Sunday, March 31, 2019

python - Cron job fails silently



I've got a python script that I want to run via crontab. My crontab looks like this:



5,20,35,50 * * * * /var/www/django-apps/callreport/util.py


That script is set up to parse a bunch of flat files and stick the info into a MySQL db, then delete the files. It runs fine from the command line, data is copied to the db, and the flat files are removed. But nothing happens when set to run as a cron job.



In the past, I'd get a mail message when a cron job failed, but I'm not getting any feedback with this one, and I'm still feeling my way through being a sysadmin on this box. What am I doing wrong?



Answer



The usual problem with 'cron' jobs is that they have zero environment - unlike 'at' jobs which do copy your environment. When something works from the command line and not from 'cron', my experience is that 'environment' is one of the most common problems. Occasionally you run into another problem - 'cron' jobs are not run with a terminal, and occasionally programs get stroppy about this. However, this is in the 1% range compared with 99% for environment issues.



The other key technique I use is to always run a shell script from 'cron'; the shell script ensures that the environment is set correctly and then runs the real program. If a 'cron' job is giving me problems, I can then tweak the script to do useful things like this:



{
date
env | sort
set -x
...what was there before adding the debug...
} >/tmp/cron.jobname.$$ 2>&1


This redirects all the output - standard output and standard error - to a file name. You can build timestamps into the filename if you prefer that to the process ID. Analyzing the log files often reveals the problems swiftly.
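A wrapper in the spirit of the answer above, as an added example that is not part of the original post: it gives the job an explicit PATH (cron supplies almost no environment), logs the date, the environment the job actually sees, a trace of the command, and its exit status to a per-run file, and returns that exit status. The log directory, the job name and the `LAST_CRON_LOG` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wrap a cron job so that environment and exit status are logged.
# Usage from a crontab line (assumed paths):
#   5,20,35,50 * * * * /usr/local/bin/cronwrap.sh /var/log/cronjobs callreport /var/www/django-apps/callreport/util.py

# Explicit, minimal PATH: cron does not pass the interactive shell's environment.
CRON_PATH=/usr/local/bin:/usr/bin:/bin

# run_cron_job LOGDIR NAME CMD [ARGS...]
# Writes LOGDIR/cron.NAME.<timestamp>.<pid> and returns the command's exit code.
# The log path is left in LAST_CRON_LOG for the caller.
run_cron_job() {
    logdir=$1
    name=$2
    shift 2
    mkdir -p "$logdir" || return 2
    log="$logdir/cron.$name.$(date +%Y%m%d-%H%M%S).$$"
    {
        echo "=== start: $(date)"
        echo "=== environment as seen by the job:"
        env | sort
        echo "=== running: $*"
        set -x
        PATH=$CRON_PATH "$@"
        rc=$?
        set +x
        echo "=== exit status: $rc"
    } >"$log" 2>&1
    LAST_CRON_LOG=$log
    return "$rc"
}
```

With the log in place, a job that "does nothing" under cron usually shows a PATH or HOME difference, or a non-zero exit status, in the first few lines.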


database administration - Linux knowledge a Junior cannot miss











I am soon going to be graduating from college, and am looking for job offers right now. There is one that I have a lot of interest in, involving Linux system administration (PHP, MySQL, Apache Webserver, BIND, bash, postfix, and of course general system maintenance and security).



However, during my internship most of my assignments involved Hyper-V virtualization and Windows in general, and I didn't get much Linux-time. In my spare time, I'm usually a windows user as well with only very basic Linux knowledge.




What knowledge and skills would you say a new Junior job applicant needs to possess before he is really ready for the job (and the interview)? Any sources, going from books to e-books, tutorials, general skill descriptions, commands, websites, blogs, ... will help me a bunch.



Help me become a better Linux administrator and get ready for this interview!
Thanks a lot :-)



EDIT: As some people suggested, I'll update the original question: I stated that I am a Junior in the question title, and that refers to the title of the job I am applying for (without experience, there's almost no chance you'll get a job as a Senior, obviously). My Linux knowledge might be a bit better than I let you guys understand; I am way past the "how do I set up a dns server?" stage, dns, dhcp, webserver etc, I've set those up before several times.



I am looking for more advanced knowledge, stuff I'll need in my daytime job, or questions I may be asked in a job interview. I want to be as prepared for it as I can be.




Thanks for the input so far!


Answer



There's already plenty of information (Questions/Posts) in ServerFault for a beginner Linux administrator:





In addition, I will suggest you find an old computer and install Linux on it. Play with it, set up a firewall, DNS, DHCP on it to start and test things. You could even set it up in a VM and do stuff in it. Nothing is going to help you better than getting yourself in there for the real experience. Decide on a good use for it and try to use it as much as you can. Ask questions when you get stuck (research it first, though), that's what we're here for.


apache 2.2 - how can I create name-server

I want to run multiple sites on my Ubuntu machine. I know that I can achieve this by using the virtual host configuration of Apache, where servername = 'siteabc.com' in the configuration of siteabc and servername = 'sitexyz.com' in the configuration of sitexyz, and siteabc.com and sitexyz.com both point to the same IP address.
My question is, how can I create these siteabc.com and sitexyz.com name-servers on Ubuntu so that both of them are ping-able from outside my network?



Thanks,

Daulat

Saturday, March 30, 2019

linux - Server monitoring for medium scale UNIX network





I'm looking for suggestions for a good monitoring tool, or tools, to handle a mixed Linux (RedHat 4-5) and HPUX environment.



Currently we are using Hobbit which is working reasonably well but it is becoming harder to keep track of what alerts are sent out for what servers.



Features I'd like to see:





  1. Easy configuration of servers.

  2. The ability to monitor CPU, network, memory, and specific processes



I've looked into Nagios, but from what I have seen it won't be easy to set up the configuration for all of our servers (~200), and without installing a plugin into each agent I won't be able to monitor processes.


Answer



Set up SNMP on your servers, preferably via some configuration management tool like Puppet.



Then, use a monitoring tool like Zenoss Core to monitor them. Zenoss can scan a subnet for hosts, which makes it easy to add 200 servers, and you can group/organize the servers in various ways, to determine what exactly is monitored.




We're only monitoring a dozen devices so far, but Zenoss is very powerful yet user friendly. It has a friendly GUI, history graphs, alerts, etc.


backup - How to get cheap disaster recovery for a 124 TB Isilon filesystem?

On our Isilon cluster, we have a 124 TB file system. It is currently 38 percent full, with 31 million files. About half the data are image files, and the mean file size is 1.5 MB. We use snapshots to protect against accidental deletion, but we need something different to protect against total failure (e.g., sysadmin error, software error, or water, heat, or fire damage). And because we're a poor research lab, it shouldn't be too expensive.



We currently try to back up to tape, but that has two problems. First, just traversing the directory tree and stating each file takes more than five days, so even an incremental backup takes over a week. Second, and most important, a restore would take many weeks, even months.



Ideally, we'd like to have access to much of the data again within a week of disaster. (It's fine to get the data back gradually over the course of several weeks if we can choose which directories to restore first, but sourcing new storage equipment and restoring would likely take much longer than that.) The only way I can think of recovering in a week is to maintain a replicate on disk at a separate location. It's OK to lose at least a few days of work, so the replication can lag a little or cover the file system over the course of several days. It's also OK for the replicate to have much poorer performance than the original.




The Isilon solution would be to use SyncIQ to replicate the file system to another cluster. Because this operates at the block level, it avoids the problem of traversing the file system and stat-ing each file. As can be expected, the cost is a little steep: the license for the SyncIQ software is $55k, and then there is the cost of the expensive Isilon storage to synchronize to (although using their cheaper NL storage helps a bit). I expect that the Isilon solution will come to somewhere between $500 and $1000 per TB, which is far better than the $1300–1900/TB we paid for the primary storage, but still a lot of money for us.



Given that raw hard drives can be had for $60/TB these days, I would hope that 124 TB of slow storage can be cobbled together for far below Isilon prices, and that there is a way to replicate changes in less than a week. Can you think of a way?

Thursday, March 28, 2019

linux - Ubuntu file permissions



I'm having some trouble with file permissions on an Ubuntu server. I'm using WinSCP to move files to the server. The server will work fine, and then after a while it appears that I no longer have permission to delete a file.




I'm connecting to the server using an account called svadmin, and the root directory of the Apache server is /var/www. Each website has its own directory under this - i.e.



/var/www/site1
/var/www/site2


This is the output from the ls command...



cd /var/www
ls -al

drwxr-sr-x 4 svadmin svadmin 4096 2009-06-12 14:45 .
drwxr-xr-x 15 root root 4096 2009-05-05 15:47 ..
drwxr-sr-x 4 svadmin svadmin 4096 2009-06-12 15:15 site1
drwxr-sr-x 4 svadmin svadmin 4096 2009-06-12 15:15 site2


My understanding is that this means the directory owner has read/write/execute? When I connect to the server using the svadmin account, shouldn't I be able to overwrite or delete files in /var/www/site1 or /var/www/site2?



I'm not very familiar with linux file/directory permissions, so have been struggling to work out what I should be doing. Any help would be greatly appreciated!




More info: (thanks for the quick replies!)



Output of ls -al for /var/www/site1



drwxr-sr-x 4 svadmin svadmin 4096 2009-06-12 15:15 .
drwxr-sr-x 4 svadmin svadmin 4096 2009-06-12 14:45 ..
-rw-r--r-- 1 svadmin svadmin 157 2009-05-12 13:23 error.php
-rw-r--r-- 1 svadmin svadmin 158 2009-05-12 13:23 .htaccess
-rw-r--r-- 1 svadmin svadmin 142 2009-05-12 13:23 index.php
drwxr-sr-x 2 svadmin svadmin 4096 2009-05-12 18:40 libraries



Error message when I try to delete the file:



rm admin.php
rm: cannot remove 'admin.php' : Read-only file system


Even more info
Just to add some possibly relevant information... everything was working until yesterday afternoon. At that point a coworker took out the SAN that the virtual machine file was on, and the web server had a less than graceful shutdown.



Answer



This isn't a permissions problem. The two clues are:




  • rm: cannot remove 'admin.php' : Read-only file system

  • everything was working until yesterday afternoon. At that point a coworker took out the SAN that the virtual machine file was on, and the web server had a less than graceful shutdown.



Somehow the filesystem containing /var/www dropped to "read only", probably when the SAN went away. The output of the mount command should identify this filesystem with a (ro) flag at the end.




The fix is to figure out why it happened, make sure it's corrected, and remount the filesystem rw with this command:



mount -oremount,rw $filesystem
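An offline way to perform the check the answer describes, as an added example that is not part of the original post: the functions below read a /proc/mounts-format table, find the mount point that holds a given path, and report whether that filesystem carries the ro option. The mounts table is constructed for this example; the real check reads /proc/mounts (the default when no file is given).

```shell
#!/bin/sh
# Added example: detect a read-only filesystem from /proc/mounts-format data.

# Constructed sample in /proc/mounts format (device, mountpoint, type, options, dump, pass).
# Note "errors=remount-ro" on / : that is a mount option, not the ro flag.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sdb1 /var/www ext3 ro,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev 0 0'

# ro_mounts [MOUNTS_FILE]: print the mount point of every filesystem whose
# option list contains exactly "ro" (so "errors=remount-ro" does not match).
ro_mounts() {
    awk '{
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") { print $2; break }
    }' "${1:-/proc/mounts}"
}

# mount_point_of PATH [MOUNTS_FILE]: the longest mount point that is a prefix
# of PATH on a directory boundary ("/var" must not claim "/var2/x").
mount_point_of() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }' "${2:-/proc/mounts}"
}

# fs_is_ro PATH [MOUNTS_FILE]: exit 0 when the filesystem holding PATH is read-only.
fs_is_ro() {
    mp=$(mount_point_of "$1" "$2")
    ro_mounts "$2" | grep -qxF -- "$mp"
}
```

A "cannot remove ...: Read-only file system" error from rm with correct-looking permissions is exactly the case where fs_is_ro /var/www returns 0; the fix is then the remount shown above, after the underlying cause is understood.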


domain name system - Besides files, what information about a website is also being cached in a browser?

My website was pointing to a shared hosting server in Godaddy, it is managed by cPanel. Recently I bought a Godaddy managed VPS. After I had WHM/cPanel installed on it I moved my website to this VPS. What I did was:
1) Create a new cPanel account associated with a temporary subdomain (temp.mysite.com) in the new VPS.
2) After I transferred files and databases over from the old hosting, I tested it and made sure temp.mysite.com was good to visit.
3) I then changed the A record of mysite.com to the IP of the new VPS.
4) Then I added mysite.com as an alias of temp.mysite.com in the new cPanel (yes, I am lazy).
5) Then I went to the old cPanel and removed mysite.com from it (it was listed as an addon domain).



Now, after all this, some of my clients complain that when they try to open the site, they get an error saying the IP of mysite.com can't be found, while I myself have no problem opening up the website. I believe if they open it in incognito mode there should be no problem. Please note this happened 24 hours after I changed the DNS, and I can't tell all of my clients to use incognito mode.



So I'm wondering if I can do anything to prevent this from happening, and I need to learn more about this cache thing. Apparently not only files like .js, .css and .jpg are cached, but also some other information is being cached, like DNS information and, seemingly to me in other cases, PHP execution mode. So what kinds of information are being cached exactly? And on my end, can I do anything to prevent my clients from getting an error when they try to open my website as usual after I recently made some major change to my website?

Sunday, March 24, 2019

Increasing the number of MySQL connections



What is the best way to increase the max connections?




I plan on hitting my DB with a lot of connections (hundreds/thousands per second, they will open and close pretty quick from a multi threaded app). I am running MySQL on Ubuntu.


Answer



First answer is DON'T. In almost all scenarios a high amount of max connections is bad, as you will be wasting a large amount of resources for very little gain. Instead what you should be doing is to create a connection pool and reuse your connections. It will give you way better performance (both in ram and latency), especially if you are doing thousands of transactions per second.



To change the max connections value you use max_connections:
http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_max_connections



Your OS and RAM are likely the limiting factor. Unless you have a huge amount of RAM you are unlikely to be able to serve more than a few thousand connections at the same time.



Also, have a look at http://dev.mysql.com/doc/refman/5.5/en/too-many-connections.html



hp proliant - HP P410 RAID + Samsung 830 SSDs + Debian 6.0 - What performance to expect?



I'm renting two dedicated servers from a hosting company. Here are the specs:



server1:

HP ProLiant DL165 G7
2x AMD Opteron 6164 HE 12-Core
40 GB RAM
HP Smart Array P410 RAID controller
2x Samsung 830 256 GB SSD

server2:
HP ProLiant DL120 G7
Intel Xeon E3-1270
16 GB RAM

HP Smart Array P410 RAID controller
2x Samsung 830 128 GB SSD


Setup is the same on both servers:




  • Debian 6.0.

  • No swap.

  • File systems use ext3 with no special mount options (only rw) and I'm quite certain the partitions are properly aligned.


  • Using noop scheduler.

  • RAID 1.

  • RAID controller has BBU.

  • Drive Write Cache has been enabled in the RAID controllers.

  • Read / Write cache ratio is 25% / 75% on both RAID controllers.



I'm currently trying to figure out how to get the most out of the disks in these servers starting with sequential reads/writes. Here are the speeds I'm seeing at the moment:



Writes:

server1:~# dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 5.05089 s, 213 MB/s

server2:~# dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 4.09768 s, 262 MB/s


Reads:
server1:~# echo 3 > /proc/sys/vm/drop_caches
server1:~# dd if=tempfile of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 4.14051 s, 259 MB/s

server2:~# echo 3 > /proc/sys/vm/drop_caches
server2:~# dd if=tempfile of=/dev/null bs=1M count=1024
1024+0 records in

1024+0 records out
1073741824 bytes (1.1 GB) copied, 3.33901 s, 322 MB/s


First of all, can anyone explain the big difference between these servers?



Second, should I expect more than this? When I've read about the Samsung 830 SSD I've seen write speeds of over 300 MB/s and read speeds of over 500 MB/s using the same benchmarking method (dd). But then there's no RAID controller involved. Is the penalty of RAID this high or is it a config issue?



UPDATE:




I've done some tests using iozone instead of dd and the results I'm getting make a lot more sense. No big difference between the two servers (server1 is slightly faster now) and I'm getting quite close to the speeds rated on these drives. So I guess I shouldn't have used dd. Lesson learned!



I'll be using noop with nr_requests and read_ahead_kb set at the defaults (128 and 128) to start with. Setting read_ahead_kb higher seems to hurt the random read performance too much on server2. Hopefully I'll get time to revisit this once I've used the servers in production for a while when I have a clearer picture of the usage patterns.


Answer



There's a lot to cover here.



If you want more performance (in order from greatest to least impact):





  • Add another pair of disks and expand to RAID 1+0. This will provide the greatest benefit.

  • Tune your filesystem (noatime, journaling mode, remove write barriers, etc.) and/or move to a higher-performance filesystem like XFS or even ext4.

  • Go back to a deadline elevator. It will perform better under realistic workloads than your noop scheduler.

  • Upgrade the firmware of your HP Smart Array P410 controllers (and the server, as well)

  • Consider some more advanced tuning techniques.

  • Improve your benchmarking technique. dd is not an appropriate way to measure I/O performance. Try purpose-built applications like iozone, bonnie++, etc. and tweak them to your desired read/write patterns.

  • For purely sequential reads/writes, regular SAS drives aren't too bad a choice either...



As far as compatibility, I use non-HP disks with HP RAID controllers and servers often. Sometimes, things don't work, but if your SSD is connected, reports proper temperature and doesn't display any errors in the HP Array Configuration Utility, you're fine.




You are using HP Management Agents on the server, aren't you?



Edit:



I ran the same on one of my systems, featuring the same controller with four SATA SSDs, tuned XFS, deadline elevator, etc.



[root@Kitteh /data/tmp]# dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out

1073741824 bytes (1.1 GB) copied, 3.1985 s, 336 MB/s

[root@Kitteh /data/tmp]# echo 3 > /proc/sys/vm/drop_caches
[root@Kitteh /data/tmp]# ll
total 1048576
-rw-r--r-- 1 root root 1073741824 Sep 24 14:01 tempfile

[root@Kitteh /data/tmp]# dd if=tempfile of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out

1073741824 bytes (1.1 GB) copied, 1.60432 s, 669 MB/s

Saturday, March 23, 2019

Windows/Samba connection error

I have a Linux fileserver serving up /home for linux and windows users.
I was able to connect from my windows client, but not from a DC. Then suddenly I could connect from the DC too.




The linux servers run Centrify clients, and as such are part of the domain. All on same subnet.



This is what the log.smbd says, repeatedly:




[2010/02/11 11:25:57, 0] lib/util_sock.c:read_data(534)
read_data: read failure for 4 bytes to client 192.168.200.3. Error = Connection reset by peer




On Windows it appeared as an "unknown error". EDIT: the error code is "0x80004005".




We are developing a system dependent on the samba share, and are worried this will appear again. It would be nice to pinpoint the root of this.



Any ideas what this might be? Places to look?

Thursday, March 21, 2019

Permissions with NFS and native windows file sharing of same folder

I have a folder shared via NFS, and also via native windows file sharing. I'm using username/uid mapped via AD and I thought it was working all OK.



I've now found that all files created via a windows share end up being owned by the creating windows user and domain users AD group, with unix style mod bits of 700. I'd like the mod bits to be 777, or at least 755. The containing folder is set to 777 - why aren't new files/folders inheriting this?




Basically I want all files to be available to all users via SMB and NFS. I will be enforcing some security via permissions on the share.

Tuesday, March 19, 2019

windows server 2008 r2 - DNS resolve .com domain on local domain



I'm building a local 2008 R2 domain as a test case to be able to write a roadmap for the real new domain that needs to be created soon.



What I would like to know is if I'm able to make a record in DNS that will point the domain names www.example.com and example.com to one of the servers in my network.




I tried creating an A record for it, but that doesn't work. To be honest, I'm not even sure if this is possible?



So can I do this? That way I would be able to fully test all our services (and web app) offline before I build the real domain and switch the DNS records at the provider.



Some advice if possible and where to start is appreciated.



The solution (Thanks Brent):




  • Create new Forward lookup zone pointing to example.com


  • Create empty A record pointing to IP of the webserver you are targeting

  • If www is needed create A record with Name: www and IP of your webserver

  • For sub domains, repeat the process, but then with names such as sub or www.sub (and the IP of your webserver)

  • Be aware of the DNS cache while you are in this process. Things can take time, or do the following:


    • Right click the server and choose clear cache

    • in CMD: ipconfig /flushdns (to flush the client cache)




Answer



Just create a new forward lookup zone in your DNS box that matches the domain name you are trying to redirect.



We did this for ADFS to resolve fs.mydomain.com to a local IP.



So create a new forward lookup zone and then setup whatever A records you want it to resolve.


Sunday, March 17, 2019

hosting - Is Sql Azure useful without windows azure?



I am currently doing some research to get some preliminary IT cost projections for a project, and I was looking at Azure. Since this is a startup, I do not want to deal with the IT operations myself and instead am looking at having it all professionally hosted. I am looking at azure due to the SLA assurances, already in place disaster recovery operations, and the reliability.



I'm playing with some numbers, and I am wondering if hosting my database on Sql Azure is an option, while hosting the actual webpage on another host until I need the frontend scalability of Azure. Is this actually feasible or will the latency in requests between the web host and azure be too much and I would be better off hosting both on the same service?


Answer



Is the 5 cent hosting option out of the question for the hosting? Just curious as it may provide some context for your situation.




As for latency + bandwidth between SQL Azure and another host, that is unknown without identifying who the host is and doing a literal comparison of bandwidth + latency.



I would imagine, just from experience (I've done several deployments with SQL Azure + on-premises), that if you have a lot of queries (which is likely) for standard read/write operation of the database then you'll run into problems. Another option, if you're worried about cost, is to use SQLite or SQL Compact Edition/Express and deploy the database with the site. This is a great way to have the simplicity of a SQL relational solution without the headache of needing an entire database server.



If you want the horsepower and redundancy of SQL Azure though, you might as well just go ahead and pop a few 5 cent per hour small web roles for hosting in there, then you'll have a better latency + bandwidth guarantee.



Provide some more information and I'd be happy to provide additional information.


fedora - Mounting Linux volume on second disk

The disk on my Fedora 12 box was starting to fail, so I bought a new disk and installed Fedora 15. I kept the old disk connected, which still sort of works, hoping to copy over some important files.



In Fedora 15, the "Disk Utility" application lets me mount the /boot partition, but not the other volume on the old disk. "Disk Utility" shows the existence of that volume, but doesn't offer a way to mount it.



Here's what it says in the old /etc/fstab for the old root and /boot:



/dev/mapper/vg_flotsam-lv_root / ext4 defaults 1 1
UUID=f88eefec-a42f-4797-b704-bb1a426b8874 /boot ext4 defaults 1 2




How can I mount the old volume?

Saturday, March 16, 2019

java - Tomcat6 on RHEL 5.5



Based on the answer to a similar question (CentOS) I have installed the jPackage .repo file and attempted sudo yum install tomcat6. I am met with the following error messages:



--> Finished Dependency Resolution
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 from rhel-x86_64-server-5 has depsolving problems
--> Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (rhel-x86_64-server-5)
java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 from rhel-x86_64-server-5 has depsolving problems
--> Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (rhel-x86_64-server-5)

java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 from rhel-x86_64-server-5 has depsolving problems
--> Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (rhel-x86_64-server-5)
Error: Missing Dependency: /usr/bin/rebuild-security-providers is needed by package java-1.4.2-gcj-compat-1.4.2.0-40jpp.115.x86_64 (rhel-x86_64-server-5)
You could try using --skip-broken to work around the problem
You could try running: package-cleanup --problems
package-cleanup --dupes
rpm -Va --nofiles --nodigest


I found a site stating that perhaps installing rpm-build was the solution to all my problems, but that was not the case – it's already installed.




I'd prefer to keep the package managed by a package manager (yum). Any experience with getting this to work?



The RHN packages only include Tomcat5. For reference this is RHEL 5.5 on Rackspace servers, to be used with Django/Solr/Haystack for site search. Moving from previous hosting on Ubuntu 10.04 LTS where the site was hosting/built with Tomcat6.


Answer



I've had the same problem today. My solution was to just install the missing RPM by hand:



rpm -Uvh https://github.com/downloads/pallet/pallet/jpackage-utils-compat-el5-0.0.1-1.noarch.rpm



No more problems after that.


Friday, March 15, 2019

ssl certificate - SBS 2008 CSR remove .local

SBS 2008 server: the third party SSL certificate has just expired!!



Trying to renew with a two-year SAN/Multi-Domain SSL certificate.



Going through the SBS Console, adding a new cert and getting the CSR to copy/paste into the website to generate the cert, it shows me my external domains AND my .local domain...




  • ~ExtDomain~.co.uk


  • remote.~ExtDomain~.co.uk

  • SBS-SRV.~IntDomain~.local



We need to remove 'SBS-SRV.~IntDomain~.local' from the CSR, as only external FQDNs are allowed in the new SHA-2 certificates.



Exchange 2007 Shell



Get-ClientAccessServer | select name,*internal* | fl
Get-OABVirtualDirectory | select server,name,*url* | fl
Get-WebServicesVirtualDirectory | select name,*url* | fl
Get-UMVirtualDirectory | select name,*url* | fl
Get-ActivesyncVirtualDirectory | select name,*url* | fl
Get-OwaVirtualDirectory | select name,*url* | fl
Get-OutlookAnywhere | fl


All the above (and variants without filters) are showing InternalURL and ExternalURL as the correct ExtDomain names.



i.e.




[PS] C:\>Get-ClientAccessServer | Select Name, *Internal* | fl
Name : xxxxxx-srv
AutoDiscoverServiceInternalUri : https://remote.xxxxxx.co.uk/Autodiscover/Autodiscover.xml

[PS] C:\>Get-OABVirtualDirectory | select server,name,*url* | fl
Server : xxxxxx-srv
Name : OAB (SBS Web Applications)
InternalUrl : https://remote.xxxxxx.co.uk/OAB
ExternalUrl : https://remote.xxxxxx.co.uk/OAB


[PS] C:\>Get-WebServicesVirtualDirectory | Select name, *url* | fl
Name : EWS (SBS Web Applications)
InternalNLBBypassUrl : https://xxxxxx-srv.xxxxxx.local/EWS/Exchange.asmx
InternalUrl : https://remote.xxxxxx.co.uk/EWS/Exchange.asmx
ExternalUrl : https://remote.xxxxxx.co.uk/EWS/Exchange.asmx


I have read lots of posts, but all was OK and I haven't needed to change anything.




ref - http://support.microsoft.com/en-us/kb/940726



Any ideas?



Many Thanks.

linux - SSH client name resolution fails for names that are resolvable



We have a linux box (called jumper) that is used to access servers in a few separate DMZs. Each DMZ has its own subdomain name (e.g. idmz.example.org, jdmz.example.org), and each subdomain has its own authoritative name server.



We're in the process of replacing the old Solaris jumper with a new Linux box. Most things have worked well, but we have a problem with connecting to servers in the subdomain idmz.example.com using SSH. Ping works fine; we can resolve the name using dig, but SSH says "Could not resolve".




Name resolution works well on the server side, and when we connect using the IP address there is no delay or timeout. But SSH on the client side claims to not be able to resolve the server.



Ping and failed SSH connection:



jenny@jumper$  ping server.idmz.example.com
PING server.idmz.example.com (192.168.1.3) 56(84) bytes of data.

jenny@jumper$ ssh -v server.idmz.example.com
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
ssh: Could not resolve hostname server.idmz.example.com: Name or service not known


Successful SSH connection using IP instead of host name:



jenny@jumper$  ssh 192.168.1.3
jenny@192.168.1.3's password:



The one difference I can see from the client side is that I can't get an authoritative answer from the name servers for idmz, but I do get it from all the other DMZ domains.


Answer



We contacted the sysadmins for the DNS servers and asked them to verify the setup for idmz. It turned out that their name server claimed to handle IPV6, but it didn't give a correct answer for IPV6 queries.



On the Solaris server, IPV4 was used by default. On the new Linux server, SSH tried IPV6 first. In this case, it meant that since it couldn't resolve the servername using IPV6 it considered it unresolvable. For the other dmz domains, the nameserver gave correct responses even when using IPV6.



We changed the config for SSH to include



AddressFamily inet



and the problem went away.


hMailServer Email + MX Records Configuration

I'm trying to make DNS changes to enable email to be sent using hMailServer.



My mail server is on a separate machine with a separate IP Address.



I have already added MyDomain.com and an email account



I have created an MX record with the mail server being mail.domain.com and a priority of 20.



1) But the question is how do I now link this MX record for the domain to my mail server/ mail server IP Address?




2) What changes are needed in hMailServer to complete the process and be able to send emails for the domain?



3) In Settings > SMTP > Delivery of email: What should my configuration here look like?

Centos Xen resizing DomU partition and volume group

I have a setup like so:



         Dom0 LV
            |
     DomU Physical Disk
       |           |
    XVDA1        XVDA2
   (/boot)     (DomU PV)
                   |
               VolGroup00
               (DomU VG)
               |        |
          LogVol00   LogVol01
           (swap)      (/)



I am trying to resize the DomU root filesystem (VolGroup00-LogVol01). I realize that I now need to resize the partition XVDA2, however when I try doing this with parted on Dom0 it just tells me "Error: Could not detect file system."



So, to resize the root part VolGroup-LogVol00, shouldn't the process be:



# Shut down DomU
xm shutdown domU

#Resize Dom0 Logical volume
lvextend -L+2G /dev/volumes/domU-vol


# Parted
parted /dev/volumes/domU-vol

# Resize root partition
resize 2 START END

(This is where I get an error) "Error: Could not detect file system."


# add the VM volume group to Dom0 LVM
kpartx -a /dev/volumes/domU-vol

# resize the DomU PV (device name as listed in pvdisplay)
pvresize /dev/mapper/domU-pl

# The domU volume group should automatically adjust
# resize the DomU lv
lvextend -L+2G /dev/VolGroup/LogVol00



And then obviously increase the fs, remove the device from kpartx etc



The problem is I don't know how to resize the partition. How do I resize this partition so I can run pvresize on the DomU?



Thanks

Thursday, March 14, 2019

linux - Cron job once in three days

On my Linux EC2 instance I want to run a cron job once every three days, to automate a process as a sudo user.



Can anyone help me out with the cron.

domain name system - Best practices for IPv4/IPv6 hosts in DNS zones?




I've got a VPS with IPv4 and IPv6 addresses, and I'd like to use them both for my website and other services I might use. I've added a "www" register both with "A" and "AAAA", and I've done the same for the "ns" register. Is this "the Right Way", or should I use different names for the IPv6 part? (i.e., "www6", "ns6", etc.)



Thanks in advance.


Answer



IMHO, it depends on what you want.



If you're using both protocols (v4 and v6) to offer the same service (eg IMAP/S, or HTTP, or whatever), and you want clients to be protocol-transparent - that is to say, if you want v6-enabled clients to use v6, and others to use v4, and no-one to care about which they're using - then use the same hostname in each record.



If you want people to be able to select protocol by hostname, use different hostnames for A and AAAA records.




So, for my webserver, where I want clients to be protocol-agnostic, I use the same hostname:



www.teaparty.net.   3600    IN  A      178.18.123.145
www.teaparty.net.   3600    IN  AAAA   2a01:8000:0:4::1:1


For my ntp pool server, where I decided I'd like people to be able to select the protocol, I used different ones:



ntp.teaparty.net.   3600    IN  A      178.18.123.148
ntp6.teaparty.net.  3600    IN  AAAA   2a01:8000:0:4::123:123


Work out what client behaviour you wish to encourage, and make policy accordingly.


domain name system - Why is RFC 7505 (Null MX) necessary?



IETF RFC 7505 describes MX records for a domain/host that explicitly should not receive email. This is accomplished by pointing the MX at the Domain Name System root. For example,



nomail.example.com. 86400 IN MX 0 "."


Why is this needed? In my understanding, explicit refutation is available by using domains under the TLD invalid. For example,



nomail.example.com. 86400 IN MX 0 "spam.invalid."

nomail.example.com. 86400 IN MX 10 "null.invalid."


I see that RFC 2782, DNS SRV, likewise specifies that "A Target of '.' means that the service is decidedly not available at this domain." So I suppose my question is:



Why should we use the DNS root to mean "not available" when invalid already serves this function?


Answer



Because that is not what you are supposed to be using .invalid for. Like .example it is meant for local testing and documentation.



Additionally, using .invalid still causes additional things to happen - additional DNS look ups and queuing on the mail server for retries for one off the top of my head.




Using the "." format is supposed to cause an immediate hard fail, causing the MTA to immediately stop attempting delivery. At least that's the way the intro to the RFC reads.
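The difference the answer describes, as an added example that is not part of the original question or answer: a sending MTA's decision on the two RRsets quoted in the question, with a Null MX recognised per RFC 7505 (single record, preference 0, exchange ".") and everything else, including the .invalid exchanges, sent down the normal lookup-and-retry path. The parser and decision logic are this example's own.

```python
"""Added example (not from the original post): how a sending MTA is expected
to act on an MX RRset under RFC 7505, contrasted with MX records that point
under .invalid. The records below are the ones quoted in the question."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str  # FQDN with trailing dot, as written in a zone file


def parse_mx(line: str) -> MX:
    """Parse one 'owner ttl IN MX pref exchange' zone line.

    The question writes the exchange in quotes; that is not zone-file
    syntax, so the quotes are stripped rather than kept as part of the name.
    """
    fields = line.split()
    if len(fields) != 6 or fields[2:4] != ["IN", "MX"]:
        raise ValueError(f"not an MX record: {line!r}")
    return MX(preference=int(fields[4]), exchange=fields[5].strip('"'))


def is_null_mx(rrset: List[MX]) -> bool:
    """RFC 7505 section 3: a Null MX is a *single* MX record with preference 0
    whose exchange is the root ('.'). A '.' record mixed with other MX
    records does not qualify and is handled like any other RRset."""
    return (
        len(rrset) == 1
        and rrset[0].preference == 0
        and rrset[0].exchange == "."
    )


def plan_delivery(rrset: List[MX]) -> Dict[str, object]:
    """Decide what the sender does next with the RRset for the recipient domain.

    Null MX: permanent failure right away (RFC 7505 registers the enhanced
    status code 5.1.10 for it), no further queries, nothing queued.
    Anything else: try the exchanges in preference order, which costs an
    A/AAAA lookup per exchange; names under .invalid come back NXDOMAIN, so
    the message stays in the queue for retries, as the answer describes.
    """
    if is_null_mx(rrset):
        return {"action": "reject", "enhanced_status": "5.1.10", "lookups": []}
    ordered = sorted(rrset, key=lambda r: r.preference)
    return {
        "action": "attempt",
        "enhanced_status": None,
        "lookups": [r.exchange for r in ordered],
    }


# The two RRsets from the question.
NULL_MX_RRSET = [parse_mx('nomail.example.com. 86400 IN MX 0 "."')]
INVALID_RRSET = [
    parse_mx('nomail.example.com. 86400 IN MX 0 "spam.invalid."'),
    parse_mx('nomail.example.com. 86400 IN MX 10 "null.invalid."'),
]

if __name__ == "__main__":
    for label, rrset in (("null MX", NULL_MX_RRSET), (".invalid", INVALID_RRSET)):
        print(f"{label}: {plan_delivery(rrset)}")
```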


Which Java binary should I install on my Linux server?



How can I find out which Java binary I should install on my Linux server?

In Java download page I see: Linux x64 - Self Extracting Installer and Linux x86 - Self Extracting Installer.



Running uname -a I get: Linux 2.6.26-2-amd64 #1 SMP Wed Aug 19 22:33:18 UTC 2009 x86_64 GNU/Linux



But the result confuses me; it has both numbers 64 and 86 in it, so I still don't know which binary I should take. Could you help me out?


Answer



The x86 installer is for 32-bit operating systems, the x64 installer is for 64-bit operating systems. You are running a 64-bit operating system as evidenced by the uname string you provide, therefore you should use the Linux x64 installer.



The kernel architecture is called x86_64 because x86 is 32-bit, and 64-bit functionality was added (by AMD originally), as an extension to the instruction set. Hence why you might sometimes see x86-64 referred to as AMD64.


Wednesday, March 13, 2019

Email dkim=temperror (no key for signature)



I have a custom built web application that sends emails. This application is hosted by a third party. This application sends emails through their servers. I have correctly set my spf record. However, when my application sends emails the emails are getting a dkim error. I have no idea why I am getting this error. Below you will find some of the meta data from an email sent from the web application.



Delivered-To: test@holyfirepublishing.com
Received: by 10.12.180.68 with SMTP id e4csp2649123qvf;
Sun, 29 Apr 2018 07:12:41 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqDmZKGZ3MCbLlo7r0rfpdjBif9w8/vsXHKXx/+L+F5udEeQiZt97ERlXIYvazAodyXmjLk
X-Received: by 2002:a6b:98b:: with SMTP id 11-v6mr9699820ioj.90.1525011161636;
Sun, 29 Apr 2018 07:12:41 -0700 (PDT)

ARC-Seal: i=1; a=rsa-sha256; t=1525011161; cv=none;
d=google.com; s=arc-20160816;
b=K8ytU3THBqD8rUY0aBaOCbH2SVUlVeVEJJXoYt7Z53oQA3wdldhpYToHrqxOuDg8Jo
lcQ1xqTYrh30FICoyOoRd+quDkQK5z//xlU1DXn753I+Tmc6aBBStMUMN7m3cGGWPW2j
bTGBeAzFlx1PGYSE+aIzPLcdfXPl6vVpMtVfeKnHf6LrcK35D2wBbG9o88q1xTOCZ9Ue
1fKI32QX7UgcT0zSrO4kLD9z1pS0jcYwS9wnbtAt5uVes+AyDjHR7YdSoUjT0SO5KVEc
JFwIndndrLH5XznWwfHdUq7IrLnLech7FToqGPujqS/Pz0RxXDu96yzuwX54z+exrfjj
JXWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:to:from:subject:date:message-id:dkim-signature

:arc-authentication-results;
bh=uxadBWIDOxAaWOKJN8YSOnay3lDpPAaxgWm82T/s9FI=;
b=qZ9xPSGu6SztmcnDRkioXDL3BZcyOhdxQjECf441oe/vaLCWzxHtEfBJlO4+zo8vBa
/mij7vCitF2NFsh/yjCLxz/ellSuFfnDBc6ydOJ97t6X2y5eGVFREEDtTCigwi1exeQa
4+nU/ls3wvXuiU1vJo96z5RjebxCDd7wkVLu6W/7EPA3C7PYRbTQbJi2egI8Hoc0KORw
h7JaAwTfB787wdXnFuD72JT36LL52EjtSPUc4w7785VH49yH4rZhBeAFMU0JfAhoAu+3
YJIO5XP2+rK0b/ksfy1U+DoFW81LW4+CmnG89CLYHddlDUGyz956RGUVoqI+VcHsZsYJ
8sRw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=EXFzVKU0;

spf=pass (google.com: domain of publisher@holyfirepublishing.com designates 108.178.0.170 as permitted sender) smtp.mailfrom=publisher@holyfirepublishing.com
Return-Path:
Received: from mx1.tmdhosting.com (mx1.tmdhosting.com. [108.178.0.170])
by mx.google.com with ESMTPS id m2-v6si4491466ioe.253.2018.04.29.07.12.41
for
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sun, 29 Apr 2018 07:12:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of publisher@holyfirepublishing.com designates 108.178.0.170 as permitted sender) client-ip=108.178.0.170;
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=EXFzVKU0;

spf=pass (google.com: domain of publisher@holyfirepublishing.com designates 108.178.0.170 as permitted sender) smtp.mailfrom=publisher@holyfirepublishing.com
Received: from [184.154.73.81] (helo=s920.tmd.cloud) by mx1.tmdhosting.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1fCn4C-0002gc-K4 for test@holyfirepublishing.com; Sun, 29 Apr 2018 09:12:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=holyfirepublishing.com; s=default; h=Content-Type:MIME-Version:To:From: Subject:Date:Message-ID:Sender:Reply-To:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=uxadBWIDOxAaWOKJN8YSOnay3lDpPAaxgWm82T/s9FI=; b=EXFzVKU0ZI0PBW6ug8u1mQ+D1 0WeVSF8lBoGNDKaM9o69wv9hkkedLn5Ga5hc6gaNGqjDtafv/DNv55Mo5t/a8Pqi48ciUBykHZl34 Hm98Zu4suFOK+MqMZIz9+Q7SZfgPdLRDtHLfyeLTRojxbeKSxJBZXTvvVT3N1Oy7PGQ0U1VR/WLe6 eTzli3cS7m6iI50CupM4cEPB0GY2eg1CRHAMk3lht4REa7WrsCeCJzDYqwCD8ojuo8ktQGbTtvKfB IsK+DBQT+W0c7GtICt1MvPp9UhLsb+bBvGAwWhzc8DARCW6N/I0EcOzqcV9Nujo3Y9Ch6eiDDeMYy qPPwf/elg==;
Received: from [184.154.73.81] (port=16188 helo=authors.holyfirepublishing.com) by s920.tmd.cloud with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89_1) (envelope-from ) id 1fCn4C-00ACo3-0A for test@holyfirepublishing.com; Sun, 29 Apr 2018 10:12:40 -0400
Message-ID:
Date: Sun, 29 Apr 2018 14:12:39 +0000
Subject: ed
From: Holy Fire Publishing
To: test@holyfirepublishing.com

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_v4_1525011159_6c682aef534d6916a1661ae64e35842a_=_"
X-Originating-IP: 184.154.73.81
X-SpamExperts-Domain: smtp-out.s920.tmd.cloud
X-SpamExperts-Username: 184.154.73.81
Authentication-Results: tmdhosting.com; auth=pass smtp.auth=184.154.73.81@smtp-out.s920.tmd.cloud
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.11)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5ofMTyLsMxNNa79NOyRl4kR602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO1JtF3V00Djdp3UoOn/TrNhUFpOyEQHhn6Djm4dwHjyI6GJvfmVu97SEuqiv2A/Wxu/H 6thHOzZSgMLgT5nubXyfI3EVhqxj8Nu1voFLyLyTVa/Hj/lpqf8vwAdisrIBg4VkC48eQiO7bLwH uL7bs2gxLabuOOunQxV+pDIPQhL5PxO0jJAHsPdj1H6RNuBO69ryxNN7Nt2dqAnJR+rNdzv1wJNm k2OOvqxJC+I78JUyACQHwPTDFXEPVlYw9avkW9KDqQDBb2Jc1G66+z2HQZg45a4hT7CiYg8SCvI6 ZEK+MBH5YNWyvM39bJiwcDIpUHzSCH11x2j55k0vQWyIjNVOZQZ7JJKYXeLCzfLW9BSOGB+kK6X2 YkzEZOMV8NHwXLN7qYLAtCcaTgmnmyZDzqNSHDEoKrXCm1PS2vgB4ghQfb7mDHg6F7DCQw/QmRVt g675dwLB7orJf0UsoeQy3tTonV+E7OMXRvgtdyMlnmWiDV9lNYm5WzS+KSLj3jtoVhfBXB881d2n MQbnYGHCJ28tG8BTthNWTB1/5HxYxRg/56Dn5RwX9m/yl7fqKmGjdPo33lkt8ECA8ZsTjQzKO+Xo IZw0+8GnFDT9YVEr7iqcCTb71FzynTtMl1ZK50d7SmAkiNlF8yDvfn+8xtg2A5+mIE1y2+2rZk9T sAzY2/lJZuM7jUXIESohoO51xWmU8V2s3nPp1TdJicttLcyTSSrQ+yjGCjoKIAu+6onh8cJ0qjVl p0XhZmFVthT8ed1oWpaRgcwU9rlpCYIvaAUrUokSnhyEGzxc7gyYDzaDoEYweYhpXBAtxRdlRy6U 5bQe20FDmz24WKkPfOYR2dD7CCp/TsT9LCL4UdHDzEymj5r1llEjtKNMtF0f79BIT6ZN1Q==

X-Report-Abuse-To: spam@mx1.tmdhosting.com


Thanks in advance for your help.


Answer



You don't have a DKIM record matching d=holyfirepublishing.com; s=default; domain / selector. That would be default._domainkey.holyfirepublishing.com. TXT "v=DKIM1; p=yourPublicKey", currently returning NXDOMAIN. The dkim=temperror (no key for signature) is consistent with this.
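The lookup the answer refers to, as an added example that is not part of the original question or answer: derive the selector name a verifier queries from the d= and s= tags of a DKIM-Signature header, then classify what the TXT lookup returns. The header is an abbreviated, constructed copy of the one in the question (h=, bh= and b= shortened); the TXT record values are made up.

```python
"""Added example (not from the original post): from DKIM-Signature header to
selector record lookup, and what the verifier concludes from the result."""
import re
from typing import Dict, Optional


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Folding whitespace inside a value, such as the spaces that appear in the
    b= tag of the question's header, is not significant and is removed.
    """
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(dkim_signature: str) -> str:
    """Name of the TXT record the verifier looks up: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def classify_key_record(txt: Optional[str]) -> str:
    """Classify the key record found at the selector name (RFC 6376 section 3.6.1).

    None stands for a lookup that returned no record (NXDOMAIN or NODATA),
    which is the situation the answer describes: the signature cannot be
    checked because there is no key to check it against.
    """
    if txt is None:
        return "no key for signature"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        return "unsupported version"
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        return "unsupported key type"
    if not tags.get("p"):  # an empty p= means the key has been revoked
        return "key revoked"
    return "key found"


# Abbreviated copy of the header from the question (constructed for this example).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=holyfirepublishing.com;"
    " s=default; h=Content-Type:MIME-Version:To:From:Subject:Date:Message-ID;"
    " bh=uxadBWIDOxAaWOKJN8YSOnay3lDpPAaxgWm82T/s9FI=;"
    " b=EXFzVKU0ZI0PBW6ug8u1mQ+D1 0WeVSF8lBoGNDKaM9o69wv9hkkedLn5Ga5hc6gaNG"
)

if __name__ == "__main__":
    print(key_query_name(SAMPLE_SIGNATURE))  # default._domainkey.holyfirepublishing.com
    print(classify_key_record(None))  # what the verifier saw in the question
    print(classify_key_record("v=DKIM1; k=rsa; p=MIIBIjANBgkq_PLACEHOLDER_KEY"))
```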


Tuesday, March 12, 2019

TCP connection stuck in SYN_RECV state despite ACK received, Linux 2.6.18, embedded, ARM

My client cannot connect to my protocol port (TCP) after some network glitches, even though all other protocols (telnet/HTTP/FTP) work fine.



netstat shows that my server is listening and tcpdump on the server shows all 3 packets are exchanged:





18:29:16.578964 IP 10.9.59.10.3355 > 10.9.43.131.5084: S 2602965897:2602965897(0) win 65535
18:29:16.579107 IP 10.9.43.131.5084 > 10.9.59.10.3355: S 3464857909:3464857909(0) ack 2602965898 win 5840
18:29:16.579284 IP 10.9.59.10.3355 > 10.9.43.131.5084: . ack 1 win 65535




But somehow netstat -t shows the connection still in SYN_RECV, as if the ack is not seen by the TCP state machine. I have to restart my server to get it to work.




syncookie is not enabled, and I know from client code behavior and tcpdump that there is no SYN flooding.



Help much appreciated.

Thursday, March 7, 2019

linux - how to increase user's permissions while creating files/directories under same user (and not root)?




Is there a command that allows a user to temporarily have root permissions but files and directories created by the user still reflects the user rather than root?



For example, I have a user that needs to install some software (Glassfish), but the self-extracting installer returns an error "permission denied". Is there a way to give the user higher permissions to run the installer such that when the installer creates directories and files they are owned by the user doing the installation (rather than root)?



Is this even possible?


Answer



Generally speaking: No. There are a few ways to achieve the end result you're looking for though.



Basically your installer needs to write to a directory that your user cannot write to; your options for achieving this (at a quick glance) are:





  1. Change the group ownership of the directory, give the group write privileges, and add the user to that group.

  2. Do the install as root. Correct permissions post-install.

  3. Make the directory world-writable.

  4. Set appropriate ACLs on the directory (Google Linux filesystem ACLs for more info)



Pretty much all of this requires that you be root - and the best solution is probably to install this software as root the way the designers intended unless you have a really good reason not to (among other things, having the installed files owned by root prevents malicious code running as the user modifying the installed software later).


Wednesday, March 6, 2019

networking - How do I check how many connections are open currently on a specific TCP port?



I'm doing some comet benchmarks and would like to see how many open connections I have.



Actually I use netstat:



netstat -ant | grep 8080 | grep EST | wc -l



But it needs around 4-6 minutes to list the number; is there any tool that can show it in real time?
The number of open connections is between 100'000 - 250'000.


Answer



Don't know if lsof is better, but give this a try:



lsof -ni:8080 -sTCP:ESTABLISHED | wc -l
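For counts in the 100'000-250'000 range the question mentions, reading the kernel's socket table directly avoids the per-connection formatting that makes netstat slow. Added example, not part of the original answer: a parser for /proc/net/tcp (and tcp6) that counts sockets on a given local port by state; the table embedded below is constructed test data with port 8080 written as hex 1F90.

```python
"""Added example (not from the original post): count connections on a port by
reading /proc/net/tcp and /proc/net/tcp6, the tables netstat itself walks."""
from typing import Dict, Iterable, Tuple

# Socket states as they appear in the 'st' column (values from the kernel's
# include/net/tcp_states.h, printed as two hex digits).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def count_by_state(lines: Iterable[str], port: int) -> Dict[str, int]:
    """Return {state_name: count} for sockets whose local port is `port`.

    Each table starts with a header line (first field 'sl'), which is skipped.
    The local address field is 'HEXADDR:HEXPORT'; only the port is needed here,
    so the address width (8 hex digits for tcp, 32 for tcp6) does not matter.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        if local_port != port:
            continue
        state = TCP_STATES.get(fields[3], fields[3])
        counts[state] = counts.get(state, 0) + 1
    return counts


def count_established(port: int,
                      paths: Tuple[str, ...] = ("/proc/net/tcp", "/proc/net/tcp6")) -> int:
    """ESTABLISHED sockets on `port` across IPv4 and IPv6, straight from procfs."""
    total = 0
    for path in paths:
        try:
            with open(path) as fh:
                total += count_by_state(fh, port).get("ESTABLISHED", 0)
        except FileNotFoundError:
            pass  # tcp6 is absent on IPv4-only kernels
    return total


# Constructed sample table: one listener, two established connections and one
# TIME_WAIT on 8080 (0x1F90), plus one established connection on 80 (0x0050).
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: A7000A0A:1F90 0100A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: A7000A0A:1F90 0200A8C0:C351 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: A7000A0A:1F90 0300A8C0:C352 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
   4: A7000A0A:0050 0400A8C0:C353 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
""".splitlines()

if __name__ == "__main__":
    print(count_by_state(SAMPLE_TABLE, 8080))  # {'LISTEN': 1, 'ESTABLISHED': 2, 'TIME_WAIT': 1}
    print(count_established(8080))  # live count on the host this runs on
```

On a recent Linux host, `ss -tn state established '( sport = :8080 )'` gives the same view from the shell without walking every socket in userspace.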

Apache SSL reverse proxy with two name virtual host




I have an Apache reverse proxy that correctly proxies an https internal server. It is configured to use a wildcard self signed certificate and to be a name-based virtual host with ServerName directive.



I am trying to add a second https internal server to proxy. I copied the configuration from the first server and changed ServerName, but it does not work: if I try to connect to the name of the second server, it always proxies me to the first.



Here is the configuration:



NameVirtualHost *:443

<VirtualHost *:443>
    ServerAdmin webmaster@siteX.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt

    ServerName "website.siteX.com"

    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.16/
    ProxyPassReverse / https://10.3.0.16/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@siteX.com

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt

    ServerName "website2.siteX.com"

    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.26/
    ProxyPassReverse / https://10.3.0.26/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>



Answer



I switched to Nginx and managed to get the two https sites working, with a quite simple configuration:



ssl_certificate  /etc/nginx/siteX-cert/wildcard.siteX.com.crt;
ssl_certificate_key /etc/nginx/siteX-cert/wildcard.siteX.com.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;


server {
listen 443 ssl;
server_name website.siteX.com;
ssl on;
location / {
proxy_pass https://10.3.0.16/;
}
}


server {
listen 443 ssl;
server_name website2.siteX.com;
ssl on;
location / {
proxy_pass https://10.3.0.26/;
}
}

Tuesday, March 5, 2019

email - postfix: Cannot assign requested address

I have an app that uses postfix. When I send an email from one user to another, it works well, as you can see here:




Sep 28 14:34:04 webcat-node-77f77644-vhq94 postfix/smtpd[546]: connect from localhost[127.0.0.1]
Sep 28 14:34:04 webcat-node-77f77644-vhq94 postfix/smtpd[546]: EA382280CA4: client=localhost[127.0.0.1]
Sep 28 14:34:04 webcat-node-77f77644-vhq94 postfix/cleanup[551]: EA382280CA4: message-id=<504605561.1538145244923.JavaMail.root@webcat-node-77f77644-vhq94>
Sep 28 14:34:04 webcat-node-77f77644-vhq94 postfix/qmgr[146]: EA382280CA4: from=, size=1232, nrcpt=1 (queue active)
Sep 28 14:34:04 webcat-node-77f77644-vhq94 postfix/smtpd[546]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 28 14:34:06 webcat-node-77f77644-vhq94 postfix/smtp[552]: EA382280CA4: to=, relay=smtp.gmail.com[74.125.133.108]:587, delay=1.1, delays=0.01/0.03/0.4/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK 1538145246 h71-v6sm1532424wmg.4 - gsmtp)
Sep 28 14:34:06 webcat-node-77f77644-vhq94 postfix/qmgr[146]: EA382280CA4: removed




The problem comes when someone uses the feedback feature in my app.




Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/smtpd[531]: connect from localhost[127.0.0.1]
Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/smtpd[531]: A0507280CA4: client=localhost[127.0.0.1]
Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/cleanup[535]: A0507280CA4: message-id=<634841788.1538144901634.JavaMail.root@webcat-node-77f77644-vhq94>
Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/qmgr[146]: A0507280CA4: from=, size=702, nrcpt=1 (queue active)
Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/smtpd[531]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 28 14:28:21 webcat-node-77f77644-vhq94 postfix/smtp[536]: connect to smtp.gmail.com[2a00:1450:400c:c06::6c]:587: Cannot assign requested address
Sep 28 14:28:22 webcat-node-77f77644-vhq94 postfix/smtp[536]: A0507280CA4: to=, relay=smtp.gmail.com[74.125.71.108]:587, delay=1.1, delays=0.01/0.02/0.34/0.78, dsn=2.0.0, status=sent (250 2.0.0 OK 1538144902 u4-v6sm3253917wro.47 - gsmtp)
Sep 28 14:28:22 webcat-node-77f77644-vhq94 postfix/qmgr[146]: A0507280CA4: removed




This is the content of my main.cf:



smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no


append_dot_mydomain = no

readme_directory = no
compatibility_level = 2

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = myDomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = gdfg, $myhostname, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0

recipient_delimiter = +
inet_protocols = all
inet_interfaces = all
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
myorigin = /etc/mailname

How can I manage Dell H700 RAID controllers from the Linux command line?



Previous PERC controllers could all be managed/monitored by the LSI MegaCLI tools. The latest release of those tools does not appear to recognize my H700 card:



$ sudo /opt/MegaRAID/MegaCli/MegaCli64 -adpCount 


Controller Count: 0.


Are there any options aside from installing the massive OMSA suite?



-Ben


Answer



You didn't mention which "latest release" you used. I just tried this and it seems to work fine now. The Dell H700 is using this chipset:




# lspci -v | grep LSI
01:00.0 RAID bus controller: LSI Logic / Symbios Logic LSI MegaSAS 9260 (rev 05)


Visit the support section of LSI's site, the 9260 is part of the "MegaRAID Value Line". That took me to MegaRAID SAS 9260-8i, click on the "Downloads" tab from there. I downloaded "MegaCLI - Linux (MegaRAID Release 5.0)", version 8.01.06 from 28-FEB-11. Unzip the package, then install/run it like this:



# rpm -i Lib_Utils-1.00-08.noarch.rpm MegaCli-8.01.06-1.i386.rpm 
# /opt/MegaRAID/MegaCli/MegaCli64 -AdpAllInfo -aALL

Adapter #0


==============================================================================
Versions
================
Product Name : PERC H700 Integrated
Serial No : 0000000
FW Package Build: 12.10.0-0025


I blanked the serial number here for privacy reasons. You might need to do a firmware upgrade to your card as well to make it compatible. I wouldn't be surprised if this didn't work when you tried it and has only been fixed since. I try to hold off buying these new controllers from Dell for as long as possible after they've been released because of issues like that.



Monday, March 4, 2019

mysql - Nginx Load Balancer Optimum Specs




I have 3 Nginx servers and each of them should handle about 2k users (concurrent connections). In front of them I have Nginx load balancer.



That's 4 Virtual machines, sharing same subnet and same physical machine. I would like to know, what VM specifications should I use for load balancer?



I have no experience with load balancing and have never done any tests, so while I know what specs I need for my app servers, I have no idea what I should use for the nginx load balancer. Right now I'm thinking about 4 cores / 4GB RAM / 4GB HDD. Would that be enough for a load balancer?



Off-topic question: Is it possible to configure MySQL so that when one MySQL DB is updated, so is another? Sort of like a master/slave configuration or something like that?


Answer



In order to have some redundancy and avoid a single point of failure (like the droid station was in Phantom Menace) you actually should have 2 balancers and VRRP/CARP between them. So, it's 8k connections in total. The specs you are proposing will fit. I think even 2-core CPUs will be enough.




And I see no point in creating 4 VMs on one physical host. When this physical node dies, so will the VMs. If we talk about a VM setup, you should use at least 2 physical nodes for 4 VMs: 2 balancers and 2 backends. If you have only one machine, using it in the old-fashioned server way will do the same. It's a single failure point anyway.



Mysql: Yes, it's called replication.


Sunday, March 3, 2019

How can I search Domain Integrated DNS Entries




Example:




  1. I have a server named server1.domain.local

  2. I have lots of CNAME entries in various forward lookup zones pointed to server1.domain.local

  3. I want to decommission server1, and have a new server, server2, that is going to replace it.



I need to change all of my CNAMEs that point to server1.domain.local to point to server2.domain.local.




I know I can create server1.domain.local as another CNAME, but I would prefer to just find all the entries and change them individually.



How can I go about finding all references in all forward lookup zones to server.domain.local?


Answer



The dnscmd utility from the Windows Support Tools is probably your best bet. You can get a list of all the DNS zones with the command: dnscmd [servername] /EnumZones. You can enumerate all the CNAME records in each zone with the command: dnscmd [servername] /EnumRecords [zone name] . /TYPE CNAME.



In theory you could chain these two together in a script, process the output, and make the changes you want automatically (also using dnscmd with the /RecordDelete and /RecordAdd commands). That's an exercise I'll leave to you (for now).



Edit: Okay-- I couldn't resist. Here's that script. It will only echo the commands that actually make changes. If it does what you want then you can pull the echo commands out and let 'er rip.




@echo off

set SERVER_TO_REPLACE=server1.domain.com
set REPLACEMENT_VALUE=server2.domain.com

rem Quick and dirty list of Primary zones that aren't Reverse zones
for /F "usebackq" %%i in (`dnscmd %1 /EnumZones ^| find " Primary" ^| find /v " Rev"`) do call :process_zone %1 %%i
goto end

:process_zone

rem Quick and dirty enumeration of all CNAME records in a zone
for /F "usebackq tokens=1,3,4" %%i in (`dnscmd %1 /EnumRecords %2 . /TYPE CNAME ^| find " CNAME"`) do call :process_RR %1 %2 %%i %%j %%k
goto end

:process_RR
rem Check a record and alter it if necessary
if /I "%5" EQU "%SERVER_TO_REPLACE%" (
echo dnscmd %1 /RecordDelete %2 %3 %4 %5 /f
echo dnscmd %1 /RecordAdd %2 %3 %4 %REPLACEMENT_VALUE%
)


:end

Friday, March 1, 2019

centos - Can View Website on Localhost and By IP on machine but nothing from other machines



I have a centos apache2 webserver which is running and I can view the localhost website from localhost or by http://192.168.0.167 (its IP) through a browser on the machine itself, but if I try to view it by its IP on another machine through a browser on the network I can't load the website. Also pinging the machine from another machine works fine. I'm able to connect to the machine via SSH as well with no trouble.



"iptables -L" output:



Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Answer



In runtime:



iptables -I RH-Firewall-1-INPUT 7 -p tcp --dport 80 -j ACCEPT


startup in /etc/sysconfig/iptables


Docker returns connection error after being setup as cron job

I have a docker container on ubuntu 16.04 and I want to run a docker command periodically. After checking that the command runs successfully from the command line I've set up a crontab with the following:




*/1 * * * * sudo docker run {image-name} python3 /{path-to-scrip}/script.py


This seems to work ok until the script outputs something after which point the crons don't run and it stops docker from working with the following message:



docker: Error response from daemon: connection error: desc = "transport: dial unix /var/run/docker/containerd/docke
r-containerd.sock: connect: connection refused".


I've read that stdout may be the problem and I've tried the following in crontab:




*/1 * * * * sudo docker run {image-name} python3 /{path-to-scrip}/script.py > /home/logs 2>&1


This didn't fix the problem and the logs file remains empty.



This is running on a virtual machine and restarting the instance gets me back to square one where docker runs.



I'm not the most experienced sysadmin and suspect I've made a naive mistake, but I don't know how to progress this. What should I have done to set up the cron?




Additional info



I'm not sure if it's relevant, but this is running on a google cloud engine instance and the firewall is set to prohibit all external connections.



Update



After a hunch I've got it running on CentOS 7. The cron job worked for a number of hours, but then the script gave an error. The error is something to be expected from the script, but this has led to the same docker message and cron no longer works.



Further update

From this thread I decided to run docker inspect --format '{{json .State }}' {container id for failed run} - this shows the following:




{"Status":"running","Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":8204,"ExitCode":0,"Error":"","StartedAt":"2018-01-02T03:15:03.016836367Z","FinishedAt":"0001-01-01T00:00:00Z"}


I guess I just need to figure out how to stop the process from running in order to shut the container down.

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...