Sunday, December 30, 2018

linux - Apache Server files in /var/www/




All right... I have my server set up and I have 4 sites residing in /var/www/. Each site directory and the files underneath it are all root:www-pub according to this post:



What's the best way of handling permissions for Apache 2's user www-data in /var/www?



My user, cdog, is part of the www-pub group, as directed by the above post, and after more research I believe my umask is set up properly.



Issue 1: Creating new files inside any of the /var/www/ directories gives me permissions of



cdog:www-pub -rw-r--r--



all other files are



root:www-pub -rw-rw-r--


I was led to believe (according to the above post) that any new files created would be the latter.



Issue 2: Most of these directories, with permissions of




drwxrwsr-x


are Joomla directories. Logging into the Joomla back end gives me a whole bunch of unwritable directories, which isn't good for updating/installing extensions/plugins, etc.



First, why aren't my files being created with the correct permissions?
Second, why are the Joomla directories not writable?


Answer



The user's umask determines what permissions new files receive. When a file or directory is created, the system starts with the most permissive permissions (0666 and 0777 respectively) and then clears the bits specified in the umask. The default umask of 022 therefore causes the group and world write bits to be cleared, which is why you end up with 0644.




To create files with group write permission you need to change the umask to 002 (i.e. only clear the world write permission). This can be done in a specific shell session with umask 002, but this won't persist across sessions.



There are a number of ways to set the umask permanently. If the pam_umask PAM module is installed and configured, you can set this in /etc/login.defs:



UMASK   002


Otherwise you can set it in your shell initialisation scripts, either ~/.bashrc if you only want it to apply to your user, or /etc/bash.bashrc if you want it to apply to all users:



umask 002
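As a quick sanity check, this is roughly what you should see once the umask is 002 (a hypothetical session; the site directory name and timestamp are placeholders, and the directory is assumed to have the setgid bit set, as the drwxrwsr-x above indicates):

$ umask 002
$ touch /var/www/site1/newfile.php
$ ls -l /var/www/site1/newfile.php
-rw-rw-r-- 1 cdog www-pub 0 Dec 30 12:00 /var/www/site1/newfile.php

The group comes from the setgid directory; the mode comes from the umask. New files are owned by the creating user (cdog), not root.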


Saturday, December 29, 2018

windows server 2012 - Multiple users in a single session of Remote Desktop

I would like to know if it is possible to have multiple users connected for viewing the same remote desktop.



The server is running under Windows Server 2012 Standard Edition.



This question is the same as this one but for Windows Server 2012 Standard Edition (since Terminal Services doesn't exist anymore in 2012).

Set default TLS SNI vhost for Apache 2.2 on CentOS 6

I have a CentOS 6 server with Apache (httpd-2.2.15-15.el6.centos.x86_64). Now I configured TLS SNI using OpenSSL and that was pretty easy.



Now I have two TLS vhosts on the same IP and I want to specify which one should be the default if the client does not support TLS SNI (yes, I'm looking at you, git/hg).



Looking at the Apache docs there should be at least two ways to do this:





  • set <VirtualHost _default_:443> for the default host (and *:443 for all others)

  • set "SSLStrictSNIVHostCheck on" for the non-default hosts.



Unfortunately neither method works for me. Can someone explain to me how to achieve the goal anyway and why the two methods above don't work as I expected?
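For reference, a minimal sketch of the ordering-based variant (hostnames and certificate paths are placeholders; in Apache 2.2 the first name-based vhost defined for an address is the one a client that sends no SNI ends up on):

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName default.example.com
    SSLEngine on
    SSLCertificateFile /path/to/default.crt
    SSLCertificateKeyFile /path/to/default.key
</VirtualHost>

<VirtualHost *:443>
    ServerName git.example.com
    SSLEngine on
    SSLCertificateFile /path/to/git.crt
    SSLCertificateKeyFile /path/to/git.key
</VirtualHost>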

Thursday, December 27, 2018

apache 2.2 - Why is iptables not blocking an IP address? (LB/proxy version)

WARNING: Long. Lots of info here.




Three years ago someone asked "Why is iptables not blocking an IP address?" and it turned out the reason was that the servers were behind CloudFlare, which made it impossible to block IP addresses directly the way they wanted to (at least not without handling it differently). Any reverse proxy or load balancer would cause the same thing.



Similarly, we have set up fail2ban with a rule to ban any bots which attempt to brute-force the administrative login or spam xmlrpc. The site is sitting behind a load balancer, so obviously we can't ban the source IP address directly, but iptables is supposed to accept the connection and pattern-match the packet data to ban specific traffic.



This is the fail2ban jail.conf config:



[wp-auth] 
enabled = true
filter = wp-auth
action = iptables-proxy[name = lb, port = http, protocol = tcp]

sendmail-whois[name=LoginDetect, dest=ITemail@ourdomain.com, sender=acceptablebotbot@ourdomain.com, sendername="Fail2Ban"]
logpath = /obfuscated/path/to/site/transfer_log
bantime = 604800
maxretry = 4
findtime = 120


This is the simple pattern match for wp-login requests:



[Definition]

failregex = ^ .* "POST /wp-login.php
ignoreip = # our ip address


This is our fail2ban iptables action, which is supposed to block these bots but for the most part doesn't seem to. It is from the Centos.Tips article on running fail2ban behind a proxy. For the sake of brevity I've left only the section header comments in place.



# Fail2Ban configuration file
#
# Author: Centos.Tips
#


[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

# Option: actionstop
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option: actionban
actionban = iptables -I fail2ban-<name> 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

# Option: actionunban
actionunban = iptables -D fail2ban-<name> -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

[Init]
# Default name of the chain
name = default


# Option: port
port = http

# Option: protocol
protocol = tcp

# Option: chain
chain = INPUT



So, as I mentioned, the site is on a pair of servers behind an Elastic Load Balancer, and the ban seems to work in testing: if we add any of our own IP addresses, we can no longer reach the site. Despite this, bots seem to be able to get through.



[root:~/] iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-N fail2ban-lb
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-lb
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 24007:24020 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A fail2ban-SSH -j RETURN
-A fail2ban-lb -p tcp -m tcp --dport 80 -m string --string "X-Forwarded-For: 91.200.12.33" --algo bm --to 65535 -j DROP
-A fail2ban-lb -p tcp -m tcp --dport 80 -m string --string "X-Forwarded-For: 91.134.50.10" --algo bm --to 65535 -j DROP
-A fail2ban-lb -p tcp -m tcp --dport 80 -m string --string "X-Forwarded-For: 160.202.163.125" --algo bm --to 65535 -j DROP
-A fail2ban-lb -p tcp -m tcp --dport 80 -m string --string "X-Forwarded-For: 162.243.68.232" --algo bm --to 65535 -j DROP
-A fail2ban-lb -j RETURN


Port 80 is the only port open to all; all others are ACL'd via AWS Security Groups. iptables appears to be processing rules in the correct order and should therefore be blocking these IPs based on their X-Forwarded-For header. There is a Firefox plugin which lets us send these headers with our own requests, and when we use it with any of these bot IPs we do get blocked.
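The same check can be reproduced from a shell with curl (a hypothetical test request, using one of the banned IPs from the chain above):

curl -v -H "X-Forwarded-For: 91.200.12.33" http://www.thiswebsite.com/wp-login.php

When the string match works, the request packet carrying that header is dropped, so curl simply hangs until it times out instead of getting a response.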




The source does not appear to be forging the X-Forwarded-For header (something we've been experimenting with), and the ELB rewrites that header anyway. tcpdump does not show any extra information on the packet at the server level.



22:07:14.309998 IP ip-10-198-178-233.ec2.internal.11054 > ec2-10.4.8.71.http: Flags [P.], seq 2545:3054, ack 19506, win 166, options [nop,nop,TS val     592575835 ecr 2772410449], length 509
E..1..@.@..9
...
f.p+..P.Nz.
20............
#Q.[.?.QPOST /wp-login.php HTTP/1.1
host: www.thiswebsite.com
Accept: */*

Accept-Language: zh-cn
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://www.thiswebsite.com/wp-login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
X-Forwarded-For: 91.200.12.33
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Content-Length: 21
Connection: keep-alive



These requests are all being logged in the transfer_log.
When we do the same thing and forge the X-Forwarded-For ourselves, we get caught by iptables before ever reaching Apache. tcpdump also shows our extra IPs.



20:10:25.378873 IP ip-10-198-178-233.ec2.internal.11054 > ec2-10.4.8.71.http: Flags [P.], seq 3157:3860, ack 124583, win 267, options [nop,nop,TS     val 526293643 ecr 2507283790], length 703
E...Tf@.@.[.
...
f.p,O.P...GU........m.....
.^...r.QPOST /wp-login.php HTTP/1.1

host: www.thiswebsite.com
Accept: /
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Cookie: __utma=190528439.16251225.1476378792.1478280188.1478289736.3; __utmz=190528439.1476378792.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _icl_current_language=en; __utmc=190528439; __utmb=190528439.2.10.1478289736; __utmt=1
Pragma: no-cache
Referer: http://www.thiswebsite.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
X-Forwarded-For: 91.200.12.33,

X-Forwarded-Port: 80
X-Forwarded-Proto: http
Connection: keep-alive


I also have the ELB access log entry here; that is where I expect these requests to show up, just not in the Apache transfer logs.



2016-11-07T22:07:14.309917Z mLB 91.200.12.33:60407 10.4.8.71:80 0.000079 1.99244 0.000091 200 200 21 3245 "POST http://www.thiswebsite.com:80/wp-login.php HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" - -



So the IP address (at least according to the ELB) does not appear to be forged at the X-Forwarded-For level. Why is traffic from it not being blocked? The IP address also shows up constantly in the fail2ban log with the usual:



fail2ban.actions[11535]: INFO [wp-auth] 91.200.12.33 already banned

Wednesday, December 26, 2018

hardware - How can I enable caching on the RAID card or Hard Disk(s)



I've got an HP ML350 G5 server running 6 disks as two RAID-5 arrays. This server has been notifying me of a dead battery on the E200i card. This seems to result in the cache being disabled: read and write speeds are very slow (around 20 MB/s).



A possibility would be to replace the battery on the RAID card, but I don't really want to spend the money for the risk of losing data on power failure.



I found that it is possible to enable the cache on the hard disks themselves; however, I can't find out how to do this on my server.




Another possibility would be to enable caching on the RAID card somehow, without replacing the battery.



Does anyone know how any of the above things are done?



Thanks in advance!


Answer



The HP Smart Array E200i controller does not support the no-battery cache override option like newer HP controllers.



Replace the battery on the controller. You can leverage the warranty (unlikely, given the server's age) or buy the part from eBay or another HP parts reseller. Don't buy new.




The ML350 G5 is an old system, mainly sold from 2005-2008. Its useful life is over, as it's been eclipsed by FIVE newer generations of HP hardware.



At this point, you should not have high expectations for the performance of the system. You can continue to run without the controller battery, but DO NOT enable the individual disk caches. If the performance is unacceptable, buy the battery or plan to move to newer hardware.


Tuesday, December 25, 2018

Moving from Exchange 2003 to Exchange 2010 within a SBS 2003 Domain



I am currently facing the problem that my Exchange 2003 database will hit the 75 GB limit in the next few months, so I am thinking about retiring our current Exchange 2003, which is part of a Small Business Server 2003 Standard installation.




This is our current Setup




  • 1x Dell Power Edge 2900 with SBS 2003 (DC/Exchange/Fileserver)



and I would like to migrate to the following Setup





  • [old] 1x Dell Power Edge 2900 with SBS 2003 (DC & Fileserver)

  • [new] 1x Dell R510 with Windows Server 2008 Std & Exchange 2010 Std.



This raises a bunch of questions:




  1. Is it technically possible to install and add Exchange 2010 in a
    domain whose primary and only DC is an SBS 2003 machine?


  2. Is this legal in terms of the SBS 2003 License?



  3. Do I need to buy new Windows 2008 User CALs or am I fine with the
    SBS 2003 CALs we already own?



Answer



You can add an Exchange 2010 server to your network. As long as your Windows Small Business Server 2003 machine has Windows 2003 Service Pack 2 installed and your AD forest and domain functional levels are Windows 2003, Exchange 2010 will install and work fine. You will be able to move mailboxes from the Exchange 2003 installation on the Windows SBS machine to the new Exchange 2010 installation, and Outlook will automatically redirect users to their new mailbox location. It's really quite slick.



I've added E2K7 to a Windows SBS 2003 domain in the past and it's been no problem. Nobody has ever asked me to add E2K10 but I'd anticipate no problems.



Licensing questions really need to be referred to Microsoft for authoritative answers. I would expect that you're going to need to purchase a Windows Server 2008 server license, an Exchange 2010 server license, and a sufficient number of Exchange 2010 CALs (device or user) for your needs. Microsoft can tell you that for sure.




There is no restriction that I'm aware of in the Windows SBS 2003 license that prevents you from having additional Exchange Server computers. (The restrictions relate to multi-domain forests and maximum numbers of users, but don't address maximum numbers of servers.) Again, licensing questions should go to Microsoft for an authoritative answer.


Monday, December 24, 2018

What are acceptable failure rates in load testing scenarios



I am doing a report on load testing for a client.



I am using a service called Blitz.io.



He would like to handle 1000 concurrent users at 500ms.




Every time I have run a test like this it has never come back 100%: invariably, if I run the test for 10 minutes, a few of the connections out of the thousands time out, and some go over the 500ms threshold.



How do you manage client expectations, and what sort of thresholds do you set?



Do you say that 90% of connections do not timeout and 90% of connections are within 500ms?



Interested to hear how you manage this.


Answer



If he wants to handle 1000 concurrent users at 500ms, then I would expect a zero error rate. However, it is common for the specification to allow for some slow requests. I am used to specifications like "95% of the requests will be completed within 500ms with 1000 concurrent users". Dropping connections is generally not acceptable.



web applications - Training for load testing web apps?





We've discussed the tools used for load testing here on ServerFault, but what about training on how to use them properly? Are there companies that specialize in IT training that cover load testing? How do you properly come up with a simulated load? How long should you run the test for? What are the best metrics to be tracking on the server-side while the test is running? And so on...


Answer




  1. First, start with the business representatives. They (should) know the application best. Identify the key transactions and the end-to-end response times. Ideally, they'll be able to hand you a document which captures their non-functional requirements. If your application is replacing a legacy application, all the better - get as many applicable usage metrics from that app as you can. This is the most critical success factor in performance testing: understanding the size of your potential userbase, the number of users likely to be using it concurrently, the percentage of each of your key transactions executing simultaneously, and the growth rate per [timeframe].


  2. Build an automated script which simulates the key transactions. Include think time in this script. Very few users are going to power through your application/website without taking a few seconds to see what the app did in response to their input. Failure to adequately simulate think time can result in you subjecting your application to unrealistic load, which leads to unhappiness all around. That being said, the business may identify that 10% of the userbase are power users, and you may want to deliver your load with 90% normal users, with 'normal' think time, and 10% power users, with faster, more aggressive think times.


  3. Add your virtual users over a time period (ramp-up time) - don't go from 0-500 in 1 second, unless you will actually have that kind of load (sale starts at 9:00 AM!). It's good to understand how your application will behave under load spikes, but some apps may fail in these scenarios, which is only a problem if you're expecting that kind of load. Otherwise, you may find yourself spending a lot more money than what's required to support a load that may never come.


  4. Factor in latency and network speed. For a stress test, it's great to have a gigabit Ethernet connection with less than 1 ms latency to your application, which you can use to push your application to determine when it will fail. In reality, though, your users aren't usually that close to your application - they're coming over all different types of network conditions.


  5. Endurance testing - at least 24 hours is recommended, more if you can afford it. You want to capture what happens to your application when periodic batch processes run, like backups, antivirus definition updates, or even IIS app pool recycles (every 29 hours by default).


  6. Understand the difference between performance testing and load testing. Load tests will generally show the perspective of the server. This isn't entirely true - many tools will show you the time a transaction takes in terms of TTLB - but most tools today don't reflect client-side rendering times, which are material in JS-heavy applications, or ones that use XSLT, for example.


  7. Don't solely rely upon your automated test numbers - at least not starting on day one. Periodically manually validate the numbers you get back. Over time you can let this subside as you become more confident in your simulations.



  8. Performance counters - every application will vary, but you won't go wrong starting with the four basic food groups - cpu, memory, disk i/o, network i/o. A list of my preferred counters is at http://www.oneredlight.com/perf.config.txt. You can set your application up to log these counters to a 300 MB circular file with the following command line:
    logman create counter PERF -f bincirc -max 300 -si 2 --v -o "c:\perflogs\perf" -cf "perf.config"
    I've only tried these on Windows 2008/IIS 7/SQL 2008, so your mileage may vary. I would also recommend reading http://msdn.microsoft.com/en-us/library/ms998530.aspx if your application is on the MS stack. A sketch of what the counter file can look like follows this list.






Sunday, December 23, 2018

Creating an efficient image deployment lab



In our organization we frequently deploy images on new computers and we would like to optimize this process.




We are currently using Norton Ghost - Creating a boot floppy with a unique IP for every new computer and deploying the image from a server using Unicast (since Broadcast floods the network).



We do not want to use a management product such as SCCM. We just need an efficient way to deploy 2-4 types of different images on many computers efficiently.



Any suggestions?


Answer



Look at the Windows AIK and the Microsoft Deployment Toolkit 2010 (both are free downloads)



Combined with Windows Deployment Services (if you have a Windows Server), you can use PXE boot to deploy over the network.


Hostname or subdomain?




I understand that, in the address "webmail.chemistry.iit.edu", "chemistry" is a subdomain and "webmail" the hostname. Then why, in "mail.google.com", according to Google's documentation, is "mail" a subdomain? Isn't it mandatory to have the hostname to the left of the domain?


Answer



No, it is not mandatory to have any particular format for domain names. You can put almost anything you want in DNS, and companies do use all kinds of schemes.



That said, the word "hostname" is often used to mean two different things. It can mean





  1. The name of the computer. This can be in many different formats, including single words, full domain names, and anything in between.

  2. The full domain name of a computer, whether the computer does or does not have that full name set on the computer as its host name.



To complicate this, there is absolutely no reason that either of the things you mentioned in your question is a "hostname" in the first sense of the word. In fact, many places do not have a computer with the name "webmail", instead having that name point to another machine with a different name. For example, in my old office, "mail.example.com" actually could be on a machine named "mailserver2.office.example.internal". As you can see, the "hostname" in the first sense of the word is not even a publicly accessible address.



For your example of "mail.google.com", GMail actually runs on many servers (hundreds or thousands, though no one outside Google knows for sure), so there is no single computer with the name "mail.google.com". Google does not publish the actual names of the servers that "mail.google.com" points to. Even when you see "googlemail.l.google.com" when you look up where it points, that is also not the real name of a server, but a name that points to many servers.
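You can see this indirection yourself with a quick DNS lookup (only the CNAME target is shown here; the A records behind it vary by region and over time):

$ dig +short CNAME mail.google.com
googlemail.l.google.com.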



For example, there could be a server named "webmail01-newyork342-version1.googlemail.datacenter-newyork.google.private" which is publicly accessible as "googlemail.l.google.com". Google uses DNS round-robin, region-based DNS partitions, and IP anycasting to make all of those servers respond to the same name.




In smaller setups, it is often true that the leftmost portion of the full address is the name of the machine that you are connecting to, but that is rarely the case when dealing with any large company.


redhat - Linux external USB drive failure - corrupt filesystem



I have been given the responsibility of looking after a server running Red Hat Enterprise Linux (RHEL) AS release 3 with a 500 GB external USB hard disk (Freecom part # 28604), which has failed in a strange way.




Ideally I would like to fix the drive or at least wipe it and be able to use it.



To start with, the hard drive was mounted but the files that were on it had disappeared. When I tried to create a file (even with touch) it said:




Read-only file system




A df command shews that it is not empty. This is the mtab entry for the drive :





/dev/sdb1 /mnt/usbhd ext3 rw 0 0




Any thoughts as to how to resolve this?



What I have tried so far :



Ran fsck.ext3 -n /mnt/usbhd, it says :





e2fsck 1.32 (09-Nov-2002)
fsck.ext3: Attempt to read block from filesystem resulted in short read while trying to open /mnt/usbhd
Could this be a zero-length partition?




I then umounted it and ran fsck /dev/sdb1 :




fsck 1.32 (09-Nov-2002)
e2fsck 1.32 (09-Nov-2002)
fsck.ext2: No such device or address while trying to open /dev/sdb1
Possibly non-existent or swap device?





fdisk -l does not shew the device; however, it is shewn in /proc/partitions. I have found an entry in /log/messages:




May 10 10:40:51 server4 devlabel: The device /dev/sdb1 is being put in devlabel's
temporary ignore list /etc/sysconfig/devlabel.d/ignore_list to avoid errors.
May 10 10:50:14 server4 devlabel: The device /dev/sdb1 is being put in devlabel's
temporary ignore list /etc/sysconfig/devlabel.d/ignore_list to avoid errors.




and the dmesg command returns a few errors relating to the device, this is a sample :





I/O error: dev 08:11, sector 66984
I/O error: dev 08:11, sector 4360
EXT3-fs error (device sd(8,17)): ext3_readdir: directory #2 contains a hole at o
ffset 0
I/O error: dev 08:11, sector 0
I/O error: dev 08:11, sector 264
EXT3-fs error (device sd(8,17)): ext3_get_inode_loc: unable to read inode block
- inode=2, block=33
I/O error: dev 08:11, sector 0
EXT3-fs error (device sd(8,17)) in ext3_reserve_inode_write: IO failure
I/O error: dev 08:11, sector 0
I/O error: dev 08:11, sector 4360
ext3_abort called.
EXT3-fs abort (device sd(8,17)): ext3_journal_start: Detected aborted journal
Remounting filesystem read-only
usb.c: USB disconnect on device 00:1d.7-5 address 3
hub.c: new USB device 00:1d.7-5, assigned address 4
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 4



Answer



It could have happened because the device was ejected and the filesystem got corrupted.



Try to unmount it and run fsck on /dev/sdb1.
If the problem still happens, try to unplug and re-plug the USB cable (or use a different port).
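A minimal sketch of what that looks like (the device and mount point are the ones from the question; run fsck against the unmounted device, not the mount point):

umount /mnt/usbhd
fsck.ext3 -f /dev/sdb1

# If fsck still reports "No such device or address", re-plug the cable and
# check that the kernel has re-detected the disk before trying again:
dmesg | tail
cat /proc/partitions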


Saturday, December 22, 2018

apache 2.2 - Why the php-cgi wrapper script for php-fpm? (Using virtualhost and suexec.)

I just setup my server with Apache, FastCGI, and PHP-FPM. My question is regarding the /cgi-bin/ folder: is it really necessary to have a /cgi-bin/php-fpm wrapper for every single virtualhost that runs apache using a different user/group? Furthermore, if a user deletes the cgi-bin folder... the fpm/fastcgi benefits are lost. Ideally, I'd like to setup PHP-FPM without the need for anything outside of the .conf file.



As far as I can tell, the php-cgi binary (which is all that the php-fpm wrapper executes) is executable by all users on the system... so why the hassle of wrapping the same executable that's going to be run by the user anyway? More specifically, how can I change this configuration to use the php-cgi binary directly, instead of going through the wrapper?



The relevant files/results related to my question are:




/etc/apache2/modules.d/20_mod_fpm.conf
---------------------------------------------------------------------------------

...

FastCgiExternalServer /var/www/localhost/cgi-bin/php-fpm -host 127.0.0.1:9000

AddHandler php-fpm .php
Action php-fpm /cgi-bin/php-fpm

DirectoryIndex index.php

...




/var/www/localhost/cgi-bin/php-fpm
---------------------------------------------------------------------------------
#!/usr/bin/php-cgi



phpinfo()

---------------------------------------------------------------------------------
...
Server API: FPM/FastCGI
...


Lovely. Running benchmarks shows that the setup is, indeed, functioning very well: ~135 requests per second, rather than 13 requests per second with the default Apache/PHP interpreter setup. So all that's left is making the multi-user aspect seamless.

Friday, December 21, 2018

reverse proxy - Nginx Redirect all location block to https except 1




I have an nginx config where everything is forced to HTTPS. I wanted to add a location block which is served over HTTP, but I get a "Too many redirects" error with my current config.



Here's the config



# HTTP
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

server_name example.com;


# redirect non-SSL to SSL
location / {
return 301 https://$server_name$request_uri;
}
location /blog {
rewrite ^/blog/(.*)$ /$1 break;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;

proxy_pass http://remote-ip;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

#HTTPS server
server{
listen 443 ssl spdy;

server_name example.com;

ssl_certificate /path/to/pem/file/fullchain.pem;
ssl_certificate_key /path/to/private/key/privkey.pem;

# performance enhancement for SSL
ssl_stapling on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;


# safety enhancement to SSL: make sure we actually use a safe cipher
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000;";

# If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update

# This works because IE 11 does not present itself as MSIE anymore
if ($http_user_agent ~ "MSIE" ) {
return 303 https://browser-update.org/update.html;
}

location /blog {
return 301 http://$host$request_uri;
}
# pass all requests to Meteor
location /{

# meteor application config
}
}


As you can see in the config, all requests to the /blog location are reverse proxied to another server. I do not want to enforce HTTPS there.



As mentioned before, if I go to example.com/blog, I get a "Too many redirects" error. The other location block works as expected.


Answer



You cannot do this because you're enabling HSTS, and thus telling the browser to only ever reach your domain via HTTPS. If you really need to do this, remove this line and clear your browser cache:




add_header Strict-Transport-Security "max-age=31536000;";

centos - Mirroring Docker Traffic to Different Port in Same Container



I am using docker containers on CentOS to simulate devices on the network and have two tools that are to run inside each of those containers to simulate communication with actual network devices. Individually, either tool works inside the docker containers and can communicate with the outside world via one port we'll call 8000 here, but due to both attempting to use 8000, they are unable to run simultaneously. To resolve this, I am looking to mirror traffic on 8000 to another port we'll call 8001 here so that one tool can run on 8000 while the other receives its packets on 8001. In my Dockerfile, I EXPOSE both of these (though do not publish them in the run command).



Poking around the internet, I found this. Attempting to adapt it to my purposes, I ended up with the below, which I execute from within docker exec -it bash. By my primitive understanding, it should copy the message to a different localhost IP's port 8000 while letting the original message through, then pass the duplicate packet back to 127.0.0.1:8001.




iptables -t mangle -A PREROUTING -p UDP --dport 8000 -j TEE --gateway 127.0.0.2
iptables -t nat -A PREROUTING -d 127.0.0.2 -p UDP --dport 8000 -j DNAT --to 127.0.0.1:8001


This does not appear to be working. Running a tool on 8001 caused it to miss all packets I threw at 8000 from the outside world.



Similarly, I found this one, and tried adapting it to the below, but it doesn't seem to work either, and trying to get netcat running properly in a container has proven to be quite the headache.



iptables -A PREROUTING -t mangle -p tcp ! -s 127.0.0.1 --dport 8000 -j TEE --gateway 127.0.0.1

iptables -A OUTPUT -t nat -p tcp -s 127.0.0.1/32 --dport 8000 -j DNAT --to 127.0.0.1:8001


I am new to both docker and iptables, so any explanation of the underlying mechanisms of what is going wrong here would be greatly appreciated.


Answer



After a great deal of effort, the following solution was discovered that needs to run inside the container:



sysctl -w net.ipv4.conf.eth0.route_localnet=1
iptables -t mangle -A PREROUTING -i eth0 -p UDP --dport 8000 -j TEE --gateway 127.0.0.1
iptables -t nat -A PREROUTING -p UDP --dport 8000 -j DNAT --to-destination 127.0.0.1:8001



The key thing missing was the sysctl command, run inside the container, to allow routing to localhost addresses in the first place. Then the rules needed to match on eth0, unlike the previous attempts, as otherwise you end up with infinite loops.
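One generic way to confirm the rules are actually seeing traffic (not part of the original setup, just a sanity check) is to watch the per-rule packet counters while sending traffic at port 8000:

iptables -t mangle -L PREROUTING -n -v
iptables -t nat -L PREROUTING -n -v

Both counters should increase as packets arrive on 8000; if the mangle counter stays at zero, the traffic never matched the TEE rule in the first place.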


Thursday, December 20, 2018

weblogic - Different pid between NodeManager Managed Server and Java Process

On our WebLogic server, when the server goes OOM, the hprof file is generated as java_pidA.hprof, but there is another message from the Node Manager that says managed server ManagedServer_1 with pid pidB was shut down successfully.



Why are the PIDs different between the java process and the one reported by Node Manager?

domain name system - DNS MX vs CNAME entries

I have recently bought a domain for setting up a website.



The website is hosted on OpenShift. Since OpenShift doesn't use its own nameservers, I've edited the DNS records on the domain registrar's website such that the CNAME entries point to the OpenShift URL (https://appname-domain.rhcloud.com).



The domain registrar provides only two email addresses as of now, so I tried hosting it on Pawnmail, for which I need to update my MX records.



While updating the DNS entry, I'd have to point the MX for mysite.com to Pawnmail's record. However, this is not allowed since there is already a CNAME for mysite.com. Any workarounds? I'm sure I'm doing something wrong, but I'm very new to web management, so excuse me if I'm missing anything. Is there any other way I can achieve what I'm trying to do?




Any help would be much appreciated!

Wednesday, December 19, 2018

networking - VOIP and internet connection speeds [cable vs. fiber]



Our office is migrating to IP telephony. We have less than 10 employees that will be using the phones. We currently have cable internet, and they just bumped the speeds:



speed test



There is a data center that was just recently built in our building, and we were considering co-lo'ing there in the near future. As a result, they offered us access to their triple-redundant internet, but it's quite expensive: 3 Mbps committed with up to 10 Mbps burst for $250/month (discounted). We pay ~$120 for our cable (which we planned to keep, at least for TV).




I want the phone system and LAN to be as separate as possible. I was thinking about keeping the cable for the LAN and using the other connection for the phones (until I saw the price). Now I'm thinking it might make sense to add on to our existing cable setup, and change our phone service to have only DSL as a backup for the cable.



Is there any real benefit to the fiber? Especially for the price? Any other suggestions or ideas?



Thanks.


Answer



Yes, there is a benefit to fiber: low latency.



VoIP is prone to problems with jitter (variation in latency). You'll have low-volume issues, dropped calls and noise on the line.




That said, to support 10 users I'm not sure you really need the fiber, especially if you add QoS on your network - and that is a must if you do VoIP.



Let's say I would consider it a very nice-to-have.


Tuesday, December 18, 2018

Moving existing software raid to different windows 2003 machine



On a Windows 2003 server with a 2 x 750 GB RAID for data (using the built-in Windows 2003 software RAID with dynamic disks), the main board broke. (The system and the whole C:\ with C:\Windows, C:\Programs and C:\Documents and Settings was on a separate disk; all of this is no longer important, only the data RAID is what I need.)



Now I want to take the 2 x 750 gb disks and add them to a different windows 2003 server as software raid.



But how do I do this and keep the raid intact?



I can imagine I could add one disk and (as the 2 disks are identical copies) just erase the second disk and add it again, and Windows will build a new RAID like I had before - hopefully with all the data on it.




But of course during the copying process there is a certain risk, because until it is finished the data is only present on the first disk.



So how do I get this right and keep the raid intact during the whole process?



EDIT: I just added the 2 drives to a different system like suggested.



What happened is that Windows recognized the RAID and treated it as such from the beginning, and all my data was there. BUT: it started "resyncing" the 2 drives, which takes many hours, showing me the progress (97% now). Doesn't this mean that until the sync is finished I do not have redundancy? What if the master drive fails during the sync at 50%?




EDIT 2: The resync has finished now and the drive is marked as "error free". But because I do not know whether I had redundancy at all times during the process, this is actually just what I did not want. Can someone add some information?


Answer



With Windows created software RAID that is a non-boot volume, you can just plug both disks in, boot up and then import the volume through Disk Management. It should be very straightforward - no trickery needed.


domain name system - Heroku apex record setup



I have a Heroku application and I want to configure my domain to redirect the apex record to www.



Are there any free services I could use for this purpose?




I mean other than rolling my own solution and hosting it in a free hosting environment that supports A records, or using a service like that of dnsimple.


Answer



Two options I've used:




Monday, December 17, 2018

ZFS on enterprise RAID pass-through, and ZFS on FreeBSD root



We've been running ZFS on top of a single hardware RAID on a Dell PowerEdge for years. I know most people are against this, but the snapshot/clone, compression and flexible partitioning of ZFS have served us very well. Whenever a drive dies, a Dell technician is dispatched (the server is in another state); he confirms that the drive has an amber light and replaces it.




Now that we want to take advantage of ZFS's L2ARC/ZIL caching, we are seriously thinking about running ZFS on bare disks. Current Dell RAID controllers (PERC H730/H330) do support pass-through. My remaining questions are:




  1. If a drive fails under ZFS, does it display an amber light on the front panel? This is important because the dispatched Dell technician may need to confirm that the drive is indeed faulty; otherwise we may have a problem with Dell.


  2. Do any people run ZFS on FreeBSD root? Is it production quality? Any known issues?



Answer



You can control the PERC H730 and H330 using the LSI MegaCLI utility as both of these cards are Dell PERC badged LSI cards.



There is an excellent article and tutorial on how to do this at https://calomel.org/megacli_lsi_commands.html




I know that zfsonlinux has a ZFS Event Daemon (ZED) which you can use to cause particular things to happen on certain events (e.g. use MegaCLI to turn on the amber light for a particular slot when a drive dies).



IIRC, FreeBSD has a ZFSd which can do similar things but I am not an expert on FreeBSD so can not point you to more information other than to say that the FreeBSD forums are full of useful advice and helpful people.



I suspect that the hardest part of doing this will be figuring out what the MegaCLI "slot" number is for a given drive, because ZFS only knows about the device node / name, and doesn't have specific LSI or PERC information. if the device node name is directly related to the card and slot number, it may be a trivial transformation....otherwise, it may be quite difficult.



Even if you have to manually use MegaCLI to turn on the amber light from the shell when a drive dies, to satisfy the Dell tech's procedural expectations, you're still better off giving ZFS raw drives rather than overlaying ZFS on top of hardware RAID - with hardware RAID underneath you lose some of ZFS's most important features (e.g. error detection and correction for your data).
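For what it's worth, that manual fallback is a one-liner. A hypothetical example, assuming the dead disk is enclosure 32, slot 4 (MegaCli64 -PDList -aALL will list the enclosure/slot for each drive):

# blink the locate/identify LED on the failed drive's slot
MegaCli64 -PdLocate -start -physdrv[32:4] -aALL

# turn it off again after the swap
MegaCli64 -PdLocate -stop -physdrv[32:4] -aALL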


kvm virtualization - KVM: guest with FQDN DNS resolution / no bridge



I have a (Hetzner) server with a public IP of eg. 123.123.123.123, and an additional IP of eg. 456.456.456.456.



I want to serve some private webspace apps on 123.123.123.123, including a hidden master BIND server for some domains, and bridge a KVM guest to 456.456.456.456 for some publicly published webspace.



Is it possible to do that while also setting up a separate virtual network with libvirt that will resolve FQDNs to guests? These guests should be able to be accessed from, and access, the internet, and should be able to have multiple FQDNs per guest, but will not have public IPs of their own. I see some documentation that states that adding 192.168.122.1 to /etc/resolv.conf on the host will allow connecting to guests via their hostname locally, and I see some information for libvirt regarding addressing, here, but I'm a bit lost. It seems as if this should be possible, but I'm missing something.



Do I just need to purchase IP space for every VM I want accessed by the internet, or is there a way to accomplish this?




TLDR Is it possible to set up a virtual network with libvirt that will resolve FQDNs to guests from the internet?


Answer



Short answer: this is not possible.



Better to use IPv6 addresses (which are in abundance) for any KVM guest that does not absolutely require the general public to access it. Any traffic that is server-to-server will work fine on IPv6, and anything such as private cloud services will work so long as your ISP offers IPv6, which most (> 80%) ISPs do, and your client is configured to use it (which most are).



Therefore just use a network bridge with IPv6 on the KVM instances.



For the public-facing requirements, set up a reverse proxy such as Nginx (recommended), Pound, Squid, or Apache's mod_proxy on IPv4, and proxy to the IPv6 instances from there.
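A minimal sketch of such a front end in Nginx (the hostname and the guest's IPv6 address are placeholders):

server {
    listen 80;
    server_name guest1.example.com;

    location / {
        # forward to the guest's IPv6 address on the bridge
        proxy_pass http://[2001:db8::10]:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}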




There are other ways of achieving this, such as SIIT-DC, but I know little about that.


Sunday, December 16, 2018

apache 2.2 - How to minimise effect of mischievous, persistent POST requests

For a few months now, one of our shared hosting servers has been persistently and constantly hammered by "POST /" requests from what must be hundreds of thousands of individual IPs. On a number of occasions this has overwhelmed the server and led to a denial-of-service-type outage. The target domain is pretty boring (a small estate agent), so whilst this appears to be malicious I can't understand the motive of this long-running and 99% unsuccessful attack.



A typical request (taken from TCPDUMP) looks something like this:



POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream

Content-Length: 570
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: xxx.co.uk
Connection: Keep-Alive
Cache-Control: no-cache

2+cIPSyYVJFqB9xPFzWoLj9seNyEKIcuIJz/yfkc9tVP+orXgjDk8ywglufcXsMz
bVP4XLcowz/fQtsn2kceQEj/EaEWx/GEbcC3eTbCbTube0suAfEGje3qISKQJ+ka
HaChqun3whii3OTh7vCayGV72lh4raLRandKC5g/73wgQ9Jzh2OLIzNvsiEMSJco
yG+4i35XJMvX7ovx8qJkyByHUIeE5G5M2Kp97O4sOT4jTAK2y/KAMjf6oFgtAJhI

K4/HdcnyfNdI3/4RJXlrSfhUQAc+qhGMEL7AZdtzgRub7lnu+hbuPGZvS3rF1MvL
WK1q4mrnZr0Q3m0bWkzsMZCndQ7fqOBafchjprhn4JKPsjO+upRm2m+irvmJjqnl
sDiR3fnD6pzbWyLTm2qonMJPCll3p6zg06gEfIaW04t9r89/PdHgz8AU8nzO4BX8
qwTG6dSjgbowHyJQmud8Ro+ZT+gHfw/YQUrBqKm7RoFmfJzUoOCKaP1LTwHfI1Gc
E+L8bwQV6ztKBwVn2NqbE83SAXYr9E0QkpaxGg==


We haven't been able to determine what's in the POST request as it looks like garbage, but I'm not sure it's relevant. It's not base64 encoded.



To reduce the amount of bandwidth being used up by responses to this request we have banned the use of POST requests in the Apache2 configuration:






<Limit POST>
    Order deny,allow
    Deny from all
</Limit>




This restricts the response size to just a simple 403 Forbidden message, rather than the client's usual homepage.




To try and block the IPs doing this we've tried piping the access log, filtering for the POST request, and feeding this directly into iptables:



tail -f /var/www/vhosts/xxx.co.uk/statistics/logs/access_log | grep "POST / " | awk '{print $1}' | xargs -I{} iptables -A INPUT -s {} -j DROP


This works well and reduces the effect of the problem, but it is relentless and we usually have to clear the iptables rule set when it reaches 50-60k due to iptables/kernel problems. It's not a solution as I can't just leave this running for a few weeks until whoever is responsible gets the message and gives up.



We've turned off KeepAlive for this particular VirtualHost too to keep the number of occupied Apache workers to a minimum which has helped, but it's not a solution.




Does anybody have any better ideas on how to blackhole these requests, on a scale of hundreds of thousands of remote IPs, or to reduce the impact on Apache to the absolute minimum? The best I can do at the moment is configuring it to send a 403 Forbidden, combined with IP-blocking for a few hours...



Thanks!

Simply Apache virtual host configuration not working



I'm trying to configure Apache to run phpMyAdmin in its own folder, using the server name phpmyadmin.local. I'm not an Apache "guru" and I can't figure out why this is not working. Any help would be much appreciated. The error is: it's redirecting me to my ISP's search page (as if DNS is not working).



hosts file:




127.0.0.1 localhost
127.0.0.1 phpmyadmin.local


httpd-vhosts.conf file:




<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "C:/Users/Marco/Documents/www"

    <Directory "C:/Users/Marco/Documents/www">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName phpmyadmin.local
    DocumentRoot "C:/Users/Marco/Documents/www/phpMyAdmin-3.4.5-english"

    <Directory "C:/Users/Marco/Documents/www/phpMyAdmin-3.4.5-english">
        DirectoryIndex index.php
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>




Answer



Before the virtualhost definitions put this line:



NameVirtualHost *:80


When trying to access the URL from the browser be sure to type http:// before the url.


zfs - Can you add a different size RAIDZ1 to an exists zpool?

For example, I have a 4 x 2 TB RAIDZ1 set up right now, but I would like to add only a 3 x 4 TB RAIDZ1 in addition to it. Is there a way to do this with vdevs/another zpool?



Thanks

Saturday, December 15, 2018

ESXi volumes: where are they located?



I've changed disks in my ESXi server and am hoping for some advice about the config I now have. After a bit of trouble with block sizes, the extra partitions I used to have (for scratch etc.) are no longer there and I'm trying to work out where the different volumes in use are physically located.



Specifically, I'm worried that it's using a ram disk for one or more of them as my memory usage with no VMs running is over 900MB of the host's 4GB.



How do I find out?



Additional info:





  • ESXi (4.1u1) is now installed to a 2 GB USB stick (was on a disk before)

  • 4 volumes (i.e. GUIDs in /vmfs/volumes) are available

  • Sym-links map the volumes to Hypervisor[1-3] and my datastore

  • ... and in '/', the Hypervisor volumes are sym-linked respectively to


    • altbootbank

    • bootbank

    • store & locker (same volume)



  • 'scratch' seems to have settled down to a .locker folder on the datastore I created

  • My hardware is on the ESXi HCL (With the probable exception of the drives, although presumably the Dell SAS 6/iR RAID controller ESXi sees is supported),



Any help gratefully received!



Edit: config not remembered



I've just restarted the machine and it's forgotten all the VMs (the inventory has gone back to a list of "Unknown" entries, which was what happened to the VMs when I removed the old datastore). So my Scratch is not persisting, even though it looks like it's configured to be stored on disk.



Answer



Hypervisor volumes are just partitions on the USB stick. You can see their location by running



vmkfstools -P /vmfs/volumes/Hypervisor1


And to see everything about storage on the host (more than you'll ever want to know), run



esxcfg-info -s



As to the memory utilization, just run esxtop and hit "m" to see what's using it.


website - How to configure S3 or DNS to handle incomplete name (sans www) for web site?



I have set up a bucket called "www.mydomainname.com" to host my website, and I have configured the CNAME such that "www.mydomainname.com" points to my endpoint http://www.mydomainname.com.s3-website-us-east-1.amazonaws.com/



It works, and people who type the full URL "www.mydomainname.com" are able to see my index page.



But most people are in the habit of typing an incomplete domain name: they just type "mydomainname.com" and their browser fails to find my site.




Is there a way to configure the CNAME or the S3 bucket such that typing "mydomainname.com" takes them to my S3 website?
(I am using Network Solutions as my DNS provider.)


Answer



You would just add a CNAME for mydomainname.com pointing to www.mydomainname.com.s3-website-us-east-1.amazonaws.com.


Friday, December 14, 2018

virtualization - XenServer Performance



We've got 2 x HP DL360 G5s with Quad Quad Xeons 2.6GHz and 32GB of memory each running XenServer 5.5, and they access an OpenFiler box (with 8 x 320GB SAS 10K drives) via copper CAT5 (1Gb) for the storage.



We've used this setup for testing a lot of stuff, which has worked out perfectly, but now we are moving to use this setup in production and are experiencing performance issues. There are currently 27 VMs split across the two servers, all in use (albeit not doing a lot of work), but they seem "slow", especially our employee thin clients - users always complain that login times and accessing files via the network are slow.



Personally, I think it's a throughput issue and we should go SCSI or FC for our storage, but I need some evidence to back my theory up, and I'm quite new to Xen (it was set up by a previous employee).



My questions: from the info I've given, is it possible that the storage box is overloaded, trying to squeeze too much over that one cable? And how do I monitor network access in real time from the XenServers themselves?




Thanks :-)


Answer



I have seen this issue many times.
I really love XenServer; however, it's like an unpolished gem...



You should check with ifconfig -a (on dom0, the XenServer console)
and look for dropped packets.



You can use:
ifconfig -a | grep dropped | awk '{print $3}' | grep -v ":0"




If you see dropped packets, you should do the following (a scripted equivalent of the registry change is shown after the list):




  1. On the Virtual Machines, Click Start, click Run, type regedit, and then click OK.

  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  3. In the right pane, make sure that the DisableTaskOffload registry entry exists. If this entry does not exist, follow these steps to add the entry:
    a. On the Edit menu, point to New, and then click DWORD Value.
    b. Type DisableTaskOffload, and then press ENTER.


  4. Click DisableTaskOffload.

  5. On the Edit menu, click Modify.

  6. Type 1 in the Value data box, and then press ENTER.

  7. Exit Registry Editor.

  8. Restart all Virtual Machines
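For reference, the same registry change can be scripted instead of clicking through the Registry Editor; a minimal sketch, using the same key and value as above (run in an elevated command prompt on each VM, then reboot):

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DisableTaskOffload /t REG_DWORD /d 1 /f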



And on the XenServer console:



Get the UUID of the physical interface:

xe pif-list host-name-label=XEN1



Disable checksum on the interfaces:



xe pif-param-set other-config:ethtool-tx="off" uuid=3281b044-2a93-2f1b-e8e1-eaf0faccbd1f;
xe pif-param-set other-config:ethtool-rx="off" uuid=3281b044-2a93-2f1b-e8e1-eaf0faccbd1f


Thursday, December 13, 2018

domain name system - postfix - dns error - can't resolve my A or MX record

I've installed Postfix on my Arch Linux PC. I use systemd-resolved and systemd-networkd to establish a network connection.



I want to use Postfix as a satellite system to send some mails if my RAID system breaks.



So, when I try to send some test mails with echo "Body" | mail -s "Header" markus.pesch@my-mail.com, Postfix writes in my logs that it can't resolve my domain's A or MX record:





Okt 21 22:16:54 markus-pc postfix/error[17574]: F1C6E2E0C10: to=, orig_to=, relay=none, delay=360970, delays=360969/0.57/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=smtp1.example.com type=AAAA: Host not found, try again)



Okt 21 22:16:54 markus-pc postfix/error[17569]: 0448E2E0C0E: to=, relay=none, delay=360970, delays=360969/0.57/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=smtp1.example.com type=AAAA: Host not found, try again)



Okt 21 22:16:54 markus-pc postfix/error[17577]: F420B2E0B46: to=, relay=none, delay=360970, delays=360969/0.57/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=smtp1.example.com type=AAAA: Host not found, try again)



Okt 21 22:16:54 markus-pc postfix/error[17572]: F257B2E0C12: to=, orig_to=, relay=none, delay=360970, delays=360969/0.57/0/0.02, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=smtp1.example.com type=AAAA: Host not found, try again)





But when I try it with dig, I get a valid response.



How can I fix this DNS error so that my local Postfix installation can find my mail server and send it some mails?



Volker

ubuntu - Logging in to ssh server: Permission denied, please try again



I'm trying to login to my ssh server using a username and password, but I get this error after entering the correct password:



Permission denied, please try again.


I can login using a pubkey on another machine, though, but I have NOT disabled regular password authentication. The only thing I disabled was root logins.



Here's my sshd_config file:





# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0

Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600

ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes


RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)

ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes


# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server


# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

IgnoreUserKnownHosts no
PasswordAuthentication yes


I've added the last 2 lines in a latest attempt at getting it to work. (I have them on my other vps, and they work there)



Here's the listing of the ~/.ssh/ directory of my user:




ls -la /home/skerit/.ssh

total 16
drwx------ 2 skerit skerit 4096 2011-06-25 15:11 .
drwxr-xr-x 4 skerit skerit 4096 2011-07-07 21:05 ..
-rw-r--r-- 1 skerit skerit 1882 2011-06-25 15:15 authorized_keys
-rw-r--r-- 1 skerit skerit 884 2011-06-23 22:59 known_hosts


This is the output of /usr/sbin/sshd -d:





debug1: userauth-request for user skerit service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "skerit"
debug1: PAM: setting PAM_RHOST to "82.197.70.70"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user skerit service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048

debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/skerit/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/skerit/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/skerit/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for skerit from 82.197.70.70 port 57154 ssh2
debug1: userauth-request for user skerit service ssh-connection method password

debug1: attempt 2 failures 1
debug1: PAM: password authentication failed for skerit: Authentication failure
Failed password for skerit from 82.197.70.70 port 57154 ssh2


I then tried to log in to the ssh server FROM the ssh server itself (locally) using THE SAME username and password, and it worked. This was in the auth.log file:




Jul 8 12:21:50 vpsnl1 sshd[27298]: debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Jul 8 12:21:50 vpsnl1 sshd[27298]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Jul 8 12:22:16 vpsnl1 sshd[27298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.197.70.70 user=
skerit
Jul 8 12:23:50 vpsnl1 sshd[27439]: Server listening on 0.0.0.0 port 22.
Jul 8 12:23:50 vpsnl1 sshd[27439]: Server listening on :: port 22.
Jul 8 12:24:07 vpsnl1 sshd[27458]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jul 8 12:24:14 vpsnl1 sshd[27458]: Accepted password for skerit from 127.0.0.1 port 57667 ssh2
Jul 8 12:24:14 vpsnl1 sshd[27458]: pam_unix(sshd:session): session opened for user skerit by (uid=0)
Jul 8 12:24:25 vpsnl1 sshd[27471]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jul 8 12:24:25 vpsnl1 sshd[27458]: pam_unix(sshd:session): session closed for user skerit


Answer



Are you certain that the user account you're attempting to access is correctly configured? If you log in as root on the system, can you su to the user account?



# su - username


What do you see in your logs after a failed connection attempt? On many systems, sshd will log to something like /var/log/secure or /var/log/auth.log. Also, I note that you have PasswordAuthentication enabled but ChallengeResponseAuthentication disabled. Do you see the same behavior if you enable ChallengeResponseAuthentication?
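As a rough sketch (assuming Ubuntu's default log location and init scripts), you can watch the log while reproducing the failure from another terminal, and toggle the challenge-response setting like this:

tail -f /var/log/auth.log

# To test the ChallengeResponseAuthentication variant, flip the setting in
# /etc/ssh/sshd_config and reload the daemon:
#   ChallengeResponseAuthentication yes
sudo service ssh reload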



Here are some general diagnostic steps to use when you have ssh problems:





  • Enable verbose diagnostics in ssh:



    ssh -v host.example.com


    This will cause the client to output a variety of diagnostic messages as it negotiates the connection. This will often provide a clue to the problem.


  • Run the server in debug mode.



    On your server, stop sshd, then run it from the command line like this:




    /usr/sbin/sshd -d


    This will produce verbose debug logging on stderr that will very often contain useful information.




If neither of these helps you figure out what's going on, would you add the output to your question?


Wednesday, December 12, 2018

networking - Use specific interface for outbound connections (Ubuntu 9.04)



I have two ethernet interfaces in my computer, which is running Ubuntu 9.04. Both interfaces sport static IPs, but use separate gateways. My /etc/network/interfaces file looks something like this:




auto eth0 eth1
iface eth0 inet static
address 10.0.0.5

netmask 255.255.255.0
gateway 10.0.0.1

iface eth1 inet static
address 192.168.2.5
netmask 255.255.255.0
gateway 192.168.2.1


I want to have all traffic going to the internet-at-large run through eth0, but it seems to want to go through eth1. Is there a way that I can channel my general outbound traffic through eth0 instead and only use eth1 for traffic to its subnet?




The answer should be persistent; that is to say, it should survive reboot without a superuser needing to run a command after restart.



EDIT: as requested, here is the output of my route -n command:




Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0

Answer



You should only have one default gateway. If you remove the gateway line from eth1, it'll all just work (after networking is restarted).
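For illustration, a sketch of the corrected /etc/network/interfaces based on the file quoted in the question (only eth1's gateway line is removed):

auto eth0 eth1
iface eth0 inet static
    address 10.0.0.5
    netmask 255.255.255.0
    gateway 10.0.0.1

iface eth1 inet static
    address 192.168.2.5
    netmask 255.255.255.0

# then restart networking, e.g.:
#   sudo /etc/init.d/networking restart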


Monday, December 10, 2018

centos6 - Apache wants port 80 without binding it to this port

When I try to start my Apache server, it shows me this error:





Starting httpd:



(98) Address already in use: make_sock: could not bind to address [::]:80



(98) Address already in use: make_sock: could not bind to address 0.0.0.0:80



no listening sockets available, shutting down
Unable to open logs



[FAILED]





My httpd.conf file:



Listen 8181


As you can see, I have deleted everything else. Still, Apache wants to bind to port 80, which is used by Varnish. Any idea how to solve this?
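As a hedged diagnostic (CentOS-style paths assumed, per the centos6 tag): a stray bind on port 80 usually comes from another Listen or NameVirtualHost directive pulled in via an Include, or from another process already holding the port, so both are worth checking:

# Find every Listen/NameVirtualHost directive Apache actually loads:
grep -rniE '^[[:space:]]*(Listen|NameVirtualHost)' /etc/httpd/conf /etc/httpd/conf.d

# And see which process currently owns port 80 (expected to be varnish here):
netstat -tlnp | grep ':80 '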

domain name system - Site takes time to resolve in the browser

Here's a problem that I've seen for the first time, and unfortunately, after trying everything, I still couldn't fix the issue. Any suggestions would be a great help.



The issue is that when we try to open greenworldinvestor.com, it takes an awful amount of time to load. The browser keeps showing that it's trying to find greenworldinvestor.com, and when it finally finds it, the page loads in a snap.



A few points:


  • Earlier it was on wpwebhost and I was using GoDaddy to manage the DNS.

  • Right now it's on a shared account on Bluehost, with nameservers pointing to Bluehost.

  • It happens with all browsers and on all OSes - Windows, Linux, Mac.




Here's what I've done from my end to fix the issue:



Although I understand that these points are not directly related to the issue, just to be on the safe side and to avoid assumptions, I'm listing everything that I did to try to fix it.




  • It's on WordPress - disabled all the plugins - no luck

  • Used the default WordPress theme - no luck [confirms that the issue is not with the current theme]

  • Even applied a CDN - no luck

    {All these steps definitely improved the page load time, but again, that wasn't the issue in the first place - still, I thought it might help somehow, so I listed them too.}



Now here are some of the results of tests on tools.pingdom.com -




  1. Full page test - here's the archived result

  2. Ping test - archived ping result [tools.pingdom.com/ping/default.aspx?target=www.greenworldinvestor.com&o=2&id=5320266]

  3. Traceroute - archived traceroute result




Dig result -




; <<>> DiG 9.6-ESV-R4-P3 <<>> www.greenworldinvestor.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29114
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.greenworldinvestor.com.           IN      A

;; ANSWER SECTION:
www.greenworldinvestor.com.  14400     IN      CNAME   greenworldinvestor.com.
greenworldinvestor.com.      4311      IN      A       66.147.244.226

;; AUTHORITY SECTION:
greenworldinvestor.com.      162711    IN      NS      ns1.bluehost.com.
greenworldinvestor.com.      162711    IN      NS      ns2.bluehost.com.

;; Query time: 67 msec
;; SERVER: 71.252.219.43#53(71.252.219.43)
;; WHEN: Thu Aug 4 05:39:14 2011
;; MSG SIZE  rcvd: 119




Result of HTTPFox



The first byte takes 17 seconds to load... crazy!
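One way (not from the original post) to confirm that the delay is in name resolution rather than in the server's response is to let curl break out the timings:

curl -o /dev/null -s \
     -w 'dns: %{time_namelookup}s  connect: %{time_connect}s  ttfb: %{time_starttransfer}s\n' \
     http://www.greenworldinvestor.com/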

How do I renew an expired Ubuntu OpenLDAP SSL Certificate



We went through the steps of revoking an SSL Certificate used by our OpenLDAP server and renewing it but we are unable to start slapd.




Here are the commands we used:




openssl verify hostname_domain_com_cert.pem


We got back that the certificate was expired but "OK"



We revoked the certificate we'd been using:





openssl ca -revoke /etc/ssl/certs/hostname_domain_com_cert.pem


Revoking worked fine.



We created the new Cert Request by passing it the key file as input:




openssl req -new -key hostname_domain_com_key.pem -out newreq.pem



We generated a new certificate using the newly created request file "newreq.pem"




openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem


We looked at our cn=config.ldif file and found the locations for the key and cert and placed the newly dated certificate in the needed path.




Still we are unable to start slapd with:




service slapd start


We get this message:




Starting OpenLDAP: slapd - failed.

The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd -h 'ldap:/// ldapi:/// ldaps:///' -g openldap -u openldap -F /etc/ldap/slapd.d/



Here is what we found in /var/log/syslog




Oct 23 20:18:25 ldap1 slapd[2710]: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Oct 23 20:18:25 ldap1 slapd[2710]: main: TLS init def ctx failed: -1
Oct 23 20:18:25 ldap1 slapd[2710]: slapd stopped.
Oct 23 20:18:25 ldap1 slapd[2710]: connections_destroy: nothing to destroy.



After generating a new ldap1 key/cert pair now we get this whenever we try to start slapd




Oct 24 08:38:12 ldap1 slapd[5461]: @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Oct 24 08:38:12 ldap1 slapd[5463]: hdb_db_open: database "cn=accesslog" cannot be opened, err 13. Restore from backup!
Oct 24 08:38:12 ldap1 slapd[5463]: bdb(cn=accesslog): txn_checkpoint interface requires an environment configured for the transaction subsystem
Oct 24 08:38:12 ldap1 slapd[5463]: bdb_db_close: database "cn=accesslog": txn_checkpoint failed: Invalid argument (22).
Oct 24 08:38:12 ldap1 slapd[5463]: backend_startup_one (type=hdb, suffix="cn=accesslog"): bi_db_open failed! (13)
Oct 24 08:38:13 ldap1 slapd[5463]: bdb_db_close: database "cn=accesslog": alock_close failed
Oct 24 08:38:13 ldap1 slapd[5463]: slapd stopped.



Should we try to restore ldap from backup?


Answer



Two things were done to fix this: 1) create a new key/cert pair for the ldap1 server, and 2) restore LDAP from a recent slapcat backup.
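For reference, a minimal sketch of the restore path on a Debian/Ubuntu layout (paths and the backup file name are assumptions; adjust to your environment):

service slapd stop

# set aside the broken database directory and recreate it
mv /var/lib/ldap /var/lib/ldap.broken
mkdir -p /var/lib/ldap
chown openldap:openldap /var/lib/ldap

# reload an earlier slapcat export into database 1, then fix ownership
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/backup.ldif
chown -R openldap:openldap /var/lib/ldap

service slapd start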


Windows Server 2003 DNS not resolving internal and external domains for clients

I'm attempting to setup an AD Domain in Amazon's EC2 Cloud. I have several EC2 instances running inside a VPC. Security Groups are configured to allow all traffic from the subnet the instances are on.



I have a server (AwsAdmin1) setup as the DNS server. Running NSLOOKUP on AwsAdmin1 works perfectly, and it can access the internet. It is set to use its internal IP as the Primary DNS server.



The server I set up to test the DNS (AwsTest1) is set to use AwsAdmin1 as the primary DNS. Running NSLOOKUP returns the error, "Can't find the server name for address: 10.1.1.4 (AwsAdmin1's IP): Timed Out".




Trying to ping AwsAdmin1 by name times out



AwsAdmin1 CAN be pinged BY IP



AwsAdmin1 has an A record and a PTR record on itself



Running WireShark shows that DNS traffic from AwsTest1 reaches AwsAdmin1



The primary DNS suffix for both of the servers is imkamzn.public.com (Fake address here, obviously, but it is a routable address)




These computers are NOT in a domain currently. I'm trying to get the DNS running first before I set up AD.



What could be causing these issues? I suspect it has to do with the DNS suffix, but I don't know.
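A few quick checks from AwsTest1 that may narrow it down (the FQDN below is an assumption built from the suffix mentioned above):

:: Query the DNS server directly with a fully-qualified name, resolve its
:: PTR record, and check which suffixes the client is actually configured with:
nslookup awsadmin1.imkamzn.public.com 10.1.1.4
ping -a 10.1.1.4
ipconfig /all | findstr /i "suffix"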

Saturday, December 8, 2018

php - Can I globally set $_SERVER['REDIRECT_URL'] before script execution?

I'm in the process of migrating many sites from an old to a new server configuration. Each site is based on a similar (but sadly not identical) codebase, using mod_rewrite URLs.




  • Ubuntu 8.04 LTS => Ubuntu 12.04 LTS


  • Apache 2.2.8 => Apache 2.2.22

  • PHP 5.2 (FastCGI) => PHP 5.3 (PHP5-FPM)



Mostly working like a charm, but on the new config the $_SERVER['REDIRECT_URL'] is no longer set, and the code is failing due to a dependence on this global variable.



From what I understand, this variable gets set by Apache when a redirect occurs. Obviously this isn't happening now, but I'm struggling to find the cause.




  • Is it the Apache upgrade, or (my guess) the switch from PHP FastCGI to PHP5-FPM?


  • How do I get this variable back?



I'd really rather not have to edit the code on each site, so I'll set a global PHP auto_prepend if necessary, but ideally I'd like to fix the server configuration and have this set in the first place.



Potentially related: I now also have a couple of new $_SERVER variables, namely REDIRECT_SCRIPT_URL and REDIRECT_REDIRECT_SCRIPT_URL. These seem to have the correct data I want for the REDIRECT_URL, but they also seem to indicate there are two internal redirects occurring that weren't before - Google searches for REDIRECT_REDIRECT_SCRIPT_URL only return random var_dump outputs. Is SCRIPT_URL the new REDIRECT_URL?



Edit 1



Checking again, REDIRECT_URL is (now) set, but always to 'index.php' (the mod_rewrite target) instead of the expected typed URL. I have resorted to using a PHP auto_prepend_file to manually set the needed variable.




I'm not sure how I missed it the first time round, but I've made several changes in the meantime, so I suppose there's an outside chance it wasn't there. Apologies if this misled anyone.



Edit 2



To address the mentions of ErrorDocument below, the mod_rewrite rule in use is:



RewriteRule ^(.*)$ /index.php?url=$1 [QSA,L]



The $_GET['url'] variable is set, so the rule must be working.



To be clear, at this stage I've gone with the auto_prepend_file workaround I mentioned initially.
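For anyone hitting the same thing, here is a rough sketch of that workaround; the file locations are assumptions, and mapping from REDIRECT_SCRIPT_URL is based on the observation above rather than a documented fix:

# create a prepend file that rebuilds REDIRECT_URL from what Apache still sets
cat > /etc/php5/prepend.php <<'EOF'
<?php
// Hypothetical mapping: fall back to REDIRECT_SCRIPT_URL when REDIRECT_URL
// is missing or points at the rewrite target instead of the typed URL.
if (isset($_SERVER['REDIRECT_SCRIPT_URL'])) {
    $_SERVER['REDIRECT_URL'] = $_SERVER['REDIRECT_SCRIPT_URL'];
}
EOF

# wire it into the PHP-FPM pool and reload
echo 'php_admin_value[auto_prepend_file] = /etc/php5/prepend.php' \
    >> /etc/php5/fpm/pool.d/www.conf
service php5-fpm restart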

debian wheezy - Just installed LSI 9211; no drives showing up to Linux



I just added an LSI 9211-8i to a system running Debian Wheezy (on the Linux kernel). All software is up to date and the kernel is 3.2.65-1+deb7u2 x86_64 according to uname.




The card came straight out of the packaging and into the host after visual inspection that didn't uncover anything that was clearly wrong with the card (though I have no known good card to compare against). This, along with the fact that the kernel is speaking to the card (see below) leads me to believe that the card itself is slightly more useful than a dud.



Physically installing the card posed no problems. The card being PCIe x8 didn't need the full length of the PCIe x16 slot I had available, but as far as I can tell that should not be a problem if the host and card are speaking to each other at all. The motherboard has two PCIe x16 slots, one of which is listed as "x4 performance". Since the card is obviously being detected at some level, I do not believe anything like the graphics-card-only x16 slots is at play here.



To the 9211's internal ports I hooked up two 8077-to-4x8482 breakout cables, connecting each to two HDDs (leaving unused the other two plugs on each) with no PMP or anything similar in between. One of the two 8077 ports (in the unlikely case it makes a difference, the one farther from the PCIe slot) was slightly finicky, but the cable clicked into place and locked without argument once I slid it in at the right angle. I looked more closely around the area of that port but could find no evidence of physical damage to the card.



The system was noticeably noisier on boot compared to what it was before I installed these new drives, which leads me to believe that the card is, at the very least, supplying power and spinning up the drives. The drives subsequently spun down.



I expected the card to make some utterances during the boot process, and was rather surprised to get nothing of the sort (no "Press Ctrl-C to start LSI Logic Configuration Utility" prompt). I looked through the motherboard's BIOS setup, but could find no relevant switches that needed to be flipped for off-board BIOSes or HBAs. Hammering Ctrl+C during the boot process up to GRUB (to try to invoke the card's on-board configuration utility) did not produce any visible results.




The mpt2sas module was loaded automatically on boot, and seems to talk to the card just fine:



[    1.692606] mpt2sas version 10.100.00.00 loaded
[ 1.698699] mpt2sas 0000:08:00.0: enabling device (0000 -> 0002)
[ 1.698717] mpt2sas 0000:08:00.0: setting latency timer to 64
[ 1.698721] mpt2sas0: 64 BIT PCI BUS DMA ADDRESSING SUPPORTED, total mem (32967612 kB)
[ 1.698761] mpt2sas0: IO-APIC enabled: IRQ 16
[ 1.698764] mpt2sas0: iomem(0x00000000d0440000), mapped(0xffffc90013ea8000), size(16384)
[ 1.698766] mpt2sas0: ioport(0x0000000000001000), size(256)
[ 2.139165] mpt2sas0: Allocated physical memory: size(3379 kB)

[ 2.139168] mpt2sas0: Current Controller Queue Depth(1483), Max Controller Queue Depth(1720)
[ 2.139170] mpt2sas0: Scatter Gather Elements per IO(128)
[ 2.360461] mpt2sas0: LSISAS2008: FWVersion(20.00.00.00), ChipRevision(0x03), BiosVersion(07.27.01.00)
[ 2.360464] mpt2sas0: Protocol=(Initiator), Capabilities=(Raid,TLR,EEDP,Snapshot Buffer,Diag Trace Buffer,Task Set Full,NCQ)
[ 2.360563] mpt2sas0: sending port enable !!
[ 4.895613] mpt2sas0: host_add: handle(0x0001), sas_addr(0x500605b00963d470), phys(8)
[ 10.024028] mpt2sas0: port enable: SUCCESS


lspci shows that the card is being detected and identified:




$ lspci | grep LSI
08:00.0 Serial Attached SCSI controller: LSI Logic / Symbios Logic SAS2008 PCI-Express Fusion-MPT SAS-2 [Falcon] (rev 03)
$


However, and this is where it gets interesting, neither lsblk nor udevadm info --exportdb shows any of the new HDDs, as far as I can tell. They are also (obviously, given udevadm) not showing up in any of the /dev/disk/by-* directories.



I tried running udevadm trigger just in case there was something iffy with the boot sequence ordering, but that did not change anything and did not add anything at all to the system log (i.e., the most recent portion of the output of dmesg was the same before and after running that command).




I am not inclined to believe that both of the brand new breakout cables are somehow broken.



Physically unplugging both of the breakout cables from the card (to remove the HDDs and cables from consideration in the case) did not make any discernible difference.



I followed these instructions to install the most recent version of MegaRAID Storage Manager on my system. (Basically, take the rpms, use alien --scripts to convert them to debs, and then dpkg --install the debs.) After that, with the drives plugged in and /etc/init.d/vivaldiframeworkd started, running /usr/local/MegaRAID Storage Manager/StorCLI/storcli64 show all prints the following:



Status Code = 0
Status = Success
Description = None


Number of Controllers = 0
Host Name = my-host
Operating System = Linux3.2.0-4-amd64


At this point I am somewhat running out of ideas. If there's any other information I can provide that might help answering this, just let me know. I'm almost starting to think that this is somehow a motherboard issue after all.



With the ultimate goal of using them for a ZFS pool, what incantations, magic utterances, sacrifices or other relevant rituals do I need to perform for the drives connected to the 9211 to show up in Linux?



UPDATE: After physically switching the places of the graphics card and the 9211, the 9211's BIOS now shows up on boot and I was able to enter the configuration utility. It still shows no disks attached (even in the SAS Topology view), however, despite disks very definitely being attached and cables firmly seated on both ends. (I have not, however, created any RAID array using the card's configuration utility.) What's more, the card reports that it has been "disabled". At this point I'm almost willing to chalk up my initial problems to a crappy motherboard, and my current problems to IR vs. IT firmware on the 9211 itself. I will try flashing the card to IT firmware later and see how that goes; I plan on using IT firmware anyway because of ZFS, so there's no harm in doing so that I can see.



Answer



There turned out to be two actual problems (and one minor annoyance) involved in this. Many thanks to ewwhite for providing me with troubleshooting suggestions that eventually allowed me to fix this.



The first problem was that the PCI Express slot I installed the LSI in for whatever reason did not work fully with the HBA. What confused me here was mainly that Linux was detecting the card, but not doing much more (and certainly not detecting any of the disks attached to it). When I switched places between the graphics card and the HBA, the HBA's BIOS came up and I was able to enter the configuration utility as per ewwhite's instructions, and graphics is still working fine. (I guess that's what I get for working with what I have...) However, still no drives were showing up either in the configuration utility's "SAS Topology" menu, or in Linux, despite my triple-checking that the connections were secure.



At one point the controller was reporting itself as being "disabled by user"; this was related to the boot support setting in its configuration. Setting it to one of the "enabled" choices fixed that. This was the minor annoyance.



The second problem was mainly a misunderstanding on my part. I somehow thought that the card's 8077 ports would provide power for the drives, but they didn't. In retrospect, I suppose that makes sense. Connecting the power cable attached to each drive's 8482 connector to the system's power supply fixed that easily enough. (However, I have no good explanation for the initial noise when I powered the system up for the first time after installing the LSI.)



Having sorted out the above, the controller now works perfectly and the disks are currently being provisioned. I'm leaving this here in the hope that someone, some time, will find it useful and not make the same mistakes that I did.
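As a follow-up sketch (not part of the original answer): once the controller exposes the disks, they should be visible by persistent ID, which is also what you would typically feed to the planned ZFS pool. Device names below are placeholders.

# the drives should now show up both as block devices and by persistent ID
lsblk -o NAME,SIZE,MODEL
ls -l /dev/disk/by-id/ | grep -Ei 'ata|scsi|wwn'

# hypothetical pool layout for the planned ZFS pool -- substitute real IDs:
#   zpool create tank mirror /dev/disk/by-id/<disk1> /dev/disk/by-id/<disk2>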



Wednesday, December 5, 2018

storage - Performance Difference SAS vs. SATA?




I can't seem to find that anywhere.



What is the expected performance difference between SAS and SATA in a storage backend scenario with heavily parallelized access (like a SAN, virtualization host storage, etc.), all other things being equal?



I think it comes down to the impact of NCQ's 32-command limit versus the MUCH higher outstanding command limit of SAS disks.



We are considering replacing some disks and have a chance to go for SAS or SATA - all the rest is in place - and I'm looking for an evaluation from a performance point of view. Please ignore all the other issues (reliability, etc.) - I purely wonder about the impact SAS will have on similarly specced disks (RPM, etc. being equal). The disks we have in mind can be ordered with either connector, and there is an idea here to use SATA for a possible repurposing later. The price difference is not really high, but it made me wonder about the performance impact...


Answer



Yes, the extensive command set of SCSI is a big bonus of using it over SATA. From the SAS Wikipedia article:





SATA uses a command set that is based on the parallel ATA command set and then extended beyond that set to include features like native command queuing, hot-plugging, and TRIM. SAS uses the SCSI command set, which includes a wider range of features like error recovery, reservations and block reclamation. Basic ATA has commands only for direct-access storage. However SCSI commands may be tunneled through ATAPI[2] for devices such as CD/DVD drives.




The error recovery and block reclamation commands are pivotal for data integrity; S.M.A.R.T. is really for consumer-grade equipment.



Also, SAS uses a higher signaling voltage, which enables longer cables compared to that of SATA. That's important when trying to cable up additional storage to an existing SAN.



You mentioned NCQ, but SCSI uses TCQ instead, which can be used in three different modes. However, the bigger bonus, IMO, with regard to parallelized setups is the ability to send up to 2^64 commands before filling the queue. Protocols like iSCSI and Fibre Channel limit this right now, but the ability is there for future use.
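As a rough illustration (device names are placeholders), on Linux you can read back the queue depth the kernel actually negotiated per device, which is where the NCQ-versus-TCQ difference shows up in practice:

# a SATA/NCQ disk will typically report 31; SAS/TCQ disks often report
# much larger values, depending on the HBA and firmware
cat /sys/block/sda/device/queue_depth
cat /sys/block/sdb/device/queue_depth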




I can only answer that portion, because I don't know if going with SAS for a couple of new disks will give you the same benefit as a purely SAS setup.


Monday, December 3, 2018

SmartOS Virtualization with one public IP address



Is it possible? (title of this question)



Googling Virtualization with one public IP address yields nothing useful



What I have:





  • SmartOS on a dedicated server.

  • Dedicated server has one public IP address.



What I want to do:




  • Host multiple guest OS from that server




Problem:




  • Accessing the guests through the IP address of the single server that virtualizes them.






Is this possible at all?




Sorry, newbie to all this






Research



http://www.machine-unix.com/beginning-with-smartos/#comment-7256
Does not solve my problem - the guide sets up an internal IP




http://blog.bgentil.fr/smartos-use-global-zone-as-gateway-for-guests.html



Ideas




  • Perhaps it is possible to do host-based translation like with nginx proxy?


Answer



Yes, you can!




For general help with SmartOS:



Google treats SmartOS as a synonym for Solaris. Always use the search located at smartos.org; do not use Google directly. #SmartOS on Freenode and the mailing list are also invaluable resources.



Security concerns with a single IP setup at a datacenter:



In SmartOS you typically have an admin interface (private/LAN) and a public one (public/WAN). I realize this may not be possible in your deployment, but it's very important to know that KVM virtual hosts will run unprotected VNC on the admin interface. You will need to secure that with a firewall or a configuration change.



What you'll want to do is set up a zone that will act as a firewall, gateway, load balancer, etc. That firewall zone will have two NICs: one on the admin interface, one on the WAN. You can place all of your guests on a virtual switch, which will be like having them connected to a physical one.




Since you only have one IP (which I would try to rectify), this can be tricky to set up in a zone; if you mess up your network configuration, you may lose access to the machine. Although it is generally not advised, you may need to run your firewall in the global zone.




  1. For the guests to get out to the internet, set up NAT:
    http://wiki.smartos.org/display/DOC/NAT+using+Etherstubs


  2. For incoming https/http: I run an nginx instance and use a file for each
    service/website in the sites-available/sites-enabled folders. The
    default configuration of NGINX with SmartOS is minimalistic and will
    not contain these folders; see the sketch after this list.


  3. For incoming tcp/udp services: You can use the built-in firewall (see

    man fwadm) in your firewall zone or use HAProxy if you want to do
    virtual hosts. (You could use HAProxy exclusively and eliminate NGINX)
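To illustrate point 2, a minimal per-site reverse-proxy file in the firewall/proxy zone might look like the sketch below; the hostnames, paths and the guest's internal address are assumptions, since the pkgsrc nginx on SmartOS ships without the sites-available/sites-enabled layout:

mkdir -p /opt/local/etc/nginx/sites-available /opt/local/etc/nginx/sites-enabled

cat > /opt/local/etc/nginx/sites-available/example.com <<'EOF'
server {
    listen 80;
    server_name example.com;

    location / {
        # 10.1.1.10 is a hypothetical guest on the internal etherstub network
        proxy_pass http://10.1.1.10:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
EOF

ln -s /opt/local/etc/nginx/sites-available/example.com \
      /opt/local/etc/nginx/sites-enabled/example.com

# and make sure nginx.conf contains:  include sites-enabled/*;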



linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...