Thursday, February 28, 2019

linux - CentOS 7 mpath Install, Can't Find /dev/centos/root

I am attempting to install CentOS 7 on an older SuperMicro H8QM8 motherboard (AIC-7902 SCSI controller, aic7xxx kernel module) with 3 attached drives. The Adaptec SCSI bios recognizes the drives and they have each been low-level formatted via the SCSI bios.




On using the CentOS GUI install to configure the hard drive layout, the installer detects the SCSI devices as a single mpath device (is this normal?); however, there is a comment on the single mpath device listing sda, sdb, and sdc. I seem to be able to successfully set up a partition table on a drive, but (at this point) I'm not sure exactly which drive I'm working on.



After the system reboots, I get an error about not finding /dev/centos/root and also not being able to find /dev/by-uuid/blahblahblah and get dropped into the dracut shell. I am able to confirm that (at this point) the aic7xxx, scsi_*, and dm_* modules are loaded via a kmod list but don't see the various HD nodes that the boot sequence was looking for. In /dev I see /dev/sda, /dev/sdb, and /dev/sdc, but no more specific partition nodes (i.e. /dev/sda1). I don't seem to have access to fdisk at this point, so I can't see which SCSI drive has the partition table, however the log shows that "something" detected that /dev/sda has 3 partitions.



So then I reboot with the CentOS 7 CD in rescue mode, and the rescue boot successfully detects and mounts all my partitions under /mnt/sysimage. At this point, I can see that the partition table, file systems, and installed files all went to /dev/sda (/dev/sda1 for /boot, /dev/sda2 for lvm).



So there are two sub-questions, but perhaps I don't quite know how multipath works and it is just a single question:




  • Why are the 3 drives displayed as a single mpath device in the installer? In the installer, is there a way to address a single drive (e.g. /dev/sda) instead of the mpath device as a "whole"?



  • Why can the installed system not find the partition table on /dev/sda? What information can I use (perhaps from the dracut emergency prompt) to further debug?


Wednesday, February 27, 2019

Apache hangs after every 2-3 weeks, with closed_wait connections increasing until it is restarted

We have a cluster setup of 3 servers; on all 3 servers WebLogic is running to host the website. On top of WebLogic we use Apache as a load balancer.



Last year I upgraded the Apache HTTP server from 2.4.9 to 2.4.29. Before the upgrade things were working fine, but post-upgrade Apache hangs every 2-4 weeks. The website becomes inaccessible; on checking the server we don't see any error, and in fact the moment Apache hangs it stops logging too.



We monitored and found no abnormal memory usage, no suspicious type of request to website, no suspicious process running before the issue occurs.



After searching the internet, I found that the problem could be related to the MPM configuration. Apache was using the event MPM, but I found that the event MPM configuration was not declared in the Apache configuration; I think during the upgrade the default configuration was replaced by the old configuration.



So we modified the MPM configuration to use the event MPM configuration below, and this change worked. We did not face this issue for the next 6 months.





StartServers 4
MinSpareThreads 256
MaxSpareThreads 512
ThreadsPerChild 64
MaxRequestWorkers 2048
MaxConnectionsPerChild 0



We thought it was fixed, but now after 6 months Apache hangs again. The only symptoms we can see are closed_wait connections increasing from 20 to 550 in the next hour, the website being inaccessible, and Apache having stopped logging to its SSL and error logs; we don't see any abnormal behaviour in the data for the different running processes or in memory usage, and we also don't see any suspicious requests before the issue occurred.
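As an added example (not from the original post), the following Python check applies the startup rules httpd uses for the event MPM to the block quoted above and reports the values it would actually run with; unless ServerLimit is raised elsewhere in the configuration, the posted MaxRequestWorkers of 2048 with ThreadsPerChild 64 needs 32 children and is lowered by the default ServerLimit of 16 to 1024, which the check flags.

```python
"""Effective-limit check for an Apache 2.4 event MPM block (added example, not from the original post).

The rules below are the ones httpd applies to the event/worker MPMs at startup:
  * ThreadsPerChild is capped at ThreadLimit (default 64);
  * MaxRequestWorkers is rounded down to a multiple of ThreadsPerChild;
  * the number of children (MaxRequestWorkers / ThreadsPerChild) is capped at
    ServerLimit (default 16), lowering MaxRequestWorkers accordingly;
  * MaxSpareThreads is raised to at least MinSpareThreads + ThreadsPerChild;
  * an event child can hold up to ThreadsPerChild * (1 + AsyncRequestWorkerFactor)
    connections (AsyncRequestWorkerFactor defaults to 2), so that product times the
    number of children is the upper bound on concurrent connections.
"""
import re

# event MPM compiled-in defaults
DEFAULTS = {
    "ServerLimit": 16,
    "ThreadLimit": 64,
    "ThreadsPerChild": 25,
    "MinSpareThreads": 75,
    "MaxSpareThreads": 250,
    "MaxRequestWorkers": 400,
    "AsyncRequestWorkerFactor": 2,
}

# The block quoted in the question above, verbatim.
POSTED_MPM = """
StartServers 4
MinSpareThreads 256
MaxSpareThreads 512
ThreadsPerChild 64
MaxRequestWorkers 2048
MaxConnectionsPerChild 0
"""


def parse_mpm(text):
    """Parse 'Directive value' lines (comments and blank lines ignored) into a dict of ints."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)\s+(\d+)", line)
        if not m:
            raise ValueError("unrecognised MPM directive: %r" % raw)
        cfg[m.group(1)] = int(m.group(2))
    return cfg


def effective_limits(cfg):
    """Return the values httpd would actually run with, plus the warnings it would log."""
    c = dict(DEFAULTS, **cfg)
    warnings = []
    tpc = c["ThreadsPerChild"]
    if tpc > c["ThreadLimit"]:
        warnings.append("ThreadsPerChild %d > ThreadLimit %d; lowered" % (tpc, c["ThreadLimit"]))
        tpc = c["ThreadLimit"]
    mrw = c["MaxRequestWorkers"]
    if mrw < tpc:
        warnings.append("MaxRequestWorkers %d < ThreadsPerChild %d; raised" % (mrw, tpc))
        mrw = tpc
    if mrw % tpc:
        warnings.append("MaxRequestWorkers %d is not a multiple of ThreadsPerChild %d; lowered to %d"
                        % (mrw, tpc, mrw - mrw % tpc))
        mrw -= mrw % tpc
    children = mrw // tpc
    if children > c["ServerLimit"]:
        warnings.append("MaxRequestWorkers %d needs %d children but ServerLimit is %d; lowered to %d"
                        % (mrw, children, c["ServerLimit"], c["ServerLimit"] * tpc))
        children = c["ServerLimit"]
        mrw = children * tpc
    max_spare = c["MaxSpareThreads"]
    spare_floor = c["MinSpareThreads"] + tpc
    if max_spare < spare_floor:
        warnings.append("MaxSpareThreads %d < MinSpareThreads + ThreadsPerChild (%d); raised"
                        % (max_spare, spare_floor))
        max_spare = spare_floor
    return {
        "threads_per_child": tpc,
        "children": children,
        "max_request_workers": mrw,
        "max_spare_threads": max_spare,
        "max_connections": children * tpc * (1 + c["AsyncRequestWorkerFactor"]),
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = effective_limits(parse_mpm(POSTED_MPM))
    for key, value in result.items():
        print("%-20s %s" % (key, value))
```

Adding `ServerLimit 32` to the block makes the posted values take effect unchanged, which the check confirms by returning no warnings.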

Tuesday, February 26, 2019

domain name system - How are DNS PTR records managed?

As I understand it, an IP address owner can set up a DNS PTR record for his IP address to map the IP address to its host name. There are some things about this I don't understand. I've often managed other DNS records using web-based interfaces, but have never seen PTR records exposed in those.



A DNS record of type CNAME or A is stored in the DNS zone for a specific domain such as example.com. Are the PTR records pointing at example.com typically stored in the same zone, or are they stored in separate zones? If the PTR record is stored in the same zone as example.com, how do other servers know to query this zone for the PTR record?



What stops me from adding a PTR record saying that my IP address resolves to, say, gmail.com? If I manage the PTR records for my IP address, shouldn't I be able to add anything?
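As an added example (not from the original post), the following Python shows how the PTR owner name and its reverse zone are derived from the address rather than from the forward domain, and why a PTR that claims someone else's host name fails forward-confirmed reverse DNS; all DNS data is a constructed in-memory table, and the 203.0.113.0/24 block, mail.example.com and 198.51.100.7 are made-up values.

```python
"""Reverse DNS helpers for the PTR questions above (added example, not from the original post).

Two points the questions turn on:
  1. A PTR record's owner name is derived from the address, so the record for
     203.0.113.25 lives at 25.113.0.203.in-addr.arpa, inside a reverse zone
     (113.0.203.in-addr.arpa for a /24) that is delegated to whoever holds the
     address block, not in the forward zone of example.com. Resolvers find it the
     same way they find any name: by walking the in-addr.arpa / ip6.arpa tree.
  2. A PTR that claims an address belongs to someone else's host name is cheap to
     publish but buys nothing: receivers do forward-confirmed reverse DNS
     (FCrDNS), resolving the PTR target back to A/AAAA and requiring the original
     address to appear in the answer, which only the forward zone's owner controls.
The DNS data below is a constructed in-memory table; no network lookups are made.
"""
import ipaddress

# Constructed records: (owner name, type) -> rdata list. The 203.0.113.0/24
# block and its reverse zone are "ours"; gmail.com's forward zone is not.
ZONES = {
    ("25.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["203.0.113.25"],
    ("26.113.0.203.in-addr.arpa.", "PTR"): ["gmail.com."],  # PTR we could publish for a target we do not control
    ("gmail.com.", "A"): ["198.51.100.7"],  # constructed address, not Google's
}


def ptr_name(addr):
    """Owner name of the PTR record for an IPv4 or IPv6 address (absolute, with trailing dot)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(network):
    """Reverse zone that holds the PTR records for an address block.

    IPv4 zones are delegated on octet boundaries (/8, /16, /24); smaller blocks
    need the RFC 2317 CNAME arrangement, which is outside this example. IPv6
    zones are delegated on nibble boundaries.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def lookup(name, rtype, zones=ZONES):
    """Minimal stand-in for a resolver query against the constructed table."""
    return zones.get((name, rtype), [])


def fcrdns(addr, zones=ZONES):
    """Forward-confirmed reverse DNS: returns (passed, confirmed PTR targets).

    A PTR target is trusted only if its A/AAAA records include the address we
    started from, so a PTR pointing at a name we do not control cannot pass.
    """
    ip = ipaddress.ip_address(addr)
    targets = lookup(ptr_name(ip), "PTR", zones)
    rtype = "A" if ip.version == 4 else "AAAA"
    confirmed = [t for t in targets if str(ip) in lookup(t, rtype, zones)]
    return bool(confirmed), confirmed


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.26"):
        print(ip, ptr_name(ip), lookup(ptr_name(ip), "PTR"), fcrdns(ip))
    print(reverse_zone("203.0.113.0/24"), reverse_zone("2001:db8::/32"))
```

fcrdns("203.0.113.26") fails even though a PTR for it exists, because gmail.com's A record (which we do not control) does not point back at that address.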

Monday, February 25, 2019

microsoft office 365 - Exchange 2010 - Moving one domain out of multiple to O365



I have multiple domains on my Exchange 2010. I have moved one of my domains to O365 as a pilot before I move the rest. All is good, except, when users from any internal domains email the migrated domain, understandably, the emails go to the local Exchange server. So the 365 users can't see the incoming emails, of course. Otherwise they can receive emails from another external domain. What is the best way to fix this issue without removing those users from Exchange / affecting the Exchange mail flow?


Answer



The behaviour you are seeing is what I would expect.
You need to eliminate all references to that domain from your Exchange to begin with - so that means removing the domain from accepted domains, email address policies and then from the user accounts.




However even then it will not stop the email from going to the internal accounts. That is because Exchange doesn't use the SMTP domain for routing - simply for lookup. It will do a lookup on the address, find it in the GAL and then send the email to the mailbox with the address attached.
Of course users who have emailed the recipients before will still send to the mailbox, not the address, because Outlook and Exchange know that is where it exists.



Removing the entries from the nickname files is the only way to stop that (on top of above).



If the mailboxes still exist on your Exchange platform then the quick and dirty method is to configure a forward on each mailbox and then put in the onmicrosoft.com address that each user has.



Of course if you had done a hybrid implementation this wouldn't have been a problem - Exchange would know where to route the email.


Sunday, February 24, 2019

dns zone - Google Cloud Server Email Forwarding



I have a Google Cloud server with Cloud DNS working for my domain and IIS hosted website.



I need email for my domain to be forwarded, i.e. for john@myCloudServerDomain.com to go to my existing account john@gmail.com.



I tried putting an MX record in as per https://cloud.google.com/dns/what-is-cloud-dns but my emails aren't coming through.



What's the best option to get email from my domain?





  • Set Cloud DNS to forward emails

  • Set GoDaddy email up? (I bought the domain from them but the nameservers point to Google Cloud, I imagine this means I cannot use their email service..)

  • A better 'standard practice' option I haven't thought of?


Answer



OK, thanks for the comments guys. I didn't want to set up a mail server and have that drama, nor did I want to pay for email.



I've solved this by setting GoDaddy's name servers back to point to GoDaddy, and setting my VM's static IP as the A record in GoDaddy's management tool. This allows my website to load using DNS to resolve my domain and I can use the free GoDaddy email forwarders/accounts and I no longer have a requirement to use the Google Cloud DNS.


Laravel on nginx+php-fpm returns blank page



I'm having this issue with Laravel, which is served by nginx + php-fpm: it's just returning a blank page. Neither nginx, PHP nor Laravel is logging any errors at all.




When running the index.php with the CLI, it will return the welcome page.



The Laravel stack is untouched; all error reporting/displaying/logging is turned on.



Below is my nginx vhost:



server {
    listen 801;
    server_name _;

    root /path/to/laravel/public;
    index index.html index.htm index.php;

    charset utf-8;

    gzip on;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6].";
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_comp_level 9;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_read_timeout 180;

    # serve static files directly
    location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
        access_log off;
        expires max;
    }

    location / {
        index index.html index.htm index.php; # try static .html file first
        # alternatives (commented out):
        # try_files $uri $uri/ /index.php;
        # try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # catch all
    error_page 404 /index.php;

    # set client_max_body_size
    client_max_body_size 25m;
    # set client_body_buffer_size
    client_body_buffer_size 128k;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}





My problem was that app/storage had the wrong permissions. So if you get the same error as me (a blank page), try chmod 0777 on the entire app/storage folder.




sudo chmod -R 0777 app/storage

Answer



OP stated that his working solution is sudo chmod -R 0777 app/storage.



While it solved the problem, it is never the solution. The proper way is to set the group to www-data and give it write permission.



# set only the group (owner unchanged) so the php-fpm user can write via group permission
chown -R :www-data app/storage
chmod -R 0770 app/storage



For details explanation about chmod 777 and permissions on a Linux webserver, see this answer: What permissions should my website files/folders have on a Linux webserver?


Friday, February 22, 2019

Failover pacemaker cluster with two network interfaces?




So, I have two test servers in one VLAN.



srv1
eth1 10.10.10.11
eth2 10.20.10.11

srv2
eth1 10.10.10.12
eth2 10.20.10.12


Cluster VIP - 10.10.10.100


Corosync config with two interfaces:



rrp_mode: passive

interface {
    ringnumber: 0
    bindnetaddr: 10.10.10.0
    mcastaddr: 226.94.1.1
    mcastport: 5405
}

interface {
    ringnumber: 1
    bindnetaddr: 10.20.10.0
    mcastaddr: 226.94.1.1
    mcastport: 5407
}


Pacemaker config:



# crm configure show
node srv1
node srv2
primitive cluster-ip ocf:heartbeat:IPaddr2 \
    params ip="10.10.10.100" cidr_netmask="24" \
    op monitor interval="5s"
primitive ha-nginx lsb:nginx \
    op monitor interval="5s"
location prefer-srv-2 ha-nginx 50: srv2
colocation nginx-and-cluster-ip +inf: ha-nginx cluster-ip
property $id="cib-bootstrap-options" \
    dc-version="1.1.6-9971ebba4494012a93c03b40a2c58ec0eb60f50c" \
    cluster-infrastructure="openais" \
    expected-quorum-votes="2" \
    no-quorum-policy="ignore" \
    stonith-enabled="false"


Status:



# crm status
============
Last updated: Thu Jan 29 13:40:16 2015
Last change: Thu Jan 29 12:47:25 2015 via crmd on srv1
Stack: openais

Current DC: srv2 - partition with quorum
Version: 1.1.6-9971ebba4494012a93c03b40a2c58ec0eb60f50c
2 Nodes configured, 2 expected votes
2 Resources configured.
============

Online: [ srv1 srv2 ]

cluster-ip (ocf::heartbeat:IPaddr2): Started srv2
ha-nginx (lsb:nginx): Started srv2



Rings:



# corosync-cfgtool -s
Printing ring status.
Local node ID 185207306
RING ID 0
id = 10.10.10.11
status = ring 0 active with no faults

RING ID 1
id = 10.20.10.11
status = ring 1 active with no faults


And, if I do srv2# ifconfig eth1 down, pacemaker still works over eth2, and that's ok.
But nginx is not available on 10.10.10.100 (because eth1 is down, yeah), and pacemaker says that everything is ok.



But I want nginx to move to srv1 after eth1 dies on srv2.




So, what can I do for that?


Answer



So, I resolved my issue with ocf:pacemaker:ping, thanks to @Dok.



# crm configure show
node srv1
node srv2
primitive P_INTRANET ocf:pacemaker:ping \
    params host_list="10.10.10.11 10.10.10.12" multiplier="100" name="ping_intranet" \
    op monitor interval="5s" timeout="5s"
primitive cluster-ip ocf:heartbeat:IPaddr2 \
    params ip="10.10.10.100" cidr_netmask="24" \
    op monitor interval="5s"
primitive ha-nginx lsb:nginx \
    op monitor interval="5s"
clone CL_INTRANET P_INTRANET \
    meta globally-unique="false"
location L_CLUSTER_IP_PING_INTRANET cluster-ip \
    rule $id="L_CLUSTER_IP_PING_INTRANET-rule" ping_intranet: defined ping_intranet
location L_HA_NGINX_PING_INTRANET ha-nginx \
    rule $id="L_HA_NGINX_PING_INTRANET-rule" ping_intranet: defined ping_intranet
location L_INTRANET_01 CL_INTRANET 100: srv1
location L_INTRANET_02 CL_INTRANET 100: srv2
colocation nginx-and-cluster-ip 1000: ha-nginx cluster-ip
property $id="cib-bootstrap-options" \
    dc-version="1.1.6-9971ebba4494012a93c03b40a2c58ec0eb60f50c" \
    cluster-infrastructure="openais" \
    expected-quorum-votes="2" \
    no-quorum-policy="ignore" \
    stonith-enabled="false"


memory - Windows Server 2008 R2 Metafile RAM Usage




I have a server which runs Windows Server 2008 R2 x64 with 4GB of RAM which hosts around 2-3 million files, the majority of which are image files.



Over the course of a week, I noticed that applications on the server were slowing to a crawl due to excessive paging to disk caused by low memory, which has a knock-on effect on all services currently running on it, causing a major performance issue.



Upon investigation in Task Manager, I noticed that almost all 4GB was in use, but when you look in the Processes tab, the sum of all the memory usage there does not add up, and at most only 1.5GB is supposed to be in use.



Using Google to find a solution, it appears that most of the RAM was used in the "Metafile" which is a cache of NTFS information for files on the file system so that the system does not have to query the MFT for information again. This cache is never cleared or marked as "cache" in Task Manager or as "Standby" in Sysinternal's RamMap.



There was a suggestion to install the KB979149 hotfix but upon trying to install it, it says "This update is not applicable to your computer".




The only temporary fixes I have so far found are:




  1. Use RAMmap from Sysinternals to "Empty System Working Set" every 1-3 days which marks the cache as "standby" and "cache" in Task Manager so the RAM can be used by other applications.

  2. Reboot the machine, which is undesirable as this server is serving public websites.



At the moment I am having to perform the second fix every few days to prevent it reaching bottleneck levels.




Before: (800 MB RAM used - other applications cannot use this RAM)






After: (800 MB RAM marked as cache - available for other applications)





So my question to you all is: Does any method exist out there to limit the RAM usage of this metafile?


Answer




The best method for dealing with this issue is to use the SetSystemFileCacheSize API, as MS KB976618 instructs (or rather, used to instruct).



Don't periodically clear the cache



Using the SetSystemFileCacheSize function rather than clearing the cache periodically improves performance and stability. Clearing the cache periodically will result in too much metafile and other info being purged from memory, and Windows will have to re-read the required info back into RAM from HDD. This creates a sudden and severe drop in performance for several seconds whenever you clear the cache, followed by good performance that slowly degrades as memory fills with metafile data.



Using the SetSystemFileCacheSize function sets minimum and maximum that will result in Windows flagging excess old metafile data as standby memory that the normal caching functions can use or discard according to the current resource demands and normal cache priorities. This also allows more metafile data than the active memory maximum you set, to be in memory as standby data if Windows is not using the memory for anything else, while maintaining plenty of available memory. This is the ideal situation keeping the performance characteristics of the system good all the time.



Third Party Programs are Unsupported by MS




If you are like me and don't want to run a binary from some unknown third party on your production servers, you want an official MS tool or some code you can inspect before running on those servers. The DynCache tool for 2008 R2 is practically impossible to obtain from M$ without paying for a support case and quite frankly, based on the code for 2008, it seems overly bloated for the task as Windows already has the built in logic needed to dynamically size the cache—it just needs to know an appropriate maximum for your system.



Solution to all of the above



I wrote a Powershell script that works on 64 bit machines. You need to run it as an administrator with elevated privileges. You should be able to run it, as is, on any x64 windows Vista / Server 2008 up to and including 10 / Server 2012 R2 with any amount of RAM. You do not need to install any additional software, and as a result keep your server/workstation fully supported by MS.



You should run this script at every boot with elevated privileges for the setting to be permanent. Windows Task Scheduler can do this for you. If the Windows install is inside a virtual machine and you change the amount of RAM allocated to that VM, you should also run it after the change.



You can run this script at any time on a running system even while in production use without having to reboot the system or shut down any services.




# Filename: setfc.ps1
$version = 1.1

#########################
# Settings
#########################

# The percentage of physical ram that will be used for SetSystemFileCache Maximum
$MaxPercent = 12.5


#########################
# Init multipliers
#########################
$OSBits = ([System.IntPtr]::Size) * 8
switch ( $OSBits)
{
32 { $KiB = [int]1024 }
64 { $KiB = [long]1024 }
default {
# not 32 or 64 bit OS. what are you doing??
$KiB = 1024 # and hope it works anyway
write-output "You have a weird OS which is $OSBits bit. Having a go anyway."
}
}
# These values "inherit" the data type from $KiB
$MiB = 1024 * $KiB
$GiB = 1024 * $MiB
$TiB = 1024 * $GiB
$PiB = 1024 * $TiB
$EiB = 1024 * $PiB


#########################
# Calculated Settings
#########################

# Note that because we are using signed integers instead of unsigned
# these values are "limited" to 2 GiB or 8 EiB for 32/64 bit OSes respectively


$PhysicalRam = 0
$PhysicalRam = [long](invoke-expression (((get-wmiobject -class "win32_physicalmemory").Capacity) -join '+'))
if ( -not $? ) {
write-output "Trying another method of detecting amount of installed RAM."
}
if ($PhysicalRam -eq 0) {
$PhysicalRam = [long]((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory) # gives value a bit less than actual
}
if ($PhysicalRam -eq 0) {
write-error "Cannot Detect Physical Ram Installed. Assuming 4 GiB."
$PhysicalRam = 4 * $GiB
}
$NewMax = [long]($PhysicalRam * 0.01 * $MaxPercent)
# The default value
# $NewMax = 1 * $TiB


#########################
# constants
#########################


# Flags bits
$FILE_CACHE_MAX_HARD_ENABLE = 1
$FILE_CACHE_MAX_HARD_DISABLE = 2
$FILE_CACHE_MIN_HARD_ENABLE = 4
$FILE_CACHE_MIN_HARD_DISABLE = 8


################################
# C# code

# for interface to kernel32.dll
################################
$source = @"
using System;
using System.Runtime.InteropServices;

namespace MyTools
{
public static class cache
{

[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool GetSystemFileCacheSize(
ref IntPtr lpMinimumFileCacheSize,
ref IntPtr lpMaximumFileCacheSize,
ref IntPtr lpFlags
);

[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool SetSystemFileCacheSize(
IntPtr MinimumFileCacheSize,

IntPtr MaximumFileCacheSize,
Int32 Flags
);

public static bool Get( ref IntPtr a, ref IntPtr c, ref IntPtr d )
{
IntPtr lpMinimumFileCacheSize = IntPtr.Zero;
IntPtr lpMaximumFileCacheSize = IntPtr.Zero;
IntPtr lpFlags = IntPtr.Zero;

bool b = GetSystemFileCacheSize(ref lpMinimumFileCacheSize, ref lpMaximumFileCacheSize, ref lpFlags);

a = lpMinimumFileCacheSize;
c = lpMaximumFileCacheSize;
d = lpFlags;
return b;
}

public static bool Set( IntPtr MinimumFileCacheSize, IntPtr MaximumFileCacheSize, Int32 Flags )
{
bool b = SetSystemFileCacheSize( MinimumFileCacheSize, MaximumFileCacheSize, Flags );
if ( !b ) {
// SetLastError = true on the DllImport makes the marshaller capture the Win32
// error of this call; a separate P/Invoke of GetLastError would not be reliable.
Console.Write("SetSystemFileCacheSize returned Error with GetLastError = ");
Console.WriteLine( Marshal.GetLastWin32Error() );
}
return b;
}
}

public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);


[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;

}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;

IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
} else {
tp.Attr = SE_PRIVILEGE_ENABLED;

}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
}
"@
# Add the c# code to the powershell type definitions
Add-Type -TypeDefinition $source -Language CSharp


#########################
# Powershell Functions
#########################
function output-flags ($flags)
{
Write-output ("FILE_CACHE_MAX_HARD_ENABLE : " + (($flags -band $FILE_CACHE_MAX_HARD_ENABLE) -gt 0) )
Write-output ("FILE_CACHE_MAX_HARD_DISABLE : " + (($flags -band $FILE_CACHE_MAX_HARD_DISABLE) -gt 0) )
Write-output ("FILE_CACHE_MIN_HARD_ENABLE : " + (($flags -band $FILE_CACHE_MIN_HARD_ENABLE) -gt 0) )
Write-output ("FILE_CACHE_MIN_HARD_DISABLE : " + (($flags -band $FILE_CACHE_MIN_HARD_DISABLE) -gt 0) )

write-output ""
}

#########################
# Main program
#########################

write-output ""

#########################

# Get and set privilege info
$ProcessId = $pid
$processHandle = (Get-Process -id $ProcessId).Handle
$Privilege = "SeIncreaseQuotaPrivilege"
$Disable = $false
Write-output ("Enabling SE_INCREASE_QUOTA_NAME status: " + [MyTools.AdjPriv]::EnablePrivilege($processHandle, $Privilege, $Disable) )

write-output ("Program has elevated privileges: " + ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") )
write-output ""
whoami /PRIV | findstr /I "SeIncreaseQuotaPrivilege" | findstr /I "Enabled"

if ( -not $? ) {
write-error "user Security Token SE_INCREASE_QUOTA_NAME: Disabled`r`n"
}
write-output "`r`n"


#########################
# Get Current Settings
# Init variables
$SFCMin = 0
$SFCMax = 0
$SFCFlags = 0
#Get Current values from kernel
$status = [MyTools.cache]::Get( [ref]$SFCMin, [ref]$SFCMax, [ref]$SFCFlags )
#typecast values so we can do some math with them
$SFCMin = [long]$SFCMin
$SFCMax = [long]$SFCMax
$SFCFlags = [long]$SFCFlags
write-output "Return values from GetSystemFileCacheSize are: "
write-output "Function Result : $status"

write-output " Min : $SFCMin"
write-output (" Max : $SFCMax ( " + $SFCMax / 1024 / 1024 / 1024 + " GiB )")
write-output " Flags : $SFCFlags"
output-flags $SFCFlags


#########################
# Output our intentions
write-output ("Physical Memory Detected : $PhysicalRam ( " + $PhysicalRam / $GiB + " GiB )")
write-output ("Setting Max to " + $MaxPercent + "% : $NewMax ( " + $NewMax / $MiB + " MiB )`r`n")


#########################
# Set new settings
$SFCFlags = $SFCFlags -bor $FILE_CACHE_MAX_HARD_ENABLE # set max enabled
$SFCFlags = $SFCFlags -band (-bnot $FILE_CACHE_MAX_HARD_DISABLE) # unset max disabled if set
# or if you want to override this calculated value
# $SFCFlags = 0
$status = [MyTools.cache]::Set( $SFCMin, $NewMax, $SFCFlags ) # calls the c# routine that makes the kernel API call
write-output "Set function returned: $status`r`n"
# if it was successful the new SystemFileCache maximum will be NewMax

if ( $status ) {
$SFCMax = $NewMax
}


#########################
# After setting the new values, get them back from the system to confirm
# Re-Init variables
$SFCMin = 0
$SFCMax = 0
$SFCFlags = 0
#Get Current values from kernel
$status = [MyTools.cache]::Get( [ref]$SFCMin, [ref]$SFCMax, [ref]$SFCFlags )
#typecast values so we can do some math with them
$SFCMin = [long]$SFCMin
$SFCMax = [long]$SFCMax
$SFCFlags = [long]$SFCFlags
write-output "Return values from GetSystemFileCacheSize are: "
write-output "Function Result : $status"
write-output " Min : $SFCMin"
write-output (" Max : $SFCMax ( " + $SFCMax / 1024 / 1024 / 1024 + " GiB )")
write-output " Flags : $SFCFlags"
output-flags $SFCFlags


There is a line near the top that says $MaxPercent = 12.5 that sets the new maximum working set (active memory) to 12.5% of the total physical RAM. Windows will dynamically size the amount of metafile data in active memory based on system demands, so you don't need to dynamically adjust this maximum.



This will not fix any issues you have with the mapped file cache getting too big.



I've also made a GetSystemFileCacheSize Powershell script and posted it on StackOverflow.







Edit: I should also point out that you should not run either of these 2 scripts from the same Powershell instance more than once, or you will receive the error that the Add-Type call has already been made.



Edit: updated SetSystemFileCacheSize script to version 1.1 that calculates an appropriate max cache value for you and has a nicer status output layout.



Edit: Now I've upgraded my Windows 7 laptop, I can tell you that the script runs successfully in Windows 10, though I haven't tested if it is still needed. But my system is still stable even when moving virtual machine HDD files around.


Thursday, February 21, 2019

linux - Can't reset permissions on amazon ec2

I've a big problem:



when I try to sudo something, this is what happens:



sudo: /etc/sudo.conf is owned by uid 222, should be 0
sudo: /etc/sudoers is owned by uid 222, should be 0
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin



I tried to detach the volume and reattach it to a new instance, then I mounted it and set the right permissions with chown and chmod: it doesn't work.



I also tried this:



chown root:root /etc/sudoers
chmod 440 /etc/sudoers
chown -R root:root /etc/sudoers.d
chmod 755 /etc/sudoers.d

chmod 440 /etc/sudoers.d/*


Same result: it doesn't work.
Worse, I can't connect via ssh.



How can I fix this?



Here is the debug output with -vv:




debug1: /etc/ssh/ssh_config line 50: Applying options for *
debug2: ssh_connect: needpriv 0
ssh: Could not resolve hostname ec2-user: Name or service not known


Really, thanks for the support.

Wednesday, February 20, 2019

performance - How can a single disk in a hardware SATA RAID-10 array bring the entire array to a screeching halt?





I'm a code-monkey that's increasingly taken on SysAdmin duties for my small company. My code is our product, and increasingly we provide the same app as SaaS.



About 18 months ago I moved our servers from a premium hosting-centric vendor to a barebones rack pusher in a tier IV data center. (Literally across the street.) This meant doing much more ourselves--things like networking, storage and monitoring.



As part of the big move, to replace our leased direct attached storage from the hosting company, I built a 9TB two-node NAS based on SuperMicro chassis, 3ware RAID cards, Ubuntu 10.04, two dozen SATA disks, DRBD and . It's all lovingly documented in three blog posts: Building up & testing a new 9TB SATA RAID10 NFSv4 NAS: Part I, Part II and Part III.




We also set up a Cacti monitoring system. Recently we've been adding more and more data points, like SMART values.



I could not have done all this without the awesome boffins at ServerFault. It's been a fun and educational experience. My boss is happy (we saved bucket loads of $$$), our customers are happy (storage costs are down), I'm happy (fun, fun, fun).



Until yesterday.





Some time after lunch we started getting reports of sluggish performance from our application, an on-demand streaming media CMS. About the same time our Cacti monitoring system sent a blizzard of emails. One of the more telling alerts was a graph of iostat await.







Performance became so degraded that Pingdom began sending "server down" notifications. The overall load was moderate; there was no traffic spike.



After logging onto the application servers, NFS clients of the NAS, I confirmed that just about everything was experiencing highly intermittent and insanely long IO wait times. And once I hopped onto the primary NAS node itself, the same delays were evident when trying to navigate the problem array's file system.



Time to fail over; that went well. Within 20 minutes everything was confirmed to be back up and running perfectly.






After any and all system failures I perform a post-mortem to determine the cause of the failure. The first thing I did was ssh back into the box and start reviewing logs. It was offline, completely. Time for a trip to the data center. Hardware reset, back up and running.



In /var/syslog I found this scary looking entry:



Nov 15 06:49:44 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_00], 6 Currently unreadable (pending) sectors
Nov 15 06:49:44 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_07], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 171 to 170
Nov 15 06:49:45 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_10], 16 Currently unreadable (pending) sectors
Nov 15 06:49:45 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_10], 4 Offline uncorrectable sectors
Nov 15 06:49:45 umbilo smartd[2827]: Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
Nov 15 06:49:45 umbilo smartd[2827]: # 1 Short offline Completed: read failure 90% 6576 3421766910

Nov 15 06:49:45 umbilo smartd[2827]: # 2 Short offline Completed: read failure 90% 6087 3421766910
Nov 15 06:49:45 umbilo smartd[2827]: # 3 Short offline Completed: read failure 10% 5901 656821791
Nov 15 06:49:45 umbilo smartd[2827]: # 4 Short offline Completed: read failure 90% 5818 651637856
Nov 15 06:49:45 umbilo smartd[2827]:


So I went to check the Cacti graphs for the disks in the array. Here we see that, yes, disk 7 is slipping away just like syslog says it is. But we also see that disk 8's SMART Read Errors are fluctuating.







There are no messages about disk 8 in syslog. More interesting is that the fluctuating values for disk 8 directly correlate to the high IO wait times! My interpretation is that:




  • Disk 8 is experiencing an odd hardware fault that results in intermittent long operation times.

  • Somehow this fault condition on the disk is locking up the entire array



Maybe there is a more accurate or correct description, but the net result has been that the one disk is impacting the performance of the whole array.







  • How can a single disk in a hardware SATA RAID-10 array bring the entire array to a screeching halt?

  • Am I being naïve to think that the RAID card should have dealt with this?

  • How can I prevent a single misbehaving disk from impacting the entire array?

  • Am I missing something?
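A small detection helper, added here as an example (it is not part of the post above), that turns smartd syslog lines like the ones quoted into a per-disk summary and flags disks with pending or uncorrectable sectors or a falling prefail attribute. The sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the smartd lines quoted in the post.
SAMPLE_SYSLOG = """\
Nov 15 06:49:44 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_00], 6 Currently unreadable (pending) sectors
Nov 15 06:49:44 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_07], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 171 to 170
Nov 15 06:49:45 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_10], 16 Currently unreadable (pending) sectors
Nov 15 06:49:45 umbilo smartd[2827]: Device: /dev/twa0 [3ware_disk_10], 4 Offline uncorrectable sectors
Nov 15 06:49:45 umbilo smartd[2827]: Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
Nov 15 06:49:45 umbilo smartd[2827]: # 1 Short offline Completed: read failure 90% 6576 3421766910
"""

# "Device: /dev/twa0 [3ware_disk_07], <message>" -- only the message part varies.
DEVICE_RE = re.compile(r"smartd\[\d+\]: Device: (?P<dev>\S+) \[(?P<disk>[^\]]+)\], (?P<msg>.*)$")
SECTORS_RE = re.compile(r"^(?P<n>\d+) (?P<kind>Currently unreadable \(pending\)|Offline uncorrectable) sectors$")
PREFAIL_RE = re.compile(r"^SMART Prefailure Attribute: (?P<id>\d+) (?P<name>\S+) changed from (?P<old>\d+) to (?P<new>\d+)$")


def parse_smartd(text):
    """Aggregate smartd syslog lines per physical disk.

    Returns {disk: {"dev": str, "pending": int, "uncorrectable": int,
                    "prefail": [(attribute, old, new), ...]}}.
    Sector counts are running totals in smartd's output, so the most recent
    value for a disk wins rather than being summed.
    """
    disks = defaultdict(lambda: {"dev": None, "pending": 0, "uncorrectable": 0, "prefail": []})
    for line in text.splitlines():
        m = DEVICE_RE.search(line)
        if not m:
            continue  # self-test tables and startup messages carry no per-disk prefix
        entry = disks[m["disk"]]
        entry["dev"] = m["dev"]
        sectors = SECTORS_RE.match(m["msg"])
        if sectors:
            key = "pending" if sectors["kind"].startswith("Currently") else "uncorrectable"
            entry[key] = int(sectors["n"])
            continue
        prefail = PREFAIL_RE.match(m["msg"])
        if prefail:
            entry["prefail"].append((prefail["name"], int(prefail["old"]), int(prefail["new"])))
    return dict(disks)


def flag_disks(disks):
    """Return sorted (disk, reason) pairs for disks that warrant attention.

    Uncorrectable sectors mean data is already lost; pending sectors mean a
    read has already failed once; a normalised prefail attribute moving down
    is heading toward its failure threshold.
    """
    flagged = []
    for disk, d in sorted(disks.items()):
        if d["uncorrectable"]:
            flagged.append((disk, f"{d['uncorrectable']} offline uncorrectable sectors"))
        elif d["pending"]:
            flagged.append((disk, f"{d['pending']} pending sectors"))
        elif any(new < old for _, old, new in d["prefail"]):
            names = ",".join(n for n, old, new in d["prefail"] if new < old)
            flagged.append((disk, f"prefail attribute falling: {names}"))
    return flagged
```

Note that a disk which stalls without logging anything (disk 8 in the post) cannot be caught from syslog alone; that is why the Cacti graphs mattered.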


Answer



I hate to say "don't use SATA" in critical production environments, but I've seen this situation quite often. SATA drives are not generally meant for the duty cycle you describe, although you did spec drives specifically rated for 24x7 operation in your setup. My experience has been that SATA drives can fail in unpredictable ways, often times affecting the entire storage array, even when using RAID 1+0, as you've done. Sometimes the drives fail in a manner that can stall the entire bus. One thing to note is whether you're using SAS expanders in your setup. That can make a difference in how the remaining disks are impacted by a drive failure.




But it may have made more sense to go with midline/nearline (7200 RPM) SAS drives versus SATA. There's a small price premium over SATA, but the drives will operate/fail more predictably. The error-correction and reporting in the SAS interface/protocol is more robust than the SATA set. So even with drives whose mechanics are the same, the SAS protocol difference may have prevented the pain you experienced during your drive failure.


Tuesday, February 19, 2019

debian - sometimes, crontab is not reloaded by cron daemon

I'm asking this question, because I couldn't find the answer here:
Why is my crontab not working, and how can I troubleshoot it?



Context



We have several servers running debian/wheezy.




One backup task requires that we deactivate the crontab of a specific user during the backup, so we have a script, run daily, which roughly does:



#!/bin/sh
# user is legec :

# save the crontab to a file
crontab -ulegec -l > /home/legec/.backup/crontab
# empty the crontab
echo "" | crontab -ulegec

# backup ...

# reload crontab (reading the saved file directly; equivalent to cat ... | crontab -ulegec)
crontab -ulegec /home/legec/.backup/crontab


And this works as we expect, the vast majority of times.



This task runs on ~80 servers; depending on the server, the backup task will take from 1 minute up to 2 hours.




Bug



Once in a while, cron will not detect the last reload, and will not execute any of the jobs listed in the crontab.



The file in /var/spool/cron/crontabs/legec has the expected content, and modification date:



$ ls -lh /var/spool/cron/crontabs/legec
-rw------- 1 legec crontab 6.7K Sep 22 04:03 /var/spool/cron/crontabs/legec



but cron logs indicate that cron did not detect the last change:



$ cat /var/log/cron.log | grep -E "LIST|RELOAD|REPLACE"
...
# yesterday's backup : all went fine
Sep 21 04:00:06 lgserver crontab[6670]: (root) LIST (legec)
Sep 21 04:00:06 lgserver crontab[6671]: (root) LIST (legec)
Sep 21 04:00:06 lgserver crontab[6673]: (root) REPLACE (legec)
Sep 21 04:01:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)
Sep 21 04:03:01 lgserver crontab[7071]: (root) REPLACE (legec)
Sep 21 04:03:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)

# today's backup : no final RELOAD event
Sep 22 04:00:07 lgserver crontab[24163]: (root) LIST (legec)
Sep 22 04:00:07 lgserver crontab[24164]: (root) LIST (legec)
Sep 22 04:00:07 lgserver crontab[24166]: (root) REPLACE (legec)
Sep 22 04:01:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)
Sep 22 04:03:01 lgserver crontab[24458]: (root) REPLACE (legec)
# no RELOAD line here



"Once in a while" means: no regularity, we see this bug maybe once a month, on one random server out of the ~80 which are running.



Question



Does anyone have a lead on where to look?
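Since the symptom is a REPLACE with no RELOAD behind it, a monitor can be built on cron.log alone. This is an added example (not from the question) that pairs each REPLACE for a user with the RELOAD cron should log within its next minute-scan, and reports the ones left unacknowledged; the sample log is constructed from the lines quoted above, and the two-minute grace window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, following the lines quoted in the question above.
SAMPLE_CRON_LOG = """\
Sep 21 04:00:06 lgserver crontab[6670]: (root) LIST (legec)
Sep 21 04:00:06 lgserver crontab[6673]: (root) REPLACE (legec)
Sep 21 04:01:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)
Sep 21 04:03:01 lgserver crontab[7071]: (root) REPLACE (legec)
Sep 21 04:03:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)
Sep 22 04:00:07 lgserver crontab[24166]: (root) REPLACE (legec)
Sep 22 04:01:01 lgserver /usr/sbin/cron[2025]: (legec) RELOAD (crontabs/legec)
Sep 22 04:03:01 lgserver crontab[24458]: (root) REPLACE (legec)
Sep 22 05:17:01 lgserver /usr/sbin/cron[2025]: (root) CMD (run-parts --report /etc/cron.hourly)
"""

# "<ts> <host> <prog>[<pid>]: (<actor>) <ACTION> (<target>)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+\[\d+\]: "
    r"\((?P<actor>[^)]*)\) (?P<action>[A-Z]+) \((?P<target>[^)]*)\)"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; this assumes the log stays within one calendar year
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse_cron_log(text):
    """Return (timestamp_str, datetime, user, action) for every parseable line.

    For LIST/REPLACE the user is the crontab acted upon (the target); for
    RELOAD and CMD, cron logs the user as the actor.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action = m["action"]
        user = m["target"] if action in ("LIST", "REPLACE") else m["actor"]
        events.append((m["ts"], _parse_ts(m["ts"]), user, action))
    return events


def missed_reloads(text, user, grace=timedelta(minutes=2)):
    """Timestamps of REPLACE events for `user` with no RELOAD inside `grace`.

    cron rescans its spool once a minute, so two minutes is a generous window.
    A REPLACE closer than `grace` to the end of the log cannot be judged yet
    and is not reported.
    """
    events = parse_cron_log(text)
    if not events:
        return []
    log_end = max(dt for _, dt, _, _ in events)
    reloads = [(i, dt) for i, (_, dt, u, a) in enumerate(events) if a == "RELOAD" and u == user]
    missed = []
    for i, (ts, dt, u, a) in enumerate(events):
        if a != "REPLACE" or u != user:
            continue
        if log_end < dt + grace:
            continue  # too recent to decide
        # same-second REPLACE/RELOAD pairs are common, so compare log order as well as time
        acknowledged = any(j > i and dt <= rdt <= dt + grace for j, rdt in reloads)
        if not acknowledged:
            missed.append(ts)
    return missed
```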

domain name system - Can an email server be set-up on an Azure VM?



I am considering the possibility of setting up a simple SMTP+IMAP email server for internal use on an extra small Azure VM. When I say internal use I don't mean "used by internal users", but for use as part of a larger system and to serve the main purpose of receiving email messages for audit/logging purposes which are then handled based on rules, which trigger actions. Occasionally there might be an automatic response back.



My question is whether a simple email server can be hosted inside an Azure VM, because what I see on the Internet from a preliminary search is that Azure does not support Reverse DNS (they do assign almost static IPs nowadays though), which will then cause the occasional auto-response outgoing emails to be marked as spam.




My question is: Is that the case or is there some setup that would allow a workaround for this?



Note: This is just a preliminary research type of question. I am not an administrator.



EDIT: To those who would jump in and say use SendGrid. I am not going to be sending newsletters, but mainly receiving emails. Also an Azure extra small instance is $9/month whereas SendGrid Push API (which won't let me poll as I would like to) starts at $90/month which is ten times the cost.



EDIT 2: My preference is to implement a poll-based system (poll the server for new emails every X hours) rather than implementing a push+queue based system (most 3rd party services provide a Push API that pushes each email to a web url)



EDIT 3: I would prefer not to use a 3rd party service, because I don't want the content of the email and attachments to go through them.




EDIT 4: Look, I am not looking for advice on how to set it up or which 3rd party service to use. What I am asking is "Is it possible to set up an email server which can receive email and send the occasional email out which won't be marked as spam due to limitations of Azure? If there are limitations - what are those and how can they be worked around?"


Answer



No.



You can't be reasonably sure your outgoing email will be delivered, as many destinations simply blacklist, firewall, or even null route all major cloud providers' IP blocks due to the heavy abuse seen from those ranges - not just from email but via other services as well.



And even if your mail is delivered today, that's no guarantee it will continue to be delivered in future.



You really do need a mail server outside of Azure (or EC2 or whatever) to process your outgoing mail, though it does not necessarily need to be a third party mail server. If you have the expertise, you could do it yourself.




When I put a service on EC2 which had to deliver to a mailing list, I found from testing that almost 3/4 of the list addresses would not accept mail from there. I ended up sending everything to a smarthost located outside EC2. Interestingly, this also improved performance...



Having incoming mail on Azure would be no problem, as the above issues don't apply.


Apache, SSL, UCC not working on CN but works on subjectAltName



I recently generated a UCC for




  • domain1.com


  • *.domain1.com

  • domain2.com

  • *.domain2.com



Now when I visit http://domain1.com in Firefox I get:



domain1.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

The certificate is only valid for the following names:
*.domain1.com , domain2.com , *.domain2.com

(Error code: sec_error_unknown_issuer)


It complains that the SSL is




  • Issued by a not trusted authority - which is fine...


  • And it's not valid for the domain in question



Here is my SSL Cert in text form:



Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=Example-CA/emailAddress=webmaster@domain1.com
        Validity
            Not Before: Oct 28 11:26:20 2010 GMT
            Not After : Oct 28 11:26:20 2011 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=domain1.com/emailAddress=webmaster@domain1.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3F:40:13:7E:25:04:0A:B9:0F:5F:DE:5E:9D:55:94:10:EE:F2:2B:B0
            X509v3 Authority Key Identifier:
                keyid:8E:C4:D5:F3:69:12:A9:75:DA:0D:9B:59:11:C8:DE:53:67:C0:DA:1B
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.domain1.com, DNS:domain2.com, DNS:*.domain2.com
    Signature Algorithm: sha1WithRSAEncryption


Answer



You need to include domain1.com as a Subject Alternative Name. Most browsers will ignore the common name in the subject if there are Subject Alternative Names present. That is why Firefox thinks that the certificate is not valid for https://domain1.com
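The matching rule the answer describes, as an added example (not code from the question or the answer): when a certificate carries dNSName SAN entries the CN is never consulted, and a wildcard covers exactly one label. The CN and SAN list are taken from the certificate in the question.

```python
# Names taken from the certificate in the question: the CN is domain1.com but
# the SAN extension lists only these three dNSNames.
CERT_CN = "domain1.com"
CERT_SAN_DNS = ["*.domain1.com", "domain2.com", "*.domain2.com"]


def dns_name_matches(pattern, hostname):
    """Match one certificate dNSName (possibly wildcarded) against a hostname.

    Follows the rules browsers apply (RFC 6125 / RFC 2818): comparison is
    case-insensitive, '*' is only honoured as the entire leftmost label, it
    matches exactly one label (so '*.domain1.com' covers 'www.domain1.com'
    but neither 'domain1.com' nor 'a.b.domain1.com'), and the wildcard must
    leave at least two literal labels ('*.com' is rejected).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or "*" in p[1:] or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches_hostname(hostname, common_name, san_dns_names):
    """Return (matched, basis), where basis names the field that decided.

    Any dNSName SAN entry present means the CN is ignored entirely, which is
    exactly why the certificate above fails for https://domain1.com even
    though its CN is domain1.com.
    """
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names), "subjectAltName"
    return dns_name_matches(common_name, hostname), "commonName"
```

Adding DNS:domain1.com to the SAN list (the fix the answer gives) is what turns the first check below into a match.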


Monday, February 18, 2019

Are 6Gb/s SAS drives compatible with 3Gb/s SAS interfaces?

Are SAS 3Gb/s controllers (SAS1) forward compatible with newer SAS2 drives specified at 6Gb/s? The controller I have in mind is an LSI SAS1064. I know that SAS2 controllers are backwards compatible with SAS devices. I found some information in this thread:



http://forums.seagate.com/t5/Savvio-Cheetah-and-Constellation/SAS-2-0-6GB-s-intercompatibility-with-SAS-3GB-s/td-p/35835



but not a lot at



http://www.lsi.com/products/storagecomponents/Pages/LSISAS1064.aspx

httpd.conf - Apache Keeps reverting to mpm_prefork (Apache 2.4.7 / Ubuntu 14.04.2)



I have had this problem for over a year now whereby each time there is a security update to Ubuntu and I have to reboot the server, Apache 2.4 decides to start using the mpm_prefork worker despite the fact I have mpm_event set as the enabled module in /etc/apache2/mods-enabled.



I went as far as editing the mpm_prefork.conf file in /etc/apache2/mods-available and commenting out where it loads the module, but after a reboot this morning Apache just would not start at all because it was insisting on starting up using Prefork.



Here is my /etc/apache2/mods-enabled/ directory list



access_compat.load
actions.conf

actions.load
alias.conf
alias.load
auth_basic.load
authn_core.load
authn_file.load
authz_core.load
authz_host.load
authz_user.load
autoindex.conf

autoindex.load
deflate.conf
deflate.load
dir.conf
dir.load
env.load
evasive.conf
evasive.load
expires.load
fastcgi.conf

fastcgi.load
filter.load
headers.load
mime.conf
mime.load
mpm_event.conf
mpm_event.load
negotiation.conf
negotiation.load
pagespeed.conf

pagespeed.load
rewrite.load
setenvif.conf
setenvif.load
socache_shmcb.load
spamhaus.conf
spamhaus.load
ssl.conf
ssl.load
status.conf

status.load


I checked to see if it had been compiled into Apache by running apache2 -l and this was the output



Compiled in modules:
core.c
mod_so.c
mod_watchdog.c
http_core.c

mod_log_config.c
mod_logio.c
mod_version.c
mod_unixd.c


And finally the result of a2query -M is



sudo a2query -M
event



But if I reboot right now, Apache is dead on startup because it wants the mpm_prefork module which as I said I have disabled by commenting out in its .conf file to prevent it loading which was not a solution to my problem.



I honestly am stumped as to where Apache 2.4 is just deciding by itself to load the mpm_prefork all the time.



Here is also my apache2.conf file stripped down without the comments



# Global configuration
Mutex file:${APACHE_LOCK_DIR} default

PidFile ${APACHE_PID_FILE}
Timeout 40
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostNameLookups Off
ErrorLog ${APACHE_LOG_DIR}/apache-error.log
LogLevel warn

SetEnvIf Remote_Addr "127\.0\.0\.1" loopback
SetEnvIf Remote_Addr "::1" loopback
CustomLog ${APACHE_LOG_DIR}/apache-access.log combined env=!loopback

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf




Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted



AllowOverride None

Require all granted



Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted




Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted



AccessFileName .htaccess


Require all denied



LogFormat "%V %v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%h %l %u %t \"%r\" %>s %O %b %D \"%{Referer}i\" \"%{User-Agent}i\"" custom



IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf

Answer



The problem looks to be that you have these installed as packages:



apache2-mpm-event 2.4.7-1ubuntu4.9 amd64 transitional event MPM package for apache2
apache2-mpm-prefork 2.4.7-1ubuntu4.9 amd64 transitional prefork MPM package for apache2



When you update, you are specifically telling the server to install the prefork version. If you have a proper install of Apache2 on Ubuntu 14.04, which would NOT have specified the MPM type, a dpkg -l | grep apache2 would include:



apache2 2.4.7-1ubuntu4.9 amd64 Apache HTTP Server


but would NOT show the two packages you have listed.



The proper Apache2 installation on Ubuntu 14.04 is simply:




sudo apt-get install apache2


without any specification of MPM. The basic Multi-Processing Modules are core features of Apache 2.4, and are included with the apache2 install.



You then set MPM as follows:



To determine which MPM is currently in use, run apache2ctl -V. You will see a line such as:



 Server MPM:     prefork



Assuming, for example, that you are running "prefork" (as in the apache2ctl -V result above) following the install, the switch to "event" is made with the following commands:



 sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo service apache2 restart


which will set up the correct symlink.




Once set up this way, under the correct install, updates WILL NOT change your settings.



NOTE: Your "edits" to *.conf files should be taking place in the /etc/apache2/mods-available directory, where they are protected from overwriting during updates. The /etc/apache2/mods-enabled directory will just have symlinks back to /etc/apache2/mods-available.


Sunday, February 17, 2019

LSI RAID: Write cache policy affects read performance?

I have a server with a LSI MegaRAID SAS 9260-4i controller, RAID-5 with 3 x 2 TB disks. I did some performance testing (with iozone3) and the numbers show clearly that the write cache policy affects the read performance as well. If I set the policy to WriteBack I get about 2x the read performance in comparison with WriteThrough. How could the write cache affect the read performance?




Here are the details of the setup:



megacli -LDInfo -L0 -a0

Adapter 0 -- Virtual Drive Information:
Virtual Drive: 0 (Target Id: 0)
Name :
RAID Level : Primary-5, Secondary-0, RAID Level Qualifier-3
Size : 3.637 TB

Is VD emulated : Yes
Parity Size : 1.818 TB
State : Optimal
Strip Size : 512 KB
Number Of Drives : 3
Span Depth : 1
Default Cache Policy: WriteThrough, ReadAhead, Direct, No Write Cache if Bad BBU
Current Cache Policy: WriteThrough, ReadAhead, Direct, No Write Cache if Bad BBU
Default Access Policy: Read/Write
Current Access Policy: Read/Write

Disk Cache Policy : Disabled
Encryption Type : None
Bad Blocks Exist: No
Is VD Cached: No


With WriteBack enabled (everything else is unchanged):



Default Cache Policy: WriteBack, ReadAhead, Direct, Write Cache OK if Bad BBU
Current Cache Policy: WriteBack, ReadAhead, Direct, Write Cache OK if Bad BBU



Some numbers from iozone3:



 WriteThrough:
                                                              random    random
      KB  reclen    write  rewrite     read   reread      read     write
 2033120      64    91963    38146   144980   139122     11795     21564
 2033120     128    83039    90746   118660   118147     21193     33686
 2033120     256    78933    40359   113611   114327     31493     51838
 2033120     512    71133    39453   131113   143323     28712     60946
 2033120    1024    91233    76601   141257   142820     35869     45331
 2033120    2048    58507    48419   136078   135220     51200     54548
 2033120    4096    98426    70490   119342   134319     80883     57843
 2033120    8192    70302    63047   132495   144537    101882     57984
 2033120   16384    79594    29208   148972   135650    124207     79281

 WriteBack:
                                                              random    random
      KB  reclen    write  rewrite     read   reread      read     write
 2033120      64   347208   302472   331824   302075     12923     31795
 2033120     128   354489   343420   292668   322294     24018     45813
 2033120     256   379546   343659   320315   302126     37747     71769
 2033120     512   381603   352871   280553   322664     33192    116522
 2033120    1024   374790   349123   289219   290284     43154    232669
 2033120    2048   364758   342957   297345   320794     73880    264555
 2033120    4096   368939   339926   303161   324334    128764    281280
 2033120    8192   374004   346851   303138   326100    186427    324315
 2033120   16384   379416   340577   284131   289762    254757    356530



Some details about the system:




  • Ubuntu 12.04

  • 64 bit

  • Kernel 3.2.0 (3.2.0-58-generic)

  • Memory was limited to 1 GB for the test

  • iozone3 version 397-2

  • Partition used for the test:

    /dev/sda4 /var ext4 rw,relatime,user_xattr,barrier=1,data=ordered 0 0

Friday, February 15, 2019

domain name system - Windows Server 2008 R2 DHCP Server with multiple DNS servers?

We have two DC's running Windows Server 2008 R2. Each server has DNS running and one has DHCP running.



I have configured the scopes etc. and added two DNS servers to the configuration:



DNS Server setup



As you can see I have entered the two IP's .50 and .60.




When I try and test this (using a Macbook) I get given an IP address, the gateway is correct and the domain is showing as it should. For some reason though, I only get given one DNS server:



Macbook Network settings



To be on the safe side I double checked 'nslookup':




danny$ nslookup
> server
Default server: 192.168.1.50
Address: 192.168.1.50#53





Any help or advice would be appreciated!

Wildcard DNS with BIND



I'm trying to setup BIND so that it catches any and all requests made to it, and points them to a specific set of NS servers, and a specific A record.



I have around 500 domains, and I'm adding new ones at the rate of 10-15 a day, so I don't want to explicitly add a zone for every domain.



My current setup is:
in my named.conf, I have a view (named external) with the following zone in it:




zone "." {
type master;
file "ext.zone";
};


This matches all requests.



ext.zone is:





$TTL 3600
@ IN SOA . root.nsdomain.com. (
1 ; Serial
3600 ; Refresh
300 ; Retry
3600 ; Expire
300 ) ; Negative Cache TTL



IN NS ns1.example.com
IN NS ns2.example.com

ns1 IN A 192.0.2.4
ns2 IN A 192.0.2.5

*. IN A 192.0.2.6



so, the goal is:
for all NS requests, return ns1.example.com and ns2.example.com
for all A requests, except where it is ns1.example.com or ns2.example.com, return 192.0.2.6. For ns1.example.com return 192.0.2.4, for ns2.example.com return 192.0.2.5.



This almost works, the only problem is that when I do a dig, I get:




dig @localhost somedomain.example

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @localhost somedomain.example

; (1 server found)
;; global options: printcmd
;; Got answer:
;; opcode: QUERY, status: NOERROR, id: 37733
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;somedomain.example. IN A

;; ANSWER SECTION:

somedomain.example. 3600 IN A 192.0.2.6 // as expected

;; AUTHORITY SECTION:
. 3600 IN NS ns1.example.com. // expected, I don't know if the "." at the start is bad, though.
. 3600 IN NS ns2.example.com. // see above.

;; ADDITIONAL SECTION:
ns1.example.com. 3600 IN A 192.0.2.6 // not expected, this should be 192.0.2.4
ns2.example.com. 3600 IN A 192.0.2.6 // not expected, this should be 192.0.2.5



How do I fix this? Am I doing something horrible? Is there a better way to do this?


Answer



Your origin for the zone is . per your configuration. You are creating records for ns1. and ns2. instead of ns1.example.com. and ns2.example.com. Since ns1.example.com and ns2.example.com aren't defined, they are matched by the wildcard.



EDIT: here's an edit of your config and zone:



zone "example.com." {
type master;
file "ext.zone";

};


ext.zone:



$TTL    3600
@ IN SOA ns1 root (
1 ; Serial
3600 ; Refresh
300 ; Retry

3600 ; Expire
300 ) ; Negative Cache TTL


IN NS ns1
IN NS ns2
IN A 192.0.2.6


ns1 IN A 192.0.2.4

ns2 IN A 192.0.2.5

* IN A 192.0.2.6


Everything in the zone is relative to the zone name in the named configuration, so adding a second zone just points to the same file:



zone "example.net." {
type master;
file "ext.zone";

};
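To see why ns1 under an origin of "." ends up answered by the wildcard, here is an added example (not from the question or the answer) that emulates the zone-file owner-name rule and RFC 4592 wildcard matching over both zones. The record lists are transcribed from the post (SOA omitted); the lookup is a simplification of what BIND does, with no CNAME, DNAME or delegation handling.

```python
# Zone contents transcribed from the question (origin ".") and the answer
# (origin "example.com."); only name ownership matters for the lookup.
BROKEN_ORIGIN = "."
BROKEN_RECORDS = [
    ("@", "NS", "ns1.example.com"),
    ("@", "NS", "ns2.example.com"),
    ("ns1", "A", "192.0.2.4"),
    ("ns2", "A", "192.0.2.5"),
    ("*.", "A", "192.0.2.6"),
]
FIXED_ORIGIN = "example.com."
FIXED_RECORDS = [
    ("@", "NS", "ns1"),
    ("@", "NS", "ns2"),
    ("@", "A", "192.0.2.6"),
    ("ns1", "A", "192.0.2.4"),
    ("ns2", "A", "192.0.2.5"),
    ("*", "A", "192.0.2.6"),
]


def absolutize(name, origin):
    """Zone-file owner-name rule: '@' (or a blank owner) is the origin, a
    trailing dot means the name is already absolute, anything else gets the
    origin appended. With origin '.' the record 'ns1' therefore owns 'ns1.'."""
    if name in ("", "@"):
        return origin
    if name.endswith("."):
        return name
    return f"{name}." if origin == "." else f"{name}.{origin}"


def load_zone(origin, records):
    """Return {(absolute_owner, rtype): [rdata, ...]}."""
    zone = {}
    for owner, rtype, rdata in records:
        zone.setdefault((absolutize(owner, origin).lower(), rtype), []).append(rdata)
    return zone


def lookup(zone, qname, qtype):
    """Resolve qname/qtype the way an authoritative server does: an existing
    owner name wins (wildcards never apply to names that exist, even for a
    type they lack); otherwise walk up to the closest existing ancestor (the
    RFC 4592 "closest encloser") and answer from a wildcard directly beneath
    it. Returns a list of rdata, empty for NXDOMAIN or NODATA."""
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    names = {owner for owner, _ in zone}
    if qname in names:
        return zone.get((qname, qtype), [])
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        rest = labels[i:]
        ancestor = ".".join(rest) + "." if rest else "."
        if ancestor in names:
            wildcard = "*." if ancestor == "." else f"*.{ancestor}"
            return zone.get((wildcard, qtype), [])
    return []
```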

Wednesday, February 13, 2019

Missing disc space on Ubuntu Hardy

I have a Dell Mini 10 running Ubuntu Hardy.



I ran out of disk space; looking at Disk Analyzer I noticed that in addition to the standard /dev/sda2 filesystem, there was a second called gvfs-fuse-daemon, each with 50% [5.9G] of my available disc space [11.8G]. Reading around a bit, it seems that gvfs has decided a network drive is in fact a root partition



https://bugs.launchpad.net/ubuntu/+source/simplebackup/+bug/227753



I unmounted gvfs-fuse-daemon, which removed it from the partition list but unfortunately didn't free up the 5.9G - I think it's somehow 'hidden' and would like it back as I am chronically short of space.




I'm certain this is related to plugging in a badly-formatted USB drive a couple of weeks ago. Reading the following



No free disk space



Out of disk space on 4GB partiton yet it's only using 2GB



it sounds like there may be a hidden file somewhere which needs deleting



I have run 'tune2fs -m 1 /var/sda2' to maximise what little space I have




Any assistance in cleaning up this mess would be gratefully received.



Thank you.






jhw@jhw:~$ fdisk -l /dev/sda
Cannot open /dev/sda
jhw@jhw:~$ fdisk -l /dev/sda2
Cannot open /dev/sda2







jhw@jhw:~$ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda2 6123552 5517260 543080 92% /
varrun 512456 100 512356 1% /var/run
varlock 512456 0 512456 0% /var/lock
udev 512456 44 512412 1% /dev
devshm 512456 12 512444 1% /dev/shm
lrm 512456 1652 510804 1% /lib/modules/2.6.24-27-lpia/volatile






jhw@jhw:~$ lsof +L1
COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME
firefox 5438 jhw 37u REG 8,2 1544 0 97221 /var/tmp/etilqs_WxQgt6n5lgV3QoI (deleted)
firefox 5438 jhw 38u REG 8,2 1024 0 98379 /var/tmp/etilqs_fkODKeKm4ZOazIo (deleted)
firefox 5438 jhw 55u REG 8,2 0 0 98402 /var/tmp/etilqs_GUbgrLdlbap3xK7 (deleted)
jhw@jhw:~$

Monday, February 11, 2019

What is a Storage Area Network, and which benefits does it have over different storage solutions?





I'm proposing this to be a canonical question about enterprise-level Storage Area Networks.




What is a Storage Area Network (SAN), and how does it work?
How is it different from a Network Attached Storage (NAS)?
What are the use cases compared to direct-attached storage (DAS)?
In which way is it better or worse?
Why is it so expensive?
Should I (or my company) use one?


Answer



First of all, for a (broad) comparison of DAS, NAS and SAN storage see here.







There are some common misconceptions about the term "SAN", which means "Storage Area Network" and as such, strictly speaking, refers only to the communication infrastructure connecting storage devices (disk arrays, tape libraries, etc.) and storage users (servers). However, in common practice the term "SAN" is used to refer to two things:




  1. A complete storage infrastructure, including all the hardware and software involved in providing shared access to central storage devices from multiple servers. This usage, although not strictly correct, is commonly accepted and what most people refer to when talking about a "SAN". The rest of this answer will focus on it, thus describing every component of an enterprise-level storage infrastructure.

  2. A single storage array (see later); as in, "we have a Brand X SAN with 20 TB storage". This usage is fundamentally incorrect, because it doesn't even take into account the real meaning of "SAN" and just assumes it's some form of storage device.






A SAN can be composed of very different hardware, but can usually be broken down into various components:





  • Storage Arrays: this is where data is actually stored (and what is erroneously called a "SAN" quite often). They are composed of:


    • Physical Disks: they, of course, archive the data. Enterprise-level disks are used, which means they usually have lower per-disk capacity, but much higher performance and reliability; also, they are a lot more expensive than consumer-class disks. The disks can use a wide range of connections and protocols (SATA, SAS, FC, etc.) and different storage media (Solid-State Disks are becoming increasingly common), depending on the specific SAN implementation.

    • Disk Enclosures: this is where the disks are placed. They provide electricity and data connections to them.

    • Storage Controllers/Processors: these manage disk I/O, RAID and caching (the term "controller" or "processor" varies between SAN vendors). Again, enterprise-level controllers are used, so they have much better performance and reliability than consumer-class hardware. They can be, and usually are, configured in pairs for redundancy.

    • Storage Pools: a storage pool is a bunch of storage space, comprising some (often many) disks in a RAID configuration. It is called a "pool" because sections of it can be allocated, resized and de-allocated on demand, creating LUNs.

    • Logical Unit Numbers (LUNs): a LUN is a chunk of space drawn from a storage pool, which is then made available ("presented") to one or more servers. This is seen by the servers as a storage volume, and can be formatted by them using any file system they prefer.



  • Tape Libraries: they can be connected to a SAN and use the same communications technology both for connecting to servers and for direct storage-to-tape backups.

  • Communications Network (the "SAN" proper): this is what allows the storage users (servers) to access the storage devices (storage array(s), tape libraries, etc.); it is, strictly speaking, the real meaning of the term "Storage Area Network", and the only part of a storage infrastructure that should be defined as such. There really are lots of solutions to connect servers to shared storage devices, but the most common ones are:


    • Fibre Channel: a technology which uses fiber-optics for high-speed connections to shared storage. It includes host bus adapters, fiber-optic cables and FC switches, and can achieve transfer speeds ranging from 1 Gbit to 20 Gbit. Also, multipath I/O can be used to group several physical links together, allowing for higher bandwidth and fault tolerance.

    • iSCSI: an implementation of the SCSI protocol over IP transport. It runs over standard Ethernet hardware, which means it can achieve transfer speeds from 100 Mbit (generally not used for SANs) to 100 Gbit. Multipath I/O can also be used (although the underlying networking layer introduces some additional complexities).

    • Fibre Channel over Ethernet (FCoE): a technology in-between full FC and iSCSI, which uses Ethernet as the physical layer but FC as the transport protocol, thus avoiding the need for an IP layer in the middle.

    • InfiniBand: a very high-performance connectivity technology, less used and quite expensive, but which can achieve some impressive bandwidth.



  • Host Bus Adapters (HBAs): the adapter cards used by the servers to access the connectivity layer; they can be dedicated adapters (as in FC SANs) or standard Ethernet cards. There are also iSCSI HBAs, which have a standard Ethernet connection, but can handle the iSCSI protocol in hardware, thus relieving the server of some additional load.



A SAN provides many additional capabilities over direct-attached (or physically shared) storage:




  • Fault tolerance: high availability is built-in in any enterprise-level SAN, and is handled at all levels, from power supplies in storage arrays to server connections. Disks are more reliable, RAID is used to withstand single-disk (or multiple-disk) failures, redundant controllers are employed, and multipath I/O allows for uninterrupted storage access even in the case of a link failure.

  • Greater storage capacity: SANs can contain many large storage devices, allowing for much greater storage spaces than what a single server could achieve.

  • Dynamic storage management: storage volumes (LUNs) can be created, resized and destroyed on demand; they can be moved from one server to another; allocating additional storage to a server requires only some configurations, as opposed to buying disks and installing them.

  • Performance: a properly-configured SAN, using recent (although expensive) technologies, can achieve really impressive performance, and is designed from the ground up to handle heavy concurrent load from multiple servers.


  • Storage-level replication: two (or more) storage arrays can be configured for synchronous replication, allowing for the complete redirection of server I/O from one to another in fault or disaster scenarios.

  • Storage-level snapshots: most storage arrays allow for taking snapshots of single volumes and/or whole storage pools. Those snapshots can then be restored if needed.

  • Storage-level backups: most SANs also allow for performing backups directly from storage arrays to SAN-connected tape libraries, completely bypassing the servers which actually use the data; various techniques are employed to ensure data integrity and consistency.



Based on everything above, the benefits of using SANs are obvious; but what about the costs of buying one, and the complexity of managing one?



SANs are enterprise-grade hardware (although there can be a business case for small SANs even in small/medium companies); they are of course highly customizable, so can range from "a couple TBs with 1 Gbit iSCSI and somewhat high reliability" to "several hundred TBs with amazing speed, performance and reliability and full synchronous replication to a DR data center"; costs vary accordingly, but are generally higher (as in "total cost", as well as in "cost per gigabyte of space") than other solutions. There is no pricing standard, but it's not uncommon for even small SANs to have price tags in the tens of thousands (and even hundreds of thousands) of dollars.



Designing and implementing a SAN (even more so for a high-end one) requires specific skills, and this kind of job is usually done by highly-specialized people. Day-to-day operations, such as managing LUNs, are considerably easier, but in many companies storage management is handled anyway by a dedicated person or team.




Regardless of the above considerations, SANs are the storage solution of choice where high capacity, reliability and performance are required.


Sunday, February 10, 2019

windows - How to refresh hosts file without rebooting

On Windows, how do you refresh the hosts file without rebooting?

linux - Apache can't start - Address already in use - Unable to listen for connections, unable to open logs

I have a Debian 9 installation (Bitnami appliance) with the Moodle learning system and the Lambda theme. We have https enabled. I tried to secure the apache server according to best practices, and the last two things I changed were adding "FileETag None" in some config files and installing apachetop to monitor the web server. I suppose the apachetop installation caused this problem. When I enter the IP in the browser, I get the initial screen of the apache web server, but the web page doesn't work.



When I try to start apache, I get this:



root@debian:/etc# sudo /opt/bitnami/ctlscript.sh start apache
Syntax OK
(98)Address already in use: AH00073: make_sock: unable to listen for connections on address [::]:80
(98)Address already in use: AH00073: make_sock: unable to listen for connections on address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
/opt/bitnami/apache2/scripts/ctl.sh : httpd could not be started
Monitored apache


I tried to search the web for the solution, but I didn't find exactly the same error message. Most answers to similar problems with binding were about killing the second apache process, but I found only one apache2 listening. I tried this:



root@debian:/etc/apache2/sites-enabled# sudo netstat -ltnp | grep ':80'
tcp6       0      0 :::80                   :::*                    LISTEN      475/apache2

root@debian:/etc/apache2/sites-enabled# netstat -tulpn | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      475/apache2

root@debian:/etc/apache2/sites-enabled# sudo netstat -ltnp | grep ':443'
root@debian:/etc/apache2/sites-enabled#



I also changed the ownership of the log to www-data, but nothing changed.
When I stop apache with this



root@debian:/# /opt/bitnami/ctlscript.sh status apache
apache not running
root@debian:/# netstat -tulpn | grep apache2
tcp6       0      0 :::80                   :::*                    LISTEN      475/apache2



I can still access the "Apache2 Debian default page" when I enter ip in the browser. Is this normal?



Well, it's working now,



root@debian:/home/bitnami# ps aux | grep apache
root 462 0.0 0.4 75612 4268 ? Ss 09:04 0:00 /usr/sbin/apache2 -k start
www-data 463 0.0 0.3 364772 4036 ? Sl 09:04 0:00 /usr/sbin/apache2 -k start
www-data 464 0.0 0.3 364772 4036 ? Sl 09:04 0:00 /usr/sbin/apache2 -k start
root 1179 0.0 0.0 12784 960 pts/0 S+ 09:05 0:00 grep apache

root@debian:/home/bitnami# kill 462
root@debian:/home/bitnami# kill 463
bash: kill: (463) - No such process
root@debian:/home/bitnami# kill 464
bash: kill: (464) - No such process
root@debian:/home/bitnami# kill 1179
bash: kill: (1179) - No such process
root@debian:/home/bitnami# /opt/bitnami/ctlscript.sh start apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80

Monitored apache


I think that killing the first process got it to work, but after a server restart I get the same error message, and killing the process and starting apache is necessary again :(
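The process list above shows the binary that holds port 80: /usr/sbin/apache2 is the Debian package's Apache, while the Bitnami stack's httpd lives under /opt/bitnami/apache2. It is started at 09:04 with a low PID and comes back after every reboot, which is what an enabled system service looks like; for as long as it is listening, the Bitnami start will fail with exactly this make_sock error. The following is an added example, not part of the original post and not a Bitnami script: it parses netstat -ltnp output for the process owning a port, classifies it by program name (the Bitnami binary is normally called httpd; that mapping is an assumption), and prints the Debian 9 remedy, stopping the packaged Apache and keeping it from starting at boot. The netstat sample is constructed.

```sh
#!/bin/sh
# Added example (not the poster's commands): who owns a listening port, and is it the
# distro's apache2 rather than the Bitnami httpd?

# Constructed `netstat -ltnp` sample resembling the question; PIDs are made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      401/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      475/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      401/sshd'

# port_owner PORT  (stdin: netstat -ltnp output)
# Prints the "PID/program" field of every LISTEN socket bound to PORT on any address.
port_owner() {
    awk -v port="$1" '$0 ~ /LISTEN/ && $4 ~ (":" port "$") { print $NF }'
}

# listener_kind PID/PROGRAM
# Debian's package runs /usr/sbin/apache2 (program name "apache2"); the Bitnami
# stack runs /opt/bitnami/apache2/bin/httpd (program name "httpd" - assumption).
# Confirm on the real host with: readlink /proc/<pid>/exe
listener_kind() {
    case "${1#*/}" in
        apache2) echo distro ;;
        httpd)   echo bitnami ;;
        *)       echo other ;;
    esac
}

# Stop the packaged Apache and keep it from coming back at boot (Debian 9 uses systemd).
# Run with DRYRUN=0 on the server; the default only prints what would be done.
DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

disable_distro_apache() {
    run systemctl disable --now apache2
}

# Typical use on the live host (needs root for the -p column):
#   owner=$(netstat -ltnp | port_owner 80)
#   [ "$(listener_kind "$owner")" = distro ] && disable_distro_apache
```

After the packaged service is disabled, the Bitnami ctlscript start should bind port 80 on the first try, and the default Debian page disappears from the browser because nothing serves it any more.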

Saturday, February 9, 2019

virtualhost - Apache 2.4 on Debian issue - "Forbidden" after upgrading virtual host

I have tried many suggestions I can find via Google to make my virtual host work properly after upgrading Debian to Jessie (upgrade from Apache 2.2 to 2.4).



I have mod_rewrite and mod_access_compat, which is why it seems to work fine when I use the old syntax. As soon as I go to Require all granted, it stops working and I get 403 Forbidden.




I have many virtual hosts and it's the same across the board... most are Drupal installs. Here's an example of a virtual host:




ServerName www.skyjacobs.com
Redirect 301 / http://skyjacobs.com/


ServerAdmin skyjacobs@gmail.com
ServerName skyjacobs.com

DocumentRoot /www/sky

Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny # These 2 lines work
allow from all #
Require all granted # If I use this line only, it stops working

ErrorLog /www/logs/sky/error.log
LogLevel warn

CustomLog /www/logs/sky/access.log combined



If I comment out the 2 lines of old syntax and use Require all granted, it stops working. Does anyone know what the problem might be? Thanks for any leads.
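Apache's 2.4 upgrade notes warn against mixing the old Order/Allow/Deny directives with Require in one configuration while mod_access_compat is loaded, and with AllowOverride All every .htaccess under the document root (Drupal ships one) is part of that merged configuration, so the 2.2 lines may survive in places other than the vhost file. The block below is an added example, not the poster's configuration and not an Apache-project script: a small scanner that lists leftover 2.2-style access-control lines, shown here over two constructed vhost snippets, the mixed one from the question and a 2.4-only version, plus a variant that walks /etc/apache2 and the .htaccess files under given document roots. Paths are assumptions.

```sh
#!/bin/sh
# Added example: find Apache 2.2 access-control directives that survived an upgrade to 2.4.

# find_legacy_access_directives  (stdin: Apache config or .htaccess text)
# Prints "<line>: <text>" for every Order / Allow / Deny / Satisfy directive.
# Directive names are case-insensitive in Apache; the trailing blank keeps
# "AllowOverride" from matching.
find_legacy_access_directives() {
    awk 'tolower($0) ~ /^[ \t]*(order|allow|deny|satisfy)[ \t]/ { print NR ": " $0 }'
}

# scan_apache_tree [DOCROOT...]
# Same check over the Debian config tree plus any .htaccess under the given document roots.
scan_apache_tree() {
    for root in /etc/apache2 "$@"; do
        find "$root" -type f \( -name '*.conf' -o -name '.htaccess' \) -exec \
            grep -HinE '^[[:space:]]*(Order|Allow|Deny|Satisfy)[[:space:]]' {} +
    done
}

# Constructed: the mixed block from the question (2.2 lines next to Require)
MIXED_VHOST='<VirtualHost *:80>
    ServerName skyjacobs.com
    DocumentRoot /www/sky
    <Directory /www/sky>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>
</VirtualHost>'

# Constructed: the same block with 2.4 syntax only
CLEAN_VHOST='<VirtualHost *:80>
    ServerName skyjacobs.com
    DocumentRoot /www/sky
    <Directory /www/sky>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>'

# Usage on a real host, e.g.:  scan_apache_tree /www/sky
```

Once the scanner comes back empty for both the config tree and the document roots, mod_access_compat can be disabled as well (a2dismod access_compat), which turns any remaining 2.2 directive into a startup error instead of a silent 403.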

active directory - Why can I create objects on my read only domain controller?

I have a Windows Server 2012 Domain Controller. I have configured another Server 2012 machine as a Read-Only Domain Controller. When I log in with domain administrator credentials on my RODC I can create objects, but I should not be able to do that.



Why am I not being blocked from creating objects on a RODC?

iis 7 - Redirect incoming requests to specific URLs in IIS 7



I found in IIS HTTP Redirect feature, but I can only redirect all incoming requests to specific destination. Is it possible to redirect incoming requests to specific URLs in IIS? For example:



my.domain.com/blog/about -> other.domainxyz.com/site/about
my.domain.com/blog/post/5 -> other.domainxyz.com/site/5


UPDATE




This is how web.config looks like:



I haven't found the URL Rewrite module among the Role Services, although HTTP Redirection is there.


Answer



This rule will redirect a SPECIFIC incoming request to a specific URL:



UPDATE:
I have merged them together -- just update it with real URLs:


Friday, February 8, 2019

php - Heartbleed vulnerability when SSL provided by unaffected servers?



I'd like to ask about two scenarios where a vulnerable version of OpenSSL is installed on a server, but that server is not providing SSL services.



Scenario 1: I have an SSL certificate installed on a load balancer, behind which sits a farm of IIS servers. IIS is unaffected by Heartbleed and port 443 is switched off there. But we discover that the load balancer is vulnerable. What aspects of Heartbleed will impact us?



Scenario 2: In this scenario, the load balancer is NOT vulnerable. Again, the load balancer has the certificate installed. But, behind it sits a farm of servers running PHP, with a vulnerable version of OpenSSL installed and enabled -- possibly because another extension requires it or someone enabled it without thinking. Port 443 is switched off on these servers as well. What aspects of Heartbleed will impact us?



Based on my understanding, in Scenario 1 our keys and the data going over the wire to/from the servers are at risk of being intercepted. However, the contents of the IIS application server memory would not be at risk of being exposed.




Again, based on my understanding, which could be wrong, in Scenario 2, there is no risk.



Can someone verify or correct my assumptions?


Answer



Heartbleed allows memory to be exposed from the server on which [a vulnerable version of] OpenSSL is running, during a TLS connection. So, for heartbleed to be exploitable, a server must both be running a vulnerable version of OpenSSL AND accept TLS connections.



Therefore, in Scenario 1, you'd be at risk of having the memory of your load balancer being exposed, as it is the server running OpenSSL.



In scenario 2, assuming your scenario is set up such that a TLS connection cannot be made to these servers, nothing is vulnerable. A TLS connection cannot be established, so the vulnerable versions of OpenSSL are not exploitable.
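The answer's two conditions, an affected OpenSSL build and a TLS listener, can be turned into a host check. The block below is an added example, not part of the answer. heartbleed_version_suspect matches the affected OpenSSL releases (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the fixed release), and openssl_build_after_fix reads the build date printed by openssl version -b, because distributions such as Debian and Ubuntu shipped the fix as a patch without changing the version string, so a 1.0.1e built after 7 April 2014 is most likely patched and the package changelog is the final word. The sample version strings are constructed. One practitioner's caveat on scenario 2: the check covers the listening side the answer talks about; the same library also terminates outbound TLS, so a vulnerable OpenSSL on the PHP servers still matters if they connect out to TLS services as a client.

```sh
#!/bin/sh
# Added example: is this host's OpenSSL in the Heartbleed (CVE-2014-0160) range?

# heartbleed_version_suspect "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 when the version string is one of the affected releases.
# Affected: 1.0.1 (including its betas) through 1.0.1f, and 1.0.2-beta1. Fixed in 1.0.1g.
# Suffixes such as "-fips" are tolerated.
heartbleed_version_suspect() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1|1.0.1-beta*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# openssl_build_after_fix "built on: Mon Jun  2 19:37:18 UTC 2014"
# Returns 0 when the build date is on or after 7 April 2014 (the day the fix was published),
# 1 when it is earlier, 2 when the line carries no date (e.g. reproducible builds).
# Distribution packages backport the fix without bumping the version string, so use this
# together with the version test and confirm with the package changelog when in doubt.
openssl_build_after_fix() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) mon[m[i]] = i }
        $1 == "built" && $2 == "on:" && ($4 in mon) && $NF ~ /^[0-9][0-9][0-9][0-9]$/ {
            ymd = $NF * 10000 + mon[$4] * 100 + $5
            exit ((ymd >= 20140407) ? 0 : 1)
        }
        { exit 2 }'
}

# heartbleed_exposure
# Runs both checks on the live host and, when the library looks vulnerable, lists the
# listening TCP sockets: only the ones that speak TLS are the exposure the answer describes.
heartbleed_exposure() {
    if ! heartbleed_version_suspect "$(openssl version)"; then
        echo "openssl not in the affected range"; return 0
    fi
    if openssl_build_after_fix "$(openssl version -b)"; then
        echo "affected version string but built after the fix; check the package changelog"; return 0
    fi
    echo "vulnerable OpenSSL; listening sockets on this host (TLS ones are exposed):"
    ss -ltn | awk 'NR > 1 { print $4 }'
}
```

The load balancer in scenario 1 is the host to run this on (or its vendor's advisory, where it is an appliance); on the IIS farm the functions report nothing of interest because IIS does not use OpenSSL.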



Thursday, February 7, 2019

vpn - Multiple static WAN IP addresses to single LAN subnet



Below is my home network topology. I currently have 5 static IP addresses, 3 of which are in use by 3 routers. These routers in-turn subnet internal networks and port forward. I use my SSL VPN appliance to remote home from work or on the road. At this point I can remotely administer my Windows Server. I know the network is setup wrong, I was matching existing hardware the best I knew how.




http://storage.jessyhoule.com.s3.amazonaws.com/network_topology.jpg



Ok this said, here is the problem... One of my websites on my Windows Server now needs to be secure (SSL using port 443). However, I'm already port forwarding port 443 to my VPN appliance. Furthermore, if I'm going to have to reconfigure the network, I would really like to be able to use the SSL VPN to remotely administer all machines.



I mentioned this to a friend of mine, who said that what I was looking for was a firewall, explaining that a firewall would take in multiple static (WAN) IP addresses and still allow all internal devices to be on the same network. So, basically, I could give my SSL VPN appliance its very own static (WAN) IP address routing, and yet have it on the same internal network (192.168.1.x) as all my other devices.



The first question is... Does this sound right? Secondly, would you suggest anything different? And, finally, what is the cheapest way to do this? I have started down the road of downloading/installing untangle and smoothwall to see if they will do the job, hoping they take multiple static (WAN) IP addresses.



Thank you in advance for your answers.




-Jessy Houle


Answer



If you simplify your configuration to the following: Modem -> DDWRT -> optional switch if the DDWRT doesn't have enough ports -> Servers/Clients. You should be able to set up your configuration such that the DDWRT router is listening on all of the public IPs and forwarding to the correct host using iptables.



Sorry, I can't give you the exact commands as I don't work with iptables all that much, and do everything but basic host firewalling using Cisco routers/ASAs.



Also you will probably get a better answer on SU - they probably use that type of setup more often, so I'm going to vote to have it moved over.



Ask and ye shall receive (From the DDWRT Website)
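What the answer describes, the router answering on several public addresses and sending each one's traffic to a different inside host, comes down to a few iptables rules per public IP. Below is an added example; it is not the DD-WRT wiki material the answer refers to and not from the original post. The plan adds the extra public addresses to the WAN interface, DNATs inbound connections for each of them to one LAN host, and SNATs that host's own outbound traffic so it leaves with its public address, which is what lets port 443 on one address reach the SSL VPN appliance and port 443 on another reach the Windows web server. The public and private addresses, the WAN interface name (vlan2) and the host roles are assumptions; with DRYRUN=1 (the default) the script only prints the commands, so the plan can be reviewed before it goes into the router's firewall script (Administration -> Commands -> Save Firewall on DD-WRT).

```sh
#!/bin/sh
# Added example: one public IP per internal host on a Linux/iptables router (DD-WRT or similar).
# Addresses are from documentation ranges; interface name and hosts are assumptions.

WAN=${WAN:-vlan2}        # DD-WRT usually calls the WAN port vlan2 or eth0; check with `ip link`
DRYRUN=${DRYRUN:-1}      # 1 = print the commands, 0 = execute them on the router

run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# add_public_ip ADDR/PREFIX: the router must own the address to answer ARP for it
add_public_ip() { run ip addr add "$1" dev "$WAN"; }

# forward_port PUBLIC_IP LAN_IP PORT: inbound TCP to PUBLIC_IP:PORT -> LAN_IP:PORT
# The DNAT rewrites the destination before routing; the FORWARD rule lets the new
# connection through to the LAN host. conntrack un-NATs the replies by itself.
forward_port() {
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$1" -p tcp --dport "$3" \
        -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$WAN" -d "$2" -p tcp --dport "$3" \
        -m state --state NEW -j ACCEPT
}

# source_nat PUBLIC_IP LAN_IP: connections the LAN host opens itself leave with PUBLIC_IP.
# Inserted at the top of POSTROUTING so it wins over the router's generic MASQUERADE rule.
source_nat() {
    run iptables -t nat -I POSTROUTING -o "$WAN" -s "$2" -j SNAT --to-source "$1"
}

# plan: the question's two tenants of port 443, each on its own public address
plan() {
    add_public_ip 203.0.113.11/29               # SSL VPN appliance's public address
    add_public_ip 203.0.113.12/29               # web server's public address
    forward_port 203.0.113.11 192.168.1.10 443  # SSL VPN appliance
    forward_port 203.0.113.12 192.168.1.20 443  # Windows web server, HTTPS
    forward_port 203.0.113.12 192.168.1.20 80   # Windows web server, HTTP
    source_nat   203.0.113.11 192.168.1.10
    source_nat   203.0.113.12 192.168.1.20
}

plan
```

Because each public address maps to one LAN host, the VPN appliance and the web server both keep port 443 and both stay on 192.168.1.x, which is the arrangement the friend described; the remaining public addresses can be mapped the same way when another service needs its own 443.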



filesystems - Tmp folder and read-only-system...file system corrupt

For 1 month I have always had problems with my VPS. Before, it was the file system; it said Can't create/write to file '/tmp/ - error 30.



My host had fixed the problem, but today I tried to upgrade Webmin and now it doesn't work any more:




Installing package(s) with command apt-get -y install libmount1 ..

Reading package lists... Building dependency tree... Reading state information...
The following packages were automatically installed and are no longer required:
  linux-image-3.13.0-37-generic linux-image-3.13.0-39-generic linux-image-3.13.0-40-generic
  linux-image-3.13.0-41-generic linux-image-3.13.0-43-generic linux-image-3.13.0-44-generic
  linux-image-3.13.0-45-generic linux-image-3.13.0-46-generic linux-image-3.13.0-48-generic
  linux-image-3.13.0-49-generic linux-image-3.13.0-51-generic linux-image-3.13.0-52-generic
  linux-image-3.13.0-53-generic linux-image-3.13.0-54-generic linux-image-3.13.0-55-generic
  linux-image-3.13.0-57-generic linux-image-3.13.0-58-generic linux-image-3.13.0-59-generic
  linux-image-3.13.0-61-generic
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded: libmount1
1 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
Need to get 60.2 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/main libmount1 amd64 2.20.1-5.1ubuntu20.7 [60.2 kB]
Fetched 60.2 kB in 0s (742 kB/s)
(Reading database ... 54924 files and directories currently installed.)
Preparing to unpack .../libmount1_2.20.1-5.1ubuntu20.7_amd64.deb ...
Unpacking libmount1:amd64 (2.20.1-5.1ubuntu20.7) over (2.20.1-5.1ubuntu20.6) ...
E: Sub-process /usr/bin/dpkg exited unexpectedly
E: Failed to write temporary StateFile /var/lib/apt/extended_states.tmp
.. install failed!

Now updating libuuid1 ..
Installing package(s) with command apt-get -y install libuuid1 ..
dpkg: error: unable to access dpkg status area: Read-only file system





I tried to restart MySQL, but now MySQL is dead too and I can't make a backup of my database...



I can still connect via SSH and FTP to server.



As soon as I connect via SSH I get various errors:




[163488.687353] EXT4-fs error (device xvda1): ext4_mb_generate_buddy:756: group 318, 23274 clusters in bitmap, 23231 in gd; block bitmap corrupt.
[163488.687368] Aborting journal on device xvda1-8.
[163488.687583] EXT4-fs (xvda1): Remounting filesystem read-only
[163488.687725] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[163488.687732] IP: [] __ext4_error_inode+0x31/0x160
[163488.687738] PGD 6cffc067 PUD 530dc067 PMD 0
[163488.687743] Oops: 0000 [#1] SMP
[163488.687747] Modules linked in: xt_multiport ip6t_REJECT xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack iptable_filter ip_tables x_tables crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd
[163488.687780] CPU: 0 PID: 14460 Comm: dpkg Tainted: G W 3.13.0-24-generic #47-Ubuntu
[163488.687785] task: ffff880053005fc0 ti: ffff880038aa2000 task.ti: ffff880038aa2000
[163488.687789] RIP: e030:[] [] __ext4_error_inode+0x31/0x160
[163488.687795] RSP: e02b:ffff880038aa3a98 EFLAGS: 00010292
[163488.687799] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000009f0000
[163488.687805] RDX: 00000000000012ea RSI: ffffffff81a6ae62 RDI: 0000000000000000
[163488.687810] RBP: ffff880038aa3b28 R08: ffffffff81a74b60 R09: 0000000000000005
[163488.687814] R10: 00000000ffffffe2 R11: ffff880038aa380e R12: 00000000009f0000
[163488.687818] R13: ffffffff81835240 R14: 00000000000012ea R15: ffffffff81a74b60
[163488.687827] FS: 00007f2491816840(0000) GS:ffff88007d200000(0000) knlGS:0000000000000000
[163488.687832] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[163488.687835] CR2: 0000000000000028 CR3: 000000007add2000 CR4: 0000000000002660
[163488.687840] Stack:
[163488.687842]  ffff880038aa3aa0 0000000000000103 d26d9f89685cebc7 0000000000000007
[163488.687848]  0000000000000006 0000000000000000 0000000000000138 ffff88007b9da2a0
[163488.687855]  ffff880038aa3b28 ffffffff812689c2 ffffffff810676cf ffff8800384bd680
[163488.687862] Call Trace:
[163488.687866]  [] ? ext4_journal_abort_handle+0x42/0xc0
[163488.687871]  [] ? warn_slowpath_common+0x8f/0xa0
[163488.687875]  [] __ext4_handle_dirty_metadata+0x10f/0x1c0
[163488.687880]  [] ext4_free_blocks+0x646/0xbf0
[163488.687885]  [] ? radix_tree_lookup_slot+0xe/0x10
[163488.687890]  [] ext4_clear_blocks+0x189/0x290
[163488.687895]  [] ext4_free_data+0x143/0x190
[163488.687900]  [] ext4_ind_truncate+0x1bd/0x490
[163488.687904]  [] ? ext4_discard_preallocations+0x159/0x460
[163488.687909]  [] ? mutex_lock+0x12/0x2f
[163488.687914]  [] ? ext4_orphan_add+0x5c/0x1d0
[163488.687919]  [] ? __ext4_journal_start_sb+0x69/0xe0
[163488.687924]  [] ext4_truncate+0x30c/0x3c0
[163488.687929]  [] ext4_evict_inode+0x491/0x4f0
[163488.687933]  [] evict+0xb0/0x1b0
[163488.687937]  [] iput+0xf5/0x180
[163488.687942]  [] do_unlinkat+0x18e/0x2b0
[163488.687946]  [] ? context_tracking_user_exit+0x4f/0xc0
[163488.687951]  [] ? syscall_trace_enter+0x145/0x250
[163488.687956]  [] SyS_unlink+0x16/0x20
[163488.687961]  [] tracesys+0xe1/0xe6
[163488.687965] Code: 48 89 e5 41 57 4d 89 c7 41 56 41 89 d6 41 55 49 89 f5 48 c7 c6 62 ae a6 81 41 54 49 89 cc 53 48 89 fb 48 83 ec 68 4c 89 4c 24 60 <48> 8b 47 28 48 8b 57 40 48 8b 80 f8 02 00 00 48 8b 40 68 89 90
[163488.688008] RIP  [] __ext4_error_inode+0x31/0x160
[163488.688014]  RSP
[163488.688017] CR2: 0000000000000028
[163488.688049] ---[ end trace d26d9f89685cebc8 ]---
[163898.263253] init: mysql main process (31940) killed by KILL signal
[163898.416951] type=1400 audit(1442421984.518:18): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=14863 comm="apparmor_parser"
[163898.532076] init: mysql main process (14875) terminated with status 1
[163898.532107] init: mysql main process ended, respawning
[163899.521793] init: mysql post-start process (14876) terminated with status 1
[163899.549762] type=1400 audit(1442421985.650:19): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=14899 comm="apparmor_parser"
[163899.605335] init: mysql main process (14911) terminated with status 1
[163899.605379] init: mysql main process ended, respawning
[163900.616355] init: mysql post-start process (14912) terminated with status 1
[163900.635946] type=1400 audit(1442421986.734:20): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=14935 comm="apparmor_parser"
[163900.698158] init: mysql main process (14947) terminated with status 1
[163900.698200] init: mysql respawning too fast, stopped
[163912.524831] init: Failed to write to log file /var/log/upstart/systemd-logind.log
[164061.712485] type=1400 audit(1442422147.814:21): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15030 comm="apparmor_parser"
[164061.767517] init: mysql main process (15042) terminated with status 1
[164061.767551] init: mysql main process ended, respawning
[164062.776180] init: mysql post-start process (15043) terminated with status 1
[164062.802000] type=1400 audit(1442422148.902:22): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15066 comm="apparmor_parser"
[164062.859336] init: mysql main process (15078) terminated with status 1
[164062.859369] init: mysql main process ended, respawning
[164063.868893] init: mysql post-start process (15079) terminated with status 1
[164063.891965] type=1400 audit(1442422149.990:23): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15102 comm="apparmor_parser"
[164063.947418] init: mysql main process (15114) terminated with status 1
[164063.947449] init: mysql respawning too fast, stopped
[164077.650423] type=1400 audit(1442422163.750:24): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15150 comm="apparmor_parser"
[164077.705842] init: mysql main process (15162) terminated with status 1
[164077.705873] init: mysql main process ended, respawning
[164078.714713] init: mysql post-start process (15163) terminated with status 1
[164078.734022] type=1400 audit(1442422164.834:25): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15186 comm="apparmor_parser"
[164078.792127] init: mysql main process (15198) terminated with status 1
[164078.792157] init: mysql main process ended, respawning
[164079.801544] init: mysql post-start process (15199) terminated with status 1
[164079.822027] type=1400 audit(1442422165.922:26): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15222 comm="apparmor_parser"
[164079.878910] init: mysql main process (15234) terminated with status 1
[164079.878941] init: mysql respawning too fast, stopped
[164100.211709] type=1400 audit(1442422186.310:27): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15270 comm="apparmor_parser"
[164100.273478] init: mysql main process (15282) terminated with status 1
[164100.273519] init: mysql main process ended, respawning
[164101.278431] init: mysql post-start process (15283) terminated with status 1
[164101.299116] type=1400 audit(1442422187.398:28): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15306 comm="apparmor_parser"
[164101.355867] init: mysql main process (15318) terminated with status 1
[164101.355911] init: mysql main process ended, respawning
[164102.362783] init: mysql post-start process (15319) terminated with status 1
[164102.388224] type=1400 audit(1442422188.490:29): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=15342 comm="apparmor_parser"
[164102.451563] init: mysql main process (15354) terminated with status 1
[164102.451625] init: mysql respawning too fast, stopped





How can I at least back up my database?? :( Then I can reinstall the whole VPS.



I tried with:
mysqldump -p -u userdb namedb > dbname.sql
-bash: dbname.sql: Read-only file system



But nothing, the server is in read-only mode now.. I can't do anything..



SQL Error:

2002 - No such file or directory



Query:
[READ] Unable to connect to MySQL server



Thank you in advance and sorry for my bad English
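The mysqldump attempt in the post fails on the shell redirect, not on MySQL: "> dbname.sql" tries to create a file on the root filesystem that the kernel has already remounted read-only, and the dmesg lines show mysqld itself dying and being respawned until upstart gives up, because it cannot write either. A read-only filesystem can still be read, so the data can be streamed off the machine without a local file. Below is an added example, not part of the post: it finds the read-only mounts and any still-writable tmpfs from /proc/mounts, then copies the MySQL data directory over SSH to another host. The /proc/mounts sample is constructed and the destination host is an assumption.

```sh
#!/bin/sh
# Added example: get MySQL data off a VPS whose root filesystem has gone read-only.

# Constructed /proc/mounts sample (not the poster's): root remounted ro, tmpfs still writable
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/xvda1 / ext4 ro,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101584k,mode=755 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0'

# ro_mounts  (stdin: /proc/mounts)  -> "DEVICE MOUNTPOINT" for each mount whose first option is ro
ro_mounts() {
    awk '{ split($4, o, ","); if (o[1] == "ro") print $1, $2 }'
}

# writable_tmpfs  (stdin: /proc/mounts)  -> mount points of rw tmpfs filesystems
# A dump can land there if it fits in RAM; it is gone after a reboot, so copy it off first.
writable_tmpfs() {
    awk '$3 == "tmpfs" { split($4, o, ","); if (o[1] == "rw") print $2 }'
}

# copy_datadir_offsite USER@HOST [DATADIR]
# mysqld is not running (it cannot write), so mysqldump is not an option; the data
# directory is. tar reads it and ssh carries the stream, so nothing touches local disk.
# The files come from a filesystem the kernel found corrupt: check the copy (fsck on the
# volume after reboot, mysqlcheck on the restored tables) before trusting it.
copy_datadir_offsite() {
    datadir=${2:-/var/lib/mysql}
    tar -C "$(dirname "$datadir")" -cf - "$(basename "$datadir")" \
        | ssh "$1" "cat > mysql-datadir-$(date +%Y%m%d).tar"
}

# dump_offsite USER@HOST  -- the mysqldump variant, for when mysqld can be brought up
# (for instance with --innodb-force-recovery on the command line, since my.cnf cannot
# be edited); the output goes through ssh instead of into a local file.
dump_offsite() {
    mysqldump --all-databases | ssh "$1" "cat > mysql-dump-$(date +%Y%m%d).sql"
}

# Typical use on the broken host:
#   ro_mounts < /proc/mounts           # confirm which filesystem went read-only
#   writable_tmpfs < /proc/mounts      # scratch space, if a local file is unavoidable
#   copy_datadir_offsite backup@rescue.example.net
```

Once the copy is safe, the VPS can be rebooted so the init scripts run fsck on xvda1; ext4 was mounted with errors=remount-ro, which is why a single corrupt block bitmap took the whole system read-only instead of continuing on damaged metadata.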

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...