length | Data_length | Max_data_length | Index_length | Data_free | Auto_increment | Create_time | Update_time | Check_time | Collation | Checksum | Create_options | Comment |
+-----------------+--------+---------+------------+---------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+----------------------------------------------------------------------------------+
| xxx | InnoDB | 10 | Compact | 7982574 | 1674 | 13369344000 | 0 | 81526784 | 0 | NULL | 2009-11-18 04:15:08 | NULL | NULL | utf8_general_ci | NULL | | InnoDB free: 4096 kB; |
+-----------------+--------+---------+------------+---------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-----------------+----------+----------------+----------------------------------------------------------------------------------+
1 row in set (0.21 sec)



and the mysql version: 5.0.51a-3ubuntu5.4

When VPN tunnel fails between primary Domain Controller and secondary DC - What happens?

I'm a little unclear as to what happens when a VPN tunnel fails between a primary and secondary Domain Controller for an extended period of time. Here is a basic rundown of our environment. We have in our primary location DC1. We recently moved our customer-facing sites and database (the DB is the only server on AD, the rest are DMZ) over to a data center and stood up DC5 (we have other domain controllers in various locations); we have a VPN tunnel between the two locations. I understand that systems will continue to function as normal for short disruptions to the VPN. My question is: what if that tunnel is down for a couple of days or even a week? Does DC5 continue to work without DC1? Is there a countdown to failure at some point?



My background is software development; our IT guy says that after "some undetermined time" sites would fail to work if the VPN is not active. I am questioning that statement.



Thanks

Monday, June 4, 2018

debian - Using Apache / Kerberos / Keytab to Authenticate Redmine Users Against Active Directory



We have a Debian (squeeze) server to which I have root access. It is running Apache, and Redmine is deployed to the server (currently using a local MySQL database for authentication).



Apache is configured to use Kerberos and a keytab file to authenticate users against Active Directory. With the current configuration, as soon as a user attempts to access anything over https, the user is prompted for a username / password, which is successfully authenticated against Active Directory.




I understand (somewhat) that Redmine has its own LDAP configuration that can be used to authenticate users against an existing Active Directory, but this would require the user to enter their credentials one time for Apache and then a second time for Redmine.



Can I somehow configure Redmine to share the Apache authentication method as opposed to requiring the user to enter their credentials a second time? (Using Apache to authenticate against Active Directory is a requirement for a separate application on the server)


Answer



I'm not sure if there's built-in support in Redmine for this feature, as all the links I can find are pretty old. However, it seems like it shouldn't be too hard to add.



Basically, most Apache authentication modules will set an environment variable in the request called REMOTE_USER, which they fill with the username that the requester has proven themselves to be. If you modified Redmine to accept REMOTE_USER in lieu of an internal authentication provider as in this bug report, then you would be able to use only Apache and Kerberos to authenticate users.



It seems like somebody's already implemented a plugin that does a similar thing. This forum post also details such a solution.




Note: This method just provides authentication, not authorization; you'll be able to trust that a user is who they say they are, but you may still need to use a direct LDAP connection to Active Directory if you care about what groups a user is in or any other kind of graduated access control.
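Added here as a worked example of the REMOTE_USER hand-off described in the answer (it is not code from the original answer, from Redmine or from the plugin mentioned; Redmine itself is Ruby, the Python below only shows the pattern). It assumes Apache authenticates with Kerberos via mod_auth_kerb and, with KrbLocalUserMapping left off, exposes the full principal such as jdoe@CORP.EXAMPLE.COM; the realm name, account names and request environments are constructed. Two rules are enforced that a naive "trust REMOTE_USER" patch tends to miss: the identity is read only from the server-set CGI variable, never from a request header a client could forge, and the realm is checked before the principal is mapped to a login.

```python
"""Added example, not part of the original answer or of Redmine: how an
application that delegates login to Apache should consume REMOTE_USER.

Apache only proves who the caller is; as the answer notes, group membership
for authorization still has to come from a direct LDAP query.
"""

TRUSTED_REALMS = frozenset({"CORP.EXAMPLE.COM"})  # constructed; your AD realm(s)


class UntrustedIdentity(ValueError):
    """REMOTE_USER is absent or is not a user we are willing to map."""


def login_from_principal(principal, trusted_realms=TRUSTED_REALMS):
    """Map 'user@REALM' to the application login 'user'.

    Rejects a missing realm, a realm outside trusted_realms (a user from a
    foreign realm must not be able to land on a local account of the same
    name) and service principals such as 'HTTP/www.example.com@REALM'.
    """
    if not principal or "@" not in principal:
        raise UntrustedIdentity("not a Kerberos principal: %r" % (principal,))
    user, _, realm = principal.rpartition("@")
    if realm not in trusted_realms:
        raise UntrustedIdentity("untrusted realm %r" % realm)
    if not user or "/" in user:
        raise UntrustedIdentity("not a user principal: %r" % principal)
    # sAMAccountName is case-insensitive; normalise so JDoe and jdoe are one account
    return user.lower()


def authenticated_login(environ):
    """Identity of the request, taken from the CGI/WSGI environment Apache
    built. Request headers arrive as HTTP_* keys, so a forged
    'Remote-User: admin' header becomes HTTP_REMOTE_USER and is never read;
    only the auth module can set the bare REMOTE_USER key."""
    return login_from_principal(environ.get("REMOTE_USER"))


def app(environ, start_response):
    """Minimal WSGI application: Apache has already authenticated, the
    application only maps the principal and decides what to show."""
    try:
        login = authenticated_login(environ)
    except UntrustedIdentity as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [("refused: %s\n" % exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("logged in as %s\n" % login).encode()]


if __name__ == "__main__":
    # Constructed environments: what Apache hands over after a successful
    # Negotiate exchange, and a request that only carries a forged header.
    good = {"REMOTE_USER": "jdoe@CORP.EXAMPLE.COM"}
    forged = {"HTTP_REMOTE_USER": "admin@CORP.EXAMPLE.COM"}
    for env in (good, forged):
        body = app(env, lambda status, headers: print(status))
        print(b"".join(body).decode(), end="")
```

The same two checks apply if Redmine runs behind Apache as a reverse proxy instead of in-process: REMOTE_USER does not cross the proxy hop by itself, so Apache has to copy it into a request header, must unset any client-supplied header of that name first, and the backend must be reachable only from the proxy, otherwise the header is as forgeable as HTTP_REMOTE_USER above.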


linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...